Oracle Cloud Infrastructure Documentation

Terraform: Create a Virtual Cloud Network

In this tutorial, you use Terraform to create a virtual cloud network in your Oracle Cloud Infrastructure tenancy.

Key tasks include how to:

  • Set up a basic virtual cloud network.
  • Define and add the following resources to the network:
    • Security lists
    • Private and public subnets
A diagram of the components needed to create an Oracle Cloud Infrastructure virtual cloud network with Terraform. From a local Linux environment, the user creates a virtual cloud network with Terraform. This network has a public subnet that can be reached from the internet. The network also has a private subnet that connects to the internet through a NAT gateway, and also privately connects to the Oracle Services Network. The CIDR block for the virtual cloud network is 10.0.0.0/16, for the public subnet is 10.0.0.0/24, and for the private subnet is 10.0.1.0/24.

For additional information, see:

Before You Begin

To successfully perform this tutorial, you must have the following:

Requirements

1. Prepare

Prepare your environment for creating a virtual cloud network. Also, collect all the information you need to complete the tutorial.

Gather Required Information

Copy the following information into your notepad.

  1. Compartment Name: <your-compartment-name>
    • Find your compartment name from the Create a Compartment tutorial you performed in the Before you Begin section.
  2. Compartment ID: <compartment-ocid>
    • In the Oracle Cloud Infrastructure Console search bar, enter <your-compartment-name>.
    • Click <your-compartment-name> in the search results.
    • Copy the OCID.
  3. Region: <region-identifier>
Add Resource Policy

If your username is in the Administrators group, then skip this section. Otherwise, have your administrator add the following policy to your tenancy:

allow group <the-group-your-username-belongs> to manage all-resources in compartment <your-compartment-name>

With this privilege, you can manage all resources in your compartment, essentially giving you administrative rights in that compartment.

Steps to Add the Policy
  1. Open the navigation menu and click Identity & Security. Under Identity, click Policies.
  2. Select your compartment from the Compartment drop-down.
  3. Click Create Policy.
  4. Fill in the following information:
    • Name: manage-<your-compartment-name>-resources
    • Description: Allow users to list, create, update, and delete resources in <your-compartment-name>.
    • Compartment: <your-tenancy>(root)
  5. For Policy Builder, select the following choices:
    • Policy use cases: Compartment Management
    • Common policy templates: Let compartment admins manage the compartment
    • Groups: <the-group-your-username-belongs>
    • Location: <your-tenancy>(root)
  6. Click Create.

Reference: Common Policies

2. Create a Basic Network

Create scripts for authentication, a basic virtual cloud network defined by a module, and outputs.

Add Authentication

First, set up a directory for your Terraform scripts. Then add a provider script so your Oracle Cloud Infrastructure account can authenticate the scripts running from this directory.

  1. In your $HOME directory, create a directory called tf-vcn and change to that directory. 
    mkdir tf-vcn
    cd tf-vcn
  2. Copy the provider.tf file from the Set Up OCI Terraform tutorial mentioned in the Before you Begin section, into the tf-vcn directory. 
    cp ../tf-provider/provider.tf .
Declare a Basic Network

Declare a basic network with an Oracle Cloud Infrastructure virtual cloud network (VCN) module, documented in the Terraform Registry. Then, run your scripts and create the network. In the next sections, add components to customize your network.

  1. Go to Terraform Registry.
  2. Click Browse Modules.
  3. In the left navigation Provider list, click oci.
    You get a list of Oracle Cloud Infrastructure provided modules.
  4. Click oracle-terraform-modules/vcn.
  5. For Version, from the list, click Version 3.1.0.
    This tutorial uses version 3.1.0. If you use another version, you might have different number of required inputs and create different resources for your vcn.
  6. Create a file called vcn-module.tf.
  7. Copy the code from Provision Instructions section of the page into vcn-module.tf.

    Example:

    module "vcn" {
  source  = "oracle-terraform-modules/vcn/oci"
  version = "3.1.0"
  # insert the 5 required variables here
}
  8. Click Inputs and find all Required Inputs.
  9. Review the optional inputs to override.
  10. Add the following code to vcn-module.tf. 
    # Source from https://registry.terraform.io/modules/oracle-terraform-modules/vcn/oci/
module "vcn"{
  source  = "oracle-terraform-modules/vcn/oci"
  version = "3.1.0"
  # insert the 5 required variables here

  # Required Inputs
  compartment_id = "<compartment-ocid>"
  region = "<region-identifier>"

  internet_gateway_route_rules = null
  local_peering_gateways = null
  nat_gateway_route_rules = null

  # Optional Inputs
  vcn_name = "vcn-module"
  vcn_dns_label = "vcnmodule"
  vcn_cidrs = ["10.0.0.0/16"]
  
  create_internet_gateway = true
  create_nat_gateway = true
  create_service_gateway = true  
}
    • Replace <compartment-ocid> and <region-identifier> with the information in the Gather Required Information section.
    • Replace <your-vcn-name> with a name of your choice. The default value is vcn-module
    • Replace <your-dns-label> with a label of your choice. The default value is vcnmodule.
      Note

      • The DNS Domain Name for your virtual cloud network is: 
        <your-dns-label>.oraclevcn.com
  11. Save the vcn-module.tf file.
Explanation
About Modules

A module is a container for multiple resources that are used together. Instead of declaring infrastructure resources one by one, start with an Oracle Cloud Infrastructure provided module. For example, start with a basic virtual cloud network module. Then, add the resources that are not included in the module, to your scripts.

Declare a Module Block
  • Start the block with the keyword: module.
  • Add a label for the module's provided name:
    • Example: "vcn"
  • Inside the code block
    • Add source and version information from the Provision Instructions section of the module documentation.
    • Provide a value for the required inputs. They don't have a default value. Example:
      • compartment_id
      • internet_gateway_route_rules
      • local_peering_gateways
      • nat_gateway_route_rules
      • region
    • Provide values for the optional inputs that you want to override. Otherwise, their default values are used. Example:
      • create_internet_gateway
      • create_nat_gateway
      • create_service_gateway
      • vcn_dns_label
      • vcn_cidrs
      • vcn_name
    • You can declare the optional inputs with their default value, so later when you review your code, you know what value you used. Example:
      vcn_name = "vcn-module"
vcn_dns_label = "vcnmodule"
vcn_cidrs = ["10.0.0.0/16"]
Add Outputs

Add output blocks to your code to get information about your virtual cloud network after you run your scripts.

  1. In the tf-vcn directory, create a file called outputs.tf.
  2. Add the following code to outputs.tf. 
    # Outputs for the vcn module

output "vcn_id" {
  description = "OCID of the VCN that is created"
  value = module.vcn.vcn_id
}
output "id-for-route-table-that-includes-the-internet-gateway" {
  description = "OCID of the internet-route table. This route table has an internet gateway to be used for public subnets"
  value = module.vcn.ig_route_id
}
output "nat-gateway-id" {
  description = "OCID for NAT gateway"
  value = module.vcn.nat_gateway_id
}
output "id-for-for-route-table-that-includes-the-nat-gateway" {
  description = "OCID of the nat-route table - This route table has a nat gateway to be used for private subnets. This route table also has a service gateway."
  value = module.vcn.nat_route_id
}
  3. Save the outputs.tf file.
    Note

    Ensure that outputs.tf, provider.tf, and vcn-module.tf are in the same directory.
Explanation
About Module Outputs
Module outputs are the attributes that you can return for that module. To find the outputs for the vcn module:
  • Go to the OCI Module: vcn page.
  • Click Outputs.
  • You get a list of attributes that you can output for the VCN module.
  • Review the description of the attributes:
    • ig_route_id
      • OCID of the route table that includes the internet gateway.
    • nat_gateway_id
      • OCID of the NAT gateway
    • nat_route_id
      • OCID of the route table that includes the NAT gateway.
    • vcn_id
      • OCID of the VCN
Declare a Module Output Block
    • Start the block with the keyword: output.
    • Add a label to be printed with the output results:
      • The label can contain letters, digits, underscores (_), and hyphens (-). The first character must not be a digit.
      • Example: "vcn_id"
    • Get the attributes from the module's Outputs page.
    • Inside the code block, enter a value for the module output with the expression:
      • value = module.<module-name>.<output-attribute>
      • Example: value = module.vcn.vcn_id
    • (Optional): Inside the code block, add a description string. Example:
      description = "OCID of the internet-route table. This route table has an internet gateway to be used for public subnets"
      Note

      A description string is not printed in the output, so ensure that the label describes what it outputs.
    • Create an output block for each output.
Create the Basic Network
  1. Create your basic network with Terraform: 
    terraform init
    terraform plan
    terraform apply

    When prompted for confirmation, enter yes, for your resources to be created.

    After the virtual network is created, the outputs that you defined are displayed in the output terminal.

  2. (Optional) Watch the creation from the Console:
    • Open the navigation menu and click Networking, and then click Virtual Cloud Networks.
    • Select your compartment.
    • Watch your virtual cloud network appear in the list of networks.

Congratulations! You have successfully created a basic virtual network using Terraform, in your Oracle Cloud Infrastructure account. You have a virtual network and you can be done at this point. The next sections show you how to customize a network created from a module.

3. Customize the Network

Create scripts for security lists, private, and public subnets to create the same virtual network as the Console's wizard.

Create a Security List for the Private Subnet
Declare a Security List
  1. Create a file called private-security-list.tf.
  2. Add the following code to private-security-list.tf. 
    # Source from https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_security_list

resource "oci_core_security_list" "private-security-list"{

# Required
  compartment_id = "<compartment-ocid>"
  vcn_id = module.vcn.vcn_id

# Optional
  display_name = "security-list-for-private-subnet"
}
    • Replace <compartment-ocid>, with the information in the Gather Information section.
    • Point vcn_id to the VCN OCID you created with the module: 
      vcn_id = module.vcn.vcn_id
Explanation
  • Go to Oracle Cloud Infrastructure Provider.
  • In the left navigation Filter, enter security list.

    Results are returned for both Data Sources and Resources.

  • Under Core, go to Resources and click oci_core_security_list.
  • In the Argument Reference section, find all (Required) arguments with top level (black solid) bullet points:
    • compartment_id
    • vcn_id
  • For compartment_id: use
    compartment_id = "<compartment-ocid>"
  • For vcn_id, use the OCID of the basic virtual network. To assign the OCID, before knowing it, assign an output from the module, as input for the security list resource:
    • Get the module's output attribute from the module's Outputs page.
    • Assign a value to the resource argument with the expression:
      • <resource argument> = module.<module-name>.<output-attribute>
      • Example: vcn_id = module.vcn.vcn_id
      • Both the oci_core_security_list resource and the oracle-terraform-modules/vcn use the same argument name for virtual cloud network OCID: vcn_id.
      • The vcn_id on the left side of the equation is the argument (required input) for the resource.
      • The vcn_id on the right side of the equation, is the OCID of the VCN that you create with the module.
      • It doesn't matter if you have run the VCN module script and created the VCN or not. Either way, Terraform assigns the VCN OCID to the security list, after the VCN module is created.
Add an Egress Rule
Add an egress rule to your security list based on the following values:

Egress Rule

  • Stateless: No
  • Destination: 0.0.0.0/0
  • IP Protocol: All Protocols
Note

The Allows field in the table is automatically generated based on other fields. You don't add an argument for it in your script.
  1. Add the following code to private-security-list.tf: 
      
  egress_security_rules {
      stateless = false
      destination = "0.0.0.0/0"
      destination_type = "CIDR_BLOCK"
      protocol = "all" 
  }
  2. Save the private-security-list.tf file.
  3. Add the following code to outputs.tf. 
    
# Outputs for private security list

output "private-security-list-name" {
  value = oci_core_security_list.private-security-list.display_name
}
output "private-security-list-OCID" {
  value = oci_core_security_list.private-security-list.id
}
  4. Save the outputs.tf file.
    Note

    Ensure that private-security-list.tf, outputs.tf, provider.tf, and vcn-module.tf are in the same directory.
Explanation

In the Argument Reference section of oci_core_security_list page, find the following arguments for private-security-list.tf:

  • egress_security_rules
    • stateless
    • destination
    • destination_type
    • protocol
Note

You use the equals sign "=" to assign a value to an argument. The argument egress_security_rules doesn't directly get a value. It has its own arguments and they each get a value. Therefore, ensure that you only use the equals sign inside the block.
  • Write: 
    egress_security_rules {
<arguments with assigned values>
}
  • Don't write: 
    egress_security_rules = {
<arguments with assigned values>
}

In the Attribute Reference section of oci_core_security_list page, find the following attributes to use as outputs in outputs.tf:

  • display_name
  • id
Create the Security List
  1. Create the security list for the private subnet, with Terraform: 
    terraform init
    terraform plan
    terraform apply

    When prompted for confirmation, enter yes, for your resources to be created.

    After the security list is created, the outputs that you defined are displayed in the output terminal.

  2. (Optional) Watch the network creation from the Console.
    • Open the navigation menu and click Networking, and then click Virtual Cloud Networks.
    • Click <your-vcn-name>.
    • In the Resources section, click Security Lists.
    • Click security-list-for-private-subnet.
    • Click Egress Rules.

Congratulations! You have successfully created a security list with an egress rule in your virtual cloud network. You add three ingress rules to this security list in the next section.

Create Ingress Rules for the Private Subnet

In this section, you add the following three ingress rules to the security list you created in the previous section.

Ingress Rules

  • Rule 1:
    • Stateless: No
    • Source: 10.0.0.0/16
    • IP Protocol: TCP
    • Source Port Range: All
    • Destination Port Range: 22
  • Rule 2:
    • Stateless: No
    • Source: 0.0.0.0/0
    • IP Protocol: ICMP
    • Type and Code: 3, 4
  • Rule 3:
    • Stateless: No
    • Source: 10.0.0.0/16
    • IP Protocol: ICMP
    • Type and Code: 3
Note

The Allows field in the table is automatically generated based on other fields. You don't add an argument for it in your script.
  1. Add the following code to private-security-list.tf: 
     
ingress_security_rules { 
      stateless = false
      source = "10.0.0.0/16"
      source_type = "CIDR_BLOCK"
      # Get protocol numbers from https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml TCP is 6
      protocol = "6"
      tcp_options { 
          min = 22
          max = 22
      }
    }
  ingress_security_rules { 
      stateless = false
      source = "0.0.0.0/0"
      source_type = "CIDR_BLOCK"
      # Get protocol numbers from https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml ICMP is 1  
      protocol = "1"
  
      # For ICMP type and code see: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
      icmp_options {
        type = 3
        code = 4
      } 
    }   
  
  ingress_security_rules { 
      stateless = false
      source = "10.0.0.0/16"
      source_type = "CIDR_BLOCK"
      # Get protocol numbers from https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml ICMP is 1  
      protocol = "1"
  
      # For ICMP type and code see: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
      icmp_options {
        type = 3
      } 
    }
  2. Save the private-security-list.tf file.
  3. Run your scripts. 
    terraform init
    terraform plan
    terraform apply

    When prompted for confirmation, enter yes, for your resources to be created.

  4. (Optional) Watch the creation from the Console:
    • Open the navigation menu and click Networking, and then click Virtual Cloud Networks.
    • Click <your-vcn-name>.
    • In the Resources section, click Security Lists.
    • Click security-list-for-private-subnet.
    • Click Ingress Rules.

Congratulations! You have successfully added three ingress rules to your security list. You use this security list for a private subnet. You create another security list for a public subnet in the next section.

Explanation
  • Go to Oracle Cloud Infrastructure Provider.
  • In the left navigation Filter, enter security list.

    Results are returned for both Data Sources and Resources.

  • Under Core, go to Resources and click oci_core_security_list.
  • In the Argument Reference section, find the following arguments:
    • ingress_security_rules
      • stateless
      • source
      • source_type
      • protocol
      • icmp_options
        • type
        • code
      • tcp_options
        • min
        • max
  • For protocol, refer to Protocol Numbers:
    • TCP: 6
    • ICMP: 1
  • For icmp_options, refer to ICMP Parameters.
  • For tcp_options, if you have no port range, such as Destination Range: 22, set the maximum and minimum value to the same number. Example:
    • min = 22
    • max = 22
Create a Security List for the Public Subnet

In this section, you create a security list in your network with egress and ingress rules. Later, you assign this security list to a public subnet.

  1. In the tf-vcn directory, copy the private-security-list.tf file and call it public-security-list.tf. 
    cp private-security-list.tf public-security-list.tf
  2. Open the public-security-list.tf file and update the following:
    • resource block local name: from "private-security-list" to "public-security-list"
    • security list name: display_name = "security-list-for-public-subnet"
    # Source from https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_security_list

resource "oci_core_security_list" "public-security-list"{

# Required
  compartment_id = "<compartment-ocid>"
  vcn_id = module.vcn.vcn_id

# Optional
  display_name = "security-list-for-public-subnet"
  3. Use the same egress rule as the private one.

    Egress Rule

    • Stateless: No
    • Destination: 0.0.0.0/0
    • IP Protocol: All Protocols
      
  egress_security_rules {
      stateless = false
      destination = "0.0.0.0/0"
      destination_type = "CIDR_BLOCK"
      protocol = "all" 
  }
  4. Update the TCP rule for the first ingress rule based on the following table:
    • from source = "10.0.0.0/16" to source = "0.0.0.0/0"

    Ingress Rules

    • Rule 1:
      • Stateless: No
      • Source: 0.0.0.0/0
      • IP Protocol: TCP
      • Source Port Range: All
      • Destination Port Range: 22
    • Rule 2:
      • Stateless: No
      • Source: 0.0.0.0/0
      • IP Protocol: ICMP
      • Type and Code: 3, 4
    • Rule 3:
      • Stateless: No
      • Source: 10.0.0.0/16
      • IP Protocol: ICMP
      • Type and Code: 3
     
ingress_security_rules { 
      stateless = false
      source = "0.0.0.0/0"
      source_type = "CIDR_BLOCK"
      # Get protocol numbers from https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml TCP is 6
      protocol = "6"
      tcp_options { 
          min = 22
          max = 22
      }
    }
  ingress_security_rules { 
      stateless = false
      source = "0.0.0.0/0"
      source_type = "CIDR_BLOCK"
      # Get protocol numbers from https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml ICMP is 1  
      protocol = "1"
  
      # For ICMP type and code see: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
      icmp_options {
        type = 3
        code = 4
      } 
    }   
  
  ingress_security_rules { 
      stateless = false
      source = "10.0.0.0/16"
      source_type = "CIDR_BLOCK"
      # Get protocol numbers from https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml ICMP is 1  
      protocol = "1"
  
      # For ICMP type and code see: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
      icmp_options {
        type = 3
      } 
    }
  5. Save the public-security-list.tf file.
  6. Add the following code to outputs.tf. 
    
# Outputs for public security list

output "public-security-list-name" {
  value = oci_core_security_list.public-security-list.display_name
}
output "public-security-list-OCID" {
  value = oci_core_security_list.public-security-list.id
}
  7. Save the outputs.tf file.
    Note

    Ensure that public-security-list.tf, private-security-list.tf, outputs.tf, provider.tf, and vcn-module.tf are in the same directory.
  8. Run your scripts. 
    terraform init
    terraform plan
    terraform apply

    When prompted for confirmation, enter yes, for the security list to be created.

  9. (Optional) Watch the creation from the Console.
    • Open the navigation menu and click Networking, and then click Virtual Cloud Networks.
    • Click <your-vcn-name>.
    • In the Resources section, click Security Lists.
    • Click security-list-for-public-subnet.
    • Click Ingress Rules.
    • Click Egress Rules.

Congratulations! You have successfully created another security list in your virtual cloud network.

Create a Private Subnet

In this section, you create a private subnet in your network and associate the private security list to this subnet. You also add the NAT route table that you made with the vcn module to this subnet. The NAT route table has one NAT gateway and one service gateway and is designed for private subnets. See the first diagram in the tutorial.

  1. In the tf-vcn directory, create a file called private-subnet.tf and add the following code to it: 
    # Source from https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_subnet

resource "oci_core_subnet" "vcn-private-subnet"{

  # Required
  compartment_id = "<compartment-ocid>"
  vcn_id = module.vcn.vcn_id
  cidr_block = "10.0.1.0/24"
 
  # Optional
  # Caution: For the route table id, use module.vcn.nat_route_id.
  # Do not use module.vcn.nat_gateway_id, because it is the OCID for the gateway and not the route table.
  route_table_id = module.vcn.nat_route_id
  security_list_ids = [oci_core_security_list.private-security-list.id]
  display_name = "private-subnet"
}
    • Replace <compartment-ocid>, with the information you gathered in the Gather Required Information section.
  2. Save the private-subnet.tf file.
  3. Add the following code to outputs.tf. 
    
# Outputs for private subnet

output "private-subnet-name" {
  value = oci_core_subnet.vcn-private-subnet.display_name
}
output "private-subnet-OCID" {
  value = oci_core_subnet.vcn-private-subnet.id
}
  4. Save the outputs.tf file.
    Note

    Ensure that private-subnet.tf is in the tf-vcn directory.
  5. Run your scripts. 
    terraform init
    terraform plan
    terraform apply

    When prompted for confirmation, enter yes, for the private subnet to be created.

  6. (Optional) Watch the creation from the Console:
    • Open the navigation menu and click Networking, and then click Virtual Cloud Networks.
    • Click <your-vcn-name>.
    • In the Resources section, click Subnets.
    • Click private-subnet.
    • In the Subnet Information section, check the Route Table: nat-route
    • In the Security Lists section, check the security-list-for-private-subnet.

Congratulations! You have successfully created a private subnet in your virtual cloud network.

Explanation
  • Go to Oracle Cloud Infrastructure Provider.
  • In the left navigation Filter, enter subnet.

    Results are returned for both Data Sources and Resources.

  • Under Core, go to Resources and click oci_core_subnet.
  • In the Argument Reference section, find all (Required) arguments:
    • compartment_id
    • vcn_id
    • cidr_block
  • Override the following optional arguments:
    • route_table_id
    • security_list_ids
    • display_name
  • Assign values to the arguments:
    • cidr_block
      • Refer to the first diagram in the tutorial.
    • route_table_id
      • The OCID of a route table.
      • To see the gateways for this route table, refer to the private subnet in the first diagram in the tutorial:
        • NAT Gateway
        • Service Gateway
      • Assign the route table with the NAT gateway that you created with the VCN module. This route table also contains a service gateway.
        Note

        • Use module.vcn.nat_route_id.
        • Do not use module.vcn.nat_gateway_id, because it returns the OCID of the gateway and not the route table.
      • (Optional): In the Console, go to your-vcn-name. Under Resources, click Route Tables and then nat-route. Review the rules of the route table and compare the Target Type values with the tutorial diagram.
    • security_list_ids
      • Returns a list of strings, each an OCID of a security list.
      • Get the OCID of the private security list.
      • Use square brackets for this argument. Example: 
        security_list_ids = ["sec-list-1","sec-list-2","sec-list-3"]
      • To assign one security list, place it inside the square brackets without any commas.
      • To refer to the security list created with another resource, use its local name. Example:
        security_list_ids = [oci_core_security_list.<local-name>.id]
security_list_ids = [oci_core_security_list.private-security-list.id]
Create a Public Subnet

In this section, you create a public subnet in your network and associate the public security list to this subnet. You also add the internet route table that you made with the VCN module to this subnet. The internet route table has an internet gateway and is designed for public subnets. See the first diagram in the tutorial.

  1. In the tf-vcn directory, create a file called public-subnet.tf and add the following code to it: 
    # Source from https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_subnet

resource "oci_core_subnet" "vcn-public-subnet"{

  # Required
  compartment_id = "<compartment-ocid>"
  vcn_id = module.vcn.vcn_id
  cidr_block = "10.0.0.0/24"
 
  # Optional
  route_table_id = module.vcn.ig_route_id
  security_list_ids = [oci_core_security_list.public-security-list.id]
  display_name = "public-subnet"
}
    • Replace <compartment-ocid>, with the information you gathered in the Gather Required Information section.
  2. Save the public-subnet.tf file.
  3. Add the following code to outputs.tf. 
    
# Outputs for public subnet

output "public-subnet-name" {
  value = oci_core_subnet.vcn-public-subnet.display_name
}
output "public-subnet-OCID" {
  value = oci_core_subnet.vcn-public-subnet.id
}
  4. Save the outputs.tf file.
    Note

    Ensure that public-subnet.tf is in the tf-vcn directory.
  5. Run your scripts. 
    terraform init
    terraform plan
    terraform apply

    When prompted for confirmation, enter yes, for the public subnet to be created.

  6. (Optional) Watch the creation from the Console:
    • Open the navigation menu and click Networking, and then click Virtual Cloud Networks.
    • Click <your-vcn-name>.
    • In the Resources section, click Subnets.
    • Click public-subnet.
    • In the Subnet Information section, check the Route Table: internet-route
    • In the Security Lists section, check the security-list-for-public-subnet.

Congratulations! You have successfully created a public subnet in your virtual cloud network.

Explanation
  • Go to Oracle Cloud Infrastructure Provider.
  • In the left navigation Filter, enter subnet.

    Results are returned for both Data Sources and Resources.

  • Under Core, go to Resources and click oci_core_subnet.
  • In the Argument Reference section, find all (Required) arguments:
    • compartment_id
    • vcn_id
    • cidr_block
  • Override the following optional arguments:
    • route_table_id
    • security_list_ids
    • display_name
  • Assign values to the arguments:
    • cidr_block
      • Refer to the first diagram in the tutorial.
    • route_table_id
      • The OCID of a route table.
      • To see the gateway for this route table, refer to the public subnet in the first diagram in the tutorial:
        • Internet Gateway
      • Assign the route table with an internet gateway that you created with the VCN module.
        Note

        • Use module.vcn.ig_route_id.
      • (Optional): In the Console, go to your-vcn-name. Under Resources, click Route Tables and then internet-route. Review the rules of the route table and compare the Target Type value with the tutorial diagram.
    • security_list_ids
      • Returns a list of strings, each an OCID of a security list.
      • Get the OCID of the public security list.
      • Use square brackets for this argument. Example: 
        security_list_ids = ["sec-list-1","sec-list-2","sec-list-3"]
      • To assign one security list, place it inside the square brackets without any commas.
      • To refer to the security list created with another resource, use its local name. Example:
        security_list_ids = [oci_core_security_list.<local-name>.id]
security_list_ids = [oci_core_security_list.public-security-list.id]

4. Recreate the Virtual Cloud Network (Optional)

Destroy your virtual cloud network. Then rerun your scripts to create another virtual cloud network.

Run the Scripts

In the previous sections, to check your work, you ran your scripts every time you declared a resource. Now, you run them together. You observe that the scripts are declarative and Terraform resolves the order in which it creates the objects.

  1. Destroy your instance with Terraform: 
    terraform destroy

    When prompted for confirmation, enter yes, for your resource to be destroyed.

  2. (Optional) Watch the termination from the Console:
    • Open the navigation menu and click Networking, and then click Virtual Cloud Networks.
    • Select your compartment.
    • Watch your virtual cloud network disappear from the list of networks.
  3. Make a new virtual cloud network with Terraform: 
    terraform init
    terraform plan
    terraform apply

    When prompted for confirmation, enter yes, for your resources to be created.

    After the network is created, the outputs that you defined are displayed in the output terminal.

    Note

    This new virtual cloud network has new OCIDs for its resources. This network is not the same one that you destroyed.
  4. (Optional) Watch the creation from the Console:
    • Open the navigation menu and click Networking, and then click Virtual Cloud Networks.
    • Select your compartment.
    • Watch your virtual cloud network appear in the list of networks.
  5. Display the outputs again. 
    terraform output

Congratulations! You have successfully created a virtual cloud network and its components using Terraform, in your Oracle Cloud Infrastructure account.

Note

This virtual cloud network has the same components as the virtual cloud network that you create in the Console, with the Start VCN Wizard. Choose the VCN with Internet Connectivity option. You can follow the tutorial steps to Set up a network with a wizard and then compare it with this network.

References: