sec group nested in network

2025-07-14 15:27:38 +02:00 · 2025-07-14 15:27:38 +02:00 · 4cf188696c
commit 4cf188696c
parent c335e50eff
2 changed files with 69 additions and 1 deletions
--- a/network/main.tf
+++ b/network/main.tf
@ -1,3 +1,22 @@
+locals {
+  sg_rule_list = flatten([
+    for sg_key, sg in var.security_groups : [
+      for idx, r in sg.rules : merge(r, {
+        sg_key = sg_key
+        uniq   = "${sg_key}-${idx}"
+      })
+    ]
+  ])
+
+  flattened_sg_rules = { for r in local.sg_rule_list : r.uniq => r }
+
+  created_sg_ids = values(stackit_security_group.sg)[*].id
+  all_sg_ids     = concat(
+                     local.created_sg_ids,
+                     var.nic_security_group_ids != null ? var.nic_security_group_ids : []
+                   )
+}
+
 resource "stackit_network" "this" {
  project_id = var.project_id
  name       = var.name
@ -16,6 +35,30 @@ resource "stackit_network" "this" {
  routed              = var.routed
 }

+resource "stackit_security_group" "sg" {
+  for_each   = var.security_groups
+
+  project_id = var.project_id
+  name       = each.value.name
+  description = each.value.description
+  labels      = each.value.labels
+  stateful    = each.value.stateful
+}
+
+resource "stackit_security_group_rule" "rule" {
+  for_each         = local.flattened_sg_rules
+
+  project_id       = var.project_id
+  security_group_id = stackit_security_group.sg[each.value.sg_key].id
+  direction        = each.value.direction
+  description      = each.value.description
+  ether_type       = each.value.ether_type
+  ip_range         = each.value.ip_range
+  protocol         = each.value.protocol
+  port_range       = each.value.port_range
+  remote_security_group_id = each.value.remote_security_group_id
+}
+
 resource "stackit_network_interface" "static" {
  count = var.nic_ipv4 == null ? 0 : 1

@ -26,6 +69,6 @@ resource "stackit_network_interface" "static" {
  labels             = var.nic_labels
  name               = var.nic_name != null ? var.nic_name : "${var.name}-nic"
  security           = var.nic_security
-  security_group_ids = var.nic_security ? var.nic_security_group_ids : null
+  security_group_ids = var.nic_security ? local.all_sg_ids : null
  allowed_addresses  = var.nic_security ? var.nic_allowed_addresses : null
 }
--- a/network/variables.tf
+++ b/network/variables.tf
@ -96,3 +96,28 @@ variable "nic_security_group_ids" {
  type    = list(string)
  default = []
 }
+
+variable "security_groups" {
+  type = map(object({
+    name        = string
+    description = optional(string)
+    labels      = optional(map(string))
+    stateful    = optional(bool)
+    rules = list(object({
+      description = optional(string)
+      direction   = string
+      ether_type  = optional(string)
+      ip_range    = optional(string)
+      protocol = optional(object({
+        name   = optional(string)
+        number = optional(number)
+      }))
+      port_range = optional(object({
+        min = number
+        max = number
+      }))
+      remote_security_group_id = optional(string)
+    }))
+  }))
+  default = {}
+}