A comprehensive Terraform codebase for Oracle Cloud Infrastructure. Extends the official OKE module to support Site-to-Site IPsec connectivity and provisions a full-stack environment including Kubernetes, IAM, KMS, and custom DNS.
selfsealingstembolts/oci-oke-prod

OCI Hybrid Cloud Infrastructure

This repository contains the Terraform root module that manages my Oracle Cloud Infrastructure (OCI) tenant. It is designed to extend my on-premise homelab into the cloud, creating a seamless Hybrid Cloud environment.

It goes beyond simple resource provisioning by orchestrating complex networking (IPsec/BGP), Identity (IAM), and Storage, centered around an Oracle Kubernetes Engine (OKE) cluster.

Architecture

The infrastructure is designed as a "Virtual Data Center" connected via Site-to-Site VPN.

  • Compute: ARM-based OKE Node Pools (VM.Standard.A1.Flex) for cost-efficient compute.
  • Networking: A VCN with strict security lists, utilizing a Dynamic Routing Gateway (DRG) for transit routing.
  • Connectivity: High-availability IPsec VPN with BGP routing, connecting OCI to my on-premise gateway.
  • DNS: Custom OCI DNS Private Resolvers configured for split-horizon resolution (forwarding internal lab domains over the VPN).
  • Security: IAM Policies, KMS-backed Object Storage, and Network Security Groups (NSGs).

Key Modules

This project composes several custom and forked modules.

1. Kubernetes (OKE)

The core workload engine. This module invokes a custom fork of the official terraform-oci-oke located here.

  • Customization: The fork was necessary to inject specific Transit Routing rules into the VCN's route tables, ensuring that Pods and Nodes can route traffic back to the on-premise CIDRs via the DRG.
  • Topology: Separates control plane, workers, and load balancers into distinct subnets.

2. Hybrid Connectivity (IPsec)

Managed via module-ipsec.tf. This configures the "Site-to-Site" link. This module is located here.

  • Protocol: IKEv2 with BGP.
  • Redundancy: Configures dual tunnels (Primary/Secondary), with ECMP across both tunnels where supported.
  • Route Propagation: The DRG dynamically learns routes from the on-premise router, eliminating the need to manually update OCI route tables when the home network changes.
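The following is an added example, not the repository's module-ipsec.tf or its OKE fork. It wires together the two pieces described in sections 1 and 2: an IKEv2 IPsec connection whose two tunnels both run BGP against the on-premise gateway, and the transit route rule that sends on-premise prefixes from a VCN subnet to the DRG. Every OCID, address, ASN and name is an assumption or placeholder supplied through variables.

```hcl
# Added example: Site-to-Site IPsec (IKEv2 + BGP on both tunnels) plus a
# transit route rule toward the DRG. Not the repository's own module.

variable "compartment_id"    { type = string }       # assumed: compartment OCID
variable "vcn_id"            { type = string }       # assumed: OKE VCN OCID
variable "drg_id"            { type = string }       # assumed: existing DRG OCID
variable "on_prem_public_ip" { type = string }       # assumed: homelab firewall WAN IP
variable "on_prem_asn"       { type = string }       # assumed: e.g. "65010" (provider wants a string)
variable "on_prem_cidrs"     { type = list(string) } # assumed: e.g. ["192.168.0.0/16"]
variable "tunnel_psks" {
  type      = list(string) # one pre-shared key per tunnel, never the same key twice
  sensitive = true
}

# The on-premise gateway as OCI sees it.
resource "oci_core_cpe" "homelab" {
  compartment_id = var.compartment_id
  display_name   = "homelab-gateway"
  ip_address     = var.on_prem_public_ip
}

resource "oci_core_ipsec" "homelab" {
  compartment_id = var.compartment_id
  cpe_id         = oci_core_cpe.homelab.id
  drg_id         = var.drg_id
  display_name   = "homelab-s2s"
  # Required argument; an empty list keeps routing purely dynamic (BGP).
  static_routes  = []
}

# Oracle creates two tunnels per connection; look them up to configure each.
data "oci_core_ipsec_connection_tunnels" "homelab" {
  ipsec_id = oci_core_ipsec.homelab.id
}

resource "oci_core_ipsec_connection_tunnel_management" "homelab" {
  count     = 2
  ipsec_id  = oci_core_ipsec.homelab.id
  tunnel_id = data.oci_core_ipsec_connection_tunnels.homelab.ip_sec_connection_tunnels[count.index].id

  display_name  = "homelab-tunnel-${count.index + 1}"
  ike_version   = "V2"
  routing       = "BGP"
  shared_secret = var.tunnel_psks[count.index]

  bgp_session_info {
    customer_bgp_asn      = var.on_prem_asn
    # Assumed inside-tunnel /30 per tunnel: 10.255.0.0/30 and 10.255.1.0/30
    customer_interface_ip = "10.255.${count.index}.1/30"
    oracle_interface_ip   = "10.255.${count.index}.2/30"
  }
}

# Transit routing: a VCN route table (to be attached to the worker subnet)
# that sends every on-premise prefix to the DRG instead of the internet/NAT gateway.
resource "oci_core_route_table" "workers" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  display_name   = "workers-transit-rt"

  dynamic "route_rules" {
    for_each = var.on_prem_cidrs
    content {
      destination       = route_rules.value
      destination_type  = "CIDR_BLOCK"
      network_entity_id = var.drg_id
      description       = "on-premise via IPsec/DRG"
    }
  }
}

output "tunnel_oracle_endpoints" {
  description = "Oracle-side public IPs to configure on the homelab gateway"
  value       = [for t in data.oci_core_ipsec_connection_tunnels.homelab.ip_sec_connection_tunnels : t.vpn_ip]
}
```

The DRG's default route table for VCN attachments imports the prefixes learned over BGP from the VPN attachment, so only the VCN side needs explicit rules, and those rules only have to list the on-premise summary CIDRs. Keep the two pre-shared keys distinct and out of `terraform.tfvars` committed to git; they end up in state, which is one more reason the state backend must be access-controlled.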

3. Split-Horizon DNS

Managed via module-dns.tf. This module is located here.

  • Forwarder: A listening endpoint that accepts queries from the VCN.
  • Rules: Conditional forwarding rules are applied. For example, queries for *.site-1.com are intercepted by the OCI resolver and forwarded across the IPsec tunnel to the on-premise Bind/CoreDNS servers. This allows OKE pods to resolve on-prem services by name.
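An added example of the split-horizon setup described above, written against the OCI provider's DNS resolver resources; it is not the repository's module-dns.tf. It assumes a subnet and NSG reserved for resolver endpoints, two on-premise DNS servers and the VCN CIDR, all placeholders. In OCI terms the resolver needs a forwarding endpoint (the source address it uses when it sends queries toward the lab) and, for the reverse direction, a listening endpoint that on-premise resolvers can query for VCN names; both are shown.

```hcl
# Added example: conditional forwarding on the VCN's private resolver.
# Not the repository's own module; all addresses and OCIDs are assumed.

variable "vcn_id"        { type = string } # assumed: OKE VCN OCID
variable "dns_subnet_id" { type = string } # assumed: subnet routed to the DRG
variable "dns_nsg_id"    { type = string } # assumed: NSG allowing 53/udp+tcp only to/from on-prem
variable "vcn_cidr"      { type = string  default = "10.0.0.0/16" }
variable "on_prem_dns_servers" {
  type    = list(string)
  default = ["192.168.10.53", "192.168.10.54"] # assumed on-prem Bind/CoreDNS
}
variable "dns_resolver_qname_cover_conditions" {
  type    = list(string)
  default = ["site-1.com"] # "covers" means the name or any subdomain, e.g. prod.site-1.com
}

# Every VCN already has an implicit private resolver; fetch its OCID.
data "oci_core_vcn_dns_resolver_association" "vcn" {
  vcn_id = var.vcn_id
}

locals {
  resolver_id = data.oci_core_vcn_dns_resolver_association.vcn.dns_resolver_id
}

# Forwarding endpoint: queries to on-prem leave the VCN from this address,
# so the on-prem firewall only needs to permit a single /32 on port 53.
resource "oci_dns_resolver_endpoint" "forwarder" {
  resolver_id        = local.resolver_id
  name               = "forwarder"
  endpoint_type      = "VNIC"
  scope              = "PRIVATE"
  subnet_id          = var.dns_subnet_id
  is_forwarding      = true
  is_listening       = false
  forwarding_address = "10.0.20.5" # assumed free IP in the DNS subnet
  nsg_ids            = [var.dns_nsg_id]
}

# Listening endpoint: lets on-prem resolvers query VCN-internal names
# (the other half of split-horizon). Reachable only via the tunnel and the NSG.
resource "oci_dns_resolver_endpoint" "listener" {
  resolver_id       = local.resolver_id
  name              = "listener"
  endpoint_type     = "VNIC"
  scope             = "PRIVATE"
  subnet_id         = var.dns_subnet_id
  is_forwarding     = false
  is_listening      = true
  listening_address = "10.0.20.6" # assumed free IP in the DNS subnet
  nsg_ids           = [var.dns_nsg_id]
}

# The forwarding rule itself lives on the resolver resource.
resource "oci_dns_resolver" "vcn" {
  resolver_id = local.resolver_id
  scope       = "PRIVATE"

  rules {
    action                    = "FORWARD"
    qname_cover_conditions    = var.dns_resolver_qname_cover_conditions
    # Only clients inside the VCN get their lab queries proxied on-prem.
    client_address_conditions = [var.vcn_cidr]
    source_endpoint_name      = oci_dns_resolver_endpoint.forwarder.name
    destination_addresses     = var.on_prem_dns_servers
  }
}
```

Queries that do not match a cover condition are still answered by the VCN resolver itself (VCN names, then public DNS), so the forwarded set stays limited to the lab domains; keeping the NSG on both endpoints restricted to the on-premise CIDRs is what prevents the listener from becoming an open resolver inside the tunnel.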

4. Storage & Backups

Managed via module-object-storage.tf. This module is located here.

  • Provisions immutable Object Storage buckets.
  • Integrates with IAM to generate specific access keys for Longhorn, allowing the Kubernetes storage layer to push encrypted volume backups to OCI Object Storage.
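As an added example (not the repository's module-object-storage.tf), this is how the bucket and the Longhorn identity could be expressed so that a leaked backup credential cannot delete history and cannot reach anything beyond the one bucket. The KMS key OCID, tenancy and compartment OCIDs, bucket name and the retention lock date are assumptions.

```hcl
# Added example: KMS-encrypted, retention-locked backup bucket plus a
# least-privilege IAM user whose only credential is an S3-style secret key.
# Not the repository's own module; OCIDs and names are placeholders.

variable "tenancy_ocid"   { type = string } # assumed: IAM users/groups/policies live in the root compartment
variable "compartment_id" { type = string } # assumed: compartment holding the bucket
variable "kms_key_id"     { type = string } # assumed: OCI Vault key OCID
variable "bucket_name"    { type = string  default = "longhorn-backups" }

data "oci_objectstorage_namespace" "ns" {
  compartment_id = var.compartment_id
}

resource "oci_objectstorage_bucket" "longhorn" {
  compartment_id = var.compartment_id
  namespace      = data.oci_objectstorage_namespace.ns.namespace
  name           = var.bucket_name
  access_type    = "NoPublicAccess"
  kms_key_id     = var.kms_key_id # server-side encryption under a customer-managed key

  # Objects cannot be deleted or overwritten for 30 days. After time_rule_locked
  # passes, the rule itself can no longer be removed or shortened, which is what
  # keeps existing backups safe if the Longhorn credential is ever compromised.
  # Note: OCI does not allow object versioning on a bucket with retention rules.
  retention_rules {
    display_name = "backup-immutability"
    duration {
      time_amount = 30
      time_unit   = "DAYS"
    }
    time_rule_locked = "2030-01-01T00:00:00Z" # placeholder lock date
  }
}

# A dedicated user in a dedicated group: nothing else shares this identity.
resource "oci_identity_group" "longhorn" {
  compartment_id = var.tenancy_ocid
  name           = "longhorn-backup"
  description    = "Longhorn backup writer (added example)"
}

resource "oci_identity_user" "longhorn" {
  compartment_id = var.tenancy_ocid
  name           = "longhorn-backup-svc"
  description    = "Service identity used only by Longhorn backups"
}

resource "oci_identity_user_group_membership" "longhorn" {
  group_id = oci_identity_group.longhorn.id
  user_id  = oci_identity_user.longhorn.id
}

# Scope the policy to one bucket by name; no tenancy-wide object access.
resource "oci_identity_policy" "longhorn" {
  compartment_id = var.tenancy_ocid
  name           = "longhorn-backup-policy"
  description    = "Least privilege for Longhorn: one bucket, objects only"
  statements = [
    "Allow group ${oci_identity_group.longhorn.name} to read objectstorage-namespaces in tenancy",
    "Allow group ${oci_identity_group.longhorn.name} to read buckets in compartment id ${var.compartment_id} where target.bucket.name = '${oci_objectstorage_bucket.longhorn.name}'",
    "Allow group ${oci_identity_group.longhorn.name} to manage objects in compartment id ${var.compartment_id} where target.bucket.name = '${oci_objectstorage_bucket.longhorn.name}'",
  ]
}

# S3-compatible access key / secret pair for Longhorn's backup target.
resource "oci_identity_customer_secret_key" "longhorn" {
  user_id      = oci_identity_user.longhorn.id
  display_name = "longhorn-s3-compat"
}

output "longhorn_access_key_id" {
  value = oci_identity_customer_secret_key.longhorn.id
}

output "longhorn_secret_access_key" {
  value     = oci_identity_customer_secret_key.longhorn.key
  sensitive = true
}
```

The secret key is only returned at creation time and is then held in Terraform state, so the remote backend is effectively a credential store and should be protected accordingly. A retention rule also means Longhorn's own backup pruning will be refused for objects younger than the retention window; pick the duration to match the backup schedule rather than defaulting to the longest value.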

Usage

This project uses a standard Terraform workflow, with state managed remotely (e.g., GitLab HTTP backend or OCI Object Storage).

Prerequisites:

  • OCI API Keys configured.

  • Terraform 1.5+.

  • A terraform.tfvars file (example structure provided in repo).

Provisioning:

# Initialize modules and backend
terraform init

# Review the plan (Crucial for IAM/Network changes)
terraform plan -out=tfplan

# Apply
terraform apply tfplan

Variable Configuration

The terraform.tfvars controls the geometry of the infrastructure. Key configurations include:

  • worker_pools: Defines the shape (VM.Standard.A1.Flex) and size of the Kubernetes node pools.

  • customer_premise_equipments: Defines the public IP and BGP ASN of the on-premise firewall.

  • dns_resolver_qname_cover_conditions: List of domains (e.g., prod.site-1.com) that should be routed over the VPN.
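Because these three variables drive IAM, routing and DNS forwarding, typos in them surface as a confusing plan rather than a clear error. The block below is an added example of declaring them with validation rules; it is not the repository's variables.tf, and the object shapes (pool fields, CPE fields) are assumptions about how such inputs might be structured.

```hcl
# Added example: input validation for the three key tfvars entries.
# Not the repository's own variable definitions; field names are assumed.

variable "worker_pools" {
  type = map(object({
    shape  = string
    ocpus  = number
    memory = number # GB
    size   = number # node count
  }))

  validation {
    condition     = alltrue([for p in var.worker_pools : p.shape == "VM.Standard.A1.Flex"])
    error_message = "Every worker pool must use the ARM shape VM.Standard.A1.Flex."
  }

  validation {
    condition     = alltrue([for p in var.worker_pools : p.size >= 1 && p.ocpus >= 1 && p.memory >= p.ocpus])
    error_message = "Each pool needs size >= 1, ocpus >= 1 and at least 1 GB of memory per OCPU."
  }
}

variable "customer_premise_equipments" {
  type = map(object({
    ip_address = string
    bgp_asn    = number
  }))

  validation {
    condition = alltrue([
      for cpe in var.customer_premise_equipments : can(cidrnetmask("${cpe.ip_address}/32"))
    ])
    error_message = "Each CPE ip_address must be a valid IPv4 address (no prefix length)."
  }

  validation {
    # Assumes the homelab peers with a private ASN; 31898 is Oracle's own ASN
    # and must never be reused on the customer side.
    condition = alltrue([
      for cpe in var.customer_premise_equipments :
      cpe.bgp_asn != 31898 && (
        (cpe.bgp_asn >= 64512 && cpe.bgp_asn <= 65534) ||
        (cpe.bgp_asn >= 4200000000 && cpe.bgp_asn <= 4294967294)
      )
    ])
    error_message = "bgp_asn must be a private ASN (64512-65534 or 4200000000-4294967294) and not Oracle's 31898."
  }
}

variable "dns_resolver_qname_cover_conditions" {
  type = list(string)

  validation {
    condition = alltrue([
      for d in var.dns_resolver_qname_cover_conditions :
      can(regex("^([a-z0-9-]+\\.)+[a-z0-9-]+$", d))
    ])
    error_message = "Use bare lowercase domain names such as prod.site-1.com: no leading '*.', trailing dot or uppercase."
  }

  validation {
    condition     = length(distinct(var.dns_resolver_qname_cover_conditions)) == length(var.dns_resolver_qname_cover_conditions)
    error_message = "dns_resolver_qname_cover_conditions contains duplicate domains."
  }
}
```

With these in place a bad ASN or a wildcard-prefixed domain fails at `terraform plan` with the message above, before any IAM or network change is proposed.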

Automation

  • Renovate: Configured via renovate.json to automatically track and update the referenced Terraform module versions and provider versions.
