Part 2: Applying Security List to subnets in Oracle Cloud using Terraform

Abeer Alotaibi
4 min read · Jun 28, 2021

In the previous article (Part 1), Mohammed Binsabbar explained how to build a simple infrastructure in Oracle Cloud using Terraform. In Part 2, I’ll show you how to apply security lists with ingress and egress rules that specify the types of traffic allowed into and out of the infrastructure you created there.

Note: All modules used in this article and the upcoming parts can be found here.

As an outcome of the previous article, you should have a VCN with two subnets. By default, each VCN comes with a default security list, so we need to define custom security lists for our subnets. The full code used in this article can be found here.

Using the security list module

Let’s add a security-list module section to the same main.tf file used in Part 1, as below:

module "security_lists" {
  source         = "github.com/Binsabbar/oracle-cloud-terraform//modules/security-list?ref=v1.0"
  vcn_id         = module.network.vcn.id
  compartment_id = var.tenancy_ocid
  security_lists = local.security_lists
}

The module requires some variables declared in variables.tf; it expects the following inputs:

  • vcn_id: virtual cloud network ID.
  • compartment_id: we will use the root compartment ID.
  • security_lists: map of egress and ingress objects that contains rules.

variable "vcn_id" { type = string }
variable "compartment_id" { type = string }
variable "security_lists" {
  type = map(object({
    egress_rules = map(object({
      protocol    = number
      ports       = object({ min : number, max : number })
      destination = string
      optionals   = map(any)
    }))
    ingress_rules = map(object({
      protocol  = number
      ports     = object({ min : number, max : number })
      source    = string
      optionals = map(any)
    }))
  }))
}

Using the above variables, we will create our security lists and define the rules in security-list.tf:

locals {
  // IANA protocol numbers used by the rules below
  protocols = {
    icmp = 1
    tcp  = 6
  }
  security_lists = {
    // public subnet security rules
    "public_subnets" = {
      ingress_rules = {
        "lb8081" = {
          ports     = { min : 8081, max : 8081 }
          source    = "0.0.0.0/0"
          protocol  = local.protocols.tcp
          optionals = {}
        }
        "lb8080" = {
          ports     = { min : 8080, max : 8080 }
          source    = "0.0.0.0/0"
          protocol  = local.protocols.tcp
          optionals = {}
        }
      }
      // egress is limited to the private subnet's CIDR
      egress_rules = {
        "lb-http-port" = {
          ports       = { min : 8082, max : 8082 }
          destination = "192.168.1.0/24"
          protocol    = local.protocols.tcp
          optionals   = {}
        }
        "lb-http-redirector-port" = {
          ports       = { min : 8083, max : 8083 }
          destination = "192.168.1.0/24"
          protocol    = local.protocols.tcp
          optionals   = {}
        }
      }
    }
    // private subnet security lists
    "private_subnets" = {
      ingress_rules = {
        "http" = {
          ports     = { min : 8082, max : 8082 }
          source    = "0.0.0.0/0"
          protocol  = local.protocols.tcp
          optionals = {}
        }
        "https" = {
          ports     = { min : 1443, max : 1443 }
          source    = "0.0.0.0/0"
          protocol  = local.protocols.tcp
          optionals = {}
        }
        "http-redirector" = {
          ports     = { min : 8083, max : 8083 }
          source    = "0.0.0.0/0"
          protocol  = local.protocols.tcp
          optionals = {}
        }
      }
      egress_rules = {}
    }
  }
}

Run terraform init to download the module.

[Image: Download security-list module]

After downloading the module, let’s run terraform plan to review the execution plan before we apply.

[Image: plan output, two security lists will be added]
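Before applying, the plan can also be checked mechanically for rules that accept traffic from any address. The Python below is an added example, not code from this article or from the module it uses: it walks `terraform show -json tfplan` output for oci_core_security_list resources and reports world-open ingress on any list not named as deliberately internet-facing. The plan data is constructed to mirror the rules above and assumes the module sets each list's display_name to its map key.

```python
# Policy check over `terraform show -json tfplan`: flag ingress rules that admit any source on lists not meant to be internet-facing.
WORLD_SOURCES = ("0.0.0.0/0", "::/0")

def iter_resources(module):
    """Yield every resource in a planned_values module tree, recursing into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def port_range(rule):
    """(min, max) of the TCP/UDP destination port range, or None when the rule covers all ports."""
    for key in ("tcp_options", "udp_options"):
        for opt in rule.get(key) or []:
            for rng in opt.get("destination_port_range") or []:
                return rng["min"], rng["max"]
    return None

def world_open_ingress(plan, internet_facing=frozenset()):
    """Return (list_name, source, ports) for each world-open ingress rule on a security
    list whose display_name is not in internet_facing."""
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res["type"] != "oci_core_security_list":
            continue
        name = res["values"]["display_name"]
        if name in internet_facing:
            continue
        for rule in res["values"].get("ingress_security_rules", []):
            if rule["source"] in WORLD_SOURCES:
                findings.append((name, rule["source"], port_range(rule)))
    return findings

def tcp_rule(source, port):
    """One ingress rule in the shape the OCI provider emits in plan JSON (constructed)."""
    return {"protocol": "6", "source": source,
            "tcp_options": [{"destination_port_range": [{"min": port, "max": port}]}]}

# Constructed plan mirroring the rules in security-list.tf above; it assumes the module
# sets each list's display_name to its map key. Not real terraform output.
SAMPLE_PLAN = {"planned_values": {"root_module": {"child_modules": [{
    "address": "module.security_lists", "resources": [
        {"type": "oci_core_security_list", "values": {"display_name": "public_subnets",
         "ingress_security_rules": [tcp_rule("0.0.0.0/0", 8081), tcp_rule("0.0.0.0/0", 8080)]}},
        {"type": "oci_core_security_list", "values": {"display_name": "private_subnets",
         "ingress_security_rules": [tcp_rule("0.0.0.0/0", 8082), tcp_rule("0.0.0.0/0", 1443),
                                    tcp_rule("0.0.0.0/0", 8083)]}}]}]}}}

if __name__ == "__main__":
    for name, src, ports in world_open_ingress(SAMPLE_PLAN, internet_facing={"public_subnets"}):
        print(f"{name}: ingress from {src} on ports {ports}")
```

Run against the rules above with public_subnets allow-listed, it reports the three private_subnets rules (8082, 1443, 8083) as reachable from 0.0.0.0/0, which is worth confirming is intended given that the public subnet's egress only targets 192.168.1.0/24.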

Run terraform apply -auto-approve to create the security lists. Here is a snippet from the terminal output when the apply has completed:

[Image: security-lists applied]

Check the security lists in the Oracle Cloud console; as you can see, two lists have been created, public_subnets and private_subnets.

[Image: Security lists]

View the ingress/egress rules under each security list.

[Image: ingress rules on private subnet]
[Image: egress rules on public subnet]

Lastly, we need to assign the security lists to our previously created subnets by adding security_list_ids to each subnet definition:

private_subnets = {
  "private1" = {
    cidr_block        = "192.168.1.0/24"
    security_list_ids = [module.security_lists.ids.private_subnets]
    optionals         = {}
  }
}
public_subnets = {
  "public1" = {
    cidr_block        = "192.168.2.0/24"
    security_list_ids = [module.security_lists.ids.public_subnets]
    optionals         = {}
  }
}

Running terraform apply -auto-approve again will associate our subnets with the desired security lists.

Checking the OCI dashboard, you can see that your subnets now have security lists associated with them.

[Image: subnet1]
[Image: subnet2]

ℹ️ Please, come back to check Part 3 of this series with Mohammed Binsabbar.

Thank You! 🌸
