refactor: consolidate security-group and security-group-rule

.gitignore

@@ -1,2 +1,3 @@
 .terraform*
 terraform.tfstate*
+.env

example/main.tf

@@ -1,32 +1,10 @@
-module "icmp_group" {
+module "security_groups" {
-  source     = "../security-group"
+  source = "../security-group"
-  project_id = var.project_id
-  name       = "icmp"
-}
 
-module "ssh_group" {
+  for_each = var.security_groups
-  source     = "../security-group"
-  project_id = var.project_id
-  name       = "ssh"
-}
 
-module "icmp_ingress" {
+  project_id  = var.project_id
-  source            = "../security-group-rule"
+  name        = each.value.name
-  project_id        = var.project_id
+  description = each.value.description
-  security_group_id = module.icmp_group.id
+  rules       = each.value.rules
-  rules             = var.icmp_ingress_rules
-}
-
-module "icmp_egress" {
-  source            = "../security-group-rule"
-  project_id        = var.project_id
-  security_group_id = module.icmp_group.id
-  rules             = var.icmp_egress_rules
-}
-
-module "ssh_ingress" {
-  source            = "../security-group-rule"
-  project_id        = var.project_id
-  security_group_id = module.ssh_group.id
-  rules             = var.ssh_ingress_rules
 }

example/terraform.tfvars

@@ -2,55 +2,58 @@ region                = "eu01"
 service_account_token = ""
 project_id            = ""
 
-# icmp_ingress_rules = [
+security_groups = {
-#   {
+  ssh_ingress_group = {
-#     direction   = "ingress"
+    name        = "ssh-ingress-group"
-#     description = "ICMP RULE 1"
+    description = "ALLOW SSH ingress"
-#     ip_range    = "0.0.0.0/0"
+    rules = [
-#     protocol = {
+      {
-#       name = "icmp"
+        description = "SSH RULE 1"
-#     }
+        direction   = "ingress"
-#     icmp_parameters = {
+        ether_type  = "IPv4"
-#       type = 8,
+        ip_range    = "0.0.0.0/0"
-#       code = 0
+        protocol = {
-#     }
+          name = "tcp"
-#   },
+        }
-#   {
+        port_range = {
-#     direction   = "ingress"
+          min = 22
-#     description = "ICMP RULE 2"
+          max = 22
-#     ip_range    = "1.2.3.4/0"
+        }
-#     protocol = {
+      },
-#       name = "icmp"
+    ]
-#     }
+  },
-#     icmp_parameters = {
-#       type = 8,
-#       code = 0
-#     }
-#   }
-# ]
 
-# ssh_ingress_rules = [
+  web_traffic_group = {
-#   {
+    name        = "web-traffic-group"
-#     direction   = "ingress"
+    description = "ALLOW WEB TRAFFIC ingress"
-#     description = "SSH RULE 1"
+    rules = [
-#     ip_range    = "10.1.10.1/24"
+      {
-#     port_range = {
+        description = "ALLOW ALL 80"
-#       min = 22,
+        direction   = "ingress"
-#       max = 22
+        ether_type  = "IPv4"
-#     }
+        ip_range    = "0.0.0.0/0"
-#     protocol = {
+        protocol = {
-#       name = "tcp"
+          name = "tcp"
-#     }
+        }
-#   }
+        port_range = {
-# ]
+          min = 80
+          max = 80
+        }
+      },
+      {
+        description = "ALLOW ALL 443"
+        direction   = "ingress"
+        ether_type  = "IPv4"
+        ip_range    = "0.0.0.0/0"
+        protocol = {
+          name = "tcp"
+        }
+        port_range = {
+          min = 443
+          max = 443
+        }
+      },
+    ]
+  },
 
-# icmp_egress_rules = [
+}
-#   {
-#     direction   = "egress"
-#     description = "ICMP EGRESS RULE 1"
-#     ip_range    = "0.0.0.0/0"
-#     protocol = {
-#       name = "icmp"
-#     }
-#   }
-# ]

example/variables.tf

@@ -15,14 +15,29 @@ variable "service_account_token" {
   type        = string
 }
 
-variable "icmp_ingress_rules" {
-  type = any
-}
 
-variable "icmp_egress_rules" {
+variable "security_groups" {
-  type = any
+  type = map(object({
-}
+    name        = optional(string)
-
+    description = optional(string)
-variable "ssh_ingress_rules" {
+    rules = list(object({
-  type = any
+      direction   = string
+      description = optional(string)
+      ether_type  = optional(string)
+      icmp_parameters = optional(object({
+        type = optional(number)
+        code = optional(number)
+      }))
+      ip_range = optional(string)
+      port_range = optional(object({
+        min = number
+        max = number
+      }))
+      protocol = optional(object({
+        name   = optional(string)
+        number = optional(number)
+      }))
+      remote_security_group_id = optional(string)
+    }))
+  }))
 }

security-group-rule/main.tf

@@ -1,19 +0,0 @@
-locals {
-  rule_count = length(var.rules)
-}
-
-resource "stackit_security_group_rule" "this" {
-  count = local.rule_count
-
-  project_id        = var.project_id
-  security_group_id = var.security_group_id
-
-  direction                = var.rules[count.index].direction
-  description              = var.rules[count.index].description
-  ether_type               = var.rules[count.index].ether_type
-  icmp_parameters          = var.rules[count.index].icmp_parameters
-  ip_range                 = var.rules[count.index].ip_range
-  port_range               = var.rules[count.index].port_range
-  protocol                 = var.rules[count.index].protocol
-  remote_security_group_id = var.rules[count.index].remote_security_group_id
-}

security-group-rule/output.tf

@@ -1,3 +0,0 @@
-output "rule_ids" {
-  value = stackit_security_group_rule.this[*].id
-}

security-group-rule/providers.tf

@@ -1,9 +0,0 @@
-terraform {
-  required_version = ">= 1.9.0"
-  required_providers {
-    stackit = {
-      source  = "stackitcloud/stackit"
-      version = "0.56.0"
-    }
-  }
-}

security-group-rule/variables.tf

@@ -1,39 +0,0 @@
-variable "project_id" {
-  type = string
-}
-
-variable "security_group_id" {
-  type = string
-}
-
-variable "rules" {
-  type = list(object({
-    direction   = string
-    description = optional(string)
-    ether_type  = optional(string)
-    icmp_parameters = optional(object({
-      type = optional(number)
-      code = optional(number)
-    }))
-    ip_range = optional(string)
-    port_range = optional(object({
-      min = number
-      max = number
-    }))
-    protocol = optional(object({
-      name   = optional(string)
-      number = optional(number)
-    }))
-    remote_security_group_id = optional(string)
-  }))
-  default = []
-
-  validation {
-    condition = alltrue([
-      for rule in var.rules : contains(["ingress", "egress"], rule.direction)
-      # ... need more validations 
-    ])
-    error_message = "Direction must be either \"ingress\" or \"egress\"."
-  }
-}
-

security-group/main.tf

@@ -1,5 +1,25 @@
+locals {
+  rule_count = length(var.rules)
+}
+
 resource "stackit_security_group" "this" {
   project_id  = var.project_id
   name        = var.name
-  description = var.description == null ? var.name : var.description
+  description = var.description
+}
+
+resource "stackit_security_group_rule" "rule" {
+  count = local.rule_count
+
+  direction         = var.rules[count.index].direction
+  project_id        = var.project_id
+  security_group_id = stackit_security_group.this.id
+
+  description              = var.rules[count.index].description
+  ether_type               = var.rules[count.index].ether_type
+  icmp_parameters          = var.rules[count.index].icmp_parameters
+  ip_range                 = var.rules[count.index].ip_range
+  port_range               = var.rules[count.index].port_range
+  protocol                 = var.rules[count.index].protocol
+  remote_security_group_id = var.rules[count.index].remote_security_group_id
 }

security-group/output.tf

@@ -1,7 +1,8 @@
-output "id" {
+output "security_group_id" {
-  value = stackit_security_group.this.security_group_id
+  value       = stackit_security_group.this.security_group_id
+  description = "ID of the security group"
 }
 
-output "name" {
+output "rule_ids" {
-  value = stackit_security_group.this.name
+  value = stackit_security_group_rule.rule[*].id
 }

security-group/variables.tf

@@ -1,12 +1,45 @@
 variable "project_id" {
-  type = string
+  type        = string
+  description = "The ID of the project where the security group will be created."
 }
 
 variable "name" {
-  type = string
+  type        = string
+  description = "Name of the security group."
 }
 
 variable "description" {
-  type    = string
+  type        = string
-  default = null
+  default     = ""
+  description = "Description of the security group. If not provided, it defaults to an empty string."
+}
+
+variable "rules" {
+  description = "List of rules to attach to this security-group"
+  type = list(object({
+    direction   = string
+    description = optional(string)
+    ether_type  = optional(string)
+    icmp_parameters = optional(object({
+      type = optional(number)
+      code = optional(number)
+    }))
+    ip_range = optional(string)
+    port_range = optional(object({
+      min = number
+      max = number
+    }))
+    protocol = optional(object({
+      name = optional(string)
+    }))
+    remote_security_group_id = optional(string)
+  }))
+  default = []
+  validation {
+    condition = alltrue([
+      for rule in var.rules : contains(["ingress", "egress"], rule.direction)
+      # ... need more validations 
+    ])
+    error_message = "Direction must be either \"ingress\" or \"egress\"."
+  }
 }