diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md
index c832196..167eb5b 100644
--- a/RELEASE-NOTES.md
+++ b/RELEASE-NOTES.md
@@ -1,3 +1,8 @@
+# August 28, 2024 Release Notes - 0.1.6
+## Updates
+1. All modules now require Terraform binary equal or greater than 1.3.0.
+2. *cislz-terraform-module* tag renamed to *ocilz-terraform-module*.
+
 # July 25, 2024 Release Notes - 0.1.5
 ## Updates
 1. Aligned README.md structure to Oracle's GitHub organizations requirements.
diff --git a/cis-compute-storage/README.md b/cis-compute-storage/README.md
index 1f84e18..757ef76 100644
--- a/cis-compute-storage/README.md
+++ b/cis-compute-storage/README.md
@@ -55,6 +55,10 @@ The following security features are currently supported by the module:
 - Deployment of cluster networks and compute clusters.
 ## Requirements
+### Terraform Version >= 1.3.0
+
+This module requires Terraform binary version 1.3.0 or greater, as it relies on Optional Object Type Attributes feature. The feature shortens the amount of input values in complex object types, by having Terraform automatically inserting a default value for any missing optional attributes.
+
 ### IAM Permissions
 This module requires the following OCI IAM permissions in the compartments where instances, block volumes, and file systems are defined.
@@ -99,9 +103,38 @@ Allow group to read keys in compartment to use key-delegate in compartment ```
-### Terraform Version > 1.3.x
+## How to Invoke the Module
+
+Terraform modules can be invoked locally or remotely.
-This module relies on [Terraform Optional Object Type Attributes feature](https://developer.hashicorp.com/terraform/language/expressions/type-constraints#optional-object-type-attributes), which has been promoted and no longer experimental in versions greater than 1.3.x. The feature shortens the amount of input values in complex object types, by having Terraform automatically inserting a default value for any missing optional attributes.
+For invoking the module locally, just set the module *source* attribute to the module file path (relative path works). The following example assumes the module is two folders up in the file system.
+```
+module "compute" {
+ source = "../.."
+ providers = {
+ oci = oci
+ oci.block_volumes_replication_region = oci.block_volumes_replication_region
+ }
+ instances_configuration = var.instances_configuration
+ storage_configuration = var.storage_configuration
+}
+```
+For invoking the module remotely, set the module *source* attribute to the *cis-compute-storage* module folder in this repository, as shown:
+```
+module "compute" {
+ source = "github.com/oracle-quickstart/terraform-oci-secure-workloads/cis-compute-storage"
+ providers = {
+ oci = oci
+ oci.block_volumes_replication_region = oci.block_volumes_replication_region
+ }
+ instances_configuration = var.instances_configuration
+ storage_configuration = var.storage_configuration
+}
+```
+For referring to a specific module version, add an extra slash before the folder name and append *ref=\* to the *source* attribute value, as in:
+```
+ source = "github.com/oracle-quickstart/terraform-oci-secure-workloads//cis-compute-storage?ref=v0.1.0"
+```
 ## How to Invoke the Module
diff --git a/cis-compute-storage/SPEC.md b/cis-compute-storage/SPEC.md
index 6f19183..7973a70 100644
--- a/cis-compute-storage/SPEC.md
+++ b/cis-compute-storage/SPEC.md
@@ -1,6 +1,8 @@
 ## Requirements
-No requirements.
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.3.0 |
 ## Providers
@@ -20,7 +22,10 @@ No modules.
 |------|------|
 | [oci_core_app_catalog_listing_resource_version_agreement.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_app_catalog_listing_resource_version_agreement) | resource |
 | [oci_core_app_catalog_subscription.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_app_catalog_subscription) | resource |
+| [oci_core_cluster_network.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_cluster_network) | resource |
+| [oci_core_compute_cluster.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_compute_cluster) | resource |
 | [oci_core_instance.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_instance) | resource |
+| [oci_core_instance_configuration.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_instance_configuration) | resource |
 | [oci_core_private_ip.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_private_ip) | resource |
 | [oci_core_vnic_attachment.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_vnic_attachment) | resource |
 | [oci_core_volume.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_volume) | resource |
@@ -37,10 +42,13 @@ No modules.
 | [oci_core_app_catalog_listing_resource_versions.existing](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/core_app_catalog_listing_resource_versions) | data source |
 | [oci_core_app_catalog_listings.existing](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/core_app_catalog_listings) | data source |
 | [oci_core_image.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/core_image) | data source |
+| [oci_core_instance.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/core_instance) | data source |
+| [oci_core_vnic.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/core_vnic) | data source |
 | [oci_core_vnic_attachments.these](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/core_vnic_attachments) | data source |
 | [oci_identity_availability_domains.ads](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/identity_availability_domains) | data source |
 | [oci_identity_availability_domains.bv_ads](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/identity_availability_domains) | data source |
 | [oci_identity_availability_domains.bv_ads_replicas](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/identity_availability_domains) | data source |
+| [oci_identity_availability_domains.cluster_ads](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/identity_availability_domains) | data source |
 | [oci_identity_availability_domains.fs_ads](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/identity_availability_domains) | data source |
 | [oci_identity_availability_domains.mt_ads](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/identity_availability_domains) | data source |
 | 
[oci_identity_availability_domains.snapshot_ads](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/identity_availability_domains) | data source |
@@ -50,14 +58,16 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [compartments\_dependency](#input\_compartments\_dependency) | A map of objects containing the externally managed compartments this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the compartment OCID) of string type. | `map(any)` | `null` | no |
+| [cluster\_instances\_configuration](#input\_cluster\_instances\_configuration) | Cluster instances configuration attributes |
object({
default_compartment_id = optional(string) # the default compartment where all resources are defined. It's overriden by the compartment_ocid attribute within each object.
default_defined_tags = optional(map(string)), # the default defined tags. It's overriden by the defined_tags attribute within each object.
default_freeform_tags = optional(map(string)), # the default freeform tags. It's overriden by the freeform_tags attribute within each object.
#default_ssh_public_key_path = optional(string) # the default SSH public key path used to access the workers.
#default_kms_key_id = optional(string) # the default KMS key to assign as the master encryption key. It's overriden by the kms_key_id attribute within each object.
configurations = map(object({ # the instance configurations to manage in this configuration.
compartment_id = optional(string) # the compartment where the instance configuration is created. default_compartment_id is used if this is not defined.
name = optional(string) # the instance configuration display name.
instance_type = optional(string) # the instance type. Default is "compute".
# instance_details = optional(object({ # The instance details to use as the configuration template. If provided, an instance is created and used as template for all instances in the cluster instance pool.
# shape = optional(string) # the instance shape. Default is "BM.Optimized3.36".
# source_type = optional(string)
# image_id = optional(string) # the image id used to boot the instance.
# compartment_id = optional(string) # the instance compartment. It defaults to the configuration compartment_id if undefined.
# }))
template_instance_id = optional(string) # the existing instance id to use as the configuration template for all instances in the cluster instance pool.
defined_tags = optional(map(string)) # instance configuration defined_tags. default_defined_tags is used if this is not defined.
freeform_tags = optional(map(string)) # instance configuration freeform_tags. default_freeform_tags is used if this is not defined.
}))
})
| `null` | no | +| [clusters\_configuration](#input\_clusters\_configuration) | Clusters configuration attributes. |
object({
default_compartment_id = optional(string), # the default compartment where all resources are defined. It's overriden by the compartment_ocid attribute within each object.
default_defined_tags = optional(map(string)), # the default defined tags. It's overriden by the defined_tags attribute within each object.
default_freeform_tags = optional(map(string)), # the default freeform tags. It's overriden by the freeform_tags attribute within each object.

clusters = map(object({ # the clusters to manage in this configuration.
type = optional(string) # the cluster type. Valid values: "cluster_network", "compute_cluster". Default is "cluster_network".
compartment_id = optional(string) # the compartment where the cluster is created. default_compartment_ocid is used if this is not defined.
availability_domain = optional(number) # the availability domain for cluster instances. Default is 1.
name = string # the cluster display name.
defined_tags = optional(map(string)) # clusters defined_tags. default_defined_tags is used if this is not defined.
freeform_tags = optional(map(string)) # clusters freeform_tags. default_freeform_tags is used if this is not defined.
cluster_network_settings = optional(object({ # cluster network settings. Only applicable if type is "cluster_network".
instance_configuration_id = string # the instance configuration id to use in this cluster.
instance_pool = optional(object({ # Cluster instance pool settings.
name = optional(string) # The instance pool name.
size = optional(number) # The number of instances in the instance pool. Defauls is 1.
}))
networking = object({
subnet_id = string # The subnet where instances primary VNIC is placed.
ipv6_enable = optional(bool) # Whether IPv6 is enabled for instances primary VNIC. Default is false.
ipv6_subnet_cidrs = optional(list(string)) # A list of IPv6 subnet CIDR ranges from which the primary VNIC is assigned an IPv6 address. Only applicable if ipv6_enable for primary VNIC is true. Default is [].
secondary_vnic_settings = optional(object({ # Secondary VNIC settings
subnet_id = string # The subnet where instances secondary VNIC are created.
name = optional(string) # The secondary VNIC name.
ipv6_enable = optional(bool) # Whether IPv6 is enabled for the secondary VNIC. Default is false.
ipv6_subnet_cidrs = optional(list(string)) # A list of IPv6 subnet CIDR ranges from which the secondary VNIC is assigned an IPv6 address. Only applicable if ipv6_enable for secondary VNIC is true. Default is [].
}))
})
}))
}))
})
| `null` | no | +| [compartments\_dependency](#input\_compartments\_dependency) | A map of objects containing the externally managed compartments this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the compartment OCID) of string type. |
map(object({
id = string # the compartment OCID
}))
| `null` | no | | [enable\_output](#input\_enable\_output) | Whether Terraform should enable the module output. | `bool` | `true` | no | -| [file\_system\_dependency](#input\_file\_system\_dependency) | A map of objects containing the externally managed file storage resources this module may depend on. This is used when setting file system replication using target file systems managed in another Terraform configuration. All map objects must have the same type and must contain at least an 'id' attribute (representing the file system OCID) of string type. | `map(any)` | `null` | no | -| [instances\_configuration](#input\_instances\_configuration) | Compute instances configuration attributes. |
object({
default_compartment_id = string, # the default compartment where all resources are defined. It's overriden by the compartment_ocid attribute within each object.
default_subnet_id = optional(string), # the default subnet where all Compute instances are defined. It's overriden by the subnet_id attribute within each Compute instance.
default_ssh_public_key_path = optional(string), # the default ssh public key path used to access the Compute instance. It's overriden by the ssh_public_key attribute within each Compute instance.
default_kms_key_id = optional(string), # the default KMS key to assign as the master encryption key. It's overriden by the kms_key_id attribute within each object.
default_cis_level = optional(string) # The CIS OCI Benchmark profile level. Level "1" is be practical and prudent. Level "2" is intended for environments where security is more critical than manageability and usability. Default is "1".
default_defined_tags = optional(map(string)), # the default defined tags. It's overriden by the defined_tags attribute within each object.
default_freeform_tags = optional(map(string)), # the default freeform tags. It's overriden by the freeform_tags attribute within each object.
default_cloud_init_heredoc_script = optional(string), # a cloud-init script in Terraform heredoc style that is applied to all instances. It has precedence over default_cloud_init_script_file.
default_cloud_init_script_file = optional(string), # a cloud-init script file that is applied to all instances.

instances = map(object({ # the instances to manage in this configuration.
cis_level = optional(string)
compartment_id = optional(string) # the compartment where the instance is created. default_compartment_ocid is used if this is not defined.
shape = string # the instance shape.
name = string # the instance display name.
platform_type = optional(string) # the platform type. Assigning this variable enables various platform security features in the Compute service. Valid values: "AMD_MILAN_BM", "AMD_MILAN_BM_GPU", "AMD_ROME_BM", "AMD_ROME_BM_GPU", "AMD_VM", "GENERIC_BM", "INTEL_ICELAKE_BM", "INTEL_SKYLAKE_BM", "INTEL_VM".
image = object({ # the base image. You must provider either the id or (name and publisher name).
id = optional(string) # the base image id for creating the instance. It takes precedence over name and publisher_name.
name = optional(string) # the image name to search for in marketplace.
publisher_name = optional(string) # the publisher name of the image name.
})
placement = optional(object({ # placement settings
availability_domain = optional(number,1) # the instance availability domain. Default is 1.
fault_domain = optional(number,1) # the instance fault domain. Default is 1.
}))
boot_volume = optional(object({ # boot volume settings
type = optional(string,"paravirtualized") # boot volume emulation type. Valid values: "paravirtualized" (default for platform images), "scsi", "iscsi", "ide", "vfio".
firmware = optional(string) # firmware used to boot the VM. Valid options: "BIOS" (compatible with both 32 bit and 64 bit operating systems that boot using MBR style bootloaders), "UEFI_64" (default for platform images).
size = optional(number,50) # boot volume size. Default is 50GB (minimum allowed by OCI).
preserve_on_instance_deletion = optional(bool,true) # whether to preserve boot volume after deletion. Default is true.
secure_boot = optional(bool, false) # prevents unauthorized boot loaders and operating systems from booting.
measured_boot = optional(bool, false) # enhances boot security by taking and storing measurements of boot components, such as bootloaders, drivers, and operating systems. Bare metal instances do not support Measured Boot.
trusted_platform_module = optional(bool, false) # used to securely store boot measurements.
backup_policy = optional(string,"bronze") # the Oracle managed backup policy. Valid values: "gold", "silver", "bronze". Default is "bronze".
}))
volumes_emulation_type = optional(string,"paravirtualized") # Emulation type for attached storage volumes. Valid values: "paravirtualized" (default for platform images), "scsi", "iscsi", "ide", "vfio". Module supported values for automated attachment: "paravirtualized", "iscsi".
networking = optional(object({ # networking settings
type = optional(string,"paravirtualized") # emulation type for the physical network interface card (NIC). Valid values: "paravirtualized" (default), "e1000", "vfio".
private_ip = optional(string) # a private IP address of your choice to assign to the primary VNIC.
hostname = optional(string) # the primary VNIC hostname.
assign_public_ip = optional(bool) # whether to assign the primary VNIC a public IP. Defaults to whether the subnet is public or private.
subnet_id = optional(string) # the subnet where the primary VNIC is created. default_subnet_id is used if this is not defined.
network_security_groups = optional(list(string)) # list of network security groups the primary VNIC should be placed into.
skip_source_dest_check = optional(bool,false) # whether the source/destination check is disabled on the primary VNIC. Default is false.
secondary_ips = optional(map(object({ # list of secondary private IP addresses for the primary VNIC.
display_name = optional(string) # Secondary IP display name.
hostname = optional(string) # Secondary IP host name.
private_ip = optional(string) # Secondary IP address. If not provided, an IP address from the subnet is randomly chosen.
defined_tags = optional(map(string)) # Secondary IP defined_tags. default_defined_tags is used if this is not defined.
freeform_tags = optional(map(string)) # Secondary IP freeform_tags. default_freeform_tags is used if this is not defined.
})))
secondary_vnics = optional(map(object({
display_name = optional(string) # the VNIC display name.
private_ip = optional(string) # a private IP address of your choice to assign to the VNIC.
hostname = optional(string) # the VNIC hostname.
assign_public_ip = optional(bool) # whether to assign the VNIC a public IP. Defaults to whether the subnet is public or private.
subnet_id = optional(string) # the subnet where the VNIC is created. default_subnet_id is used if this is not defined.
network_security_groups = optional(list(string)) # list of network security groups the VNIC should be placed into.
skip_source_dest_check = optional(bool,false) # whether the source/destination check is disabled on the VNIC. Default is false.
nic_index = optional(number,0) # the physical network interface card (NIC) the VNIC will use. Defaults to 0. Certain bare metal instance shapes have two active physical NICs (0 and 1).
secondary_ips = optional(map(object({ # list of secondary private IP addresses for the VNIC.
display_name = optional(string) # Secondary IP display name.
hostname = optional(string) # Secondary IP host name.
private_ip = optional(string) # Secondary IP address. If not provided, an IP address from the subnet is randomly chosen.
defined_tags = optional(map(string)) # Secondary IP defined_tags. default_defined_tags is used if this is not defined.
freeform_tags = optional(map(string)) # Secondary IP freeform_tags. default_freeform_tags is used if this is not defined.
})))
defined_tags = optional(map(string)) # VNIC defined_tags. default_defined_tags is used if this is not defined.
freeform_tags = optional(map(string)) # VNIC freeform_tags. default_freeform_tags is used if this is not defined.
})))
}))
encryption = optional(object({ # encryption settings
kms_key_id = optional(string) # the KMS key to assign as the master encryption key. default_kms_key_id is used if this is not defined.
encrypt_in_transit_on_instance_create = optional(bool,null) # whether to enable in-transit encryption for the instance. Default is set by the underlying image. Applicable at instance creation time only.
encrypt_in_transit_on_instance_update = optional(bool,null) # whether to enable in-transit encryption for the instance. Default is set by the underlying image. Applicable at instance update time only.
encrypt_data_in_use = optional(bool, false) # whether the instance encrypts data in-use (in memory) while being processed. A.k.a confidential computing.
}))
flex_shape_settings = optional(object({ # flex shape settings
memory = optional(number,16) # the instance memory for Flex shapes. Default is 16GB.
ocpus = optional(number,1) # the instance ocpus number for Flex shapes. Default is 1.
}))
cloud_agent = optional(object({ # Cloud Agent settings
disable_management = optional(bool,false) # whether the management plugins should be disabled. These plugins are enabled by default in the Compute service.
disable_monitoring = optional(bool,false) # whether the monitoring plugins should be disabled. These plugins are enabled by default in the Compute service.
plugins = optional(list(object({ # list of plugins
name = string # the plugin name. It must be a valid plugin name. The plugin names are available in https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/manage-plugins.htm and in compute-only example(./examples/compute-only/input.auto.tfvars.template) as well.
enabled = bool #Whether or not the plugin should be enabled. In order to disable a previously enabled plugin, set this value to false. Simply removing the plugin from the list will not disable it.
})))
}))
cloud_init = optional(object({
heredoc_script = optional(string) # a cloud-init script in Terraform heredoc style that is applied to the instance. It has precedence over script_file.
script_file = optional(string) # a cloud-init script file that is applied to the instance.
}))
ssh_public_key_path = optional(string) # the SSH public key path used to access the instance.
defined_tags = optional(map(string)) # instances defined_tags. default_defined_tags is used if this is not defined.
freeform_tags = optional(map(string)) # instances freeform_tags. default_freeform_tags is used if this is not defined.
}))
})
| `null` | no | -| [instances\_dependency](#input\_instances\_dependency) | A map of objects containing the externally managed Compute instances this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the instance OCID) of string type. | `map(any)` | `null` | no | -| [kms\_dependency](#input\_kms\_dependency) | A map of objects containing the externally managed encryption keys this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the key OCID) of string type. | `map(any)` | `null` | no | +| [file\_system\_dependency](#input\_file\_system\_dependency) | A map of objects containing the externally managed file storage resources this module may depend on. This is used when setting file system replication using target file systems managed in another Terraform configuration. All map objects must have the same type and must contain at least an 'id' attribute (representing the file system OCID) of string type. |
map(object({
id = string # the file system OCID.
}))
| `null` | no | +| [instances\_configuration](#input\_instances\_configuration) | Compute instances configuration attributes. |
object({
default_compartment_id = string, # the default compartment where all resources are defined. It's overriden by the compartment_ocid attribute within each object.
default_subnet_id = optional(string), # the default subnet where all Compute instances are defined. It's overriden by the subnet_id attribute within each Compute instance.
default_ssh_public_key_path = optional(string), # the default ssh public key path used to access the Compute instance. It's overriden by the ssh_public_key attribute within each Compute instance.
default_kms_key_id = optional(string), # the default KMS key to assign as the master encryption key. It's overriden by the kms_key_id attribute within each object.
default_cis_level = optional(string) # the CIS OCI Benchmark profile level. Level "1" is be practical and prudent. Level "2" is intended for environments where security is more critical than manageability and usability. Default is "1".
default_defined_tags = optional(map(string)), # the default defined tags. It's overriden by the defined_tags attribute within each object.
default_freeform_tags = optional(map(string)), # the default freeform tags. It's overriden by the freeform_tags attribute within each object.
default_cloud_init_heredoc_script = optional(string), # the default cloud-init script in Terraform heredoc style that is applied to all instances. It has precedence over default_cloud_init_script_file.
default_cloud_init_script_file = optional(string), # the default cloud-init script file that is applied to all instances.

instances = map(object({ # the instances to manage in this configuration.
cis_level = optional(string)
compartment_id = optional(string) # the compartment where the instance is created. default_compartment_ocid is used if this is not defined.
shape = string # the instance shape.
name = string # the instance display name.
platform_type = optional(string) # the platform type. Assigning this variable enables various platform security features in the Compute service. Valid values: "AMD_MILAN_BM", "AMD_MILAN_BM_GPU", "AMD_ROME_BM", "AMD_ROME_BM_GPU", "AMD_VM", "GENERIC_BM", "INTEL_ICELAKE_BM", "INTEL_SKYLAKE_BM", "INTEL_VM".
cluster_id = optional(string) # the Compute cluster the instance is added to. It can take either a literal cluster OCID or cluster key defined in the clusters_configuration variable.
image = object({ # the base image. You must provider either the id or (name and publisher name).
id = optional(string) # the base image id for creating the instance. It takes precedence over name and publisher_name.
name = optional(string) # the image name to search for in marketplace.
publisher_name = optional(string) # the publisher name of the image name.
})
placement = optional(object({ # placement settings
availability_domain = optional(number,1) # the instance availability domain. Default is 1.
fault_domain = optional(number,1) # the instance fault domain. Default is 1.
}))
boot_volume = optional(object({ # boot volume settings
type = optional(string,"paravirtualized") # boot volume emulation type. Valid values: "paravirtualized" (default for platform images), "scsi", "iscsi", "ide", "vfio".
firmware = optional(string) # firmware used to boot the VM. Valid options: "BIOS" (compatible with both 32 bit and 64 bit operating systems that boot using MBR style bootloaders), "UEFI_64" (default for platform images).
size = optional(number,50) # boot volume size. Default is 50GB (minimum allowed by OCI).
preserve_on_instance_deletion = optional(bool,true) # whether to preserve boot volume after deletion. Default is true.
secure_boot = optional(bool, false) # prevents unauthorized boot loaders and operating systems from booting.
measured_boot = optional(bool, false) # enhances boot security by taking and storing measurements of boot components, such as bootloaders, drivers, and operating systems. Bare metal instances do not support Measured Boot.
trusted_platform_module = optional(bool, false) # used to securely store boot measurements.
backup_policy = optional(string,"bronze") # the Oracle managed backup policy. Valid values: "gold", "silver", "bronze". Default is "bronze".
}))
volumes_emulation_type = optional(string,"paravirtualized") # Emulation type for attached storage volumes. Valid values: "paravirtualized" (default for platform images), "scsi", "iscsi", "ide", "vfio". Module supported values for automated attachment: "paravirtualized", "iscsi".
networking = optional(object({ # networking settings
type = optional(string,"paravirtualized") # emulation type for the physical network interface card (NIC). Valid values: "paravirtualized" (default), "e1000", "vfio".
private_ip = optional(string) # a private IP address of your choice to assign to the primary VNIC.
hostname = optional(string) # the primary VNIC hostname.
assign_public_ip = optional(bool) # whether to assign the primary VNIC a public IP. Defaults to whether the subnet is public or private.
subnet_id = optional(string) # the subnet where the primary VNIC is created. default_subnet_id is used if this is not defined.
network_security_groups = optional(list(string)) # list of network security groups the primary VNIC should be placed into.
skip_source_dest_check = optional(bool,false) # whether the source/destination check is disabled on the primary VNIC. Default is false.
secondary_ips = optional(map(object({ # list of secondary private IP addresses for the primary VNIC.
display_name = optional(string) # Secondary IP display name.
hostname = optional(string) # Secondary IP host name.
private_ip = optional(string) # Secondary IP address. If not provided, an IP address from the subnet is randomly chosen.
defined_tags = optional(map(string)) # Secondary IP defined_tags. default_defined_tags is used if this is not defined.
freeform_tags = optional(map(string)) # Secondary IP freeform_tags. default_freeform_tags is used if this is not defined.
})))
secondary_vnics = optional(map(object({
display_name = optional(string) # the VNIC display name.
private_ip = optional(string) # a private IP address of your choice to assign to the VNIC.
hostname = optional(string) # the VNIC hostname.
assign_public_ip = optional(bool) # whether to assign the VNIC a public IP. Defaults to whether the subnet is public or private.
subnet_id = optional(string) # the subnet where the VNIC is created. default_subnet_id is used if this is not defined.
network_security_groups = optional(list(string)) # list of network security groups the VNIC should be placed into.
skip_source_dest_check = optional(bool,false) # whether the source/destination check is disabled on the VNIC. Default is false.
nic_index = optional(number,0) # the physical network interface card (NIC) the VNIC will use. Defaults to 0. Certain bare metal instance shapes have two active physical NICs (0 and 1).
secondary_ips = optional(map(object({ # list of secondary private IP addresses for the VNIC.
display_name = optional(string) # Secondary IP display name.
hostname = optional(string) # Secondary IP host name.
private_ip = optional(string) # Secondary IP address. If not provided, an IP address from the subnet is randomly chosen.
defined_tags = optional(map(string)) # Secondary IP defined_tags. default_defined_tags is used if this is not defined.
freeform_tags = optional(map(string)) # Secondary IP freeform_tags. default_freeform_tags is used if this is not defined.
})))
defined_tags = optional(map(string)) # VNIC defined_tags. default_defined_tags is used if this is not defined.
freeform_tags = optional(map(string)) # VNIC freeform_tags. default_freeform_tags is used if this is not defined.
})))
}))
encryption = optional(object({ # encryption settings
kms_key_id = optional(string) # the KMS key to assign as the master encryption key. default_kms_key_id is used if this is not defined.
encrypt_in_transit_on_instance_create = optional(bool,null) # whether to enable in-transit encryption for the instance. Default is set by the underlying image. Applicable at instance creation time only.
encrypt_in_transit_on_instance_update = optional(bool,null) # whether to enable in-transit encryption for the instance. Default is set by the underlying image. Applicable at instance update time only.
encrypt_data_in_use = optional(bool, false) # whether the instance encrypts data in-use (in memory) while being processed. A.k.a confidential computing.
}))
flex_shape_settings = optional(object({ # flex shape settings
memory = optional(number,16) # the instance memory for Flex shapes. Default is 16GB.
ocpus = optional(number,1) # the instance ocpus number for Flex shapes. Default is 1.
}))
cloud_agent = optional(object({ # Cloud Agent settings
disable_management = optional(bool,false) # whether the management plugins should be disabled. These plugins are enabled by default in the Compute service.
disable_monitoring = optional(bool,false) # whether the monitoring plugins should be disabled. These plugins are enabled by default in the Compute service.
plugins = optional(list(object({ # list of plugins
name = string # the plugin name. It must be a valid plugin name. The plugin names are available in https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/manage-plugins.htm and in compute-only example(./examples/compute-only/input.auto.tfvars.template) as well.
enabled = bool #Whether or not the plugin should be enabled. In order to disable a previously enabled plugin, set this value to false. Simply removing the plugin from the list will not disable it.
})))
}))
cloud_init = optional(object({
heredoc_script = optional(string) # the cloud-init script in Terraform heredoc style that is applied to the instance. It has precedence over script_file.
script_file = optional(string) # the cloud-init script file that is applied to the instance.
}))
ssh_public_key_path = optional(string) # the SSH public key path used to access the instance.
defined_tags = optional(map(string)) # instances defined_tags. default_defined_tags is used if this is not defined.
freeform_tags = optional(map(string)) # instances freeform_tags. default_freeform_tags is used if this is not defined.
}))
})
| `null` | no |
+| [instances\_dependency](#input\_instances\_dependency) | A map of objects containing the externally managed Compute instances this module may depend on. The objects, when defined, must contain at least an 'id' attribute (representing the instance OCID) of string type. |
map(object({
id = string # the instance OCID
}))
| `null` | no |
+| [kms\_dependency](#input\_kms\_dependency) | A map of objects containing the externally managed encryption keys this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the key OCID) of string type. |
map(object({
id = string # the key OCID.
}))
| `null` | no |
 | [module\_name](#input\_module\_name) | The module name. | `string` | `"cis-compute-storage"` | no |
-| [network\_dependency](#input\_network\_dependency) | A map of objects containing the externally managed network resources this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the network resource OCID) of string type. | `map(any)` | `null` | no |
+| [network\_dependency](#input\_network\_dependency) | An object containing the externally managed network resources this module may depend on. Supported resources are 'subnets', and 'network\_security\_groups', represented as map of objects. Each object, when defined, must have an 'id' attribute of string type set with the subnet or NSG OCID. |
object({
subnets = optional(map(object({
id = string # the subnet OCID
})))
network_security_groups = optional(map(object({
id = string # the NSG OCID
})))
})
| `null` | no |
 | [storage\_configuration](#input\_storage\_configuration) | Storage configuration attributes. |
object({
default_compartment_id = optional(string), # the default compartment where all resources are defined. It's overriden by the compartment_id attribute within each object.
default_kms_key_id = optional(string), # the default KMS key to assign as the master encryption key. It's overriden by the kms_key_id attribute within each object.
default_cis_level = optional(string,"1"), # The CIS OCI Benchmark profile level. Level "1" is be practical and prudent. Level "2" is intended for environments where security is more critical than manageability and usability. Default is "1".
default_defined_tags = optional(map(string)), # the default defined tags. It's overriden by the defined_tags attribute within each object.
default_freeform_tags = optional(map(string)), # the default freeform tags. It's overriden by the frreform_tags attribute within each object.

block_volumes = optional(map(object({ # the block volumes to manage in this configuration.
cis_level = optional(string,"1")
compartment_id = optional(string) # the compartment where the block volume is created. default_compartment_id is used if this is not defined.
display_name = string # the name of the block volume.
availability_domain = optional(number,1) # the availability domain where to create the block volume.
volume_size = optional(number,50) # the size of the block volume.
vpus_per_gb = optional(number,0) # the number of vpus per gb. Values are 0(LOW), 10(BALANCE), 20(HIGH), 30-120(ULTRA HIGH)
attach_to_instances = optional(list(object({ # map to where to attach the block volume.
instance_id = string # the instance that this volume will be attached to.
device_name = string # where to mount the block volume. Should be one of the values from disk_mappings in the instance_configuration.
attachment_type = optional(string,"paravirtualized") # the block volume attachment type. Valid values: "paravirtualized" (default), "iscsi".
read_only = optional(bool,false) # whether the attachment is "Read Only" or "Read/Write". Default is false, which means "Read/Write".
})))
encryption = optional(object({ # encryption settings
kms_key_id = optional(string) # the KMS key to assign as the master encryption key. default_kms_key_id is used if this is not defined.
encrypt_in_transit = optional(bool,false) # whether the block volume should encrypt traffic. Works only with paravirtualized attachment type. Default is false.
}))
replication = optional(object({ # replication settings
availability_domain = number # the availability domain (AD) to replicate the volume. The AD is picked from the region specified by 'block_volumes_replication_region' variable if defined. Otherwise picked from the region specified by 'region' variable.
}))
backup_policy = optional(string,"bronze") # the Oracle managed backup policy. Valid values: "gold", "silver", "bronze". Default is "bronze".
defined_tags = optional(map(string)) # block volume defined_tags. default_defined_tags is used if this is not defined.
freeform_tags = optional(map(string)) # block volume freeform_tags. default_freeform_tags is used if this is not defined.
}))),

file_storage = optional(object({ # file storage settings.
default_subnet_id = optional(string), # the default subnet used for all file system mount targets. It's overriden by the subnet_id attribute within each mount_target object.
file_systems = map(object({ # the file systems.
cis_level = optional(string,"1")
compartment_id = optional(string) # the file system compartment. default_compartment_id is used if this is not defined.
file_system_name = string # the file_system name.
availability_domain = optional(number,1) # the file system availability domain..
kms_key_id = optional(string) # the KMS key to assign as the master encryption key. default_kms_key_id is used if this is not defined.
replication = optional(object({ # replication settings
is_target = optional(bool,false) # whether the file system is a replication target. Default is false
file_system_target_id = optional(string) # the file system replication target. It must be an existing unexported file system, in the same or in a different region than the source file system.
interval_in_minutes = optional(number,60) # time interval (in minutes) between replication snapshots. Default is 60 minutes.
}))
snapshot_policy_id = optional(string) # the snapshot policy identifying key in the snapshots_policy map. A default snapshot policy is associated with file systems without a snapshot policy.
defined_tags = optional(map(string)) # file system defined_tags. default_defined_tags is used if this is not defined.
freeform_tags = optional(map(string)) # file system freeform_tags. default_freeform_tags is used if this is not defined.
}))
mount_targets = optional(map(object({ # the mount targets.
compartment_id = optional(string) # the mount target compartment. default_compartment_id is used if this is not defined.
mount_target_name = string # the mount target and export set name.
availability_domain = optional(number,1) # the mount target availability domain.
subnet_id = optional(string) # the mount target subnet. default_subnet_id is used if this is not defined.
exports = optional(list(object({
path = string # export path. For example: /foo
file_system_id = string # the file system identifying key the export applies to. It must be one of the keys in file_systems map of objects.
options = optional(list(object({ # optional export options.
source = string # the source IP or CIDR allowed to access the mount target.
access = optional(string, "READ_ONLY") # type of access grants. Valid values (case sensitive): READ_WRITE, READ_ONLY.
identity = optional(string, "NONE") # UID and GID remapped to. Valid values(case sensitive): ALL, ROOT, NONE.
use_privileged_source_port = optional(bool, true) # If true, accessing the file system through this export must connect from a privileged source port.
})))
})))
})))
snapshot_policies = optional(map(object({
name = string
compartment_id = optional(string)
availability_domain = optional(number,1)
prefix = optional(string)
schedules = optional(list(object({
period = string # "DAILY", "WEEKLY", "MONTHLY", "YEARLY"
prefix = optional(string)
time_zone = optional(string,"UTC")
hour_of_day = optional(number,23)
day_of_week = optional(string)
day_of_month = optional(number)
month = optional(string)
retention_in_seconds = optional(number)
start_time = optional(string)
})))
defined_tags = optional(map(string)) # snapshot policy defined_tags. default_defined_tags is used if this is not defined.
freeform_tags = optional(map(string)) # snapshot policy freeform_tags. default_freeform_tags is used if this is not defined.
})))
}))
})
| `null` | no |
 ## Outputs
@@ -65,9 +75,13 @@ No modules.
 | Name | Description |
 |------|-------------|
 | [block\_volumes](#output\_block\_volumes) | The block volumes |
+| [cluster\_networks](#output\_cluster\_networks) | The cluster networks. |
+| [compute\_clusters](#output\_compute\_clusters) | The Compute clusters. |
 | [file\_systems](#output\_file\_systems) | The file systems |
 | [file\_systems\_mount\_targets](#output\_file\_systems\_mount\_targets) | n/a |
 | [file\_systems\_snapshot\_policies](#output\_file\_systems\_snapshot\_policies) | n/a |
 | [instances](#output\_instances) | The Compute instances |
 | [private\_ips](#output\_private\_ips) | The private IPs |
-| [vnic\_attachments](#output\_vnic\_attachments) | The VNIC attachments |
+| [secondary\_private\_ips](#output\_secondary\_private\_ips) | The secondary private IPs in all instances VNICs |
+| [secondary\_vnic\_attachments](#output\_secondary\_vnic\_attachments) | The secondary VNIC attachments |
+| [secondary\_vnics](#output\_secondary\_vnics) | The secondary VNICs |
\ No newline at end of file
diff --git a/cis-compute-storage/compute.tf b/cis-compute-storage/compute.tf
index 4f7c4dc..14cdc0d 100644
--- a/cis-compute-storage/compute.tf
+++ b/cis-compute-storage/compute.tf
@@ -108,7 +108,7 @@ resource "oci_core_instance" "these" {
 defined_tags = each.value.defined_tags != null ? each.value.defined_tags : var.instances_configuration.default_defined_tags
 freeform_tags = merge(local.cislz_module_tag, each.value.freeform_tags != null ? each.value.freeform_tags : var.instances_configuration.default_freeform_tags)
 # some images don't allow encrypt in transit
- is_pv_encryption_in_transit_enabled = coalesce(each.value.cis_level,var.instances_configuration.default_cis_level,"1") >= "1" ? true : (each.value.encryption != null ? each.value.encryption.encrypt_in_transit_on_instance_create : null)
+ is_pv_encryption_in_transit_enabled = coalesce(each.value.cis_level,var.instances_configuration.default_cis_level,"1") == "2" ? true : (each.value.encryption != null ? each.value.encryption.encrypt_in_transit_on_instance_create : null)
 create_vnic_details {
 private_ip = each.value.networking != null ? each.value.networking.private_ip : null
 assign_public_ip = each.value.networking != null ? coalesce(each.value.networking.assign_public_ip,false) : false
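Review bot: The `is_pv_encryption_in_transit_enabled` line now forces in-transit encryption only when the effective cis_level is exactly "2", whereas the removed `>= "1"` comparison was true for both documented levels, so level-"1" instances silently fall back to `encrypt_in_transit_on_instance_create` (documented as defaulting to null, i.e. the image default); the surviving comment `# some images don't allow encrypt in transit` does not explain that threshold. I would reword it to `# In-transit (PV) encryption is enforced at CIS level "2"; at level "1" the per-instance encryption setting applies (null keeps the image default), since some images do not support it.` so the relaxation reads as deliberate. The same change and missing rationale are in the `@@ -128,7 +128,7 @@` hunk for the update-time attribute, and the `default_cis_level` input description should state that level "2" enforces in-transit encryption. Both lines sit inside `resource "oci_core_instance" "these"`, whose body begins and ends outside the hunk.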
@@ -128,7 +128,7 @@ resource "oci_core_instance" "these" {
 firmware = each.value.boot_volume != null ? (each.value.boot_volume.firmware != null ? upper(each.value.boot_volume.firmware) : null) : null
 network_type = each.value.networking != null ? upper(each.value.networking.type) : "PARAVIRTUALIZED"
 remote_data_volume_type = upper(each.value.volumes_emulation_type)
- is_pv_encryption_in_transit_enabled = coalesce(each.value.cis_level,var.instances_configuration.default_cis_level,"1") >= "1" ? true : (each.value.encryption != null ? each.value.encryption.encrypt_in_transit_on_instance_update : null)
+ is_pv_encryption_in_transit_enabled = coalesce(each.value.cis_level,var.instances_configuration.default_cis_level,"1") == "2" ? true : (each.value.encryption != null ? each.value.encryption.encrypt_in_transit_on_instance_update : null)
 }
 dynamic "platform_config" {
 for_each = each.value.platform_type != null || coalesce(each.value.cis_level,var.instances_configuration.default_cis_level,"1") == "2" ? [1] : []
@@ -284,6 +284,11 @@ resource "oci_core_vnic_attachment" "these" {
 }
 }
+data "oci_core_vnic" "these" {
+ for_each = oci_core_vnic_attachment.these
+ vnic_id = each.value.vnic_id
+}
+
 resource "oci_core_private_ip" "these" {
 for_each = { for v in concat(local.primary_vnic_secondary_ips, local.secondary_vnics_secondary_ips) : v.key => {
 vnic_id = v.vnic_id
diff --git a/cis-compute-storage/metadata.tf b/cis-compute-storage/metadata.tf
index b2d9c2d..d3fd11c 100644
--- a/cis-compute-storage/metadata.tf
+++ b/cis-compute-storage/metadata.tf
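Review bot: The new `data "oci_core_vnic" "these"` block in the `@@ -284,6 +284,11 @@` hunk carries no comment saying why the module reads back VNICs it has just attached; it appears to exist only so the `secondary_vnics` output in outputs.tf can expose the VNIC objects. A one-liner above it, `# Reads the VNIC behind each entry of oci_core_vnic_attachment.these so its attributes can be exposed in the secondary_vnics output.`, would make that explicit. Because the `for_each` keys come from a managed resource, the read is presumably deferred to apply time whenever attachments change, so that output will show as known-after-apply in such plans; worth stating in the output description if consumers depend on it at plan time.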
@@ -3,5 +3,5 @@
 #-- Used to inform module and release number.
 locals {
- cislz_module_tag = {"cislz-terraform-module" : fileexists("${path.module}/../release.txt") ? "${var.module_name}/${file("${path.module}/../release.txt")}" : "${var.module_name}"}
+ cislz_module_tag = {"ocilz-terraform-module" : fileexists("${path.module}/../release.txt") ? "${var.module_name}/${file("${path.module}/../release.txt")}" : "${var.module_name}"}
 }
\ No newline at end of file
diff --git a/cis-compute-storage/outputs.tf b/cis-compute-storage/outputs.tf
index 8069b06..3e44710 100644
--- a/cis-compute-storage/outputs.tf
+++ b/cis-compute-storage/outputs.tf
@@ -11,11 +11,21 @@ output "private_ips" {
 value = var.enable_output ? oci_core_private_ip.these : null
 }
-output "vnic_attachments" {
- description = "The VNIC attachments"
+output "secondary_vnics" {
+ description = "The secondary VNICs"
+ value = var.enable_output ? data.oci_core_vnic.these : null
+}
+
+output "secondary_vnic_attachments" {
+ description = "The secondary VNIC attachments"
 value = var.enable_output ? oci_core_vnic_attachment.these : null
 }
+output "secondary_private_ips" {
+ description = "The secondary private IPs in all instances VNICs"
+ value = var.enable_output ? oci_core_private_ip.these : null
+}
+
 output "block_volumes" {
 description = "The block volumes"
 value = var.enable_output ? oci_core_volume.these : null
diff --git a/cis-compute-storage/providers.tf b/cis-compute-storage/providers.tf
index 3d77dd0..ae32851 100644
--- a/cis-compute-storage/providers.tf
+++ b/cis-compute-storage/providers.tf
@@ -2,6 +2,7 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 terraform {
+ required_version = ">= 1.3.0"
 required_providers {
 oci = {
 source = "oracle/oci"
diff --git a/cis-oke/README.md b/cis-oke/README.md
index b6b162f..3995261 100644
--- a/cis-oke/README.md
+++ b/cis-oke/README.md
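Review bot: In the outputs.tf hunk, the added `secondary_private_ips` output returns `oci_core_private_ip.these`, which is exactly what the existing `private_ips` output (the context line at the top of that hunk) already exposes, so the module now publishes the same map under two names with different descriptions. If the intent is a rename, `private_ips` should be dropped or marked deprecated, e.g. `description = "Deprecated: use secondary_private_ips"`; if both are meant to stay, the two descriptions should say how they differ. Otherwise consumers cannot tell which name is authoritative and have to diff the values to find out.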
@@ -32,6 +32,10 @@ The following features are currently supported by the module:
 - Boot volumes in-transit encryption enforced, drive by CIS profile level "2".
 ## Requirements
+### Terraform Version >= 1.3.0
+
+This module requires Terraform binary version 1.3.0 or greater, as it relies on Optional Object Type Attributes feature. The feature shortens the amount of input values in complex object types, by having Terraform automatically inserting a default value for any missing optional attributes.
+
 ### IAM Permissions
 This module requires the following IAM permissions:
@@ -64,10 +68,6 @@ Allow any-user to manage instances in compartment
 For more information about OKE Policies [click here](https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengpolicyconfig.htm#Policy_Configuration_for_Cluster_Creation_and_Deployment).
-### Terraform Version > 1.3.x
-
-This module relies on [Terraform Optional Object Type Attributes feature](https://developer.hashicorp.com/terraform/language/expressions/type-constraints#optional-object-type-attributes), which has been promoted and no longer experimental in versions greater than 1.3.x. The feature shortens the amount of input values in complex object types, by having Terraform automatically inserting a default value for any missing optional attributes.
-
 ## How to Invoke the Module
 Terraform modules can be invoked locally or remotely.
diff --git a/cis-oke/SPEC.MD b/cis-oke/SPEC.MD
index 36526a8..5526cd1 100644
--- a/cis-oke/SPEC.MD
+++ b/cis-oke/SPEC.MD
@@ -1,6 +1,8 @@
 ## Requirements
-No requirements.
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.3.0 |
 ## Providers
@@ -33,11 +35,11 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [clusters\_configuration](#input\_clusters\_configuration) | Cluster configuration attributes. |
object({
default_compartment_id = optional(string), # the default compartment where all resources are defined. It's overriden by the compartment_ocid attribute within each object.
default_img_kms_key_id = optional(string) # the default KMS key to assign as the master encryption key for images. It's overriden by the img_kms_key_id attribute within each object.
default_kube_secret_kms_key_id = optional(string) # the default KMS key to assign as the master encryption key for kubernetes secrets. It's overriden by the kube_secret_kms_key_id attribute within each object.
default_cis_level = optional(string, "1") # The CIS OCI Benchmark profile level. Level "1" is be practical and prudent. Level "2" is intended for environments where security is more critical than manageability and usability. Default is "1".
default_defined_tags = optional(map(string)), # the default defined tags. It's overriden by the defined_tags attribute within each object.
default_freeform_tags = optional(map(string)), # the default freeform tags. It's overriden by the freeform_tags attribute within each object.

clusters = map(object({ # the clusters to manage in this configuration.
cis_level = optional(string, "1")
compartment_id = optional(string) # the compartment where the cluster is created. default_compartment_ocid is used if this is not defined.
kubernetes_version = optional(string) # the kubernetes version. If not specified the latest version will be selected.
name = string # the cluster display name.
is_enhanced = optional(bool, false) # if the cluster is enhanced. It is designed to work only on Native CNI. Default is false.
cni_type = optional(string, "flannel") # the CNI type of the cluster. Can be either "flannel" or "native". Default is "flannel".
defined_tags = optional(map(string)) # clusters defined_tags. default_defined_tags is used if this is not defined.
freeform_tags = optional(map(string)) # clusters freeform_tags. default_freeform_tags is used if this is not defined.
options = optional(object({ # optional attributes for the cluster.
add_ons = optional(object({ # configurable cluster addons.
dashboard_enabled = optional(bool, false) # if the dashboard is enabled. Default to false.
tiller_enabled = optional(bool, false) # if the tiller is enabled. Default to false.
}))
admission_controller = optional(object({ # configurable cluster admission controllers.
pod_policy_enabled = optional(bool, false) # if the pod policy is enabled. Default to false.
}))
kubernetes_network_config = optional(object({ # pods and services network configuration for kubernetes.
pods_cidr = optional(string) # the CIDR block for Kubernetes pods. Optional, defaults to 10.244.0.0/16.
services_cidr = optional(string) # the CIDR block for Kubernetes services. Optional, defaults to 10.96.0.0/16.
}))
persistent_volume_config = optional(object({ # configuration to be applied to block volumes created by Kubernetes Persistent Volume Claims (PVC).
defined_tags = optional(map(string)) # PVC defined_tags. default_defined_tags is used if this is not defined.
freeform_tags = optional(map(string)) # PVC freeform_tags. default_freeform_tags is used if this is not defined.
}))
service_lb_config = optional(object({ # configuration to be applied to load balancers created by Kubernetes services
defined_tags = optional(map(string)) # LB defined_tags. default_defined_tags is used if this is not defined.
freeform_tags = optional(map(string)) # LB freeform_tags. default_freeform_tags is used if this is not defined.
}))
}))

networking = object({ # cluster networking settings.
vcn_id = string # the vcn where the cluster will be created.
is_api_endpoint_public = optional(bool) # if the api endpoint is public. default to false.
api_endpoint_nsg_ids = optional(list(string)) # the nsgs used by the api endpoint.
api_endpoint_subnet_id = string # the subnet for the api endpoint.
services_subnet_id = optional(list(string)) # the subnets for the services(Load Balancers).
})
encryption = optional(object({ # encryption settings
kube_secret_kms_key_id = optional(string) # # the KMS key to assign as the master encryption key for kube secrets. default_kube_secret_kms_key_id is used if this is not defined.
}))
image_signing = optional(object({
image_policy_enabled = optional(bool) # whether the image verification policy is enabled. default to false.
img_kms_key_id = optional(string) # the KMS key to assign as the master encryption key for images. default_img_kms_key_id is used if this is not defined.
}))
}))
})
| `null` | no |
-| [compartments\_dependency](#input\_compartments\_dependency) | A map of objects containing the externally managed compartments this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the compartment OCID) of string type. | `map(any)` | `null` | no |
+| [compartments\_dependency](#input\_compartments\_dependency) | A map of objects containing the externally managed compartments this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the compartment OCID) of string type. |
map(object({
id = string # the compartment OCID
}))
| `null` | no |
 | [enable\_output](#input\_enable\_output) | Whether Terraform should enable the module output. | `bool` | `true` | no |
-| [kms\_dependency](#input\_kms\_dependency) | A map of objects containing the externally managed encryption keys this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the key OCID) of string type. | `map(any)` | `null` | no |
+| [kms\_dependency](#input\_kms\_dependency) | A map of objects containing the externally managed encryption keys this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the key OCID) of string type. |
map(object({
id = string # the key OCID.
}))
| `null` | no |
 | [module\_name](#input\_module\_name) | The module name. | `string` | `"cis-oke"` | no |
-| [network\_dependency](#input\_network\_dependency) | A map of objects containing the externally managed network resources this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the network resource OCID) of string type. | `map(any)` | `null` | no |
+| [network\_dependency](#input\_network\_dependency) | An object containing the externally managed network resources this module may depend on. Supported resources are 'vcns', 'subnets', and 'network\_security\_groups', represented as map of objects. Each object, when defined, must have an 'id' attribute of string type set with the VCN, subnet, or NSG OCID. |
object({
vcns = optional(map(object({
id = string # the VCN OCID
})))
subnets = optional(map(object({
id = string # the subnet OCID
})))
network_security_groups = optional(map(object({
id = string # the NSG OCID
})))
})
| `null` | no |
 | [workers\_configuration](#input\_workers\_configuration) | Worker Nodes configuration attributes |
object({
default_cis_level = optional(string, "1") # the CIS OCI Benchmark profile level. Level "1" is be practical and prudent. Level "2" is intended for environments where security is more critical than manageability and usability. Default is "1".
default_compartment_id = optional(string) # the default compartment where all resources are defined. It's overriden by the compartment_ocid attribute within each object.
default_defined_tags = optional(map(string)), # the default defined tags. It's overriden by the defined_tags attribute within each object.
default_freeform_tags = optional(map(string)), # the default freeform tags. It's overriden by the freeform_tags attribute within each object.
default_ssh_public_key_path = optional(string) # the default SSH public key path used to access the workers.
default_kms_key_id = optional(string) # the default KMS key to assign as the master encryption key. It's overriden by the kms_key_id attribute within each object.
default_initial_node_labels = optional(map(string)) # the default initial node labels, a list of key/value pairs to add to nodes after they join the Kubernetes cluster.

node_pools = optional(map(object({ # the node pools to manage in this configuration.
cis_level = optional(string, "1")
kubernetes_version = optional(string) # the kubernetes version for the node pool. it cannot be 2 versions older behind of the cluster version or newer. If not specified, the version of the cluster will be selected.
cluster_id = string # the cluster where the node pool will be created.
compartment_id = optional(string) # the compartment where the node pool is created. default_compartment_ocid is used if this is not defined.
name = string # the node pool display name.
defined_tags = optional(map(string)) # node pool defined_tags. default_defined_tags is used if this is not defined.
freeform_tags = optional(map(string)) # node pool freeform_tags. default_freeform_tags is used if this is not defined.
initial_node_labels = optional(map(string)) # a list of key/value pairs to add to nodes after they join the Kubernetes cluster.
size = optional(number) # the number of nodes that should be in the node pool.

networking = object({ # node pool networking settings.
workers_nsg_ids = optional(list(string)) # the nsgs to be used by the nodes.
workers_subnet_id = string # the subnet for the nodes.
pods_subnet_id = optional(string) # the subnet for the pods. only applied to native CNI.
pods_nsg_ids = optional(list(string)) # the nsgs to be used by the pods. only applied to native CNI.
max_pods_per_node = optional(number) # the maximum number of pods per node. only applied to native CNI.
})

node_config_details = object({ # the configuration of nodes in the node pool.
ssh_public_key_path = optional(string) # the SSH public key path used to access the workers. if not specified default_ssh_public_key_path will be used.
defined_tags = optional(map(string)) # nodes defined_tags. default_defined_tags is used if this is not defined.
freeform_tags = optional(map(string)) # nodes freeform_tags. default_freeform_tags is used if this is not defined.
image = optional(string) # the image for the nodes. Can be specified as ocid or as an Oracle Linux Version. Example: "8.8". If not specified the latest Oracle Linux image will be selected.
node_shape = string # the shape of the nodes.
capacity_reservation_id = optional(string) # the OCID of the compute capacity reservation in which to place the compute instance.
flex_shape_settings = optional(object({ # flex shape settings
memory = optional(number, 16) # the nodes memory for Flex shapes. Default is 16GB.
ocpus = optional(number, 1) # the nodes ocpus number for Flex shapes. Default is 1.
}))
boot_volume = optional(object({ # the boot volume settings.
size = optional(number, 60) # the boot volume size.Default is 60.
preserve_boot_volume = optional(bool, false) # whether to preserve the boot volume after the nodes are terminated.
}))
encryption = optional(object({ # the encryption settings.
enable_encrypt_in_transit = optional(bool) # whether to enable the encrypt in transit. Default is false.
kms_key_id = optional(string) # the KMS key to assign as the master encryption key. default_kms_key_id is used if this is not defined.
}))
placement = optional(list(object({ # placement settings.
availability_domain = optional(number) # the nodes availability domain. Default is 1.
fault_domain = optional(number) # the nodes fault domain. Default is 1.
})))
node_eviction = optional(object({ # node eviction settings.
grace_duration = optional(number) # duration after which OKE will give up eviction of the pods on the node. Can be specified in seconds. Default is 60 minutes.
force_delete = optional(bool) # whether the nodes should be deleted if you cannot evict all the pods in grace period.
}))
node_cycling = optional(object({ # node cycling settings. Available only for Enhanced clusters.
enable_cycling = optional(bool) # whether to enable node cycling. Default is false.
max_surge = optional(string) # maximum additional new compute instances that would be temporarily created and added to nodepool during the cycling nodepool process. OKE supports both integer and percentage input. Defaults to 1, Ranges from 0 to Nodepool size or 0% to 100%.
max_unavailable = optional(string) # maximum active nodes that would be terminated from nodepool during the cycling nodepool process. OKE supports both integer and percentage input. Defaults to 0, Ranges from 0 to Nodepool size or 0% to 100%.
}))
})
})), {})

virtual_node_pools = optional(map(object({
cluster_id = string # the cluster where the virtual node pool will be created.
compartment_id = optional(string) # the compartment where the virtual node pool is created. default_compartment_ocid is used if this is not defined.
name = string # the virtual node pool display name.
defined_tags = optional(map(string)) # virtual node pool defined_tags. default_defined_tags is used if this is not defined.
freeform_tags = optional(map(string)) # virtual node pool freeform_tags. default_freeform_tags is used if this is not defined.
virtual_nodes_defined_tags = optional(map(string)) # defined_tags that apply to virtual nodes. default_defined_tags is used if this is not defined.
virtual_nodes_freeform_tags = optional(map(string)) # freeform_tags that apply to virtual nodes. default_freeform_tags is used if this is not defined.
initial_node_labels = optional(map(string)) # a list of key/value pairs to add to virtual nodes after they join the Kubernetes cluster.
size = optional(number) # the number of virtual nodes that should be in the virtual node pool.
pod_shape = string # the shape assigned to pods. It can be one of Pod.Standard.A1.Flex, Pod.Standard.E3.Flex, Pod.Standard.E4.Flex.

networking = object({ # virtual node pool networking settings.
workers_nsg_ids = optional(list(string)) # the nsgs to be used by the virtual nodes.
workers_subnet_id = string # the subnet for the virtual nodes.
pods_subnet_id = string # the subnet for the pods.
pods_nsg_ids = optional(list(string)) # the nsgs to be used by the pods.
})

placement = optional(list(object({ # placement settings.
availability_domain = optional(number) # the virtual nodes availability domain. Default is 1.
fault_domain = optional(number) # the virtual nodes fault domain. Default is 1.
})))

taints = optional(list(object({ # the taints will be applied to the Virtual Nodes for Kubernetes scheduling.
effect = optional(string) # the effect of the pair.
key = optional(string) # the key of the pair.
value = optional(string) # the value of the pair.
})))
})), {})
})
| `null` | no | ## Outputs 
diff --git a/cis-oke/examples/flannel/oke-operator-host-iam/main.tf b/cis-oke/examples/flannel/oke-operator-host-iam/main.tf
index a634cbc..7ae713d 100644
--- a/cis-oke/examples/flannel/oke-operator-host-iam/main.tf
+++ b/cis-oke/examples/flannel/oke-operator-host-iam/main.tf
@@ -1,11 +1,11 @@
 module "operator_dynamic_group" {
- source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam//dynamic-groups?ref=v0.2.0"
+ source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam//dynamic-groups?ref=v0.2.3"
 tenancy_ocid = var.tenancy_ocid
 dynamic_groups_configuration = var.dynamic_groups_configuration
 }
 
 module "operator_policy" {
- source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam//policies?ref=v0.2.0"
+ source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-iam//policies?ref=v0.2.3"
 tenancy_ocid = var.tenancy_ocid
 policies_configuration = var.policies_configuration
 }
\ No newline at end of file
diff --git a/cis-oke/examples/flannel/oke-operator-host-iam/providers.tf b/cis-oke/examples/flannel/oke-operator-host-iam/providers.tf
index 6c2673e..bde08a2 100644
--- a/cis-oke/examples/flannel/oke-operator-host-iam/providers.tf
+++ b/cis-oke/examples/flannel/oke-operator-host-iam/providers.tf
@@ -12,11 +12,9 @@ provider "oci" {
 }
 
 terraform {
- required_version = "< 1.3.0"
 required_providers {
 oci = {
 source = "oracle/oci"
 }
 }
- experiments = [module_variable_optional_attrs]
 }
diff --git a/cis-oke/metadata.tf b/cis-oke/metadata.tf
index b2d9c2d..d3fd11c 100644
--- a/cis-oke/metadata.tf
+++ b/cis-oke/metadata.tf
@@ -3,5 +3,5 @@
 #-- Used to inform module and release number.
 
 locals {
- cislz_module_tag = {"cislz-terraform-module" : fileexists("${path.module}/../release.txt") ? "${var.module_name}/${file("${path.module}/../release.txt")}" : "${var.module_name}"}
+ cislz_module_tag = {"ocilz-terraform-module" : fileexists("${path.module}/../release.txt") ? "${var.module_name}/${file("${path.module}/../release.txt")}" : "${var.module_name}"}
 }
\ No newline at end of file
diff --git a/cis-oke/providers.tf b/cis-oke/providers.tf
index a9ba16d..01dfd12 100644
--- a/cis-oke/providers.tf
+++ b/cis-oke/providers.tf
@@ -2,6 +2,7 @@
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 terraform {
+ required_version = ">= 1.3.0"
 required_providers {
 oci = {
 source = "oracle/oci"
diff --git a/release.txt b/release.txt
index def9a01..a192233 100644
--- a/release.txt
+++ b/release.txt
@@ -1 +1 @@
-0.1.5
\ No newline at end of file
+0.1.6
\ No newline at end of file
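Review bot: Renaming the tag key to `ocilz-terraform-module` changes the freeform tag that `local.cislz_module_tag` presumably stamps on every resource the module manages, so existing deployments will see an in-place re-tag on the next apply and anything matched on the old `cislz-terraform-module` key (tag-based IAM policy conditions, cost or inventory queries, external automation) silently stops matching. The release-notes entry for 0.1.6 only says the tag was renamed; it should also warn that resources are re-tagged and that consumers keyed on the old name must be updated. As a style point, the local is still named `cislz_module_tag` while the key it holds now says `ocilz`; a comment such as `# key renamed to "ocilz-terraform-module" in 0.1.6; local name kept for compatibility with existing references` would explain the mismatch until the local itself is renamed. The `locals` block is complete within the hunk.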
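Review bot: The new `required_version = ">= 1.3.0"` floor is declared only in the root `cis-oke/providers.tf`, while the example `cis-oke/examples/flannel/oke-operator-host-iam/providers.tf` earlier in this diff deletes its `required_version = "< 1.3.0"` and `experiments = [module_variable_optional_attrs]` lines without adding the new floor, leaving that example with no Terraform version constraint at all. A pre-1.3 binary will therefore pass the example's own checks and only fail once a called module's `optional()` attributes are parsed, with a much less clear error; adding `required_version = ">= 1.3.0"` to the example's `terraform` block mirrors the floor the release notes announce for all modules. The `required_providers` entry for `oracle/oci` carries no `version` constraint either, so each `terraform init` resolves whatever provider is newest; a lower bound matching the provider features the module relies on would make plans reproducible, though that is pre-existing rather than introduced here. The `terraform` block continues past the end of the hunk.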