fix: missing rule for bastion nsg to get yum updates.

hyder · hyder · commit d537b48f609d · 2023-10-14T11:17:59.000+11:00
Updated cloud-init for operator so users can select Oracle Linux 9

Signed-off-by: Ali Mukadam &lt;ali.mukadam@oracle.com&gt;
diff --git a/module-operator.tf b/module-operator.tf
@@ -54,25 +54,26 @@ module "operator" {
   bastion_user = var.bastion_user
 
   # Operator
-  assign_dns            = var.assign_dns
-  availability_domain   = coalesce(var.operator_availability_domain, lookup(local.ad_numbers_to_names, local.ad_numbers[0]))
-  cloud_init            = var.operator_cloud_init
-  image_id              = local.operator_image_id
-  install_helm          = var.operator_install_helm
-  install_k9s           = var.operator_install_k9s
-  install_kubectx       = var.operator_install_kubectx
-  kubeconfig            = yamlencode(local.kubeconfig_private)
-  kubernetes_version    = var.kubernetes_version
-  nsg_ids               = compact(flatten([var.operator_nsg_ids, try(module.network.operator_nsg_id, null)]))
-  pv_transit_encryption = var.operator_pv_transit_encryption
-  shape                 = var.operator_shape
-  ssh_private_key       = sensitive(local.ssh_private_key) # to await cloud-init completion
-  ssh_public_key        = local.ssh_public_key
-  subnet_id             = try(module.network.operator_subnet_id, "") # safe destroy; validated in submodule
-  timezone              = var.timezone
-  upgrade               = var.operator_upgrade
-  user                  = var.operator_user
-  volume_kms_key_id     = var.operator_volume_kms_key_id
+  assign_dns                = var.assign_dns
+  availability_domain       = coalesce(var.operator_availability_domain, lookup(local.ad_numbers_to_names, local.ad_numbers[0]))
+  cloud_init                = var.operator_cloud_init
+  image_id                  = local.operator_image_id
+  install_helm              = var.operator_install_helm
+  install_k9s               = var.operator_install_k9s
+  install_kubectx           = var.operator_install_kubectx
+  kubeconfig                = yamlencode(local.kubeconfig_private)
+  kubernetes_version        = var.kubernetes_version
+  nsg_ids                   = compact(flatten([var.operator_nsg_ids, try(module.network.operator_nsg_id, null)]))
+  operator_image_os_version = var.operator_image_os_version
+  pv_transit_encryption     = var.operator_pv_transit_encryption
+  shape                     = var.operator_shape
+  ssh_private_key           = sensitive(local.ssh_private_key) # to await cloud-init completion
+  ssh_public_key            = local.ssh_public_key
+  subnet_id                 = try(module.network.operator_subnet_id, "") # safe destroy; validated in submodule
+  timezone                  = var.timezone
+  upgrade                   = var.operator_upgrade
+  user                      = var.operator_user
+  volume_kms_key_id         = var.operator_volume_kms_key_id
 
   # Standard tags as defined if enabled for use, or freeform
   # User-provided tags are merged last and take precedence
diff --git a/modules/network/nsg-bastion.tf b/modules/network/nsg-bastion.tf
@@ -20,6 +20,11 @@ locals {
         protocol = local.tcp_protocol, port = local.ssh_port, source = cidr, source_type = local.rule_type_cidr,
       }
     },
+    {
+      "Allow TCP egress from bastion to OCI services" : {
+        protocol = local.tcp_protocol, port = local.all_ports, destination = local.osn, destination_type = local.rule_type_service,
+      },
+    },
     local.operator_nsg_enabled ? {
       "Allow SSH egress from bastion to operator" = {
         protocol = local.tcp_protocol, port = local.ssh_port, destination = local.operator_nsg_id, destination_type = local.rule_type_nsg,
diff --git a/modules/operator/cloudinit.tf b/modules/operator/cloudinit.tf
@@ -7,6 +7,11 @@ locals {
 
   # https://canonical-cloud-init.readthedocs-hosted.com/en/latest/reference/merging.html
   default_cloud_init_merge_type = "list(append)+dict(no_replace,recurse_list)+str(append)"
+
+  baserepo        = "ol${var.operator_image_os_version}"
+  developer_EPEL  = "${local.baserepo}_developer_EPEL"
+  olcne17         = "${local.baserepo}_olcne17"
+  developer_olcne = "${local.baserepo}_developer_olcne"
 }
 
 # https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/cloudinit_config.html
@@ -29,23 +34,23 @@ data "cloudinit_config" "operator" {
         var.install_helm ? "helm" : null,
       ])
       yum_repos = {
-        ol8_developer_EPEL = {
+        "${local.developer_EPEL}" = {
           name     = "Oracle Linux $releasever EPEL Packages for Development ($basearch)"
-          baseurl  = "https://yum$ociregion.$ocidomain/repo/OracleLinux/OL8/developer/EPEL/$basearch/"
+          baseurl  = "https://yum$ociregion.$ocidomain/repo/OracleLinux/OL${var.operator_image_os_version}/developer/EPEL/$basearch/"
           gpgkey   = "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle"
           gpgcheck = true
           enabled  = true
         }
-        ol8_olcne17 = {
+        "${local.olcne17}" = {
           name     = "Oracle Linux Cloud Native Environment 1.7 ($basearch)"
-          baseurl  = "https://yum$ociregion.$ocidomain/repo/OracleLinux/OL8/olcne17/$basearch/"
+          baseurl  = "https://yum$ociregion.$ocidomain/repo/OracleLinux/OL${var.operator_image_os_version}/olcne17/$basearch/"
           gpgkey   = "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle"
           gpgcheck = true
           enabled  = true
         }
-        ol8_developer_olcne = {
+        "${local.developer_olcne}" = {
           name     = "Developer Preview for Oracle Linux Cloud Native Environment ($basearch)"
-          baseurl  = "https://yum$ociregion.$ocidomain/repo/OracleLinux/OL8/developer/olcne/$basearch/"
+          baseurl  = "https://yum$ociregion.$ocidomain/repo/OracleLinux/OL${var.operator_image_os_version}/developer/olcne/$basearch/"
           gpgkey   = "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle"
           gpgcheck = true
           enabled  = false
diff --git a/modules/operator/variables.tf b/modules/operator/variables.tf
@@ -20,6 +20,7 @@ variable "install_kubectx" { type = bool }
 variable "kubeconfig" { type = string }
 variable "kubernetes_version" { type = string }
 variable "nsg_ids" { type = list(string) }
+variable "operator_image_os_version" { type = string}
 variable "pv_transit_encryption" { type = bool }
 variable "shape" { type = map(any) }
 variable "ssh_private_key" {
