feat: INFRA-504 Added lb tunnel sec group

output.tf

@@ -4,4 +4,8 @@ output "member_group" {
 
 output "load_balancer_group" {
   value = openstack_networking_secgroup_v2.vault_load_balancer
+}
+
+output "load_balancer_tunnel_security_group" {
+  value = openstack_networking_secgroup_v2.vault_load_balancer_tunnel
 }

security_groups.tf

@@ -10,6 +10,12 @@ resource "openstack_networking_secgroup_v2" "vault_load_balancer" {
   delete_default_rules = true
 }
 
+resource "openstack_networking_secgroup_v2" "vault_load_balancer_tunnel" {
+  name                 = var.load_balancer_tunnel_name
+  description          = "Security group for vault tunneled load balancer"
+  delete_default_rules = true
+}
+
 //Allow all outbound traffic from vault members and load balancers
 resource "openstack_networking_secgroup_rule_v2" "vault_member_outgoing_v4" {
   direction         = "egress"
@@ -35,6 +41,18 @@ resource "openstack_networking_secgroup_rule_v2" "vault_load_balancer_outgoing_v
   security_group_id = openstack_networking_secgroup_v2.vault_load_balancer.id
 }
 
+resource "openstack_networking_secgroup_rule_v2" "vault_load_balancer_tunnel_outgoing_v4" {
+  direction         = "egress"
+  ethertype         = "IPv4"
+  security_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "vault_load_balancer_tunnel_outgoing_v6" {
+  direction         = "egress"
+  ethertype         = "IPv6"
+  security_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+}
+
 //Allow port 8200, 4443, icmp traffic from other members and load balancers
 resource "openstack_networking_secgroup_rule_v2" "peer_member_vault_access" {
   direction         = "ingress"
@@ -88,6 +106,32 @@ resource "openstack_networking_secgroup_rule_v2" "load_balancer_member_icmp_acce
   security_group_id = openstack_networking_secgroup_v2.vault_member.id
 }
 
+resource "openstack_networking_secgroup_rule_v2" "load_balancer_tunnel_member_vault_access" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 8200
+  port_range_max    = 8200
+  remote_group_id   = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+  security_group_id = openstack_networking_secgroup_v2.vault_member.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "load_balancer_tunnel_member_icmp_access_v4" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "icmp"
+  remote_group_id   = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+  security_group_id = openstack_networking_secgroup_v2.vault_member.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "load_balancer_tunnel_member_icmp_access_v6" {
+  direction         = "ingress"
+  ethertype         = "IPv6"
+  protocol          = "ipv6-icmp"
+  remote_group_id   = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+  security_group_id = openstack_networking_secgroup_v2.vault_member.id
+}
+
 //Allow vault and icmp traffic access on load balancers from the clients
 resource "openstack_networking_secgroup_rule_v2" "clients_vault_access" {
   for_each          = { for idx, id in var.client_group_ids : idx => id }
@@ -118,6 +162,35 @@ resource "openstack_networking_secgroup_rule_v2" "clients_icmp_access_v6" {
   security_group_id = openstack_networking_secgroup_v2.vault_load_balancer.id
 }
 
+resource "openstack_networking_secgroup_rule_v2" "clients_vault_access_tunnel" {
+  for_each          = { for idx, id in var.client_group_ids : idx => id }
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 8200
+  port_range_max    = 8200
+  remote_group_id   = each.value
+  security_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "clients_icmp_access_tunnel_v4" {
+  for_each          = { for idx, id in var.client_group_ids : idx => id }
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "icmp"
+  remote_group_id   = each.value
+  security_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "clients_icmp_access_tunnel_v6" {
+  for_each          = { for idx, id in var.client_group_ids : idx => id }
+  direction         = "ingress"
+  ethertype         = "IPv6"
+  protocol          = "ipv6-icmp"
+  remote_group_id   = each.value
+  security_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+}
+
 //Allow port 22 and icmp traffic from the bastion
 resource "openstack_networking_secgroup_rule_v2" "bastion_member_ssh_access" {
   for_each          = { for idx, id in var.bastion_group_ids : idx => id }
@@ -177,6 +250,35 @@ resource "openstack_networking_secgroup_rule_v2" "bastion_load_balancer_icmp_acc
   security_group_id = openstack_networking_secgroup_v2.vault_load_balancer.id
 }
 
+resource "openstack_networking_secgroup_rule_v2" "bastion_load_balancer_tunnel_ssh_access" {
+  for_each          = { for idx, id in var.bastion_group_ids : idx => id }
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 22
+  port_range_max    = 22
+  remote_group_id   = each.value
+  security_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "bastion_load_balancer_tunnel_icmp_access_v4" {
+  for_each          = { for idx, id in var.bastion_group_ids : idx => id }
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "icmp"
+  remote_group_id   = each.value
+  security_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "bastion_load_balancer_tunnel_icmp_access_v6" {
+  for_each          = { for idx, id in var.bastion_group_ids : idx => id }
+  direction         = "ingress"
+  ethertype         = "IPv6"
+  protocol          = "ipv6-icmp"
+  remote_group_id   = each.value
+  security_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+}
+
 //Allow port 9100 and icmp traffic from metrics server
 resource "openstack_networking_secgroup_rule_v2" "metrics_server_member_node_exporter_access" {
   for_each          = { for idx, id in var.metrics_server_group_ids : idx => id }
@@ -234,4 +336,33 @@ resource "openstack_networking_secgroup_rule_v2" "metrics_server_load_balancer_i
   protocol          = "ipv6-icmp"
   remote_group_id   = each.value
   security_group_id = openstack_networking_secgroup_v2.vault_load_balancer.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "metrics_server_load_balancer_tunnel_node_exporter_access" {
+  for_each          = { for idx, id in var.metrics_server_group_ids : idx => id }
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 9100
+  port_range_max    = 9100
+  remote_group_id   = each.value
+  security_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "metrics_server_load_balancer_tunnel_icmp_access_v4" {
+  for_each          = { for idx, id in var.metrics_server_group_ids : idx => id }
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "icmp"
+  remote_group_id   = each.value
+  security_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "metrics_server_load_balancer_tunnel_icmp_access_v6" {
+  for_each          = { for idx, id in var.metrics_server_group_ids : idx => id }
+  direction         = "ingress"
+  ethertype         = "IPv6"
+  protocol          = "ipv6-icmp"
+  remote_group_id   = each.value
+  security_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
 }

variables.tf

@@ -9,6 +9,11 @@ variable "load_balancer_group_name" {
   type        = string
 }
 
+variable "load_balancer_tunnel_name" {
+  description = "Name for vault load balancer tunnel security group"
+  type        = string
+}
+
 variable "client_group_ids" {
   description = "Id of client security groups"
   type = list(string)