Provision, Configure, and Remove Resources
Use Terraform to deploy, change, and remove your resources in the cloud efficiently.
About Terraform State Files
Terraform stores state information to track your managed infrastructure resources, map the deployed resources to your configuration, track metadata, and improve performance for large infrastructure deployments.
By default, the terraform.tfstate file is stored on the local host. This default behavior is not optimal in IT environments where multiple users need to create and destroy the resources that are defined in a given configuration. To control deploying and managing resources in a multi-user environment, store the Terraform state files in Oracle Cloud Infrastructure Object Storage, and share the state files and lock files between all the users.
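As an added example (not code from this solution), the following backend block keeps the state in an Object Storage bucket through its Amazon S3 Compatibility API. The bucket name, namespace and region are placeholders, and authentication is assumed to use a customer secret key stored in a shared credentials file.

```hcl
# Added example: remote Terraform state in Oracle Cloud Infrastructure
# Object Storage via the S3 Compatibility API. Bucket, namespace and
# region are placeholders; the bucket must already exist.
terraform {
  backend "s3" {
    bucket = "terraform-state"        # private bucket (placeholder name)
    key    = "oke/terraform.tfstate"  # object name for this deployment's state
    region = "us-phoenix-1"           # placeholder region

    # S3-compatible endpoint for the tenancy's Object Storage namespace.
    endpoint = "https://<namespace>.compat.objectstorage.us-phoenix-1.oraclecloud.com"

    # Assumption: a customer secret key (access key + secret) created for
    # an OCI user is stored in this file under the default profile.
    shared_credentials_file = "~/.aws/credentials"

    # Object Storage is not AWS, so skip the AWS-specific checks.
    skip_region_validation      = true
    skip_credentials_validation = true
    skip_metadata_api_check     = true
    force_path_style            = true
  }
}
# The state holds every resource attribute in plain text, including values
# that outputs mark <sensitive>, so restrict bucket access to the users who
# run terraform apply and enable versioning on the bucket to keep history.
```

Terraform 1.6 and later renames several of these arguments (endpoint moves under an endpoints block, shared_credentials_file becomes shared_credentials_files, force_path_style becomes use_path_style), so check the S3 backend documentation for your version. The backend's DynamoDB-based state locking has no equivalent on Object Storage, so concurrent applies must be prevented by agreement or by the bucket's IAM policy rather than by a lock.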
Create the Resources
After you set the variables in the terraform.tfvars file, use the Terraform CLI to deploy the resources defined in the Terraform configuration.
Apply complete! Resources: 33 added, 0 changed, 0 destroyed.
Outputs:
admin_private_ip = 10.0.1.10
bastion_public_ip = 203.0.113.101
kubeconfig = export KUBECONFIG=generated/kubeconfig
ocirtoken = <sensitive>
ssh_to_admin = ssh -i /home/joe/.ssh/id_rsa -J opc@203.0.113.101 opc@10.0.1.10
ssh_to_bastion = ssh -i /home/joe/.ssh/id_rsa opc@203.0.113.101
- The kubeconfig output displays the command that you can use to set the KUBECONFIG environment variable on your local host. Run this command if you want to use the kubectl CLI from your local host to manage the Kubernetes cluster. The command sets KUBECONFIG to the file generated/kubeconfig, which Terraform creates while applying the configuration.
- The ssh_to_admin output displays the ssh command that you can use to connect to the admin host.
- The ssh_to_bastion output displays the ssh command that you can use to connect to the bastion host.
Note:
You can view this Terraform output at any time by running the command terraform output.
Allow the Admin Host to Manage Resources
To allow the admin host to manage resources in the compartment, you can designate it as an instance principal. Use this feature if you intend to run CLI commands or make API calls from the admin host to manage resources in the topology.
Note:
Any user who can connect to a compute instance using SSH inherits the instance-principal privileges granted to the instance. Consider this when deciding whether to designate the admin host as an instance principal. You can turn this feature off or on at any time without any impact on the admin host.
- To designate the admin host as an instance principal, set the following in terraform.tfvars, and then run terraform apply.
  admin_instance_principal = true
  The admin host is made a member of a dynamic group, and a policy statement is created to allow the dynamic group to manage all the resources in the compartment.
- To withdraw the instance principal privileges from the admin host, set the following in terraform.tfvars, and then run terraform apply.
  admin_instance_principal = false
Enable or Disable Notifications for the Bastion Host
You can use the Oracle Cloud Infrastructure Notification service to receive status messages from the bastion host when updates are applied or when Oracle Ksplice detects a known exploit attempt.
Note:
The Terraform code in this solution configures notifications only when you use the default Oracle Autonomous Linux image.
- To enable the notifications for the bastion host, set the following variables in terraform.tfvars:
  bastion_notification_enabled = true
  bastion_notification_endpoint = "email_address"
  bastion_notification_protocol = "EMAIL"
  bastion_notification_topic = "topic_name"
  Here's an example of terraform.tfvars with the notification-related variables defined.
  bastion_notification_enabled = true
  bastion_notification_endpoint = "joe@example.com"
  bastion_notification_protocol = "EMAIL"
  bastion_notification_topic = "bastion"
- If the bastion host has already been created and you want to enable notifications now, then set these variables, and run terraform apply again.
  - The required policies are defined to allow the bastion host to publish notifications.
  - A notification topic is created, and the email address that you specified is subscribed to the topic.
  - The bastion host is configured to send notifications.
  After the resources are created, you'll receive an email prompting you to confirm the subscription.
- To disable notifications, set the following in terraform.tfvars, and run terraform apply.
  bastion_notification_enabled = false
  admin_notification_enabled = false