From df7ed2438966be3ef9a45e17b574f6567c33bd85 Mon Sep 17 00:00:00 2001
From: Hugo Blom
Date: Thu, 5 Nov 2020 14:30:54 +0100
Subject: [PATCH] [Openstack] Add security groups not managed by terraform (#6865)

* add custom sec groups

* make sure groups are applied only when created

* fix spacing
---
 contrib/terraform/openstack/kubespray.tf | 2 +
 .../openstack/modules/compute/main.tf | 57 ++++++++++++-------
 .../openstack/modules/compute/variables.tf | 8 +++
 contrib/terraform/openstack/variables.tf | 7 +++
 4 files changed, 53 insertions(+), 21 deletions(-)

diff --git a/contrib/terraform/openstack/kubespray.tf b/contrib/terraform/openstack/kubespray.tf
index f4aa24d5a..90aad989c 100644
--- a/contrib/terraform/openstack/kubespray.tf
+++ b/contrib/terraform/openstack/kubespray.tf
@@ -80,6 +80,8 @@ module "compute" {
 wait_for_floatingip = var.wait_for_floatingip
 use_access_ip = var.use_access_ip
 use_server_groups = var.use_server_groups
+ extra_sec_groups = var.extra_sec_groups
+ extra_sec_groups_name = var.extra_sec_groups_name
 network_id = module.network.router_id
 }
 
diff --git a/contrib/terraform/openstack/modules/compute/main.tf b/contrib/terraform/openstack/modules/compute/main.tf
index 5ef4b6c6b..6b469ad04 100644
--- a/contrib/terraform/openstack/modules/compute/main.tf
+++ b/contrib/terraform/openstack/modules/compute/main.tf
@@ -17,6 +17,13 @@ resource "openstack_networking_secgroup_v2" "k8s_master" {
 delete_default_rules = true
 }
 
+resource "openstack_networking_secgroup_v2" "k8s_master_extra" {
+ count = "%{if var.extra_sec_groups}1%{else}0%{endif}"
+ name = "${var.cluster_name}-k8s-master-${var.extra_sec_groups_name}"
+ description = "${var.cluster_name} - Kubernetes Master nodes - rules not managed by terraform"
+ delete_default_rules = true
+}
+
 resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
 count = length(var.master_allowed_remote_ips)
 direction = "ingress"
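Review bot: The `count` on `k8s_master_extra` is written as a string template directive, `count = "%{if var.extra_sec_groups}1%{else}0%{endif}"`, which only works because Terraform silently coerces the string "1"/"0" to a number; the idiomatic and type-checked form is `count = var.extra_sec_groups ? 1 : 0`, and it is the same conditional the locals later in this patch already use. It is also worth a comment on the resource that flipping `extra_sec_groups` back to false drives `count` to 0 and destroys the group, and with it every rule an operator attached out of band, since by design nothing in Terraform records those rules, e.g. `# Rules on this group are added outside terraform; disabling extra_sec_groups destroys the group and those rules with it.`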
@@ -95,6 +102,13 @@ resource "openstack_networking_secgroup_v2" "worker" {
 delete_default_rules = true
 }
 
+resource "openstack_networking_secgroup_v2" "worker_extra" {
+ count = "%{if var.extra_sec_groups}1%{else}0%{endif}"
+ name = "${var.cluster_name}-k8s-worker-${var.extra_sec_groups_name}"
+ description = "${var.cluster_name} - Kubernetes worker nodes - rules not managed by terraform"
+ delete_default_rules = true
+}
+
 resource "openstack_networking_secgroup_rule_v2" "worker" {
 count = length(var.worker_allowed_ports)
 direction = "ingress"
@@ -124,6 +138,21 @@ resource "openstack_compute_servergroup_v2" "k8s_etcd" {
 policies = ["anti-affinity"]
 }
 
+locals {
+# master groups
+ master_sec_groups = compact([
+ openstack_networking_secgroup_v2.k8s_master.name,
+ openstack_networking_secgroup_v2.k8s.name,
+ var.extra_sec_groups ?openstack_networking_secgroup_v2.k8s_master_extra[0].name : "",
+ ])
+# worker groups
+ worker_sec_groups = compact([
+ openstack_networking_secgroup_v2.k8s.name,
+ openstack_networking_secgroup_v2.worker.name,
+ var.extra_sec_groups ? openstack_networking_secgroup_v2.k8s_master_extra[0].name : "",
+ ])
+}
+
 resource "openstack_compute_instance_v2" "bastion" {
 name = "${var.cluster_name}-bastion-${count.index + 1}"
 count = var.number_of_bastions
@@ -189,9 +218,7 @@ resource "openstack_compute_instance_v2" "k8s_master" {
 name = var.network_name
 }
 
- security_groups = [openstack_networking_secgroup_v2.k8s_master.name,
- openstack_networking_secgroup_v2.k8s.name,
- ]
+ security_groups = local.master_sec_groups
 
 dynamic "scheduler_hints" {
 for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
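Review bot: In the `locals` hunk, `worker_sec_groups` attaches `openstack_networking_secgroup_v2.k8s_master_extra[0].name` rather than the `worker_extra` group this same patch creates, so the worker extra group is never attached to any instance and every worker instead joins the masters' unmanaged group, where any rule an operator later adds for the control plane is silently opened on the workers as well. The third entry should read `var.extra_sec_groups ? openstack_networking_secgroup_v2.worker_extra[0].name : "",`. The matching entry in `master_sec_groups` is also missing the space after `?` (`?openstack_...`), which `terraform fmt` would normalize; a short comment above each list saying the trailing `""` exists only so `compact()` can drop the entry when `extra_sec_groups` is false would help the next reader.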
@@ -238,9 +265,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
 name = var.network_name
 }
 
- security_groups = [openstack_networking_secgroup_v2.k8s_master.name,
- openstack_networking_secgroup_v2.k8s.name,
- ]
+ security_groups = local.master_sec_groups
 
 dynamic "scheduler_hints" {
 for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
@@ -327,9 +352,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip" {
 name = var.network_name
 }
 
- security_groups = [openstack_networking_secgroup_v2.k8s_master.name,
- openstack_networking_secgroup_v2.k8s.name,
- ]
+ security_groups = local.master_sec_groups
 
 dynamic "scheduler_hints" {
 for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
@@ -371,9 +394,7 @@ resource "openstack_compute_instance_v2" "k8s_master_no_floating_ip_no_etcd" {
 name = var.network_name
 }
 
- security_groups = [openstack_networking_secgroup_v2.k8s_master.name,
- openstack_networking_secgroup_v2.k8s.name,
- ]
+ security_groups = local.master_sec_groups
 
 dynamic "scheduler_hints" {
 for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_master[0]] : []
@@ -414,9 +435,7 @@ resource "openstack_compute_instance_v2" "k8s_node" {
 name = var.network_name
 }
 
- security_groups = [openstack_networking_secgroup_v2.k8s.name,
- openstack_networking_secgroup_v2.worker.name,
- ]
+ security_groups = local.worker_sec_groups
 
 dynamic "scheduler_hints" {
 for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_node[0]] : []
@@ -461,9 +480,7 @@ resource "openstack_compute_instance_v2" "k8s_node_no_floating_ip" {
 name = var.network_name
 }
 
- security_groups = [openstack_networking_secgroup_v2.k8s.name,
- openstack_networking_secgroup_v2.worker.name,
- ]
+ security_groups = local.worker_sec_groups
 
 dynamic "scheduler_hints" {
 for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_node[0]] : []
@@ -504,9 +521,7 @@ resource "openstack_compute_instance_v2" "k8s_nodes" {
 name = var.network_name
 }
 
- security_groups = [openstack_networking_secgroup_v2.k8s.name,
- openstack_networking_secgroup_v2.worker.name,
- ]
+ security_groups = local.worker_sec_groups
 
 dynamic "scheduler_hints" {
 for_each = var.use_server_groups ? [openstack_compute_servergroup_v2.k8s_node[0]] : []
diff --git a/contrib/terraform/openstack/modules/compute/variables.tf b/contrib/terraform/openstack/modules/compute/variables.tf
index 11bb5f563..99f266b09 100644
--- a/contrib/terraform/openstack/modules/compute/variables.tf
+++ b/contrib/terraform/openstack/modules/compute/variables.tf
@@ -127,3 +127,11 @@ variable "use_access_ip" {}
 variable "use_server_groups" {
 type = bool
 }
+
+variable "extra_sec_groups" {
+ type = bool
+}
+
+variable "extra_sec_groups_name" {
+ type = string
+}
\ No newline at end of file
diff --git a/contrib/terraform/openstack/variables.tf b/contrib/terraform/openstack/variables.tf
index d161e8947..5b49b2942 100644
--- a/contrib/terraform/openstack/variables.tf
+++ b/contrib/terraform/openstack/variables.tf
@@ -246,3 +246,10 @@ variable "k8s_nodes" {
 default = {}
 }
 
+variable "extra_sec_groups" {
+ default = false
+}
+
+variable "extra_sec_groups_name" {
+ default = "custom"
+}
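Review bot: The root-level `variable "extra_sec_groups"` in `contrib/terraform/openstack/variables.tf` declares only `default = false`, with no `type` and no `description`, while the module-side declaration in the same patch is typed `bool`; a mistyped value in a tfvars file is therefore only rejected once it reaches the module rather than at the root where the operator set it. Add `type = bool` and a one-line `description = "Create an extra security group per node role whose rules are managed outside terraform"` to the root variable, and a `description` on `extra_sec_groups_name` noting that it is only the suffix appended to `<cluster_name>-k8s-master-` and `<cluster_name>-k8s-worker-`, since nothing in the patch documents that either. The compute-module `variables.tf` hunk also leaves the file without a trailing newline.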