Custom Module - Security Group - Openstack

Terraform
1

Hi all,

I hope somebody can help. I’ pretty new to Terraform and trying to write custom modules instead of typing every single resource.

Unfortunately I got stuck somehow.
The module should create multiple security groups with multiple rules and ingress-sources assigned to it.

I’m calling the module as follows:

module "secgroups" {
    source = "../../modules/secgroup"

    groups = {
        ssh = { 
            description = "Security Group for SSH"
            sources     = [ "sg-mgmt-web", "sg-mgmt-ntp" ]
            ports       = [ "22" ]
        }
        web = {
            description = "Security Group for HTTP(S)"
            sources     = [ "sg-mgmt-ssh", "sg-mgmt-ntp" ]
            ports       = [ "80", "443" ]
        }
        ntp = {
            description = "Security Group for HTTP(S)"
            sources     = [ "sg-mgmt-ssh", "sg-mgmt-web" ]
            ports       = [ "151" ]
        }
    }
}

I’ve already simplified it because typically I would use rules instead of ports and use a map with multplie key/value pairs. But I need to get to the next step.

My first step is to create the security groups: (that was simple)

resource "openstack_networking_secgroup_v2" "this" {
  for_each = var.groups
  name        = "sg-mgmt-${each.key}"
  description = "${each.value.description}"
}

The created resources are called like this:

module.secgroups.openstack_networking_secgroup_v2.this["ntp"]
module.secgroups.openstack_networking_secgroup_v2.this["ssh"]
module.secgroups.openstack_networking_secgroup_v2.this["web"]

But now I’m stuck at the next step:

Basically the resources definition for each rule would look as follows:

resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_1" {
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 80
  port_range_max    = 80
  remote_group_id =  openstack_networking_secgroup_v2.this.ssh.id
  security_group_id = openstack_networking_secgroup_v2.this.web.id
}

I would really appreaciate if you could guide me in the right direction.

Thank you,

2

Just as an aside, this syntax is redundant:

You should write:

  description = each.value.description

As for the main problem…

I think we need you to share some more details about what you’re trying to achieve. In particular, the proposed input:

has short names like ssh for the groups, but internally prepends a sg-mgmt- prefix, but then the user of the module needs to know about that when they fill in the sources? That seems confusing.

Is it a valid assumption that all sources will be security groups defined by the same module?

3

Thank you for the quick reply.

I’ll use the “web” as an example what I would like to get:

[
   {
      sg_group = "web"               
      source   = "sg-mgmt-ssh"
      port     = "80"

   }
   {
      sg_group = "web"               
      source   = "sg-mgmt-ntp"
      port     = "80"              
   }
   {
      sg_group = "web"               
      source   = "sg-mgmt-ssh"
      port     = "443"              
   }
   {
      sg_group = "web"               
      source   = "sg-mgmt-ntp"
      port     = "443"              
   }
]

I left out the description as I only need it for the first module.

Is it a valid assumption that all sources will be security groups defined by the same module?

yes, that’s correct. That’s why it is important that the secgroups are created first and then rules are attached to it.

has short names like ssh for the groups, but internally prepends a sg-mgmt- prefix, but then the user of the module needs to know about that when they fill in the sources? That seems confusing.

you’re right, as the naming convention will stay the same the short name could always be used. Prefix “sg-mgmt-” can be added later

4

I think I’ve figured it out :slight_smile:

locals {
  groups = {
    web = {
      description = "SecGroup SSH"
      sources = ["web", "ntp"]
      ports   = [ "22", "44" ]
    }
  }

  helper_groups = flatten([ for group, group_values in local.groups:
              [ for source_value in group_values.sources:
                [ for ports_value in group_values.ports:
                  {
                    secgroup    = "sg-mgmt-${group}"
                    # description = group_values.description
                    source      = "sg-mgmt-${source_value}"
                    port        = ports_value
                  }
                ]
              ]
  ])
}

output "list_of_maps2" {
  value = local.helper_groups
}

The output is now as follows:

+ list_of_maps2 = [
      + {
          + port     = "22"
          + secgroup = "sg-mgmt-web"
          + source   = "sg-mgmt-web"
        },
      + {
          + port     = "44"
          + secgroup = "sg-mgmt-web"
          + source   = "sg-mgmt-web"
        },
      + {
          + port     = "22"
          + secgroup = "sg-mgmt-web"
          + source   = "sg-mgmt-ntp"
        },
      + {
          + port     = "44"
          + secgroup = "sg-mgmt-web"
          + source   = "sg-mgmt-ntp"
        },
    ]