From: cel@kernel.org
Cc: Chandan Babu R , Chuck Lever
Subject: [RFC PATCH 26/31] terraform/OCI: Add a default VCN
Date: Mon, 31 Mar 2025 20:59:55 -0400
Message-ID: <20250401010000.764234-27-cel@kernel.org>
In-Reply-To: <20250401010000.764234-1-cel@kernel.org>
References: <20250401010000.764234-1-cel@kernel.org>
X-Mailing-List: kdevops@lists.linux.dev

From: Chuck Lever

The kdevops set-up for other cloud providers assumes that kdevops will
provision a VCN/subnet for use during test runs. OCI does not have that
option; it assumes that a long-lived subnet already exists to which
kdevops instances should be attached.

In a moment I will introduce a Kconfig option to use network resources
that kdevops manages instead of a pre-existing subnet. This patch adds
those resources, but does not yet use them, so that the new network
resource configuration can be reviewed easily.

Signed-off-by: Chuck Lever
---
 terraform/oci/main.tf | 112 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 112 insertions(+)

diff --git a/terraform/oci/main.tf b/terraform/oci/main.tf
index f6596a104c51..250c3b722537 100644
--- a/terraform/oci/main.tf
+++ b/terraform/oci/main.tf
@@ -51,3 +51,115 @@ module "volumes" { vol_volume_count = var.oci_volumes_per_instance vol_volume_size = var.oci_volumes_size } + +resource "oci_core_vcn" "kdevops_vcn" { + cidr_blocks = [ + "10.0.0.0/16", + ] + compartment_id = data.oci_identity_compartments.kdevops_compartment.compartments[0].id + display_name = "kdevops VCN" + dns_label = "kdevops" + is_ipv6enabled = false +} + +resource "oci_core_internet_gateway" "kdevops_internet_gateway" { + compartment_id = data.oci_identity_compartments.kdevops_compartment.compartments[0].id + display_name = "kdevops internet gateway" + vcn_id = oci_core_vcn.kdevops_vcn.id +} + +resource "oci_core_dhcp_options" "kdevops_dhcp_options" { + compartment_id = data.oci_identity_compartments.kdevops_compartment.compartments[0].id + display_name = "kdevops dhcp options" + vcn_id = oci_core_vcn.kdevops_vcn.id + + options { + type = "DomainNameServer" + server_type = "VcnLocalPlusInternet" + } + options { + type = "SearchDomain" + search_domain_names = ["kdevops.oraclevcn.com"] + } +} + +resource "oci_core_route_table" "kdevops_route_table" { + compartment_id = data.oci_identity_compartments.kdevops_compartment.compartments[0].id + display_name = "kdevops route table" + vcn_id = oci_core_vcn.kdevops_vcn.id + route_rules { + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + network_entity_id = oci_core_internet_gateway.kdevops_internet_gateway.id + } +} + +resource "oci_core_security_list" "kdevops_security_list" { + compartment_id = data.oci_identity_compartments.kdevops_compartment.compartments[0].id + display_name = "kdevops security list" + vcn_id = oci_core_vcn.kdevops_vcn.id + + egress_security_rules { + description = "Allow all outbound traffic" + destination = "0.0.0.0/0" + destination_type = "CIDR_BLOCK" + protocol = "all" + stateless = false + } + + ingress_security_rules { + description = "Enable Path MTU Discovery to work" + icmp_options { + code = 4 + type = 3 + } + protocol = 1 + source = "0.0.0.0/0" + 
source_type = "CIDR_BLOCK" + stateless = false + } + ingress_security_rules { + description = "Allow applications within VCN to fail fast" + icmp_options { + type = 3 + } + protocol = 1 + source = "10.0.0.0/16" + source_type = "CIDR_BLOCK" + stateless = false + } + ingress_security_rules { + description = "Enable instance management via Ansible" + protocol = 6 + source = "0.0.0.0/0" + source_type = "CIDR_BLOCK" + stateless = false + tcp_options { + min = 22 + max = 22 + } + } + ingress_security_rules { + description = "Allow VCN-local TCP traffic for ports: all" + protocol = 6 + source = "10.0.0.0/16" + source_type = "CIDR_BLOCK" + stateless = false + tcp_options { + min = 1 + max = 65535 + } + } +} + +resource "oci_core_subnet" "kdevops_subnet" { + availability_domain = data.oci_identity_availability_domain.kdevops_av_domain.name + cidr_block = "10.0.0.0/24" + compartment_id = data.oci_identity_compartments.kdevops_compartment.compartments[0].id + dhcp_options_id = oci_core_dhcp_options.kdevops_dhcp_options.id + dns_label = "runners" + display_name = "kdevops subnet" + route_table_id = oci_core_route_table.kdevops_route_table.id + security_list_ids = ["${oci_core_security_list.kdevops_security_list.id}"] + vcn_id = oci_core_vcn.kdevops_vcn.id +} -- 2.48.1
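Review bot: The "Enable instance management via Ansible" ingress rule in oci_core_security_list.kdevops_security_list opens TCP/22 from `source = "0.0.0.0/0"`, so every instance placed in the public kdevops subnet (it has an internet gateway default route and does not set prohibit_public_ip_on_vnic) accepts SSH from the whole internet rather than only from the host running kdevops. Consider taking that source from a variable (for example a hypothetical `var.oci_ssh_source_cidr`, which the operator sets to the address range of the kdevops controller) instead of hard-coding 0.0.0.0/0, and leaving the broad rule as an explicit opt-in; the VCN-local rules and the ICMP type 3 rules are fine as they are. Smaller point in the subnet block: `security_list_ids = ["${oci_core_security_list.kdevops_security_list.id}"]` uses the legacy interpolation-only string form that current Terraform warns about; `security_list_ids = [oci_core_security_list.kdevops_security_list.id]` is the idiomatic spelling.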