Updating rules

Author: harsh97

feature_store/apigw_terraform/main.tf

@@ -8,18 +8,21 @@ resource "random_string" "suffix" {
 }
 
 locals {
-  compartment_id = data.oci_network_load_balancer_network_load_balancer.nlb.compartment_id
+  compartment_id = var.use_nlb_compartment?data.oci_network_load_balancer_network_load_balancer.nlb.compartment_id:var.compartment_id
 }
 
-
 data oci_network_load_balancer_network_load_balancer nlb {
   network_load_balancer_id = var.nlb_id
 }
 
 module "feature_store_gw_subnet" {
   source = "./modules/subnet"
   kubernetes_nlb_id = var.nlb_id
+  compartment_id = local.compartment_id
   subnet_name = "fs-gw-subnet"
+  existing_subnet_id = var.api_gw_subnet_id
+  use_existing_subnet = !var.automatically_provision_apigw_subnet
+  create_security_rules = var.create_security_rules
 }
 
 module "function" {
@@ -29,7 +32,6 @@ module "function" {
   ocir_path = var.function_img_ocir_url
   subnet_id = module.feature_store_gw_subnet.subnet_id
   name_suffix = random_string.suffix.id
-
 }
 
 module "api_gw" {

feature_store/apigw_terraform/modules/api_gw/main.tf

@@ -6,10 +6,14 @@ locals {
   # we are doing it like this because of issues in escaping ${ character
   path_str = format("%s%s","$","{request.path[")
   path_map = {for path,methods in local.unique_paths: path=>replace(replace(tostring(path), "{", local.path_str),"}", "]}")}
-  policies = ["allow any-user to use functions-family in tenancy where ALL {request.principal.type='ApiGateway'}"]
+  policies = ["allow any-user to use functions-family in compartment ${data.oci_identity_compartment.compartment1.name} where ALL {request.principal.type='ApiGateway'}"]
 
 }
 
+data "oci_identity_compartment" "compartment1" {
+  id = var.compartment_id
+}
+
 resource oci_apigateway_api specs {
   display_name = "Feature Store API spec"
   compartment_id = var.compartment_id
@@ -46,7 +50,9 @@ data "oci_network_load_balancer_network_load_balancer" "nlb"{
 }
 
 resource oci_apigateway_deployment fs_deployment {
+  display_name="Feature store api deployment"
   compartment_id = var.compartment_id
+
   gateway_id     = oci_apigateway_gateway.fs_gateway.id
   path_prefix    = "/20230101"
   specification {

feature_store/apigw_terraform/modules/function/main.tf

@@ -3,10 +3,13 @@ locals {
   policies = ["allow dynamic-group ${oci_identity_dynamic_group.functions_dg.name} to {AUTHENTICATION_INSPECT,GROUP_MEMBERSHIP_INSPECT} in tenancy"]
 }
 
+data "oci_identity_compartment" "compartment" {
+  id = var.compartment_id
+}
 
 
 resource "oci_identity_dynamic_group" "functions_dg" {
-  compartment_id = var.compartment_id
+  compartment_id = "ocid1.tenancy.oc1..aaaaaaaa462hfhplpx652b32ix62xrdijppq2c7okwcqjlgrbknhgtj2kofa"
   description    = "FEATURESTORE: Allow Oci functions to inspect identity"
   matching_rule  = "All {resource.type = 'fnfunc', resource.id = '${oci_functions_function.test_function.id}'}"
   name           = "Feature_Store_Authorizer_${var.name_suffix}"

feature_store/apigw_terraform/modules/subnet/inputs.tf

@@ -4,3 +4,18 @@ variable "kubernetes_nlb_id" {
 variable "subnet_name" {
   type = string
 }
+variable "compartment_id" {
+  type = string
+}
+
+variable "existing_subnet_id" {
+  type = string
+}
+
+variable "use_existing_subnet" {
+  type = bool
+}
+
+variable "create_security_rules" {
+  type = bool
+}

feature_store/apigw_terraform/modules/subnet/main.tf

@@ -8,10 +8,14 @@ locals {
 
   next_cidr_block = cidrsubnet(local.parent_last_cidr_block, 1, 1)
   cidr_block = cidrsubnet(local.next_cidr_block,28-tonumber(local.parent_last_cidr_prefix),0)
-  compartment_id = data.oci_core_subnet.nlb_subnet.compartment_id
   internet_gateway_id = length(data.oci_core_internet_gateways.gateways)>0?data.oci_core_internet_gateways.gateways.gateways[0].id:oci_core_internet_gateway.gateway[0].id
-  nlb_egress_port = data.oci_network_load_balancer_backend_sets.backend_sets.backend_set_collection[0].items[0].backends[0].port
+  subnet = var.use_existing_subnet? data.oci_core_subnet.existing_apigw_subnet[0] : oci_core_subnet.subnet[0]
+#  nlb_egress_port = data.oci_network_load_balancer_backend_sets.backend_sets.backend_set_collection[0].items[0].backends[0].port
+}
 
+data "oci_core_subnet" "existing_apigw_subnet" {
+  count = var.use_existing_subnet?1:0
+  subnet_id = var.existing_subnet_id
 }
 
 data "oci_network_load_balancer_backend_sets" "backend_sets" {
@@ -27,10 +31,10 @@ data "oci_core_subnet" "node_subnet" {
   subnet_id = data.oci_core_instance.node_instance.subnet_id
 }
 
-
 data oci_network_load_balancer_network_load_balancer nlb {
   network_load_balancer_id = var.kubernetes_nlb_id
 }
+
 data oci_core_subnet nlb_subnet {
   subnet_id = data.oci_network_load_balancer_network_load_balancer.nlb.subnet_id
 }
@@ -48,13 +52,11 @@ data "oci_core_subnet" "subnets_dets" {
   subnet_id = "${each.key}"
 }
 
-
-
-
 resource "oci_core_subnet" "subnet" {
+  count = var.use_existing_subnet?0:1
   display_name =  var.subnet_name
   cidr_block     = local.cidr_block
-  compartment_id = local.compartment_id
+  compartment_id = var.compartment_id
   vcn_id         = data.oci_core_vcn.nlb_vcn.id
   route_table_id = oci_core_route_table.route_table.id
   security_list_ids = [oci_core_security_list.security_list_api_gw.id]
@@ -64,20 +66,20 @@ resource "oci_core_subnet" "subnet" {
 }
 
 data "oci_core_internet_gateways" "gateways"{
-  compartment_id = local.compartment_id
+  compartment_id = var.compartment_id
   vcn_id = data.oci_core_vcn.nlb_vcn.id
 }
 
 resource "oci_core_internet_gateway" "gateway" {
   count = length(data.oci_core_internet_gateways.gateways)>0?0:1
-  compartment_id = local.compartment_id
+  compartment_id = var.compartment_id
   vcn_id         = data.oci_core_vcn.nlb_vcn.id
   enabled = true
 }
 
 resource "oci_core_route_table" "route_table" {
   display_name = format("%s-route-table", var.subnet_name)
-  compartment_id = local.compartment_id
+  compartment_id = var.compartment_id
   vcn_id         = data.oci_core_vcn.nlb_vcn.id
   route_rules {
     network_entity_id = local.internet_gateway_id
@@ -86,8 +88,7 @@ resource "oci_core_route_table" "route_table" {
 }
 
 resource "oci_core_security_list" "security_list_api_gw" {
-
-  compartment_id = local.compartment_id
+  compartment_id = var.compartment_id
   vcn_id         = data.oci_core_vcn.nlb_vcn.id
   display_name = format("%s-sec-rules",var.subnet_name)
   egress_security_rules {
@@ -102,24 +103,25 @@ resource "oci_core_security_list" "security_list_api_gw" {
 }
 
 resource "oci_core_security_list" "nlb_security_rules" {
+  count = var.create_security_rules?1:0
   freeform_tags = {
     "subnet_id": data.oci_core_subnet.nlb_subnet.id
   }
-  compartment_id = local.compartment_id
+  compartment_id = var.compartment_id
   vcn_id         = data.oci_core_vcn.nlb_vcn.id
   display_name = format("%s-sec-rules",data.oci_core_subnet.nlb_subnet.display_name)
   egress_security_rules {
     destination = data.oci_core_subnet.node_subnet.cidr_block
     destination_type = "CIDR_BLOCK"
     protocol = "6"
     tcp_options {
-      max=local.nlb_egress_port
-      min=local.nlb_egress_port
+      max=32767
+      min=30000
     }
   }
   ingress_security_rules {
     protocol = "6"
-    source   = oci_core_subnet.subnet.cidr_block
+    source   = local.subnet.cidr_block
     tcp_options {
         max=80
         min=80
@@ -137,27 +139,28 @@ resource "oci_core_security_list" "nlb_security_rules" {
 }
 
 resource "oci_core_security_list" "node_security_rules" {
+  count = var.create_security_rules?1:0
   freeform_tags = {
-    "subnet_id": data.oci_core_subnet.node_subnet.id
+    "subnet_id": local.subnet.id
   }
-  compartment_id = local.compartment_id
+  compartment_id = var.compartment_id
   vcn_id         = data.oci_core_vcn.nlb_vcn.id
   display_name = format("%s-sec-rules",data.oci_core_subnet.node_subnet.display_name)
   ingress_security_rules {
     protocol = "6"
     source   = data.oci_core_subnet.nlb_subnet.cidr_block
     tcp_options {
-      max=local.nlb_egress_port
-      min=local.nlb_egress_port
+      max=32767
+      min=30000
     }
   }
   egress_security_rules {
     destination = data.oci_core_subnet.nlb_subnet.cidr_block
     protocol    = "6"
     tcp_options {
       source_port_range {
-        max = local.nlb_egress_port
-        min = local.nlb_egress_port
+        max = 32767
+        min = 30000
       }
     }
   }

feature_store/apigw_terraform/modules/subnet/outputs.tf

@@ -1,3 +1,3 @@
 output "subnet_id" {
-  value = oci_core_subnet.subnet.id
+  value = local.subnet.id
 }

feature_store/apigw_terraform/variables.tf

@@ -1,19 +1,55 @@
 variable nlb_id {
+  description = "Network load balancer ocid for the resource created after deploying feature store helm chart "
   type = string
 }
 
+variable "use_nlb_compartment" {
+  description = "Uses network load balancer compartment for the stack deployment. If false, compartment id must be provided in 'compartment_id'"
+  type = bool
+  default = true
+}
+
+variable "automatically_provision_apigw_subnet" {
+  description = "Creates a new Subnet. If false, the subnet ocid to use for api gateway must be provided"
+  type = bool
+  default = true
+}
+
+variable "api_gw_subnet_id" {
+  description = "Subnet Id for api gateway. Leave blank to automatically provision a subnet"
+  type = string
+  default = ""
+}
+
 variable authorized_user_groups {
+  description = "User group OCIDs authorized to access feature store environment"
   type = list(string)
 }
 
 variable function_img_ocir_url {
+  description = "OCIR URL of the authorizer image exported from feature store marketplace listing"
   type = string
 }
 
 variable "tenancy_ocid" {
   type = string
+  description = "OCID of the tenancy where the stack needs to be deployed"
+}
+
+variable "compartment_id" {
+  type = string
+  description = "OCID of the compartment where the stack needs to be deployed"
+  default = ""
 }
 
 variable "region" {
+  description = "Region in which the resources are to be provisioned"
   type = string
+  default = "us-ashburn-1"
+}
+
+variable "create_security_rules" {
+  description = "Should we automatically create required security groups for node and load balancer subnet? Note: These need be manually attached to the respective subnets once the stack is provisioned"
+  type = bool
+  default = true
 }