Example Terraform Scripts for Network Resources

On Compute Cloud@Customer, you can use Terraform scripts to automate the creation of OKE network resources.

You can use the following Terraform scripts in your Terraform environment to automate the creation of the network resources that are required by OKE. For detailed information about Terraform, see Terraform. (Alternatively, you can create the network resources individually. See Configuring OKE Network Resources Individually)

Most of the values shown in these scripts, such as resource display names and CIDRs, are examples. Some ports must be specified as shown (see Workload Cluster Network Ports), and the OKE control plane subnet must be named control-plane. See Workload Cluster Network CIDR Ranges for comments about CIDR values.

Terraform Script Examples


This file creates several variables that are used to configure OKE network resources. Many of these variables aren't assigned values in this file. One port and five CIDRs are assigned values. The kubernetes_api_port, port 6443, is the port used to access the Kubernetes API. See also Workload Cluster Network Ports. The five CIDRs that are defined in this file are for the OKE VCN, worker subnet, worker load balancer subnet, control plane subnet, and control plane load balancer subnet.

variable "oci_config_file_profile" {
  type    = string
  default = "DEFAULT"

variable "tenancy_ocid" {
  description = "tenancy OCID"
  type        = string
  nullable    = false

variable "compartment_id" {
  description = "compartment OCID"
  type        = string
  nullable    = false

variable "vcn_name" {
  description = "VCN name"
  nullable    = false

variable "kube_client_cidr" {
  description = "CIDR of Kubernetes API clients"
  type        = string
  nullable    = false

variable "kubernetes_api_port" {
  description = "port used for kubernetes API"
  type        = string
  default     = "6443"

variable "worker_lb_ingress_rules" {
  description = "traffic allowed to worker load balancer"
  type = list(object({
    source   = string
    port_min = string
    port_max = string
  nullable = false

variable "worker_ingress_rules" {
  description = "traffic allowed directly to workers"
  type = list(object({
    source   = string
    port_min = string
    port_max = string
  nullable = true

# IP network addressing
variable "vcn_cidr" {
  default = ""

# Subnet for KMIs where kube-apiserver and other control
# plane applications run
variable "kmi_cidr" {
  description = "K8s control plane subnet CIDR"
  default     = ""

# Subnet for KMI load balancer 
variable "kmilb_cidr" {
  description = "K8s control plane LB subnet CIDR"
  default     = ""

# Subnet for worker nodes, max 128 nodes
variable "worker_cidr" {
  description = "K8s worker subnet CIDR"
  default     = ""

# Subnet for worker load balancer (for use by CCM)
variable "workerlb_cidr" {
  description = "K8s worker LB subnet CIDR"
  default     = ""


This file assigns values to some of the variables that were created in variables.tf. It also defines security list rules for accessing the worker nodes and the worker load balancer.

# Name of the profile to use from $HOME/.oci/config
oci_config_file_profile = "DEFAULT"

# Tenancy OCID from the oci_config_file_profile profile.
tenancy_ocid = "ocid1.tenancy.unique_ID"

# Compartment in which to build the OKE cluster.
compartment_id = "ocid1.compartment.unique_ID"

# Display name for the OKE VCN.
vcn_name = "oketest"

# CIDR of clients that are allowed to contact Kubernetes API server.
kube_client_cidr = ""

# Security list rules for who is allowed to contact the worker load balancer.
# Adjust these values for your applications.
worker_lb_ingress_rules = [
    source   = ""
    port_min = 80
    port_max = 80
    source   = ""
    port_min = 443
    port_max = 443

# Security list rules for who is allowed to contact worker nodes directly.
# This example allows to contact the default nodeport range.
worker_ingress_rules = [
    source   = ""
    port_min = 30000
    port_max = 32767


This file is required to use the OCI provider. The file initializes the OCI module using the OCI profile configuration file.

provider "oci" {
  config_file_profile = var.oci_config_file_profile
  tenancy_ocid        = var.tenancy_ocid


This file specifies the provider to use (oracle/oci), defines several security list rules, and initializes required local variables.

terraform {
  required_providers {
    oci = {
      source  = "oracle/oci"
      version = ">= 4.50.0"
      # If necessary, you can pin a specific version here
      #version = "4.71.0"
  required_version = ">= 1.1"

locals {
  kube_internal_cidr = ""
  worker_lb_ingress_rules = var.worker_lb_ingress_rules
  worker_ingress_rules = flatten([var.worker_ingress_rules, [
      source   = var.vcn_cidr
      port_min = 22
      port_max = 22
      source   = var.kube_client_cidr
      port_min = 30000
      port_max = 32767
      source   = var.workerlb_cidr
      port_min = 30000
      port_max = 32767
      source   = var.workerlb_cidr
      port_min = 10256
      port_max = 10256
      source   = var.kmi_cidr
      port_min = 22
      port_max = 65535
  worker_ingress_udp_rules = [
      source   = var.worker_cidr
      port_min = 8285
      port_max = 8472
      source   = var.kmi_cidr
      port_min = 8285
      port_max = 8472

  kmi_lb_ingress_rules = [
      source   = local.kube_internal_cidr
      port_min = var.kubernetes_api_port
      port_max = var.kubernetes_api_port
      source   = var.kube_client_cidr
      port_min = var.kubernetes_api_port
      port_max = var.kubernetes_api_port
      source   = var.vcn_cidr
      port_min = var.kubernetes_api_port
      port_max = var.kubernetes_api_port

  kmi_ingress_rules = [
      source   = var.kube_client_cidr
      port_min = var.kubernetes_api_port
      port_max = var.kubernetes_api_port
      source   = var.kmilb_cidr
      port_min = var.kubernetes_api_port
      port_max = var.kubernetes_api_port
      source   = var.worker_cidr
      port_min = 1024
      port_max = 65535
      source   = var.kmi_cidr
      port_min = 1024
      port_max = 65535
  kmi_ingress_udp_rules = [
      source   = var.worker_cidr
      port_min = 8285
      port_max = 8472
      source   = var.kmi_cidr
      port_min = 8285
      port_max = 8472


This file defines a VCN, NAT gateway, internet gateway, private route table, and public route table. The private route table is the default route table for the VCN.

resource "oci_core_vcn" "oke_vcn" {
  cidr_block     = var.vcn_cidr
  dns_label      = var.vcn_name
  compartment_id = var.compartment_id
  display_name   = "${var.vcn_name}-vcn"

resource "oci_core_nat_gateway" "vcn_ngs" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.oke_vcn.id
  display_name = "VCN nat g6s"

resource "oci_core_internet_gateway" "vcn_igs" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.oke_vcn.id
  display_name = "VCN i6t g6s"
  enabled      = true

resource "oci_core_default_route_table" "private" {
  manage_default_resource_id = oci_core_vcn.oke_vcn.default_route_table_id
  display_name               = "Default - private"

  route_rules {
    destination       = ""
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_nat_gateway.vcn_ngs.id

resource "oci_core_route_table" "public" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.oke_vcn.id
  display_name = "public"

  route_rules {
    destination       = ""
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_internet_gateway.vcn_igs.id


This file defines the security lists for both the worker subnet and the worker load balancer subnet. The rules for these security lists were defined in other Terraform files in this set.

resource "oci_core_security_list" "workerlb" {
  display_name   = "${var.vcn_name}-workerlb"
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.oke_vcn.id

  dynamic "ingress_security_rules" {
    iterator = port
    for_each = local.worker_lb_ingress_rules

    content {
      source      = port.value.source
      source_type = "CIDR_BLOCK"
      protocol    = "6"
      tcp_options {
        min = port.value.port_min
        max = port.value.port_max

resource "oci_core_security_list" "worker" {
  display_name   = "${var.vcn_name}-worker"
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.oke_vcn.id

  dynamic "ingress_security_rules" {
    iterator = port
    for_each = local.worker_ingress_rules

    content {
      source      = port.value.source
      source_type = "CIDR_BLOCK"
      protocol    = "6"
      tcp_options {
        min = port.value.port_min
        max = port.value.port_max

  dynamic "ingress_security_rules" {
    iterator = port
    for_each = local.worker_ingress_udp_rules

    content {
      source      = port.value.source
      source_type = "CIDR_BLOCK"
      protocol    = "17"
      udp_options {
        min = port.value.port_min
        max = port.value.port_max


This file defines the worker and worker load balancer subnets. The worker load balancer subnet is named service-lb.

resource "oci_core_subnet" "worker" {
  cidr_block     = var.worker_cidr
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.oke_vcn.id

  display_name               = "worker"
  dns_label                  = "worker"
  prohibit_public_ip_on_vnic = true

  security_list_ids = [

resource "oci_core_subnet" "worker_lb" {
  cidr_block     = var.workerlb_cidr
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.oke_vcn.id

  display_name               = "service-lb"
  dns_label                  = "servicelb"
  prohibit_public_ip_on_vnic = false
  route_table_id             = oci_core_route_table.public.id

  security_list_ids = [


This file defines the security lists for the control plane and control plane load balancer subnets. This file also defines updates to make to the default security list for the VCN.

resource "oci_core_default_security_list" "oke_vcn" {
  manage_default_resource_id = oci_core_vcn.oke_vcn.default_security_list_id

  egress_security_rules {
    destination      = ""
    destination_type = "CIDR_BLOCK"
    protocol         = "all"

  dynamic "ingress_security_rules" {
    iterator = icmp_type
    for_each = [3, 8, 11]

    content {
      # ping from VCN; unreachable/TTL from anywhere
      source      = (icmp_type.value == "8" ? var.vcn_cidr : "")
      source_type = "CIDR_BLOCK"
      protocol    = "1"
      icmp_options {
        type = icmp_type.value

resource "oci_core_security_list" "kmilb" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.oke_vcn.id

  display_name = "${var.vcn_name}-kmilb"

  dynamic "ingress_security_rules" {
    iterator = port
    for_each = local.kmi_lb_ingress_rules

    content {
      source      = port.value.source
      source_type = "CIDR_BLOCK"
      protocol    = "6"
      tcp_options {
        min = port.value.port_min
        max = port.value.port_max

resource "oci_core_security_list" "kmi" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.oke_vcn.id

  display_name = "${var.vcn_name}-kmi"

  dynamic "ingress_security_rules" {
    iterator = port
    for_each = local.kmi_ingress_rules

    content {
      source      = port.value.source
      source_type = "CIDR_BLOCK"
      protocol    = "6"
      tcp_options {
        min = port.value.port_min
        max = port.value.port_max

  dynamic "ingress_security_rules" {
    iterator = port
    for_each = local.kmi_ingress_udp_rules

    content {
      source      = port.value.source
      source_type = "CIDR_BLOCK"
      protocol    = "17"
      udp_options {
        min = port.value.port_min
        max = port.value.port_max


This file defines the control plane and control plane load balancer subnets.


The name of the kmi subnet must be exactly control-plane.

resource "oci_core_subnet" "kmi" {
  cidr_block                 = var.kmi_cidr
  compartment_id             = var.compartment_id
  display_name               = "control-plane"
  dns_label                  = "kmi"
  vcn_id                     = oci_core_vcn.oke_vcn.id
  prohibit_public_ip_on_vnic = true
  security_list_ids = [

resource "oci_core_subnet" "kmi_lb" {
  cidr_block                 = var.kmilb_cidr
  compartment_id             = var.compartment_id
  dns_label                  = "kmilb"
  vcn_id                     = oci_core_vcn.oke_vcn.id
  display_name               = "control-plane-endpoint"
  prohibit_public_ip_on_vnic = false
  route_table_id             = oci_core_route_table.public.id
  security_list_ids = [