* to the *source* attribute value, as in:
```
- source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-networking?ref=v0.1.0"
+ source = "github.com/oci-landing-zones/terraform-oci-modules-networking?ref=v0.1.0"
```
### Using the Module with Resource Manager
For an ad-hoc use where you can select your resources, follow these guidelines:
-1. [![Deploy_To_OCI](images/DeployToOCI.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-networking/archive/refs/heads/main.zip)
+1. [![Deploy_To_OCI](images/DeployToOCI.svg)](https://cloud.oracle.com/resourcemanager/stacks/create?zipUrl=https://github.com/oci-landing-zones/terraform-oci-modules-networking/archive/refs/heads/main.zip)
2. Accept terms, wait for the configuration to load.
3. Set the working directory to “orm-facade”.
4. Set the stack name you prefer.
-5. Set the terraform version to 1.2.x. Click Next.
-6. Add your json/yaml configuration files. Click Next.
-8. Un-check run apply. Click Create.
+5. Add your JSON/YAML configuration files. Click Next.
+6. Un-check run apply. Click Create.
## Module Functioning
The input parameters for the module can be divided into two categories, for which we recommend to create two different ```*.tfvars.*``` files:
-The input parameters for the module can be divided into two categories, for which we recommend to create two different ```*.tfvars.*``` files:
- 1. OCI REST API authentication information (secrets) - ```terraform.tfvars``` (HCL) or ```terraform.tfvars.json``` (JSON):
+1. OCI REST API authentication information (secrets) - ```terraform.tfvars``` (HCL) or ```terraform.tfvars.json``` (JSON):
- ```tenancy_ocid```
- ```user_ocid```
- ```fingerprint```
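Review bot: the Deploy to OCI button in step 1 now pins the Resource Manager stack to `archive/refs/heads/main.zip`, a moving branch, while the `source` example just above pins `?ref=v0.1.0`; for reproducible deployments the zipUrl should point at a release tag (or the text should say that `main` is intended) so users can tell what they are applying. Two smaller points in the same hunk: with RELEASE-NOTES.md at 0.7.0, `?ref=v0.1.0` in the `source` example looks stale and should be bumped to the current release; and dropping step 5 ("Set the terraform version to 1.2.x") removes the only statement of a required Terraform version, so if the module still has a minimum version it needs to be stated elsewhere in the README. The renumbering of steps 6/8 to 5/6 and the removal of the duplicated "The input parameters for the module..." paragraph are fine.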
@@ -283,7 +281,7 @@ Attributes that support a compartment referring key:
- *compartment_id*
#### network_dependency (Optional)
-A map of map of objects containing the externally managed network resources this module may depend on. This mechanism allows for the usage of referring keys (instead of OCIDs) in some attributes. The module replaces the keys by the OCIDs provided within *network_dependency* map. Contents of *network_dependency* is typically the output of a client of this module. Within *network_dependency*, VCNs must be indexed with the **vcns** key, DRGs indexed with the **dynamic_routing_gateways** key, DRG attachments indexed with **drg_attachments** key, Local Peering Gateways (LPG) indexed with **local_peering_gateways**, Remote Peering Connections (RPC) indexed with **remote_peering_connections** key. Each VCN, DRG, DRG attachment, LPG and RPC must contain the *id* attribute (to which the actual OCID is assigned). RPCs must also pass the peer region name in the *region_name* attribute.
+A map of map of objects containing the externally managed network resources this module may depend on. This mechanism allows for the usage of referring keys (instead of OCIDs) in some attributes. The module replaces the keys by the OCIDs provided within *network_dependency* map. Contents of *network_dependency* is typically the output of a client of this module. Within *network_dependency*, VCNs must be indexed with the **vcns** key, DRGs indexed with the **dynamic_routing_gateways** key, DRG attachments indexed with **drg_attachments** key, Local Peering Gateways (LPG) indexed with **local_peering_gateways**, Remote Peering Connections (RPC) indexed with **remote_peering_connections** key, DNS Private Views indexed by **dns_private_views**. Each VCN, DRG, DRG attachment, LPG, RPC and DNS Private View must contain the *id* attribute (to which the actual OCID is assigned). RPCs must also pass the peer region name in the *region_name* attribute.
*network_dependency* example:
```
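Review bot: in the reworded *network_dependency* paragraph, "DNS Private Views indexed by **dns_private_views**" breaks the "indexed with ... key" pattern used for the other five entries, and "A map of map of objects" should read "A map of maps of objects" (inherited from the old line, but this rewrite is the place to fix it). More importantly, the paragraph says each DNS Private View needs only the *id* attribute, and the README table later binds the referring key to *existing_view_id* in *attached_views*; please confirm the `network_configuration` type in SPEC.md for this PR actually declares `existing_view_id` under `attached_views`, because the version being removed further down in this diff has no such attribute, and the two files should agree.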
@@ -314,9 +312,14 @@ A map of map of objects containing the externally managed network resources this
"region_name" : "us-ashburn-1"
}
}
+ "dns_private_views" : {
+ "XYZ-DNS-VIEW" : {
+ "id" : "ocid1.dnsview.oc1.phx.aaaaaaaa...nhq",
+ }
+ }
}
```
-**Note**: **vcns**, **dynamic_routing_gateways**, **drg_attachments**, **local_peering_gateways**, and **remote_peering_connections** attributes are all optional. They only become mandatory if the *network_configuration* refers to one of these resources through a referring key. Below are the attributes where a referring key is supported:
+**Note**: **vcns**, **dynamic_routing_gateways**, **drg_attachments**, **local_peering_gateways**, **remote_peering_connections** and **dns_private_views** attributes are all optional. They only become mandatory if the *network_configuration* refers to one of these resources through a referring key. Below are the attributes where a referring key is supported:
*network_dependency* attribute | Attribute names in *network_configuration* where the referring key can be utilized
--------------|-------------
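Review bot: the added `dns_private_views` block in the example is not valid JSON as written: `"id" : "ocid1.dnsview.oc1.phx.aaaaaaaa...nhq",` carries a trailing comma before the closing `}`, and the context line `}` that closes the preceding entry needs a `,` before `"dns_private_views" : {` starts. Users copy this example into `terraform.tfvars.json` verbatim, so please drop the trailing comma and add the separator (that means touching the context line as a `-`/`+` pair). The updated Note listing **dns_private_views** among the optional keys is consistent with the paragraph above.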
@@ -325,6 +328,7 @@ A map of map of objects containing the externally managed network resources this
**drg_attachments** | *drg_attachment_key*
**local_peering_gateways** | *peer_key* in *local_peering_gateways*
**remote_peering_connections** | *peer_key* in *remote_peering_connections*
+**dns_private_views** | *existing_view_id* in *dns_resolver's* *attached_views*.
#### private_ips_dependency (Optional)
A map of map of objects containing the externally managed private IP resources this module may depend on. This mechanism allows for the usage of referring keys (instead of OCIDs) in some attributes. The module replaces the keys by the OCIDs provided within *private_ips_dependency* map. Each private IP must contain the **"id"** attribute (to which the actual OCID is assigned), as in the example below:
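Review bot: the new row `**dns_private_views** | *existing_view_id* in *dns_resolver's* *attached_views*.` ends with a period while the other rows do not, and the possessive inside italics renders oddly; suggest `**dns_private_views** | *existing_view_id* in *attached_views* of *dns_resolver*` to match the `*peer_key* in *local_peering_gateways*` style of the rows above it.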
@@ -379,9 +383,6 @@ See [external-dependency example](./examples/external-dependency/) for a functio
- [IPSec VPN Examples](examples/edge-connectivity/ipsec-examples/)
- [Generic OCI IPSec BGP VPN](examples/edge-connectivity/ipsec-examples/generic-OCI-ipsec-bgp-vpn/)
- [Local Peering Gateways](examples/local-peering-gateways/)
-- [Remote Peering Connections](examples/remote-peering-connections/)
- - [Generic OCI IPSec BGP VPN](examples/edge-connectivity/ipsec-examples/generic-OCI-ipsec-bgp-vpn/)
-- [Local Peering Gateways](examples/local-peering-gateways/)
- [Remote Peering Connections](examples/remote-peering-connections/)
## Related Documentation
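Review bot: removing the duplicated `- [Local Peering Gateways]`, `- [Remote Peering Connections]` and nested `Generic OCI IPSec BGP VPN` entries is the right fix. While this list is being touched, the two examples the release notes introduce (`./examples/oci-network-firewall/` and `./examples/dns-view-injection/`) should be linked here as well, unless they already appear in the part of the list outside this hunk.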
diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md
index 26a5a47..113020f 100644
--- a/RELEASE-NOTES.md
+++ b/RELEASE-NOTES.md
@@ -1,3 +1,9 @@
+# September 20, 2024 Release Notes - 0.7.0
+
+## Updates
+1. OCI Network Firewall refactored according to updates post Terraform OCI Provider 5.16.0 release. See [oci-network-firewall example](./examples/oci-network-firewall/).
+2. Ability to inject externally managed existing private DNS views into managed DNS resolvers. See [dns-view-injection example](./examples/dns-view-injection/).
+
# August 28, 2024 Release Notes - 0.6.9
## Updates
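Review bot: the 0.7.0 entry should tell existing users what the Network Firewall refactoring means for them: item 1 implies the OCI provider must be at least 5.16.0, and the SPEC.md hunk in this diff adds `application_group`, `service` and `service_list` policy resources, so please state the minimum provider version and whether existing `network_configuration` firewall definitions need changes (a short migration note, or a pointer to the attributes that changed in the example). Also, the 0.6.9 entry below places `## Updates` directly under its heading with no blank line, so either add the blank line there too or drop it here for consistency.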
diff --git a/SPEC.md b/SPEC.md
index 5e785db..65bca2a 100644
--- a/SPEC.md
+++ b/SPEC.md
@@ -75,10 +75,13 @@
| [oci_network_firewall_network_firewall_policy.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/network_firewall_network_firewall_policy) | resource |
| [oci_network_firewall_network_firewall_policy_address_list.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/network_firewall_network_firewall_policy_address_list) | resource |
| [oci_network_firewall_network_firewall_policy_application.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/network_firewall_network_firewall_policy_application) | resource |
+| [oci_network_firewall_network_firewall_policy_application_group.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/network_firewall_network_firewall_policy_application_group) | resource |
| [oci_network_firewall_network_firewall_policy_decryption_profile.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/network_firewall_network_firewall_policy_decryption_profile) | resource |
| [oci_network_firewall_network_firewall_policy_decryption_rule.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/network_firewall_network_firewall_policy_decryption_rule) | resource |
| [oci_network_firewall_network_firewall_policy_mapped_secret.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/network_firewall_network_firewall_policy_mapped_secret) | resource |
| [oci_network_firewall_network_firewall_policy_security_rule.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/network_firewall_network_firewall_policy_security_rule) | resource |
+| [oci_network_firewall_network_firewall_policy_service.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/network_firewall_network_firewall_policy_service) | resource |
+| [oci_network_firewall_network_firewall_policy_service_list.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/network_firewall_network_firewall_policy_service_list) | resource |
| [oci_network_firewall_network_firewall_policy_url_list.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/network_firewall_network_firewall_policy_url_list) | resource |
| [time_sleep.wait_for_dns_resolver](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
| [oci_core_cpe_device_shapes.cpe_device_shapes](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/core_cpe_device_shapes) | data source |
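Review bot: the three new rows (`..._policy_application_group.these`, `..._policy_service.these`, `..._policy_service_list.these`) sit in the correct alphabetical positions for this generated table. Since the release notes tie this refactoring to provider 5.16.0, check that the module's `required_providers` constraint for `oracle/oci` is raised to match and that the requirements section of SPEC.md (if the generator emits one) is regenerated in the same PR; on an older pinned provider these resource types would make `terraform plan` fail with unsupported resource type errors rather than a clear version hint.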
@@ -99,8 +102,8 @@
|------|-------------|------|---------|:--------:|
| [compartments\_dependency](#input\_compartments\_dependency) | A map of objects containing the externally managed compartments this module may depend on. All map objects must have the same type and must contain an 'id' attribute of string type set with the compartment OCID. See External Dependencies section in README.md (https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-networking#ext-dep) for details. | map(object({
id = string
}))
| `null` | no |
| [module\_name](#input\_module\_name) | The module name. | `string` | `"networking"` | no |
-| [network\_configuration](#input\_network\_configuration) | n/a | object({
default_compartment_id = optional(string),
default_defined_tags = optional(map(string)),
default_freeform_tags = optional(map(string)),
default_enable_cis_checks = optional(bool),
default_ssh_ports_to_check = optional(list(number)),
network_configuration_categories = optional(map(object({
category_compartment_id = optional(string),
category_defined_tags = optional(map(string)),
category_freeform_tags = optional(map(string)),
category_enable_cis_checks = optional(bool),
category_ssh_ports_to_check = optional(list(number)),
vcns = optional(map(object({
compartment_id = optional(string),
display_name = optional(string),
byoipv6cidr_details = optional(map(object({
byoipv6range_id = string
ipv6cidr_block = string
})))
ipv6private_cidr_blocks = optional(list(string)),
is_ipv6enabled = optional(bool),
is_oracle_gua_allocation_enabled = optional(bool),
cidr_blocks = optional(list(string)),
dns_label = optional(string),
block_nat_traffic = optional(bool),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
default_security_list = optional(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
ingress_rules = optional(list(object({
stateless = optional(bool),
protocol = string,
description = optional(string),
src = string,
src_type = string,
src_port_min = optional(number),
src_port_max = optional(number),
dst_port_min = optional(number),
dst_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
}))),
egress_rules = optional(list(object({
stateless = optional(bool),
protocol = string,
description = optional(string),
dst = string,
dst_type = string,
src_port_min = optional(number),
src_port_max = optional(number),
dst_port_min = optional(number),
dst_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
})))
}))
security_lists = optional(map(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
display_name = optional(string),
ingress_rules = optional(list(object({
stateless = optional(bool),
protocol = string,
description = optional(string),
src = string,
src_type = string,
src_port_min = optional(number),
src_port_max = optional(number),
dst_port_min = optional(number),
dst_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
}))),
egress_rules = optional(list(object({
stateless = optional(bool),
protocol = string,
description = optional(string),
dst = string,
dst_type = string,
src_port_min = optional(number),
src_port_max = optional(number),
dst_port_min = optional(number),
dst_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
})))
})))
default_route_table = optional(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
display_name = optional(string),
route_rules = optional(map(object({
network_entity_id = optional(string),
network_entity_key = optional(string),
description = optional(string),
// Supported values:
// - "a cidr block"
// - "objectstorage" or "all-services" - only for "SERVICE_CIDR_BLOCK"
destination = optional(string),
// Supported values:
// - "CIDR_BLOCK"
// - "SERVICE_CIDR_BLOCK" - only for SGW
destination_type = optional(string),
})))
}))
route_tables = optional(map(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
display_name = optional(string),
route_rules = optional(map(object({
network_entity_id = optional(string),
network_entity_key = optional(string),
description = optional(string),
// Supported values:
// - "a cidr block"
// - "objectstorage" or "all-services" - only for "SERVICE_CIDR_BLOCK"
destination = optional(string),
// Supported values:
// - "CIDR_BLOCK"
// - "SERVICE_CIDR_BLOCK" - only for SGW
destination_type = optional(string),
})))
})))
default_dhcp_options = optional(object({
compartment_id = optional(string),
display_name = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
domain_name_type = optional(string),
options = map(object({
type = string,
server_type = optional(string),
custom_dns_servers = optional(list(string))
search_domain_names = optional(list(string))
}))
}))
dhcp_options = optional(map(object({
compartment_id = optional(string),
display_name = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
domain_name_type = optional(string),
options = map(object({
type = string,
server_type = optional(string),
custom_dns_servers = optional(list(string))
search_domain_names = optional(list(string))
}))
})))
subnets = optional(map(object({
cidr_block = string,
compartment_id = optional(string),
#Optional
availability_domain = optional(string),
defined_tags = optional(map(string)),
dhcp_options_key = optional(string),
display_name = optional(string),
dns_label = optional(string),
freeform_tags = optional(map(string)),
ipv6cidr_block = optional(string),
ipv6cidr_blocks = optional(list(string)),
prohibit_internet_ingress = optional(bool),
prohibit_public_ip_on_vnic = optional(bool),
route_table_key = optional(string),
security_list_keys = optional(list(string))
})))
network_security_groups = optional(map(object({
compartment_id = optional(string),
display_name = optional(string),
defined_tags = optional(map(string))
freeform_tags = optional(map(string))
ingress_rules = optional(map(object({
description = optional(string),
protocol = string,
stateless = optional(bool),
src = optional(string),
src_type = optional(string),
dst_port_min = optional(number),
dst_port_max = optional(number),
src_port_min = optional(number),
src_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
}))),
egress_rules = optional(map(object({
description = optional(string),
protocol = string,
stateless = optional(bool),
dst = optional(string),
dst_type = optional(string),
dst_port_min = optional(number),
dst_port_max = optional(number),
src_port_min = optional(number),
src_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
})))
})))
dns_resolver = optional(object({
display_name = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
attached_views = optional(map(object({
compartment_id = optional(string),
display_name = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
dns_zones = optional(map(object({
compartment_id = optional(string),
name = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
scope = optional(string),
zone_type = optional(string),
external_downstreams = optional(list(object({
address = optional(string),
ports = optional(string),
tsig_key = optional(string),
}))),
external_masters = optional(list(object({
address = optional(string),
port = optional(string),
tsig_key = optional(string),
}))),
dns_records = optional(map(object({
domain = optional(string),
compartment_id = optional(string),
rtype = optional(string),
rdata = optional(string),
ttl = optional(number),
})))
dns_rrset = optional(map(object({
compartment_id = optional(string)
domain = optional(string),
rtype = optional(string),
scope = optional(string),
items = optional(list(object({
domain = optional(string),
rdata = optional(string),
rtype = optional(string),
ttl = optional(string),
})))
})))
dns_steering_policies = optional(map(object({
compartment_id = optional(string),
domain_name = optional(string),
display_name = optional(string),
template = optional(string),
answers = optional(list(object({
name = optional(string),
rdata = optional(string),
rtype = optional(string),
is_disabled = optional(bool),
pool = optional(string),
}))),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
health_check_monitor_id = optional(string)
rules = optional(list(object({
rule_type = optional(string)
cases = optional(list(object({
answer_data = optional(object({
answer_condition = optional(string)
should_keep = optional(string)
value = optional(string)
})),
case_condition = optional(string),
count = optional(number)
}))),
default_answer_data = optional(object({
answer_condition = optional(string),
should_keep = optional(bool),
value = optional(string),
})),
default_count = optional(number),
description = optional(string),
}))),
ttl = optional(string),
}))),
}))),
}))),
rules = optional(list(object({
action = optional(string),
destination_address = optional(list(string)),
source_endpoint_name = optional(string),
client_address_conditions = optional(list(string)),
qname_cover_conditions = optional(list(string)),
}))),
resolver_endpoints = optional(map(object({
name = optional(string),
is_forwarding = optional(string),
is_listening = optional(string),
subnet = optional(string),
endpoint_type = optional(string),
forwarding_address = optional(string),
listening_address = optional(string),
nsg = optional(list(string)),
}))),
tsig_keys = optional(map(object({
compartment_id = optional(string),
algorithm = optional(string),
name = optional(string),
secret = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
}))),
}))
vcn_specific_gateways = optional(object({
internet_gateways = optional(map(object({
compartment_id = optional(string),
enabled = optional(bool),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
route_table_key = optional(string)
})))
nat_gateways = optional(map(object({
compartment_id = optional(string),
block_traffic = optional(bool),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
public_ip_id = optional(string),
route_table_key = optional(string)
})))
service_gateways = optional(map(object({
compartment_id = optional(string),
// SGW services value:
// - objectstorage - for object storage access
// - all-services - for all OCI internal network services access
services = string,
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
route_table_key = optional(string)
})))
local_peering_gateways = optional(map(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
peer_id = optional(string),
peer_key = optional(string),
route_table_key = optional(string)
})))
}))
})))
inject_into_existing_vcns = optional(map(object({
vcn_id = string,
default_security_list = optional(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
ingress_rules = optional(list(object({
stateless = optional(bool),
protocol = string,
description = optional(string),
src = string,
src_type = string,
src_port_min = optional(number),
src_port_max = optional(number),
dst_port_min = optional(number),
dst_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
}))),
egress_rules = optional(list(object({
stateless = optional(bool),
protocol = string,
description = optional(string),
dst = string,
dst_type = string,
src_port_min = optional(number),
src_port_max = optional(number),
dst_port_min = optional(number),
dst_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
})))
}))
security_lists = optional(map(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
display_name = optional(string),
ingress_rules = optional(list(object({
stateless = optional(bool),
protocol = string,
description = optional(string),
src = string,
src_type = string,
src_port_min = optional(number),
src_port_max = optional(number),
dst_port_min = optional(number),
dst_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
}))),
egress_rules = optional(list(object({
stateless = optional(bool),
protocol = string,
description = optional(string),
dst = string,
dst_type = string,
src_port_min = optional(number),
src_port_max = optional(number),
dst_port_min = optional(number),
dst_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
})))
})))
default_route_table = optional(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
display_name = optional(string),
route_rules = optional(map(object({
network_entity_id = optional(string),
network_entity_key = optional(string),
description = optional(string),
// Supported values:
// - "a cidr block"
// - "objectstorage" or "all-services" - only for "SERVICE_CIDR_BLOCK"
destination = optional(string),
// Supported values:
// - "CIDR_BLOCK"
// - "SERVICE_CIDR_BLOCK" - only for SGW
destination_type = optional(string),
})))
}))
route_tables = optional(map(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
display_name = optional(string),
route_rules = optional(map(object({
network_entity_id = optional(string),
network_entity_key = optional(string),
description = optional(string),
// Supported values:
// - "a cidr block"
// - "objectstorage" or "all-services" - only for "SERVICE_CIDR_BLOCK"
destination = optional(string),
// Supported values:
// - "CIDR_BLOCK"
// - "SERVICE_CIDR_BLOCK" - only for SGW
destination_type = optional(string)
})))
})))
default_dhcp_options = optional(object({
compartment_id = optional(string),
display_name = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
domain_name_type = optional(string),
options = map(object({
type = string,
server_type = optional(string),
custom_dns_servers = optional(list(string))
search_domain_names = optional(list(string))
}))
}))
dhcp_options = optional(map(object({
compartment_id = optional(string),
display_name = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
domain_name_type = optional(string),
options = map(object({
type = string,
server_type = optional(string),
custom_dns_servers = optional(list(string))
search_domain_names = optional(list(string))
}))
})))
subnets = optional(map(object({
cidr_block = string,
compartment_id = optional(string),
#Optional
availability_domain = optional(string),
defined_tags = optional(map(string)),
dhcp_options_id = optional(string),
dhcp_options_key = optional(string),
display_name = optional(string),
dns_label = optional(string),
freeform_tags = optional(map(string)),
ipv6cidr_block = optional(string),
ipv6cidr_blocks = optional(list(string)),
prohibit_internet_ingress = optional(bool),
prohibit_public_ip_on_vnic = optional(bool),
route_table_id = optional(string),
route_table_key = optional(string),
security_list_ids = optional(list(string)),
security_list_keys = optional(list(string))
})))
network_security_groups = optional(map(object({
compartment_id = optional(string),
display_name = optional(string),
defined_tags = optional(map(string))
freeform_tags = optional(map(string))
ingress_rules = optional(map(object({
description = optional(string),
protocol = string,
stateless = optional(bool),
src = optional(string),
src_type = optional(string),
dst_port_min = number,
dst_port_max = number,
src_port_min = optional(number),
src_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
}))),
egress_rules = optional(map(object({
description = optional(string),
protocol = string,
stateless = optional(bool),
dst = optional(string),
dst_type = optional(string),
dst_port_min = optional(number),
dst_port_max = optional(number),
src_port_min = optional(number),
src_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
})))
})))
dns_resolver = optional(object({
display_name = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
attached_views = optional(map(object({
compartment_id = optional(string),
display_name = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
dns_zones = optional(map(object({
compartment_id = optional(string),
name = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
scope = optional(string),
zone_type = optional(string),
external_downstreams = optional(list(object({
address = optional(string),
ports = optional(string),
tsig_key = optional(string),
}))),
external_masters = optional(list(object({
address = optional(string),
port = optional(string),
tsig_key = optional(string),
}))),
dns_records = optional(map(object({
domain = optional(string),
compartment_id = optional(string),
rtype = optional(string),
rdata = optional(string),
ttl = optional(string),
})))
dns_rrset = optional(map(object({
domain = optional(string),
rtype = optional(string),
scope = optional(string),
items = optional(list(object({
domain = optional(string),
rdata = optional(string),
rtype = optional(string),
ttl = optional(string),
})))
})))
dns_steering_policies = optional(map(object({
compartment_id = optional(string),
domain_name = optional(string),
display_name = optional(string),
template = optional(string),
answers = optional(list(object({
name = optional(string),
rdata = optional(string),
rtype = optional(string),
is_disabled = optional(bool),
pool = optional(string),
}))),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
health_check_monitor_id = optional(string)
rules = optional(list(object({
rule_type = optional(string)
cases = optional(list(object({
answer_data = optional(object({
answer_condition = optional(string)
should_keep = optional(string)
value = optional(string)
})),
case_condition = optional(string),
count = optional(number)
}))),
default_answer_data = optional(object({
answer_condition = optional(string),
should_keep = optional(bool),
value = optional(string),
})),
default_count = optional(number),
description = optional(string),
}))),
ttl = optional(string),
}))),
}))),
}))),
rules = optional(list(object({
action = optional(string),
destination_address = optional(string),
source_endpoint_name = optional(string),
client_address_condition = optional(string),
qname_cover_condtions = optional(string),
}))),
resolver_endpoints = optional(map(object({
name = optional(string),
is_forwarding = optional(bool),
is_listening = optional(bool),
subnet = optional(string),
endpoint_type = optional(string),
forwarding_address = optional(string),
listening_address = optional(string),
nsg = optional(string),
}))),
tsig_keys = optional(map(object({
compartment_id = optional(string),
algorithm = optional(string),
name = optional(string),
secret = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
}))),
}))
vcn_specific_gateways = optional(object({
internet_gateways = optional(map(object({
compartment_id = optional(string),
enabled = optional(bool),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
route_table_id = optional(string),
route_table_key = optional(string)
})))
nat_gateways = optional(map(object({
compartment_id = optional(string),
block_traffic = optional(bool),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
public_ip_id = optional(string),
route_table_id = optional(string),
route_table_key = optional(string)
})))
service_gateways = optional(map(object({
compartment_id = optional(string),
// SGW services value:
// - objectstorage - for object storage access
// - all-services - for all OCI internal network services access
services = string,
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
route_table_id = optional(string),
route_table_key = optional(string)
})))
local_peering_gateways = optional(map(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
peer_id = optional(string),
peer_key = optional(string),
route_table_id = optional(string),
route_table_key = optional(string)
})))
}))
})))
IPs = optional(object({
public_ips_pools = optional(map(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
})))
public_ips = optional(map(object({
compartment_id = optional(string),
lifetime = string,
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
private_ip_id = optional(string),
public_ip_pool_id = optional(string),
public_ip_pool_key = optional(string)
})))
}))
non_vcn_specific_gateways = optional(object({
dynamic_routing_gateways = optional(map(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
remote_peering_connections = optional(map(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
peer_id = optional(string),
peer_key = optional(string),
peer_region_name = optional(string)
})))
drg_attachments = optional(map(object({
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
drg_route_table_id = optional(string),
drg_route_table_key = optional(string),
network_details = optional(object({
attached_resource_id = optional(string),
attached_resource_key = optional(string),
type = string,
route_table_id = optional(string),
route_table_key = optional(string),
vcn_route_type = optional(string)
}))
})))
drg_route_tables = optional(map(object({
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
import_drg_route_distribution_id = optional(string),
import_drg_route_distribution_key = optional(string),
is_ecmp_enabled = optional(bool),
route_rules = optional(map(object({
destination = string,
destination_type = string,
next_hop_drg_attachment_id = optional(string),
next_hop_drg_attachment_key = optional(string),
})))
})))
drg_route_distributions = optional(map(object({
distribution_type = string,
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string))
statements = optional(map(object({
action = string,
match_criteria = optional(object({
match_type = string,
attachment_type = optional(string),
drg_attachment_id = optional(string),
drg_attachment_key = optional(string)
}))
priority = optional(number)
})))
})))
})))
customer_premises_equipments = optional(map(object({
compartment_id = optional(string),
ip_address = string,
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
cpe_device_shape_id = optional(string),
cpe_device_shape_vendor_name = optional(string)
})))
ipsecs = optional(map(object({
compartment_id = optional(string),
cpe_id = optional(string),
cpe_key = optional(string),
drg_id = optional(string),
drg_key = optional(string),
static_routes = list(string),
cpe_local_identifier = optional(string),
cpe_local_identifier_type = optional(string),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
tunnels_management = optional(object({
tunnel_1 = optional(object({
routing = string,
bgp_session_info = optional(object({
customer_bgp_asn = optional(string),
customer_interface_ip = optional(string),
oracle_interface_ip = optional(string)
}))
encryption_domain_config = optional(object({
cpe_traffic_selector = optional(string),
oracle_traffic_selector = optional(string)
}))
shared_secret = optional(string),
ike_version = optional(string)
})),
tunnel_2 = optional(object({
routing = string,
bgp_session_info = optional(object({
customer_bgp_asn = optional(string),
customer_interface_ip = optional(string),
oracle_interface_ip = optional(string)
}))
encryption_domain_config = optional(object({
cpe_traffic_selector = optional(string),
oracle_traffic_selector = optional(string)
}))
shared_secret = optional(string),
ike_version = optional(string)
}))
}))
})))
fast_connect_virtual_circuits = optional(map(object({
#Required
compartment_id = optional(string),
provision_fc_virtual_circuit = bool,
show_available_fc_virtual_circuit_providers = bool,
type = string,
#Optional
bandwidth_shape_name = optional(string),
bgp_admin_state = optional(string),
cross_connect_mappings = optional(map(object({
#Optional
bgp_md5auth_key = optional(string)
cross_connect_or_cross_connect_group_id = optional(string)
cross_connect_or_cross_connect_group_key = optional(string)
customer_bgp_peering_ip = optional(string)
customer_bgp_peering_ipv6 = optional(string)
oracle_bgp_peering_ip = optional(string)
oracle_bgp_peering_ipv6 = optional(string)
vlan = optional(string)
})))
customer_asn = optional(string)
defined_tags = optional(map(string))
display_name = optional(string)
freeform_tags = optional(map(string))
ip_mtu = optional(number)
is_bfd_enabled = optional(bool)
gateway_id = optional(string)
gateway_key = optional(string)
provider_service_id = optional(string)
provider_service_key = optional(string)
provider_service_key_name = optional(string)
public_prefixes = optional(map(object({
#Required
cidr_block = string,
})))
region = optional(string)
routing_policy = optional(list(string))
})))
cross_connect_groups = optional(map(object({
compartment_id = optional(string),
customer_reference_name = optional(string),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
cross_connects = optional(map(object({
compartment_id = optional(string),
location_name = string,
port_speed_shape_name = string,
customer_reference_name = optional(string),
defined_tags = optional(map(string))
display_name = optional(string),
far_cross_connect_or_cross_connect_group_id = optional(string),
far_cross_connect_or_cross_connect_group_key = optional(string),
freeform_tags = optional(map(string))
near_cross_connect_or_cross_connect_group_id = optional(string),
near_cross_connect_or_cross_connect_group_key = optional(string),
})))
})))
inject_into_existing_drgs = optional(map(object({
drg_id = string,
remote_peering_connections = optional(map(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
peer_id = optional(string),
peer_key = optional(string),
peer_region_name = optional(string)
})))
drg_attachments = optional(map(object({
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
drg_route_table_id = optional(string),
drg_route_table_key = optional(string),
network_details = optional(object({
attached_resource_id = optional(string),
attached_resource_key = optional(string),
type = string,
route_table_id = optional(string),
route_table_key = optional(string),
vcn_route_type = optional(string)
}))
})))
drg_route_tables = optional(map(object({
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
import_drg_route_distribution_id = optional(string),
import_drg_route_distribution_key = optional(string),
is_ecmp_enabled = optional(bool),
route_rules = optional(map(object({
destination = string,
destination_type = string,
next_hop_drg_attachment_id = optional(string),
next_hop_drg_attachment_key = optional(string),
})))
})))
drg_route_distributions = optional(map(object({
distribution_type = string,
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string))
statements = optional(map(object({
action = string,
match_criteria = optional(object({
match_type = string,
attachment_type = optional(string),
drg_attachment_id = optional(string),
drg_attachment_key = optional(string)
}))
priority = number
})))
})))
})))
network_firewalls_configuration = optional(object({
network_firewalls = optional(map(object({
availability_domain = optional(number),
compartment_id = optional(string),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
ipv4address = optional(string),
ipv6address = optional(string),
network_security_group_ids = optional(list(string)),
network_security_group_keys = optional(list(string)),
subnet_id = optional(string),
subnet_key = optional(string),
network_firewall_policy_id = optional(string),
network_firewall_policy_key = optional(string)
}))),
network_firewall_policies = optional(map(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
# application_lists = optional(map(object({
# application_list_name = string,
# application_values = map(object({
# type = string,
# icmp_type = optional(string),
# icmp_code = optional(string),
# minimum_port = optional(number),
# maximum_port = optional(number)
# }))
# })))
applications = optional(map(object({
name = string,
type = string,
icmp_type = optional(string),
icmp_code = optional(string),
})))
decryption_profiles = optional(map(object({
type = string, # Valid values: "SSL_FORWARD_PROXY", "SSL_INBOUND_INSPECTION"
name = string,
is_out_of_capacity_blocked = optional(bool),
is_unsupported_cipher_blocked = optional(bool),
is_unsupported_version_blocked = optional(bool),
are_certificate_extensions_restricted = optional(bool), # Applicable only when type = "SSL_FORWARD_PROXY"
is_auto_include_alt_name = optional(bool), # Applicable only when type = "SSL_FORWARD_PROXY"
is_expired_certificate_blocked = optional(bool), # Applicable only when type = "SSL_FORWARD_PROXY"
is_revocation_status_timeout_blocked = optional(bool), # Applicable only when type = "SSL_FORWARD_PROXY"
is_unknown_revocation_status_blocked = optional(bool), # Applicable only when type = "SSL_FORWARD_PROXY"
is_untrusted_issuer_blocked = optional(bool) # Applicable only when type = "SSL_FORWARD_PROXY"
})))
ip_address_lists = optional(map(object({
name = string,
type = string, # Valid values: "FQND", "IP"
addresses = list(string)
})))
decryption_rules = optional(map(object({
name = string,
action = string,
decryption_profile_id = optional(string),
secret = optional(string),
destination_ip_address_list = optional(string),
source_ip_address_list = optional(string)
})))
mapped_secrets = optional(map(object({
name = string,
type = string, # Valid values: SSL_FORWARD_PROXY, SSL_INBOUND_INSPECTION
source = string, # Valid value: OCI_VAULT
vault_secret_id = string,
version_number = string,
})))
security_rules = optional(map(object({
action = string, # Valid values: ALLOW,DROP,REJECT,INSPECT
name = string,
application = optional(list(string)),
destination_address = optional(list(string)),
service = optional(list(string)),
source_address = optional(list(string)),
url = optional(list(string)),
inspection = optional(string), # This is only applicable if action is INSPECT
after_rule = optional(string),
before_rule = optional(string)
})))
url_lists = optional(map(object({
name = string,
pattern = string,
type = string # Valid value: SIMPLE
})))
})))
}))
l7_load_balancers = optional(map(object({
compartment_id = optional(string),
display_name = string,
shape = string,
subnet_ids = list(string),
subnet_keys = list(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
ip_mode = optional(string),
is_private = optional(bool),
network_security_group_ids = optional(list(string)),
network_security_group_keys = optional(list(string)),
reserved_ips_ids = optional(list(string)),
reserved_ips_keys = optional(list(string))
shape_details = optional(object({
maximum_bandwidth_in_mbps = number,
minimum_bandwidth_in_mbps = number
}))
backend_sets = optional(map(object({
health_checker = object({
protocol = string,
interval_ms = number,
is_force_plain_text = bool,
port = number,
response_body_regex = optional(string),
retries = number,
return_code = number,
timeout_in_millis = number,
url_path = optional(string)
})
name = string,
policy = string,
lb_cookie_session_persistence_configuration = optional(object({
cookie_name = optional(string),
disable_fallback = optional(bool),
domain = optional(string),
is_http_only = optional(bool),
is_secure = optional(bool),
max_age_in_seconds = optional(number),
path = optional(string),
}))
session_persistence_configuration = optional(object({
cookie_name = string,
disable_fallback = optional(bool)
}))
ssl_configuration = optional(object({
certificate_ids = optional(list(string)),
certificate_keys = optional(list(string)),
certificate_name = optional(string),
cipher_suite_name = optional(string),
protocols = optional(list(string)),
server_order_preference = optional(string),
trusted_certificate_authority_ids = optional(list(string)),
trusted_certificate_authority_keys = optional(list(string)),
verify_depth = optional(number),
verify_peer_certificate = optional(bool),
}))
backends = optional(map(object({
ip_address = string,
port = number,
backup = optional(bool),
drain = optional(bool),
offline = optional(bool),
weight = optional(number)
})))
})))
cipher_suites = optional(map(object({
ciphers = list(string),
name = string
})))
path_route_sets = optional(map(object({
name = string,
path_routes = map(object({
backend_set_key = string,
path = string,
path_match_type = object({
match_type = string
})
}))
})))
host_names = optional(map(object({
hostname = string,
name = string
})))
routing_policies = optional(map(object({
condition_language_version = string,
name = string,
rules = map(object({
actions = map(object({
backend_set_key = string,
name = string,
}))
condition = string,
name = string
}))
})))
rule_sets = optional(map(object({
name = string,
items = map(object({
action = string,
allowed_methods = optional(list(string)),
are_invalid_characters_allowed = optional(bool),
conditions = optional(map(object({
attribute_name = string,
attribute_value = string,
operator = optional(string)
})))
description = optional(string),
header = optional(string),
http_large_header_size_in_kb = optional(number),
prefix = optional(string),
redirect_uri = optional(object({
host = optional(string, )
path = optional(string),
port = optional(number),
protocol = optional(string),
query = optional(string)
}))
response_code = optional(number)
status_code = optional(number),
suffix = optional(string),
value = optional(string)
}))
})))
certificates = optional(map(object({
#Required
certificate_name = string,
#Optional
ca_certificate = optional(string),
passphrase = optional(string),
private_key = optional(string),
public_certificate = optional(string)
})))
listeners = optional(map(object({
default_backend_set_key = string,
name = string,
port = string,
protocol = string,
connection_configuration = optional(object({
idle_timeout_in_seconds = number,
backend_tcp_proxy_protocol_version = optional(string)
}))
hostname_keys = optional(list(string)),
path_route_set_key = optional(string),
routing_policy_key = optional(string),
rule_set_keys = optional(list(string)),
ssl_configuration = optional(object({
certificate_key = optional(string),
certificate_ids = optional(list(string)),
cipher_suite_key = optional(string),
protocols = optional(list(string)),
server_order_preference = optional(string),
trusted_certificate_authority_ids = optional(list(string)),
verify_depth = optional(number),
verify_peer_certificate = optional(bool)
}))
})))
})))
}))
}
)))
})
| n/a | yes |
-| [network\_dependency](#input\_network\_dependency) | An object containing the externally managed network resources this module may depend on. Supported resources are 'vcns', 'dynamic\_routing\_gateways', 'drg\_attachments', 'local\_peering\_gateways', and 'remote\_peering\_connections', represented as map of objects. Each object, when defined, must have an 'id' attribute of string type set with the VCN, DRG OCID, DRG Attachment OCID, Local Peering Gateway OCID or Remote Peering Connection OCID. 'remote\_peering\_connections' must also pass the peer region name in the region\_name attribute. See External Dependencies section in README.md (https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-networking#ext-dep) for details. | object({
vcns = optional(map(object({
id = string # the VCN OCID
})))
dynamic_routing_gateways = optional(map(object({
id = string # the DRG OCID
})))
drg_attachments = optional(map(object({
id = string # the DRG attachment OCID
})))
local_peering_gateways = optional(map(object({
id = string # the LPG OCID
})))
remote_peering_connections = optional(map(object({
id = string # the peer RPC OCID
region_name = string # the peer RPC region name
})))
})
| `null` | no |
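Review bot: the added `network_configuration` row has `n/a` as its description, which leaves the module's only required input undocumented; add a `description` to the variable in variables.tf (terraform-docs renders it into this column) and, since `tsig_keys.secret` (and, if carried over from the row being replaced, the IPsec tunnel `shared_secret`, `bgp_md5auth_key` and the certificate `private_key`/`passphrase` attributes) are plain strings that land in tfvars files and in Terraform state, either mark the variable `sensitive = true` or point callers at the `mapped_secrets.vault_secret_id` style of reference for those values. The two copies of the per-VCN sub-schema in the same row also diverge and should be aligned (or declared once and reused) before merging: `dns_resolver.rules` declares `qname_cover_conditions = optional(list(string))` and `client_address_conditions = optional(list(string))` under `vcns` but `qname_cover_condtions = optional(string)` (typo) and `client_address_condition = optional(string)` under `inject_into_existing_vcns`; `network_security_groups.ingress_rules` makes `dst_port_min`/`dst_port_max` optional under `vcns` but requires `dst_port_min = number` / `dst_port_max = number` under `inject_into_existing_vcns`, which would reject ICMP or all-protocol rules that carry no ports there; `dns_records.ttl` is `optional(number)` in one copy and `optional(string)` in the other; and the injected copy drops `compartment_id` from `dns_rrset` and `existing_view_id` from `attached_views`. Separately, `resolver_endpoints.is_forwarding`/`is_listening` read as flags and would be clearer typed `optional(bool)` rather than `optional(string)`.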
+| [network\_configuration](#input\_network\_configuration) | n/a | object({
default_compartment_id = optional(string),
default_defined_tags = optional(map(string)),
default_freeform_tags = optional(map(string)),
default_enable_cis_checks = optional(bool),
default_ssh_ports_to_check = optional(list(number)),
network_configuration_categories = optional(map(object({
category_compartment_id = optional(string),
category_defined_tags = optional(map(string)),
category_freeform_tags = optional(map(string)),
category_enable_cis_checks = optional(bool),
category_ssh_ports_to_check = optional(list(number)),
vcns = optional(map(object({
compartment_id = optional(string),
display_name = optional(string),
byoipv6cidr_details = optional(map(object({
byoipv6range_id = string
ipv6cidr_block = string
})))
ipv6private_cidr_blocks = optional(list(string)),
is_ipv6enabled = optional(bool),
is_oracle_gua_allocation_enabled = optional(bool),
cidr_blocks = optional(list(string)),
dns_label = optional(string),
block_nat_traffic = optional(bool),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
default_security_list = optional(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
ingress_rules = optional(list(object({
stateless = optional(bool),
protocol = string,
description = optional(string),
src = string,
src_type = string,
src_port_min = optional(number),
src_port_max = optional(number),
dst_port_min = optional(number),
dst_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
}))),
egress_rules = optional(list(object({
stateless = optional(bool),
protocol = string,
description = optional(string),
dst = string,
dst_type = string,
src_port_min = optional(number),
src_port_max = optional(number),
dst_port_min = optional(number),
dst_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
})))
}))
security_lists = optional(map(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
display_name = optional(string),
ingress_rules = optional(list(object({
stateless = optional(bool),
protocol = string,
description = optional(string),
src = string,
src_type = string,
src_port_min = optional(number),
src_port_max = optional(number),
dst_port_min = optional(number),
dst_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
}))),
egress_rules = optional(list(object({
stateless = optional(bool),
protocol = string,
description = optional(string),
dst = string,
dst_type = string,
src_port_min = optional(number),
src_port_max = optional(number),
dst_port_min = optional(number),
dst_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
})))
})))
default_route_table = optional(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
display_name = optional(string),
route_rules = optional(map(object({
network_entity_id = optional(string),
network_entity_key = optional(string),
description = optional(string),
// Supported values:
// - "a cidr block"
// - "objectstorage" or "all-services" - only for "SERVICE_CIDR_BLOCK"
destination = optional(string),
// Supported values:
// - "CIDR_BLOCK"
// - "SERVICE_CIDR_BLOCK" - only for SGW
destination_type = optional(string),
})))
}))
route_tables = optional(map(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
display_name = optional(string),
route_rules = optional(map(object({
network_entity_id = optional(string),
network_entity_key = optional(string),
description = optional(string),
// Supported values:
// - "a cidr block"
// - "objectstorage" or "all-services" - only for "SERVICE_CIDR_BLOCK"
destination = optional(string),
// Supported values:
// - "CIDR_BLOCK"
// - "SERVICE_CIDR_BLOCK" - only for SGW
destination_type = optional(string),
})))
})))
default_dhcp_options = optional(object({
compartment_id = optional(string),
display_name = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
domain_name_type = optional(string),
options = map(object({
type = string,
server_type = optional(string),
custom_dns_servers = optional(list(string))
search_domain_names = optional(list(string))
}))
}))
dhcp_options = optional(map(object({
compartment_id = optional(string),
display_name = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
domain_name_type = optional(string),
options = map(object({
type = string,
server_type = optional(string),
custom_dns_servers = optional(list(string))
search_domain_names = optional(list(string))
}))
})))
subnets = optional(map(object({
cidr_block = string,
compartment_id = optional(string),
#Optional
availability_domain = optional(string),
defined_tags = optional(map(string)),
dhcp_options_key = optional(string),
display_name = optional(string),
dns_label = optional(string),
freeform_tags = optional(map(string)),
ipv6cidr_block = optional(string),
ipv6cidr_blocks = optional(list(string)),
prohibit_internet_ingress = optional(bool),
prohibit_public_ip_on_vnic = optional(bool),
route_table_key = optional(string),
security_list_keys = optional(list(string))
})))
network_security_groups = optional(map(object({
compartment_id = optional(string),
display_name = optional(string),
defined_tags = optional(map(string))
freeform_tags = optional(map(string))
ingress_rules = optional(map(object({
description = optional(string),
protocol = string,
stateless = optional(bool),
src = optional(string),
src_type = optional(string),
dst_port_min = optional(number),
dst_port_max = optional(number),
src_port_min = optional(number),
src_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
}))),
egress_rules = optional(map(object({
description = optional(string),
protocol = string,
stateless = optional(bool),
dst = optional(string),
dst_type = optional(string),
dst_port_min = optional(number),
dst_port_max = optional(number),
src_port_min = optional(number),
src_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
})))
})))
dns_resolver = optional(object({
display_name = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
attached_views = optional(map(object({
existing_view_id = optional(string) # an existing externally managed view. Assign either this attribute or the others for having this module managing the view.
compartment_id = optional(string),
display_name = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
dns_zones = optional(map(object({
compartment_id = optional(string),
name = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
scope = optional(string),
zone_type = optional(string),
external_downstreams = optional(list(object({
address = optional(string),
ports = optional(string),
tsig_key = optional(string),
}))),
external_masters = optional(list(object({
address = optional(string),
port = optional(string),
tsig_key = optional(string),
}))),
dns_records = optional(map(object({
domain = optional(string),
compartment_id = optional(string),
rtype = optional(string),
rdata = optional(string),
ttl = optional(number),
})))
dns_rrset = optional(map(object({
compartment_id = optional(string)
domain = optional(string),
rtype = optional(string),
scope = optional(string),
items = optional(list(object({
domain = optional(string),
rdata = optional(string),
rtype = optional(string),
ttl = optional(string),
})))
})))
dns_steering_policies = optional(map(object({
compartment_id = optional(string),
domain_name = optional(string),
display_name = optional(string),
template = optional(string),
answers = optional(list(object({
name = optional(string),
rdata = optional(string),
rtype = optional(string),
is_disabled = optional(bool),
pool = optional(string),
}))),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
health_check_monitor_id = optional(string)
rules = optional(list(object({
rule_type = optional(string)
cases = optional(list(object({
answer_data = optional(object({
answer_condition = optional(string)
should_keep = optional(string)
value = optional(string)
})),
case_condition = optional(string),
count = optional(number)
}))),
default_answer_data = optional(object({
answer_condition = optional(string),
should_keep = optional(bool),
value = optional(string),
})),
default_count = optional(number),
description = optional(string),
}))),
ttl = optional(string),
}))),
}))),
}))),
rules = optional(list(object({
action = optional(string),
destination_address = optional(list(string)),
source_endpoint_name = optional(string),
client_address_conditions = optional(list(string)),
qname_cover_conditions = optional(list(string)),
}))),
resolver_endpoints = optional(map(object({
name = optional(string),
is_forwarding = optional(string),
is_listening = optional(string),
subnet = optional(string),
endpoint_type = optional(string),
forwarding_address = optional(string),
listening_address = optional(string),
nsg = optional(list(string)),
}))),
tsig_keys = optional(map(object({
compartment_id = optional(string),
algorithm = optional(string),
name = optional(string),
secret = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
}))),
}))
vcn_specific_gateways = optional(object({
internet_gateways = optional(map(object({
compartment_id = optional(string),
enabled = optional(bool),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
route_table_key = optional(string)
})))
nat_gateways = optional(map(object({
compartment_id = optional(string),
block_traffic = optional(bool),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
public_ip_id = optional(string),
route_table_key = optional(string)
})))
service_gateways = optional(map(object({
compartment_id = optional(string),
// SGW services value:
// - objectstorage - for object storage access
// - all-services - for all OCI internal network services access
services = string,
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
route_table_key = optional(string)
})))
local_peering_gateways = optional(map(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
peer_id = optional(string),
peer_key = optional(string),
route_table_key = optional(string)
})))
}))
})))
inject_into_existing_vcns = optional(map(object({
vcn_id = string,
default_security_list = optional(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
ingress_rules = optional(list(object({
stateless = optional(bool),
protocol = string,
description = optional(string),
src = string,
src_type = string,
src_port_min = optional(number),
src_port_max = optional(number),
dst_port_min = optional(number),
dst_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
}))),
egress_rules = optional(list(object({
stateless = optional(bool),
protocol = string,
description = optional(string),
dst = string,
dst_type = string,
src_port_min = optional(number),
src_port_max = optional(number),
dst_port_min = optional(number),
dst_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
})))
}))
security_lists = optional(map(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
display_name = optional(string),
ingress_rules = optional(list(object({
stateless = optional(bool),
protocol = string,
description = optional(string),
src = string,
src_type = string,
src_port_min = optional(number),
src_port_max = optional(number),
dst_port_min = optional(number),
dst_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
}))),
egress_rules = optional(list(object({
stateless = optional(bool),
protocol = string,
description = optional(string),
dst = string,
dst_type = string,
src_port_min = optional(number),
src_port_max = optional(number),
dst_port_min = optional(number),
dst_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
})))
})))
default_route_table = optional(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
display_name = optional(string),
route_rules = optional(map(object({
network_entity_id = optional(string),
network_entity_key = optional(string),
description = optional(string),
// Supported values:
// - "a cidr block"
// - "objectstorage" or "all-services" - only for "SERVICE_CIDR_BLOCK"
destination = optional(string),
// Supported values:
// - "CIDR_BLOCK"
// - "SERVICE_CIDR_BLOCK" - only for SGW
destination_type = optional(string),
})))
}))
route_tables = optional(map(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
display_name = optional(string),
route_rules = optional(map(object({
network_entity_id = optional(string),
network_entity_key = optional(string),
description = optional(string),
// Supported values:
// - "a cidr block"
// - "objectstorage" or "all-services" - only for "SERVICE_CIDR_BLOCK"
destination = optional(string),
// Supported values:
// - "CIDR_BLOCK"
// - "SERVICE_CIDR_BLOCK" - only for SGW
destination_type = optional(string)
})))
})))
default_dhcp_options = optional(object({
compartment_id = optional(string),
display_name = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
domain_name_type = optional(string),
options = map(object({
type = string,
server_type = optional(string),
custom_dns_servers = optional(list(string))
search_domain_names = optional(list(string))
}))
}))
dhcp_options = optional(map(object({
compartment_id = optional(string),
display_name = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
domain_name_type = optional(string),
options = map(object({
type = string,
server_type = optional(string),
custom_dns_servers = optional(list(string))
search_domain_names = optional(list(string))
}))
})))
subnets = optional(map(object({
cidr_block = string,
compartment_id = optional(string),
#Optional
availability_domain = optional(string),
defined_tags = optional(map(string)),
dhcp_options_id = optional(string),
dhcp_options_key = optional(string),
display_name = optional(string),
dns_label = optional(string),
freeform_tags = optional(map(string)),
ipv6cidr_block = optional(string),
ipv6cidr_blocks = optional(list(string)),
prohibit_internet_ingress = optional(bool),
prohibit_public_ip_on_vnic = optional(bool),
route_table_id = optional(string),
route_table_key = optional(string),
security_list_ids = optional(list(string)),
security_list_keys = optional(list(string))
})))
network_security_groups = optional(map(object({
compartment_id = optional(string),
display_name = optional(string),
defined_tags = optional(map(string))
freeform_tags = optional(map(string))
ingress_rules = optional(map(object({
description = optional(string),
protocol = string,
stateless = optional(bool),
src = optional(string),
src_type = optional(string),
dst_port_min = number,
dst_port_max = number,
src_port_min = optional(number),
src_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
}))),
egress_rules = optional(map(object({
description = optional(string),
protocol = string,
stateless = optional(bool),
dst = optional(string),
dst_type = optional(string),
dst_port_min = optional(number),
dst_port_max = optional(number),
src_port_min = optional(number),
src_port_max = optional(number),
icmp_type = optional(number),
icmp_code = optional(number)
})))
})))
dns_resolver = optional(object({
display_name = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
attached_views = optional(map(object({
compartment_id = optional(string),
display_name = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
dns_zones = optional(map(object({
compartment_id = optional(string),
name = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
scope = optional(string),
zone_type = optional(string),
external_downstreams = optional(list(object({
address = optional(string),
ports = optional(string),
tsig_key = optional(string),
}))),
external_masters = optional(list(object({
address = optional(string),
port = optional(string),
tsig_key = optional(string),
}))),
dns_records = optional(map(object({
domain = optional(string),
compartment_id = optional(string),
rtype = optional(string),
rdata = optional(string),
ttl = optional(string),
})))
dns_rrset = optional(map(object({
domain = optional(string),
rtype = optional(string),
scope = optional(string),
items = optional(list(object({
domain = optional(string),
rdata = optional(string),
rtype = optional(string),
ttl = optional(string),
})))
})))
dns_steering_policies = optional(map(object({
compartment_id = optional(string),
domain_name = optional(string),
display_name = optional(string),
template = optional(string),
answers = optional(list(object({
name = optional(string),
rdata = optional(string),
rtype = optional(string),
is_disabled = optional(bool),
pool = optional(string),
}))),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
health_check_monitor_id = optional(string)
rules = optional(list(object({
rule_type = optional(string)
cases = optional(list(object({
answer_data = optional(object({
answer_condition = optional(string)
should_keep = optional(string)
value = optional(string)
})),
case_condition = optional(string),
count = optional(number)
}))),
default_answer_data = optional(object({
answer_condition = optional(string),
should_keep = optional(bool),
value = optional(string),
})),
default_count = optional(number),
description = optional(string),
}))),
ttl = optional(string),
}))),
}))),
}))),
rules = optional(list(object({
action = optional(string),
destination_address = optional(string),
source_endpoint_name = optional(string),
client_address_condition = optional(string),
qname_cover_condtions = optional(string),
}))),
resolver_endpoints = optional(map(object({
name = optional(string),
is_forwarding = optional(bool),
is_listening = optional(bool),
subnet = optional(string),
endpoint_type = optional(string),
forwarding_address = optional(string),
listening_address = optional(string),
nsg = optional(string),
}))),
tsig_keys = optional(map(object({
compartment_id = optional(string),
algorithm = optional(string),
name = optional(string),
secret = optional(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
}))),
}))
vcn_specific_gateways = optional(object({
internet_gateways = optional(map(object({
compartment_id = optional(string),
enabled = optional(bool),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
route_table_id = optional(string),
route_table_key = optional(string)
})))
nat_gateways = optional(map(object({
compartment_id = optional(string),
block_traffic = optional(bool),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
public_ip_id = optional(string),
route_table_id = optional(string),
route_table_key = optional(string)
})))
service_gateways = optional(map(object({
compartment_id = optional(string),
// SGW services value:
// - objectstorage - for object storage access
// - all-services - for all OCI internal network services access
services = string,
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
route_table_id = optional(string),
route_table_key = optional(string)
})))
local_peering_gateways = optional(map(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
peer_id = optional(string),
peer_key = optional(string),
route_table_id = optional(string),
route_table_key = optional(string)
})))
}))
})))
IPs = optional(object({
public_ips_pools = optional(map(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
})))
public_ips = optional(map(object({
compartment_id = optional(string),
lifetime = string,
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
private_ip_id = optional(string),
public_ip_pool_id = optional(string),
public_ip_pool_key = optional(string)
})))
}))
non_vcn_specific_gateways = optional(object({
dynamic_routing_gateways = optional(map(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
remote_peering_connections = optional(map(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
peer_id = optional(string),
peer_key = optional(string),
peer_region_name = optional(string)
})))
drg_attachments = optional(map(object({
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
drg_route_table_id = optional(string),
drg_route_table_key = optional(string),
network_details = optional(object({
attached_resource_id = optional(string),
attached_resource_key = optional(string),
type = string,
route_table_id = optional(string),
route_table_key = optional(string),
vcn_route_type = optional(string)
}))
})))
drg_route_tables = optional(map(object({
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
import_drg_route_distribution_id = optional(string),
import_drg_route_distribution_key = optional(string),
is_ecmp_enabled = optional(bool),
route_rules = optional(map(object({
destination = string,
destination_type = string,
next_hop_drg_attachment_id = optional(string),
next_hop_drg_attachment_key = optional(string),
})))
})))
drg_route_distributions = optional(map(object({
distribution_type = string,
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string))
statements = optional(map(object({
action = string,
match_criteria = optional(object({
match_type = string,
attachment_type = optional(string),
drg_attachment_id = optional(string),
drg_attachment_key = optional(string)
}))
priority = optional(number)
})))
})))
})))
customer_premises_equipments = optional(map(object({
compartment_id = optional(string),
ip_address = string,
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
cpe_device_shape_id = optional(string),
cpe_device_shape_vendor_name = optional(string)
})))
ipsecs = optional(map(object({
compartment_id = optional(string),
cpe_id = optional(string),
cpe_key = optional(string),
drg_id = optional(string),
drg_key = optional(string),
static_routes = list(string),
cpe_local_identifier = optional(string),
cpe_local_identifier_type = optional(string),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
tunnels_management = optional(object({
tunnel_1 = optional(object({
routing = string,
bgp_session_info = optional(object({
customer_bgp_asn = optional(string),
customer_interface_ip = optional(string),
oracle_interface_ip = optional(string)
}))
encryption_domain_config = optional(object({
cpe_traffic_selector = optional(string),
oracle_traffic_selector = optional(string)
}))
shared_secret = optional(string),
ike_version = optional(string)
})),
tunnel_2 = optional(object({
routing = string,
bgp_session_info = optional(object({
customer_bgp_asn = optional(string),
customer_interface_ip = optional(string),
oracle_interface_ip = optional(string)
}))
encryption_domain_config = optional(object({
cpe_traffic_selector = optional(string),
oracle_traffic_selector = optional(string)
}))
shared_secret = optional(string),
ike_version = optional(string)
}))
}))
})))
fast_connect_virtual_circuits = optional(map(object({
#Required
compartment_id = optional(string),
provision_fc_virtual_circuit = bool,
show_available_fc_virtual_circuit_providers = bool,
type = string,
#Optional
bandwidth_shape_name = optional(string),
bgp_admin_state = optional(string),
cross_connect_mappings = optional(map(object({
#Optional
bgp_md5auth_key = optional(string)
cross_connect_or_cross_connect_group_id = optional(string)
cross_connect_or_cross_connect_group_key = optional(string)
customer_bgp_peering_ip = optional(string)
customer_bgp_peering_ipv6 = optional(string)
oracle_bgp_peering_ip = optional(string)
oracle_bgp_peering_ipv6 = optional(string)
vlan = optional(string)
})))
customer_asn = optional(string)
defined_tags = optional(map(string))
display_name = optional(string)
freeform_tags = optional(map(string))
ip_mtu = optional(number)
is_bfd_enabled = optional(bool)
gateway_id = optional(string)
gateway_key = optional(string)
provider_service_id = optional(string)
provider_service_key = optional(string)
provider_service_key_name = optional(string)
public_prefixes = optional(map(object({
#Required
cidr_block = string,
})))
region = optional(string)
routing_policy = optional(list(string))
})))
cross_connect_groups = optional(map(object({
compartment_id = optional(string),
customer_reference_name = optional(string),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
cross_connects = optional(map(object({
compartment_id = optional(string),
location_name = string,
port_speed_shape_name = string,
customer_reference_name = optional(string),
defined_tags = optional(map(string))
display_name = optional(string),
far_cross_connect_or_cross_connect_group_id = optional(string),
far_cross_connect_or_cross_connect_group_key = optional(string),
freeform_tags = optional(map(string))
near_cross_connect_or_cross_connect_group_id = optional(string),
near_cross_connect_or_cross_connect_group_key = optional(string),
})))
})))
inject_into_existing_drgs = optional(map(object({
drg_id = string,
remote_peering_connections = optional(map(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
peer_id = optional(string),
peer_key = optional(string),
peer_region_name = optional(string)
})))
drg_attachments = optional(map(object({
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
drg_route_table_id = optional(string),
drg_route_table_key = optional(string),
network_details = optional(object({
attached_resource_id = optional(string),
attached_resource_key = optional(string),
type = string,
route_table_id = optional(string),
route_table_key = optional(string),
vcn_route_type = optional(string)
}))
})))
drg_route_tables = optional(map(object({
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
import_drg_route_distribution_id = optional(string),
import_drg_route_distribution_key = optional(string),
is_ecmp_enabled = optional(bool),
route_rules = optional(map(object({
destination = string,
destination_type = string,
next_hop_drg_attachment_id = optional(string),
next_hop_drg_attachment_key = optional(string),
})))
})))
drg_route_distributions = optional(map(object({
distribution_type = string,
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string))
statements = optional(map(object({
action = string,
match_criteria = optional(object({
match_type = string,
attachment_type = optional(string),
drg_attachment_id = optional(string),
drg_attachment_key = optional(string)
}))
priority = number
})))
})))
})))
network_firewalls_configuration = optional(object({
network_firewalls = optional(map(object({
availability_domain = optional(number),
compartment_id = optional(string),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
ipv4address = optional(string),
ipv6address = optional(string),
network_security_group_ids = optional(list(string)),
network_security_group_keys = optional(list(string)),
subnet_id = optional(string),
subnet_key = optional(string),
network_firewall_policy_id = optional(string),
network_firewall_policy_key = optional(string)
}))),
network_firewall_policies = optional(map(object({
compartment_id = optional(string),
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
services = optional(map(object({
name = string
type = optional(string) # Valid values: "TCP_SERVICE" or "UDP_SERVICE"
minimum_port = number
maximum_port = optional(number)
})))
service_lists = optional(map(object({
name = string
services = list(string)
})))
applications = optional(map(object({
name = string,
type = string,
icmp_type = number,
icmp_code = optional(number),
})))
application_lists = optional(map(object({
name = string,
applications = list(string)
}))),
mapped_secrets = optional(map(object({
name = string,
type = string, # Valid values: SSL_FORWARD_PROXY, SSL_INBOUND_INSPECTION
source = string, # Valid value: OCI_VAULT
vault_secret_id = string,
version_number = string,
}))),
decryption_profiles = optional(map(object({
type = string, # Valid values: "SSL_FORWARD_PROXY", "SSL_INBOUND_INSPECTION"
name = string,
is_out_of_capacity_blocked = optional(bool),
is_unsupported_cipher_blocked = optional(bool),
is_unsupported_version_blocked = optional(bool),
are_certificate_extensions_restricted = optional(bool), # Applicable only when type = "SSL_FORWARD_PROXY"
is_auto_include_alt_name = optional(bool), # Applicable only when type = "SSL_FORWARD_PROXY"
is_expired_certificate_blocked = optional(bool), # Applicable only when type = "SSL_FORWARD_PROXY"
is_revocation_status_timeout_blocked = optional(bool), # Applicable only when type = "SSL_FORWARD_PROXY"
is_unknown_revocation_status_blocked = optional(bool), # Applicable only when type = "SSL_FORWARD_PROXY"
is_untrusted_issuer_blocked = optional(bool) # Applicable only when type = "SSL_FORWARD_PROXY"
}))),
decryption_rules = optional(map(object({
name = string,
action = string,
decryption_profile_id = optional(string),
secret = optional(string),
source_ip_address_list = optional(string),
destination_ip_address_list = optional(string)
}))),
address_lists = optional(map(object({
name = string,
type = string, # Valid values: "FQND", "IP"
addresses = list(string)
})))
url_lists = optional(map(object({
name = string,
pattern = string,
type = string # Valid value: SIMPLE
}))),
security_rules = optional(map(object({
action = string, # Valid values: ALLOW,DROP,REJECT,INSPECT
name = string,
application_lists = optional(list(string)),
destination_address_lists = optional(list(string)),
service_lists = optional(list(string)),
source_address_lists = optional(list(string)),
url_lists = optional(list(string)),
inspection = optional(string), # This is only applicable if action is INSPECT
after_rule = optional(string),
before_rule = optional(string)
})))
})))
}))
l7_load_balancers = optional(map(object({
compartment_id = optional(string),
display_name = string,
shape = string,
subnet_ids = list(string),
subnet_keys = list(string),
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
ip_mode = optional(string),
is_private = optional(bool),
network_security_group_ids = optional(list(string)),
network_security_group_keys = optional(list(string)),
reserved_ips_ids = optional(list(string)),
reserved_ips_keys = optional(list(string))
shape_details = optional(object({
maximum_bandwidth_in_mbps = number,
minimum_bandwidth_in_mbps = number
}))
backend_sets = optional(map(object({
health_checker = object({
protocol = string,
interval_ms = number,
is_force_plain_text = bool,
port = number,
response_body_regex = optional(string),
retries = number,
return_code = number,
timeout_in_millis = number,
url_path = optional(string)
})
name = string,
policy = string,
lb_cookie_session_persistence_configuration = optional(object({
cookie_name = optional(string),
disable_fallback = optional(bool),
domain = optional(string),
is_http_only = optional(bool),
is_secure = optional(bool),
max_age_in_seconds = optional(number),
path = optional(string),
}))
session_persistence_configuration = optional(object({
cookie_name = string,
disable_fallback = optional(bool)
}))
ssl_configuration = optional(object({
certificate_ids = optional(list(string)),
certificate_keys = optional(list(string)),
certificate_name = optional(string),
cipher_suite_name = optional(string),
protocols = optional(list(string)),
server_order_preference = optional(string),
trusted_certificate_authority_ids = optional(list(string)),
trusted_certificate_authority_keys = optional(list(string)),
verify_depth = optional(number),
verify_peer_certificate = optional(bool),
}))
backends = optional(map(object({
ip_address = string,
port = number,
backup = optional(bool),
drain = optional(bool),
offline = optional(bool),
weight = optional(number)
})))
})))
cipher_suites = optional(map(object({
ciphers = list(string),
name = string
})))
path_route_sets = optional(map(object({
name = string,
path_routes = map(object({
backend_set_key = string,
path = string,
path_match_type = object({
match_type = string
})
}))
})))
host_names = optional(map(object({
hostname = string,
name = string
})))
routing_policies = optional(map(object({
condition_language_version = string,
name = string,
rules = map(object({
actions = map(object({
backend_set_key = string,
name = string,
}))
condition = string,
name = string
}))
})))
rule_sets = optional(map(object({
name = string,
items = map(object({
action = string,
allowed_methods = optional(list(string)),
are_invalid_characters_allowed = optional(bool),
conditions = optional(map(object({
attribute_name = string,
attribute_value = string,
operator = optional(string)
})))
description = optional(string),
header = optional(string),
http_large_header_size_in_kb = optional(number),
prefix = optional(string),
redirect_uri = optional(object({
host = optional(string, )
path = optional(string),
port = optional(number),
protocol = optional(string),
query = optional(string)
}))
response_code = optional(number)
status_code = optional(number),
suffix = optional(string),
value = optional(string)
}))
})))
certificates = optional(map(object({
#Required
certificate_name = string,
#Optional
ca_certificate = optional(string),
passphrase = optional(string),
private_key = optional(string),
public_certificate = optional(string)
})))
listeners = optional(map(object({
default_backend_set_key = string,
name = string,
port = string,
protocol = string,
connection_configuration = optional(object({
idle_timeout_in_seconds = number,
backend_tcp_proxy_protocol_version = optional(string)
}))
hostname_keys = optional(list(string)),
path_route_set_key = optional(string),
routing_policy_key = optional(string),
rule_set_keys = optional(list(string)),
ssl_configuration = optional(object({
certificate_key = optional(string),
certificate_ids = optional(list(string)),
cipher_suite_key = optional(string),
protocols = optional(list(string)),
server_order_preference = optional(string),
trusted_certificate_authority_ids = optional(list(string)),
verify_depth = optional(number),
verify_peer_certificate = optional(bool)
}))
})))
})))
}))
}
)))
})
| n/a | yes |
+| [network\_dependency](#input\_network\_dependency) | An object containing the externally managed network resources this module may depend on. Supported resources are 'vcns', 'dynamic\_routing\_gateways', 'drg\_attachments', 'local\_peering\_gateways', 'remote\_peering\_connections', and 'dns\_private\_views', represented as map of objects. Each object, when defined, must have an 'id' attribute of string type set with the VCN, DRG OCID, DRG Attachment OCID, Local Peering Gateway OCID or Remote Peering Connection OCID. 'remote\_peering\_connections' must also pass the peer region name in the region\_name attribute. See External Dependencies section in README.md (https://github.com/oci-landing-zones/terraform-oci-modules-networking#ext-dep) for details. | object({
vcns = optional(map(object({
id = string # the VCN OCID
})))
dynamic_routing_gateways = optional(map(object({
id = string # the DRG OCID
})))
drg_attachments = optional(map(object({
id = string # the DRG attachment OCID
})))
local_peering_gateways = optional(map(object({
id = string # the LPG OCID
})))
remote_peering_connections = optional(map(object({
id = string # the peer RPC OCID
region_name = string # the peer RPC region name
})))
dns_private_views = optional(map(object({
id = string # the DNS private view OCID
})))
})
| `null` | no |
| [private\_ips\_dependency](#input\_private\_ips\_dependency) | An object containing the externally managed Private IP resources this module may depend on. All map objects must have the same type and must contain an 'id' attribute of string type set with the Private IP OCID. See External Dependencies section in README.md (https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-networking#ext-dep) for details. | map(object({
id = string
}))
| `null` | no |
## Outputs
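Review bot: The new `network_dependency` description enumerates the OCID each supported resource must carry (VCN, DRG, DRG attachment, Local Peering Gateway, Remote Peering Connection) but leaves out the `dns_private_views` entry that the same row adds to the type, so prose and type disagree; append "or DNS private view OCID" to that list. In the same table the `private_ips_dependency` row still links to `https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-networking#ext-dep` while the row above was moved to the `oci-landing-zones/terraform-oci-modules-networking` URL; update it here so the README does not point at two repositories. Minor: `host = optional(string, )` in the `redirect_uri` object carries a stray trailing comma inside the `optional()` call and should read `host = optional(string),`.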
diff --git a/dns.tf b/dns.tf
index 4cd7741..13c85e1 100644
--- a/dns.tf
+++ b/dns.tf
@@ -77,8 +77,7 @@ locals {
display_name = view_value.display_name
defined_tags = view_value.defined_tags
freeform_tags = view_value.freeform_tags
- }
-
+ } if view_value.existing_view_id == null
] : [] : []
]) : flat_attached_views.view_key => flat_attached_views
} : {}
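Review bot: The new filter reads `view_value.existing_view_id`, but the `attached_views` object type documented in the README hunk above (compartment_id, display_name, defined_tags, freeform_tags, dns_zones, ...) declares no `existing_view_id` attribute, so this change should also add `existing_view_id = optional(string)` to that type block and a sentence stating that when it is set the view is reused rather than created. It is worth saying there what a consumer may pass: the resolution added later in this diff accepts either a literal `ocid1...` OCID or a key into `network_dependency.dns_private_views`.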
@@ -101,6 +100,7 @@ locals {
external_downstreams = zone_value.external_downstreams != null ? zone_value.external_downstreams : []
external_masters = zone_value.external_masters != null ? zone_value.external_masters : []
zone_type = zone_value.zone_type
+ view_id = view_value.existing_view_id
}
] : []
] : [] : []
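Review bot: The attribute copied onto each zone is named `view_id` although it holds `view_value.existing_view_id` and stays null for views this module creates, whose real id is resolved from `view_key` later; naming it `existing_view_id` to match the input would make the three-way fallback in `oci_dns_zone` easier to follow.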
@@ -109,7 +109,7 @@ locals {
one_dimension_dns_steering_policies = local.one_dimension_processed_vcns != null ? {
for flat_dns_steering_policies in flatten([
- for vcn_key, vcn_value in local.one_dimension_processed_existing_vcns :
+ for vcn_key, vcn_value in local.one_dimension_processed_vcns :
vcn_value.dns_resolver != null ? vcn_value.dns_resolver.attached_views != null ? [
for view_key, view_value in vcn_value.dns_resolver.attached_views :
view_value.dns_zones != null ? [
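Review bot: Switching the steering-policy loop from `local.one_dimension_processed_existing_vcns` to `local.one_dimension_processed_vcns` is a behaviour change unrelated to the existing-view feature the rest of this diff adds; the guard two lines above already tests `local.one_dimension_processed_vcns != null`, so the old code checked one local and iterated another. Call the fix out in the commit message (or split it into its own commit) so it is not hidden inside the DNS view work.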
@@ -169,13 +169,11 @@ data "oci_core_vcn_dns_resolver_association" "dns_resolvers" {
resource "oci_dns_view" "these" {
for_each = local.one_dimension_dns_views
-
- compartment_id = each.value.compartment_id
-
- display_name = each.value.display_name
- scope = "PRIVATE"
- defined_tags = each.value.defined_tags
- freeform_tags = each.value.freeform_tags
+ compartment_id = each.value.compartment_id
+ display_name = each.value.display_name
+ scope = "PRIVATE"
+ defined_tags = each.value.defined_tags
+ freeform_tags = each.value.freeform_tags
}
@@ -186,7 +184,7 @@ resource "oci_dns_zone" "these" {
scope = each.value.scope
zone_type = each.value.zone_type
- view_id = each.value.view_key != null ? oci_dns_view.these[each.value.view_key].id : null
+ view_id = each.value.view_key != null ? (contains(keys(oci_dns_view.these),each.value.view_key) ? oci_dns_view.these[each.value.view_key].id : (length(regexall("^ocid1.*$", each.value.view_id)) > 0 ? each.value.view_id : var.network_dependency["dns_private_views"][each.value.view_id].id)) : null
dynamic "external_downstreams" {
for_each = each.value.external_downstreams
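Review bot: The fallback chain fails with opaque errors instead of a clear one: when `view_key` is set but is not a created view, `regexall(..., each.value.view_id)` runs against `view_id`, which is null unless `existing_view_id` was supplied, and `var.network_dependency["dns_private_views"][each.value.view_id]` errors when `network_dependency` is null (its documented default) or lacks that key. Wrap the lookup in `try()` (for example `try(var.network_dependency.dns_private_views[each.value.view_id].id, null)`) or add a `precondition` with a readable message, and move the whole resolution into a `locals` map keyed by zone rather than spelling it out inline. `can(regex("^ocid1\\.", each.value.view_id))` also reads better than `length(regexall("^ocid1.*$", ...)) > 0`.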
@@ -274,7 +272,7 @@ resource "oci_dns_resolver" "these" {
for_each = each.value.attached_views
iterator = views
content {
- view_id = oci_dns_view.these[views.key].id
+ view_id = views.key != null ? (contains(keys(oci_dns_view.these),views.key) ? oci_dns_view.these[views.key].id : (length(regexall("^ocid1.*$", views.value.existing_view_id)) > 0 ? views.value.existing_view_id : var.network_dependency["dns_private_views"][views.value.existing_view_id].id)) : null
}
}
defined_tags = each.value.defined_tags
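Review bot: This is the same three-level OCID-or-key resolution as in `oci_dns_zone`, duplicated against `views.value.existing_view_id`; two inline copies will drift, so compute the resolved view id once per attached view in `locals` and reference it from both resources. Also, `views.key != null` is always true for a map iterator key, so the outer ternary can be dropped.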
diff --git a/examples/TransitRouting-DRGHub-NFW/main.tf b/examples/TransitRouting-DRGHub-NFW/main.tf
index 8dbda6c..01a76a2 100644
--- a/examples/TransitRouting-DRGHub-NFW/main.tf
+++ b/examples/TransitRouting-DRGHub-NFW/main.tf
@@ -9,7 +9,6 @@
module "terraform_oci_networking" {
source = "../../"
-
network_configuration = var.network_configuration
}
diff --git a/examples/TransitRouting-DRGHub-NFW/network_configuration.auto.tfvars b/examples/TransitRouting-DRGHub-NFW/network_configuration.auto.tfvars
index 8f769c3..1643a31 100644
--- a/examples/TransitRouting-DRGHub-NFW/network_configuration.auto.tfvars
+++ b/examples/TransitRouting-DRGHub-NFW/network_configuration.auto.tfvars
@@ -8,7 +8,7 @@
# ####################################################################################################### #
network_configuration = {
- default_compartment_id = "ocid1.compartment.oc1....."
+ default_compartment_id = "ocid1.compartment.oc1....."
default_freeform_tags = {
"vision-environment" = "vision"
}
@@ -300,81 +300,61 @@ network_configuration = {
display_name = "hub_nfw"
subnet_key = "SUBNET-H-KEY"
ipv4address = "10.0.0.10"
- network_firewall_policy_key = "HUB-NFW-POLICY-KEY"
+ network_firewall_policy_key = "HUB-NFW-POLICY"
}
}
network_firewall_policies = {
- HUB-NFW-POLICY-KEY = {
- display_name = "hub_nfw_policy"
+ HUB-NFW-POLICY = {
+ display_name = "hubnfw-policy"
+ applications = {
+ HUBNFW-APP-1 = {
+ name = "hubnfw-app-1"
+ type = "ICMP"
+ icmp_type = "128"
+ }
+ }
application_lists = {
- hubnfw_app_list_1 = {
- application_list_name = "hubnfw_app_list_1"
- application_values = {
- hubnfw_app_list_1_1 = {
- type = "TCP"
- minimum_port = 80
- maximum_port = 8080
- }
- }
+ HUBNFW-APP-LIST = {
+ name = "hubnfw-app-list"
+ applications = ["HUBNFW-APP-1"]
}
}
-
- ip_address_lists = {
- hubnfw_ip_list = {
- ip_address_list_name = "hubnfw_ip_list"
- ip_address_list_value = ["10.0.0.1"]
+ address_lists = {
+ HUBNFW-IP-LIST = {
+ name = "hubnfw-ip-list"
+ addresses = ["10.0.0.1"]
+ type = "IP"
}
}
- security_rules = {
- SecurityRuleA = {
- action = "ALLOW"
- name = "SecurityRuleA"
- conditions = {
- prd_cond1_A = {
- applications = []
- destinations = ["hubnfw_ip_list"]
- sources = []
- urls = ["hubnfw_policy_url_1"]
- }
- }
+ url_lists = {
+ HUBNFW-URL-1 = {
+ name = "hubnfw-url-1",
+ type = "SIMPLE"
+ pattern = "www.oracle.com"
}
-
- SecurityRuleB = {
- action = "INSPECT"
- inspection = "INTRUSION_DETECTION"
- name = "SecurityRuleB"
- conditions = {
- prd_cond1_B = {
- applications = ["hubnfw_app_list_1"]
- destinations = []
- sources = ["hubnfw_ip_list"]
- urls = ["hubnfw_policy_url_1"]
- }
- }
+ HUBNFW-URL-2 = {
+ name = "hubnfw-url-2",
+ type = "SIMPLE"
+ pattern = "www.google.com"
}
}
- url_lists = {
- hubnfw_policy_url_1 = {
- url_list_name = "hubnfw_policy_url_1",
- url_list_values = {
- hubnfw_policy_url_1_1 = {
- type = "SIMPLE"
- pattern = "www.oracle.com"
- }
- hubnfw_policy_url_1_2 = {
- type = "SIMPLE"
- pattern = "www.google.com"
- }
- }
+ security_rules = {
+ SECURITY-RULE-A = {
+ action = "ALLOW"
+ name = "security-rule-a"
+ application_lists = []
+ destination_address_lists = ["HUBNFW-IP-LIST"]
+ source_address_lists = []
+ url_lists = ["HUBNFW-URL-1"]
}
- hubnfw_policy_url_2 = {
- url_list_name = "hubnfw_policy_url_2",
- url_list_values = {
- hubnfw_policy_url_2_1 = {
- type = "SIMPLE"
- pattern = "www.facebook.com"
- }
- }
+ SECURITY-RULE-B = {
+ action = "INSPECT"
+ inspection = "INTRUSION_DETECTION"
+ name = "security-rule-b"
+ application = ["HUBNFW-APP-LIST"]
+ destination_address = []
+ source_address = ["HUBNFW-IP-LIST"]
+ url_lists = ["HUBNFW-URL-2"]
}
}
}
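Review bot: `SECURITY-RULE-B` uses the attribute names `application`, `destination_address` and `source_address`, whereas `SECURITY-RULE-A` in the same block and the `security_rules` type in the README (`application_lists`, `destination_address_lists`, `source_address_lists`) use the list names. Terraform drops attributes that are not in the object type constraint, so with the example's own type constraint removed in this change the rule would reach the module with those conditions unset and no error; rename them to match rule A. Minor: `icmp_type = "128"` is a string where the `applications` type declares `icmp_type = number`; Terraform converts it, but write `128`.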
diff --git a/examples/TransitRouting-DRGHub-NFW/provider.tf b/examples/TransitRouting-DRGHub-NFW/provider.tf
index ed17fc6..564b449 100644
--- a/examples/TransitRouting-DRGHub-NFW/provider.tf
+++ b/examples/TransitRouting-DRGHub-NFW/provider.tf
@@ -21,9 +21,7 @@ terraform {
required_providers {
oci = {
- source = "oracle/oci"
- version = "<= 5.16.0"
- configuration_aliases = [oci]
+ source = "oracle/oci"
}
}
}
\ No newline at end of file
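Review bot: Dropping `version = "<= 5.16.0"` leaves the `oci` provider entirely unpinned, so the example will pick up whatever newest release is published; if the upper bound had to go because newer provider versions are needed for the network firewall resources, replace it with a lower bound (`version = ">= <minimum tested version>"`, placeholder to be filled in) or a `~>` constraint rather than none. Removing `configuration_aliases` looks safe, since `main.tf` in this diff passes no `providers` map to the module. The file also loses its trailing newline (`\ No newline at end of file`); add it back.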
diff --git a/examples/TransitRouting-DRGHub-NFW/variables.tf b/examples/TransitRouting-DRGHub-NFW/variables.tf
index 3f98647..4cbeae1 100644
--- a/examples/TransitRouting-DRGHub-NFW/variables.tf
+++ b/examples/TransitRouting-DRGHub-NFW/variables.tf
@@ -11,986 +11,6 @@ variable "private_key_password" {}
variable "region" {}
variable "network_configuration" {
- type = object({
- default_compartment_id = optional(string),
- default_defined_tags = optional(map(string)),
- default_freeform_tags = optional(map(string)),
- default_enable_cis_checks = optional(bool),
- default_ssh_ports_to_check = optional(list(number)),
-
- network_configuration_categories = optional(map(object({
- category_compartment_id = optional(string),
- category_defined_tags = optional(map(string)),
- category_freeform_tags = optional(map(string)),
- category_enable_cis_checks = optional(bool),
- category_ssh_ports_to_check = optional(list(number)),
-
- vcns = optional(map(object({
- compartment_id = optional(string),
- display_name = optional(string),
- byoipv6cidr_details = optional(map(object({
- byoipv6range_id = string
- ipv6cidr_block = string
- })))
- ipv6private_cidr_blocks = optional(list(string)),
- is_ipv6enabled = optional(bool),
- is_oracle_gua_allocation_enabled = optional(bool),
- cidr_blocks = optional(list(string)),
- dns_label = optional(string),
- block_nat_traffic = optional(bool),
- defined_tags = optional(map(string)),
- freeform_tags = optional(map(string)),
-
- default_security_list = optional(object({
- compartment_id = optional(string),
- defined_tags = optional(map(string)),
- freeform_tags = optional(map(string)),
- ingress_rules = optional(list(object({
- stateless = optional(bool),
- protocol = string,
- description = optional(string),
- src = string,
- src_type = string,
- src_port_min = optional(number),
- src_port_max = optional(number),
- dst_port_min = optional(number),
- dst_port_max = optional(number),
- icmp_type = optional(number),
- icmp_code = optional(number)
- }))),
- egress_rules = optional(list(object({
- stateless = optional(bool),
- protocol = string,
- description = optional(string),
- dst = string,
- dst_type = string,
- src_port_min = optional(number),
- src_port_max = optional(number),
- dst_port_min = optional(number),
- dst_port_max = optional(number),
- icmp_type = optional(number),
- icmp_code = optional(number)
- })))
- }))
-
- security_lists = optional(map(object({
- compartment_id = optional(string),
- defined_tags = optional(map(string)),
- freeform_tags = optional(map(string)),
- display_name = optional(string),
- ingress_rules = optional(list(object({
- stateless = optional(bool),
- protocol = string,
- description = optional(string),
- src = string,
- src_type = string,
- src_port_min = optional(number),
- src_port_max = optional(number),
- dst_port_min = optional(number),
- dst_port_max = optional(number),
- icmp_type = optional(number),
- icmp_code = optional(number)
- }))),
- egress_rules = optional(list(object({
- stateless = optional(bool),
- protocol = string,
- description = optional(string),
- dst = string,
- dst_type = string,
- src_port_min = optional(number),
- src_port_max = optional(number),
- dst_port_min = optional(number),
- dst_port_max = optional(number),
- icmp_type = optional(number),
- icmp_code = optional(number)
- })))
- })))
-
- default_route_table = optional(object({
- compartment_id = optional(string),
- defined_tags = optional(map(string)),
- freeform_tags = optional(map(string)),
- display_name = optional(string),
- route_rules = optional(map(object({
- network_entity_id = optional(string),
- network_entity_key = optional(string),
- description = optional(string),
- destination = optional(string),
- destination_type = optional(string)
- })))
- }))
-
- route_tables = optional(map(object({
- compartment_id = optional(string),
- defined_tags = optional(map(string)),
- freeform_tags = optional(map(string)),
- display_name = optional(string),
- route_rules = optional(map(object({
- network_entity_id = optional(string),
- network_entity_key = optional(string),
- description = optional(string),
- destination = optional(string),
- destination_type = optional(string)
- })))
- })))
-
- default_dhcp_options = optional(object({
- compartment_id = optional(string),
- display_name = optional(string),
- defined_tags = optional(map(string)),
- freeform_tags = optional(map(string)),
- domain_name_type = optional(string),
- options = map(object({
- type = string,
- server_type = optional(string),
- custom_dns_servers = optional(list(string))
- search_domain_names = optional(list(string))
- }))
- }))
-
- dhcp_options = optional(map(object({
- compartment_id = optional(string),
- display_name = optional(string),
- defined_tags = optional(map(string)),
- freeform_tags = optional(map(string)),
- domain_name_type = optional(string),
- options = map(object({
- type = string,
- server_type = optional(string),
- custom_dns_servers = optional(list(string))
- search_domain_names = optional(list(string))
- }))
- })))
-
- subnets = optional(map(object({
- cidr_block = string,
- compartment_id = optional(string),
- #Optional
- availability_domain = optional(string),
- defined_tags = optional(map(string)),
- dhcp_options_key = optional(string),
- display_name = optional(string),
- dns_label = optional(string),
- freeform_tags = optional(map(string)),
- ipv6cidr_block = optional(string),
- ipv6cidr_blocks = optional(list(string)),
- prohibit_internet_ingress = optional(bool),
- prohibit_public_ip_on_vnic = optional(bool),
- route_table_key = optional(string),
- security_list_keys = optional(list(string))
- })))
-
- network_security_groups = optional(map(object({
- compartment_id = optional(string),
- display_name = optional(string),
- defined_tags = optional(map(string))
- freeform_tags = optional(map(string))
- ingress_rules = optional(map(object({
- description = optional(string),
- protocol = string,
- stateless = optional(bool),
- src = optional(string),
- src_type = optional(string),
- dst_port_min = number,
- dst_port_max = number,
- src_port_min = optional(number),
- src_port_max = optional(number),
- icmp_type = optional(number),
- icmp_code = optional(number)
- }))),
- egress_rules = optional(map(object({
- description = optional(string),
- protocol = string,
- stateless = optional(bool),
- dst = optional(string),
- dst_type = optional(string),
- dst_port_min = optional(number),
- dst_port_max = optional(number),
- src_port_min = optional(number),
- src_port_max = optional(number),
- icmp_type = optional(number),
- icmp_code = optional(number)
- })))
- })))
-
- vcn_specific_gateways = optional(object({
- internet_gateways = optional(map(object({
- compartment_id = optional(string),
- enabled = optional(bool),
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string)),
- route_table_key = optional(string)
- })))
-
- nat_gateways = optional(map(object({
- compartment_id = optional(string),
- block_traffic = optional(bool),
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string)),
- public_ip_id = optional(string),
- route_table_key = optional(string)
- })))
-
- service_gateways = optional(map(object({
- compartment_id = optional(string),
- services = string,
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string)),
- route_table_key = optional(string)
- })))
-
- local_peering_gateways = optional(map(object({
- compartment_id = optional(string),
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string)),
- peer_id = optional(string),
- peer_key = optional(string),
- route_table_key = optional(string)
- })))
- }))
- })))
-
- inject_into_existing_vcns = optional(map(object({
-
- vcn_id = string,
-
- default_security_list = optional(object({
- compartment_id = optional(string),
- defined_tags = optional(map(string)),
- freeform_tags = optional(map(string)),
- ingress_rules = optional(list(object({
- stateless = optional(bool),
- protocol = string,
- description = optional(string),
- src = string,
- src_type = string,
- src_port_min = optional(number),
- src_port_max = optional(number),
- dst_port_min = optional(number),
- dst_port_max = optional(number),
- icmp_type = optional(number),
- icmp_code = optional(number)
- }))),
- egress_rules = optional(list(object({
- stateless = optional(bool),
- protocol = string,
- description = optional(string),
- dst = string,
- dst_type = string,
- src_port_min = optional(number),
- src_port_max = optional(number),
- dst_port_min = optional(number),
- dst_port_max = optional(number),
- icmp_type = optional(number),
- icmp_code = optional(number)
- })))
- }))
-
- security_lists = optional(map(object({
- compartment_id = optional(string),
- defined_tags = optional(map(string)),
- freeform_tags = optional(map(string)),
- display_name = optional(string),
- ingress_rules = optional(list(object({
- stateless = optional(bool),
- protocol = string,
- description = optional(string),
- src = string,
- src_type = string,
- src_port_min = optional(number),
- src_port_max = optional(number),
- dst_port_min = optional(number),
- dst_port_max = optional(number),
- icmp_type = optional(number),
- icmp_code = optional(number)
- }))),
- egress_rules = optional(list(object({
- stateless = optional(bool),
- protocol = string,
- description = optional(string),
- dst = string,
- dst_type = string,
- src_port_min = optional(number),
- src_port_max = optional(number),
- dst_port_min = optional(number),
- dst_port_max = optional(number),
- icmp_type = optional(number),
- icmp_code = optional(number)
- })))
- })))
-
- default_route_table = optional(object({
- compartment_id = optional(string),
- defined_tags = optional(map(string)),
- freeform_tags = optional(map(string)),
- display_name = optional(string),
- route_rules = optional(map(object({
- network_entity_id = optional(string),
- network_entity_key = optional(string),
- description = optional(string),
- destination = optional(string),
- destination_type = optional(string)
- })))
- }))
-
- route_tables = optional(map(object({
- compartment_id = optional(string),
- defined_tags = optional(map(string)),
- freeform_tags = optional(map(string)),
- display_name = optional(string),
- route_rules = optional(map(object({
- network_entity_id = optional(string),
- network_entity_key = optional(string),
- description = optional(string),
- destination = optional(string),
- destination_type = optional(string)
- })))
- })))
-
- default_dhcp_options = optional(object({
- compartment_id = optional(string),
- display_name = optional(string),
- defined_tags = optional(map(string)),
- freeform_tags = optional(map(string)),
- domain_name_type = optional(string),
- options = map(object({
- type = string,
- server_type = optional(string),
- custom_dns_servers = optional(list(string))
- search_domain_names = optional(list(string))
- }))
- }))
-
- dhcp_options = optional(map(object({
- compartment_id = optional(string),
- display_name = optional(string),
- defined_tags = optional(map(string)),
- freeform_tags = optional(map(string)),
- domain_name_type = optional(string),
- options = map(object({
- type = string,
- server_type = optional(string),
- custom_dns_servers = optional(list(string))
- search_domain_names = optional(list(string))
- }))
- })))
-
- subnets = optional(map(object({
- cidr_block = string,
- compartment_id = optional(string),
- #Optional
- availability_domain = optional(string),
- defined_tags = optional(map(string)),
- dhcp_options_id = optional(string),
- dhcp_options_key = optional(string),
- display_name = optional(string),
- dns_label = optional(string),
- freeform_tags = optional(map(string)),
- ipv6cidr_block = optional(string),
- ipv6cidr_blocks = optional(list(string)),
- prohibit_internet_ingress = optional(bool),
- prohibit_public_ip_on_vnic = optional(bool),
- route_table_id = optional(string),
- route_table_key = optional(string),
- security_list_ids = optional(list(string)),
- security_list_keys = optional(list(string))
- })))
-
- network_security_groups = optional(map(object({
- compartment_id = optional(string),
- display_name = optional(string),
- defined_tags = optional(map(string))
- freeform_tags = optional(map(string))
- ingress_rules = optional(map(object({
- description = optional(string),
- protocol = string,
- stateless = optional(bool),
- src = optional(string),
- src_type = optional(string),
- dst_port_min = number,
- dst_port_max = number,
- src_port_min = optional(number),
- src_port_max = optional(number),
- icmp_type = optional(number),
- icmp_code = optional(number)
- }))),
- egress_rules = optional(map(object({
- description = optional(string),
- protocol = string,
- stateless = optional(bool),
- dst = optional(string),
- dst_type = optional(string),
- dst_port_min = optional(number),
- dst_port_max = optional(number),
- src_port_min = optional(number),
- src_port_max = optional(number),
- icmp_type = optional(number),
- icmp_code = optional(number)
- })))
- })))
-
- vcn_specific_gateways = optional(object({
- internet_gateways = optional(map(object({
- compartment_id = optional(string),
- enabled = optional(bool),
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string)),
- route_table_id = optional(string),
- route_table_key = optional(string)
- })))
-
- nat_gateways = optional(map(object({
- compartment_id = optional(string),
- block_traffic = optional(bool),
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string)),
- public_ip_id = optional(string),
- route_table_id = optional(string),
- route_table_key = optional(string)
- })))
-
- service_gateways = optional(map(object({
- compartment_id = optional(string),
- services = string,
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string)),
- route_table_id = optional(string),
- route_table_key = optional(string)
- })))
-
- local_peering_gateways = optional(map(object({
- compartment_id = optional(string),
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string)),
- peer_id = optional(string),
- peer_key = optional(string),
- route_table_id = optional(string),
- route_table_key = optional(string)
- })))
- }))
- })))
-
- IPs = optional(object({
-
- public_ips_pools = optional(map(object({
- compartment_id = optional(string),
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string)),
- })))
-
- public_ips = optional(map(object({
- compartment_id = optional(string),
- lifetime = string,
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string)),
- private_ip_id = optional(string),
- public_ip_pool_id = optional(string),
- public_ip_pool_key = optional(string)
- })))
- }))
-
-
-
- non_vcn_specific_gateways = optional(object({
-
- dynamic_routing_gateways = optional(map(object({
- compartment_id = optional(string),
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string)),
-
- remote_peering_connections = optional(map(object({
- compartment_id = optional(string),
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string)),
- peer_id = optional(string),
- peer_key = optional(string),
- peer_region_name = optional(string)
- })))
-
- drg_attachments = optional(map(object({
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string)),
- drg_route_table_id = optional(string),
- drg_route_table_key = optional(string),
- network_details = optional(object({
- attached_resource_id = optional(string),
- attached_resource_key = optional(string),
- type = string,
- route_table_id = optional(string),
- route_table_key = optional(string),
- vcn_route_type = optional(string)
- }))
- })))
-
- drg_route_tables = optional(map(object({
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string)),
- import_drg_route_distribution_id = optional(string),
- import_drg_route_distribution_key = optional(string),
- is_ecmp_enabled = optional(bool),
- route_rules = optional(map(object({
- destination = string,
- destination_type = string,
- next_hop_drg_attachment_id = optional(string),
- next_hop_drg_attachment_key = optional(string),
- })))
- })))
-
- drg_route_distributions = optional(map(object({
- distribution_type = string,
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string))
- statements = optional(map(object({
- action = string,
- match_criteria = optional(object({
- match_type = string,
- attachment_type = optional(string),
- drg_attachment_id = optional(string),
- drg_attachment_key = optional(string)
- }))
- priority = optional(number)
- })))
- })))
- })))
-
- customer_premises_equipments = optional(map(object({
- compartment_id = optional(string),
- ip_address = string,
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string)),
- cpe_device_shape_id = optional(string),
- cpe_device_shape_vendor_name = optional(string)
- })))
-
- ipsecs = optional(map(object({
- compartment_id = optional(string),
- cpe_id = optional(string),
- cpe_key = optional(string),
- drg_id = optional(string),
- drg_key = optional(string),
- static_routes = list(string),
- cpe_local_identifier = optional(string),
- cpe_local_identifier_type = optional(string),
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string)),
- tunnels_management = optional(object({
- tunnel_1 = optional(object({
- routing = string,
- bgp_session_info = optional(object({
- customer_bgp_asn = optional(string),
- customer_interface_ip = optional(string),
- oracle_interface_ip = optional(string)
- }))
- encryption_domain_config = optional(object({
- cpe_traffic_selector = optional(string),
- oracle_traffic_selector = optional(string)
- }))
- shared_secret = optional(string),
- ike_version = optional(string)
- })),
- tunnel_2 = optional(object({
- routing = string,
- bgp_session_info = optional(object({
- customer_bgp_asn = optional(string),
- customer_interface_ip = optional(string),
- oracle_interface_ip = optional(string)
- }))
- encryption_domain_config = optional(object({
- cpe_traffic_selector = optional(string),
- oracle_traffic_selector = optional(string)
- }))
- shared_secret = optional(string),
- ike_version = optional(string)
- }))
- }))
- })))
-
- fast_connect_virtual_circuits = optional(map(object({
- #Required
- compartment_id = optional(string),
- provision_fc_virtual_circuit = bool,
- show_available_fc_virtual_circuit_providers = bool,
- type = string,
- #Optional
- bandwidth_shape_name = optional(string),
- bgp_admin_state = optional(string),
- cross_connect_mappings = optional(map(object({
- #Optional
- bgp_md5auth_key = optional(string)
- cross_connect_or_cross_connect_group_id = optional(string)
- cross_connect_or_cross_connect_group_key = optional(string)
- customer_bgp_peering_ip = optional(string)
- customer_bgp_peering_ipv6 = optional(string)
- oracle_bgp_peering_ip = optional(string)
- oracle_bgp_peering_ipv6 = optional(string)
- vlan = optional(string)
- })))
- customer_asn = optional(string)
- defined_tags = optional(map(string))
- display_name = optional(string)
- freeform_tags = optional(map(string))
- ip_mtu = optional(number)
- is_bfd_enabled = optional(bool)
- gateway_id = optional(string)
- gateway_key = optional(string)
- provider_service_id = optional(string)
- provider_service_key = optional(string)
- provider_service_key_name = optional(string)
- public_prefixes = optional(map(object({
- #Required
- cidr_block = string,
- })))
- region = optional(string)
- routing_policy = optional(list(string))
- })))
-
- cross_connect_groups = optional(map(object({
- compartment_id = optional(string),
- customer_reference_name = optional(string),
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string)),
- cross_connects = optional(map(object({
- compartment_id = optional(string),
- location_name = string,
- port_speed_shape_name = string,
- customer_reference_name = optional(string),
- defined_tags = optional(map(string))
- display_name = optional(string),
- far_cross_connect_or_cross_connect_group_id = optional(string),
- far_cross_connect_or_cross_connect_group_key = optional(string),
- freeform_tags = optional(map(string))
- near_cross_connect_or_cross_connect_group_id = optional(string),
- near_cross_connect_or_cross_connect_group_key = optional(string),
- })))
- })))
-
- inject_into_existing_drgs = optional(map(object({
- drg_id = string,
-
- remote_peering_connections = optional(map(object({
- compartment_id = optional(string),
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string)),
- peer_id = optional(string),
- peer_key = optional(string),
- peer_region_name = optional(string)
- })))
-
- drg_attachments = optional(map(object({
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string)),
- drg_route_table_id = optional(string),
- drg_route_table_key = optional(string),
- network_details = optional(object({
- attached_resource_id = optional(string),
- attached_resource_key = optional(string),
- type = string,
- route_table_id = optional(string),
- route_table_key = optional(string),
- vcn_route_type = optional(string)
- }))
- })))
-
- drg_route_tables = optional(map(object({
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string)),
- import_drg_route_distribution_id = optional(string),
- import_drg_route_distribution_key = optional(string),
- is_ecmp_enabled = optional(bool),
- route_rules = optional(map(object({
- destination = string,
- destination_type = string,
- next_hop_drg_attachment_id = optional(string),
- next_hop_drg_attachment_key = optional(string),
- })))
- })))
-
- drg_route_distributions = optional(map(object({
- distribution_type = string,
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string))
- statements = optional(map(object({
- action = string,
- match_criteria = optional(object({
- match_type = string,
- attachment_type = optional(string),
- drg_attachment_id = optional(string),
- drg_attachment_key = optional(string)
- }))
- priority = number
- })))
- })))
- })))
-
- network_firewalls_configuration = optional(object({
- network_firewalls = optional(map(object({
- availability_domain = optional(number),
- compartment_id = optional(string),
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string)),
- ipv4address = optional(string),
- ipv6address = optional(string),
- network_security_group_ids = optional(list(string)),
- network_security_group_keys = optional(list(string)),
- subnet_id = optional(string),
- subnet_key = optional(string),
- network_firewall_policy_id = optional(string),
- network_firewall_policy_key = optional(string)
- }))),
-
- network_firewall_policies = optional(map(object({
- compartment_id = optional(string),
- defined_tags = optional(map(string)),
- display_name = optional(string),
- freeform_tags = optional(map(string)),
- application_lists = optional(map(object({
- application_list_name = string,
- application_values = map(object({
- type = string,
- icmp_type = optional(string),
- icmp_code = optional(string),
- minimum_port = optional(number),
- maximum_port = optional(number)
- }))
- })))
- decryption_profiles = optional(map(object({
- is_out_of_capacity_blocked = bool,
- is_unsupported_cipher_blocked = bool,
- is_unsupported_version_blocked = bool,
- type = string,
- key = string,
- are_certificate_extensions_restricted = optional(bool),
- is_auto_include_alt_name = optional(bool),
- is_expired_certificate_blocked = optional(bool),
- is_revocation_status_timeout_blocked = optional(bool),
- is_unknown_revocation_status_blocked = optional(bool),
- is_untrusted_issuer_blocked = optional(bool)
- })))
- decryption_rules = optional(map(object({
- action = string,
- name = string,
- decryption_profile = optional(string),
- secret = optional(string),
- conditions = map(object({
- destinations = optional(list(string)),
- sources = optional(list(string))
- }))
- })))
- ip_address_lists = optional(map(object({
- ip_address_list_name = string,
- ip_address_list_value = list(string)
- })))
- mapped_secrets = optional(map(object({
- key = optional(string),
- type = string,
- vault_secret_id = string,
- version_number = string,
- })))
- security_rules = optional(map(object({
- action = string,
- inspection = optional(string),
- name = string
- conditions = map(object({
- applications = optional(list(string)),
- destinations = optional(list(string)),
- sources = optional(list(string)),
- urls = optional(list(string))
- }))
- })))
- url_lists = optional(map(object({
- url_list_name = string,
- url_list_values = map(object({
- type = string,
- pattern = string
- }))
- })))
- })))
- }))
-
- l7_load_balancers = optional(map(object({
- compartment_id = optional(string),
- display_name = string,
- shape = string,
- subnet_ids = list(string),
- subnet_keys = list(string),
- defined_tags = optional(map(string)),
- freeform_tags = optional(map(string)),
- ip_mode = optional(string),
- is_private = optional(bool),
- network_security_group_ids = optional(list(string)),
- network_security_group_keys = optional(list(string)),
- reserved_ips_ids = optional(list(string)),
- reserved_ips_keys = optional(list(string))
- shape_details = optional(object({
- maximum_bandwidth_in_mbps = number,
- minimum_bandwidth_in_mbps = number
- }))
- backend_sets = optional(map(object({
- health_checker = object({
- protocol = string,
- interval_ms = number,
- is_force_plain_text = bool,
- port = number,
- response_body_regex = optional(string),
- retries = number,
- return_code = number,
- timeout_in_millis = number,
- url_path = optional(string)
- })
- name = string,
- policy = string,
- lb_cookie_session_persistence_configuration = optional(object({
- cookie_name = optional(string),
- disable_fallback = optional(bool),
- domain = optional(string),
- is_http_only = optional(bool),
- is_secure = optional(bool),
- max_age_in_seconds = optional(number),
- path = optional(string),
- }))
- session_persistence_configuration = optional(object({
- cookie_name = string,
- disable_fallback = optional(bool)
- }))
- ssl_configuration = optional(object({
- certificate_ids = optional(list(string)),
- certificate_keys = optional(list(string)),
- certificate_name = optional(string),
- cipher_suite_name = optional(string),
- protocols = optional(list(string)),
- server_order_preference = optional(string),
- trusted_certificate_authority_ids = optional(list(string)),
- trusted_certificate_authority_keys = optional(list(string)),
- verify_depth = optional(number),
- verify_peer_certificate = optional(bool),
- }))
- backends = optional(map(object({
- ip_address = string,
- port = number,
- backup = optional(bool),
- drain = optional(bool),
- offline = optional(bool),
- weight = optional(number)
- })))
- })))
- cipher_suites = optional(map(object({
- ciphers = list(string),
- name = string
- })))
- path_route_sets = optional(map(object({
- name = string,
- path_routes = map(object({
- backend_set_key = string,
- path = string,
- path_match_type = object({
- match_type = string
- })
- }))
- })))
- host_names = optional(map(object({
- hostname = string,
- name = string
- })))
- routing_policies = optional(map(object({
- condition_language_version = string,
- name = string,
- rules = map(object({
- actions = map(object({
- backend_set_key = string,
- name = string,
- }))
- condition = string,
- name = string
- }))
- })))
- rule_sets = optional(map(object({
- name = string,
- items = map(object({
- action = string,
- allowed_methods = optional(list(string)),
- are_invalid_characters_allowed = optional(bool),
- conditions = optional(map(object({
- attribute_name = string,
- attribute_value = string,
- operator = optional(string)
- })))
- description = optional(string),
- header = optional(string),
- http_large_header_size_in_kb = optional(number),
- prefix = optional(string),
- redirect_uri = optional(object({
- host = optional(string, )
- path = optional(string),
- port = optional(number),
- protocol = optional(string),
- query = optional(string)
- }))
- response_code = optional(number)
- status_code = optional(number),
- suffix = optional(string),
- value = optional(string)
- }))
- })))
- certificates = optional(map(object({
- #Required
- certificate_name = string,
- #Optional
- ca_certificate = optional(string),
- passphrase = optional(string),
- private_key = optional(string),
- public_certificate = optional(string)
- })))
- listeners = optional(map(object({
- default_backend_set_key = string,
- name = string,
- port = string,
- protocol = string,
- connection_configuration = optional(object({
- idle_timeout_in_seconds = number,
- backend_tcp_proxy_protocol_version = optional(string)
- }))
- hostname_keys = optional(list(string)),
- path_route_set_key = optional(string),
- routing_policy_key = optional(string),
- rule_set_keys = optional(list(string)),
- ssl_configuration = optional(object({
- certificate_key = optional(string),
- certificate_ids = optional(list(string)),
- cipher_suite_key = optional(string),
- protocols = optional(list(string)),
- server_order_preference = optional(string),
- trusted_certificate_authority_ids = optional(list(string)),
- verify_depth = optional(number),
- verify_peer_certificate = optional(bool)
- }))
- })))
- })))
- }))
- }
- )))
- })
+ type = any
}
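Review bot: collapsing the full object schema into `type = any` removes the shape validation Terraform previously performed on `network_configuration`, so a misspelled or unsupported attribute is no longer rejected at `terraform plan` time (the `terraform.tfvars.template` added in this same change spells `enpoint_type`, which the old typed schema would have caught if that attribute was declared). If the motivation is optional attributes, the removed definition already used `optional(...)` throughout; consider keeping a typed object, or at minimum adding `validation` blocks for the attributes that carry security meaning (`prohibit_internet_ingress`, `prohibit_public_ip_on_vnic`, `security_list_keys`, and `protocol`/`src`/`dst` on security-list and NSG rules) and stating in SPEC.md that the input is no longer type-checked.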
diff --git a/examples/dns-view-injection/README.md b/examples/dns-view-injection/README.md
new file mode 100644
index 0000000..b4c0168
--- /dev/null
+++ b/examples/dns-view-injection/README.md
@@ -0,0 +1,24 @@
+# OCI Private DNS View Injection Example
+
+## Description
+
+This example shows how to inject na existing private DNS view to a DNS resolver managed by the [terraform-oci-landing-zones-networking](../..) module.
+
+It directly injects the existing private DNS view OCID into the *attached_view*'s *existing_view_id* attribute.
+
+Optionally, it could also inject a key within *dns_private_views* attribute of *network_dependency* variable.
+
+## Using this example
+1. Rename *terraform.tfvars.template* to *terraform.tfvars*.
+
+2. Within *terraform.tfvars*, provide tenancy connectivity information and adjust the input variables, by making the appropriate substitutions:
+ - Replace \ placeholder with appropriate value.
+
+Refer to [Networking module README.md](../../README.md) for overall attributes usage.
+
+3. In this folder, run the typical Terraform workflow:
+```
+terraform init
+terraform plan -out plan.out
+terraform apply plan.out
+```
\ No newline at end of file
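Review bot: the substitution instruction in step 2, `Replace \ placeholder with appropriate value`, has lost the placeholder name (most likely an angle-bracketed token swallowed by Markdown), so readers cannot tell what to replace; spell the placeholder out in backticks. Two smaller points in the same file: `inject na existing private DNS view` should read `inject an existing private DNS view`, and the `Refer to [Networking module README.md]...` paragraph sits between items 2 and 3, which breaks the numbered list; indent it under item 2 or move it after item 3.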
diff --git a/examples/dns-view-injection/main.tf b/examples/dns-view-injection/main.tf
new file mode 100644
index 0000000..11041d1
--- /dev/null
+++ b/examples/dns-view-injection/main.tf
@@ -0,0 +1,9 @@
+# Copyright (c) 2023, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+module "dns_view_injection" {
+ source = "../../"
+ network_configuration = var.network_configuration
+ network_dependency = var.network_dependency
+}
+
diff --git a/examples/dns-view-injection/provider.tf b/examples/dns-view-injection/provider.tf
new file mode 100644
index 0000000..f11d1ce
--- /dev/null
+++ b/examples/dns-view-injection/provider.tf
@@ -0,0 +1,21 @@
+# Copyright (c) 2023, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+provider "oci" {
+ region = var.region
+ tenancy_ocid = var.tenancy_ocid
+ user_ocid = var.user_ocid
+ fingerprint = var.fingerprint
+ private_key_path = var.private_key_path
+ private_key_password = var.private_key_password
+}
+
+terraform {
+ required_version = ">= 1.3.0"
+
+ required_providers {
+ oci = {
+ source = "oracle/oci"
+ }
+ }
+}
\ No newline at end of file
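Review bot: `required_providers.oci` declares a `source` but no `version` constraint, so `terraform init` fetches whatever the newest `oracle/oci` release is on the day it runs; for an example that is executed with tenancy credentials this should be pinned, e.g. `version = "~> X.Y"` (placeholder for the release the example was tested against), and the generated `.terraform.lock.hcl` committed so the provider checksum is verified on later runs.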
diff --git a/examples/dns-view-injection/terraform.tfvars.template b/examples/dns-view-injection/terraform.tfvars.template
new file mode 100644
index 0000000..2755be7
--- /dev/null
+++ b/examples/dns-view-injection/terraform.tfvars.template
@@ -0,0 +1,92 @@
+# Copyright (c) 2023, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+tenancy_ocid = ""
+user_ocid = ""
+fingerprint = ""
+private_key_path = ""
+private_key_password = ""
+region = ""
+
+
+network_configuration = {
+ default_compartment_id = ""
+ network_configuration_categories = {
+ DNS-VIEW-INJECTION = {
+
+ vcns = {
+ MY-VCN = {
+ display_name = "dns-view-injection-vcn"
+ is_ipv6enabled = false
+ is_oracle_gua_allocation_enabled = false
+ cidr_blocks = ["10.0.0.0/24"],
+ dns_label = "dnsvcn"
+ is_create_igw = false
+ is_attach_drg = false
+ block_nat_traffic = false
+
+ subnets = {
+ MY-SUBNET = {
+ cidr_block = "10.0.0.0/24"
+ display_name = "dns-view-injection-subnet"
+ dns_label = "dnssubnet"
+ prohibit_internet_ingress = true
+ }
+ }
+
+ dns_resolver = {
+ display_name = "custom-dns-resolver"
+ attached_views = {
+ DNS-VIEW-1 = {
+ existing_view_id = "" # This is the injected DNS view. It can be either an OCID or a key within 'dns_private_views' attribute of 'network_dependency' variable (see commented out snippet down below).
+ }
+ }
+ rules = [
+ {
+ action = "FORWARD"
+ destination_address = ["10.0.2.128"]
+ source_endpoint_name = "CUSTOM-RESOLVER-ENDPOINT"
+ qname_cover_conditions = ["internal.example.com"]
+
+ },
+ {
+ action = "FORWARD"
+ client_address_conditions = ["192.168.1.0/24"]
+ destination_address = ["10.0.2.128"]
+ source_endpoint_name = "CUSTOM-RESOLVER-ENDPOINT"
+
+ }
+ ]
+ resolver_endpoints = {
+ CUSTOM-RESOLVER-ENDPOINT = {
+ enpoint_type = "VNIC"
+ is_forwarding = "true"
+ is_listening = "false"
+ forwarding_address = "10.0.0.32"
+ name = "custom_resolver_endpoint"
+ subnet = "MY-SUBNET"
+ }
+ }
+ tsig_keys = {
+ MY-TSIG = {
+ algorithm = "hmac-sha1"
+ name = "my-tsig"
+ secret = "welcome1"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
+/*
+network_dependency = {
+ dns_private_views = {
+ EXTERNALLY-MANAGED-VIEW = {
+ id = "ocid1.dnsview.oc1.....snhq"
+ }
+ }
+}
+*/
\ No newline at end of file
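Review bot: the template ships a ready-to-use TSIG secret (`secret = "welcome1"` under `tsig_keys.MY-TSIG`) together with `algorithm = "hmac-sha1"`; since the file is meant to be renamed to `terraform.tfvars` and filled in, users who overlook this block will carry a weak, publicly known key into their resolver. Leave `secret` empty like the credential fields at the top of the file (or comment the `tsig_keys` block out, as was done for `network_dependency`), and prefer an HMAC-SHA-256 algorithm where the peer supports it. Two smaller issues in `resolver_endpoints.CUSTOM-RESOLVER-ENDPOINT`: `enpoint_type` looks like a typo for `endpoint_type`, and `is_forwarding`/`is_listening` are written as strings (`"true"`, `"false"`) rather than booleans, neither of which the `type = any` variable introduced in this change will flag.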
diff --git a/examples/dns-view-injection/variables.tf b/examples/dns-view-injection/variables.tf
new file mode 100644
index 0000000..15ff0d1
--- /dev/null
+++ b/examples/dns-view-injection/variables.tf
@@ -0,0 +1,22 @@
+# Copyright (c) 2023, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+# tenancy details
+variable "tenancy_ocid" {}
+variable "user_ocid" {}
+variable "fingerprint" {}
+variable "private_key_path" {}
+variable "private_key_password" {}
+variable "region" {}
+
+variable "network_configuration" {
+ type = any
+}
+
+variable "network_dependency" {
+ description = "An object containing the externally managed network resources this module may depend on. Supported resources are 'vcns', 'dynamic_routing_gateways', 'drg_attachments', 'local_peering_gateways', 'remote_peering_connections', and 'dns_private_views', represented as map of objects. Each object, when defined, must have an 'id' attribute of string type set with the VCN, DRG OCID, DRG Attachment OCID, Local Peering Gateway OCID or Remote Peering Connection OCID. 'remote_peering_connections' must also pass the peer region name in the region_name attribute. See External Dependencies section in README.md (https://github.com/oci-landing-zones/terraform-oci-modules-networking#ext-dep) for details."
+ type = any
+ default = null
+}
+
+
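Review bot: The `network_dependency` description adds `'dns_private_views'` to the supported keys, but the next sentence still enumerates only VCN, DRG, DRG attachment, LPG and RPC OCIDs, so it never says that a view entry carries the DNS private view OCID in `id` (the commented `network_dependency` block in this example's tfvars template shows exactly that usage). Add it to the list, and keep the wording in sync with the identical string in the root `variables.tf` changed in this patch. Also drop the two trailing empty lines at the end of the file.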
diff --git a/examples/dns/provider.tf b/examples/dns/provider.tf
index 46db25f..ab2f1ba 100644
--- a/examples/dns/provider.tf
+++ b/examples/dns/provider.tf
@@ -21,8 +21,7 @@ terraform {
required_providers {
oci = {
- source = "oracle/oci"
- configuration_aliases = [oci]
+ source = "oracle/oci"
}
}
}
\ No newline at end of file
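Review bot: Removing `configuration_aliases = [oci]` is correct here: `configuration_aliases` only has meaning in a child module that expects its caller to pass provider configurations, and these examples are root modules that declare their own `provider "oci"` block. The identical hunk repeats for the lpg-acceptor, lpg-requestor, oke flannel/native and rpc-acceptor/requestor `provider.tf` files below, so this note covers all of them. What is left is `source = "oracle/oci"` with no `version` at all; consider adding a lower bound in the same pass, since the module now creates network firewall resource types that the previous, commented-out implementation did not use.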
diff --git a/examples/local-peering-gateways/lpg-acceptor/provider.tf b/examples/local-peering-gateways/lpg-acceptor/provider.tf
index d9084cb..47dc64c 100644
--- a/examples/local-peering-gateways/lpg-acceptor/provider.tf
+++ b/examples/local-peering-gateways/lpg-acceptor/provider.tf
@@ -15,8 +15,7 @@ terraform {
required_providers {
oci = {
- source = "oracle/oci"
- configuration_aliases = [oci]
+ source = "oracle/oci"
}
}
}
\ No newline at end of file
diff --git a/examples/local-peering-gateways/lpg-requestor/provider.tf b/examples/local-peering-gateways/lpg-requestor/provider.tf
index d9084cb..47dc64c 100644
--- a/examples/local-peering-gateways/lpg-requestor/provider.tf
+++ b/examples/local-peering-gateways/lpg-requestor/provider.tf
@@ -15,8 +15,7 @@ terraform {
required_providers {
oci = {
- source = "oracle/oci"
- configuration_aliases = [oci]
+ source = "oracle/oci"
}
}
}
\ No newline at end of file
diff --git a/examples/oci-network-firewall/README.md b/examples/oci-network-firewall/README.md
new file mode 100644
index 0000000..f5ec4fe
--- /dev/null
+++ b/examples/oci-network-firewall/README.md
@@ -0,0 +1,24 @@
+# OCI Network Firewall Example
+
+## Description
+
+This example implements the network firewall policy in the use case described in https://www.ateam-oracle.com/post/oci-network-firewall---concepts-and-deployment. The complete routing scenario is not implemented.
+
+Note that the IP addresses for the Internet hosts are fictitious, so please update them appropriately.
+
+For detailed description of the ```terraform-oci-landing-zones-networking``` networking core module please refer to the core module specific [README.md](../../README.md) and [SPEC.md](../../SPEC.md).
+
+## Using this example
+1. Rename *terraform.tfvars.template* to *terraform.tfvars*.
+
+2. Within *terraform.tfvars*, provide tenancy connectivity information and adjust the input variables, by making the appropriate substitutions:
+ - Replace \ placeholder with appropriate value.
+
+Refer to [Networking module README.md](https://github.com/oci-landing-zones/terraform-oci-modules-networking/blob/main/README.md) for overall attributes usage.
+
+3. In this folder, run the typical Terraform workflow:
+```
+terraform init
+terraform plan -out plan.out
+terraform apply plan.out
+```
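Review bot: Step 2's sub-bullet reads `Replace \ placeholder with appropriate value`; the placeholder name itself appears to have been lost, so the reader cannot tell which value to substitute. Restore it in a code span, e.g. `` `<REPLACE-WITH-VALUE>` ``, and say which attribute of the template it refers to. Two smaller items: the module is referred to as `terraform-oci-landing-zones-networking` while the repository and the link two paragraphs below are `terraform-oci-modules-networking`, and the bare ``` fence around the Terraform commands could be tagged `shell`.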
diff --git a/examples/oci-network-firewall/main.tf b/examples/oci-network-firewall/main.tf
new file mode 100644
index 0000000..b15104a
--- /dev/null
+++ b/examples/oci-network-firewall/main.tf
@@ -0,0 +1,8 @@
+# Copyright (c) 2023, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+module "terraform_oci_networking" {
+ source = "../../"
+ network_configuration = var.network_configuration
+}
+
diff --git a/examples/oci-network-firewall/outputs.tf b/examples/oci-network-firewall/outputs.tf
new file mode 100644
index 0000000..1a85f5c
--- /dev/null
+++ b/examples/oci-network-firewall/outputs.tf
@@ -0,0 +1,7 @@
+# Copyright (c) 2023, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+output "provisioned_networking_resources" {
+ description = "Provisioned networking resources"
+ value = module.terraform_oci_networking.provisioned_networking_resources
+}
\ No newline at end of file
diff --git a/examples/oci-network-firewall/provider.tf b/examples/oci-network-firewall/provider.tf
new file mode 100644
index 0000000..02fba69
--- /dev/null
+++ b/examples/oci-network-firewall/provider.tf
@@ -0,0 +1,21 @@
+# Copyright (c) 2023, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+provider "oci" {
+ region = var.region
+ tenancy_ocid = var.tenancy_ocid
+ user_ocid = var.user_ocid
+ fingerprint = var.fingerprint
+ private_key_path = var.private_key_path
+ private_key_password = var.private_key_password
+}
+
+terraform {
+ required_version = ">= 1.3.0"
+
+ required_providers {
+ oci = {
+ source = "oracle/oci"
+ }
+ }
+}
\ No newline at end of file
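Review bot: `required_providers.oci` has `source` but no `version`, so `terraform init` resolves whichever provider release is newest, or whichever is already cached. This example depends on the `oci_network_firewall_network_firewall_policy_service`, `_service_list` and `_application_group` resource types that `network_firewall_policies.tf` starts using in this same patch, so add a lower bound (`version = ">= <first release that ships these resources>"`) so that an old cached provider fails at init with a clear message rather than at plan with an unknown-resource error.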
diff --git a/examples/oci-network-firewall/terraform.tfvars.template b/examples/oci-network-firewall/terraform.tfvars.template
new file mode 100644
index 0000000..46fbdad
--- /dev/null
+++ b/examples/oci-network-firewall/terraform.tfvars.template
@@ -0,0 +1,124 @@
+# Copyright (c) 2024, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+tenancy_ocid = ""
+user_ocid = ""
+fingerprint = ""
+private_key_path = ""
+private_key_password = ""
+region = ""
+
+network_configuration = {
+ default_compartment_id = ""
+ network_configuration_categories = {
+ FIREWALL = {
+ vcns = {
+ FIREWALL-VCN = {
+ display_name = "firewall-vcn"
+ is_ipv6enabled = false
+ is_oracle_gua_allocation_enabled = false
+ cidr_blocks = ["192.168.0.0/24"],
+ dns_label = "firewallvcn"
+ is_create_igw = false
+ is_attach_drg = false
+ block_nat_traffic = false
+
+ subnets = {
+ FIREWALL-SUBNET = {
+ cidr_block = "192.168.0.16/28"
+ display_name = "firewall-subnet"
+ dns_label = "firewallsubnet"
+ ipv6cidr_blocks = []
+ prohibit_internet_ingress = true
+ }
+ }
+ }
+ }
+ non_vcn_specific_gateways = {
+ network_firewalls_configuration = {
+ network_firewalls = {
+ NFW = {
+ display_name = "nfw"
+ subnet_key = "FIREWALL-SUBNET"
+ ipv4address = "192.168.0.20"
+ network_firewall_policy_key = "NFW-POLICY"
+ }
+ }
+ network_firewall_policies = {
+ NFW-POLICY = {
+ display_name = "nfw-policy"
+ applications = {
+ ICMP = {
+ name = "ICMP"
+ type = "ICMP"
+ icmp_type = 8
+ icmp_code = 0
+ }
+ }
+ application_lists = {
+ ICMP-LIST = {
+ name = "ICMP-Application-List"
+ applications = ["ICMP"]
+ }
+ }
+ services = {
+ SSH = {
+ name = "SSH"
+ type = "TCP_SERVICE"
+ minimum_port = 22
+ maximum_port = 22
+ }
+ }
+ service_lists = {
+ SSH-LIST = {
+ name = "SSH-Service-List"
+ services = ["SSH"]
+ }
+ }
+ address_lists = {
+ ADDRESS-LIST-PERMIT = {
+ name = "IP-Address-List-Permit"
+ type = "IP"
+ addresses = ["150.136.212.20/32"]
+ },
+ ADDRESS-LIST-DENY = {
+ name = "IP-Address-List-Deny"
+ type = "IP"
+ addresses = ["192.9.241.52/32"]
+ },
+ ADDRESS-LIST-VCN-HOSTS = {
+ name = "IP-Address-List-VCN-Hosts"
+ type = "IP"
+ addresses = ["192.168.0.10/32"]
+ }
+ }
+ security_rules = {
+ ICMP-PERMIT-RULE = {
+ action = "ALLOW"
+ name = "ICMP-Permit"
+ application_lists = ["ICMP-LIST"]
+ source_address_lists = ["ADDRESS-LIST-PERMIT"]
+ destination_address_lists = ["ADDRESS-LIST-VCN-HOSTS"]
+ }
+ SSH-PERMIT-RULE = {
+ action = "ALLOW"
+ name = "SSH-Permit"
+ servicen_lists = ["SSH-LIST"]
+ source_address_lists = ["ADDRESS-LIST-PERMIT"]
+ destination_address_lists = ["ADDRESS-LIST-VCN-HOSTS"]
+ }
+ DENY-RULE = {
+ action = "DROP"
+ name = "Deny"
+ application_lists = []
+ source_address_lists = ["ADDRESS-LIST-DENY"]
+ destination_address_lists = ["ADDRESS-LIST-VCN-HOSTS"]
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
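Review bot: `servicen_lists = ["SSH-LIST"]` in SSH-PERMIT-RULE is a typo for `service_lists`, the attribute name the `security_rules` object declares in the root `variables.tf` in this patch. Because the example passes `network_configuration` through as `type = any`, nothing catches it at the example level; at the root module the value either fails type conversion with an unsupported-attribute error or the SSH rule is created without a service condition, in which case it would no longer be limited to TCP/22 from ADDRESS-LIST-PERMIT to the VCN hosts. Also note the copyright year (2024) differs from the other new files in this example (2023).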
diff --git a/examples/oci-network-firewall/variables.tf b/examples/oci-network-firewall/variables.tf
new file mode 100644
index 0000000..e6c31d0
--- /dev/null
+++ b/examples/oci-network-firewall/variables.tf
@@ -0,0 +1,15 @@
+# Copyright (c) 2023, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+
+# tenancy details
+variable "tenancy_ocid" {}
+variable "user_ocid" {}
+variable "fingerprint" {}
+variable "private_key_path" {}
+variable "private_key_password" {}
+variable "region" {}
+
+variable "network_configuration" {
+ type = any
+}
+
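Review bot: `private_key_password` is declared as a bare `variable "private_key_password" {}`; mark it `sensitive = true` so it is redacted from plan/apply output and diagnostics, and give `network_configuration` a `description` as the dns-view-injection example does for `network_dependency`. Drop the trailing empty line at the end of the file.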
diff --git a/examples/oke-examples/flannel/provider.tf b/examples/oke-examples/flannel/provider.tf
index c94a697..f36f035 100644
--- a/examples/oke-examples/flannel/provider.tf
+++ b/examples/oke-examples/flannel/provider.tf
@@ -15,8 +15,7 @@ terraform {
required_version = ">= 1.3.0"
required_providers {
oci = {
- source = "oracle/oci"
- configuration_aliases = [oci]
+ source = "oracle/oci"
}
}
}
diff --git a/examples/oke-examples/native/provider.tf b/examples/oke-examples/native/provider.tf
index 11cb25c..8b3ce99 100644
--- a/examples/oke-examples/native/provider.tf
+++ b/examples/oke-examples/native/provider.tf
@@ -13,8 +13,7 @@ terraform {
required_version = ">= 1.3.0"
required_providers {
oci = {
- source = "oracle/oci"
- configuration_aliases = [oci]
+ source = "oracle/oci"
}
}
}
diff --git a/examples/remote-peering-connections/rpc-acceptor/provider.tf b/examples/remote-peering-connections/rpc-acceptor/provider.tf
index d9084cb..47dc64c 100644
--- a/examples/remote-peering-connections/rpc-acceptor/provider.tf
+++ b/examples/remote-peering-connections/rpc-acceptor/provider.tf
@@ -15,8 +15,7 @@ terraform {
required_providers {
oci = {
- source = "oracle/oci"
- configuration_aliases = [oci]
+ source = "oracle/oci"
}
}
}
\ No newline at end of file
diff --git a/examples/remote-peering-connections/rpc-requestor/provider.tf b/examples/remote-peering-connections/rpc-requestor/provider.tf
index d9084cb..47dc64c 100644
--- a/examples/remote-peering-connections/rpc-requestor/provider.tf
+++ b/examples/remote-peering-connections/rpc-requestor/provider.tf
@@ -15,8 +15,7 @@ terraform {
required_providers {
oci = {
- source = "oracle/oci"
- configuration_aliases = [oci]
+ source = "oracle/oci"
}
}
}
\ No newline at end of file
diff --git a/modules/waf/variables.tf b/modules/waf/variables.tf
index 4f82c6f..065e022 100644
--- a/modules/waf/variables.tf
+++ b/modules/waf/variables.tf
@@ -13,7 +13,6 @@ variable "waf_configuration" {
waf = map(object({
display_name = optional(string)
defined_tags = optional(map(string))
- defined_tags = optional(map(string))
freeform_tags = optional(map(string))
backend_type = string
compartment_id = optional(string)
diff --git a/network_firewall_policies.tf b/network_firewall_policies.tf
index c12c2c4..e46041a 100644
--- a/network_firewall_policies.tf
+++ b/network_firewall_policies.tf
@@ -21,18 +21,45 @@ locals {
display_name = nfwp_value.display_name
freeform_tags = nfwp_value.freeform_tags
applications = nfwp_value.applications
+ application_lists = nfwp_value.application_lists
decryption_profiles = nfwp_value.decryption_profiles
decryption_rules = nfwp_value.decryption_rules
- ip_address_lists = nfwp_value.ip_address_lists
+ address_lists = nfwp_value.address_lists
mapped_secrets = nfwp_value.mapped_secrets
security_rules = nfwp_value.security_rules
url_lists = nfwp_value.url_lists
+ services = nfwp_value.services
+ service_lists = nfwp_value.service_lists
nfwp_key = nfwp_key
}
] : [] : [] : []
]) : flat_nfwp.nfwp_key => flat_nfwp
} : null
+ nfw_policy_services = flatten([
+ for policy_key, policy_value in coalesce(local.one_dimension_processed_nfw_policies,{}) : [
+ for service_key, service_value in (coalesce(policy_value.services,{})) : {
+ key = "${policy_key}.${service_key}"
+ policy_key = policy_key
+ name = service_value.name
+ type = service_value.type
+ minimum_port = service_value.minimum_port
+ maximum_port = service_value.maximum_port
+ }
+ ]
+ ])
+
+ nfw_policy_service_lists = flatten([
+ for policy_key, policy_value in coalesce(local.one_dimension_processed_nfw_policies,{}) : [
+ for serv_key, serv_value in (coalesce(policy_value.service_lists,{})) : {
+ key = "${policy_key}.${serv_key}"
+ policy_key = policy_key
+ name = serv_value.name
+ services = serv_value.services
+ }
+ ]
+ ])
+
nfw_policy_applications = flatten([
for policy_key, policy_value in coalesce(local.one_dimension_processed_nfw_policies,{}) : [
for app_key, app_value in (coalesce(policy_value.applications,{})) : {
@@ -46,6 +73,17 @@ locals {
]
])
+ nfw_policy_application_lists = flatten([
+ for policy_key, policy_value in coalesce(local.one_dimension_processed_nfw_policies,{}) : [
+ for applist_key, applist_value in (coalesce(policy_value.application_lists,{})) : {
+ key = "${policy_key}.${applist_key}"
+ policy_key = policy_key
+ name = applist_value.name
+ apps = applist_value.applications
+ }
+ ]
+ ])
+
nfw_policy_decryption_profiles = flatten([
for policy_key, policy_value in coalesce(local.one_dimension_processed_nfw_policies,{}) : [
for prof_key, prof_value in (coalesce(policy_value.decryption_profiles,{})) : {
@@ -68,7 +106,7 @@ locals {
nfw_policy_address_lists = flatten([
for policy_key, policy_value in coalesce(local.one_dimension_processed_nfw_policies,{}) : [
- for add_key, add_value in (coalesce(policy_value.ip_address_lists,{})) : {
+ for add_key, add_value in (coalesce(policy_value.address_lists,{})) : {
key = "${policy_key}.${add_key}"
policy_key = policy_key
name = add_value.name
@@ -96,7 +134,7 @@ locals {
nfw_policy_mapped_secrets = flatten([
for policy_key, policy_value in coalesce(local.one_dimension_processed_nfw_policies,{}) : [
for secret_key, secret_value in (coalesce(policy_value.mapped_secrets,{})) : {
- key = "${policy_key}.${secret_value}"
+ key = "${policy_key}.${secret_key}"
policy_key = policy_key
name = secret_value.name
source = secret_value.source
@@ -110,7 +148,7 @@ locals {
nfw_policy_url_lists = flatten([
for policy_key, policy_value in coalesce(local.one_dimension_processed_nfw_policies,{}) : [
for url_key, url_value in (coalesce(policy_value.url_lists,{})) : {
- key = "${policy_key}.${url_value}"
+ key = "${policy_key}.${url_key}"
policy_key = policy_key
name = url_value.name
pattern = url_value.pattern
@@ -122,18 +160,18 @@ locals {
nfw_policy_security_rules = flatten([
for policy_key, policy_value in coalesce(local.one_dimension_processed_nfw_policies,{}) : [
for security_key, security_value in (coalesce(policy_value.security_rules,{})) : {
- key = "${policy_key}.${security_value}"
- policy_key = policy_key
- action = security_value.action
- name = security_value.name
- application = security_value.application
- destination_address = security_value.destination_address
- service = security_value.service
- source_address = security_value.source_address
- url = security_value.url
- inspection = security_value.inspection
- after_rule = security_value.after_rule
- before_rule = security_value.before_rule
+ key = "${policy_key}.${security_key}"
+ policy_key = policy_key
+ action = security_value.action
+ name = security_value.name
+ application_lists = security_value.application_lists
+ destination_address_lists = security_value.destination_address_lists
+ service_lists = security_value.service_lists
+ source_address_lists = security_value.source_address_lists
+ url_lists = security_value.url_lists
+ inspection = security_value.inspection
+ after_rule = security_value.after_rule
+ before_rule = security_value.before_rule
}
]
])
@@ -148,7 +186,7 @@ locals {
display_name = nfw_pol_value.display_name
freeform_tags = nfw_pol_value.freeform_tags
id = nfw_pol_value.id
- #ip_address_lists = nfw_pol_value.ip_address_lists
+ #address_lists = nfw_pol_value.address_lists
#is_firewall_attached = nfw_pol_value.is_firewall_attached
lifecycle_details = nfw_pol_value.lifecycle_details
#mapped_secrets = nfw_pol_value.mapped_secrets
@@ -174,6 +212,34 @@ resource "oci_network_firewall_network_firewall_policy" "these" {
freeform_tags = merge(local.cislz_module_tag, each.value.freeform_tags)
}
+resource "oci_network_firewall_network_firewall_policy_service" "these" {
+ for_each = { for v in local.nfw_policy_services : v.key => {
+ policy_key = v.policy_key
+ name = v.name
+ type = v.type
+ minimum_port = v.minimum_port
+ maximum_port = v.maximum_port
+ } }
+ network_firewall_policy_id = oci_network_firewall_network_firewall_policy.these[each.value.policy_key].id
+ name = each.value.name
+ type = each.value.type
+ port_ranges {
+ minimum_port = each.value.minimum_port
+ maximum_port = each.value.maximum_port
+ }
+}
+
+resource "oci_network_firewall_network_firewall_policy_service_list" "these" {
+ for_each = { for v in local.nfw_policy_service_lists : v.key => {
+ policy_key = v.policy_key
+ name = v.name
+ services = v.services
+ } }
+ network_firewall_policy_id = oci_network_firewall_network_firewall_policy.these[each.value.policy_key].id
+ name = each.value.name
+ services = [for service in each.value.services : oci_network_firewall_network_firewall_policy_service.these["${each.value.policy_key}.${service}"].name]
+}
+
resource "oci_network_firewall_network_firewall_policy_application" "these" {
for_each = { for v in local.nfw_policy_applications : v.key => {
policy_key = v.policy_key
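Review bot: `port_ranges` is emitted exactly once per service, so a service spanning several non-contiguous port ranges cannot be expressed through this schema; that is an acceptable simplification, but the `services` comment in `variables.tf` should say so. Also, `maximum_port` is optional in the schema and is passed through as `null` when unset; if the intent is a single port, consider `maximum_port = coalesce(v.maximum_port, v.minimum_port)` in the `for_each` map so the behaviour does not depend on how the provider treats a null upper bound.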
@@ -189,6 +255,17 @@ resource "oci_network_firewall_network_firewall_policy_application" "these" {
icmp_code = each.value.icmp_code
}
+resource "oci_network_firewall_network_firewall_policy_application_group" "these" {
+ for_each = { for v in local.nfw_policy_application_lists : v.key => {
+ policy_key = v.policy_key
+ name = v.name
+ apps = v.apps
+ } }
+ network_firewall_policy_id = oci_network_firewall_network_firewall_policy.these[each.value.policy_key].id
+ name = each.value.name
+ apps = [for app in each.value.apps : oci_network_firewall_network_firewall_policy_application.these["${each.value.policy_key}.${app}"].name]
+}
+
resource "oci_network_firewall_network_firewall_policy_decryption_profile" "these" {
for_each = { for v in local.nfw_policy_decryption_profiles : v.key => {
policy_key = v.policy_key
@@ -282,24 +359,24 @@ resource "oci_network_firewall_network_firewall_policy_url_list" "these" {
network_firewall_policy_id = oci_network_firewall_network_firewall_policy.these[each.value.policy_key].id
urls {
pattern = each.value.pattern
- type = each.value.tyep
+ type = each.value.type
}
}
resource "oci_network_firewall_network_firewall_policy_security_rule" "these" {
for_each = {
for v in local.nfw_policy_security_rules : v.key => {
- policy_key = v.policy_key
- action = v.action
- name = v.name
- application = v.application
- destination_address = v.destination_address
- service = v.service
- source_address = v.source_address
- url = v.url
- inspection = v.inspection
- after_rule = v.after_rule
- before_rule = v.before_rule
+ policy_key = v.policy_key
+ action = v.action
+ name = v.name
+ application_lists = v.application_lists
+ destination_address_lists = v.destination_address_lists
+ service_lists = v.service_lists
+ source_address_lists = v.source_address_lists
+ url_lists = v.url_lists
+ inspection = v.inspection
+ after_rule = v.after_rule
+ before_rule = v.before_rule
}}
lifecycle {
ignore_changes = [position]
@@ -308,12 +385,12 @@ resource "oci_network_firewall_network_firewall_policy_security_rule" "these" {
action = each.value.action
name = each.value.name
condition {
- application = each.value.application
- destination_address = each.value.destination_address
- service = each.value.service
- source_address = each.value.source_address
- url = each.value.url
- }
+ application = each.value.application_lists != null ? [for app_list in each.value.application_lists: oci_network_firewall_network_firewall_policy_application_group.these["${each.value.policy_key}.${app_list}"].name ] : null
+ destination_address = each.value.destination_address_lists != null ? [for dest_list in each.value.destination_address_lists: oci_network_firewall_network_firewall_policy_address_list.these["${each.value.policy_key}.${dest_list}"].name ] : null
+ source_address = each.value.source_address_lists != null ? [for source_list in each.value.source_address_lists: oci_network_firewall_network_firewall_policy_address_list.these["${each.value.policy_key}.${source_list}"].name ] : null
+ url = each.value.url_lists != null ? [for url_list in each.value.url_lists: oci_network_firewall_network_firewall_policy_url_list.these["${each.value.policy_key}.${url_list}"].name ] : null
+ service = each.value.service_lists != null ? [for service_list in each.value.service_lists: oci_network_firewall_network_firewall_policy_service_list.these["${each.value.policy_key}.${service_list}"].name ] : null
+}
network_firewall_policy_id = oci_network_firewall_network_firewall_policy.these[each.value.policy_key].id
#Optional
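Review bot: The closing brace of the `condition` block (`+}`) is at column 0 while its opener is indented inside the resource; run `terraform fmt` on the file. The logic looks right: each list name is resolved through the corresponding resource's `.name`, which also gives the implicit dependency on the address, application-group, service-list and url-list resources, and the `!= null ? ... : null` guards keep unset lists out of the API call. One edge to be aware of: a rule that sets `application_lists = []` (as DENY-RULE in the new example does) sends an empty list rather than omitting the attribute; if the provider treats those differently, normalise with a `length(...) > 0` check.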
@@ -325,207 +402,3 @@ resource "oci_network_firewall_network_firewall_policy_security_rule" "these" {
before_rule = each.value.before_rule
}
}
-
-/* resource "oci_network_firewall_network_firewall_policy" "these" {
-
- for_each = local.one_dimension_processed_nfw_policies != null ? length(local.one_dimension_processed_nfw_policies) > 0 ? local.one_dimension_processed_nfw_policies : {} : {}
-
- compartment_id = each.value.compartment_id != null ? (length(regexall("^ocid1.*$", each.value.compartment_id)) > 0 ? each.value.compartment_id : var.compartments_dependency[each.value.compartment_id].id) : null
- defined_tags = each.value.defined_tags
- display_name = each.value.display_name
- freeform_tags = merge(local.cislz_module_tag, each.value.freeform_tags)
-
- dynamic "application_lists" {
- for_each = each.value.application_lists != null ? length(each.value.application_lists) > 0 ? [
- for app_list_key, app_list_value in each.value.application_lists : {
- application_list_name = app_list_value.application_list_name
- application_values = app_list_value.application_values
- }] : [] : []
- iterator = application_list
-
- content {
- application_list_name = application_list.value.application_list_name
-
- dynamic "application_values" {
- for_each = application_list.value.application_values != null ? application_list.value.application_values != null ? [
- for app_value_key, app_value_value in application_list.value.application_values : {
- type = app_value_value.type
- icmp_type = app_value_value.icmp_type
- icmp_code = app_value_value.icmp_code
- minimum_port = app_value_value.minimum_port
- maximum_port = app_value_value.maximum_port
- }] : [] : []
- iterator = application_value
-
- content {
- type = application_value.value.type
- icmp_type = application_value.value.icmp_type
- icmp_code = application_value.value.icmp_code
- minimum_port = application_value.value.minimum_port
- maximum_port = application_value.value.maximum_port
- }
- }
- }
- }
-
- dynamic "decryption_profiles" {
- for_each = each.value.decryption_profiles != null ? length(each.value.decryption_profiles) > 0 ? [
- for d_profile_key, d_profile_value in each.value.decryption_profiles : {
- is_out_of_capacity_blocked = d_profile_value.is_out_of_capacity_blocked
- is_unsupported_cipher_blocked = d_profile_value.is_unsupported_cipher_blocked
- is_unsupported_version_blocked = d_profile_value.is_unsupported_version_blocked
- type = d_profile_value.type
- key = d_profile_value.key
- #Optional
- are_certificate_extensions_restricted = d_profile_value.are_certificate_extensions_restricted
- is_auto_include_alt_name = d_profile_value.is_auto_include_alt_name
- is_expired_certificate_blocked = d_profile_value.is_expired_certificate_blocked
- is_revocation_status_timeout_blocked = d_profile_value.is_revocation_status_timeout_blocked
- is_unknown_revocation_status_blocked = d_profile_value.is_unknown_revocation_status_blocked
- is_untrusted_issuer_blocked = d_profile_value.is_untrusted_issuer_blocked
- }] : [] : []
- iterator = decryption_profile
-
- content {
- is_out_of_capacity_blocked = decryption_profile.value.is_out_of_capacity_blocked
- is_unsupported_cipher_blocked = decryption_profile.value.is_unsupported_cipher_blocked
- is_unsupported_version_blocked = decryption_profile.value.is_unsupported_version_blocked
- type = decryption_profile.value.type
- key = decryption_profile.value.key
-
- #Optional
- are_certificate_extensions_restricted = decryption_profile.value.are_certificate_extensions_restricted
- is_auto_include_alt_name = decryption_profile.value.is_auto_include_alt_name
- is_expired_certificate_blocked = decryption_profile.value.is_expired_certificate_blocked
- is_revocation_status_timeout_blocked = decryption_profile.value.is_revocation_status_timeout_blocked
- is_unknown_revocation_status_blocked = decryption_profile.value.is_unknown_revocation_status_blocked
- is_untrusted_issuer_blocked = decryption_profile.value.is_untrusted_issuer_blocked
- }
- }
-
-
- dynamic "decryption_rules" {
- for_each = each.value.decryption_rules != null ? length(each.value.decryption_rules) > 0 ? [
- for d_rule_key, d_rule_value in each.value.decryption_rules : {
- action = d_rule_value.action
- name = d_rule_value.name
- decryption_profile = d_rule_value.decryption_profile
- secret = d_rule_value.secret
- conditions = d_rule_value.conditions
- }] : [] : []
- iterator = decryption_rule
-
- content {
- action = decryption_rule.value.action
- name = decryption_rule.value.name
- decryption_profile = decryption_rule.value.decryption_profile
- secret = decryption_rule.value.secret
- dynamic "condition" {
- for_each = decryption_rule.value != null ? length(decryption_rule.value) > 0 ? [
- for cond_key, cond_value in decryption_rule.value.conditions : {
- destinations = cond_value.destinations
- sources = cond_value.sources
- }] : [] : []
- iterator = cond
- content {
- destinations = cond.value.destinations
- sources = cond.value.sources
- }
- }
- }
- }
-
- dynamic "ip_address_lists" {
- for_each = each.value.ip_address_lists != null ? length(each.value.ip_address_lists) > 0 ? [
- for ipa_list_key, ipa_list_value in each.value.ip_address_lists : {
- ip_address_list_name = ipa_list_value.ip_address_list_name
- ip_address_list_value = ipa_list_value.ip_address_list_value
- }] : [] : []
- iterator = ip_address_list
-
- content {
- ip_address_list_name = ip_address_list.value.ip_address_list_name
- ip_address_list_value = ip_address_list.value.ip_address_list_value
- }
- }
-
- dynamic "mapped_secrets" {
- for_each = each.value.mapped_secrets != null ? length(each.value.mapped_secrets) > 0 ? [
- for ms_key, ms_value in each.value.mapped_secrets : {
- key = ms_value.key
- type = ms_value.type
- vault_secret_id = ms_value.vault_secret_id
- version_number = ms_value.version_number
- }] : [] : []
- iterator = mapped_secret
-
- content {
- type = mapped_secret.value.type
- key = mapped_secret.value.key
- vault_secret_id = mapped_secret.value.vault_secret_id
- version_number = mapped_secret.value.version_number
- }
- }
-
- dynamic "security_rules" {
- for_each = each.value.security_rules != null ? length(each.value.security_rules) > 0 ? [
- for sr_key, sr_value in each.value.security_rules : {
- action = sr_value.action
- conditions = sr_value.conditions
- name = sr_value.name
- inspection = sr_value.inspection
- }] : [] : []
- iterator = security_rule
-
- content {
- action = security_rule.value.action
- name = security_rule.value.name
- inspection = security_rule.value.inspection
-
- dynamic "condition" {
- for_each = security_rule.value.conditions != null ? security_rule.value.conditions != null ? [
- for cond_key, cond_value in security_rule.value.conditions : {
- applications = cond_value.applications
- destinations = cond_value.destinations
- sources = cond_value.sources
- urls = cond_value.urls
- }] : [] : []
- iterator = condition
-
- content {
- applications = condition.value.applications
- destinations = condition.value.destinations
- sources = condition.value.sources
- urls = condition.value.urls
- }
- }
- }
- }
-
- dynamic "url_lists" {
- for_each = each.value.url_lists != null ? length(each.value.url_lists) > 0 ? [
- for urll in each.value.url_lists : {
- url_list_name = urll.url_list_name
- url_list_values = urll.url_list_values
- }] : [] : []
- iterator = url_list
-
- content {
- url_list_name = url_list.value.url_list_name
-
- dynamic "url_list_values" {
- for_each = url_list.value.url_list_values != null ? length(url_list.value.url_list_values) > 0 ? [
- for urllv in url_list.value.url_list_values : {
- type = urllv.type
- pattern = urllv.pattern
- }] : [] : []
- iterator = url_list_value
-
- content {
- type = url_list_value.value.type
- pattern = url_list_value.value.pattern
- }
- }
- }
- }
-} */
diff --git a/orm-facade/provider.tf b/orm-facade/provider.tf
index ed17fc6..564b449 100644
--- a/orm-facade/provider.tf
+++ b/orm-facade/provider.tf
@@ -21,9 +21,7 @@ terraform {
required_providers {
oci = {
- source = "oracle/oci"
- version = "<= 5.16.0"
- configuration_aliases = [oci]
+ source = "oracle/oci"
}
}
}
\ No newline at end of file
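Review bot: Dropping `version = "<= 5.16.0"` removes the upper bound but leaves no constraint at all. If the new network firewall resources need a provider newer than 5.16.0, which is the likely reason the cap had to go, replace it with a lower bound (`version = ">= ..."`) so a Resource Manager stack that resolves an older provider fails at init with a clear message instead of at plan.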
diff --git a/release.txt b/release.txt
index 1864002..bcaffe1 100644
--- a/release.txt
+++ b/release.txt
@@ -1 +1 @@
-0.6.9
\ No newline at end of file
+0.7.0
\ No newline at end of file
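Review bot: 0.6.9 to 0.7.0 is a minor bump, but this patch renames `ip_address_lists` to `address_lists` and replaces the `security_rules` attributes `application`, `destination_address`, `service`, `source_address` and `url` with their `*_lists` counterparts in the public `network_configuration` schema; existing configurations will fail validation after upgrading. Call the rename out in the release notes with the old-to-new attribute mapping so users can migrate.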
diff --git a/variables.tf b/variables.tf
index 84452c4..0da2c12 100644
--- a/variables.tf
+++ b/variables.tf
@@ -227,6 +227,7 @@ variable "network_configuration" {
defined_tags = optional(map(string)),
freeform_tags = optional(map(string)),
attached_views = optional(map(object({
+ existing_view_id = optional(string) # an existing externally managed view. Assign either this attribute or the others for having this module managing the view.
compartment_id = optional(string),
display_name = optional(string),
defined_tags = optional(map(string)),
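Review bot: The comment on `existing_view_id` says to assign either it or the other attributes, but nothing enforces that. A `validation` block on `network_configuration` (for example an `alltrue([...])` over every `attached_views` entry checking that `existing_view_id == null || display_name == null`) would turn a mixed entry into a plan-time error instead of whatever the module does when both are present. The comment itself would also read better as "Assign either this attribute or the others to have this module manage the view."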
@@ -1012,22 +1013,33 @@ variable "network_configuration" {
defined_tags = optional(map(string)),
display_name = optional(string),
freeform_tags = optional(map(string)),
- # application_lists = optional(map(object({
- # application_list_name = string,
- # application_values = map(object({
- # type = string,
- # icmp_type = optional(string),
- # icmp_code = optional(string),
- # minimum_port = optional(number),
- # maximum_port = optional(number)
- # }))
- # })))
+ services = optional(map(object({
+ name = string
+ type = optional(string) # Valid values: "TCP_SERVICE" or "UDP_SERVICE"
+ minimum_port = number
+ maximum_port = optional(number)
+ })))
+ service_lists = optional(map(object({
+ name = string
+ services = list(string)
+ })))
applications = optional(map(object({
name = string,
type = string,
- icmp_type = optional(string),
- icmp_code = optional(string),
+ icmp_type = number,
+ icmp_code = optional(number),
})))
+ application_lists = optional(map(object({
+ name = string,
+ applications = list(string)
+ }))),
+ mapped_secrets = optional(map(object({
+ name = string,
+ type = string, # Valid values: SSL_FORWARD_PROXY, SSL_INBOUND_INSPECTION
+ source = string, # Valid value: OCI_VAULT
+ vault_secret_id = string,
+ version_number = string,
+ }))),
decryption_profiles = optional(map(object({
type = string, # Valid values: "SSL_FORWARD_PROXY", "SSL_INBOUND_INSPECTION"
name = string,
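Review bot: `services.type` is `optional(string)`, but `oci_network_firewall_network_firewall_policy_service` (added later in this patch) passes it straight through as a required argument, so an entry without `type` fails at plan with a provider error rather than at variable validation; either make it `string` or document a default and apply it in the `nfw_policy_services` local. In the same hunk, `applications.icmp_type` changes from `optional(string)` to a required `number`; that matches the ICMP application resource, but it is another breaking change for inputs that previously passed strings and should be mentioned alongside the rename.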
@@ -1040,43 +1052,36 @@ variable "network_configuration" {
is_revocation_status_timeout_blocked = optional(bool), # Applicable only when type = "SSL_FORWARD_PROXY"
is_unknown_revocation_status_blocked = optional(bool), # Applicable only when type = "SSL_FORWARD_PROXY"
is_untrusted_issuer_blocked = optional(bool) # Applicable only when type = "SSL_FORWARD_PROXY"
- })))
- ip_address_lists = optional(map(object({
+ }))),
+ decryption_rules = optional(map(object({
+ name = string,
+ action = string,
+ decryption_profile_id = optional(string),
+ secret = optional(string),
+ source_ip_address_list = optional(string),
+ destination_ip_address_list = optional(string)
+ }))),
+ address_lists = optional(map(object({
name = string,
type = string, # Valid values: "FQND", "IP"
addresses = list(string)
})))
- decryption_rules = optional(map(object({
- name = string,
- action = string,
- decryption_profile_id = optional(string),
- secret = optional(string),
- destination_ip_address_list = optional(string),
- source_ip_address_list = optional(string)
- })))
- mapped_secrets = optional(map(object({
- name = string,
- type = string, # Valid values: SSL_FORWARD_PROXY, SSL_INBOUND_INSPECTION
- source = string, # Valid value: OCI_VAULT
- vault_secret_id = string,
- version_number = string,
- })))
- security_rules = optional(map(object({
- action = string, # Valid values: ALLOW,DROP,REJECT,INSPECT
- name = string,
- application = optional(list(string)),
- destination_address = optional(list(string)),
- service = optional(list(string)),
- source_address = optional(list(string)),
- url = optional(list(string)),
- inspection = optional(string), # This is only applicable if action is INSPECT
- after_rule = optional(string),
- before_rule = optional(string)
- })))
url_lists = optional(map(object({
name = string,
pattern = string,
type = string # Valid value: SIMPLE
+ }))),
+ security_rules = optional(map(object({
+ action = string, # Valid values: ALLOW,DROP,REJECT,INSPECT
+ name = string,
+ application_lists = optional(list(string)),
+ destination_address_lists = optional(list(string)),
+ service_lists = optional(list(string)),
+ source_address_lists = optional(list(string)),
+ url_lists = optional(list(string)),
+ inspection = optional(string), # This is only applicable if action is INSPECT
+ after_rule = optional(string),
+ before_rule = optional(string)
})))
})))
}))
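Review bot: the rename of `ip_address_lists` to `address_lists` and of the `security_rules` attributes (`application` to `application_lists`, `destination_address` to `destination_address_lists`, `service` to `service_lists`, `source_address` to `source_address_lists`, `url` to `url_lists`) silently invalidates existing firewall policy inputs; since the rest of this hunk only reorders blocks, the rename should be called out in the README with the old and new names side by side. The unchanged comment on the `address_lists` `type` attribute also misspells the value as `"FQND"`; it should read `"FQDN"` so readers do not copy the typo into their configuration.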
@@ -1260,7 +1265,7 @@ variable "compartments_dependency" {
}
variable "network_dependency" {
- description = "An object containing the externally managed network resources this module may depend on. Supported resources are 'vcns', 'dynamic_routing_gateways', 'drg_attachments', 'local_peering_gateways', and 'remote_peering_connections', represented as map of objects. Each object, when defined, must have an 'id' attribute of string type set with the VCN, DRG OCID, DRG Attachment OCID, Local Peering Gateway OCID or Remote Peering Connection OCID. 'remote_peering_connections' must also pass the peer region name in the region_name attribute. See External Dependencies section in README.md (https://github.com/oracle-quickstart/terraform-oci-cis-landing-zone-networking#ext-dep) for details."
+ description = "An object containing the externally managed network resources this module may depend on. Supported resources are 'vcns', 'dynamic_routing_gateways', 'drg_attachments', 'local_peering_gateways', 'remote_peering_connections', and 'dns_private_views', represented as map of objects. Each object, when defined, must have an 'id' attribute of string type set with the VCN, DRG OCID, DRG Attachment OCID, Local Peering Gateway OCID or Remote Peering Connection OCID. 'remote_peering_connections' must also pass the peer region name in the region_name attribute. See External Dependencies section in README.md (https://github.com/oci-landing-zones/terraform-oci-modules-networking#ext-dep) for details."
type = object({
vcns = optional(map(object({
id = string # the VCN OCID
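Review bot: the updated `description` adds `'dns_private_views'` to the supported resources list, but the following sentence ("must have an 'id' attribute of string type set with the VCN, DRG OCID, DRG Attachment OCID, Local Peering Gateway OCID or Remote Peering Connection OCID") was not extended to mention the DNS private view OCID; add it so the description stays consistent with the type definition.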
@@ -1278,6 +1283,9 @@ variable "network_dependency" {
id = string # the peer RPC OCID
region_name = string # the peer RPC region name
})))
+ dns_private_views = optional(map(object({
+ id = string # the DNS private view OCID
+ })))
})
default = null
}
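Review bot: the new `dns_private_views` entry matches the `id`-only shape of the other dependency objects, so the type is fine; please also confirm that the External Dependencies section of README.md linked from the `description` lists `dns_private_views` as an accepted key, since the description now points readers there for details.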