professional-service-best-practices/terraform-modules
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add logic for nic, nic w. custom ipv4, creation of and attachement of sec grps to nic

Browse source
This commit is contained in:
Maximilian_Schlenz 2025-07-15 15:42:38 +02:00
parent bb841ad2a3
commit 7345619f23
13 changed files with 270 additions and 107 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

69
example/main.tf
View file

@ -1,9 +1,12 @@
module "project" { module "project" {
source = "../project" source = "../project"
name = "project-1" name = "project-123"
labels = {
"example" = "test"
}
organization_id = var.organization_id organization_id = var.organization_id
owner_email = "maximilian.schlenz@stackit.cloud" owner_email = "maximilian.schlenz@stackit.cloud"
} }
module "security_groups" { module "security_groups" {
@ -13,10 +16,47 @@ module "security_groups" {
project_id = module.project.project_id project_id = module.project.project_id
name = each.value.name name = each.value.name
description = each.value.description description = each.value.description != null ? each.value.description : ""
rules = each.value.rules rules = each.value.rules
} }
locals {
security_group_ids_by_name = {
for key, m in module.security_groups :
m.name => m.security_group_id
}
}
module "net" {
depends_on = [module.security_groups]
source = "../network"
for_each = var.networks
project_id = module.project.project_id
name = each.value.name
# IPv4 and IPv6 settings
ipv4_gateway = each.value.ipv4_gateway
ipv4_nameservers = each.value.ipv4_nameservers
ipv4_prefix = each.value.ipv4_prefix
ipv4_prefix_length = each.value.ipv4_prefix_length
ipv6_gateway = each.value.ipv6_gateway
ipv6_nameservers = each.value.ipv6_nameservers
ipv6_prefix = each.value.ipv6_prefix
ipv6_prefix_length = each.value.ipv6_prefix_length
no_ipv4_gateway = each.value.no_ipv4_gateway
no_ipv6_gateway = each.value.no_ipv6_gateway
routed = each.value.routed
labels = each.value.labels
# NIC options
nics = each.value.nics
security_group_ids_by_name = local.security_group_ids_by_name
}
# module "postgres" { # module "postgres" {
# source = "../postgres" # source = "../postgres"
@ -34,29 +74,6 @@ module "security_groups" {
# databases = each.value.databases # databases = each.value.databases
# } # }
module "net" {
depends_on = [module.security_groups]
source = "../network"
for_each = var.networks
project_id = module.project.project_id
name = each.value.name
ipv4_nameservers = each.value.ipv4_nameservers
labels = each.value.labels
nic_ipv4 = each.value.nic_ipv4
nic_name = each.value.nic_name
nic_allowed_addresses = each.value.nic_allowed_addresses
nic_labels = each.value.nic_labels
nic_security = each.value.nic_security
nic_security_group_ids = [
module.security_groups["ssh_ingress_group"].security_group_id,
]
}
# module "ske" { # module "ske" {
# source = "../ske" # source = "../ske"

2
example/providers.tf
View file

@ -3,7 +3,7 @@ terraform {
required_providers { required_providers {
stackit = { stackit = {
source = "stackitcloud/stackit" source = "stackitcloud/stackit"
version = "0.56.0" version = "0.54.0"
} }
} }
} }

52
example/terraform.tfvars
View file

@ -1,7 +1,7 @@
region = "eu01" region = "eu01"
service_account_token = "" service_account_token = ""
project_id = "" project_id = ""
organization_id = "03a34540-3c1a-4794-b2c6-7111ecf824ef" organization_id = "03a34540-3c1a-4794-b2c6-7111ecf824ef"
service_account_key_path = "/Users/schlenz/sa-key-dd5fa2c9-1651-4da7-8404-9ac4fe9bc3d5.json" service_account_key_path = "/Users/schlenz/sa-key-dd5fa2c9-1651-4da7-8404-9ac4fe9bc3d5.json"
security_groups = { security_groups = {
@ -91,21 +91,51 @@ security_groups = {
# } # }
networks = { networks = {
# web = { wan_network = {
# name = "web-net" name = "wan_network"
# ipv4_nameservers = ["1.1.1.1", "8.8.8.8"] ipv4_nameservers = ["1.1.1.1", "8.8.8.8"]
# labels = { ipv4_prefix_length = 24
# env = "prod" ipv4_prefix = "10.219.0.0/24"
# } routed = true
# } }
lan_network1 = {
name = "lan_network1"
ipv4_prefix_length = 24
ipv4_prefix = "10.220.1.0/24"
routed = true
nics = {
p2_lan1 = {
nic_name = "P2LAN1"
nic_ipv4 = "10.220.1.32"
nic_security = true
nic_security_group_names = ["ssh-ingress-group"]
}
}
}
lan_network2 = {
name = "lan_network2"
ipv4_prefix_length = 24
ipv4_prefix = "10.221.0.0/24"
routed = true
}
lan_network3 = {
name = "lan_network3"
ipv4_nameservers = ["1.1.1.1", "8.8.8.8"]
ipv4_prefix_length = 24
ipv4_prefix = "10.223.3.0/24"
routed = true
}
wan = {
name = "MGMT"
ipv4_nameservers = ["1.1.1.1", "8.8.8.8"]
ipv4_prefix_length = 24
nic_ipv4 = "10.224.0.254"
}
db = { db = {
name = "db-net" name = "db-net"
nic_ipv4 = "10.0.0.126" nic_ipv4 = "10.0.0.126"
nic_security = true nic_security = true
security_groups = {
}
} }
} }

38
example/variables.tf
View file

@ -77,23 +77,45 @@ variable "security_groups" {
# })) # }))
# } # }
# Network definition map
variable "networks" { variable "networks" {
type = map(object({ type = map(object({
name = string name = string
ipv4_nameservers = optional(list(string)) # IPv4 settings
labels = optional(map(string)) ipv4_gateway = optional(string)
ipv4_nameservers = optional(list(string))
ipv4_prefix = optional(string)
ipv4_prefix_length = optional(number)
nic_ipv4 = optional(string) # IPv6 settings
nic_name = optional(string) ipv6_gateway = optional(string)
ipv6_nameservers = optional(list(string))
ipv6_prefix = optional(string)
ipv6_prefix_length = optional(number)
nic_allowed_addresses = optional(list(string)) # Flags & labels
nic_labels = optional(map(string)) labels = optional(map(string))
nic_security = optional(bool) no_ipv4_gateway = optional(bool)
nic_security_group_ids = optional(list(string)) no_ipv6_gateway = optional(bool)
routed = optional(bool)
# NICspecific options
nics = optional(map(object({
nic_ipv4 = optional(string)
nic_name = string
nic_allowed_addresses = optional(list(string))
nic_labels = optional(map(string))
nic_security = optional(bool)
nic_security_group_ids = optional(list(string))
nic_security_group_names = optional(list(string))
})))
})) }))
default = {}
} }
# variable "ske_clusters" { # variable "ske_clusters" {
# type = map(object({ # type = map(object({
# name = string # name = string

44
network/main.tf
View file

@ -1,31 +1,41 @@
resource "stackit_network" "this" { resource "stackit_network" "this" {
project_id = var.project_id project_id = var.project_id
name = var.name name = var.name
labels = var.labels
ipv4_gateway = var.routed == false ? var.ipv4_gateway : null # IPv4 settings
ipv4_gateway = var.ipv4_gateway
ipv4_nameservers = var.ipv4_nameservers ipv4_nameservers = var.ipv4_nameservers
ipv4_prefix = var.ipv4_prefix ipv4_prefix = var.ipv4_prefix
ipv4_prefix_length = var.ipv4_prefix_length ipv4_prefix_length = var.ipv4_prefix_length
ipv6_gateway = var.routed == false ? var.ipv6_gateway : null
# IPv6 settings
ipv6_gateway = var.ipv6_gateway
ipv6_nameservers = var.ipv6_nameservers ipv6_nameservers = var.ipv6_nameservers
ipv6_prefix = var.ipv6_prefix ipv6_prefix = var.ipv6_prefix
ipv6_prefix_length = var.ipv6_prefix_length ipv6_prefix_length = var.ipv6_prefix_length
labels = var.labels
no_ipv4_gateway = var.no_ipv4_gateway no_ipv4_gateway = var.no_ipv4_gateway
no_ipv6_gateway = var.no_ipv6_gateway no_ipv6_gateway = var.no_ipv6_gateway
routed = var.routed routed = var.routed
} }
resource "stackit_network_interface" "static" { resource "stackit_network_interface" "nics" {
count = var.nic_ipv4 == null ? 0 : 1 for_each = var.nics != null ? var.nics : {}
network_id = stackit_network.this.network_id
project_id = var.project_id project_id = var.project_id
network_id = stackit_network.this.network_id
ipv4 = var.nic_ipv4 name = each.value.nic_name
labels = var.nic_labels ipv4 = each.value.nic_ipv4
name = var.nic_name != null ? var.nic_name : "${var.name}-nic" allowed_addresses = each.value.nic_allowed_addresses
security = var.nic_security labels = each.value.nic_labels
security_group_ids = var.nic_security ? var.nic_security_group_ids : null security = each.value.nic_security
allowed_addresses = var.nic_security ? var.nic_allowed_addresses : null security_group_ids = (
each.value.nic_security_group_ids != null ? each.value.nic_security_group_ids :
each.value.nic_security_group_names != null ?
[for name in each.value.nic_security_group_names : var.security_group_ids_by_name[name]]
: []
)
} }

9
network/output.tf Normal file
View file

@ -0,0 +1,9 @@
output "network_id" {
description = "Network ID"
value = stackit_network.this.network_id
}
output "network_name" {
description = "Network name"
value = stackit_network.this.name
}

3
network/providers.tf
View file

@ -1,10 +1,9 @@
terraform { terraform {
required_version = ">= 1.9.0" required_version = ">= 1.9.0"
required_providers { required_providers {
stackit = { stackit = {
source = "stackitcloud/stackit" source = "stackitcloud/stackit"
version = "0.56.0" version = "0.54.0"
} }
} }
} }

21
network/variables.tf
View file

@ -63,7 +63,7 @@ variable "no_ipv6_gateway" {
variable "routed" { variable "routed" {
type = bool type = bool
default = true # default = true
} }
variable "nic_allowed_addresses" { variable "nic_allowed_addresses" {
@ -97,7 +97,20 @@ variable "nic_security_group_ids" {
default = [] default = []
} }
variable "nic_security_group_names" { variable "nics" {
type = list(string) type = map(object({
default = [] nic_ipv4 = optional(string)
nic_name = optional(string)
nic_allowed_addresses = optional(list(string))
nic_labels = optional(map(string))
nic_security = optional(bool)
nic_security_group_ids = optional(list(string))
nic_security_group_names = optional(list(string))
}))
default = {}
}
variable "security_group_ids_by_name" {
description = "Map of security-group names -> IDs"
type = map(string)
} }

2
project/output.tf
View file

@ -1,4 +1,4 @@
output "project_id" { output "project_id" {
value = stackit_resourcemanager_project.this.id value = stackit_resourcemanager_project.this.project_id
description = "ID of the project" description = "ID of the project"
} }

2
project/providers.tf
View file

@ -3,7 +3,7 @@ terraform {
required_providers { required_providers {
stackit = { stackit = {
source = "stackitcloud/stackit" source = "stackitcloud/stackit"
version = "0.56.0" version = "0.54.0"
} }
} }
} }

7
security-group/output.tf
View file

@ -1,8 +1,9 @@
output "security_group_id" { output "security_group_id" {
value = stackit_security_group.this.security_group_id
description = "ID of the security group" description = "ID of the security group"
value = stackit_security_group.this.security_group_id
} }
output "rule_ids" { output "name" {
value = stackit_security_group_rule.rule[*].id description = "Name of the security group"
value = stackit_security_group.this.name
} }

2
security-group/providers.tf
View file

@ -3,7 +3,7 @@ terraform {
required_providers { required_providers {
stackit = { stackit = {
source = "stackitcloud/stackit" source = "stackitcloud/stackit"
version = "0.56.0" version = "0.54.0"
} }
} }
} }

122
security-group/variables.tf
View file

@ -1,45 +1,107 @@
variable "project_id" { variable "project_id" {
description = "STACKIT project ID in which to create resources."
type = string type = string
description = "The ID of the project where the security group will be created."
} }
variable "name" { variable "name" {
description = "Name of the network."
type = string type = string
description = "Name of the security group."
} }
variable "description" { variable "description" {
type = string type = string
default = "" default = ""
description = "Description of the security group. If not provided, it defaults to an empty string." }
variable "ipv4_gateway" {
description = "IPv4 gateway for the network. If null, the first IP in the CIDR is used."
type = string
nullable = true
default = null
}
variable "ipv4_nameservers" {
description = "List of IPv4 nameservers."
type = list(string)
nullable = true
default = null
}
variable "ipv4_prefix" {
description = "IPv4 prefix (CIDR) for the network."
type = string
nullable = true
default = null
}
variable "ipv4_prefix_length" {
description = "IPv4 prefix length for the network."
type = number
nullable = true
default = null
}
variable "ipv6_gateway" {
description = "IPv6 gateway for the network. If null, the first IP in the CIDR is used."
type = string
nullable = true
default = null
}
variable "ipv6_nameservers" {
description = "List of IPv6 nameservers."
type = list(string)
nullable = true
default = null
}
variable "ipv6_prefix" {
description = "IPv6 prefix (CIDR) for the network."
type = string
nullable = true
default = null
}
variable "ipv6_prefix_length" {
description = "IPv6 prefix length for the network."
type = number
nullable = true
default = null
}
variable "labels" {
description = "Key/value labels to attach to the network."
type = map(string)
nullable = true
default = null
}
variable "no_ipv4_gateway" {
description = "If true, suppress creation of an IPv4 gateway."
type = bool
default = false
}
variable "no_ipv6_gateway" {
description = "If true, suppress creation of an IPv6 gateway."
type = bool
default = false
}
variable "routed" {
description = "If true, the network is routed."
type = bool
default = false
}
variable "routing_table_id" {
description = "Routing table ID to associate with this network (experimental)."
type = string
nullable = true
default = null
} }
variable "rules" { variable "rules" {
description = "List of rules to attach to this security-group" description = "List of routing rules to apply to this network (experimental)."
type = list(object({ type = any
direction = string
description = optional(string)
ether_type = optional(string)
icmp_parameters = optional(object({
type = optional(number)
code = optional(number)
}))
ip_range = optional(string)
port_range = optional(object({
min = number
max = number
}))
protocol = optional(object({
name = optional(string)
}))
remote_security_group_id = optional(string)
}))
default = []
validation {
condition = alltrue([
for rule in var.rules : contains(["ingress", "egress"], rule.direction)
# ... need more validations
])
error_message = "Direction must be either \"ingress\" or \"egress\"."
}
} }