[Openstack] Add security groups not managed by terraform (#6865)

* add custom sec groups

* make sure groups are applied only when created

* fix spacing

contrib/terraform/openstack/kubespray.tf

@@ -80,6 +80,8 @@ module "compute" {
   wait_for_floatingip                          = var.wait_for_floatingip
   use_access_ip                                = var.use_access_ip
   use_server_groups                            = var.use_server_groups
+  extra_sec_groups                             = var.extra_sec_groups
+  extra_sec_groups_name                        = var.extra_sec_groups_name
 
   network_id = module.network.router_id
 }

contrib/terraform/openstack/modules/compute/main.tf

@@ -17,6 +17,13 @@ resource "openstack_networking_secgroup_v2" "k8s_master" {
   delete_default_rules = true
 }
 
+resource "openstack_networking_secgroup_v2" "k8s_master_extra" {
+  count                = "%{if var.extra_sec_groups}1%{else}0%{endif}"
+  name                 = "${var.cluster_name}-k8s-master-${var.extra_sec_groups_name}"
+  description          = "${var.cluster_name} - Kubernetes Master nodes - rules not managed by terraform"
+  delete_default_rules = true
+}
+
 resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
   count             = length(var.master_allowed_remote_ips)
   direction         = "ingress"
@@ -95,6 +102,13 @@ resource "openstack_networking_secgroup_v2" "worker" {
   delete_default_rules = true
 }
 
+resource "openstack_networking_secgroup_v2" "worker_extra" {
+  count                = "%{if var.extra_sec_groups}1%{else}0%{endif}"
+  name                 = "${var.cluster_name}-k8s-worker-${var.extra_sec_groups_name}"
+  description          = "${var.cluster_name} - Kubernetes worker nodes - rules not managed by terraform"
+  delete_default_rules = true
+}
+
 resource "openstack_networking_secgroup_rule_v2" "worker" {
   count             = length(var.worker_allowed_ports)
   direction         = "ingress"
@@ -124,6 +138,21 @@ resource "openstack_compute_servergroup_v2" "k8s_etcd" {
   policies = ["anti-affinity"]
 }
 
+locals {
+# master groups
+  master_sec_groups = compact([
+    openstack_networking_secgroup_v2.k8s_master.name,
+    openstack_networking_secgroup_v2.k8s.name,
+    var.extra_sec_groups ?openstack_networking_secgroup_v2.k8s_master_extra[0].name : "",
+  ])
+# worker groups
+  worker_sec_groups = compact([
+    openstack_networking_secgroup_v2.k8s.name,
+    openstack_networking_secgroup_v2.worker.name,
+    var.extra_sec_groups ? openstack_networking_secgroup_v2.k8s_master_extra[0].name : "",
+  ])
+}
+
 resource "openstack_compute_instance_v2" "bastion" {
   name       = "${var.cluster_name}-bastion-${count.index + 1}"
   count      = var.number_of_bastions
@@ -189,9 +218,7 @@ resource "openstack_compute_instance_v2" "k8s_master" {
     name = var.network_name
   }
 
-  security_groups = [openstack_networking_secgroup_v2.k8s_master.name,
-    openstack_networking_secgroup_v2.k8s.name,
-  ]
+  security_groups = local.master_sec_groups
 
   dynamic "scheduler_hints" {
     for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
@@ -238,9 +265,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
     name = var.network_name
   }
 
-  security_groups = [openstack_networking_secgroup_v2.k8s_master.name,
-    openstack_networking_secgroup_v2.k8s.name,
-  ]
+  security_groups = local.master_sec_groups
 
   dynamic "scheduler_hints" {
     for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
@@ -327,9 +352,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
     name = var.network_name
   }
 
-  security_groups = [openstack_networking_secgroup_v2.k8s_master.name,
-    openstack_networking_secgroup_v2.k8s.name,
-  ]
+  security_groups = local.master_sec_groups
 
   dynamic "scheduler_hints" {
     for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
@@ -371,9 +394,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
     name = var.network_name
   }
 
-  security_groups = [openstack_networking_secgroup_v2.k8s_master.name,
-    openstack_networking_secgroup_v2.k8s.name,
-  ]
+  security_groups = local.master_sec_groups
 
   dynamic "scheduler_hints" {
     for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
@@ -414,9 +435,7 @@ resource "openstack_compute_instance_v2" "k8s_node" {
     name = var.network_name
   }
 
-  security_groups = [openstack_networking_secgroup_v2.k8s.name,
-    openstack_networking_secgroup_v2.worker.name,
-  ]
+  security_groups = local.worker_sec_groups
 
   dynamic "scheduler_hints" {
     for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_node[0]] : []
@@ -461,9 +480,7 @@ resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
     name = var.network_name
   }
 
-  security_groups = [openstack_networking_secgroup_v2.k8s.name,
-    openstack_networking_secgroup_v2.worker.name,
-  ]
+  security_groups = local.worker_sec_groups
 
   dynamic "scheduler_hints" {
     for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_node[0]] : []
@@ -504,9 +521,7 @@ resource "openstack_compute_instance_v2" "k8s_nodes" {
     name = var.network_name
   }
 
-  security_groups = [openstack_networking_secgroup_v2.k8s.name,
-    openstack_networking_secgroup_v2.worker.name,
-  ]
+  security_groups = local.worker_sec_groups
 
   dynamic "scheduler_hints" {
     for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_node[0]] : []

contrib/terraform/openstack/modules/compute/variables.tf

@@ -127,3 +127,11 @@ variable "use_access_ip" {}
 variable "use_server_groups" {
   type = bool
 }
+
+variable "extra_sec_groups" {
+  type = bool
+}
+
+variable "extra_sec_groups_name" {
+  type = string
+}
\ No newline at end of file

contrib/terraform/openstack/variables.tf

@@ -246,3 +246,10 @@ variable "k8s_nodes" {
   default = {}
 }
 
+variable "extra_sec_groups" {
+  default = false
+}
+
+variable "extra_sec_groups_name" {
+  default = "custom"
+}