From ce2de7a60fa3ff6f87dd51e3993561254448c16d Mon Sep 17 00:00:00 2001 From: Andrei Ilas Date: Mon, 18 Nov 2024 14:29:00 +0200 Subject: [PATCH] feat: add support to reference module nsgs in the nsg rules --- examples/network/vars-network.auto.tfvars | 9 +++++++++ modules/network/rules.tf | 16 ++++++++++++++-- 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/examples/network/vars-network.auto.tfvars b/examples/network/vars-network.auto.tfvars index 3ecac907..2d5b7bbd 100644 --- a/examples/network/vars-network.auto.tfvars +++ b/examples/network/vars-network.auto.tfvars @@ -51,12 +51,21 @@ allow_rules_public_lb = { # "Allow TCP ingress to public load balancers for SSL traffic from anywhere" : { # protocol = 6, port = 443, source = "0.0.0.0/0", source_type = "CIDR_BLOCK", # }, + # "Allow UDP egress to workers port range 50000-52767 from Public LBs" : { + # protocol = 17, destination_port_min = 50000, destination_port_max=52767, destination = "workers", destination_type = "NETWORK_SECURITY_GROUP" + # }, } allow_rules_workers = { # "Allow TCP ingress to workers for port 8080 from VCN" : { # protocol = 6, port = 8080, source = "10.0.0.0/16", source_type = "CIDR_BLOCK", # }, + # "Allow UDP ingress to workers for port range 50000-52767 from Public LBs" : { + # protocol = 17, destination_port_min = 50000, destination_port_max=52767, source = "pub_lb", source_type = "NETWORK_SECURITY_GROUP" + # }, + # "Allow TCP ingress to workers for port range 8888-8888 from existing NSG" : { + # protocol = 6, destination_port_min = 8888, destination_port_max=8888, source = "ocid1.networksecuritygroup.oc1.eu-frankfurt-1.aaaaaaaai6z4le2ji7dkpmuwff4525b734wrjlifjqkrzlr5qctgxdsyoyra", source_type = "NETWORK_SECURITY_GROUP" + # }, } # Dynamic routing gateway (DRG) diff --git a/modules/network/rules.tf b/modules/network/rules.tf index fdf2c8b9..4b289f34 100644 --- a/modules/network/rules.tf +++ b/modules/network/rules.tf 
@@ -24,9 +24,21 @@ locals {
       network_security_group_id = lookup(y, "nsg_id")
       direction = contains(keys(y), "source") ? "INGRESS" : "EGRESS"
       protocol = lookup(y, "protocol")
-      source = lookup(y, "source", null)
+      source = (
+        alltrue([
+          upper(lookup(y, "source_type", "")) == local.rule_type_nsg,
+          length(regexall("ocid\\d+\\.networksecuritygroup", lower(lookup(y, "source", "")))) == 0]) ?
+        lookup(local.all_nsg_ids, lower(lookup(y, "source", "")), null) :
+        lookup(y, "source", null)
+      )
       source_type = lookup(y, "source_type", null)
-      destination = lookup(y, "destination", null)
+      destination = (
+        alltrue([
+          upper(lookup(y, "destination_type", "")) == local.rule_type_nsg,
+          length(regexall("ocid\\d+\\.networksecuritygroup", lower(lookup(y, "destination", "")))) == 0]) ?
+        lookup(local.all_nsg_ids, lower(lookup(y, "destination", "")), null) :
+        lookup(y, "destination", null)
+      )
       destination_type = lookup(y, "destination_type", null)
     })
   }
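Review bot: A source or destination name that is not a key of local.all_nsg_ids silently resolves to null, because the lookup in the new `source = (` and `destination = (` expressions defaults to null instead of failing; a typo in an NSG reference then yields a rule whose direction is still INGRESS/EGRESS (direction is derived from the presence of the key on the context line above) but whose peer NSG is empty, and whether the provider rejects that — and only at apply time — is not visible here. Index the map directly so a bad name fails at plan time: replace `lookup(local.all_nsg_ids, lower(lookup(y, "source", "")), null)` with `local.all_nsg_ids[lower(lookup(y, "source", ""))]`, and likewise `local.all_nsg_ids[lower(lookup(y, "destination", ""))]` in the destination branch. The lower() applied to the key also assumes all_nsg_ids is keyed by lowercase names, which is worth confirming where that local is built; that definition, like the start of the enclosing locals block, is outside this hunk.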