From fdccdc31cff109473ca33e0fc939f8172406c874 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Thu, 11 Apr 2024 23:37:08 +0200 Subject: [PATCH] feat(main): add secgroup and rules to module --- README.md | 17 ++++++++++++++--- main.tf | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ variables.tf | 32 +++++++++++++++++++++++++++----- 3 files changed, 90 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 98173ca..542c8e5 100644 --- a/README.md +++ b/README.md @@ -3,11 +3,16 @@ Terraform module to deploy a Neutron security-group in a given project. ### Requirements -No requirements. +| Name | Version | +|------|---------| +| [terraform](#requirement_terraform) | >= 1.0.0 | +| [openstack](#requirement_openstack) | ~> 1.54 | ### Providers -No providers. +| Name | Version | +|------|---------| +| [openstack](#provider_openstack) | ~> 1.54 | ### Modules @@ -15,7 +20,11 @@ No modules. ### Resources -No resources. +| Name | Type | +|------|------| +| [openstack_networking_secgroup_rule_v2.egress](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_rule_v2) | resource | +| [openstack_networking_secgroup_rule_v2.ingress](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_rule_v2) | resource | +| [openstack_networking_secgroup_v2.this](https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_v2) | resource | ### Inputs @@ -23,6 +32,8 @@ No resources. |------|-------------|------|---------|:--------:| | [delete_default_rules](#input_delete_default_rules) | Whether or not to delete the default egress rules applied to the security group.
Default rules allow egress ipv4 and ipv6 to 0.0.0.0/0. | `bool` | `false` | no | | [description](#input_description) | Description for the security group. | `string` | `null` | no | +| [egress_rules](#input_egress_rules) | The list of egress rules to attach to the security group.
You can use all regular entries from the openstack_networking_secgroup_rule_v2 resource
provided by the openstack provider, except region, which defaults to the region of the provider used,
and direction, which defaults to egress.
By default, if ethertype is not specified, it will by IPv4. | `map(map(string))` | n/a | yes | +| [ingress_rules](#input_ingress_rules) | The list of ingress rules to attach to the security group.
You can use all regular entries from the openstack_networking_secgroup_rule_v2 resource
provided by the openstack provider, except region, which defaults to the region of the provider used,
and direction, which defaults to ingress.
By default, if ethertype is not specified, it will by IPv4. | `map(map(string))` | n/a | yes | | [name](#input_name) | The name of the security group. | `string` | n/a | yes | | [tags](#input_tags) | A list of tags (strings) to apply to the security group | `list(string)` | `[]` | no | | [tenant_id](#input_tenant_id) | The tenant for which to create the security group.
This is only required for admins creating security groups for other tenant. | `string` | `null` | no | diff --git a/main.tf b/main.tf index e69de29..a38f26b 100644 --- a/main.tf +++ b/main.tf 
@@ -0,0 +1,49 @@
+terraform {
+ required_version = ">= 1.0.0"
+ required_providers {
+ openstack = {
+ source = "terraform-provider-openstack/openstack"
+ version = "~> 1.54"
+ }
+ }
+}
+
+resource "openstack_networking_secgroup_v2" "this" {
+ name = var.name
+ description = var.description
+ tenant_id = var.tenant_id
+ delete_default_rules = var.delete_default_rules
+ tags = var.tags
+}
+
+resource "openstack_networking_secgroup_rule_v2" "ingress" {
+ for_each = var.ingress_rules
+
+ direction = "ingress"
+ security_group_id = openstack_networking_secgroup_v2.this.id
+ tenant_id = var.tenant_id
+
+ description = try(each.value.description, false) ? each.value.description : null
+ ethertype = try(each.value.ethertype, false) ? each.value.ethertype : "IPv4"
+ protocol = try(each.value.protocol, false) ? each.value.protocol : "tcp"
+ port_range_min = try(each.value.port_range_min, false) ? each.value.port_range_min : null
+ port_range_max = try(each.value.port_range_max, false) ? each.value.port_range_max : null
+ remote_ip_prefix = try(each.value.remote_ip_prefix, false) ? each.value.remote_ip_prefix : null
+ remote_group_id = try(each.value.remote_group_id, false) ? each.value.remote_group_id : null
+}
+
+resource "openstack_networking_secgroup_rule_v2" "egress" {
+ for_each = var.egress_rules
+
+ direction = "egress"
+ security_group_id = openstack_networking_secgroup_v2.this.id
+ tenant_id = var.tenant_id
+
+ description = try(each.value.description, false) ? each.value.description : null
+ ethertype = try(each.value.ethertype, false) ? each.value.ethertype : "IPv4"
+ protocol = try(each.value.protocol, false) ? each.value.protocol : "tcp"
+ port_range_min = try(each.value.port_range_min, false) ? each.value.port_range_min : null
+ port_range_max = try(each.value.port_range_max, false) ? each.value.port_range_max : null
+ remote_ip_prefix = try(each.value.remote_ip_prefix, false) ? each.value.remote_ip_prefix : null
+ remote_group_id = try(each.value.remote_group_id, false) ? each.value.remote_group_id : null
+}
diff --git a/variables.tf b/variables.tf
index 3c9a77c..cdcd6b9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -9,6 +9,15 @@ variable "description" {
 default = null
 }
 
+variable "tenant_id" {
+ type = string
+ description = <<-EOT
+ The tenant for which to create the security group.
+ This is only required for admins creating security groups for other tenant.
+ EOT
+ default = null
+}
+
 variable "delete_default_rules" {
 type = bool
 description = <<-EOT
@@ -18,13 +27,26 @@ variable "delete_default_rules" {
 default = false
 }
 
-variable "tenant_id" {
- type = string
+variable "ingress_rules" {
+ type = map(map(string))
 description = <<-EOT
- The tenant for which to create the security group.
- This is only required for admins creating security groups for other tenant.
+ The list of ingress rules to attach to the security group.
+ You can use all regular entries from the openstack_networking_secgroup_rule_v2 resource
+ provided by the openstack provider, except region, which defaults to the region of the provider used,
+ and direction, which defaults to ingress.
+ By default, if ethertype is not specified, it will by IPv4.
+ EOT
+}
+
+variable "egress_rules" {
+ type = map(map(string))
+ description = <<-EOT
+ The list of egress rules to attach to the security group.
+ You can use all regular entries from the openstack_networking_secgroup_rule_v2 resource
+ provided by the openstack provider, except region, which defaults to the region of the provider used,
+ and direction, which defaults to egress.
+ By default, if ethertype is not specified, it will by IPv4.
 EOT
- default = null
 }
 
 variable "tags" {
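Review bot: Every `try(each.value.X, false) ? each.value.X : …` attribute in both rule resources uses the attribute's own string value as the conditional's condition, and because ingress_rules/egress_rules are `map(map(string))`, a key that is present yields a string such as `"tcp"`, `"22"` or `"10.0.0.0/8"` that Terraform cannot convert to bool, so the plan fails with a condition-type error for any rule that actually sets that key (and a literal `"false"` or `"0"`, where accepted, would silently collapse to the fallback). The fallback-on-missing intent is expressed directly with try's second argument, e.g. `protocol = try(each.value.protocol, "tcp")` and `remote_ip_prefix = try(each.value.remote_ip_prefix, null)`; the rewritten attribute block for the ingress resource is below and the egress resource takes the identical change. Also worth a comment on the ethertype line: an entry with an IPv6 `remote_ip_prefix` but no explicit `ethertype` is sent as IPv4, which the API will presumably reject, so `# ethertype defaults to IPv4; set ethertype = "IPv6" explicitly for IPv6 prefixes` (or deriving it from the prefix) would avoid a surprising failure.
```hcl
resource "openstack_networking_secgroup_rule_v2" "ingress" {
  # … unchanged: for_each, direction, security_group_id, tenant_id …
  description      = try(each.value.description, null)
  ethertype        = try(each.value.ethertype, "IPv4")
  protocol         = try(each.value.protocol, "tcp")
  port_range_min   = try(each.value.port_range_min, null)
  port_range_max   = try(each.value.port_range_max, null)
  remote_ip_prefix = try(each.value.remote_ip_prefix, null)
  remote_group_id  = try(each.value.remote_group_id, null)
}
```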
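Review bot: `ingress_rules` and `egress_rules` in the second variables.tf hunk have no `default`, so both become required inputs and a caller that only needs one direction must pass an explicit empty map; `default = {}` on each keeps `for_each` working and matches the "rules to attach" wording. Both descriptions also carry the typo `it will by IPv4` (should be `it will be IPv4`) and omit that, per main.tf, `protocol` falls back to `tcp` when unset, so add `If protocol is not specified, it defaults to tcp.` to each heredoc. Since a rule entry that sets neither `remote_ip_prefix` nor `remote_group_id` matches any remote address (Neutron's behaviour when both are omitted), a `validation` block on each variable — `condition = alltrue([for r in var.ingress_rules : contains(keys(r), "remote_ip_prefix") || contains(keys(r), "remote_group_id")])` with a matching `error_message` — would make an open-to-any rule an explicit choice rather than a silent default.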