Merge branch 'issue-373-vnics'

RELEASE-NOTES.md

@@ -1,3 +1,11 @@
+# October 05, 2023 Release Notes - 0.1.1
+
+## Updates
+1. [Secondary VNICs](#0-1-1-compute-secondary-vnics)
+
+### <a name="0-1-1-compute-secondary-vnics">Secondary VNICs</a>
+Compute module can configure instances with secondary VNICs and secondary IPs per VNIC.
+
 # September 22, 2023 Release Notes - 0.1.0
 
 ## Added

cis-compute-storage/README.md

@@ -32,6 +32,7 @@ The following security features are currently supported by the module:
 - [Shielded instances](https://docs.oracle.com/en-us/iaas/Content/Compute/References/shielded-instances.htm).
 - Boot volumes backup with Oracle managed policies.
 - [Cloud Agent Plugins](https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/manage-plugins.htm).
+- Secondary VNICs and secondary IP addresses per VNIC. 
 
 ### <a name="block-features">Block Volumes</a>
 - CIS profile level drives data at rest encryption configuration.
@@ -143,10 +144,33 @@ The instances themselves are defined within the **instances** attribute, In Terr
 - **volumes_emulation_type** &ndash; (Optional) emulation type for attached storage volumes. Valid values: "paravirtualized" (default), "scsi", "iscsi", "ide", "vfio". 
 - **networking** &ndash; (Optional) Networking settings. 
   - **type** &ndash; (Optional) Emulation type for the physical network interface card (NIC). Valid values: "paravirtualized" (default), "vfio" (SR-IOV networking), "e1000" (compatible with Linux e1000 driver).
-  - **hostname** &ndash; (Optional) The instance hostname.
-  - **assign_public_ip** &ndash; (Optional) Whether to assign the instance a public IP. Default is false.
-  - **subnet_id** &ndash; (Optional) The subnet where the instance is created. *default_subnet_id* is used if undefined. This attribute is overloaded. It can be assigned either a literal OCID or a reference (a key) to an OCID in *network_dependency* variable. See [External Dependencies](#ext-dep) for details.
-  - **network_security_groups** &ndash; (Optional) List of network security groups the instance should be placed into. This attribute is overloaded. It can be assigned either a literal OCID or a reference (a key) to an OCID in *network_dependency* variable. See [External Dependencies](#ext-dep) for details.
+  - **private_ip** &ndash; (Optional) A private IP address of your choice to assign to the primary VNIC. If not provided, an IP address from the subnet is randomly chosen.
+  - **hostname** &ndash; (Optional) The primary VNIC hostname.
+  - **assign_public_ip** &ndash; (Optional) Whether to assign the primary VNIC a public IP. Default is false.
+  - **subnet_id** &ndash; (Optional) The subnet where the primary VNIC is created. *default_subnet_id* is used if undefined. This attribute is overloaded. It can be assigned either a literal OCID or a reference (a key) to an OCID in *network_dependency* variable. See [External Dependencies](#ext-dep) for details.
+  - **network_security_groups** &ndash; (Optional) List of network security groups the primary VNIC should be placed into. This attribute is overloaded. It can be assigned either a literal OCID or a reference (a key) to an OCID in *network_dependency* variable. See [External Dependencies](#ext-dep) for details.
+  - **skip_source_dest_check** &ndash; (Optional) Whether the source/destination check is disabled on the primary VNIC. If true, the VNIC is able to forward the packet. Default is false.
+  - **secondary_ips** &ndash; (Optional) Map of secondary private IP addresses for the primary VNIC.
+    - **display_name** &ndash; (Optional) Secondary IP display name.
+    - **hostname** &ndash; (Optional) Secondary IP host name.
+    - **private_ip** &ndash; (Optional) Secondary IP address. If not provided, an IP address from the subnet is randomly chosen.
+    - **defined_tags** &ndash; (Optional) Secondary IP defined_tags. default_defined_tags is used if undefined.
+    - **freeform_tags** &ndash; (Optional) Secondary IP freeform_tags. default_freeform_tags is used if undefined.
+  - **secondary_vnics** &ndash; (Optional) Map of secondary VNICs attached to the instance
+    - **display_name** &ndash; (Optional) The VNIC display name.
+    - **private_ip** &ndash; (Optional) a private IP address of your choice to assign to the VNIC. If not provided, an IP address from the subnet is randomly chosen.
+    - **hostname** &ndash; (Optional) The VNIC hostname.
+    - **assign_public_ip**&ndash; (Optional) Whether to assign the VNIC a public IP. Defaults to whether the subnet is public or private.
+    - **subnet_id** &ndash; (Optional) The subnet where the VNIC is created. default_subnet_id is used if undefined.
+    - **network_security_groups** &ndash; (Optional) List of network security groups the VNIC should be placed into.
+    - **skip_source_dest_check** &ndash; (Optional) Whether the source/destination check is disabled on the VNIC. If true, the VNIC is able to forward the packet. Default is false.
+    - **nic_index** &ndash; (Optional) The physical network interface card (NIC) the VNIC will use. Defaults to 0. Certain bare metal instance shapes have two active physical NICs (0 and 1).
+    - **secondary_ips** &ndash; (Optional) Map of secondary private IP addresses for the VNIC.
+      - **display_name** &ndash; (Optional) Secondary IP display name.
+      - **hostname** &ndash; (Optional) Secondary IP host name.
+      - **private_ip** &ndash; (Optional) Secondary IP address. If not provided, an IP address from the subnet is randomly chosen.
+      - **defined_tags** &ndash; (Optional) Secondary IP defined_tags. default_defined_tags is used if undefined.
+      - **freeform_tags** &ndash; (Optional) Secondary IP freeform_tags. default_freeform_tags is used if undefined.  
 - **encryption** &ndash; (Optional) Encryption settings. See section [In Transit Encryption](#in-transit-encryption) for important information.
   - **kms_key_id** &ndash; (Optional) The encryption key for boot volume encryption. *default_kms_key_id* is used if undefined. Required if *cis_level* or *default_cis_level* is "2".
   - **encrypt_in_transit_on_instance_create** &ndash; (Optional) Whether to enable in-transit encryption for the data volume's paravirtualized attachment. Default is false. Applicable during instance **creation** time only. Note that some platform images do not allow instances overriding the image configuration for in-transit encryption at instance creation time. In such cases, for enabling in-transit encryption, use *encrypt_in_transit_on_instance_update* attribute. First run ```terraform apply``` with it set to false, then run ```terraform apply``` again with it set to true.

cis-compute-storage/compute.tf

@@ -100,10 +100,12 @@ resource "oci_core_instance" "these" {
     # some images don't allow encrypt in transit
     is_pv_encryption_in_transit_enabled = each.value.encryption != null ? each.value.encryption.encrypt_in_transit_on_instance_create : null
     create_vnic_details {
+      private_ip       = each.value.networking != null ? each.value.networking.private_ip : null
       assign_public_ip = each.value.networking != null ? coalesce(each.value.networking.assign_public_ip,false) : false
       subnet_id        = each.value.networking != null ? (each.value.networking.subnet_id != null ? (length(regexall("^ocid1.*$", each.value.networking.subnet_id)) > 0 ? each.value.networking.subnet_id : var.network_dependency[each.value.networking.subnet_id].id) : (length(regexall("^ocid1.*$", var.instances_configuration.default_subnet_id)) > 0 ? var.instances_configuration.default_subnet_id : var.network_dependency[var.instances_configuration.default_subnet_id].id)) : (length(regexall("^ocid1.*$", var.instances_configuration.default_subnet_id)) > 0 ? var.instances_configuration.default_subnet_id : var.network_dependency[var.instances_configuration.default_subnet_id].id)
       hostname_label   = each.value.networking != null ? (coalesce(each.value.networking.hostname,lower(replace(each.value.name," ","")))) : lower(replace(each.value.name," ",""))
       nsg_ids          = each.value.networking != null ? [for nsg in coalesce(each.value.networking.network_security_groups,[]) : (length(regexall("^ocid1.*$", nsg)) > 0 ? nsg : var.network_dependency[nsg].id)] : null
+      skip_source_dest_check = each.value.networking != null ? each.value.networking.skip_source_dest_check : false
     }
     source_details {
       boot_volume_size_in_gbs = each.value.boot_volume != null ? each.value.boot_volume.size : 50
@@ -184,4 +186,107 @@ data "template_cloudinit_config" "config" {
       content_type = "text/x-shellscript"
       content      = data.template_file.block_volumes_templates[each.key].rendered
     }
-  } */
+  } */
+
+data "oci_core_vnic_attachments" "these" {
+  for_each = var.instances_configuration != null ? var.instances_configuration["instances"] : {}
+    compartment_id = each.value.compartment_id != null ? (length(regexall("^ocid1.*$", each.value.compartment_id)) > 0 ? each.value.compartment_id : var.compartments_dependency[each.value.compartment_id].id) : (length(regexall("^ocid1.*$", var.instances_configuration.default_compartment_id)) > 0 ? var.instances_configuration.default_compartment_id : var.compartments_dependency[var.instances_configuration.default_compartment_id].id) 
+    instance_id    = oci_core_instance.these[each.key].id
+}
+
+locals {
+  secondary_vnics = flatten([
+    for inst_key, inst_value in (var.instances_configuration != null ? var.instances_configuration["instances"] : {}) : [
+      for vnic_key, vnic_value in (inst_value.networking != null ? (inst_value.networking.secondary_vnics != null ? inst_value.networking.secondary_vnics : {}) : {}) : {
+        key              = "${inst_key}.${vnic_key}"
+        inst_key         = inst_key
+        display_name     = vnic_value.display_name
+        private_ip       = vnic_value.private_ip
+        hostname         = vnic_value.hostname
+        assign_public_ip = vnic_value.assign_public_ip
+        subnet_id               = vnic_value.subnet_id
+        network_security_groups = vnic_value.network_security_groups
+        skip_source_dest_check  = vnic_value.skip_source_dest_check
+        nic_index               = vnic_value.nic_index
+        defined_tags            = vnic_value.defined_tags
+        freeform_tags           = vnic_value.freeform_tags
+      } 
+    ]
+  ])
+
+  primary_vnic_secondary_ips = flatten([
+    for inst_key, inst_value in (var.instances_configuration != null ? var.instances_configuration["instances"] : {}) : [
+      for ip_key, ip_value in (inst_value.networking != null ? (inst_value.networking.secondary_ips != null ? inst_value.networking.secondary_ips : {}) : {}) : {
+        key           = "${inst_key}.${ip_key}"
+        vnic_id       = data.oci_core_vnic_attachments.these[inst_key].vnic_attachments[0].vnic_id
+        display_name  = ip_value.display_name
+        private_ip    = ip_value.private_ip
+        hostname      = ip_value.hostname
+        defined_tags  = ip_value.defined_tags
+        freeform_tags = ip_value.freeform_tags
+      } 
+    ]
+  ])
+
+  secondary_vnics_secondary_ips = flatten([
+    for inst_key, inst_value in (var.instances_configuration != null ? var.instances_configuration["instances"] : {}) : [
+      for vnic_key, vnic_value in (inst_value.networking != null ? (inst_value.networking.secondary_vnics != null ? inst_value.networking.secondary_vnics : {}) : {}) : [
+        for ip_key, ip_value in (vnic_value.secondary_ips != null ? vnic_value.secondary_ips : {}) : {
+          key           = "${inst_key}.${vnic_key}.${ip_key}"
+          vnic_id       = oci_core_vnic_attachment.these["${inst_key}.${vnic_key}"].vnic_id
+          display_name  = ip_value.display_name
+          private_ip    = ip_value.private_ip
+          hostname      = ip_value.hostname
+          defined_tags  = ip_value.defined_tags
+          freeform_tags = ip_value.freeform_tags
+        }
+      ] 
+    ]
+  ])
+}
+resource "oci_core_vnic_attachment" "these" {
+  for_each = { for v in local.secondary_vnics : v.key => {
+                                                            inst_key         = v.inst_key
+                                                            display_name     = v.display_name
+                                                            private_ip       = v.private_ip
+                                                            hostname         = v.hostname
+                                                            assign_public_ip = v.assign_public_ip
+                                                            subnet_id               = v.subnet_id
+                                                            network_security_groups = v.network_security_groups
+                                                            skip_source_dest_check  = v.skip_source_dest_check
+                                                            nic_index               = v.nic_index
+                                                            defined_tags            = v.defined_tags
+                                                            freeform_tags           = v.freeform_tags
+                                                         } }
+    display_name = each.value.display_name
+    instance_id  = oci_core_instance.these[each.value.inst_key].id
+    nic_index    = each.value.nic_index
+    create_vnic_details {
+      display_name     = each.value.display_name
+      assign_public_ip = each.value.assign_public_ip
+      private_ip       = each.value.private_ip
+      hostname_label   = each.value.hostname
+      subnet_id        = each.value.subnet_id != null ? (length(regexall("^ocid1.*$", each.value.subnet_id)) > 0 ? each.value.subnet_id : var.network_dependency[each.value.subnet_id].id) : (length(regexall("^ocid1.*$", var.instances_configuration.default_subnet_id)) > 0 ? var.instances_configuration.default_subnet_id : var.network_dependency[var.instances_configuration.default_subnet_id].id)
+      nsg_ids          = [for nsg in coalesce(each.value.network_security_groups,[]) : (length(regexall("^ocid1.*$", nsg)) > 0 ? nsg : var.network_dependency[nsg].id)]
+      skip_source_dest_check = each.value.skip_source_dest_check
+      defined_tags     = each.value.defined_tags != null ? each.value.defined_tags : var.instances_configuration.default_defined_tags
+      freeform_tags    = merge(local.cislz_module_tag, each.value.freeform_tags != null ? each.value.freeform_tags : var.instances_configuration.default_freeform_tags)
+    }
+}
+
+resource "oci_core_private_ip" "these" {
+  for_each = { for v in concat(local.primary_vnic_secondary_ips, local.secondary_vnics_secondary_ips) : v.key => {
+                                                                                                                  vnic_id       = v.vnic_id
+                                                                                                                  display_name  = v.display_name
+                                                                                                                  private_ip    = v.private_ip
+                                                                                                                  hostname      = v.hostname
+                                                                                                                  defined_tags  = v.defined_tags
+                                                                                                                  freeform_tags = v.freeform_tags
+                                                                                                                } }
+    display_name   = each.value.display_name
+    ip_address     = each.value.private_ip
+    vnic_id        = each.value.vnic_id
+    hostname_label = each.value.hostname
+    defined_tags   = each.value.defined_tags != null ? each.value.defined_tags : var.instances_configuration.default_defined_tags
+    freeform_tags  = merge(local.cislz_module_tag, each.value.freeform_tags != null ? each.value.freeform_tags : var.instances_configuration.default_freeform_tags)
+}

cis-compute-storage/examples/compute-block-volume/input.auto.tfvars.template

@@ -84,6 +84,7 @@ instances_configuration = {
         size = 120
         preserve_on_instance_deletion = true
         backup_policy = "gold"
+      }  
       encryption = {
         encrypt_in_transit_on_instance_create = true
       }