scpのProxyCommand

その他

 

https://qiita.com/ponsuke0531/items/4721ac64f82a8e191580
https://qiita.com/S-T/items/18af2bfcc4e5a72202da

https://webmasters-journal.com/application/winscp-ssh-tunnel/
https://docs.oracle.com/ja/learn/generate_ssh_keys/index.html#use-putty

 

前提: 
subnet01,vm01,sl01,rt01,パブリックサブネット
subnet02,vm02,sl02,rt02,プライベートサブネット,サービス・ゲートウェイのみ

subnet01~subnet02間の全通信許可


-- 1. 環境準備 (OCIを使用する)

cat <<-'EOF' > variables.tf

locals {
  tenancy_ocid = "ocid1.tenancy.oc1..111111111111111111111111111111111111111111111111111111111111"
# MYIP
  myip = "192.0.2.1/32"

}

variable "compartment_name" {
  description = "compartment_name"
  type = string
  default = "cmp01"
}

EOF

 

cat <<-'EOF' > main.tf

terraform {
  required_version = ">= 1.0.0, < 2.0.0"
  required_providers {
    oci = {
       source  = "hashicorp/oci"
       version = "= 5.23.0"
    }
  }
}

provider "oci" {
  tenancy_ocid = local.tenancy_ocid
  user_ocid = "ocid1.user.oc1..111111111111111111111111111111111111111111111111111111111111" 
  private_key_path = "~/.oci/oci_api_key.pem"
  fingerprint = "45:ed:22:e6:cc:fd:63:97:12:9d:62:7a:90:12:65:7a"
  region = "us-ashburn-1"
}


resource "oci_identity_compartment" "cmp01" {
    # Required
    compartment_id = local.tenancy_ocid
    description = var.compartment_name
    name = var.compartment_name
    
    enable_delete = true
}

resource "oci_core_vcn" "vcn01" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id

    #Optional
    cidr_block = "10.0.0.0/16"
    display_name = "vcn01"
    dns_label = "vcn01"

}


resource "oci_core_internet_gateway" "igw01" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional
    enabled = true
    display_name = "igw01"
}

 

 

resource "oci_core_route_table" "rt01" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional
    display_name = "rt01"
    route_rules {
        #Required
        network_entity_id = oci_core_internet_gateway.igw01.id
        #Optional
        destination = "0.0.0.0/0"
    }
    
}


resource "oci_core_route_table" "rt02" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional
    display_name = "rt02"
    
}

resource "oci_core_security_list" "sl01" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional
    display_name = "sl01"
    
    egress_security_rules {
        destination = "0.0.0.0/0"
        protocol = "all"
        stateless = false
    }
    
    ingress_security_rules {
        protocol = "6"
        source = local.myip
        stateless = false
        tcp_options {
            max = 22
            min = 22
        }
    }
    ingress_security_rules {
        protocol = "all"
        source = "10.0.2.0/24"
        stateless = false
    }
}


resource "oci_core_security_list" "sl02" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional
    display_name = "sl02"
    
    egress_security_rules {
        destination = "0.0.0.0/0"
        protocol = "all"
        stateless = false
    }
    

    ingress_security_rules {
        protocol = "all"
        source = "10.0.1.0/24"
        stateless = false
    }

}

 

resource "oci_core_subnet" "subnet01" {
    #Required
    cidr_block = "10.0.1.0/24"
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional

    display_name = "subnet01"
    dns_label = "subnet01"
    route_table_id = oci_core_route_table.rt01.id
    security_list_ids = [oci_core_security_list.sl01.id]
}

resource "oci_core_subnet" "subnet02" {
    #Required
    cidr_block = "10.0.2.0/24"
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional

    display_name = "subnet02"
    dns_label = "subnet02"
    route_table_id = oci_core_route_table.rt02.id
    security_list_ids = [oci_core_security_list.sl02.id]
}

 


EOF

 


# インスタンス(always free)
# Canonical-Ubuntu-22.04-aarch64-2023.10.13-0
# VM.Standard.A1.Flex


cat <<-'EOF' > instance.tf


resource "oci_core_instance" "vm01" {
    #Required
    availability_domain = "OEIw:US-ASHBURN-AD-1"
    compartment_id = oci_identity_compartment.cmp01.id
    shape = "VM.Standard.A1.Flex"

    shape_config {

        memory_in_gbs = 6
        ocpus = 1
    }
        
    #Optional

    create_vnic_details {
        #Optional
        assign_public_ip = true
        subnet_id = oci_core_subnet.subnet01.id
    }

    display_name = "vm01"

    metadata = {
        ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
    } 

    source_details {
        #Required
        source_id = "ocid1.image.oc1.iad.aaaaaaaamphrdqdgcjfdmo5fzql4m6ewcuxkbepjbobgky254svsk3ueppfa"
        source_type = "image"

        #Optional
        boot_volume_size_in_gbs = 50
    }
    preserve_boot_volume = false
}

resource "oci_core_instance" "vm02" {
    #Required
    availability_domain = "OEIw:US-ASHBURN-AD-1"
    compartment_id = oci_identity_compartment.cmp01.id
    shape = "VM.Standard.A1.Flex"

    shape_config {

        memory_in_gbs = 6
        ocpus = 1
    }
    
    #Optional

    create_vnic_details {
        #Optional
        assign_public_ip = false
        subnet_id = oci_core_subnet.subnet02.id
    }

    display_name = "vm02"

    metadata = {
        ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
    } 

    source_details {
        #Required
        source_id = "ocid1.image.oc1.iad.aaaaaaaamphrdqdgcjfdmo5fzql4m6ewcuxkbepjbobgky254svsk3ueppfa"
        source_type = "image"

        #Optional
        boot_volume_size_in_gbs = 50
    }
    preserve_boot_volume = false
}

EOF

 


cat <<-'EOF' > outputs.tf

output "cmp01_id" {
  value = oci_identity_compartment.cmp01.id
  description = "cmp01.id"
}

output "vcn01_id" {
  value = oci_core_vcn.vcn01.id
  description = "vcn01.id"
}

output "igw01_id" {
  value = oci_core_internet_gateway.igw01.id
  description = "igw01.id"
}


output "rt01_id" {
  value = oci_core_route_table.rt01.id
  description = "rt01.id"
}
output "rt02_id" {
  value = oci_core_route_table.rt02.id
  description = "rt02.id"
}


output "sl01_id" {
  value = oci_core_security_list.sl01.id
  description = "sl01.id"
}

output "sl02_id" {
  value = oci_core_security_list.sl02.id
  description = "sl02.id"
}

output "subnet01_id" {
  value = oci_core_subnet.subnet01.id
  description = "subnet01.id"
}
output "subnet02_id" {
  value = oci_core_subnet.subnet02.id
  description = "subnet02.id"
}

output "vm01_id" {
  value = oci_core_instance.vm01.id
  description = "vm01.id"
}

output "vm02_id" {
  value = oci_core_instance.vm02.id
  description = "vm02.id"
}


output "vm01_public_ip" {
  value = oci_core_instance.vm01.public_ip
  description = "vm01.public_ip"
}

output "vm01_private_ip" {
  value = oci_core_instance.vm01.private_ip
  description = "vm01.private_ip"
}

output "vm02_private_ip" {
  value = oci_core_instance.vm02.private_ip
  description = "vm02.private_ip"
}

 

EOF

 


terraform init
terraform fmt
terraform -version

terraform plan

terraform apply -auto-approve

 

# terraform destroy -auto-approve

 


-- 2. 動作確認


-- 2.1 多段接続する場合

scp -i {接続先鍵} -r -o ProxyCommand='ssh -i {踏み台鍵} {踏み台ユーザ}@{踏み台アドレス} -W %h:%p' {ローカルファイル} {接続先ユーザ}@{接続先アドレス}:{接続先パス}

ssh -i {接続先鍵}    -o ProxyCommand='ssh -i {踏み台鍵} {踏み台ユーザ}@{踏み台アドレス} -W %h:%p'                    {接続先ユーザ}@{接続先アドレス}

 

scp -i $HOME/.ssh/id_rsa -r -o ProxyCommand='ssh -i $HOME/.ssh/id_rsa ubuntu@192.0.2.2 -W %h:%p' oci-cli-3.39.0-Oracle-Linux-9-Offline.zip ubuntu@10.0.2.89:/home/ubuntu

ssh -i $HOME/.ssh/id_rsa    -o ProxyCommand='ssh -i $HOME/.ssh/id_rsa ubuntu@192.0.2.2 -W %h:%p' ubuntu@10.0.2.89

 

-- 2.2 順番に接続する場合

scp -i $HOME/.ssh/id_rsa $HOME/.ssh/id_rsa ubuntu@192.0.2.2:/home/ubuntu
ssh -i $HOME/.ssh/id_rsa ubuntu@192.0.2.2
ssh -i $HOME/id_rsa ubuntu@10.0.2.89

 

 


WinSCPを使用する場合、ppkファイルを使用する必要がある

ノート: PuTTYは、OpenSSH互換形式でキーを保存しません。
したがって、OpenSSHを使用してPuTTYで作成された公開キー・ファイルをLinux/Unixシステムにアップロードすると、キーは正しく読み取られません。
ただし、PuTTYgenアプリケーションから直接コピーすると、キー情報自体は、貼り付けされたフィールドに対して正しく動作し、
その情報を使用して適切なOpenSSH互換キーを作成します。
たとえば、OCIでインスタンスを作成する場合は、PuTTYからSSHキーを貼り付け、正常に動作します。

https://docs.oracle.com/ja/learn/generate_ssh_keys/index.html#use-putty

 

 

 

{OCI 仮想クラウド・ネットワーク} アップグレードされたDRGを介したリモートVCNピアリング

OCI

 

https://docs.oracle.com/ja-jp/iaas/Content/Network/Tasks/scenario_e.htm

https://blogs.techvan.co.jp/oci/2021/05/25/%E3%83%AA%E3%83%A2%E3%83%BC%E3%83%88vcn%E3%83%94%E3%82%A2%E3%83%AA%E3%83%B3%E3%82%B0%E3%81%A7%E6%9D%B1%E4%BA%AC%EF%BD%9E%E5%A4%A7%E9%98%AA%E3%83%AA%E3%83%BC%E3%82%B8%E3%83%A7%E3%83%B3%E9%96%93/

https://qiita.com/dingtianhongjie/items/485c8abf7b3af9529f69

https://docs.oracle.com/en-us/iaas/tools/oci-cli/3.39.1/oci_cli_docs/cmdref/network/remote-peering-connection.html

https://docs.public.oneportal.content.oci.oraclecloud.com/en-us/iaas/Content/Network/Tasks/drg-rpc-connect.htm


確認事項: ashburnリージョンでインターネットを使用せずにtokyoリージョンのオブジェクトAPIを実行する

 

前提: 
-- ashburn
subnet01,vm01,sl01,rt01,パブリックサブネット
subnet02,vm02,sl02,rt02,プライベートサブネット,サービス・ゲートウェイのみ

subnet01~subnet02間の全通信許可
subnet02~subnet12間の全通信許可

-- tokyo
subnet11,vm11,sl11,rt11,パブリックサブネット
subnet12,vm12,sl12,rt12,プライベートサブネット,サービス・ゲートウェイのみ

subnet11~subnet12間の全通信許可
subnet02~subnet12間の全通信許可


DRGはrt02やrt12に紐づける

drg01
drg0101 <== VCNアタッチメント名
drg0102 <== RPCアタッチメント名

drg11
drg1101 <== VCNアタッチメント名
drg1102 <== RPCアタッチメント名


-- 1. VCN作成 (ashburn)

mkdir ashburn
cd ashburn


cat <<-'EOF' > variables.tf

locals {
  tenancy_ocid = "ocid1.tenancy.oc1..111111111111111111111111111111111111111111111111111111111111"
# MYIP
  myip = "192.0.2.1/32"

}

variable "compartment_name" {
  description = "compartment_name"
  type = string
  default = "cmp20240421"
}

EOF

 

cat <<-'EOF' > main.tf

terraform {
  required_version = ">= 1.0.0, < 2.0.0"
  required_providers {
    oci = {
       source  = "hashicorp/oci"
       version = "= 5.23.0"
    }
  }
}

provider "oci" {
  tenancy_ocid = local.tenancy_ocid
  user_ocid = "ocid1.user.oc1..111111111111111111111111111111111111111111111111111111111111" 
  private_key_path = "~/.oci/oci_api_key.pem"
  fingerprint = "45:ed:22:e6:cc:fd:63:97:12:9d:62:7a:90:12:65:7a"
  region = "us-ashburn-1"
}


resource "oci_identity_compartment" "cmp01" {
    # Required
    compartment_id = local.tenancy_ocid
    description = var.compartment_name
    name = var.compartment_name
    
    enable_delete = true
}

resource "oci_core_vcn" "vcn01" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id

    #Optional
    cidr_block = "10.0.0.0/16"
    display_name = "vcn01"
    dns_label = "vcn01"

}


resource "oci_core_internet_gateway" "igw01" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional
    enabled = true
    display_name = "igw01"
}


data "oci_core_services" "svc01" {
  filter {
    name   = "name"
    values = ["All .* Services In Oracle Services Network"]
    regex  = true
  }
}


resource "oci_core_service_gateway" "sgw01" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    services {
        #Required
        service_id = data.oci_core_services.svc01.services.0.id
    }
    vcn_id = oci_core_vcn.vcn01.id

    #Optional
    display_name = "sgw01"
}

 

resource "oci_core_route_table" "rt01" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional
    display_name = "rt01"
    route_rules {
        #Required
        network_entity_id = oci_core_internet_gateway.igw01.id
        #Optional
        destination = "0.0.0.0/0"
    }
    
}


resource "oci_core_route_table" "rt02" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional
    display_name = "rt02"
    route_rules {
        #Required
        network_entity_id = oci_core_service_gateway.sgw01.id
        #Optional
        destination = "all-iad-services-in-oracle-services-network"
        destination_type = "SERVICE_CIDR_BLOCK"
    }
    
}

resource "oci_core_security_list" "sl01" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional
    display_name = "sl01"
    
    egress_security_rules {
        destination = "0.0.0.0/0"
        protocol = "all"
        stateless = false
    }
    
    ingress_security_rules {
        protocol = "6"
        source = local.myip
        stateless = false
        tcp_options {
            max = 22
            min = 22
        }
    }
    ingress_security_rules {
        protocol = "all"
        source = "10.0.2.0/24"
        stateless = false
    }
}


resource "oci_core_security_list" "sl02" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional
    display_name = "sl02"
    
    egress_security_rules {
        destination = "0.0.0.0/0"
        protocol = "all"
        stateless = false
    }
    

    ingress_security_rules {
        protocol = "all"
        source = "10.0.1.0/24"
        stateless = false
    }
    ingress_security_rules {
        protocol = "all"
        source = "10.1.2.0/24"
        stateless = false
    }
}

 

resource "oci_core_subnet" "subnet01" {
    #Required
    cidr_block = "10.0.1.0/24"
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional

    display_name = "subnet01"
    dns_label = "subnet01"
    route_table_id = oci_core_route_table.rt01.id
    security_list_ids = [oci_core_security_list.sl01.id]
}

resource "oci_core_subnet" "subnet02" {
    #Required
    cidr_block = "10.0.2.0/24"
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional

    display_name = "subnet02"
    dns_label = "subnet02"
    route_table_id = oci_core_route_table.rt02.id
    security_list_ids = [oci_core_security_list.sl02.id]
}

 


EOF

 

 

cat <<-'EOF' > instance.tf


resource "oci_core_instance" "vm01" {
    #Required
    availability_domain = "OEIw:US-ASHBURN-AD-1"
    compartment_id = oci_identity_compartment.cmp01.id
    shape = "VM.Standard.E2.1"
    
    #Optional

    create_vnic_details {
        #Optional
        assign_public_ip = true
        subnet_id = oci_core_subnet.subnet01.id
    }

    display_name = "vm01"

    metadata = {
        ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
    } 

    source_details {
        #Required
        source_id = "ocid1.image.oc1.iad.111111111111111111111111111111111111111111111111111111111111"
        source_type = "image"

        #Optional
        boot_volume_size_in_gbs = 50
    }
    preserve_boot_volume = false
}

resource "oci_core_instance" "vm02" {
    #Required
    availability_domain = "OEIw:US-ASHBURN-AD-1"
    compartment_id = oci_identity_compartment.cmp01.id
    shape = "VM.Standard.E2.1"
    
    #Optional

    create_vnic_details {
        #Optional
        assign_public_ip = false
        subnet_id = oci_core_subnet.subnet02.id
    }

    display_name = "vm02"

    metadata = {
        ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
    } 

    source_details {
        #Required
        source_id = "ocid1.image.oc1.iad.111111111111111111111111111111111111111111111111111111111111"
        source_type = "image"

        #Optional
        boot_volume_size_in_gbs = 50
    }
    preserve_boot_volume = false
}

EOF


cat <<-'EOF' > bucket.tf


data "oci_objectstorage_namespace" "ns01" {
    compartment_id = local.tenancy_ocid
}

resource "oci_objectstorage_bucket" "bucket01" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    name = "bucket01"
    namespace = data.oci_objectstorage_namespace.ns01.namespace

    #Optional
    access_type = "NoPublicAccess"
    auto_tiering = "Disabled"
    object_events_enabled = false
    storage_tier = "Standard"
    versioning = "Disabled"
    
}


EOF

 

cat <<-'EOF' > outputs.tf

output "cmp01_id" {
  value = oci_identity_compartment.cmp01.id
  description = "cmp01.id"
}

output "vcn01_id" {
  value = oci_core_vcn.vcn01.id
  description = "vcn01.id"
}

output "igw01_id" {
  value = oci_core_internet_gateway.igw01.id
  description = "igw01.id"
}

output "sgw01_id" {
  value = oci_core_service_gateway.sgw01.id
  description = "sgw01.id"
}

output "rt01_id" {
  value = oci_core_route_table.rt01.id
  description = "rt01.id"
}
output "rt02_id" {
  value = oci_core_route_table.rt02.id
  description = "rt02.id"
}


output "sl01_id" {
  value = oci_core_security_list.sl01.id
  description = "sl01.id"
}

output "sl02_id" {
  value = oci_core_security_list.sl02.id
  description = "sl02.id"
}

output "subnet01_id" {
  value = oci_core_subnet.subnet01.id
  description = "subnet01.id"
}
output "subnet02_id" {
  value = oci_core_subnet.subnet02.id
  description = "subnet02.id"
}

output "vm01_id" {
  value = oci_core_instance.vm01.id
  description = "vm01.id"
}

output "vm02_id" {
  value = oci_core_instance.vm02.id
  description = "vm02.id"
}


output "vm01_public_ip" {
  value = oci_core_instance.vm01.public_ip
  description = "vm01.public_ip"
}

output "vm01_private_ip" {
  value = oci_core_instance.vm01.private_ip
  description = "vm01.private_ip"
}

output "vm02_private_ip" {
  value = oci_core_instance.vm02.private_ip
  description = "vm02.private_ip"
}

 

EOF

 


terraform init
terraform fmt
terraform -version

terraform plan

terraform apply -auto-approve

 

 

-- 2. OCIインストール (ashburn)

-- 2.1 vm01からvm02にログイン

scp -i $HOME/.ssh/id_rsa $HOME/.ssh/id_rsa opc@192.0.2.2:/home/opc
scp -i $HOME/.ssh/id_rsa  oci-cli-3.39.0-Oracle-Linux-9-Offline.zip opc@192.0.2.2:/home/opc

ssh -i $HOME/.ssh/id_rsa opc@192.0.2.2

scp -i $HOME/id_rsa oci-cli-3.39.0-Oracle-Linux-9-Offline.zip opc@10.0.2.162:/home/opc

ssh -i $HOME/id_rsa opc@10.0.2.162


-- 2.2 vm02からインターネットアクセスできないことを確認

curl --connect-timeout 10 https://www.oracle.com/

-- 2.3 OCIインストール (vm02での作業)

unzip oci-cli-3.39.0-Oracle-Linux-9-Offline.zip

cd oci-cli-installation

bash install.sh --offline-install
exec -l $SHELL
oci -v

 

 


-- 3. VCN作成 (tokyo)

mkdir tokyo
cd tokyo


cat <<-'EOF' > variables.tf

locals {
  tenancy_ocid = "ocid1.tenancy.oc1..111111111111111111111111111111111111111111111111111111111111"
# MYIP
  myip = "192.0.2.1/32"

}

#variable "compartment_name" {
#  description = "compartment_name"
#  type = string
#  default = "cmp21240419"
#}

variable "compartment_id" {
  description = "compartment_id"
  type = string
  default = "ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111"
}

EOF

 

cat <<-'EOF' > main.tf

terraform {
  required_version = ">= 1.0.0, < 2.0.0"
  required_providers {
    oci = {
       source  = "hashicorp/oci"
       version = "= 5.23.0"
    }
  }
}

provider "oci" {
  tenancy_ocid = local.tenancy_ocid
  user_ocid = "ocid1.user.oc1..111111111111111111111111111111111111111111111111111111111111" 
  private_key_path = "~/.oci/oci_api_key.pem"
  fingerprint = "45:ed:22:e6:cc:fd:63:97:12:9d:62:7a:90:12:65:7a"
  region = "ap-tokyo-1"
}


#resource "oci_identity_compartment" "cmp11" {
#    # Required
#    compartment_id = local.tenancy_ocid
#    description = var.compartment_name
#    name = var.compartment_name
#    
#    enable_delete = true
#}

 

resource "oci_core_vcn" "vcn11" {
    #Required
    compartment_id = var.compartment_id

    #Optional
    cidr_block = "10.1.0.0/16"
    display_name = "vcn11"
    dns_label = "vcn11"

}


resource "oci_core_internet_gateway" "igw11" {
    #Required
    compartment_id = var.compartment_id
    vcn_id = oci_core_vcn.vcn11.id

    #Optional
    enabled = true
    display_name = "igw11"
}


data "oci_core_services" "svc11" {
  filter {
    name   = "name"
    values = ["All .* Services In Oracle Services Network"]
    regex  = true
  }
}


resource "oci_core_service_gateway" "sgw11" {
    #Required
    compartment_id = var.compartment_id
    services {
        #Required
        service_id = data.oci_core_services.svc11.services.0.id
    }
    vcn_id = oci_core_vcn.vcn11.id

    #Optional
    display_name = "sgw11"
}

 

resource "oci_core_route_table" "rt11" {
    #Required
    compartment_id = var.compartment_id
    vcn_id = oci_core_vcn.vcn11.id

    #Optional
    display_name = "rt11"
    route_rules {
        #Required
        network_entity_id = oci_core_internet_gateway.igw11.id
        #Optional
        destination = "0.0.0.0/0"
    }
    
}


resource "oci_core_route_table" "rt12" {
    #Required
    compartment_id = var.compartment_id
    vcn_id = oci_core_vcn.vcn11.id

    #Optional
    display_name = "rt12"
    route_rules {
        #Required
        network_entity_id = oci_core_service_gateway.sgw11.id
        #Optional
        destination = "all-nrt-services-in-oracle-services-network"
        destination_type = "SERVICE_CIDR_BLOCK"
    }
    
}

resource "oci_core_security_list" "sl11" {
    #Required
    compartment_id = var.compartment_id
    vcn_id = oci_core_vcn.vcn11.id

    #Optional
    display_name = "sl11"
    
    egress_security_rules {
        destination = "0.0.0.0/0"
        protocol = "all"
        stateless = false
    }
    
    ingress_security_rules {
        protocol = "6"
        source = local.myip
        stateless = false
        tcp_options {
            max = 22
            min = 22
        }
    }
    ingress_security_rules {
        protocol = "all"
        source = "10.1.2.0/24"
        stateless = false
    }
}


resource "oci_core_security_list" "sl12" {
    #Required
    compartment_id = var.compartment_id
    vcn_id = oci_core_vcn.vcn11.id

    #Optional
    display_name = "sl12"
    
    egress_security_rules {
        destination = "0.0.0.0/0"
        protocol = "all"
        stateless = false
    }
    

    ingress_security_rules {
        protocol = "all"
        source = "10.1.1.0/24"
        stateless = false
    }
    ingress_security_rules {
        protocol = "all"
        source = "10.0.2.0/24"
        stateless = false
    }
}

 

resource "oci_core_subnet" "subnet11" {
    #Required
    cidr_block = "10.1.1.0/24"
    compartment_id = var.compartment_id
    vcn_id = oci_core_vcn.vcn11.id

    #Optional

    display_name = "subnet11"
    dns_label = "subnet11"
    route_table_id = oci_core_route_table.rt11.id
    security_list_ids = [oci_core_security_list.sl11.id]
}

resource "oci_core_subnet" "subnet12" {
    #Required
    cidr_block = "10.1.2.0/24"
    compartment_id = var.compartment_id
    vcn_id = oci_core_vcn.vcn11.id

    #Optional

    display_name = "subnet12"
    dns_label = "subnet12"
    route_table_id = oci_core_route_table.rt12.id
    security_list_ids = [oci_core_security_list.sl12.id]
}

 


EOF

 

 

cat <<-'EOF' > instance.tf


resource "oci_core_instance" "vm11" {
    #Required
    availability_domain = "OEIw:AP-TOKYO-1-AD-1"
    compartment_id = var.compartment_id
    shape = "VM.Standard.E2.1"
    
    #Optional

    create_vnic_details {
        #Optional
        assign_public_ip = true
        subnet_id = oci_core_subnet.subnet11.id
    }

    display_name = "vm11"

    metadata = {
        ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
    } 

    source_details {
        #Required
        source_id = "ocid1.image.oc1.ap-tokyo-1.111111111111111111111111111111111111111111111111111111111111"
        source_type = "image"

        #Optional
        boot_volume_size_in_gbs = 50
    }
    preserve_boot_volume = false
}

resource "oci_core_instance" "vm12" {
    #Required
    availability_domain = "OEIw:AP-TOKYO-1-AD-1"
    compartment_id = var.compartment_id
    shape = "VM.Standard.E2.1"
    
    #Optional

    create_vnic_details {
        #Optional
        assign_public_ip = false
        subnet_id = oci_core_subnet.subnet12.id
    }

    display_name = "vm12"

    metadata = {
        ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
    } 

    source_details {
        #Required
        source_id = "ocid1.image.oc1.ap-tokyo-1.111111111111111111111111111111111111111111111111111111111111"
        source_type = "image"

        #Optional
        boot_volume_size_in_gbs = 50
    }
    preserve_boot_volume = false
}

EOF


cat <<-'EOF' > bucket.tf


data "oci_objectstorage_namespace" "ns11" {
    compartment_id = local.tenancy_ocid
}

resource "oci_objectstorage_bucket" "bucket11" {
    #Required
    compartment_id = var.compartment_id
    name = "bucket11"
    namespace = data.oci_objectstorage_namespace.ns11.namespace

    #Optional
    access_type = "NoPublicAccess"
    auto_tiering = "Disabled"
    object_events_enabled = false
    storage_tier = "Standard"
    versioning = "Disabled"
    
}


EOF

 

cat <<-'EOF' > outputs.tf

#output "cmp11_id" {
#  value = oci_identity_compartment.cmp11.id
#  description = "cmp11.id"
#}

output "vcn11_id" {
  value = oci_core_vcn.vcn11.id
  description = "vcn11.id"
}

output "igw11_id" {
  value = oci_core_internet_gateway.igw11.id
  description = "igw11.id"
}

output "sgw11_id" {
  value = oci_core_service_gateway.sgw11.id
  description = "sgw11.id"
}

output "rt11_id" {
  value = oci_core_route_table.rt11.id
  description = "rt11.id"
}
output "rt12_id" {
  value = oci_core_route_table.rt12.id
  description = "rt12.id"
}


output "sl11_id" {
  value = oci_core_security_list.sl11.id
  description = "sl11.id"
}

output "sl12_id" {
  value = oci_core_security_list.sl12.id
  description = "sl12.id"
}

output "subnet11_id" {
  value = oci_core_subnet.subnet11.id
  description = "subnet11.id"
}
output "subnet12_id" {
  value = oci_core_subnet.subnet12.id
  description = "subnet12.id"
}

output "vm11_id" {
  value = oci_core_instance.vm11.id
  description = "vm11.id"
}

output "vm12_id" {
  value = oci_core_instance.vm12.id
  description = "vm12.id"
}


output "vm11_public_ip" {
  value = oci_core_instance.vm11.public_ip
  description = "vm11.public_ip"
}

output "vm11_private_ip" {
  value = oci_core_instance.vm11.private_ip
  description = "vm11.private_ip"
}

output "vm12_private_ip" {
  value = oci_core_instance.vm12.private_ip
  description = "vm12.private_ip"
}

 

EOF

 


terraform init
terraform fmt
terraform -version

terraform plan

terraform apply -auto-approve

 


-- 4. OCIインストール (tokyo)

-- 4.1 vm11からvm12にログイン

scp -i $HOME/.ssh/id_rsa $HOME/.ssh/id_rsa opc@192.0.2.3:/home/opc
scp -i $HOME/.ssh/id_rsa  oci-cli-3.39.0-Oracle-Linux-9-Offline.zip opc@192.0.2.3:/home/opc

ssh -i $HOME/.ssh/id_rsa opc@192.0.2.3

scp -i $HOME/id_rsa oci-cli-3.39.0-Oracle-Linux-9-Offline.zip opc@10.1.2.10:/home/opc

ssh -i $HOME/id_rsa opc@10.1.2.10


-- 4.2 vm12からインターネットアクセスできないことを確認

curl --connect-timeout 10 https://www.oracle.com/

-- 4.3 OCIインストール (vm12での作業)

unzip oci-cli-3.39.0-Oracle-Linux-9-Offline.zip

cd oci-cli-installation

bash install.sh --offline-install
exec -l $SHELL
oci -v

 

 

 

-- 5. DRG作成

oci network drg list \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--region us-ashburn-1 


oci network drg create \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--region us-ashburn-1 \
--display-name drg01 

 

oci network drg list \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--region ap-tokyo-1 


oci network drg create \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--region ap-tokyo-1 \
--display-name drg11 

 

-- 6. DRGアタッチメント(VCN側)作成

oci network drg-attachment create  --generate-full-command-json-input

 

oci network drg-attachment list \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--region us-ashburn-1 

oci network drg-attachment create \
--region us-ashburn-1 \
--drg-id ocid1.drg.oc1.iad.111111111111111111111111111111111111111111111111111111111111 \
--display-name drg0101 \
--network-details '{
        "id": "ocid1.vcn.oc1.iad.111111111111111111111111111111111111111111111111111111111111",
        "route-table-id": null,
        "type": "VCN",
        "vcn-route-type": "SUBNET_CIDRS"
      }' 

 


oci network drg-attachment list \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--region ap-tokyo-1 

oci network drg-attachment create \
--region ap-tokyo-1 \
--drg-id ocid1.drg.oc1.ap-tokyo-1.111111111111111111111111111111111111111111111111111111111111 \
--display-name drg1101 \
--network-details '{
        "id": "ocid1.vcn.oc1.ap-tokyo-1.111111111111111111111111111111111111111111111111111111111111",
        "route-table-id": null,
        "type": "VCN",
        "vcn-route-type": "SUBNET_CIDRS"
      }' 

 

 


-- 7. DRGアタッチメント(RPC側)作成

oci network remote-peering-connection list \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--region us-ashburn-1 

oci network remote-peering-connection create \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--region us-ashburn-1 \
--drg-id ocid1.drg.oc1.iad.111111111111111111111111111111111111111111111111111111111111 \
--display-name drg0102 

 


oci network remote-peering-connection list \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--region ap-tokyo-1 

 

oci network remote-peering-connection create \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--region ap-tokyo-1 \
--drg-id ocid1.drg.oc1.ap-tokyo-1.111111111111111111111111111111111111111111111111111111111111 \
--display-name drg1102

 


-- 8. RPC接続

oci network remote-peering-connection connect \
--peer-id ocid1.remotepeeringconnection.oc1.ap-tokyo-1.111111111111111111111111111111111111111111111111111111111111 \
--peer-region-name ap-tokyo-1 \
--remote-peering-connection-id ocid1.remotepeeringconnection.oc1.iad.111111111111111111111111111111111111111111111111111111111111 \
--region us-ashburn-1 

 

oci network remote-peering-connection list \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--region us-ashburn-1 

oci network remote-peering-connection list \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--region ap-tokyo-1 

 

 

-- 9. ルートテーブルにルートルール追加

 


cd ashburn
vi main.tf

resource "oci_core_route_table" "rt02" {

    route_rules {
        #Required
        network_entity_id = "ocid1.drg.oc1.iad.111111111111111111111111111111111111111111111111111111111111"
        #Optional
        destination = "10.1.0.0/16"
    }


terraform plan
terraform apply -auto-approve

 

cd tokyo
vi main.tf

resource "oci_core_route_table" "rt12" {

    route_rules {
        #Required
        network_entity_id = "ocid1.drg.oc1.ap-tokyo-1.111111111111111111111111111111111111111111111111111111111111"
        #Optional
        destination = "10.0.0.0/16"
    }

terraform plan
terraform apply -auto-approve

 

-- 10. 疎通確認


ping 10.1.2.10

ping 10.0.2.162

 

 

 

-- 11. 動的グループ作成

 

oci iam dynamic-group list 


oci iam dynamic-group create \
--description dg01 \
--matching-rule "Any {instance.compartment.id = 'ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111'}" \
--name dg01 


-- 12. 動的グループポリシー作成


oci iam policy list \
--compartment-id ocid1.tenancy.oc1..111111111111111111111111111111111111111111111111111111111111 

oci iam policy create \
--compartment-id ocid1.tenancy.oc1..111111111111111111111111111111111111111111111111111111111111 \
--description policy11 \
--name policy11 \
--statements '[
"Allow dynamic-group dg01 to manage all-resources in tenancy"
]' 

 


-- 13. squidインストール (vm12での作業)


※サービスゲートウェイがあるため、dnfでsquidインストール可能な模様

sudo su -
dnf install squid

 

cp /etc/squid/squid.conf /etc/squid/squid.conf.org

cat <<-'EOF' > /etc/squid/squid.conf

# should be allowed
acl localnet src 10.0.0.0/16

# Squid normally listens to port 3128
http_port 3128

# Wite List
acl whitelist dstdomain "/etc/squid/whitelist"
http_access allow whitelist

EOF

cat <<-'EOF' > /etc/squid/whitelist

objectstorage.ap-tokyo-1.oraclecloud.com
auth.ap-tokyo-1.oraclecloud.com


EOF

systemctl restart squid
systemctl status squid
systemctl enable squid

systemctl stop firewalld
systemctl status firewalld
systemctl disable firewalld


tail -f /var/log/squid/access.log

 

 


-- 14. 動作確認 (vm02での作業)
export OCI_CLI_AUTH=instance_principal

インスタンスプリンシパル反映まで時間がかかる場合あり

 

oci os object list \
--bucket-name bucket11 \
--region  ap-tokyo-1 

tokyoのプライベートサブネットのプロキシを使用する
※auth.us-ashburn-1.oraclecloud.com への通信が発生するので、ashburnのサービスゲートウェイも必要
※auth.us-ashburn-1.oraclecloud.com への通信はプロキシ対象外とする必要あり


export https_proxy="http://10.1.2.10:3128"
export no_proxy=auth.us-ashburn-1.oraclecloud.com

env | grep proxy

oci os object list \
--bucket-name bucket11 \
--region  ap-tokyo-1 

 

 

 


-- 15. クリーンアップ

-- 動的グループポリシー削除

oci iam policy list \
--compartment-id ocid1.tenancy.oc1..111111111111111111111111111111111111111111111111111111111111 

oci iam policy delete \
--policy-id ocid1.policy.oc1..111111111111111111111111111111111111111111111111111111111111 \
--force 


-- 動的グループ削除

oci iam dynamic-group list 

oci iam dynamic-group delete \
--dynamic-group-id ocid1.dynamicgroup.oc1..111111111111111111111111111111111111111111111111111111111111 \
--force 

 


-- DRGアタッチメント(RPC側)削除

oci network remote-peering-connection list \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--region us-ashburn-1 


oci network remote-peering-connection delete \
--region us-ashburn-1 \
--remote-peering-connection-id ocid1.remotepeeringconnection.oc1.iad.111111111111111111111111111111111111111111111111111111111111 \
--force

oci network remote-peering-connection list \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--region ap-tokyo-1 


oci network remote-peering-connection delete \
--region ap-tokyo-1 \
--remote-peering-connection-id ocid1.remotepeeringconnection.oc1.ap-tokyo-1.111111111111111111111111111111111111111111111111111111111111 \
--force

 


-- DRGアタッチメント(VCN側)削除

oci network drg-attachment list \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--region us-ashburn-1 


oci network drg-attachment delete \
--region us-ashburn-1 \
--drg-attachment-id ocid1.drgattachment.oc1.iad.111111111111111111111111111111111111111111111111111111111111 \
--force 


oci network drg-attachment list \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--region ap-tokyo-1 

 

oci network drg-attachment delete \
--region ap-tokyo-1 \
--drg-attachment-id ocid1.drgattachment.oc1.ap-tokyo-1.111111111111111111111111111111111111111111111111111111111111 \
--force 

 

-- DRG削除

oci network drg list \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--region us-ashburn-1 

oci network drg delete \
--region us-ashburn-1 \
--drg-id ocid1.drg.oc1.iad.111111111111111111111111111111111111111111111111111111111111 \
--force 

oci network drg list \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--region ap-tokyo-1 


oci network drg delete \
--region ap-tokyo-1 \
--drg-id ocid1.drg.oc1.ap-tokyo-1.111111111111111111111111111111111111111111111111111111111111 \
--force 

 

 


cd tokyo
terraform destroy -auto-approve

 

cd ashburn

terraform destroy -auto-approve

 

 

 

 

 

 

OCI CLIでプロキシ使用

OCI

https://qiita.com/dingtianhongjie/items/485c8abf7b3af9529f69

https://qiita.com/shirok/items/dc3908c85b6bd448fed9

 

前提: 
subnet01,vm01,sl01,rt01,パブリックサブネット
subnet02,vm02,sl02,rt02,プライベートサブネット,サービス・ゲートウェイのみ

subnet01~subnet02間の全通信許可

vm01にsquidをインストールし、vm02からプロキシ経由でociコマンド実行

 

-- 1. VCN作成

mkdir ashburn
cd ashburn


cat <<-'EOF' > variables.tf

locals {
  tenancy_ocid = "ocid1.tenancy.oc1..111111111111111111111111111111111111111111111111111111111111"
# MYIP
  myip = "192.0.2.1/32"

}

variable "compartment_name" {
  description = "compartment_name"
  type = string
  default = "cmp01"
}

EOF

 

cat <<-'EOF' > main.tf

terraform {
  required_version = ">= 1.0.0, < 2.0.0"
  required_providers {
    oci = {
       source  = "hashicorp/oci"
       version = "= 5.23.0"
    }
  }
}

provider "oci" {
  tenancy_ocid = local.tenancy_ocid
  user_ocid = "ocid1.user.oc1..111111111111111111111111111111111111111111111111111111111111" 
  private_key_path = "~/.oci/oci_api_key.pem"
  fingerprint = "45:ed:22:e6:cc:fd:63:97:12:9d:62:7a:90:12:65:7a"
  region = "us-ashburn-1"
}


resource "oci_identity_compartment" "cmp01" {
    # Required
    compartment_id = local.tenancy_ocid
    description = var.compartment_name
    name = var.compartment_name
    
    enable_delete = true
}

resource "oci_core_vcn" "vcn01" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id

    #Optional
    cidr_block = "10.0.0.0/16"
    display_name = "vcn01"
    dns_label = "vcn01"

}


resource "oci_core_internet_gateway" "igw01" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional
    enabled = true
    display_name = "igw01"
}


data "oci_core_services" "svc01" {
  filter {
    name   = "name"
    values = ["All .* Services In Oracle Services Network"]
    regex  = true
  }
}


resource "oci_core_service_gateway" "sgw01" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    services {
        #Required
        service_id = data.oci_core_services.svc01.services.0.id
    }
    vcn_id = oci_core_vcn.vcn01.id

    #Optional
    display_name = "sgw01"
}

 

resource "oci_core_route_table" "rt01" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional
    display_name = "rt01"
    route_rules {
        #Required
        network_entity_id = oci_core_internet_gateway.igw01.id
        #Optional
        destination = "0.0.0.0/0"
    }
    
}


resource "oci_core_route_table" "rt02" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional
    display_name = "rt02"
#    route_rules {
#        #Required
#        network_entity_id = oci_core_service_gateway.sgw01.id
#        #Optional
#        destination = "all-iad-services-in-oracle-services-network"
#        destination_type = "SERVICE_CIDR_BLOCK"
#    }
    
}

resource "oci_core_security_list" "sl01" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional
    display_name = "sl01"
    
    egress_security_rules {
        destination = "0.0.0.0/0"
        protocol = "all"
        stateless = false
    }
    
    ingress_security_rules {
        protocol = "6"
        source = local.myip
        stateless = false
        tcp_options {
            max = 22
            min = 22
        }
    }
    ingress_security_rules {
        protocol = "all"
        source = "10.0.2.0/24"
        stateless = false
    }
}


resource "oci_core_security_list" "sl02" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional
    display_name = "sl02"
    
    egress_security_rules {
        destination = "0.0.0.0/0"
        protocol = "all"
        stateless = false
    }
    

    ingress_security_rules {
        protocol = "all"
        source = "10.0.1.0/24"
        stateless = false
    }
}

 

resource "oci_core_subnet" "subnet01" {
    #Required
    cidr_block = "10.0.1.0/24"
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional

    display_name = "subnet01"
    dns_label = "subnet01"
    route_table_id = oci_core_route_table.rt01.id
    security_list_ids = [oci_core_security_list.sl01.id]
}

resource "oci_core_subnet" "subnet02" {
    #Required
    cidr_block = "10.0.2.0/24"
    compartment_id = oci_identity_compartment.cmp01.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional

    display_name = "subnet02"
    dns_label = "subnet02"
    route_table_id = oci_core_route_table.rt02.id
    security_list_ids = [oci_core_security_list.sl02.id]
}

 


EOF

 

 

cat <<-'EOF' > instance.tf


resource "oci_core_instance" "vm01" {
    #Required
    availability_domain = "OEIw:US-ASHBURN-AD-1"
    compartment_id = oci_identity_compartment.cmp01.id
    shape = "VM.Standard.E2.1"
    
    #Optional

    create_vnic_details {
        #Optional
        assign_public_ip = true
        subnet_id = oci_core_subnet.subnet01.id
    }

    display_name = "vm01"

    metadata = {
        ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
    } 

    source_details {
        #Required
        source_id = "ocid1.image.oc1.iad.111111111111111111111111111111111111111111111111111111111111"
        source_type = "image"

        #Optional
        boot_volume_size_in_gbs = 50
    }
    preserve_boot_volume = false
}

resource "oci_core_instance" "vm02" {
    #Required
    availability_domain = "OEIw:US-ASHBURN-AD-1"
    compartment_id = oci_identity_compartment.cmp01.id
    shape = "VM.Standard.E2.1"
    
    #Optional

    create_vnic_details {
        #Optional
        assign_public_ip = false
        subnet_id = oci_core_subnet.subnet02.id
    }

    display_name = "vm02"

    metadata = {
        ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
    } 

    source_details {
        #Required
        source_id = "ocid1.image.oc1.iad.111111111111111111111111111111111111111111111111111111111111"
        source_type = "image"

        #Optional
        boot_volume_size_in_gbs = 50
    }
    preserve_boot_volume = false
}

EOF


cat <<-'EOF' > bucket.tf


data "oci_objectstorage_namespace" "ns01" {
    compartment_id = local.tenancy_ocid
}

resource "oci_objectstorage_bucket" "bucket01" {
    #Required
    compartment_id = oci_identity_compartment.cmp01.id
    name = "bucket01"
    namespace = data.oci_objectstorage_namespace.ns01.namespace

    #Optional
    access_type = "NoPublicAccess"
    auto_tiering = "Disabled"
    object_events_enabled = false
    storage_tier = "Standard"
    versioning = "Disabled"
    
}


EOF

 

cat <<-'EOF' > outputs.tf

output "cmp01_id" {
  value = oci_identity_compartment.cmp01.id
  description = "cmp01.id"
}

output "vcn01_id" {
  value = oci_core_vcn.vcn01.id
  description = "vcn01.id"
}

output "igw01_id" {
  value = oci_core_internet_gateway.igw01.id
  description = "igw01.id"
}

output "sgw01_id" {
  value = oci_core_service_gateway.sgw01.id
  description = "sgw01.id"
}

output "rt01_id" {
  value = oci_core_route_table.rt01.id
  description = "rt01.id"
}
output "rt02_id" {
  value = oci_core_route_table.rt02.id
  description = "rt02.id"
}


output "sl01_id" {
  value = oci_core_security_list.sl01.id
  description = "sl01.id"
}

output "sl02_id" {
  value = oci_core_security_list.sl02.id
  description = "sl02.id"
}

output "subnet01_id" {
  value = oci_core_subnet.subnet01.id
  description = "subnet01.id"
}
output "subnet02_id" {
  value = oci_core_subnet.subnet02.id
  description = "subnet02.id"
}

output "vm01_id" {
  value = oci_core_instance.vm01.id
  description = "vm01.id"
}

output "vm02_id" {
  value = oci_core_instance.vm02.id
  description = "vm02.id"
}


output "vm01_public_ip" {
  value = oci_core_instance.vm01.public_ip
  description = "vm01.public_ip"
}

output "vm01_private_ip" {
  value = oci_core_instance.vm01.private_ip
  description = "vm01.private_ip"
}

output "vm02_private_ip" {
  value = oci_core_instance.vm02.private_ip
  description = "vm02.private_ip"
}

 

EOF

 


terraform init
terraform fmt
terraform -version

terraform plan

terraform apply -auto-approve

 

 

-- 2. 動的グループ作成

 

oci iam dynamic-group list 


oci iam dynamic-group create \
--description dg01 \
--matching-rule "Any {instance.compartment.id = 'ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111'}" \
--name dg01 


-- 3. 動的グループポリシー作成


oci iam policy list \
--compartment-id ocid1.tenancy.oc1..111111111111111111111111111111111111111111111111111111111111 

oci iam policy create \
--compartment-id ocid1.tenancy.oc1..111111111111111111111111111111111111111111111111111111111111 \
--description policy11 \
--name policy11 \
--statements '[
"Allow dynamic-group dg01 to manage all-resources in tenancy"
]' 

 

-- 4. OCIインストール

-- 4.1 vm01からvm02にログイン

scp -i $HOME/.ssh/id_rsa $HOME/.ssh/id_rsa opc@192.0.2.2:/home/opc
scp -i $HOME/.ssh/id_rsa  oci-cli-3.39.0-Oracle-Linux-9-Offline.zip opc@192.0.2.2:/home/opc

ssh -i $HOME/.ssh/id_rsa opc@192.0.2.2

scp -i $HOME/id_rsa oci-cli-3.39.0-Oracle-Linux-9-Offline.zip opc@10.0.2.166:/home/opc

ssh -i $HOME/id_rsa opc@10.0.2.166


-- 4.2 vm02からインターネットアクセスできないことを確認

curl --connect-timeout 10 https://www.oracle.com/

-- 4.3 OCIインストール (vm02での作業)

unzip oci-cli-3.39.0-Oracle-Linux-9-Offline.zip

cd oci-cli-installation

bash install.sh --offline-install
exec -l $SHELL
oci -v

 


-- 5. squidインストール (vm01での作業)

sudo su -
dnf install squid

cp /etc/squid/squid.conf /etc/squid/squid.conf.org

cat <<-'EOF' > /etc/squid/squid.conf

# should be allowed
acl localnet src 10.0.0.0/16

# Squid normally listens to port 3128
http_port 3128

# Wite List
acl whitelist dstdomain "/etc/squid/whitelist"
http_access allow whitelist

EOF

cat <<-'EOF' > /etc/squid/whitelist

objectstorage.us-ashburn-1.oraclecloud.com
auth.us-ashburn-1.oraclecloud.com

EOF

systemctl restart squid
systemctl status squid
systemctl enable squid

systemctl stop firewalld
systemctl status firewalld
systemctl disable firewalld

tail -f /var/log/squid/access.log

-- 6. 動作確認 (vm02での作業)
export OCI_CLI_AUTH=instance_principal

インスタンスプリンシパル反映まで時間がかかる場合あり


oci os object list \
--bucket-name bucket01 \
--region us-ashburn-1 


export https_proxy="http://10.0.1.237:3128"


oci os object list \
--bucket-name bucket01 \
--region us-ashburn-1 

 

 

-- 7. クリーンアップ

oci iam policy list \
--compartment-id ocid1.tenancy.oc1..111111111111111111111111111111111111111111111111111111111111 

oci iam policy delete \
--policy-id ocid1.policy.oc1..111111111111111111111111111111111111111111111111111111111111 \
--force 

oci iam dynamic-group list 

oci iam dynamic-group delete \
--dynamic-group-id ocid1.dynamicgroup.oc1..111111111111111111111111111111111111111111111111111111111111 \
--force 

 


terraform destroy -auto-approve

 

 

 

OEM Management Repository Views

その他

Enterprise Manager Cloud Control Management Repository Views Reference
https://docs.oracle.com/cd/cloud-control-13.3/EMVWS/toc.htm

How To Query Target Status From The OEM Repository DB ? (Doc ID 2669538.1)

 


SET MARKUP CSV ON


-- 2 Blackout Views

select * from sysman.MGMT$BLACKOUT_HISTORY;
select * from sysman.MGMT$BLACKOUTS;


-- 4 Compliance Views

select * from sysman.MGMT$COMPLIANCE_STANDARD_RULE;
select * from sysman.MGMT$COMPLIANCE_STANDARD;
select * from sysman.MGMT$COMPLIANCE_STANDARD_GROUP;
select * from sysman.MGMT$CS_EVAL_SUMMARY;
select * from sysman.MGMT$COMPOSITE_CS_EVAL_SUMMARY;
select * from sysman.MGMT$CS_RULE_EVAL_SUMMARY;
select * from sysman.MGMT$CS_GROUP_EVAL_SUMMARY;
select * from sysman.MGMT$CS_TARGET_ASSOC;
select * from sysman.MGMT$CSR_CURRENT_VIOLATION;
select * from sysman.MGMT$CSR_VIOLATION_CONTEXT;
select * from sysman.MGMT$EM_RULE_VIOL_CTXT_DEF;
select * from sysman.MGMT$RULE_KEYWORD;
select * from sysman.MGMT$CS_KEYWORD;
select * from sysman.MGMT$CS_GROUP_KEYWORD;
select * from sysman.MGMT$CS_RULE_ATTRS;
select * from sysman.MGMT$CS_HIERARCHY;
select * from sysman.MGMT$CS_RQS_HIERARCHY;
select * from sysman.MGMT$CS_RULEFOLDER;
select * from sysman.MGMT$CSG_HIERARCHY;
select * from sysman.MGMT$CSG_SUBGROUP;
select * from sysman.MGMT$CSR_TARGET_ASSOC;
select * from sysman.MGMT$CSRF_TARGET_ASSOC;
select * from sysman.MGMT$REPO_RULE_CHK_DETAILS;
select * from sysman.MGMT$REPOSITORY_RULE_BIND_VARS;
select * from sysman.MGMT$REPOSITORY_RULE_PARAMS;
select * from sysman.MGMT$CS_TGT_ASSOC_TXF_REQ;
select * from sysman.MGMT$EM_CS_RULE_EVENT_ERROR;
select * from sysman.MGMT$CCC_ALL_OBS_BUNDLES;
select * from sysman.MGMT$CCC_ALL_OBSERVATIONS;
select * from sysman.MGMT$CCC_ALL_VIOLATIONS;
select * from sysman.MGMT$CCC_ALL_AGENT_WARNINGS;
select * from sysman.MGMT$CCC_ALL_WATCHDOG_ALERTS;
select * from sysman.MGMT$COMPLIANT_TARGETS;
select * from sysman.MGMT$COMPLIANCE_SUMMARY;
select * from sysman.MGMT$COMPLIANCE_TREND;
select * from sysman.MGMT$CCC_DIAG_ANALYTICS;
select * from sysman.MGMT$CCC_DIAG_QUEUEBACKLOG;

-- 5 Configuration Management Views

-- 5.1 Custom Configuration Specification Views

select * from sysman.MGMT$CCS_DATA;
select * from sysman.MGMT$CCS_DATA_SOURCE;
select * from sysman.MGMT$CCS_DATA_VISIBLE;


-- 5.2  Database Configuration Views

select * from sysman.MGMT$DB_TABLESPACES;
select * from sysman.MGMT$DB_DATAFILES;
select * from sysman.MGMT$DB_CONTROLFILES;
select * from sysman.MGMT$DB_DBNINSTANCEINFO;
select * from sysman.MGMT$DB_FEATUREUSAGE;
select * from sysman.MGMT$DB_INIT_PARAMS;
select * from sysman.MGMT$DB_LICENSE;
select * from sysman.MGMT$DB_REDOLOGS;
select * from sysman.MGMT$DB_ROLLBACK_SEGS;
select * from sysman.MGMT$DB_SGA;
select * from sysman.MGMT$DB_TABLESPACES_ALL;
select * from sysman.MGMT$DB_OPTIONS;


-- 5.3  Enterprise Configuration Management Views

select * from sysman.MGMT$ECM_CMP_JOBS;
select * from sysman.MGMT$ECM_CMP_JOB_LAST_RESULTS;
select * from sysman.MGMT$ECM_CMP_RPT_CCS_DS;
select * from sysman.MGMT$ECM_CMP_RPT_CCS_DS_DTLS;
select * from sysman.MGMT$ECM_CMP_RPT_CCS_PD_ALL;
select * from sysman.MGMT$ECM_CMP_RPT_CCS_PD_DIFFS;
select * from sysman.MGMT$ECM_CMP_RPT_CI_DIFFS;
select * from sysman.MGMT$ECM_CMP_VISIBLE_CONFIGS;
select * from sysman.MGMT$ECM_CURRENT_SNAPSHOTS;
select * from sysman.MGMT$ECM_VISIBLE_SNAPSHOTS;

 

-- 6 Events Views

select * from sysman.MGMT$INCIDENTS;
select * from sysman.MGMT$INCIDENT_CATEGORY;
select * from sysman.MGMT$INCIDENT_TARGET;
select * from sysman.MGMT$INCIDENT_ANNOTATION;
select * from sysman.MGMT$EVENTS_LATEST;
select * from sysman.MGMT$EVENTS;
select * from sysman.MGMT$EVENT_ANNOTATION;
select * from sysman.MGMT$PROBLEMS;
select * from sysman.MGMT$PROBLEM_ANNOTATION;

-- 7 Hardware Views

-- 7.1  Hardware Views

select * from sysman.MGMT$HW_CPU_DETAILS;
select * from sysman.MGMT$HW_NIC;
select * from sysman.MGMT$HW_NIC_BONDS;
select * from sysman.MGMT$HW_IO_DEVICES;
select * from sysman.MGMT$EM_ECM_HOST_VIRTUAL;
select * from sysman.MGMT$HW_HOSTS_FILE;


-- 7.2 Service Tag Views

select * from sysman.MGMT$SERVICETAG_INSTANCES;
select * from sysman.MGMT$SERVICETAG_REGISTRY;

 

-- 8 Inventory Views

-- 8.1 Inventory Views

select * from sysman.MGMT$TARGET;
select * from sysman.MGMT$TARGET_TYPE;
select * from sysman.MGMT$TARGET_TYPE_DEF;
select * from sysman.MGMT$TARGET_ASSOCIATIONS;
select * from sysman.MGMT$TARGET_MEMBERS;
select * from sysman.MGMT$TARGET_FLAT_MEMBERS;
select * from sysman.MGMT$TARGET_TYPE_PROPERTIES;
select * from sysman.MGMT$TARGET_PROPERTIES;


-- 8.2 Oracle Home Directory Patching Views

select * from sysman.MGMT$EM_HOMES_PLATFORM;
select * from sysman.MGMT$APPL_PATCH_AND_PATCHSET;
select * from sysman.MGMT$HOMES_AFFECTED;
select * from sysman.MGMT$APPLIED_PATCHES;
select * from sysman.MGMT$APPLIED_PATCHSETS;


-- 8.3 Oracle Home Directory Views

select * from sysman.MGMT$OH_HOME_INFO;
select * from sysman.MGMT$OH_DEP_HOMES;
select * from sysman.MGMT$OH_CRS_NODES;
select * from sysman.MGMT$OH_CLONE_PROPERTIES;
select * from sysman.MGMT$OH_COMPONENT;
select * from sysman.MGMT$OH_COMP_INST_TYPE;
select * from sysman.MGMT$OH_COMP_DEP_RULE;
select * from sysman.MGMT$OH_PATCHSET;
select * from sysman.MGMT$OH_VERSIONED_PATCH;
select * from sysman.MGMT$OH_PATCH;
select * from sysman.MGMT$OH_PATCHED_COMPONENT;
select * from sysman.MGMT$OH_PATCH_FIXED_BUG;
select * from sysman.MGMT$OH_PATCHED_FILE;
select * from sysman.MGMT$OH_FILE;
select * from sysman.MGMT$PA_RECOM_METRIC_SOURCE;
select * from sysman.MGMT$OH_INV_SUMMARY;
select * from sysman.MGMT$OH_INSTALLED_TARGETS;

 

-- 9 Job Views

select * from sysman.MGMT$CA_TARGETS;
select * from sysman.MGMT$CA_EXECUTIONS;
select * from sysman.MGMT$JOBS;
select * from sysman.MGMT$JOB_TARGETS;
select * from sysman.MGMT$JOB_EXECUTION_HISTORY;
select * from sysman.MGMT$JOB_STEP_HISTORY;
select * from sysman.MGMT$JOB_ANNOTATIONS;
select * from sysman.MGMT$JOB_NOTIFICATION_LOG;

-- 10 Linux Patching Views

select * from sysman.MGMT$HOSTPATCH_HOSTS;
select * from sysman.MGMT$HOSTPATCH_GROUPS;
select * from sysman.MGMT$HOSTPATCH_GRP_COMPL_HIST;
select * from sysman.MGMT$HOSTPATCH_HOST_COMPL;

-- 11 Management Template Views

select * from sysman.MGMT$TEMPLATES;
select * from sysman.MGMT$TEMPLATE_POLICY_SETTINGS;
select * from sysman.MGMT$TEMPLATE_METRICCOLLECTION;
select * from sysman.MGMT$TEMPLATE_METRIC_SETTINGS;

-- 12 Metric Views

select * from sysman.MGMT$METRIC_CATEGORIES;
select * from sysman.MGMT$METRIC_COLLECTION;
select * from sysman.MGMT$METRIC_ERROR_CURRENT;
select * from sysman.MGMT$METRIC_ERROR_HISTORY;

-- 13 Middleware Management Views

-- 13.1 Application Deployment Views

select * from sysman.MGMT$J2EE_APPLICATION;
select * from sysman.MGMT$J2EEAPP_EJBCOMPONENT;
select * from sysman.MGMT$J2EEAPP_JRFWS;
select * from sysman.MGMT$J2EEAPP_JRFWSOPER;
select * from sysman.MGMT$J2EEAPP_JRFWSPOLICY;
select * from sysman.MGMT$J2EEAPP_JRFWSPORT;
select * from sysman.MGMT$J2EEAPP_WEBAPPCOMPONENT;
select * from sysman.MGMT$J2EEAPP_WSCONFIG;
select * from sysman.MGMT$J2EEAPP_WSPORTCONFIG;


-- 13.2 Glassfish Views

select * from sysman.MGMT$EMAS_GLASSFISH_DOMAIN;
select * from sysman.MGMT$EMAS_GLASSFISH_NODES;
select * from sysman.MGMT$EMAS_GLASSFISH_SERVER;
select * from sysman.MGMT$EMAS_GLASSFISH_SVR_PROP;
select * from sysman.MGMT$EMAS_GLASSFISH_NW_LSTNR;
select * from sysman.MGMT$EMAS_GLASSFISH_DATASOURCE;
select * from sysman.MGMT$EMAS_GLASSFISH_DS_PROP;


-- 13.3 Oracle WebLogic Server Views

select * from sysman.MGMT$WEBLOGIC_APPLICATIONS;
select * from sysman.MGMT$WEBLOGIC_EJBCOMPONENT;
select * from sysman.MGMT$WEBLOGIC_FILESTORE;
select * from sysman.MGMT$WEBLOGIC_JDBCDATASOURCE;
select * from sysman.MGMT$WEBLOGIC_JDBCMULTIDS;
select * from sysman.MGMT$WEBLOGIC_JMSCONNFACTORY;
select * from sysman.MGMT$WEBLOGIC_JMSQUEUE;
select * from sysman.MGMT$WEBLOGIC_JMSSERVER;
select * from sysman.MGMT$WEBLOGIC_JMSTOPIC;
select * from sysman.MGMT$WEBLOGIC_JOLTCONNPOOL;
select * from sysman.MGMT$WEBLOGIC_JVMSYSPROPS;
select * from sysman.MGMT$WEBLOGIC_MACHINE;
select * from sysman.MGMT$WEBLOGIC_NETWORK_CHANNELS;
select * from sysman.MGMT$WEBLOGIC_NODEMANAGER;
select * from sysman.MGMT$WEBLOGIC_RACONFIG;
select * from sysman.MGMT$WEBLOGIC_RAOUTBOUNDCONFIG;
select * from sysman.MGMT$WEBLOGIC_RESOURCECONFIG;
select * from sysman.MGMT$WEBLOGIC_SERVER;
select * from sysman.MGMT$WEBLOGIC_STARTSHUTCLASSES;
select * from sysman.MGMT$WEBLOGIC_VIRTUALHOST;
select * from sysman.MGMT$WEBLOGIC_WEBAPPCOMPONENT;
select * from sysman.MGMT$WEBLOGIC_WORKMANAGER;
select * from sysman.MGMT$WEBLOGIC_WSCONFIG;
select * from sysman.MGMT$WEBLOGIC_WSPORTCONFIG;


-- 13.4 Oracle WebLogic Domain Views

select * from sysman.MGMT$WEBLOGIC_DOMAIN;
select * from sysman.MGMT$WEBLOGIC_OPSSSYSPROP;
select * from sysman.MGMT$WEBLOGIC_OAMCONFIG;


-- 13.5 Oracle WebLogic Cluster View

select * from sysman.MGMT$WEBLOGIC_CLUSTER;

 

-- 14 Monitoring Views

select * from sysman.MGMT$ALERT_CURRENT;
select * from sysman.MGMT$TARGET_METRIC_COLLECTIONS;
select * from sysman.MGMT$TARGET_METRIC_SETTINGS;
select * from sysman.MGMT$AVAILABILITY_CURRENT;
select * from sysman.MGMT$AVAILABILITY_HISTORY;
select * from sysman.MGMT$ALERT_HISTORY;
select * from sysman.MGMT$AVAIL_ALERT_HISTORY;
select * from sysman.MGMT$METRIC_DETAILS;
select * from sysman.MGMT$METRIC_CURRENT;
select * from sysman.MGMT$METRIC_HOURLY;
select * from sysman.MGMT$METRIC_DAILY;

-- 15 Operating System Views

select * from sysman.MGMT$OS_SUMMARY;
select * from sysman.MGMT$OS_COMPONENTS;
select * from sysman.MGMT$OS_HW_SUMMARY;
select * from sysman.MGMT$OS_PATCH_SUMMARY;
select * from sysman.MGMT$OS_FS_MOUNT;
select * from sysman.MGMT$OS_KERNEL_PARAMS;
select * from sysman.MGMT$OS_PATCHES;
select * from sysman.MGMT$OS_PROPERTIES;
select * from sysman.MGMT$OS_MODULES;
select * from sysman.MGMT$OS_LIMITS;
select * from sysman.MGMT$OS_INIT_SERVICES;

-- 16 Security Views

select * from sysman.MGMT$ESA_ALL_PRIVS_REPORT;
select * from sysman.MGMT$ESA_ANY_DICT_REPORT;
select * from sysman.MGMT$ESA_ANY_PRIV_REPORT;
select * from sysman.MGMT$ESA_AUDIT_SYSTEM_REPORT;
select * from sysman.MGMT$ESA_BECOME_USER_REPORT;
select * from sysman.MGMT$ESA_CATALOG_REPORT;
select * from sysman.MGMT$ESA_CONN_PRIV_REPORT;
select * from sysman.MGMT$ESA_CREATE_PRIV_REPORT;
select * from sysman.MGMT$ESA_DBA_GROUP_REPORT;
select * from sysman.MGMT$ESA_DBA_ROLE_REPORT;
select * from sysman.MGMT$ESA_DIRECT_PRIV_REPORT;
select * from sysman.MGMT$ESA_EXMPT_ACCESS_REPORT;
select * from sysman.MGMT$ESA_KEY_OBJECTS_REPORT;
select * from sysman.MGMT$ESA_OH_OWNERSHIP_REPORT;
select * from sysman.MGMT$ESA_OH_PERMISSION_REPORT;
select * from sysman.MGMT$ESA_POWER_PRIV_REPORT;
select * from sysman.MGMT$ESA_PUB_PRIV_REPORT;
select * from sysman.MGMT$ESA_SYS_PUB_PKG_REPORT;
select * from sysman.MGMT$ESA_TABSP_OWNERS_REPORT;
select * from sysman.MGMT$ESA_TRC_AUD_PERM_REPORT;
select * from sysman.MGMT$ESA_WITH_ADMIN_REPORT;
select * from sysman.MGMT$ESA_WITH_GRANT_REPORT;
select * from sysman.MGMT$ESM_COLLECTION_LATEST;
select * from sysman.MGMT$ESM_FILE_SYSTEM_LATEST;
select * from sysman.MGMT$ESM_PORTS_LATEST;
select * from sysman.MGMT$ESM_SERVICE_LATEST;
select * from sysman.MGMT$ESM_STACK_LATEST;

-- 17 Storage Reporting Views

select * from sysman.MGMT$STORAGE_REPORT_DATA;
select * from sysman.MGMT$STORAGE_REPORT_KEYS;
select * from sysman.MGMT$STORAGE_REPORT_PATHS;
select * from sysman.MGMT$STORAGE_REPORT_ISSUES;
select * from sysman.MGMT$STORAGE_REPORT_DISK;
select * from sysman.MGMT$STORAGE_REPORT_VOLUME;
select * from sysman.MGMT$STORAGE_REPORT_LOCALFS;
select * from sysman.MGMT$STORAGE_REPORT_NFS;

-- 18 Target Views

select * from sysman.MGMT$AGENTS_MONITORING_TARGETS;
select * from sysman.MGMT$EM_ECM_MOS_PROPERTIES;
select * from sysman.MGMT$EM_ECM_TARGET_FRESHNESS;
select * from sysman.MGMT$MANAGEABLE_ENTITIES;

 

{Alibaba ApsaraDB for MongoDB} Getting Started

Alibaba

https://www.alibabacloud.com/help/en/mongodb/

https://dev.classmethod.jp/articles/how-to-sign-up-alibaba-cloud-international-account/


東京リージョンは価格が高いため杭州市を使用する
杭州市を使用する場合、実名登録が必要
実名登録は完了しても連絡はこないので定期的に確認必要


Japna(Tokyo) -> $0.740/時間
ap-northeast-1
ap-northeast-1a


China(Hangzhou) 杭州市 -> $0.404/時間
cn-hangzhou
cn-hangzhou-h


aliyun ecs DescribeRegions 
aliyun ecs DescribeZones --RegionId cn-hangzhou

--China(Hangzhou) 杭州
export ALIBABACLOUD_REGION_ID=cn-hangzhou

 

-- 1. VPCとECSの作成

 

cat <<-'EOF' > variables.tf

locals {
  availability_zone = "cn-hangzhou-h"
}


variable "instance_type" {
  description = "instance_type"
  type = string
  default = "ecs.n1.tiny"
}

variable "image_id" {
  description = "image_id"
  type = string
  default = "aliyun_2_1903_x64_20G_alibase_20231221.vhd"
}

EOF

 

cat <<-'EOF' > main.tf

terraform {
  required_version = ">= 1.0.0, < 2.0.0"
  required_providers {
    alicloud = {
       source  = "aliyun/alicloud"
       version = "= 1.217.0"
    }
  }
}

provider "alicloud" {
    region  = "cn-hangzhou"
}


resource "alicloud_vpc" "vpc01" {
  vpc_name          = "vpc01"
  description       = "vpc01"
  cidr_block        = "10.2.0.0/16"
}

 

resource "alicloud_vswitch" "sw01" {
  vswitch_name      = "sw01"
  description       = "sw01"
  vpc_id            = alicloud_vpc.vpc01.id
  cidr_block        = "10.2.1.0/24"
  zone_id           = local.availability_zone
}

resource "alicloud_security_group" "sg01" {
  name                = "sg01"
  description         = "sg01"
  vpc_id              = alicloud_vpc.vpc01.id
  security_group_type = "normal"
}


resource "alicloud_security_group_rule" "sg0101" {
  type              = "ingress"
  ip_protocol       = "tcp"
  port_range        = "22/22"
  security_group_id = alicloud_security_group.sg01.id
  nic_type          = "intranet"
  policy            = "accept"
  priority          = 10
  cidr_ip           = "0.0.0.0/0"
  description       = "sg0101"
}


resource "alicloud_vpc_ipv4_gateway" "gw01" {
  ipv4_gateway_name        = "gw01"
  ipv4_gateway_description = "gw01"
  vpc_id                   = alicloud_vpc.vpc01.id
  enabled                  = true
}

 

 

# ルートテーブルへvSwitchの関連付け
resource "alicloud_route_table_attachment" "sw01_rt01" {
  vswitch_id     = alicloud_vswitch.sw01.id
  route_table_id = alicloud_vpc.vpc01.route_table_id
}


# ルートテーブルへカスタムルート追加
resource "alicloud_route_entry" "rt0101" {
  name                  = "rt0101"
  route_table_id        = alicloud_vpc.vpc01.route_table_id
  destination_cidrblock = "0.0.0.0/0"
  nexthop_type          = "Ipv4Gateway"
  nexthop_id            = alicloud_vpc_ipv4_gateway.gw01.id
}


resource "alicloud_instance" "instance01" {

  image_id                   = var.image_id
  instance_type              = var.instance_type
  security_groups            = [alicloud_security_group.sg01.id]
  instance_name              = "instance01"
  system_disk_category       = "cloud_ssd"
  system_disk_name           = "instance01"
  system_disk_size           = 20
  description                = "instance01"
  internet_charge_type       = "PayByBandwidth"
  internet_max_bandwidth_out = 0
  host_name                  = "instance01"
  vswitch_id                 = alicloud_vswitch.sw01.id
  instance_charge_type       = "PostPaid"
  key_name                   = "alibabakey02"
  deletion_protection        = false
  credit_specification       = "Standard"

}


resource "alicloud_eip_address" "eip01" {
  address_name              = "eip01"
  bandwidth                 = 1
  deletion_protection       = false
  description               = "eip01"
  internet_charge_type      = "PayByTraffic"
  isp                       = "BGP"
  payment_type              = "PayAsYouGo"
  netmode                   = "public"
}

# インスタンスとEIPの関連付け
resource "alicloud_eip_association" "instance01_eip01" {
  instance_id              = alicloud_instance.instance01.id
  allocation_id            = alicloud_eip_address.eip01.id
}

 

EOF

 

cat <<-'EOF' > outputs.tf

 

output "vpc01_id" {
  value = alicloud_vpc.vpc01.id
  description = "vpc01.id"
}

output "vpc01_route_table_id" {
  value = alicloud_vpc.vpc01.route_table_id
  description = "vpc01.route_table_id"
}

output "sw01_id" {
  value = alicloud_vswitch.sw01.id
  description = "sw01.id"
}

output "sg01_id" {
  value = alicloud_security_group.sg01.id
  description = "sg01.id"
}

output "gw01_id" {
  value = alicloud_vpc_ipv4_gateway.gw01.id
  description = "gw01.id"
}


output "instance01_id" {
  value = alicloud_instance.instance01.id
  description = "instance01.id"
}


output "eip01_id" {
  value = alicloud_eip_address.eip01.id
  description = "eip01.id"
}

 

EOF

 


terraform init
terraform fmt
terraform -version

 

terraform plan

terraform apply -auto-approve


-- 2. MongoDB作成

aliyun dds DescribeAvailableResource \
--ZoneId cn-hangzhou-h 


2コア、8GB

 

aliyun dds CreateDBInstance \
--DBInstanceClass mdb.shard.4x.large.d \
--DBInstanceStorage 20 \
--Engine MongoDB \
--EngineVersion 6.0 \
--AccountPassword 'password' \
--ChargeType PostPaid \
--NetworkType VPC \
--ReadonlyReplicas 0 \
--ReplicationFactor 3 \
--SecurityIPList '10.2.0.0/16' \
--StorageEngine WiredTiger \
--StorageType cloud_essd1 \
--VSwitchId vsw-111111111111111111111 \
--VpcId vpc-111111111111111111111 \
--ZoneId cn-hangzhou-h

 

aliyun dds DescribeDBInstances 

 

 

 

-- 3. ホワイトリストの設定


aliyun dds DescribeSecurityIps \
--DBInstanceId dds-1111111111111111 

aliyun dds ModifySecurityIps \
--DBInstanceId dds-1111111111111111 \
--SecurityIps 10.2.1.111 \
--ModifyMode Append 


aliyun dds DescribeSecurityIps \
--DBInstanceId dds-1111111111111111 

 

 


-- 4. ECSから動作確認


tar xvzf mongosh-2.2.3-linux-x64.tgz

cd mongosh-2.2.3-linux-x64
cd bin

 

./mongosh mongodb://root:'password'@dds-11111111111111112.mongodb.rds.aliyuncs.com:3717,dds-11111111111111111.mongodb.rds.aliyuncs.com:3717/admin?replicaSet=mgset-11111111


show dbs;


rs.conf()
rs.status();


use test


db.tab1.insertOne( { col1: "val1"} )
db.tab1.find()

exit

 


-- 5. クリーンアップ


aliyun dds DescribeDBInstances 


aliyun dds DeleteDBInstance \
--DBInstanceId dds-1111111111111111 

 


terraform destroy -auto-approve