Mirrors/kasm-terraform
1
0
Fork 0
mirror of https://github.com/kasmtech/terraform.git synced 2026-01-23 02:24:11 +00:00
Code Issues Projects Releases Wiki Activity

Simplified TF, added CPX, updated download URL

Browse source
This commit is contained in:
Bryan Scarbrough 2024-02-12 22:45:26 +00:00
parent a27368ea3d
commit ebd13ab824
No known key found for this signature in database
116 changed files with 3880 additions and 1491 deletions
Download patch file Download diff file Expand all files Collapse all files

90
oci/single_server/README.md
View file

@ -34,48 +34,76 @@ Create an SSL certificate that matches the desired domain for the deployment. e.
terraform init
2. Open `settings.tfvars` and update the variables. The variable definitions, descriptions, and validation requirements can be found in `variables.tf`, or in the [table](#oci-terraform-variable-definitions) below.
3. Verify the configuration
terraform plan -var-file settings.tfvars
terraform plan
4. Deploy
terraform apply -var-file settings.tfvars
terraform apply
5. Login to the Deployment as an Admin via the domain defined e.g `https://kasm.contoso.com`. Single server installs download all workspaces images during the install process so it may take ~15 minutes for the server to fully come online.
# OCI Terraform Variable definitions
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Variable | Description | Variable type | Example |
|:--------:|-------------|---------------|---------|
| `tenancy_ocid` | The OCI Tenancy OCID | String | `"ocid1.tenancy.oc1..aaaaaaaaai06vvcguozt39d4ilmwtpdovl998wsxpyn0hjkab2kuh7z16po7"` |
| `compartment_ocid` | The OCI Compartment OCID | String | `"ocid1.compartment.oc1..aaaaaaaauepg1z967huiazuiwjt80rtbszp64x9oxaidkoi7wz0pgr950bzb"` |
| `region` | The OCI Region name | String | `"us-ashburn-1"` |
| `user_ocid` | The OCI User OCID | String | `"ocid1.user.oc1..aaaaaaaau3me8nojmdjrbj2vzfxeouscc1i7cf9w0aoy0iyv9b38t2y0a1ba"` |
| `fingerprint` | The OCI User API Key fingerprint | String | `"66:e5:d1:85:cd:ba:ca:6a:d0:76:86:ef:1c:11:63:97"` |
| `private_key_path` | The path for the API Key PEM encoded Private Key for the OCI User. ***NOTE:*** *Ensure the API Key contents are a valid PEM encoded RSA key file. You can tell this by ensuring that the value `-----BEGIN RSA PRIVATE KEY-----` is the first line in the key file. Otherwise, you can validate the key file by running the `openssl rsa -in oci-private-key.pem -check` command.* | String | `"./oci-private-key.pem"` |
| `project_name` | The name of the deployment (e.g dev, staging). A short single word of up to 15 characters. | String | `"kasm"` |
| `oci_domain_name` | The public Zone used for the dns entries. This must already exist in the OCI account. (e.g kasm.contoso.com). The deployment will be accessed via this zone name using https. | String | `"kasm.contoso.com"` |
| `letsencrypt_cert_support_email` | Email address to use for Terraform-generated Let's Encrypt SSL certificates | String | `"support@contoso.com"` |
| `letsencrypt_server_type` | SSL Server type for certificate generation. Valid options are staging, prod, and empty string (""). Refer to [SSL Certificate Options](#ssl-certificate-options) section of this document for more information. | String | "prod" |
| `kasm_ssl_crt_path` | Bring Your own Certificate - The file path fo the PEM encoded SSL Certificate file generated outside of Terraform. Copy/paste the contents of your generated SSL Certificate to the file designated in this path variable. | String | `"./kasm_ssl.crt"` |
| `kasm_ssl_key_path` | Bring Your own Certificate - The file path to the PEM encoded SSL Private Key file generated outside of Terraform. Copy/paste the contents of your generated SSL Private Key to the file designated in this path variable. | String | `"./kasm_ssl.key"` |
| `vcn_subnet_cidr` | The OCI VCN Subnet CIDR of the VCN where you wish to deploy Kasm | String | `"10.0.0.0/16"` |
| `ssh_authorized_keys` | The SSH Public key to be installed on the Kasm servers for SSH access | String | `"ssh-rsa some_base64_encoded_ssh_public_key_data"` |
| `instance_image_ocid` | The OCI Image OCID value of the OS to use. Kasm recommends using lates Ubuntu 20.04 LTS-Minimal for speed and efficiency. | String | `"ocid1.image.oc1.iad.aaaaaaaahiz6xym3a76xhwkmwmhrz6luyiehho7dpxpkphxhsq5q6z4m3nlq"` |
| `allow_ssh_cidrs` | A list of subnets in CIDR notation allowed to SSH into your kasm servers | List(String) | `["10.0.0.0/16","172.217.22.14/32"]` |
| `allow_web_cidrs` | A list of subnets in CIDR notation allowed Web access to your kasm servers | List(String) | `["0.0.0.0/0"]` |
| `admin_password` | The Kasm Administrative user login password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
| `user_password` | A Kasm standard (non-administrator) user password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
| `kasm_build_url` | The download URL for the desired Kasm Workspaces version. | String | `"https://kasm-static-content.s3.amazonaws.com/kasm_release_1.13.0.002947.tar.gz"` |
| `swap_size` | The amount of swap (in MB) to configure inside the Kasm servers. | Number | `2048` |
| `instance_shape` | The OCI instance shape to use for Kasm deployment. Kasm recommends using a Flex instance type. | String | `"VM.Standard.E4.Flex"` |
| `kasm_server_cpus` | The number of CPUs, memory in GB, and HDD size to use for Kasm WebApps. | Number | `4` |
| `kasm_server_memory` | The number of CPUs, memory in GB, and HDD size to use for the Kasm Database server. | Number | `8` |
| `kasm_server_hdd_size` | The number of CPUs, memory in GB, and HDD size to use for the Kasm Agent server(s). | Number | `120` |
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.0 |
| <a name="requirement_acme"></a> [acme](#requirement\_acme) | ~> 2.0 |
| <a name="requirement_oci"></a> [oci](#requirement\_oci) | ~> 5.0 |
| <a name="requirement_tls"></a> [tls](#requirement\_tls) | ~> 4.0 |
## Providers
No providers.
## Modules
| Name | Source | Version |
|------|--------|---------|
| <a name="module_kasm"></a> [kasm](#module\_kasm) | ./module | n/a |
## Resources
No resources.
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_admin_password"></a> [admin\_password](#input\_admin\_password) | The administrative user password. No special characters | `string` | n/a | yes |
| <a name="input_allow_ssh_cidrs"></a> [allow\_ssh\_cidrs](#input\_allow\_ssh\_cidrs) | The CIDR notation to allow SSH access to the systems. | `list(string)` | n/a | yes |
| <a name="input_allow_web_cidrs"></a> [allow\_web\_cidrs](#input\_allow\_web\_cidrs) | The CIDR notation to allow HTTPS access to the systems. | `list(string)` | n/a | yes |
| <a name="input_compartment_ocid"></a> [compartment\_ocid](#input\_compartment\_ocid) | The Compartment OCID | `string` | n/a | yes |
| <a name="input_fingerprint"></a> [fingerprint](#input\_fingerprint) | API Key Fingerprint | `string` | n/a | yes |
| <a name="input_instance_image_ocid"></a> [instance\_image\_ocid](#input\_instance\_image\_ocid) | The OCID for the instance image , such as ubuntu 20.04, to use. | `string` | n/a | yes |
| <a name="input_instance_shape"></a> [instance\_shape](#input\_instance\_shape) | The instance shape to use. Should be a Flex type. | `string` | n/a | yes |
| <a name="input_kasm_build_url"></a> [kasm\_build\_url](#input\_kasm\_build\_url) | The URL for the Kasm Workspaces build | `string` | n/a | yes |
| <a name="input_kasm_server_cpus"></a> [kasm\_server\_cpus](#input\_kasm\_server\_cpus) | The number of CPUs to configure for the Kasm instance | `number` | n/a | yes |
| <a name="input_kasm_server_hdd_size"></a> [kasm\_server\_hdd\_size](#input\_kasm\_server\_hdd\_size) | The size in GBs of the Kasm instance HDD | `number` | n/a | yes |
| <a name="input_kasm_server_memory"></a> [kasm\_server\_memory](#input\_kasm\_server\_memory) | The amount of memory to configure for the Kasm instance | `number` | n/a | yes |
| <a name="input_kasm_ssl_crt_path"></a> [kasm\_ssl\_crt\_path](#input\_kasm\_ssl\_crt\_path) | The file path to the PEM encoded SSL Certificate. Leave this empty if you are using Lets Encrypt to automatically generate your certificates. | `string` | `""` | no |
| <a name="input_kasm_ssl_key_path"></a> [kasm\_ssl\_key\_path](#input\_kasm\_ssl\_key\_path) | The file path to the PEM encoded SSL Certificate Key. Leave this empty if you are using Lets Encrypt to automatically generate your certificates. | `string` | `""` | no |
| <a name="input_letsencrypt_cert_support_email"></a> [letsencrypt\_cert\_support\_email](#input\_letsencrypt\_cert\_support\_email) | Email address to use for Let's Encrypt SSL certificates for OCI Deployment | `string` | `""` | no |
| <a name="input_letsencrypt_server_type"></a> [letsencrypt\_server\_type](#input\_letsencrypt\_server\_type) | SSL Server type to generate. Valid options are staging and prod, and prod certificates are limited to 5 certificates per week. | `string` | `""` | no |
| <a name="input_oci_domain_name"></a> [oci\_domain\_name](#input\_oci\_domain\_name) | The public Zone used for the dns entries. This must already exist in the OCI account. (e.g kasm.contoso.com). The deployment will be accessed via this zone name via https | `string` | n/a | yes |
| <a name="input_private_key_path"></a> [private\_key\_path](#input\_private\_key\_path) | The path to the OCI API Key PEM encoded Private Key | `string` | n/a | yes |
| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | The name of the deployment (e.g dev, staging). A short single word | `string` | n/a | yes |
| <a name="input_region"></a> [region](#input\_region) | The OCI Region eg: (us-ashburn-1) | `string` | n/a | yes |
| <a name="input_ssh_authorized_keys"></a> [ssh\_authorized\_keys](#input\_ssh\_authorized\_keys) | The SSH Public Keys to be installed on the OCI compute instance | `string` | n/a | yes |
| <a name="input_swap_size"></a> [swap\_size](#input\_swap\_size) | The amount of swap (in MB) to configure inside the compute instances | `number` | n/a | yes |
| <a name="input_tenancy_ocid"></a> [tenancy\_ocid](#input\_tenancy\_ocid) | The Tenancy OCID. | `string` | n/a | yes |
| <a name="input_user_ocid"></a> [user\_ocid](#input\_user\_ocid) | The User OCID. | `string` | n/a | yes |
| <a name="input_user_password"></a> [user\_password](#input\_user\_password) | The standard (non administrator) user password. No special characters | `string` | n/a | yes |
| <a name="input_vcn_subnet_cidr"></a> [vcn\_subnet\_cidr](#input\_vcn\_subnet\_cidr) | VCN Subnet CIDR where you wish to deploy Kasm | `string` | n/a | yes |
## Outputs
No outputs.
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
# Detailed Terraform Deployment Diagram

79
oci/single_server/module/README.md Normal file
View file

@ -0,0 +1,79 @@
# module
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.0 |
| <a name="requirement_acme"></a> [acme](#requirement\_acme) | ~> 2.0 |
| <a name="requirement_oci"></a> [oci](#requirement\_oci) | ~> 5.0 |
| <a name="requirement_tls"></a> [tls](#requirement\_tls) | ~> 4.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_acme"></a> [acme](#provider\_acme) | 2.20.0 |
| <a name="provider_oci"></a> [oci](#provider\_oci) | 5.28.0 |
| <a name="provider_tls"></a> [tls](#provider\_tls) | 4.0.5 |
## Modules
No modules.
## Resources
| Name | Type |
|------|------|
| [acme_certificate.certificate](https://registry.terraform.io/providers/vancluever/acme/latest/docs/resources/certificate) | resource |
| [acme_registration.registration](https://registry.terraform.io/providers/vancluever/acme/latest/docs/resources/registration) | resource |
| [oci_core_default_route_table.default_route_table](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_default_route_table) | resource |
| [oci_core_instance.kasm_instance](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_instance) | resource |
| [oci_core_internet_gateway.kasm_internet_gateway](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_internet_gateway) | resource |
| [oci_core_security_list.allow_ssh](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_security_list) | resource |
| [oci_core_security_list.allow_web](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_security_list) | resource |
| [oci_core_subnet.kasm_subnet](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_subnet) | resource |
| [oci_core_vcn.kasm_vcn](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_vcn) | resource |
| [oci_dns_rrset.kasm_a_record](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/dns_rrset) | resource |
| [tls_cert_request.kasm_certificate_request](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |
| [tls_private_key.certificate_private_key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.registration_private_key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [oci_dns_zones.kasm_dns_zone](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/dns_zones) | data source |
| [oci_identity_availability_domain.ad](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/identity_availability_domain) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_admin_password"></a> [admin\_password](#input\_admin\_password) | The administrative user password. No special characters | `string` | n/a | yes |
| <a name="input_allow_ssh_cidrs"></a> [allow\_ssh\_cidrs](#input\_allow\_ssh\_cidrs) | The CIDR notation to allow SSH access to the systems. | `list(string)` | n/a | yes |
| <a name="input_allow_web_cidrs"></a> [allow\_web\_cidrs](#input\_allow\_web\_cidrs) | The CIDR notation to allow HTTPS access to the systems. | `list(string)` | n/a | yes |
| <a name="input_anywhere"></a> [anywhere](#input\_anywhere) | Anywhere route subnet | `string` | `"0.0.0.0/0"` | no |
| <a name="input_compartment_ocid"></a> [compartment\_ocid](#input\_compartment\_ocid) | The Compartment OCID | `string` | n/a | yes |
| <a name="input_fingerprint"></a> [fingerprint](#input\_fingerprint) | API Key Fingerprint | `string` | n/a | yes |
| <a name="input_instance_image_ocid"></a> [instance\_image\_ocid](#input\_instance\_image\_ocid) | The OCID for the instance image , such as ubuntu 20.04, to use. | `string` | n/a | yes |
| <a name="input_instance_shape"></a> [instance\_shape](#input\_instance\_shape) | The instance shape to use. Should be a Flex type. | `string` | n/a | yes |
| <a name="input_kasm_build_url"></a> [kasm\_build\_url](#input\_kasm\_build\_url) | The URL for the Kasm Workspaces build | `string` | n/a | yes |
| <a name="input_kasm_server_cpus"></a> [kasm\_server\_cpus](#input\_kasm\_server\_cpus) | The number of CPUs to configure for the Kasm instance | `number` | n/a | yes |
| <a name="input_kasm_server_hdd_size"></a> [kasm\_server\_hdd\_size](#input\_kasm\_server\_hdd\_size) | The size in GBs of the Kasm instance HDD | `number` | n/a | yes |
| <a name="input_kasm_server_memory"></a> [kasm\_server\_memory](#input\_kasm\_server\_memory) | The amount of memory to configure for the Kasm instance | `number` | n/a | yes |
| <a name="input_kasm_ssl_crt_path"></a> [kasm\_ssl\_crt\_path](#input\_kasm\_ssl\_crt\_path) | The file path to the PEM encoded SSL Certificate | `string` | n/a | yes |
| <a name="input_kasm_ssl_key_path"></a> [kasm\_ssl\_key\_path](#input\_kasm\_ssl\_key\_path) | The file path to the PEM encoded SSL Certificate Key | `string` | n/a | yes |
| <a name="input_letsencrypt_cert_support_email"></a> [letsencrypt\_cert\_support\_email](#input\_letsencrypt\_cert\_support\_email) | Email address to use for Let's Encrypt SSL certificates for OCI Deployment | `string` | n/a | yes |
| <a name="input_letsencrypt_server_type"></a> [letsencrypt\_server\_type](#input\_letsencrypt\_server\_type) | SSL Server type to generate. Valid options are staging, prod, and empty string. Prod certificates are limited to 5 per week per domain. | `string` | n/a | yes |
| <a name="input_oci_domain_name"></a> [oci\_domain\_name](#input\_oci\_domain\_name) | The public Zone used for the dns entries. This must already exist in the OCI account. (e.g kasm.contoso.com). The deployment will be accessed via this zone name via https | `string` | n/a | yes |
| <a name="input_private_key_path"></a> [private\_key\_path](#input\_private\_key\_path) | The path to the API Key PEM encoded Private Key | `string` | n/a | yes |
| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | The name of the deployment (e.g dev, staging). A short single word | `string` | n/a | yes |
| <a name="input_region"></a> [region](#input\_region) | The OCI Region eg: (us-ashburn-1) | `string` | n/a | yes |
| <a name="input_ssh_authorized_keys"></a> [ssh\_authorized\_keys](#input\_ssh\_authorized\_keys) | The SSH Public Keys to be installed on the OCI compute instance | `string` | n/a | yes |
| <a name="input_swap_size"></a> [swap\_size](#input\_swap\_size) | The amount of swap (in MB) to configure inside the compute instances | `number` | n/a | yes |
| <a name="input_tenancy_ocid"></a> [tenancy\_ocid](#input\_tenancy\_ocid) | The Tenancy OCID. | `string` | n/a | yes |
| <a name="input_user_ocid"></a> [user\_ocid](#input\_user\_ocid) | The User OCID. | `string` | n/a | yes |
| <a name="input_user_password"></a> [user\_password](#input\_user\_password) | The standard (non administrator) user password. No special characters | `string` | n/a | yes |
| <a name="input_vcn_subnet_cidr"></a> [vcn\_subnet\_cidr](#input\_vcn\_subnet\_cidr) | VPC Subnet CIDR where you wish to deploy Kasm | `string` | n/a | yes |
## Outputs
No outputs.
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

8
oci/single_server/module/provider.tf
View file

@ -1,16 +1,18 @@
terraform {
required_version = "~> 1.0"
required_providers {
oci = {
source = "oracle/oci"
version = ">= 4.0.0"
version = "~> 5.0"
}
acme = {
source = "vancluever/acme"
version = ">= 2.0"
version = "~> 2.0"
}
tls = {
source = "hashicorp/tls"
version = ">= 4.0.0"
version = "~> 4.0"
}
}
}

8
oci/single_server/provider.tf
View file

@ -1,16 +1,18 @@
terraform {
required_version = "~> 1.0"
required_providers {
oci = {
source = "oracle/oci"
version = ">= 4.0.0"
version = "~> 5.0"
}
acme = {
source = "vancluever/acme"
version = ">= 2.0"
version = "~> 2.0"
}
tls = {
source = "hashicorp/tls"
version = ">= 4.0.0"
version = "~> 4.0"
}
}
}

4
oci/single_server/settings.tfvars → oci/single_server/terraform.tfvars
View file

@ -32,7 +32,7 @@ user_password = "changeme"
ssh_authorized_keys = "changeme"
## OCI VM Settings
instance_image_ocid = "ocid1.image.oc1.iad.aaaaaaaahiz6xym3a76xhwkmwmhrz6luyiehho7dpxpkphxhsq5q6z4m3nlq"
instance_image_ocid = ""
instance_shape = "VM.Standard.E4.Flex"
swap_size = 2048
kasm_server_cpus = 2
@ -40,4 +40,4 @@ kasm_server_memory = 2
kasm_server_hdd_size = 120
## Kasm download URL
kasm_build_url = "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.13.0.002947.tar.gz"
kasm_build_url = "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.14.0.3a7abb.tar.gz"

106
oci/standard/README.md
View file

@ -35,56 +35,84 @@ Create an SSL certificate that matches the desired domain for the deployment. e.
terraform init
2. Open `settings.tfvars` and update the variables. The variable definitions, descriptions, and validation requirements can be found in `variables.tf`, or in the [table](#oci-terraform-variable-definitions) below.
3. Verify the configuration
terraform plan -var-file settings.tfvars
terraform plan
4. Deploy
terraform apply -var-file settings.tfvars
terraform apply
5. Login to the Deployment as an Admin via the domain defined e.g `https://kasm.contoso.com`. It may take several minutes for the deployment to fully come online.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
# OCI Terraform Variable definitions
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.0 |
| <a name="requirement_acme"></a> [acme](#requirement\_acme) | ~> 2.0 |
| <a name="requirement_oci"></a> [oci](#requirement\_oci) | ~> 5.0 |
| <a name="requirement_tls"></a> [tls](#requirement\_tls) | ~> 4.0 |
| Variable | Description | Variable type | Example |
|:--------:|-------------|---------------|---------|
| `tenancy_ocid` | The OCI Tenancy OCID | String | `"ocid1.tenancy.oc1..aaaaaaaaai06vvcguozt39d4ilmwtpdovl998wsxpyn0hjkab2kuh7z16po7"` |
| `compartment_ocid` | The OCI Compartment OCID | String | `"ocid1.compartment.oc1..aaaaaaaauepg1z967huiazuiwjt80rtbszp64x9oxaidkoi7wz0pgr950bzb"` |
| `region` | The OCI Region name | String | `"us-ashburn-1"` |
| `user_ocid` | The OCI User OCID | String | `"ocid1.user.oc1..aaaaaaaau3me8nojmdjrbj2vzfxeouscc1i7cf9w0aoy0iyv9b38t2y0a1ba"` |
| `fingerprint` | The OCI User API Key fingerprint | String | `"66:e5:d1:85:cd:ba:ca:6a:d0:76:86:ef:1c:11:63:97"` |
| `private_key_path` | The path for the API Key PEM encoded Private Key for the OCI User. ***NOTE:*** *Ensure the API Key contents are a valid PEM encoded RSA key file. You can tell this by ensuring that the value `-----BEGIN RSA PRIVATE KEY-----` is the first line in the key file. Otherwise, you can validate the key file by running the `openssl rsa -in oci-private-key.pem -check` command.* | String | `"./oci-private-key.pem"` |
| `project_name` | The name of the deployment (e.g dev, staging). A short single word of up to 15 characters. | String | `"kasm"` |
| `oci_domain_name` | The public Zone used for the dns entries. This must already exist in the OCI account. (e.g kasm.contoso.com). The deployment will be accessed via this zone name using https. | String | `"kasm.contoso.com"` |
| `letsencrypt_cert_support_email` | Email address to use for Terraform-generated Let's Encrypt SSL certificates | String | `"support@contoso.com"` |
| `letsencrypt_server_type` | SSL Server type for certificate generation. Valid options are staging, prod, and empty string (""). Refer to [SSL Certificate Options](#ssl-certificate-options) section of this document for more information. | String | "prod" |
| `kasm_ssl_crt_path` | Bring Your own Certificate - The file path fo the PEM encoded SSL Certificate file generated outside of Terraform. Copy/paste the contents of your generated SSL Certificate to the file designated in this path variable. | String | `"./kasm_ssl.crt"` |
| `kasm_ssl_key_path` | Bring Your own Certificate - The file path to the PEM encoded SSL Private Key file generated outside of Terraform. Copy/paste the contents of your generated SSL Private Key to the file designated in this path variable. | String | `"./kasm_ssl.key"` |
| `vcn_subnet_cidr` | The OCI VCN Subnet CIDR of the VCN where you wish to deploy Kasm | String | `"10.0.0.0/16"` |
| `ssh_authorized_keys` | The SSH Public key to be installed on the Kasm servers for SSH access | String | `"ssh-rsa some_base64_encoded_ssh_public_key_data"` |
| `instance_image_ocid` | The OCI Image OCID value of the OS to use. Kasm recommends using lates Ubuntu 20.04 LTS-Minimal for speed and efficiency. | String | `"ocid1.image.oc1.iad.aaaaaaaahiz6xym3a76xhwkmwmhrz6luyiehho7dpxpkphxhsq5q6z4m3nlq"` |
| `allow_ssh_cidrs` | A list of subnets in CIDR notation allowed to SSH into your kasm servers | List(String) | `["10.0.0.0/16","172.217.22.14/32"]` |
| `allow_web_cidrs` | A list of subnets in CIDR notation allowed Web access to your kasm servers | List(String) | `["0.0.0.0/0"]` |
| `num_webapps` | The number of WebApp role servers to create in this deployment. Acceptable ranges from 1-3. | Number | `2` |
| `num_agents` | The number of static Kasm Agents to create in this deploymenbt. Acceptable ranges from 0-100. | Number | `2` |
| `num_guac_rdp_nodes` | The number of Guacamole RDP access servers to create in this deployment. Acceptable ranges from 0-100. | Number | `1` |
| `database_password` | The Kasm PostgreSQL database password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
| `redis_password` | The Kasm Redis password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
| `admin_password` | The Kasm Administrative user login password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
| `user_password` | A Kasm standard (non-administrator) user password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
| `manager_token` | The manager token value used by Kasm agents to authenticate to the Kasm WebApps. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
| `service_registration_token` | The service registration token value used by Guac RDP servers to authenticate to the Kasm Webapps. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` |
| `kasm_build_url` | The download URL for the desired Kasm Workspaces version. | String | `"https://kasm-static-content.s3.amazonaws.com/kasm_release_1.13.0.002947.tar.gz"` |
| `swap_size` | The amount of swap (in MB) to configure inside the Kasm servers. | Number | `2048` |
| `instance_shape` | The OCI instance shape to use for Kasm deployment. Kasm recommends using a Flex instance type. | String | `"VM.Standard.E4.Flex"` |
| `kasm_webapp_vm_settings` | The number of CPUs, memory in GB, and HDD size to use for Kasm WebApps. | Map(Any) | <pre align=left>{<br/>&nbsp;&nbsp;cpus = 2<br/>&nbsp;&nbsp;memory = 2<br/>&nbsp;&nbsp;hdd_size_gb = 50<br/>}</pre> |
| `kasm_database_vm_settings` | The number of CPUs, memory in GB, and HDD size to use for the Kasm Database server. | Map(Any) | <pre align=left>{<br/>&nbsp;&nbsp;cpus = 2<br/>&nbsp;&nbsp;memory = 2<br/>&nbsp;&nbsp;hdd_size_gb = 50<br/>}</pre> |
| `kasm_agent_vm_settings` | The number of CPUs, memory in GB, and HDD size to use for the Kasm Agent server(s). | Map(Any) | <pre align=left>{<br/>&nbsp;&nbsp;cpus = 4<br/>&nbsp;&nbsp;memory = 8<br/>&nbsp;&nbsp;hdd_size_gb = 120<br/>}</pre> |
| `kasm_guac_vm_settings` | The number of CPUs, memory in GB, and HDD size to use for the Kasm Guac RDP server(s). | Map(Any) | <pre align=left>{<br/>&nbsp;&nbsp;cpus = 4<br/>&nbsp;&nbsp;memory = 4<br/>&nbsp;&nbsp;hdd_size_gb = 50<br/>}</pre> |
## Providers
No providers.
## Modules
| Name | Source | Version |
|------|--------|---------|
| <a name="module_kasm"></a> [kasm](#module\_kasm) | ./module | n/a |
## Resources
No resources.
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_admin_password"></a> [admin\_password](#input\_admin\_password) | The administrative user password. No special characters | `string` | n/a | yes |
| <a name="input_allow_ssh_cidrs"></a> [allow\_ssh\_cidrs](#input\_allow\_ssh\_cidrs) | The CIDR notation to allow SSH access to the systems. | `list(string)` | n/a | yes |
| <a name="input_allow_web_cidrs"></a> [allow\_web\_cidrs](#input\_allow\_web\_cidrs) | The CIDR notation to allow HTTPS access to the systems. | `list(string)` | n/a | yes |
| <a name="input_bastion_vm_settings"></a> [bastion\_vm\_settings](#input\_bastion\_vm\_settings) | The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm SSH Bastion instance | <pre>object({<br> cpus = number<br> memory = number<br> hdd_size_gb = number<br> })</pre> | n/a | yes |
| <a name="input_compartment_ocid"></a> [compartment\_ocid](#input\_compartment\_ocid) | The Compartment OCID | `string` | n/a | yes |
| <a name="input_database_password"></a> [database\_password](#input\_database\_password) | The password for the database. No special characters | `string` | n/a | yes |
| <a name="input_fingerprint"></a> [fingerprint](#input\_fingerprint) | API Key Fingerprint | `string` | n/a | yes |
| <a name="input_instance_image_ocid"></a> [instance\_image\_ocid](#input\_instance\_image\_ocid) | The OCID for the instance image, such as ubuntu 22.04, to use. | `string` | n/a | yes |
| <a name="input_instance_shape"></a> [instance\_shape](#input\_instance\_shape) | The instance shape to use. Should be a Flex type. | `string` | n/a | yes |
| <a name="input_kasm_agent_vm_settings"></a> [kasm\_agent\_vm\_settings](#input\_kasm\_agent\_vm\_settings) | The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm Agent instances | <pre>object({<br> cpus = number<br> memory = number<br> hdd_size_gb = number<br> })</pre> | n/a | yes |
| <a name="input_kasm_build_url"></a> [kasm\_build\_url](#input\_kasm\_build\_url) | The URL for the Kasm Workspaces build | `string` | n/a | yes |
| <a name="input_kasm_cpx_vm_settings"></a> [kasm\_cpx\_vm\_settings](#input\_kasm\_cpx\_vm\_settings) | The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm cpx RDP instances | <pre>object({<br> cpus = number<br> memory = number<br> hdd_size_gb = number<br> })</pre> | n/a | yes |
| <a name="input_kasm_database_vm_settings"></a> [kasm\_database\_vm\_settings](#input\_kasm\_database\_vm\_settings) | The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm Database instance | <pre>object({<br> cpus = number<br> memory = number<br> hdd_size_gb = number<br> })</pre> | n/a | yes |
| <a name="input_kasm_ssl_crt_path"></a> [kasm\_ssl\_crt\_path](#input\_kasm\_ssl\_crt\_path) | The file path to the PEM encoded SSL Certificate | `string` | `""` | no |
| <a name="input_kasm_ssl_key_path"></a> [kasm\_ssl\_key\_path](#input\_kasm\_ssl\_key\_path) | The file path to the PEM encoded SSL Certificate Key | `string` | `""` | no |
| <a name="input_kasm_webapp_vm_settings"></a> [kasm\_webapp\_vm\_settings](#input\_kasm\_webapp\_vm\_settings) | The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm WebApp instances | <pre>object({<br> cpus = number<br> memory = number<br> hdd_size_gb = number<br> })</pre> | n/a | yes |
| <a name="input_letsencrypt_cert_support_email"></a> [letsencrypt\_cert\_support\_email](#input\_letsencrypt\_cert\_support\_email) | Email address to use for Let's Encrypt SSL certificates for OCI Deployment | `string` | `""` | no |
| <a name="input_letsencrypt_server_type"></a> [letsencrypt\_server\_type](#input\_letsencrypt\_server\_type) | SSL Server type to generate. Valid options are staging and prod, and prod certificates are limited to 5 certificates per week. | `string` | `""` | no |
| <a name="input_manager_token"></a> [manager\_token](#input\_manager\_token) | The manager token value for Agents to authenticate to webapps. No special characters | `string` | n/a | yes |
| <a name="input_num_agents"></a> [num\_agents](#input\_num\_agents) | The number of Agent Role Servers to create in the deployment | `number` | n/a | yes |
| <a name="input_num_cpx_nodes"></a> [num\_cpx\_nodes](#input\_num\_cpx\_nodes) | The number of cpx RDP Role Servers to create in the deployment | `number` | n/a | yes |
| <a name="input_num_webapps"></a> [num\_webapps](#input\_num\_webapps) | The number of WebApp role servers to create in the deployment | `number` | n/a | yes |
| <a name="input_oci_domain_name"></a> [oci\_domain\_name](#input\_oci\_domain\_name) | The public Zone used for the dns entries. This must already exist in the OCI account. (e.g kasm.contoso.com). The deployment will be accessed via this zone name via https | `string` | n/a | yes |
| <a name="input_private_key_path"></a> [private\_key\_path](#input\_private\_key\_path) | The path to the API Key PEM encoded Private Key | `string` | n/a | yes |
| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | The name of the deployment (e.g dev, staging). A short single word | `string` | n/a | yes |
| <a name="input_redis_password"></a> [redis\_password](#input\_redis\_password) | The password for the Redis server. No special characters | `string` | n/a | yes |
| <a name="input_region"></a> [region](#input\_region) | The OCI Region eg: (us-ashburn-1) | `string` | n/a | yes |
| <a name="input_service_registration_token"></a> [service\_registration\_token](#input\_service\_registration\_token) | The service registration token value for cpx RDP servers to authenticate to webapps. No special characters | `string` | n/a | yes |
| <a name="input_ssh_authorized_keys"></a> [ssh\_authorized\_keys](#input\_ssh\_authorized\_keys) | The SSH Public Keys to be installed on the OCI compute instance | `string` | n/a | yes |
| <a name="input_swap_size"></a> [swap\_size](#input\_swap\_size) | The amount of swap (in MB) to configure inside the compute instances | `number` | n/a | yes |
| <a name="input_tenancy_ocid"></a> [tenancy\_ocid](#input\_tenancy\_ocid) | The Tenancy OCID. | `string` | n/a | yes |
| <a name="input_user_ocid"></a> [user\_ocid](#input\_user\_ocid) | The User OCID. | `string` | n/a | yes |
| <a name="input_user_password"></a> [user\_password](#input\_user\_password) | The standard (non administrator) user password. No special characters | `string` | n/a | yes |
| <a name="input_vcn_subnet_cidr"></a> [vcn\_subnet\_cidr](#input\_vcn\_subnet\_cidr) | VCN Subnet CIDR where you wish to deploy Kasm | `string` | n/a | yes |
## Outputs
No outputs.
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
# Detailed Terraform Deployment Diagram

6
oci/standard/deployment.tf
View file

@ -18,6 +18,7 @@ module "kasm" {
# Let TF generate Let's Encrypt SSL Certificates automatically
letsencrypt_cert_support_email = var.letsencrypt_cert_support_email
letsencrypt_server_type = var.letsencrypt_server_type
# Bring your own SSL Certificates
kasm_ssl_crt_path = var.kasm_ssl_crt_path
kasm_ssl_key_path = var.kasm_ssl_key_path
@ -26,14 +27,15 @@ module "kasm" {
instance_shape = var.instance_shape
num_agents = var.num_agents
num_webapps = var.num_webapps
num_guac_rdp_nodes = var.num_guac_rdp_nodes
num_cpx_nodes = var.num_cpx_nodes
kasm_agent_vm_settings = var.kasm_agent_vm_settings
kasm_database_vm_settings = var.kasm_database_vm_settings
kasm_webapp_vm_settings = var.kasm_webapp_vm_settings
kasm_guac_vm_settings = var.kasm_guac_vm_settings
kasm_cpx_vm_settings = var.kasm_cpx_vm_settings
allow_ssh_cidrs = var.allow_ssh_cidrs
allow_web_cidrs = var.allow_web_cidrs
swap_size = var.swap_size
bastion_vm_settings = var.bastion_vm_settings
manager_token = var.manager_token
admin_password = var.admin_password

111
oci/standard/module/README.md Normal file
View file

@ -0,0 +1,111 @@
# module
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.0 |
| <a name="requirement_acme"></a> [acme](#requirement\_acme) | ~> 2.0 |
| <a name="requirement_oci"></a> [oci](#requirement\_oci) | ~> 5.0 |
| <a name="requirement_tls"></a> [tls](#requirement\_tls) | ~> 4.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_acme"></a> [acme](#provider\_acme) | 2.20.0 |
| <a name="provider_oci"></a> [oci](#provider\_oci) | 5.28.0 |
| <a name="provider_tls"></a> [tls](#provider\_tls) | 4.0.5 |
## Modules
No modules.
## Resources
| Name | Type |
|------|------|
| [acme_certificate.this](https://registry.terraform.io/providers/vancluever/acme/latest/docs/resources/certificate) | resource |
| [acme_registration.this](https://registry.terraform.io/providers/vancluever/acme/latest/docs/resources/registration) | resource |
| [oci_core_instance.agent](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_instance) | resource |
| [oci_core_instance.bastion](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_instance) | resource |
| [oci_core_instance.cpx](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_instance) | resource |
| [oci_core_instance.db](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_instance) | resource |
| [oci_core_instance.webapp](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_instance) | resource |
| [oci_core_internet_gateway.this](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_internet_gateway) | resource |
| [oci_core_nat_gateway.this](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_nat_gateway) | resource |
| [oci_core_route_table.internet_gateway](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_route_table) | resource |
| [oci_core_route_table.nat_gateway](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_route_table) | resource |
| [oci_core_security_list.allow_bastion_ssh](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_security_list) | resource |
| [oci_core_security_list.allow_db_redis](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_security_list) | resource |
| [oci_core_security_list.allow_public_ssh](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_security_list) | resource |
| [oci_core_security_list.allow_rdp_to_windows](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_security_list) | resource |
| [oci_core_security_list.allow_web](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_security_list) | resource |
| [oci_core_security_list.allow_web_from_lb](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_security_list) | resource |
| [oci_core_security_list.allow_web_from_webapp](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_security_list) | resource |
| [oci_core_subnet.agent](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_subnet) | resource |
| [oci_core_subnet.cpx](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_subnet) | resource |
| [oci_core_subnet.db](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_subnet) | resource |
| [oci_core_subnet.lb](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_subnet) | resource |
| [oci_core_subnet.webapp](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_subnet) | resource |
| [oci_core_subnet.windows](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_subnet) | resource |
| [oci_core_vcn.this](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_vcn) | resource |
| [oci_dns_rrset.kasm_a_record](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/dns_rrset) | resource |
| [oci_load_balancer.public](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/load_balancer) | resource |
| [oci_load_balancer_backend.public](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/load_balancer_backend) | resource |
| [oci_load_balancer_backend_set.public](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/load_balancer_backend_set) | resource |
| [oci_load_balancer_certificate.public](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/load_balancer_certificate) | resource |
| [oci_load_balancer_listener.kasm_https_ssl_listener](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/load_balancer_listener) | resource |
| [tls_cert_request.this](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |
| [tls_private_key.certificate](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.registration](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [oci_dns_zones.this](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/dns_zones) | data source |
| [oci_identity_availability_domains.kasm_ads](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/identity_availability_domains) | data source |
| [oci_load_balancer_ssl_cipher_suite.this](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/load_balancer_ssl_cipher_suite) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_admin_password"></a> [admin\_password](#input\_admin\_password) | The administrative user password. No special characters | `string` | n/a | yes |
| <a name="input_allow_ssh_cidrs"></a> [allow\_ssh\_cidrs](#input\_allow\_ssh\_cidrs) | The CIDR notation to allow SSH access to the systems. | `list(string)` | n/a | yes |
| <a name="input_allow_web_cidrs"></a> [allow\_web\_cidrs](#input\_allow\_web\_cidrs) | The CIDR notation to allow HTTPS access to the systems. | `list(string)` | n/a | yes |
| <a name="input_anywhere"></a> [anywhere](#input\_anywhere) | Anywhere route subnet | `list(string)` | <pre>[<br> "0.0.0.0/0"<br>]</pre> | no |
| <a name="input_bastion_vm_settings"></a> [bastion\_vm\_settings](#input\_bastion\_vm\_settings) | The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm SSH Bastion instance | <pre>object({<br> cpus = number<br> memory = number<br> hdd_size_gb = number<br> })</pre> | n/a | yes |
| <a name="input_bastion_vm_utilization"></a> [bastion\_vm\_utilization](#input\_bastion\_vm\_utilization) | The VM compute utilization. Defaults to 12.5% to reduce costs on long-running instances. | `string` | `"BASELINE_1_8"` | no |
| <a name="input_compartment_ocid"></a> [compartment\_ocid](#input\_compartment\_ocid) | The Compartment OCID | `string` | n/a | yes |
| <a name="input_database_password"></a> [database\_password](#input\_database\_password) | The password for the database. No special characters | `string` | n/a | yes |
| <a name="input_fingerprint"></a> [fingerprint](#input\_fingerprint) | API Key Fingerprint | `string` | n/a | yes |
| <a name="input_instance_image_ocid"></a> [instance\_image\_ocid](#input\_instance\_image\_ocid) | The OCID for the instance image , such as ubuntu 20.04, to use. | `string` | n/a | yes |
| <a name="input_instance_shape"></a> [instance\_shape](#input\_instance\_shape) | The instance shape to use. Should be a Flex type. | `string` | n/a | yes |
| <a name="input_kasm_agent_vm_settings"></a> [kasm\_agent\_vm\_settings](#input\_kasm\_agent\_vm\_settings) | The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm Agent instances | <pre>object({<br> cpus = number<br> memory = number<br> hdd_size_gb = number<br> })</pre> | n/a | yes |
| <a name="input_kasm_build_url"></a> [kasm\_build\_url](#input\_kasm\_build\_url) | The URL for the Kasm Workspaces build | `string` | n/a | yes |
| <a name="input_kasm_cpx_vm_settings"></a> [kasm\_cpx\_vm\_settings](#input\_kasm\_cpx\_vm\_settings) | The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm cpx RDP instances | <pre>object({<br> cpus = number<br> memory = number<br> hdd_size_gb = number<br> })</pre> | n/a | yes |
| <a name="input_kasm_database_vm_settings"></a> [kasm\_database\_vm\_settings](#input\_kasm\_database\_vm\_settings) | The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm Database instance | <pre>object({<br> cpus = number<br> memory = number<br> hdd_size_gb = number<br> })</pre> | n/a | yes |
| <a name="input_kasm_ssl_crt_path"></a> [kasm\_ssl\_crt\_path](#input\_kasm\_ssl\_crt\_path) | The file path to the PEM encoded SSL Certificate | `string` | n/a | yes |
| <a name="input_kasm_ssl_key_path"></a> [kasm\_ssl\_key\_path](#input\_kasm\_ssl\_key\_path) | The file path to the PEM encoded SSL Certificate Key | `string` | n/a | yes |
| <a name="input_kasm_webapp_vm_settings"></a> [kasm\_webapp\_vm\_settings](#input\_kasm\_webapp\_vm\_settings) | The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm WebApp instances | <pre>object({<br> cpus = number<br> memory = number<br> hdd_size_gb = number<br> })</pre> | n/a | yes |
| <a name="input_letsencrypt_cert_support_email"></a> [letsencrypt\_cert\_support\_email](#input\_letsencrypt\_cert\_support\_email) | Email address to use for Let's Encrypt SSL certificates for OCI Deployment | `string` | n/a | yes |
| <a name="input_letsencrypt_server_type"></a> [letsencrypt\_server\_type](#input\_letsencrypt\_server\_type) | SSL Server type to generate. Valid options are staging and prod, and prod certificates are limited to 5 certificates per week. | `string` | n/a | yes |
| <a name="input_manager_token"></a> [manager\_token](#input\_manager\_token) | The manager token value for Agents to authenticate to webapps. No special characters | `string` | n/a | yes |
| <a name="input_num_agents"></a> [num\_agents](#input\_num\_agents) | The number of Agent Role Servers to create in the deployment | `number` | n/a | yes |
| <a name="input_num_cpx_nodes"></a> [num\_cpx\_nodes](#input\_num\_cpx\_nodes) | The number of WebApp role servers to create in the deployment | `number` | n/a | yes |
| <a name="input_num_webapps"></a> [num\_webapps](#input\_num\_webapps) | The number of WebApp role servers to create in the deployment | `number` | n/a | yes |
| <a name="input_oci_domain_name"></a> [oci\_domain\_name](#input\_oci\_domain\_name) | The public Zone used for the dns entries. This must already exist in the OCI account. (e.g kasm.contoso.com). The deployment will be accessed via this zone name via https | `string` | n/a | yes |
| <a name="input_private_key_path"></a> [private\_key\_path](#input\_private\_key\_path) | The path to the API Key PEM encoded Private Key | `string` | n/a | yes |
| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | The name of the deployment (e.g dev, staging). A short single word | `string` | n/a | yes |
| <a name="input_redis_password"></a> [redis\_password](#input\_redis\_password) | The password for the Redis server. No special characters | `string` | n/a | yes |
| <a name="input_region"></a> [region](#input\_region) | The OCI Region eg: (us-ashburn-1) | `string` | n/a | yes |
| <a name="input_service_registration_token"></a> [service\_registration\_token](#input\_service\_registration\_token) | The service registration token value for cpx RDP servers to authenticate to webapps. No special characters | `string` | n/a | yes |
| <a name="input_ssh_authorized_keys"></a> [ssh\_authorized\_keys](#input\_ssh\_authorized\_keys) | The SSH Public Keys to be installed on the OCI compute instance | `string` | n/a | yes |
| <a name="input_swap_size"></a> [swap\_size](#input\_swap\_size) | The amount of swap (in MB) to configure inside the compute instances | `number` | n/a | yes |
| <a name="input_tenancy_ocid"></a> [tenancy\_ocid](#input\_tenancy\_ocid) | The Tenancy OCID. | `string` | n/a | yes |
| <a name="input_user_ocid"></a> [user\_ocid](#input\_user\_ocid) | The User OCID. | `string` | n/a | yes |
| <a name="input_user_password"></a> [user\_password](#input\_user\_password) | The standard (non administrator) user password. No special characters | `string` | n/a | yes |
| <a name="input_vcn_subnet_cidr"></a> [vcn\_subnet\_cidr](#input\_vcn\_subnet\_cidr) | VCN Subnet CIDR where you wish to deploy Kasm | `string` | n/a | yes |
## Outputs
No outputs.
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

11
oci/standard/module/agent.tf
View file

@ -1,6 +1,7 @@
resource "oci_core_instance" "kasm_agent_instance" {
count = var.num_agents
availability_domain = data.oci_identity_availability_domains.kasm_ads.availability_domains[0].name
resource "oci_core_instance" "agent" {
count = var.num_agents
availability_domain = local.availability_domains[0].name
compartment_id = var.compartment_ocid
display_name = "${var.project_name}-Kasm-Agent-${count.index}"
shape = var.instance_shape
@ -11,8 +12,8 @@ resource "oci_core_instance" "kasm_agent_instance" {
}
create_vnic_details {
subnet_id = data.oci_core_subnet.data-kasm_agent_subnet.id
display_name = "${var.project_name}-Primaryvnic-${count.index}"
subnet_id = oci_core_subnet.agent.id
display_name = "${var.project_name}-Agent-Primaryvnic-${count.index}"
assign_public_ip = true
assign_private_dns_record = true
hostname_label = "${var.project_name}-Kasm-Agent-${count.index}"

30
oci/standard/module/bastion.tf Normal file
View file

@ -0,0 +1,30 @@
resource "oci_core_instance" "bastion" {
availability_domain = local.availability_domains[0].name
compartment_id = var.compartment_ocid
display_name = "${var.project_name}-Kasm-SSH-Bastion"
shape = var.instance_shape
shape_config {
baseline_ocpu_utilization = var.bastion_vm_utilization
ocpus = var.bastion_vm_settings.cpus
memory_in_gbs = var.bastion_vm_settings.memory
}
create_vnic_details {
subnet_id = oci_core_subnet.lb.id
display_name = "${var.project_name}-Bastion-Primaryvnic"
assign_public_ip = true
assign_private_dns_record = true
hostname_label = "${var.project_name}-Kasm-Bastion"
}
source_details {
source_type = "image"
source_id = var.instance_image_ocid
boot_volume_size_in_gbs = var.bastion_vm_settings.hdd_size_gb
}
metadata = {
ssh_authorized_keys = var.ssh_authorized_keys
}
}

23
oci/standard/module/guac_rdp.tf → oci/standard/module/cpx.tf
View file

@ -1,33 +1,34 @@
resource "oci_core_instance" "kasm_guac_instance" {
count = var.num_guac_rdp_nodes
availability_domain = data.oci_identity_availability_domains.kasm_ads.availability_domains[0].name
resource "oci_core_instance" "cpx" {
count = var.num_cpx_nodes
availability_domain = length(local.availability_domains) > 1 ? local.availability_domains[(count.index)].name : local.availability_domains[0].name
compartment_id = var.compartment_ocid
display_name = "${var.project_name}-Kasm-Guac-${count.index}"
display_name = "${var.project_name}-Kasm-cpx-${count.index}"
shape = var.instance_shape
shape_config {
ocpus = var.kasm_guac_vm_settings.cpus
memory_in_gbs = var.kasm_guac_vm_settings.memory
ocpus = var.kasm_cpx_vm_settings.cpus
memory_in_gbs = var.kasm_cpx_vm_settings.memory
}
create_vnic_details {
subnet_id = data.oci_core_subnet.data-kasm_guac_subnet.id
display_name = "${var.project_name}-Primaryvnic-${count.index}"
subnet_id = one(oci_core_subnet.cpx[*].id)
display_name = "${var.project_name}-CPX-Primaryvnic-${count.index}"
assign_public_ip = true
assign_private_dns_record = true
hostname_label = "${var.project_name}-Kasm-Guac-${count.index}"
hostname_label = "${var.project_name}-Kasm-cpx-${count.index}"
}
source_details {
source_type = "image"
source_id = var.instance_image_ocid
boot_volume_size_in_gbs = var.kasm_guac_vm_settings.hdd_size_gb
boot_volume_size_in_gbs = var.kasm_cpx_vm_settings.hdd_size_gb
}
metadata = {
ssh_authorized_keys = var.ssh_authorized_keys
user_data = base64encode(templatefile("${path.module}/userdata/guac_bootstrap.sh",
user_data = base64encode(templatefile("${path.module}/userdata/cpx_bootstrap.sh",
{
kasm_build_url = var.kasm_build_url
swap_size = var.swap_size

12
oci/standard/module/db.tf
View file

@ -1,5 +1,5 @@
resource "oci_core_instance" "kasm_db_instance" {
availability_domain = data.oci_identity_availability_domains.kasm_ads.availability_domains[0].name
resource "oci_core_instance" "db" {
availability_domain = local.availability_domains[0].name
compartment_id = var.compartment_ocid
display_name = "${var.project_name}-Kasm-DB"
shape = var.instance_shape
@ -10,8 +10,8 @@ resource "oci_core_instance" "kasm_db_instance" {
}
create_vnic_details {
subnet_id = oci_core_subnet.kasm-db-subnet.id
display_name = "${var.project_name}-Primaryvnic"
subnet_id = oci_core_subnet.db.id
display_name = "${var.project_name}-DB-Primaryvnic"
assign_public_ip = true
assign_private_dns_record = true
hostname_label = "${var.project_name}-Kasm-DB"
@ -39,7 +39,3 @@ resource "oci_core_instance" "kasm_db_instance" {
))
}
}
data "oci_core_instance" "data-kasm_db_instance" {
instance_id = oci_core_instance.kasm_db_instance.id
}

16
oci/standard/module/dependencies.tf Normal file
View file

@ -0,0 +1,16 @@
locals {
kasm_vcn_subnet_cidr_mask = split("/", var.vcn_subnet_cidr)[1]
kasm_server_subnet_cidr_calculation = (8 - (local.kasm_vcn_subnet_cidr_mask - 16))
kasm_server_subnet_cidr_size = local.kasm_server_subnet_cidr_calculation < 3 ? 3 : local.kasm_server_subnet_cidr_calculation
availability_domains = data.oci_identity_availability_domains.kasm_ads.availability_domains
}
data "oci_dns_zones" "this" {
compartment_id = var.compartment_ocid
name = var.oci_domain_name
}
data "oci_identity_availability_domains" "kasm_ads" {
compartment_id = var.compartment_ocid
}

10
oci/standard/module/dns.tf
View file

@ -1,16 +1,12 @@
data "oci_dns_zones" "kasm_dns_zone" {
compartment_id = var.compartment_ocid
name = var.oci_domain_name
}
resource "oci_dns_rrset" "kasm_a_record" {
compartment_id = var.compartment_ocid
domain = var.oci_domain_name
zone_name_or_id = data.oci_dns_zones.kasm_dns_zone.zones[0].name
zone_name_or_id = data.oci_dns_zones.this.zones[0].name
rtype = "A"
items {
domain = var.oci_domain_name
rdata = oci_load_balancer.kasm_load_balancer.ip_address_details[0].ip_address
rdata = oci_load_balancer.public.ip_address_details[0].ip_address
rtype = "A"
ttl = 300
}

29
oci/standard/module/letsencrypt.tf
View file

@ -1,28 +1,33 @@
resource "tls_private_key" "registration_private_key" {
resource "tls_private_key" "registration" {
algorithm = "RSA"
}
resource "tls_private_key" "certificate_private_key" {
resource "tls_private_key" "certificate" {
algorithm = "RSA"
}
resource "acme_registration" "registration" {
account_key_pem = tls_private_key.registration_private_key.private_key_pem
resource "acme_registration" "this" {
account_key_pem = tls_private_key.registration.private_key_pem
email_address = var.letsencrypt_cert_support_email
}
resource "tls_cert_request" "kasm_certificate_request" {
private_key_pem = tls_private_key.certificate_private_key.private_key_pem
dns_names = [data.oci_dns_zones.kasm_dns_zone.zones[0].name, "*.${data.oci_dns_zones.kasm_dns_zone.zones[0].name}"]
resource "tls_cert_request" "this" {
private_key_pem = tls_private_key.certificate.private_key_pem
dns_names = [
var.oci_domain_name,
"*.${var.oci_domain_name}"
]
subject {
common_name = data.oci_dns_zones.kasm_dns_zone.zones[0].name
common_name = var.oci_domain_name
}
}
resource "acme_certificate" "certificate" {
account_key_pem = acme_registration.registration.account_key_pem
certificate_request_pem = tls_cert_request.kasm_certificate_request.cert_request_pem
resource "acme_certificate" "this" {
account_key_pem = acme_registration.this.account_key_pem
certificate_request_pem = tls_cert_request.this.cert_request_pem
recursive_nameservers = [
"8.8.8.8:53",
"4.4.2.2:53"
@ -44,5 +49,5 @@ resource "acme_certificate" "certificate" {
}
}
depends_on = [acme_registration.registration]
depends_on = [acme_registration.this]
}

49
oci/standard/module/load_balancer.tf
View file

@ -1,32 +1,32 @@
resource "oci_load_balancer" "kasm_load_balancer" {
resource "oci_load_balancer" "public" {
shape = "flexible"
compartment_id = var.compartment_ocid
subnet_ids = [for subnet_id in data.oci_core_subnets.data-kasm_webapp_subnets : subnet_id.subnets[0].id]
subnet_ids = [oci_core_subnet.lb.id]
shape_details {
minimum_bandwidth_in_mbps = 10
maximum_bandwidth_in_mbps = 100
maximum_bandwidth_in_mbps = 1000
}
display_name = "${var.project_name}-kasm-load_balancer"
}
resource "oci_load_balancer_certificate" "kasm_lb_certificate" {
resource "oci_load_balancer_certificate" "public" {
certificate_name = "${var.project_name}-kasm-cert"
load_balancer_id = oci_load_balancer.kasm_load_balancer.id
load_balancer_id = oci_load_balancer.public.id
ca_certificate = var.letsencrypt_server_type == "" ? file(var.kasm_ssl_crt_path) : acme_certificate.certificate.certificate_pem
public_certificate = var.letsencrypt_server_type == "" ? file(var.kasm_ssl_crt_path) : acme_certificate.certificate.certificate_pem
private_key = var.letsencrypt_server_type == "" ? file(var.kasm_ssl_key_path) : tls_private_key.certificate_private_key.private_key_pem
ca_certificate = var.letsencrypt_server_type == "" ? file(var.kasm_ssl_crt_path) : acme_certificate.this.certificate_pem
public_certificate = var.letsencrypt_server_type == "" ? file(var.kasm_ssl_crt_path) : acme_certificate.this.certificate_pem
private_key = var.letsencrypt_server_type == "" ? file(var.kasm_ssl_key_path) : tls_private_key.certificate.private_key_pem
lifecycle {
create_before_destroy = true
}
}
resource "oci_load_balancer_backend_set" "kasm_load_balancer_backend_set" {
resource "oci_load_balancer_backend_set" "public" {
name = "${var.project_name}-kasm-backend_set"
load_balancer_id = oci_load_balancer.kasm_load_balancer.id
load_balancer_id = oci_load_balancer.public.id
policy = "ROUND_ROBIN"
health_checker {
@ -42,22 +42,22 @@ resource "oci_load_balancer_backend_set" "kasm_load_balancer_backend_set" {
ssl_configuration {
protocols = [
"TLSv1.1",
"TLSv1.2"
]
cipher_suite_name = data.oci_load_balancer_ssl_cipher_suite.data-kasm_load_balancer_cipher_suite.name
certificate_name = oci_load_balancer_certificate.kasm_lb_certificate.certificate_name
cipher_suite_name = data.oci_load_balancer_ssl_cipher_suite.this.name
certificate_name = oci_load_balancer_certificate.public.certificate_name
verify_peer_certificate = false
}
}
resource "oci_load_balancer_backend" "kasm_webapp_load_balancer_backend" {
count = var.num_webapps
backendset_name = oci_load_balancer_backend_set.kasm_load_balancer_backend_set.name
resource "oci_load_balancer_backend" "public" {
count = var.num_webapps
backendset_name = oci_load_balancer_backend_set.public.name
backup = false
drain = false
load_balancer_id = oci_load_balancer.kasm_load_balancer.id
ip_address = data.oci_core_instance.data-kasm_webapp_instances[count.index].private_ip
load_balancer_id = oci_load_balancer.public.id
ip_address = oci_core_instance.webapp[(count.index)].private_ip
offline = false
port = 443
weight = 1
@ -65,24 +65,23 @@ resource "oci_load_balancer_backend" "kasm_webapp_load_balancer_backend" {
resource "oci_load_balancer_listener" "kasm_https_ssl_listener" {
name = "${var.project_name}-https-ssl-listener"
load_balancer_id = oci_load_balancer.kasm_load_balancer.id
default_backend_set_name = oci_load_balancer_backend_set.kasm_load_balancer_backend_set.name
load_balancer_id = oci_load_balancer.public.id
default_backend_set_name = oci_load_balancer_backend_set.public.name
port = "443"
protocol = "HTTP"
ssl_configuration {
protocols = [
"TLSv1.1",
"TLSv1.2"
]
server_order_preference = "ENABLED"
verify_peer_certificate = false
cipher_suite_name = data.oci_load_balancer_ssl_cipher_suite.data-kasm_load_balancer_cipher_suite.name
certificate_name = oci_load_balancer_certificate.kasm_lb_certificate.certificate_name
cipher_suite_name = data.oci_load_balancer_ssl_cipher_suite.this.name
certificate_name = oci_load_balancer_certificate.public.certificate_name
}
}
data "oci_load_balancer_ssl_cipher_suite" "data-kasm_load_balancer_cipher_suite" {
data "oci_load_balancer_ssl_cipher_suite" "this" {
name = "oci-default-ssl-cipher-suite-v1"
load_balancer_id = oci_load_balancer.kasm_load_balancer.id
load_balancer_id = oci_load_balancer.public.id
}

10
oci/standard/module/provider.tf
View file

@ -1,12 +1,18 @@
terraform {
required_version = "~> 1.0"
required_providers {
oci = {
source = "oracle/oci"
version = ">= 4.0.0"
version = "~> 5.0"
}
acme = {
source = "vancluever/acme"
version = ">= 2.0.0"
version = "~> 2.0"
}
tls = {
source = "hashicorp/tls"
version = "~> 4.0"
}
}
}

152
oci/standard/module/security_lists.tf
View file

@ -1,6 +1,6 @@
resource "oci_core_security_list" "allow_web" {
compartment_id = var.compartment_ocid
vcn_id = oci_core_vcn.kasm_vcn.id
vcn_id = oci_core_vcn.this.id
display_name = "allow_web"
dynamic "egress_security_rules" {
@ -26,15 +26,10 @@ resource "oci_core_security_list" "allow_web" {
}
}
data "oci_core_security_lists" "data-allow_web" {
resource "oci_core_security_list" "allow_public_ssh" {
compartment_id = var.compartment_ocid
display_name = oci_core_security_list.allow_web.display_name
}
resource "oci_core_security_list" "allow_ssh" {
compartment_id = var.compartment_ocid
vcn_id = oci_core_vcn.kasm_vcn.id
display_name = "allow_ssh"
vcn_id = oci_core_vcn.this.id
display_name = "allow_public_ssh"
dynamic "egress_security_rules" {
for_each = var.anywhere
@ -59,14 +54,24 @@ resource "oci_core_security_list" "allow_ssh" {
}
}
data "oci_core_security_lists" "data-allow_ssh" {
resource "oci_core_security_list" "allow_bastion_ssh" {
compartment_id = var.compartment_ocid
display_name = oci_core_security_list.allow_ssh.display_name
vcn_id = oci_core_vcn.this.id
display_name = "allow_bastion_ssh"
ingress_security_rules {
protocol = "6"
source = "${oci_core_instance.bastion.private_ip}/32"
tcp_options {
max = "22"
min = "22"
}
}
}
resource "oci_core_security_list" "allow_db_redis" {
compartment_id = var.compartment_ocid
vcn_id = oci_core_vcn.kasm_vcn.id
vcn_id = oci_core_vcn.this.id
display_name = "allow_db_redis"
dynamic "egress_security_rules" {
@ -79,39 +84,28 @@ resource "oci_core_security_list" "allow_db_redis" {
}
}
dynamic "ingress_security_rules" {
for_each = [for cidr_block in data.oci_core_subnets.data-kasm_webapp_subnets : cidr_block.subnets[0].cidr_block]
content {
protocol = "6"
source = ingress_security_rules.value
tcp_options {
max = "5432"
min = "5432"
}
ingress_security_rules {
protocol = "6"
source = oci_core_subnet.webapp.cidr_block
tcp_options {
max = "5432"
min = "5432"
}
}
dynamic "ingress_security_rules" {
for_each = [for cidr_block in data.oci_core_subnets.data-kasm_webapp_subnets : cidr_block.subnets[0].cidr_block]
content {
protocol = "6"
source = ingress_security_rules.value
tcp_options {
max = "6379"
min = "6379"
}
ingress_security_rules {
protocol = "6"
source = oci_core_subnet.webapp.cidr_block
tcp_options {
max = "6379"
min = "6379"
}
}
}
data "oci_core_security_lists" "data-allow_db_redis" {
resource "oci_core_security_list" "allow_web_from_lb" {
compartment_id = var.compartment_ocid
display_name = oci_core_security_list.allow_db_redis.display_name
}
resource "oci_core_security_list" "allow_web_from_webapp" {
compartment_id = var.compartment_ocid
vcn_id = oci_core_vcn.kasm_vcn.id
vcn_id = oci_core_vcn.this.id
display_name = "allow_web_from_webapp"
dynamic "egress_security_rules" {
@ -124,20 +118,82 @@ resource "oci_core_security_list" "allow_web_from_webapp" {
}
}
dynamic "ingress_security_rules" {
for_each = [for cidr_block in data.oci_core_subnets.data-kasm_webapp_subnets : cidr_block.subnets[0].cidr_block]
content {
protocol = "6"
source = ingress_security_rules.value
tcp_options {
max = "443"
min = "443"
}
ingress_security_rules {
protocol = "6"
source = oci_core_subnet.lb.cidr_block
tcp_options {
max = "443"
min = "443"
}
}
}
data "oci_core_security_lists" "data-allow_web_from_webapp" {
resource "oci_core_security_list" "allow_web_from_webapp" {
compartment_id = var.compartment_ocid
display_name = oci_core_security_list.allow_web_from_webapp.display_name
vcn_id = oci_core_vcn.this.id
display_name = "allow_web_from_webapp"
dynamic "egress_security_rules" {
for_each = var.anywhere
content {
destination = egress_security_rules.value
protocol = "all"
stateless = "false"
}
}
ingress_security_rules {
protocol = "6"
source = oci_core_subnet.webapp.cidr_block
tcp_options {
max = "443"
min = "443"
}
}
}
resource "oci_core_security_list" "allow_rdp_to_windows" {
count = var.num_cpx_nodes > 0 ? 1 : 0
compartment_id = var.compartment_ocid
vcn_id = oci_core_vcn.this.id
display_name = "allow_rdp_for_windows"
dynamic "egress_security_rules" {
for_each = var.anywhere
content {
destination = egress_security_rules.value
protocol = "all"
stateless = "false"
}
}
ingress_security_rules {
protocol = "6"
source = oci_core_subnet.webapp.cidr_block
tcp_options {
max = "4902"
min = "4902"
}
}
ingress_security_rules {
protocol = "6"
source = one(oci_core_subnet.cpx[*].cidr_block)
tcp_options {
max = "3389"
min = "3389"
}
}
ingress_security_rules {
protocol = "6"
source = one(oci_core_subnet.cpx[*].cidr_block)
tcp_options {
max = "4902"
min = "4902"
}
}
}

90
oci/standard/module/subnet.tf
View file

@ -1,90 +0,0 @@
locals {
kasm_vcn_subnet_cidr_mask = split("/", var.vcn_subnet_cidr)[1]
kasm_server_subnet_cidr_calculation = (8 - (local.kasm_vcn_subnet_cidr_mask - 16))
kasm_server_subnet_cidr_size = local.kasm_server_subnet_cidr_calculation < 3 ? 3 : local.kasm_server_subnet_cidr_calculation
kasm_agent_subnet_id = (var.num_webapps + 1)
}
## Will create Agent subnet x.x.0.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21)
resource "oci_core_subnet" "kasm-db-subnet" {
compartment_id = var.compartment_ocid
vcn_id = data.oci_core_vcn.data-kasm_vcn.id
route_table_id = oci_core_route_table.default_route_table.id
dhcp_options_id = data.oci_core_vcn.data-kasm_vcn.default_dhcp_options_id
availability_domain = data.oci_identity_availability_domains.kasm_ads.availability_domains[0].name
cidr_block = cidrsubnet(var.vcn_subnet_cidr, local.kasm_server_subnet_cidr_size, 0)
display_name = "${var.project_name}-db-subnet"
dns_label = "${var.project_name}db"
security_list_ids = [
data.oci_core_security_lists.data-allow_db_redis.security_lists[0].id,
data.oci_core_security_lists.data-allow_ssh.security_lists[0].id
]
}
data "oci_core_subnet" "data-kasm_db_subnet" {
subnet_id = oci_core_subnet.kasm-db-subnet.id
}
## Will create WebApp subnets x.x.1.x/24 and x.x.2.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21, and 2 WebApps)
resource "oci_core_subnet" "kasm-webapp-subnets" {
count = var.num_webapps
compartment_id = var.compartment_ocid
vcn_id = data.oci_core_vcn.data-kasm_vcn.id
route_table_id = oci_core_route_table.default_route_table.id
dhcp_options_id = data.oci_core_vcn.data-kasm_vcn.default_dhcp_options_id
availability_domain = data.oci_identity_availability_domains.kasm_ads.availability_domains[count.index].name
cidr_block = cidrsubnet(var.vcn_subnet_cidr, local.kasm_server_subnet_cidr_size, (count.index + 1))
display_name = "${var.project_name}-webapp-subnet${count.index}"
dns_label = "${var.project_name}webapp${count.index}"
security_list_ids = [
data.oci_core_security_lists.data-allow_web.security_lists[0].id,
data.oci_core_security_lists.data-allow_ssh.security_lists[0].id
]
}
data "oci_core_subnets" "data-kasm_webapp_subnets" {
count = var.num_webapps
compartment_id = var.compartment_ocid
vcn_id = data.oci_core_vcn.data-kasm_vcn.id
display_name = oci_core_subnet.kasm-webapp-subnets[count.index].display_name
}
## Will create Agent subnet x.x.3.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21)
resource "oci_core_subnet" "kasm-agent-subnet" {
compartment_id = var.compartment_ocid
vcn_id = data.oci_core_vcn.data-kasm_vcn.id
route_table_id = oci_core_route_table.default_route_table.id
dhcp_options_id = data.oci_core_vcn.data-kasm_vcn.default_dhcp_options_id
availability_domain = data.oci_identity_availability_domains.kasm_ads.availability_domains[0].name
cidr_block = cidrsubnet(var.vcn_subnet_cidr, local.kasm_server_subnet_cidr_size, local.kasm_agent_subnet_id)
display_name = "${var.project_name}-agent-subnet"
dns_label = "${var.project_name}agent"
security_list_ids = [
data.oci_core_security_lists.data-allow_web_from_webapp.security_lists[0].id,
data.oci_core_security_lists.data-allow_ssh.security_lists[0].id
]
}
data "oci_core_subnet" "data-kasm_agent_subnet" {
subnet_id = oci_core_subnet.kasm-agent-subnet.id
}
## Will create Guac subnet x.x.4.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21)
resource "oci_core_subnet" "kasm-guac-subnet" {
compartment_id = var.compartment_ocid
vcn_id = data.oci_core_vcn.data-kasm_vcn.id
route_table_id = oci_core_route_table.default_route_table.id
dhcp_options_id = data.oci_core_vcn.data-kasm_vcn.default_dhcp_options_id
availability_domain = data.oci_identity_availability_domains.kasm_ads.availability_domains[0].name
cidr_block = cidrsubnet(var.vcn_subnet_cidr, local.kasm_server_subnet_cidr_size, (local.kasm_agent_subnet_id + 1))
display_name = "${var.project_name}-guac-subnet"
dns_label = "${var.project_name}guac"
security_list_ids = [
data.oci_core_security_lists.data-allow_web_from_webapp.security_lists[0].id,
data.oci_core_security_lists.data-allow_ssh.security_lists[0].id
]
}
data "oci_core_subnet" "data-kasm_guac_subnet" {
subnet_id = oci_core_subnet.kasm-guac-subnet.id
}

90
oci/standard/module/subnets.tf Normal file
View file

@ -0,0 +1,90 @@
## Will create WebApp subnets x.x.0.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21)
resource "oci_core_subnet" "lb" {
compartment_id = var.compartment_ocid
vcn_id = oci_core_vcn.this.id
route_table_id = oci_core_route_table.internet_gateway.id
dhcp_options_id = oci_core_vcn.this.default_dhcp_options_id
cidr_block = cidrsubnet(var.vcn_subnet_cidr, local.kasm_server_subnet_cidr_size, 0)
display_name = "${var.project_name}-public-lb-subnet"
dns_label = "${var.project_name}lb"
security_list_ids = [
oci_core_security_list.allow_web.id,
oci_core_security_list.allow_public_ssh.id
]
}
## Will create WebApp subnets x.x.1.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21)
resource "oci_core_subnet" "webapp" {
compartment_id = var.compartment_ocid
vcn_id = oci_core_vcn.this.id
route_table_id = oci_core_route_table.nat_gateway.id
dhcp_options_id = oci_core_vcn.this.default_dhcp_options_id
cidr_block = cidrsubnet(var.vcn_subnet_cidr, local.kasm_server_subnet_cidr_size, 1)
display_name = "${var.project_name}-webapp-subnet"
dns_label = "${var.project_name}webapp"
security_list_ids = [
oci_core_security_list.allow_web_from_lb.id,
oci_core_security_list.allow_bastion_ssh.id
]
}
## Will create Agent subnet x.x.2.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21)
resource "oci_core_subnet" "db" {
compartment_id = var.compartment_ocid
vcn_id = oci_core_vcn.this.id
route_table_id = oci_core_route_table.nat_gateway.id
dhcp_options_id = oci_core_vcn.this.default_dhcp_options_id
cidr_block = cidrsubnet(var.vcn_subnet_cidr, local.kasm_server_subnet_cidr_size, 2)
display_name = "${var.project_name}-db-subnet"
dns_label = "${var.project_name}db"
security_list_ids = [
oci_core_security_list.allow_db_redis.id,
oci_core_security_list.allow_bastion_ssh.id
]
}
## Will create Agent subnet x.x.3.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21)
resource "oci_core_subnet" "agent" {
compartment_id = var.compartment_ocid
vcn_id = oci_core_vcn.this.id
route_table_id = oci_core_route_table.internet_gateway.id
dhcp_options_id = oci_core_vcn.this.default_dhcp_options_id
cidr_block = cidrsubnet(var.vcn_subnet_cidr, local.kasm_server_subnet_cidr_size, 3)
display_name = "${var.project_name}-agent-subnet"
dns_label = "${var.project_name}agent"
security_list_ids = [
oci_core_security_list.allow_web_from_webapp.id,
oci_core_security_list.allow_bastion_ssh.id
]
}
## Will create Guac subnet x.x.4.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21)
resource "oci_core_subnet" "cpx" {
count = var.num_cpx_nodes > 0 ? 1 : 0
compartment_id = var.compartment_ocid
vcn_id = oci_core_vcn.this.id
route_table_id = oci_core_route_table.nat_gateway.id
dhcp_options_id = oci_core_vcn.this.default_dhcp_options_id
cidr_block = cidrsubnet(var.vcn_subnet_cidr, local.kasm_server_subnet_cidr_size, 4)
display_name = "${var.project_name}-cpx-subnet"
dns_label = "${var.project_name}cpx"
security_list_ids = [
oci_core_security_list.allow_web_from_webapp.id,
oci_core_security_list.allow_bastion_ssh.id
]
}
## Will create Guac subnet x.x.5.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21)
resource "oci_core_subnet" "windows" {
count = var.num_cpx_nodes > 0 ? 1 : 0
compartment_id = var.compartment_ocid
vcn_id = oci_core_vcn.this.id
route_table_id = oci_core_route_table.internet_gateway.id
dhcp_options_id = oci_core_vcn.this.default_dhcp_options_id
cidr_block = cidrsubnet(var.vcn_subnet_cidr, local.kasm_server_subnet_cidr_size, 5)
display_name = "${var.project_name}-windows-subnet"
dns_label = "${var.project_name}win"
security_list_ids = oci_core_security_list.allow_rdp_to_windows[*].id
}

0
oci/standard/module/userdata/guac_bootstrap.sh → oci/standard/module/userdata/cpx_bootstrap.sh
View file

53
oci/standard/module/variables.tf
View file

@ -94,7 +94,7 @@ variable "num_webapps" {
type = number
}
variable "num_guac_rdp_nodes" {
variable "num_cpx_nodes" {
description = "The number of WebApp role servers to create in the deployment"
type = number
}
@ -130,7 +130,7 @@ variable "manager_token" {
}
variable "service_registration_token" {
description = "The service registration token value for Guac RDP servers to authenticate to webapps. No special characters"
description = "The service registration token value for cpx RDP servers to authenticate to webapps. No special characters"
type = string
sensitive = true
}
@ -151,23 +151,54 @@ variable "instance_shape" {
}
variable "kasm_webapp_vm_settings" {
description = "The amount of memory, in GB, to configure for the Kasm WebApp instance"
type = map(any)
description = "The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm WebApp instances"
type = object({
cpus = number
memory = number
hdd_size_gb = number
})
}
variable "kasm_database_vm_settings" {
description = "The amount of memory, in GB, to configure for the Kasm DB instance"
type = map(any)
description = "The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm Database instance"
type = object({
cpus = number
memory = number
hdd_size_gb = number
})
}
variable "kasm_agent_vm_settings" {
description = "The amount of memory, in GB, to configure for the Kasm Agent instance"
type = map(any)
description = "The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm Agent instances"
type = object({
cpus = number
memory = number
hdd_size_gb = number
})
}
variable "kasm_guac_vm_settings" {
description = "The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm Guac RDP instance"
type = map(any)
variable "kasm_cpx_vm_settings" {
description = "The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm cpx RDP instances"
type = object({
cpus = number
memory = number
hdd_size_gb = number
})
}
variable "bastion_vm_settings" {
description = "The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm SSH Bastion instance"
type = object({
cpus = number
memory = number
hdd_size_gb = number
})
}
variable "bastion_vm_utilization" {
description = "The VM compute utilization. Defaults to 12.5% to reduce costs on long-running instances."
type = string
default = "BASELINE_1_8"
}
## Pre-set values

43
oci/standard/module/vcn.tf
View file

@ -1,43 +1,42 @@
resource "oci_core_vcn" "kasm_vcn" {
resource "oci_core_vcn" "this" {
cidr_block = "10.0.0.0/16"
compartment_id = var.compartment_ocid
display_name = "${var.project_name}-VCN"
dns_label = "${var.project_name}vcn"
}
data "oci_core_vcn" "data-kasm_vcn" {
vcn_id = oci_core_vcn.kasm_vcn.id
resource "oci_core_internet_gateway" "this" {
compartment_id = var.compartment_ocid
display_name = "${var.project_name}-Internet-Gateway"
vcn_id = oci_core_vcn.this.id
}
resource "oci_core_internet_gateway" "kasm_internet_gateway" {
resource "oci_core_nat_gateway" "this" {
compartment_id = var.compartment_ocid
display_name = "${var.project_name}-Gateway"
vcn_id = oci_core_vcn.kasm_vcn.id
display_name = "${var.project_name}-NAT-Gateway"
vcn_id = oci_core_vcn.this.id
}
data "oci_core_internet_gateways" "data-kasm_internet_gateway" {
resource "oci_core_route_table" "internet_gateway" {
compartment_id = var.compartment_ocid
vcn_id = data.oci_core_vcn.data-kasm_vcn.id
}
resource "oci_core_route_table" "default_route_table" {
compartment_id = var.compartment_ocid
vcn_id = data.oci_core_vcn.data-kasm_vcn.id
display_name = "KasmRouteTable"
vcn_id = oci_core_vcn.this.id
display_name = "Kasm-IG-RouteTable"
route_rules {
destination = var.anywhere[0]
destination_type = "CIDR_BLOCK"
network_entity_id = oci_core_internet_gateway.kasm_internet_gateway.id #data.oci_core_internet_gateways.data-kasm_internet_gateway.gateways[0].id
network_entity_id = oci_core_internet_gateway.this.id
}
}
# data "oci_core_route_tables" "data-default_route_table" {
# compartment_id = var.compartment_ocid
# vcn_id = data.oci_core_vcn.data-kasm_vcn.id
# display_name = oci_core_route_table.default_route_table.display_name
# }
resource "oci_core_route_table" "nat_gateway" {
compartment_id = var.compartment_ocid
vcn_id = oci_core_vcn.this.id
display_name = "Kasm-NAT-RouteTable"
data "oci_identity_availability_domains" "kasm_ads" {
compartment_id = var.tenancy_ocid
route_rules {
destination = var.anywhere[0]
destination_type = "CIDR_BLOCK"
network_entity_id = oci_core_nat_gateway.this.id
}
}

18
oci/standard/module/webapp.tf
View file

@ -1,6 +1,7 @@
resource "oci_core_instance" "kasm_webapp_instance" {
count = var.num_webapps
availability_domain = data.oci_identity_availability_domains.kasm_ads.availability_domains[count.index].name
resource "oci_core_instance" "webapp" {
count = var.num_webapps
availability_domain = length(local.availability_domains) > 1 ? local.availability_domains[(count.index)].name : local.availability_domains[0].name
compartment_id = var.compartment_ocid
display_name = "${var.project_name}-Kasm-Webapp-${count.index}"
shape = var.instance_shape
@ -11,8 +12,8 @@ resource "oci_core_instance" "kasm_webapp_instance" {
}
create_vnic_details {
subnet_id = data.oci_core_subnets.data-kasm_webapp_subnets[count.index].subnets[0].id
display_name = "${var.project_name}-Primaryvnic"
subnet_id = oci_core_subnet.webapp.id
display_name = "${var.project_name}-WebApp-Primaryvnic"
assign_public_ip = true
assign_private_dns_record = true
hostname_label = "${var.project_name}-Kasm-Webapp-${count.index}"
@ -29,7 +30,7 @@ resource "oci_core_instance" "kasm_webapp_instance" {
user_data = base64encode(templatefile("${path.module}/userdata/webapp_bootstrap.sh",
{
kasm_build_url = var.kasm_build_url
db_ip = data.oci_core_instance.data-kasm_db_instance.private_ip
db_ip = oci_core_instance.db.private_ip
database_password = var.database_password
redis_password = var.redis_password
swap_size = var.swap_size
@ -39,8 +40,3 @@ resource "oci_core_instance" "kasm_webapp_instance" {
}
}
data "oci_core_instance" "data-kasm_webapp_instances" {
count = var.num_webapps
instance_id = oci_core_instance.kasm_webapp_instance[count.index].id
}

8
oci/standard/provider.tf
View file

@ -1,16 +1,18 @@
terraform {
required_version = "~> 1.0"
required_providers {
oci = {
source = "oracle/oci"
version = ">= 4.0.0"
version = "~> 5.0"
}
acme = {
source = "vancluever/acme"
version = ">= 2.0"
version = "~> 2.0"
}
tls = {
source = "hashicorp/tls"
version = ">= 4.0.0"
version = "~> 4.0"
}
}
}

18
oci/standard/settings.tfvars → oci/standard/terraform.tfvars
View file

@ -1,7 +1,7 @@
## Kasm deployment settings
oci_domain_name = "kasm.contoso.com"
project_name = "contoso"
kasm_build_url = "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.13.0.002947.tar.gz"
kasm_build_url = "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.14.0.3a7abb.tar.gz"
vcn_subnet_cidr = "10.0.0.0/16"
## OCI Authentication variables
@ -33,16 +33,16 @@ redis_password = "changeme"
database_password = "changeme"
service_registration_token = "changeme"
## SSH Public Keys
## SSH Public Key
ssh_authorized_keys = "changeme"
## OCI VM Settings
instance_image_ocid = "ocid1.image.oc1.iad.aaaaaaaahiz6xym3a76xhwkmwmhrz6luyiehho7dpxpkphxhsq5q6z4m3nlq"
instance_image_ocid = ""
instance_shape = "VM.Standard.E4.Flex"
swap_size = 2048
num_webapps = 2
num_agents = 2
num_guac_rdp_nodes = 1
num_cpx_nodes = 1
kasm_webapp_vm_settings = {
cpus = 2
@ -62,8 +62,14 @@ kasm_agent_vm_settings = {
hdd_size_gb = 120
}
kasm_guac_vm_settings = {
kasm_cpx_vm_settings = {
cpus = 4
memory = 4
hdd_size_gb = 50
}
}
bastion_vm_settings = {
cpus = 1
memory = 2
hdd_size_gb = 50
}

54
oci/standard/variables.tf
View file

@ -104,8 +104,8 @@ variable "ssh_authorized_keys" {
}
variable "instance_image_ocid" {
description = "The OCID for the instance image , such as ubuntu 20.04, to use."
default = "ocid1.image.oc1.iad.aaaaaaaafg6lg7dejwjebjqontwzyvutgf6qs5awyze6fgoiqepyj5qkvcuq"
description = "The OCID for the instance image, such as ubuntu 22.04, to use."
type = string
validation {
condition = can(regex("^(ocid\\d)\\.(image)\\.(oc\\d)\\.[a-z]{3,}\\.[a-z0-9]{60}", var.instance_image_ocid))
@ -244,7 +244,7 @@ variable "manager_token" {
}
variable "service_registration_token" {
description = "The service registration token value for Guac RDP servers to authenticate to webapps. No special characters"
description = "The service registration token value for cpx RDP servers to authenticate to webapps. No special characters"
type = string
sensitive = true
@ -264,13 +264,13 @@ variable "num_agents" {
}
}
variable "num_guac_rdp_nodes" {
description = "The number of Guac RDP Role Servers to create in the deployment"
variable "num_cpx_nodes" {
description = "The number of cpx RDP Role Servers to create in the deployment"
type = number
validation {
condition = var.num_guac_rdp_nodes >= 0 && var.num_guac_rdp_nodes <= 100 && floor(var.num_guac_rdp_nodes) == var.num_guac_rdp_nodes
error_message = "Acceptable number of Kasm Guac RDP nodes range between 0-100."
condition = var.num_cpx_nodes >= 0 && var.num_cpx_nodes <= 100 && floor(var.num_cpx_nodes) == var.num_cpx_nodes
error_message = "Acceptable number of Kasm cpx RDP nodes range between 0-100."
}
}
@ -333,7 +333,7 @@ variable "kasm_database_vm_settings" {
error_message = "Kasm Webapps should have at least 2 GB Memory to ensure enough resources for Kasm services."
}
validation {
condition = car.kasm_database_vm_settings.hdd_size_gb >= 50
condition = var.kasm_database_vm_settings.hdd_size_gb >= 50
error_message = "Kasm Webapps should have at least a 50 GB HDD to meet OCI minimum requirements, and ensure enough space Kasm services."
}
}
@ -360,8 +360,8 @@ variable "kasm_agent_vm_settings" {
}
}
variable "kasm_guac_vm_settings" {
description = "The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm Guac RDP instances"
variable "kasm_cpx_vm_settings" {
description = "The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm cpx RDP instances"
type = object({
cpus = number
memory = number
@ -369,16 +369,38 @@ variable "kasm_guac_vm_settings" {
})
validation {
condition = var.kasm_guac_vm_settings.cpus >= 2
error_message = "Kasm Guac RDP servers should have at least 2 CPUs to ensure enough resources for Kasm services."
condition = var.kasm_cpx_vm_settings.cpus >= 2
error_message = "Kasm cpx RDP servers should have at least 2 CPUs to ensure enough resources for Kasm services."
}
validation {
condition = var.kasm_guac_vm_settings.memory >= 2
error_message = "Kasm Guac RDP servers should have at least 2 GB Memory to ensure enough resources for Kasm services."
condition = var.kasm_cpx_vm_settings.memory >= 2
error_message = "Kasm cpx RDP servers should have at least 2 GB Memory to ensure enough resources for Kasm services."
}
validation {
condition = var.kasm_guac_vm_settings.hdd_size_gb >= 50
error_message = "Kasm Guac RDP servers should have at least a 50 GB HDD to meet OCI minimum requirements, and ensure enough space Kasm services."
condition = var.kasm_cpx_vm_settings.hdd_size_gb >= 50
error_message = "Kasm cpx RDP servers should have at least a 50 GB HDD to meet OCI minimum requirements, and ensure enough space Kasm services."
}
}
variable "bastion_vm_settings" {
description = "The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm SSH Bastion instance"
type = object({
cpus = number
memory = number
hdd_size_gb = number
})
validation {
condition = var.bastion_vm_settings.cpus >= 1
error_message = "Kasm SSH Bastion should have at least 2 CPUs to ensure enough resources for Kasm services."
}
validation {
condition = var.bastion_vm_settings.memory >= 1
error_message = "Kasm SSH Bastion should have at least 2 GB Memory to ensure enough resources for Kasm services."
}
validation {
condition = var.bastion_vm_settings.hdd_size_gb >= 50
error_message = "Kasm SSH Bastion should have at least a 50 GB HDD to meet OCI minimum requirements."
}
}