refactor: consolidate security-group and security-group-rule
This commit is contained in:
		
							parent
							
								
									3a722642b5
								
							
						
					
					
						commit
						7b16b3e7d5
					
				
					 11 changed files with 150 additions and 169 deletions
				
			
		
							
								
								
									
										1
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										1
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							|  | @ -1,2 +1,3 @@ | |||
| .terraform* | ||||
| terraform.tfstate* | ||||
| .env | ||||
|  | @ -1,32 +1,10 @@ | |||
| module "icmp_group" { | ||||
| module "security_groups" { | ||||
|   source = "../security-group" | ||||
|   project_id = var.project_id | ||||
|   name       = "icmp" | ||||
| } | ||||
| 
 | ||||
| module "ssh_group" { | ||||
|   source     = "../security-group" | ||||
|   project_id = var.project_id | ||||
|   name       = "ssh" | ||||
| } | ||||
|   for_each = var.security_groups | ||||
| 
 | ||||
| module "icmp_ingress" { | ||||
|   source            = "../security-group-rule" | ||||
|   project_id  = var.project_id | ||||
|   security_group_id = module.icmp_group.id | ||||
|   rules             = var.icmp_ingress_rules | ||||
| } | ||||
| 
 | ||||
| module "icmp_egress" { | ||||
|   source            = "../security-group-rule" | ||||
|   project_id        = var.project_id | ||||
|   security_group_id = module.icmp_group.id | ||||
|   rules             = var.icmp_egress_rules | ||||
| } | ||||
| 
 | ||||
| module "ssh_ingress" { | ||||
|   source            = "../security-group-rule" | ||||
|   project_id        = var.project_id | ||||
|   security_group_id = module.ssh_group.id | ||||
|   rules             = var.ssh_ingress_rules | ||||
|   name        = each.value.name | ||||
|   description = each.value.description | ||||
|   rules       = each.value.rules | ||||
| } | ||||
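Review bot: `name = each.value.name` in the new `security_groups` module block can pass `null`, because the root's `security_groups` type declares `name` as `optional(string)` while the module's `name` variable (in the security-group variables.tf of this same commit) has no default; Terraform treats a null argument to a variable without a default as unset and fails the plan for that instance. Either make `name = string` required in the root type or fall back to the map key, `name = coalesce(each.value.name, each.key)`, which also gives each group a predictable name. `description = each.value.description` is fine as written, since the module variable has a default and a null argument selects it.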
|  | @ -2,55 +2,58 @@ region                = "eu01" | |||
| service_account_token = "" | ||||
| project_id            = "" | ||||
| 
 | ||||
| # icmp_ingress_rules = [ | ||||
| #   { | ||||
| #     direction   = "ingress" | ||||
| #     description = "ICMP RULE 1" | ||||
| #     ip_range    = "0.0.0.0/0" | ||||
| #     protocol = { | ||||
| #       name = "icmp" | ||||
| #     } | ||||
| #     icmp_parameters = { | ||||
| #       type = 8, | ||||
| #       code = 0 | ||||
| #     } | ||||
| #   }, | ||||
| #   { | ||||
| #     direction   = "ingress" | ||||
| #     description = "ICMP RULE 2" | ||||
| #     ip_range    = "1.2.3.4/0" | ||||
| #     protocol = { | ||||
| #       name = "icmp" | ||||
| #     } | ||||
| #     icmp_parameters = { | ||||
| #       type = 8, | ||||
| #       code = 0 | ||||
| #     } | ||||
| #   } | ||||
| # ] | ||||
| security_groups = { | ||||
|   ssh_ingress_group = { | ||||
|     name        = "ssh-ingress-group" | ||||
|     description = "ALLOW SSH ingress" | ||||
|     rules = [ | ||||
|       { | ||||
|         description = "SSH RULE 1" | ||||
|         direction   = "ingress" | ||||
|         ether_type  = "IPv4" | ||||
|         ip_range    = "0.0.0.0/0" | ||||
|         protocol = { | ||||
|           name = "tcp" | ||||
|         } | ||||
|         port_range = { | ||||
|           min = 22 | ||||
|           max = 22 | ||||
|         } | ||||
|       }, | ||||
|     ] | ||||
|   }, | ||||
| 
 | ||||
| # ssh_ingress_rules = [ | ||||
| #   { | ||||
| #     direction   = "ingress" | ||||
| #     description = "SSH RULE 1" | ||||
| #     ip_range    = "10.1.10.1/24" | ||||
| #     port_range = { | ||||
| #       min = 22, | ||||
| #       max = 22 | ||||
| #     } | ||||
| #     protocol = { | ||||
| #       name = "tcp" | ||||
| #     } | ||||
| #   } | ||||
| # ] | ||||
|   web_traffic_group = { | ||||
|     name        = "web-traffic-group" | ||||
|     description = "ALLOW WEB TRAFFIC ingress" | ||||
|     rules = [ | ||||
|       { | ||||
|         description = "ALLOW ALL 80" | ||||
|         direction   = "ingress" | ||||
|         ether_type  = "IPv4" | ||||
|         ip_range    = "0.0.0.0/0" | ||||
|         protocol = { | ||||
|           name = "tcp" | ||||
|         } | ||||
|         port_range = { | ||||
|           min = 80 | ||||
|           max = 80 | ||||
|         } | ||||
|       }, | ||||
|       { | ||||
|         description = "ALLOW ALL 443" | ||||
|         direction   = "ingress" | ||||
|         ether_type  = "IPv4" | ||||
|         ip_range    = "0.0.0.0/0" | ||||
|         protocol = { | ||||
|           name = "tcp" | ||||
|         } | ||||
|         port_range = { | ||||
|           min = 443 | ||||
|           max = 443 | ||||
|         } | ||||
|       }, | ||||
|     ] | ||||
|   }, | ||||
| 
 | ||||
| # icmp_egress_rules = [ | ||||
| #   { | ||||
| #     direction   = "egress" | ||||
| #     description = "ICMP EGRESS RULE 1" | ||||
| #     ip_range    = "0.0.0.0/0" | ||||
| #     protocol = { | ||||
| #       name = "icmp" | ||||
| #     } | ||||
| #   } | ||||
| # ] | ||||
| } | ||||
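Review bot: The `ssh_ingress_group` rule sets `ip_range = "0.0.0.0/0"` for TCP/22, which would allow SSH from any IPv4 address to whatever the group is attached to; the commented example this replaces scoped SSH to `10.1.10.1/24`. Even in example tfvars, restrict SSH to a management CIDR or a bastion group via `remote_security_group_id`, e.g. `ip_range = "10.1.10.0/24"`, so that users who copy this file do not inherit an internet-exposed SSH port. The 80/443-from-anywhere rules in `web_traffic_group` match the usual intent for public HTTP and need no change. If the old `10.1.10.1/24` is reinstated, note it was a host address, not a network address; `10.1.10.0/24` is the canonical form.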
|  | @ -15,14 +15,29 @@ variable "service_account_token" { | |||
|   type        = string | ||||
| } | ||||
| 
 | ||||
| variable "icmp_ingress_rules" { | ||||
|   type = any | ||||
| } | ||||
| 
 | ||||
| variable "icmp_egress_rules" { | ||||
|   type = any | ||||
| } | ||||
| 
 | ||||
| variable "ssh_ingress_rules" { | ||||
|   type = any | ||||
| variable "security_groups" { | ||||
|   type = map(object({ | ||||
|     name        = optional(string) | ||||
|     description = optional(string) | ||||
|     rules = list(object({ | ||||
|       direction   = string | ||||
|       description = optional(string) | ||||
|       ether_type  = optional(string) | ||||
|       icmp_parameters = optional(object({ | ||||
|         type = optional(number) | ||||
|         code = optional(number) | ||||
|       })) | ||||
|       ip_range = optional(string) | ||||
|       port_range = optional(object({ | ||||
|         min = number | ||||
|         max = number | ||||
|       })) | ||||
|       protocol = optional(object({ | ||||
|         name   = optional(string) | ||||
|         number = optional(number) | ||||
|       })) | ||||
|       remote_security_group_id = optional(string) | ||||
|     })) | ||||
|   })) | ||||
| } | ||||
|  |  | |||
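Review bot: The `protocol` object in the new `security_groups` type accepts `number = optional(number)`, but the security-group module's `rules` variable added in this same commit declares `protocol` with only `name`, so a caller who sets `protocol.number` hands the module a value its type constraint does not carry; whether Terraform rejects it or silently drops it during conversion, the caller's intent is lost. Keep the two object types identical, either by adding `number = optional(number)` to the module's `rules` type or by removing it here, and consider extracting the shared rule type into a single place if the repository structure allows. While here, a `description` on the variable stating that keys are only used for addressing and `name` is what the provider sees would help callers.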
|  | @ -1,19 +0,0 @@ | |||
| locals { | ||||
|   rule_count = length(var.rules) | ||||
| } | ||||
| 
 | ||||
| resource "stackit_security_group_rule" "this" { | ||||
|   count = local.rule_count | ||||
| 
 | ||||
|   project_id        = var.project_id | ||||
|   security_group_id = var.security_group_id | ||||
| 
 | ||||
|   direction                = var.rules[count.index].direction | ||||
|   description              = var.rules[count.index].description | ||||
|   ether_type               = var.rules[count.index].ether_type | ||||
|   icmp_parameters          = var.rules[count.index].icmp_parameters | ||||
|   ip_range                 = var.rules[count.index].ip_range | ||||
|   port_range               = var.rules[count.index].port_range | ||||
|   protocol                 = var.rules[count.index].protocol | ||||
|   remote_security_group_id = var.rules[count.index].remote_security_group_id | ||||
| } | ||||
|  | @ -1,3 +0,0 @@ | |||
| output "rule_ids" { | ||||
|   value = stackit_security_group_rule.this[*].id | ||||
| } | ||||
|  | @ -1,9 +0,0 @@ | |||
| terraform { | ||||
|   required_version = ">= 1.9.0" | ||||
|   required_providers { | ||||
|     stackit = { | ||||
|       source  = "stackitcloud/stackit" | ||||
|       version = "0.56.0" | ||||
|     } | ||||
|   } | ||||
| } | ||||
|  | @ -1,39 +0,0 @@ | |||
| variable "project_id" { | ||||
|   type = string | ||||
| } | ||||
| 
 | ||||
| variable "security_group_id" { | ||||
|   type = string | ||||
| } | ||||
| 
 | ||||
| variable "rules" { | ||||
|   type = list(object({ | ||||
|     direction   = string | ||||
|     description = optional(string) | ||||
|     ether_type  = optional(string) | ||||
|     icmp_parameters = optional(object({ | ||||
|       type = optional(number) | ||||
|       code = optional(number) | ||||
|     })) | ||||
|     ip_range = optional(string) | ||||
|     port_range = optional(object({ | ||||
|       min = number | ||||
|       max = number | ||||
|     })) | ||||
|     protocol = optional(object({ | ||||
|       name   = optional(string) | ||||
|       number = optional(number) | ||||
|     })) | ||||
|     remote_security_group_id = optional(string) | ||||
|   })) | ||||
|   default = [] | ||||
| 
 | ||||
|   validation { | ||||
|     condition = alltrue([ | ||||
|       for rule in var.rules : contains(["ingress", "egress"], rule.direction) | ||||
|       # ... need more validations  | ||||
|     ]) | ||||
|     error_message = "Direction must be either \"ingress\" or \"egress\"." | ||||
|   } | ||||
| } | ||||
| 
 | ||||
|  | @ -1,5 +1,25 @@ | |||
| locals { | ||||
|   rule_count = length(var.rules) | ||||
| } | ||||
| 
 | ||||
| resource "stackit_security_group" "this" { | ||||
|   project_id  = var.project_id | ||||
|   name        = var.name | ||||
|   description = var.description == null ? var.name : var.description | ||||
|   description = var.description | ||||
| } | ||||
| 
 | ||||
| resource "stackit_security_group_rule" "rule" { | ||||
|   count = local.rule_count | ||||
| 
 | ||||
|   direction         = var.rules[count.index].direction | ||||
|   project_id        = var.project_id | ||||
|   security_group_id = stackit_security_group.this.id | ||||
| 
 | ||||
|   description              = var.rules[count.index].description | ||||
|   ether_type               = var.rules[count.index].ether_type | ||||
|   icmp_parameters          = var.rules[count.index].icmp_parameters | ||||
|   ip_range                 = var.rules[count.index].ip_range | ||||
|   port_range               = var.rules[count.index].port_range | ||||
|   protocol                 = var.rules[count.index].protocol | ||||
|   remote_security_group_id = var.rules[count.index].remote_security_group_id | ||||
| } | ||||
|  |  | |||
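Review bot: `security_group_id = stackit_security_group.this.id` wires each rule to the resource's `id`, while the module's new outputs expose `stackit_security_group.this.security_group_id` as the group's identifier; if the provider's `id` is a composite (project plus group) rather than the bare group ID, every rule would reference the wrong value, so use the same attribute in both places: `security_group_id = stackit_security_group.this.security_group_id`. Separately, `count = local.rule_count` gives rules positional identity, so inserting or removing one entry in `var.rules` re-indexes and destroy/recreates every rule after it on the next apply, which for ingress rules means a transient window where access differs from the declared state; a `for_each` keyed by a stable per-rule identifier supplied by the caller would avoid that churn. `local.rule_count` is used only here and could be inlined as `count = length(var.rules)`.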
|  | @ -1,7 +1,8 @@ | |||
| output "id" { | ||||
| output "security_group_id" { | ||||
|   value       = stackit_security_group.this.security_group_id | ||||
|   description = "ID of the security group" | ||||
| } | ||||
| 
 | ||||
| output "name" { | ||||
|   value = stackit_security_group.this.name | ||||
| output "rule_ids" { | ||||
|   value = stackit_security_group_rule.rule[*].id | ||||
| } | ||||
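Review bot: The new `rule_ids` output has no `description`, unlike `security_group_id` directly above it; add `description = "IDs of the security group rules created from var.rules, in list order"`. Renaming `id` to `security_group_id` and dropping the `name` output is a breaking change for any consumer of this module outside this repository; if that matters, keep `output "id"` as a deprecated alias for one release so existing references do not fail at plan time.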
|  | @ -1,12 +1,45 @@ | |||
| variable "project_id" { | ||||
|   type        = string | ||||
|   description = "The ID of the project where the security group will be created." | ||||
| } | ||||
| 
 | ||||
| variable "name" { | ||||
|   type        = string | ||||
|   description = "Name of the security group." | ||||
| } | ||||
| 
 | ||||
| variable "description" { | ||||
|   type        = string | ||||
|   default = null | ||||
|   default     = "" | ||||
|   description = "Description of the security group. If not provided, it defaults to an empty string." | ||||
| } | ||||
| 
 | ||||
| variable "rules" { | ||||
|   description = "List of rules to attach to this security-group" | ||||
|   type = list(object({ | ||||
|     direction   = string | ||||
|     description = optional(string) | ||||
|     ether_type  = optional(string) | ||||
|     icmp_parameters = optional(object({ | ||||
|       type = optional(number) | ||||
|       code = optional(number) | ||||
|     })) | ||||
|     ip_range = optional(string) | ||||
|     port_range = optional(object({ | ||||
|       min = number | ||||
|       max = number | ||||
|     })) | ||||
|     protocol = optional(object({ | ||||
|       name = optional(string) | ||||
|     })) | ||||
|     remote_security_group_id = optional(string) | ||||
|   })) | ||||
|   default = [] | ||||
|   validation { | ||||
|     condition = alltrue([ | ||||
|       for rule in var.rules : contains(["ingress", "egress"], rule.direction) | ||||
|       # ... need more validations  | ||||
|     ]) | ||||
|     error_message = "Direction must be either \"ingress\" or \"egress\"." | ||||
|   } | ||||
| } | ||||
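Review bot: The only validation on `rules` checks `direction`, and the `# ... need more validations` comment carried over from the deleted security-group-rule module is left in place. A rule can currently set both `ip_range` and `remote_security_group_id`, or a `port_range` whose `min` exceeds `max`, and neither is caught until the provider rejects it at apply time; the validations below reject them at plan time (whether a rule may omit both remote selectors is provider-defined, so confirm before tightening to exactly-one). The conditional in the second check is deliberate: Terraform's `||` evaluates both operands, so `rule.port_range == null || rule.port_range.min <= ...` would error on a null `port_range`. Also, `protocol` here lacks the `number` attribute that the root's `security_groups` type declares in this same commit, so the two types should be aligned.
```hcl
  # … unchanged: existing direction validation …

  validation {
    condition = alltrue([
      for rule in var.rules : !(rule.ip_range != null && rule.remote_security_group_id != null)
    ])
    error_message = "A rule may set ip_range or remote_security_group_id, not both."
  }

  validation {
    condition = alltrue([
      for rule in var.rules : rule.port_range == null ? true : rule.port_range.min <= rule.port_range.max
    ])
    error_message = "port_range.min must be less than or equal to port_range.max."
  }
```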