Configure the Terraform Modules

The networking resources necessary to host single-tenant SaaS applications on Oracle Cloud are defined in Terraform modules. Download the modules and set the required variables.

Download the Terraform Code

The Terraform code for this solution is available on GitHub.

  1. In the navigation pane on the left, click Download Code.
  2. Click Git Repo.
  3. Clone or download the repository to your local computer.

About the Terraform Code

The Terraform code for this solution is organized into several modules, each containing the resources for a specific component of the target topology.

The Terraform code contains the following directories and files at the top level:
  • chef: This directory contains the Chef recipes for installing and configuring the routing gateways.
  • examples: This directory contains the Terraform code required to implement this solution. The code in this directory uses the modules defined in the modules directory.
  • LICENSE.txt: This file contains the license terms and conditions for the sample code.
  • modules: This directory contains the Terraform modules that provide the building blocks for the solution.
  • README.md: This file provides a brief description of the code and basic instructions to use the code.
  • test: This directory contains test scripts that you can use to verify the deployment.
The examples/full-deployment directory contains the code that calls the Terraform modules required for this solution. It contains the following subdirectories and files:
examples/full-deployment
├── common
│   ├── compartments
│   └── configuration
├── Makefile
├── management
│   ├── access
│   ├── network
│   ├── server_attachment
│   └── servers
├── peering
│   ├── network
│   └── routing
├── README.md
├── tenant
│   ├── network
│   └── servers
├── terraform.tfvars.sample
└── terragrunt.hcl
The following list describes each configuration directory or file in examples/full-deployment and the resources defined in it.

common/configuration: None.

The code in this directory uses the Terraform module in examples/network_calculator to calculate the number of tenant VCNs and peering VCNs required, the CIDR size of each VCN, and the mapping between the tenant VCNs and the peering VCNs. The results of the calculation are used when the VCNs and other networking resources are created.

common/compartments:
  • A management compartment.
  • One or more compartments for the peering VCNs.
  • A compartment for each tenant.
management/access: An Oracle Linux compute instance attached to a public subnet in the ISV VCN. This instance is the bastion server for the topology.
management/network:
  • The ISV VCN, also called the management VCN.
  • NAT and internet gateways for the ISV VCN.
  • The following subnets:
    • A private management subnet for the management server.
    • A public access subnet for the bastion server.
    • A private peering subnet for the routing gateways.
  • The default route table for the VCN, with a rule to route traffic bound for the public internet through the internet gateway.
  • A route table for the peering subnet, with a rule to route traffic bound for the public internet through the NAT gateway.
  • A security list for the access subnet, with the following rules:
    • Allow inbound ICMP traffic from any source.
    • Allow outbound TCP traffic bound for any destination.
  • A security list for the peering subnet, with the following rules:
    • Allow outbound TCP traffic bound for any destination.
    • Allow inbound ICMP traffic from any source.
    • Allow inbound TCP traffic from any source to port 5666.
  • A security list for the management subnet, with the following rules:
    • Allow inbound ICMP traffic from the access subnet.
    • Allow inbound HTTP traffic from the access subnet to port 80.
    • Allow outbound TCP traffic bound for any destination.
management/server_attachment:
  • A route table attached to the management subnet, with the following rules:
    • Route traffic bound for the public internet through the NAT gateway.
    • Route traffic bound for each of the tenant VCNs to the appropriate routing gateway instance.
  • A route table attached to the access subnet, with the following rules:
    • Route traffic bound for the public internet through the internet gateway.
    • Route traffic bound for each of the tenant VCNs to the appropriate routing gateway instance.
management/servers: An Oracle Linux compute instance attached to the management subnet in the ISV VCN.

You can use the management server to install and run an infrastructure monitoring application, such as Nagios Core.

peering/network:
  • A dynamic group consisting of the compute instances that host the routing gateways.
  • A policy to allow the dynamic group defined in this configuration to use the VNICs and private addresses in the compartment.
  • Two peering VCNs, with a subnet in each VCN.
  • A local peering gateway (LPG) for each VCN.
  • A security list for each subnet, with rules to allow all inbound ICMP traffic and all outbound TCP traffic.
  • A route table for each subnet, with rules to route traffic bound for each tenant VCN through the LPG of the appropriate peering VCN.
peering/routing:
  • Two routing gateways:
    • One gateway is a pair of compute instances, each in a different fault domain, with Pacemaker installed on them to enable high availability. Each of the compute instances has two secondary VNICs, with a floating IP address attached to the first secondary VNIC. This gateway is intended to demonstrate HA failover for the routing gateway.
    • The other gateway is a single compute instance.
  • A network security group with the following rules:
    • Allow all TCP traffic within the group to ports 3121, 2224, and 21064.
    • Allow all UDP traffic within the group to port 4505.
tenant/network: The following resources for each tenant:
  • A tenant VCN.
  • NAT and internet gateways for the tenant VCN.
  • Two subnets, one public and the other private.
  • An LPG for the VCN.
  • A route table for the public subnet, with the following rules:
    • Route traffic bound for the public internet through the internet gateway.
    • Route traffic bound for the peering subnet through the LPG.
    • Route traffic bound for the management subnet through the LPG.
  • A route table for the private subnet, with the following rules:
    • Route traffic bound for the public internet through the NAT gateway.
    • Route traffic bound for the peering subnet through the LPG.
    • Route traffic bound for the management subnet through the LPG.
  • A security list for the public subnet, with the following rules:
    • Allow inbound ICMP traffic from any source.
    • Allow outbound TCP traffic to any destination.
  • A security list for the private subnet, with the following rules:
    • Allow inbound ICMP traffic from any source.
    • Allow outbound TCP traffic to any destination.
    • Allow inbound TCP traffic to port 5666.
tenant/servers: An Oracle Linux compute instance in each of the tenant compartments.

You can use this instance to install and run an infrastructure monitoring agent. For example, if you install Nagios Core in the management server in the ISV VCN, then you can install the Nagios agent in the compute instance in each tenant compartment. The agent can monitor the servers in the compartment and send metrics to the Nagios monitoring server.

terraform.tfvars.sample: A template for the Terraform variables file.
terragrunt.hcl: The Terragrunt configuration.

Set the Terraform Variables

Specify the parameters required for Terraform to connect to the Oracle Cloud Infrastructure tenancy, SSH keys for the compute instances, and the password for the routing cluster.

  1. Copy examples/full-deployment/terraform.tfvars.sample to examples/full-deployment/terraform.tfvars.
  2. Open examples/full-deployment/terraform.tfvars in a plain-text editor, and set values for the variables in it as follows:
    tenancy_ocid: The OCID of your tenancy.

    You can find your tenancy's OCID in the Oracle Cloud Infrastructure web console. Select Administration from the services menu, and then click Tenancy Details.

    user_ocid: The OCID of the user that you want Terraform to use to authenticate with Oracle Cloud Infrastructure.

    To find the user's OCID, select Identity from the services menu, and then select Users. Locate your user name in the list, and copy its OCID.

    fingerprint: The fingerprint of the API signing key that you uploaded.
    private_key_path: The full path and name of the file that contains your private API signing key.
    region: The ID of the region where you want to create the resources.

    For example, the ID of the US East (Ashburn) region is us-ashburn-1.

    See Regions and Availability Domains.

    compartment_ocid: The OCID of the compartment in which you want to create the resources.

    The compartment that you specify will be the parent compartment for the topology.

    To find a compartment's OCID, select Identity from the services menu, and then select Compartments. Locate the compartment that you need in the list, and copy its OCID.

    bastion_ssh_public_key_file: The full path and name of the file containing the SSH public key for the bastion server.
    bastion_ssh_private_key_file: The full path and name of the file containing the SSH private key for the bastion server.
    remote_ssh_public_key_file: The full path and name of the file containing the SSH public key for the private compute instances in the topology.
    remote_ssh_private_key_file: The full path and name of the file containing the SSH private key for the private compute instances in the topology.

    Save and close terraform.tfvars.

    The following is an example of a completed terraform.tfvars file:

    tenancy_ocid = "ocid1.tenancy.oc1..aaaaaaaa2 (truncated)"
    user_ocid = "ocid1.user.oc1..aaaaaaaag (truncated)"
    fingerprint = "56:f6:8e:bf: (truncated)"
    private_key_path = "/home/joe/.oci/oci_api_key.pem"
    region = "us-ashburn-1"
    
    compartment_ocid = "ocid1.compartment.oc1..aaaaaaaam (truncated)"
    
    bastion_ssh_public_key_file = "/home/joe/.ssh/ida_rsa_bastion.pub"
    bastion_ssh_private_key_file = "/home/joe/.ssh/ida_rsa_bastion"
    remote_ssh_public_key_file = "/home/joe/.ssh/ida_rsa_remote.pub"
    remote_ssh_private_key_file = "/home/joe/.ssh/ida_rsa_remote"
  3. Set a shared secret for the routing cluster in an environment variable.
    export TF_VAR_hacluster_password="somePassword"

    The password must contain at least eight characters. It must include at least one uppercase letter, one lowercase letter, a numeral, and a special (non-alphanumeric) character.
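As an added preflight example (not part of the Oracle sample code), the following POSIX shell script reads the path-valued variables from terraform.tfvars, verifies that each key file exists and that private keys are not group- or world-readable, and checks TF_VAR_hacluster_password against the policy stated above. The variable names come from the table above; the tfvars file, key files and directory it operates on are constructed inline for the demonstration.

```shell
#!/bin/sh
# Preflight checks for examples/full-deployment/terraform.tfvars and for
# TF_VAR_hacluster_password (added illustration, not part of the sample code).
# Print the unquoted value of KEY from tfvars FILE (handles key = "value" lines).
tfvar() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Policy from the setup steps: 8+ chars with upper, lower, digit and non-alphanumeric.
check_hacluster_password() {
  pw="$1"
  [ "${#pw}" -ge 8 ] || return 1
  case "$pw" in *[A-Z]*) ;; *) return 1 ;; esac
  case "$pw" in *[a-z]*) ;; *) return 1 ;; esac
  case "$pw" in *[0-9]*) ;; *) return 1 ;; esac
  case "$pw" in *[!A-Za-z0-9]*) ;; *) return 1 ;; esac
  return 0
}
# A private key must exist and must not be readable by group or others (mode 0600).
check_private_key() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || return 2
}
# Check every path-valued variable in FILE; print each problem, return 1 if any.
check_tfvars() {
  rc=0
  for key in private_key_path bastion_ssh_private_key_file remote_ssh_private_key_file; do
    p="$(tfvar "$1" "$key")"
    check_private_key "$p" || { echo "FAIL $key=$p (missing or too permissive)"; rc=1; }
  done
  for key in bastion_ssh_public_key_file remote_ssh_public_key_file; do
    p="$(tfvar "$1" "$key")"
    [ -f "$p" ] || { echo "FAIL $key=$p (not found)"; rc=1; }
  done
  return $rc
}

# Demo on constructed input: a temp dir holding a tfvars file and empty key files.
d="$(mktemp -d)"
for f in api.pem bastion bastion.pub remote remote.pub; do : > "$d/$f"; done
chmod 600 "$d/api.pem" "$d/bastion"; chmod 644 "$d/remote"   # remote key deliberately too open
printf 'private_key_path = "%s"\nbastion_ssh_private_key_file = "%s"\nbastion_ssh_public_key_file = "%s"\n' \
  "$d/api.pem" "$d/bastion" "$d/bastion.pub" > "$d/terraform.tfvars"
printf 'remote_ssh_private_key_file = "%s"\nremote_ssh_public_key_file = "%s"\n' \
  "$d/remote" "$d/remote.pub" >> "$d/terraform.tfvars"
check_tfvars "$d/terraform.tfvars" || echo "fix terraform.tfvars before running terraform"
check_hacluster_password "${TF_VAR_hacluster_password:-}" || echo "TF_VAR_hacluster_password does not meet the policy"
rm -rf "$d"
```

Run it from examples/full-deployment after exporting TF_VAR_hacluster_password; a nonzero result from check_tfvars or check_hacluster_password means terraform apply would either fail to authenticate or deploy with a key that other local users can read.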