Provision, Configure, and Remove Resources

Use Terraform to deploy, change, and remove your resources in the cloud efficiently.

About Terraform State Files

Terraform stores state information to track your managed infrastructure resources, map the deployed resources to your configuration, track metadata, and improve performance for large infrastructure deployments.

By default, the terraform.tfstate file is stored on the local host. This default is not suitable for IT environments where multiple users need to create and destroy the resources that are defined in a given configuration. To coordinate the deployment and management of resources in a multi-user environment, store the Terraform state files in Oracle Cloud Infrastructure Object Storage, and share the state files and lock files among all the users.

See Using the Object Store for Terraform State Files.
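Before a state file is shared, two local checks are worth running, because terraform output masks sensitive outputs as <sensitive> while the state file stores their values in clear text. The following shell script is an added example and is not part of the Oracle solution: the sample terraform.tfstate it writes is constructed for illustration (its output names mirror the terraform output shown later on this page), and the function names write_sample_state, state_world_readable, sensitive_output_count and check_state are assumptions. For state kept in a remote backend, terraform state pull returns the same JSON, so sensitive_output_count can be applied to that output as well.

```shell
#!/bin/sh
# Added example (not the Oracle solution's code): local hygiene checks for a
# terraform.tfstate file before it is shared with other users.
set -eu

# write_sample_state FILE -> writes a minimal, constructed state file in the
# JSON layout Terraform uses ("outputs" carry a "sensitive": true marker).
write_sample_state() {
  cat > "$1" <<'EOF'
{
  "version": 4,
  "terraform_version": "1.5.0",
  "outputs": {
    "bastion_public_ip": { "value": "203.0.113.101", "type": "string" },
    "ocirtoken": { "value": "constructed-token-value", "type": "string", "sensitive": true }
  },
  "resources": []
}
EOF
}

# state_world_readable FILE -> exit 0 if "others" can read FILE
state_world_readable() {
  [ -n "$(find "$1" -perm -004)" ]
}

# sensitive_output_count FILE -> prints how many outputs the state marks as
# sensitive; their values sit in the file in clear text regardless.
sensitive_output_count() {
  grep -c '"sensitive":[[:space:]]*true' "$1" || true
}

# check_state FILE -> reports findings; returns 1 if FILE is world-readable
check_state() {
  f=$1
  n=$(sensitive_output_count "$f")
  echo "$f: $n sensitive output(s) stored in clear text"
  if state_world_readable "$f"; then
    echo "$f: world-readable; run: chmod 600 $f" >&2
    return 1
  fi
  echo "$f: permissions ok"
}

# Demo on the constructed sample: first with loose permissions, then fixed.
demo() {
  f=$(mktemp 2>/dev/null || echo ./sample.tfstate)
  write_sample_state "$f"
  chmod 644 "$f"
  check_state "$f" || true
  chmod 600 "$f"
  check_state "$f"
  rm -f "$f"
}

demo
```

Run it as sh state-check.sh; the first check_state call reports the world-readable file and the second passes after chmod 600. The same two functions can be pointed at a real terraform.tfstate path instead of the sample.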

Create the Resources

After you set the variables in the terraform.tfvars file, use the Terraform CLI to deploy the resources that are defined in the Terraform configuration.

Before you begin, ensure that your local machine has internet access. If your local machine is behind a firewall, use an appropriate proxy to allow Terraform to reach the internet.
  1. On the computer where you installed Terraform, go to the directory that contains the terraform.tfvars file.
  2. Initialize Terraform by running the following command:
    terraform init
    The command downloads the oci provider plugin and sets up the directory for use by Terraform.
  3. Verify that the syntax of the configuration has no errors:
    terraform validate
  4. If a syntax error exists, then fix the error, and repeat the previous step.
    To debug problems, you can configure logging:
    • Set the log level by using the TF_LOG environment variable. The supported log levels are TRACE, DEBUG, INFO, WARN, or ERROR. The TRACE level is the most verbose.
    • Set the log file path by using the TF_LOG_PATH environment variable.
  5. Review the resources defined in the configuration.
    terraform plan
    The output shows the details of all the actions that Terraform will perform when you apply this configuration, followed by a summary, as shown in the following example.
    Plan: 8 to add, 0 to change, 0 to destroy.

    Note:

    The number 8 in the message is an example. The actual number depends on the settings that you defined in your Terraform configuration.
  6. If you want to make any changes, edit the configuration, validate it, and review the revised plan.
  7. Create the resources:
    terraform apply
  8. At the prompt Do you want to perform these actions?, enter yes.
    As Terraform creates each resource, it displays the status of the operation.

    When all the resources are created, the message Apply complete is displayed, along with the number of resources added, changed, and destroyed, as shown in the following example.

Apply complete! Resources: 33 added, 0 changed, 0 destroyed.

Outputs:

admin_private_ip = 10.0.1.10
bastion_public_ip = 203.0.113.101
kubeconfig = export KUBECONFIG=generated/kubeconfig
ocirtoken = <sensitive>
ssh_to_admin = ssh -i /home/joe/.ssh/id_rsa -J opc@203.0.113.101 opc@10.0.1.10
ssh_to_bastion = ssh -i /home/joe/.ssh/id_rsa opc@203.0.113.101
  • The kubeconfig output displays the command that you can use to set the KUBECONFIG environment variable on your local host. Run this command if you want to use the kubectl CLI from your local host to manage the Kubernetes cluster. The command sets KUBECONFIG to the file generated/kubeconfig, which Terraform creates while applying the configuration.
  • The ssh_to_admin output displays the ssh command that you can use to connect to the admin host.
  • The ssh_to_bastion output displays the ssh command that you can use to connect to the bastion host.

Note:

You can view this Terraform output at any time by running the command terraform output.
Your Kubernetes topology in Oracle Cloud is ready. You can now deploy containerized applications.
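Steps 2 through 8 above can be run as one non-interactive script that saves the plan to a file, applies exactly the plan that was reviewed, and refuses to proceed if that plan would destroy anything unless the operator explicitly allows it. The script below is an added example, not part of the Oracle solution's Terraform code; it invokes only the terraform commands the steps use, plus terraform show and terraform output -raw. The names PLAN_FILE, LOG_DIR, ALLOW_DESTROY, plan_count and deploy are assumptions. A saved plan file embeds the values of all variables, sensitive ones included, which is why the script deletes it once it has been applied.

```shell
#!/bin/sh
# Added example (not the Oracle solution's code): non-interactive wrapper for
# terraform init / validate / plan / apply with a destroy guard.
set -eu

PLAN_FILE="${PLAN_FILE:-tfplan}"        # saved plan that apply will execute
LOG_DIR="${LOG_DIR:-./tf-logs}"         # directory that TF_LOG_PATH points into
ALLOW_DESTROY="${ALLOW_DESTROY:-0}"     # set to 1 to permit a plan that destroys resources

# plan_count LINE KIND -> prints the number the summary line reports for KIND
# (add | change | destroy), e.g. plan_count "Plan: 8 to add, 0 to change, 0 to destroy." add
# prints 8.  Prints 0 and returns 1 if LINE is not a "Plan:" summary.
plan_count() {
  line=$1; kind=$2
  n=$(printf '%s\n' "$line" | sed -n "s/.*[^0-9]\([0-9][0-9]*\) to $kind.*/\1/p")
  [ -n "$n" ] || { printf '0\n'; return 1; }
  printf '%s\n' "$n"
}

# deploy -> runs steps 2-8 of the procedure without interactive prompts
deploy() {
  mkdir -p "$LOG_DIR"
  # Step 4's debugging hooks: honour TF_LOG if the caller set it, and give each
  # run its own TF_LOG_PATH file.
  if [ -n "${TF_LOG:-}" ]; then
    export TF_LOG_PATH="$LOG_DIR/terraform-$(date +%Y%m%d%H%M%S).log"
  fi
  terraform init -input=false                      # step 2: download the oci provider
  terraform validate                               # step 3: syntax check
  terraform plan -input=false -out="$PLAN_FILE"    # step 5: plan saved for review
  summary=$(terraform show -no-color "$PLAN_FILE" | grep -E '^Plan:' || true)
  if [ -z "$summary" ]; then
    echo "plan contains no changes; nothing to apply"
    rm -f "$PLAN_FILE"
    return 0
  fi
  echo "$summary"
  destroys=$(plan_count "$summary" destroy)
  if [ "$destroys" -gt 0 ] && [ "$ALLOW_DESTROY" != 1 ]; then
    echo "refusing to apply: plan destroys $destroys resource(s); set ALLOW_DESTROY=1 to override" >&2
    rm -f "$PLAN_FILE"
    return 1
  fi
  terraform apply -input=false "$PLAN_FILE"        # steps 7-8: apply the reviewed plan, no yes/no prompt
  rm -f "$PLAN_FILE"                               # plan files hold variable values in clear text
  # The kubeconfig output is the export command the text tells you to run.
  eval "$(terraform output -raw kubeconfig)"
  echo "KUBECONFIG=$KUBECONFIG"
  echo "bastion: $(terraform output -raw ssh_to_bastion)"
}

# Run the workflow only when invoked as: sh deploy.sh run
if [ "${1:-}" = run ]; then deploy; fi
```

Invoke it from the directory that holds terraform.tfvars as sh deploy.sh run; set TF_LOG=DEBUG in the environment to enable the log file described in step 4.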

Allow the Admin Host to Manage Resources

To allow the admin host to manage resources in the compartment, you can designate it as an instance principal. Use this feature if you intend to run CLI commands or make API calls from the admin host to manage resources in the topology.

A compute instance that's designated as an instance principal gets its own unique identity. It can authenticate using certificates that are created and assigned automatically to the instance. The certificates are rotated periodically. You don't need to distribute credentials to your admin host or rotate them.

Note:

Any user who can connect to a compute instance using SSH inherits the instance-principal privileges granted to the instance. Consider this when deciding whether to designate the admin host as an instance principal. You can turn this feature off or on at any time without any impact on the admin host.
  • To designate the admin host as an instance principal, set the following in terraform.tfvars, and then run terraform apply.

    admin_instance_principal = true

    The admin host is made a member of a dynamic group, and a policy statement is created to allow the dynamic group to manage all the resources in the compartment.

  • To withdraw the instance principal privileges from the admin host, set the following in terraform.tfvars, and then run terraform apply.

    admin_instance_principal = false

Enable or Disable Notifications for the Bastion Host

You can use the Oracle Cloud Infrastructure Notification service to receive status messages from the bastion host when updates are applied or when Oracle Ksplice detects a known exploit attempt.

Note:

The Terraform code in this solution configures notifications only when you use the default Oracle Autonomous Linux image.
  • To enable the notifications for the bastion host, set the following variables in terraform.tfvars:

    bastion_notification_enabled = true
    bastion_notification_endpoint = "email_address"
    bastion_notification_protocol = "EMAIL"
    bastion_notification_topic = "topic_name"

    Here's an example of terraform.tfvars with the notification-related variables defined.

    bastion_notification_enabled = true
    bastion_notification_endpoint = "joe@example.com"
    bastion_notification_protocol = "EMAIL"
    bastion_notification_topic = "bastion"
  • If the bastion host has already been created and you want to enable notifications now, then set these variables, and run terraform apply again.
    • The required policies are defined to allow the bastion host to publish notifications.
    • A notification topic is created, and the email address that you specified is subscribed to the topic.
    • The bastion host is configured to send notifications.

    After the resources are created, you’ll receive an email prompting you to confirm the subscription.

  • To disable notifications, set the following in terraform.tfvars, and run terraform apply.

    bastion_notification_enabled = false
    admin_notification_enabled = false

Remove All the Resources

  1. On the computer where you installed Terraform, go to the directory that contains the terraform.tfvars file.
  2. Enter the following command:
    terraform destroy
    Terraform displays the details of the resources that will be destroyed, as shown in this example:
    Plan: 0 to add, 0 to change, 12 to destroy.
  3. At the prompt Do you really want to destroy all resources?, enter yes.
    As Terraform removes each resource, it displays the status of the operation.
    After all the resources are removed, the message Destroy complete is displayed, along with the number of resources destroyed, as shown in the following example:
    Destroy complete! Resources: 12 destroyed.
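The removal can also be run from a saved, reviewed destroy plan instead of an interactive yes, with a check that the plan really only deletes resources and a check afterwards that nothing remains tracked in state. The following script is an added example and not part of the Oracle solution's code; it uses terraform plan -destroy, terraform show -json, terraform apply with a plan file and terraform state list. The names DESTROY_PLAN, plan_only_deletes, resources_remaining and teardown are assumptions, and the JSON fragments used to exercise plan_only_deletes are constructed in the shape terraform show -json produces.

```shell
#!/bin/sh
# Added example (not the Oracle solution's code): remove all resources from a
# reviewed destroy plan and confirm the state is empty afterwards.
set -eu

DESTROY_PLAN="${DESTROY_PLAN:-destroy.tfplan}"

# plan_only_deletes JSON -> exit 0 if every resource change in the JSON plan
# (as printed by 'terraform show -json PLANFILE') is a delete or no-op, i.e.
# the plan would not create, update or replace anything.
plan_only_deletes() {
  ! printf '%s\n' "$1" | grep -Eq '"actions":[[:space:]]*\[[^]]*"(create|update)"'
}

# resources_remaining -> prints the number of resources still tracked in state
resources_remaining() {
  terraform state list 2>/dev/null | grep -c . || true
}

# teardown -> steps 2 and 3 of the procedure without the interactive prompt
teardown() {
  terraform plan -destroy -input=false -out="$DESTROY_PLAN"   # step 2, saved for review
  plan_json=$(terraform show -json "$DESTROY_PLAN")
  if ! plan_only_deletes "$plan_json"; then
    echo "refusing: destroy plan would also create or update resources; review with: terraform show $DESTROY_PLAN" >&2
    return 1
  fi
  terraform apply -input=false "$DESTROY_PLAN"                 # step 3, applies the reviewed plan
  rm -f "$DESTROY_PLAN"
  left=$(resources_remaining)
  if [ "$left" -ne 0 ]; then
    echo "$left resource(s) still tracked in state; inspect with: terraform state list" >&2
    return 1
  fi
  echo "all resources removed"
}

# Run only when invoked as: sh teardown.sh run
if [ "${1:-}" = run ]; then teardown; fi
```

Run it as sh teardown.sh run from the directory that contains terraform.tfvars. A destroy plan that also contains create or update actions usually means the configuration or variables changed since the last apply, which is worth understanding before anything is removed.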