
2.1.2 VCN & public subnet (step-by-step in Terraform)


Last updated 4 years ago

N.B.: This tutorial is created in the root compartment.

Prerequisites: Terraform configured (if it is not configured yet, check one of my previous lessons, "Install and configure Terraform").

In step 2.1.1 (Create a virtual network using Start VCN Wizard) we created the "vcnmysql" virtual network.

If you take a look at the created virtual network, you will notice that a VCN consists of:

  • Resources (Subnets (public and/or private), CIDR Blocks, Route Tables, Internet Gateways, Dynamic Routing Gateway, Network Security Groups, Security Lists, DHCP Options, NAT Gateways, etc.)

  • DNS Resolver

  • DNS Domain Name

1. Define a VCN

Let's create a VCN (without resources). We will add the resources one by one in the next steps.

But first, let's create our working directory, and define our provider and variables.

root@deploymentmachine:/home/terra# mkdir vcn_public
root@deploymentmachine:/home/terra# cd vcn_public
root@deploymentmachine:/home/terra/vcn_public# # create the terraform files
root@deploymentmachine:/home/terra/vcn_public# touch provider.tf
root@deploymentmachine:/home/terra/vcn_public# touch variables.tf
root@deploymentmachine:/home/terra/vcn_public# touch vcn.tf
root@deploymentmachine:/home/terra/vcn_public# tree .
.
├── provider.tf
├── variables.tf
└── vcn.tf

If you paid attention at point 2.1.1, when we configured the VCN, there was a field "VCN CIDR Block".

This accepts an IPv4 CIDR block (with a prefix length between /16 and /30). Let's use the same value, "10.0.0.0/16", and define it in our variables.tf file:

root@deploymentmachine:/home/terra/vcn_public# more variables.tf

# required
variable "compartment_ocid" {
  default = "ocid1.tenancy.oc1..aaaaaaaafakerootcompartmentidhuehuehue12324"
}

# for vcn block

variable "cidrblockz" {
  type = list(string)
  default = ["10.0.0.0/16"]
}

My vcn.tf file has the following content:

root@deploymentmachine:/home/terra/vcn_public# more vcn.tf
resource "oci_core_virtual_network" "WildTestVCN" {
  cidr_blocks = var.cidrblockz
  compartment_id = var.compartment_ocid
  display_name = "WildTestVCN"
}

...and of course, the provider.tf, so that Terraform knows we work with OCI resources:

root@deploymentmachine:/home/terra/vcn_public# more provider.tf
provider "oci" {
  tenancy_ocid = "ocid1.tenancy.oc1..aaaaaaaafaketenancyocidhahahah123234234"
  user_ocid = "ocid1.user.oc1..aaaaaaafakeuserocidhahahah12312434"
  private_key_path = "/root/.oci/oci_api_key.pem"
  fingerprint = "xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx"
  region = "eu-frankfurt-1"
}

Run "terraform init" in the working directory:

root@deploymentmachine:/home/terra/vcn_public# terraform init

Initializing the backend...

Initializing provider plugins...
- Finding latest version of hashicorp/oci...
- Installing hashicorp/oci v4.12.0...
- Installed hashicorp/oci v4.12.0 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

... then "terraform plan" and, if all is good, "terraform apply":

root@deploymentmachine:/home/terra/vcn_public# terraform plan

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # oci_core_virtual_network.WildTestVCN will be created
  + resource "oci_core_virtual_network" "WildTestVCN" {
      + cidr_block               = (known after apply)
      + cidr_blocks              = [
          + "10.0.0.0/16",
        ]
        
      
[ ......... snip ............]

root@deploymentmachine:/home/terra/vcn_public# terraform apply

[ ......... snip ............]

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

oci_core_virtual_network.WildTestVCN: Creating...
oci_core_virtual_network.WildTestVCN: Creation complete after 0s [id=ocid1.vcn.oc1.eu-frankfurt-1.amaaaaaa34qs2dyae36yqymbevoeg52h7ijecnsokpft6swazq6e77fxqvlq]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

And let's check in the Cloud, to see if it has been created:

... still no resources (in particular, no subnets) for this VCN, apart from a few default ones:

2. Create a Subnet

Time to remind ourselves once again what we did in "Start VCN Wizard": remember that we also defined the subnet CIDR:

Let's use "10.0.1.0/24" for our subnet, and define it in our "variables.tf" file:

root@deploymentmachine:/home/terra/vcn_public# more variables.tf

variable "compartment_ocid" {
  default = "ocid1.tenancy.oc1..aaaaaaaafakerootcompartmentidhuehuehue12324"
}

#for vcn block

variable "cidrblockz" {
  type = list(string)
  default = ["10.0.0.0/16"]
}

#for subnet

variable "cidrsubnet" {
  default = "10.0.1.0/24"
}
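
Before wiring the subnet into Terraform, it is worth checking that the two CIDR values fit together: the VCN block must be IPv4 with a prefix length between /16 and /30, and every subnet must lie entirely inside one of the VCN's blocks without overlapping another subnet. The script below is an added example (it is not part of the tutorial or of the OCI provider) that performs exactly those checks with Python's standard ipaddress module; the values VCN_CIDR_BLOCKS and SUBNET_CIDRS are copied from the tutorial's variables.tf, and the function names are my own.

```python
import ipaddress

# Values from the tutorial's variables.tf (var.cidrblockz and var.cidrsubnet)
VCN_CIDR_BLOCKS = ["10.0.0.0/16"]
SUBNET_CIDRS = ["10.0.1.0/24"]


def check_vcn_cidrs(cidr_blocks):
    """Problems with the VCN's cidr_blocks list; an empty list means it is valid.

    OCI accepts IPv4 VCN CIDRs with a prefix length between /16 and /30, and the
    blocks of one VCN must not overlap each other.
    """
    problems, nets = [], []
    for cidr in cidr_blocks:
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # host bits must be zero
        except ValueError as err:
            problems.append(f"{cidr}: not a valid CIDR block ({err})")
            continue
        if net.version != 4:
            problems.append(f"{cidr}: VCN CIDR block must be IPv4")
            continue
        if not 16 <= net.prefixlen <= 30:
            problems.append(f"{cidr}: prefix length must be between /16 and /30")
        problems += [f"{cidr} overlaps {other}" for other in nets if net.overlaps(other)]
        nets.append(net)
    return problems


def check_subnets(vcn_cidr_blocks, subnet_cidrs):
    """Each subnet must lie entirely inside one VCN block, and subnets must not overlap."""
    vcn_nets = [ipaddress.ip_network(c) for c in vcn_cidr_blocks]
    problems, seen = [], []
    for cidr in subnet_cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as err:
            problems.append(f"{cidr}: not a valid CIDR block ({err})")
            continue
        inside = any(net.version == vcn.version and net.subnet_of(vcn) for vcn in vcn_nets)
        if not inside:
            problems.append(f"{cidr}: not inside any VCN block {vcn_cidr_blocks}")
        problems += [f"{cidr} overlaps subnet {other}" for other in seen if net.overlaps(other)]
        seen.append(net)
    return problems


if __name__ == "__main__":
    found = check_vcn_cidrs(VCN_CIDR_BLOCKS) + check_subnets(VCN_CIDR_BLOCKS, SUBNET_CIDRS)
    for problem in found:
        print("PROBLEM:", problem)
    if not found:
        print("VCN and subnet CIDRs are consistent")
```

Run it before "terraform apply" whenever you change cidrblockz or cidrsubnet; a subnet outside the VCN range or an overlapping pair is rejected by OCI anyway, but catching it locally saves a failed apply.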

We obviously need a file in which to define our subnet resource:

root@deploymentmachine:/home/terra/vcn_public# more subnet.tf

resource "oci_core_subnet" "WildTestSubnet" {
  cidr_block = var.cidrsubnet
  compartment_id = var.compartment_ocid
  vcn_id = oci_core_virtual_network.WildTestVCN.id

  display_name = "WildTestSubnet"
}

My working directory has the following files now:

root@deploymentmachine:/home/terra/vcn_public# tree -I *tfstate
.
├── provider.tf
├── subnet.tf
├── variables.tf
└── vcn.tf

0 directories, 4 files

Run the command "terraform refresh" ...

root@deploymentmachine:/home/terra/vcn_public#  terraform refresh
oci_core_virtual_network.WildTestVCN: Refreshing state... [id=ocid1.vcn.oc1.eu-frankfurt-1.amaaaaaafakefakefakefakeidoverhere1231232]

... then, run "terraform plan" to see the changes that are about to be implemented

... and of course, make changes with "terraform apply"

root@deploymentmachine:/home/terra/vcn_public#  terraform apply

[ ......... snip ............]

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

oci_core_subnet.WildTestSubnet: Creating...
oci_core_subnet.WildTestSubnet: Creation complete after 1s [id=ocid1.subnet.oc1.eu-frankfurt-1.aaaaaaaahahahahafakeid12334324342]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
root@deploymentmachine:/home/terra/vcn_public#

And let's check in the Cloud:

3. Public Subnet, Security List and Internet Gateway

3.1 Create the internet gateway

The content of int_gateway.tf:

root@deploymentmachine:/home/terra/vcn_public#  more int_gateway.tf

resource "oci_core_internet_gateway" "WildTestInternetGateway" {
  compartment_id = var.compartment_ocid
  display_name = "WildTestInternetGateway"
  vcn_id = oci_core_virtual_network.WildTestVCN.id
}

3.2 Create the Security Rules (Security List)

Before creating the Terraform file for the security rules, we need to modify the variables.tf file accordingly, adding:

  • the range of IP addresses from which traffic can be accepted ("10.0.0.0/16" for ingress)

  • the TCP ports on which traffic is allowed (22 and 8666; feel free to add any other port above 1024)

root@deploymentmachine:/home/terra/vcn_public# more variables.tf

variable "compartment_ocid" {
  default = "ocid1.tenancy.oc1..aaaaaaaafakerootcompartmentidhuehuehue12324"
}

#for vcn block

variable "cidrblockz" {
  type = list(string)
  default = ["10.0.0.0/16"]
}

#for subnet

variable "cidrsubnet" {
  default = "10.0.1.0/24"
}

# for ingress source

variable "cidr_ingress" {
  default = "10.0.0.0/16"
}

# for security list

variable "portz" {
  default = [22, 8666]
}

The content of the Terraform file for the Security List (egress and ingress rules). Note that the ports are written literally in this file; the portz variable defined above is not referenced by it, and only the last ingress rule uses cidr_ingress.

root@deploymentmachine:/home/terra/vcn_public# more security_list.tf
resource "oci_core_security_list" "WildTestSecurityList" {
  compartment_id = var.compartment_ocid
  display_name = "WildTestSecurityList"
  vcn_id = oci_core_virtual_network.WildTestVCN.id

  # egress: all TCP traffic (protocol "6") to any destination
  egress_security_rules {
    stateless = false
    protocol = "6"
    destination = "0.0.0.0/0"
  }

  # ingress: TCP port 22 (ssh) from any source
  ingress_security_rules {
    protocol = "6"
    source = "0.0.0.0/0"
    stateless = false

    tcp_options {
      max = 22
      min = 22
    }
  }

  # ingress: TCP port 8666 from any source
  ingress_security_rules {
    protocol = "6"
    source = "0.0.0.0/0"
    stateless = false

    tcp_options {
      max = 8666
      min = 8666
    }
  }

  # ingress: all TCP ports, but only from the VCN range (var.cidr_ingress)
  ingress_security_rules {
    stateless = false
    protocol = "6"
    source = var.cidr_ingress
  }
}

root@deploymentmachine:/home/terra/vcn_public#
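
Two of the ingress rules above accept traffic from 0.0.0.0/0, so after "terraform apply" it is useful to confirm what actually ended up in the state rather than trusting the .tf file. The script below is an added example (not part of the tutorial or of the OCI provider): it reads the JSON that "terraform show -json" prints, finds every oci_core_security_list, and reports ingress rules that open administrative ports, or all ports, to the whole internet. SAMPLE_STATE is a constructed, trimmed copy of how the state for WildTestSecurityList looks in that JSON; the port list (22 from the tutorial, 3389 as an added assumption for Windows hosts), the function names and the file name audit_seclist.py are my own.

```python
import json
import sys

# Constructed sample, shaped like the output of `terraform show -json` for the
# tutorial's state after step 3 (only the fields the audit looks at are kept).
SAMPLE_STATE = json.dumps({
    "format_version": "1.0",
    "values": {"root_module": {"resources": [{
        "address": "oci_core_security_list.WildTestSecurityList",
        "type": "oci_core_security_list",
        "name": "WildTestSecurityList",
        "values": {
            "display_name": "WildTestSecurityList",
            "egress_security_rules": [
                {"protocol": "6", "destination": "0.0.0.0/0", "stateless": False}],
            "ingress_security_rules": [
                {"protocol": "6", "source": "0.0.0.0/0", "stateless": False,
                 "tcp_options": [{"min": 22, "max": 22}]},
                {"protocol": "6", "source": "0.0.0.0/0", "stateless": False,
                 "tcp_options": [{"min": 8666, "max": 8666}]},
                {"protocol": "6", "source": "10.0.0.0/16", "stateless": False,
                 "tcp_options": []},
            ],
        },
    }]}},
})

# Ports that should never be reachable from 0.0.0.0/0 (22 is in the tutorial's
# port list; 3389 is an added assumption for Windows hosts).
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}
ANY = "0.0.0.0/0"


def port_range(rule):
    """Destination port range of a rule; no tcp/udp options means all ports."""
    opts = rule.get("tcp_options") or rule.get("udp_options") or []
    if not opts:
        return 1, 65535
    return opts[0].get("min") or 1, opts[0].get("max") or 65535


def audit_security_lists(state_json):
    """Return human-readable findings for ingress rules open to the whole internet."""
    doc = json.loads(state_json)
    # `terraform show -json` on a state uses "values"; on a saved plan, "planned_values"
    root = (doc.get("values") or doc.get("planned_values") or {}).get("root_module", {})
    findings = []
    for res in root.get("resources", []):
        if res.get("type") != "oci_core_security_list":
            continue
        for rule in res.get("values", {}).get("ingress_security_rules", []):
            if rule.get("source") != ANY:
                continue  # rules scoped to a CIDR such as var.cidr_ingress are not world-open
            proto = str(rule.get("protocol", ""))
            lo, hi = port_range(rule)
            if proto == "all" or (proto in ("6", "17") and (lo, hi) == (1, 65535)):
                findings.append(f"{res['address']}: all ports open from {ANY}")
                continue
            if proto not in ("6", "17"):
                continue  # ICMP and other protocols carry no ports
            for port, name in ADMIN_PORTS.items():
                if lo <= port <= hi:
                    findings.append(f"{res['address']}: {name} ({port}) open from {ANY}")
    return findings


if __name__ == "__main__":
    # Pipe a real state in (`terraform show -json | python3 audit_seclist.py`);
    # with no input on stdin, the constructed sample is audited instead.
    data = SAMPLE_STATE if sys.stdin.isatty() else sys.stdin.read()
    for line in audit_security_lists(data) or ["no world-open ingress rules found"]:
        print(line)
```

On the tutorial's own rules the script reports only the port 22 rule: the port 8666 rule is world-open but not an administrative port, and the last rule is scoped to 10.0.0.0/16. If you do not need SSH from arbitrary addresses, pointing that rule's source at var.cidr_ingress (or your workstation's address) makes the finding disappear.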

My working directory contains the following files now:

root@deploymentmachine:/home/terra/vcn_public#   tree -I '*.tfstate|*.backup'
.
├── int_gateway.tf
├── provider.tf
├── security_list.tf
├── subnet.tf
├── variables.tf
└── vcn.tf

0 directories, 6 files

root@deploymentmachine:/home/terra/vcn_public# 

Run "terraform refresh" and "terraform plan" again:

root@deploymentmachine:/home/terra/vcn_public# terraform refresh
oci_core_virtual_network.WildTestVCN: Refreshing state... [id=ocid1.vcn.oc1.eu-frankfurt-1.aaaaaaafakewildtestvcnidhahaha42342]
oci_core_subnet.WildTestSubnet: Refreshing state... [id=ocid1.subnet.oc1.eu-frankfurt-1.aaaaaaaafakewildtestvcnidhahahasdsdd]

... and make the new changes with "terraform apply"

root@deploymentmachine:/home/terra/vcn_public#  terraform apply

[ ......... snip ............]

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

oci_core_internet_gateway.WildTestInternetGateway: Creating...
oci_core_security_list.WildTestSecurityList: Creating...
oci_core_internet_gateway.WildTestInternetGateway: Creation complete after 1s [id=ocid1.internetgateway.oc1.eu-frankfurt-1.aaaaaaaaaxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
oci_core_security_list.WildTestSecurityList: Creation complete after 1s [id=ocid1.securitylist.oc1.eu-frankfurt-1.aaaaaaaaayyyyyyyyyyyyyyyyyyyyyyyyy]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

And let's check again in our Cloud:

  • for the security list (ingress and egress):

  • for the internet gateway:

4. Route table

On the "Internet Gateway" page, notice that "Default Route Table" is set to "Default Route Table for WildTestVCN", and that there is only one Route Table resource:

Route tables direct the traffic; in our case, the instances will have public IPs that need to reach the internet directly, so the route table has to send "0.0.0.0/0" to the internet gateway.

Our route.tf file will have the following content:

root@deploymentmachine:/home/terra/vcn_public# more route.tf
resource "oci_core_route_table" "WildTestRouteTable" {
  compartment_id = var.compartment_ocid
  vcn_id = oci_core_virtual_network.WildTestVCN.id
  display_name = "WildTestRouteTable"

  route_rules {
    destination = "0.0.0.0/0"
    network_entity_id = oci_core_internet_gateway.WildTestInternetGateway.id
  }
}

The working directory now contains the following Terraform files:

root@deploymentmachine:/home/terra/vcn_public# tree -I '*.tfstate|*.backup'
.
├── int_gateway.tf
├── provider.tf
├── route.tf
├── security_list.tf
├── subnet.tf
├── variables.tf
└── vcn.tf

0 directories, 7 files

As usual: "terraform refresh", "terraform plan" and "terraform apply"

root@deploymentmachine:/home/terra/vcn_public# terraform refresh
oci_core_virtual_network.WildTestVCN: Refreshing state... [id=ocid1.vcn.oc1.eu-frankfurt-1.aaaaaaaaasdfsdfsdfsdfsdfgsdfgawfdfdfsdfsdfsdfsdfsdf454]
oci_core_subnet.WildTestSubnet: Refreshing state... [id=ocid1.subnet.oc1.eu-frankfurt-1.aaaaaaaaasdfsdfsdfsdfsdfgsdfgawfdfdfsdfsdfsdfsdfsdf454a5yfe5aq]
oci_core_security_list.WildTestSecurityList: Refreshing state... [id=ocid1.securitylist.oc1.eu-frankfurt-1.aaaaaaaaaaasdfsdfsdfsdfsdfgsdfgawfdfdfsdfsdfsdfsdfsdf454egnufq]
oci_core_internet_gateway.WildTestInternetGateway: Refreshing state... [id=ocid1.internetgateway.oc1.eu-frankfurt-1.aaaaaaaaasdfsdfsdfsdfsdfgsdfgawfdfdfsdfsdfsdfsdfsdf454p2ru6a]
root@deploymentmachine:/home/terra/vcn_public# 
root@deploymentmachine:/home/terra/vcn_public#  terraform apply


Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

oci_core_route_table.WildTestRouteTable: Creating...
oci_core_route_table.WildTestRouteTable: Creation complete after 1s [id=ocid1.routetable.oc1.eu-frankfurt-1.aaaaaaaaxyzkdfsdfsdfsdfsdfsdf123]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

And let's check in the Cloud if it has been created:

5. DHCP Options, DNS and, once again, Subnet

  • default choice: internet and vcn resolver

  • custom resolver

Our file dhcp_opt.tf will have the following content:

root@deploymentmachine:/home/terra/vcn_public# more dhcp_opt.tf

resource "oci_core_dhcp_options" "WildTestDHCPOptions" {

  compartment_id = var.compartment_ocid
  vcn_id = oci_core_virtual_network.WildTestVCN.id
  display_name = "WildTestDHCPOptions"

  options {
    type = "DomainNameServer"
    server_type = "VcnLocalPlusInternet"
  }

  options {
    type = "SearchDomain"
    search_domain_names = ["wildtest.com"]
  }

}

File subnet.tf will now look like this (the newly added lines are marked with comments):

root@deploymentmachine:/home/terra/vcn_public#  more subnet.tf
resource "oci_core_subnet" "WildTestSubnet" {
  cidr_block = var.cidrsubnet
  compartment_id = var.compartment_ocid
  vcn_id = oci_core_virtual_network.WildTestVCN.id

  display_name = "WildTestSubnet"

  # security list
  security_list_ids = [oci_core_security_list.WildTestSecurityList.id]

  # route table
  route_table_id = oci_core_route_table.WildTestRouteTable.id

  # dhcp
  dhcp_options_id = oci_core_dhcp_options.WildTestDHCPOptions.id

  # dns
  dns_label = "WildTest"
}

And file vcn.tf will have the following line added:

root@deploymentmachine:/home/terra/vcn_public#  more vcn.tf

resource "oci_core_virtual_network" "WildTestVCN" {
  cidr_blocks = var.cidrblockz
  compartment_id = var.compartment_ocid
  display_name = "WildTestVCN"

  # for dns

  dns_label = "WildTestVCN"
}

My working directory has the following files:

root@deploymentmachine:/home/terra/vcn_public# tree -I '*.tfstate|*.backup'
.
├── dhcp_opt.tf
├── int_gateway.tf
├── provider.tf
├── route.tf
├── security_list.tf
├── subnet.tf
├── variables.tf
└── vcn.tf

0 directories, 8 files

And, of course... "terraform refresh", "terraform plan", and "terraform apply". Note the resources destroyed in the output below: a dns_label cannot be changed on an existing VCN or subnet, so Terraform replaces them (and the resources that depend on them) instead of updating them in place.

root@deploymentmachine:/home/terra/vcn_public# terraform refresh
oci_core_virtual_network.WildTestVCN: Refreshing state... [id=ocid1.vcn.oc1.eu-frankfurt-1.aaaaaaaasdfsdfsdfsdfsdfdfsdfsdfsdfsdfsdf4545]
oci_core_internet_gateway.WildTestInternetGateway: Refreshing state... [id=ocid1.internetgateway.oc1.eu-frankfurt-1.aaaaaaaaasdfsdfsdfsdfsdfgsdfgawfdfdfsdfsdfsdfsdfsdf4545]
oci_core_security_list.WildTestSecurityList: Refreshing state... [id=ocid1.securitylist.oc1.eu-frankfurt-1.aaaaaasrrrqqqqqsdfsdfsdf4545]
oci_core_route_table.WildTestRouteTable: Refreshing state... [id=ocid1.routetable.oc1.eu-frankfurt-1.aaaaaaa34234234sdfsdfsdfsdfsdfsdf]
oci_core_subnet.WildTestSubnet: Refreshing state... [id=ocid1.subnet.oc1.eu-frankfurt-1.aaaaaaaxxxxxxw4534534ergdfgdfgf]
root@deploymentmachine:/home/terra/vcn_public#
root@deploymentmachine:/home/terra/vcn_public# terraform apply
[.................. snip ....................]

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes
  
[.................. snip ....................]

Apply complete! Resources: 6 added, 0 changed, 5 destroyed.

And let's check in the Cloud:

  • for DNS:

  • for DHCP:

6. Test your VCN

Let's create an instance in the OCI UI that will be deployed in the VCN we just created, and see if we can access it via ssh:

Provide the SSH keys (here, the workstation's SSH public key):

After the creation, log in via ssh, using the public IP:

7. Destroy VCN resources

Terminate the instance you created as a test, then destroy the VCN and its resources with "terraform destroy":

root@deploymentmachine:/home/terra/vcn_public# terraform destroy

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  - destroy

[ ............  snip  ............ ]

Destroy complete! Resources: 6 destroyed

For VCN creation, we will be using the Terraform OCI resource oci_core_vcn (the files in this tutorial use its older alias, oci_core_virtual_network).

To add a subnet to a VCN, you need to use the Terraform resource oci_core_subnet.

What does a Public Subnet imply? Access to the Internet, inbound and outbound. This means that my VCN requires an Internet Gateway if I want to reach the instances/services that I deploy inside the VCN directly from my workstation.

What else? This "public access" comes with a high price: I can't just leave my instances/services in plain sight, therefore I need to apply Security Lists (a virtual firewall) that control the traffic.

For internet gateway creation, we will be using the Terraform resource oci_core_internet_gateway. For this too, I will create another file, int_gateway.tf, under my working directory.

For security rules creation, we will be using the Terraform resource oci_core_security_list.

For the creation of the route table, we will use the Terraform resource oci_core_route_table.

You need the DHCP options to specify the DNS type of each instance.

In OCI, for DNS, you have two options: the default choice (Internet and VCN Resolver) or a custom resolver.

For creating the DHCP options we will use the Terraform resource oci_core_dhcp_options.