feat(example): secgroup support remote group

terraform-huaweicloud-modules · Jun 9, 2023 · b9def43 · b9def43
1 parent 6ea1640
commit b9def43
Show file tree

Hide file tree

Showing 6 changed files with 74 additions and 22 deletions.
diff --git a/README.md b/README.md
@@ -60,6 +60,8 @@ Full contributing [guidelines are covered here](.github/how_to_contribute.md).
 | huaweicloud_networking_secgroup.this | resource |
 | huaweicloud_networking_secgroup_rule.in_v4_self_group | resource |
 | huaweicloud_networking_secgroup_rule.this | resource |
+| huaweicloud_vpc_address_group.this | resource |
+| huaweicloud_networking_secgroup_rule.remote_address_group | resource |
 | data.huaweicloud_vpcs.this | data-source |
 | data.huaweicloud_vpc_subnets.this | data-source |
 | data.huaweicloud_networking_secgroups.this | data-source |
@@ -73,11 +75,12 @@ Full contributing [guidelines are covered here](.github/how_to_contribute.md).
 | is_vpc_create | Controls whether a VPC should be created (it affects all VPC related resources under this module) | bool | true | N |
 | vpc_name | The name of the VPC resource | string | "" | N |
 | vpc_cidr_block | The CIDR block of the VPC resource | string | "192.168.0.0/16" | N |
-| subnets_configuration | The configuration for the subnet resources to which the VPC belongs | list(object) | <pre>[<br>  {<br>    name = "module-default-subnet",<br>    cidr = "192.168.16.0/20",<br>  },<br>]</pre> | N |
+| subnets_configuration | The configuration for the subnet resources to which the VPC belongs | <pre>list(object({<br>  name         = string<br>  description  = optional(string, null)<br>  cidr         = string<br>  ipv6_enabled = optional(bool, true)<br>  dhcp_enabled = optional(bool, true)<br>  dns_list     = optional(list(string), null)<br>  tags         = optional(map(string), {})<br>  delete_timeout = optional(string, null)<br>}))</pre> | <pre>[<br>  {<br>    name = "module-default-subnet",<br>    cidr = "192.168.16.0/20",<br>  },<br>]</pre> | N |
 | is_security_group_create | Controls whether a security group should be created (it affects all security group related resources under this module) | bool | true | N |
 | security_group_name | The name of the security group resource" | string | "" | N |
 | security_group_description | The description of the security group resource | string | null | N |
-| security_group_rules_configuration | The configuration for security group rule resources to which the security group belongs | list(object) | <pre>[<br>  {<br>    protocol = "icmp"<br>  }<br>]</pre> | N |
+| security_group_rules_configuration | The configuration for security group rule resources to which the security group belongs | <pre>list(object({<br>  description             = optional(string, null)<br>  direction               = optional(string, "ingress")<br>  ethertype               = optional(string, "IPv4")<br>  protocol                = optional(string, null)<br>  ports                   = optional(string, null)<br>  remote_ip_prefix        = optional(string, "0.0.0.0/0")<br>  remote_group_id         = optional(string, null)<br>  remote_address_group_id = optional(string, null)<br>  action                  = optional(string, "allow")<br>  priority                = optional(number, null)<br>}))</pre> | <pre>[<br>  {<br>    protocol = "icmp"<br>  }<br>]</pre> | N |
+| remote_address_group_rules_configuration | The configuration of remote address group for security group rule resources | <pre>list(object({<br>  description      = optional(string, null)<br>  direction        = optional(string, "ingress")<br>  ethertype        = optional(string, "IPv4")<br>  protocol         = optional(string, null)<br>  ports            = optional(string, null)<br>  remote_addresses = list(string)<br>  action           = optional(string, "allow")<br>  priority         = optional(number, null)<br>}))</pre> |<pre>[<br>  {direction="ingress", ethertype="IPv4", protocol="icmp", ports="80", remote_addresses=["192.168.10.22,192.168.11.0-192.168.11.240"]<br>  }<br>]<pre> |
 | query_vpc_names | The VPC name list used to query the resource IDs | list(string) | <pre>[]</pre> | N |
 | query_subnet_names | The subnet name list used to query the resource IDs | list(string) | <pre>[]</pre> | N |
 | query_security_group_names | The security group name list used to query the resource IDs | list(string) | <pre>[]</pre> | N |

diff --git a/examples/simple-security-group-rules/README.md b/examples/simple-security-group-rules/README.md
@@ -40,13 +40,21 @@ quota limits). Run `terraform destroy` when you don't need these resources.
 |------|------|
 | huaweicloud_networking_secgroup.this[0] | resource |
 | huaweicloud_networking_secgroup_rule.in_v4_self_group[0] | resource |
+| huaweicloud_networking_secgroup_rule.this[0] | resource |
 | huaweicloud_networking_secgroup_rule.this[1] | resource |
+| huaweicloud_networking_secgroup_rule.this[2] | resource |
+| huaweicloud_networking_secgroup_rule.this[3] | resource |
+| huaweicloud_vpc_address_group.this[0] | resource |
+| huaweicloud_networking_secgroup_rule.remote_address_group[0] | resource |
 
 ## Inputs
 
 | Name | Description | Type | Value |
 |------|-------------|------|-------|
+| is_vpc_create | Controls whether a VPC should be created (it affects all VPC related resources under this module) | bool | false |
 | security_group_name | The name of the security group resource | string | module-single-security-group |
+| security_group_rules_configuration |vThe configuration for security group rule resources to which the security group belongs | <pre>list(object({<br>  description             = optional(string, null)<br>  direction               = optional(string, "ingress")<br>  ethertype               = optional(string, "IPv4")<br>  protocol                = optional(string, null)<br>  ports                   = optional(string, null)<br>  remote_ip_prefix        = optional(string, "0.0.0.0/0")<br>  remote_group_id         = optional(string, null)<br>  remote_address_group_id = optional(string, null)<br>  action                  = optional(string, "allow")<br>  priority                = optional(number, null)<br>}))</pre> | <pre>[<br>  {direction="ingress", ethertype="IPv4", protocol="icmp"},<br>  {direction="ingress", ethertype="IPv6", protocol="icmp", remote_ip_prefix="::/0"},<br>  {direction="egress", ethertype="IPv4"},<br>  {direction="egress", ethertype="IPv6", remote_ip_prefix="::/0"},<br>]</pre> |
+| remote_address_group_rules_configuration | The configuration of remote address group for security group rule resources | <pre>list(object({<br>  description      = optional(string, null)<br>  direction        = optional(string, "ingress")<br>  ethertype        = optional(string, "IPv4")<br>  protocol         = optional(string, null)<br>  ports            = optional(string, null)<br>  remote_addresses = list(string)<br>  action           = optional(string, "allow")<br>  priority         = optional(number, null)<br>}))</pre> |<pre>[<br>  {direction="ingress", ethertype="IPv4", protocol="icmp", ports="80", remote_addresses=["192.168.10.22,192.168.11.0-192.168.11.240"]},<br>]<pre> |
 
 ## Outputs
 

diff --git a/examples/simple-security-group-rules/main.tf b/examples/simple-security-group-rules/main.tf
@@ -1,6 +1,8 @@
 module "vpc_service" {
   source = "../.."
 
+  is_vpc_create = false
+
   security_group_name = "module-single-security-group"
 
   security_group_rules_configuration = [
@@ -9,4 +11,7 @@ module "vpc_service" {
     {direction="egress", ethertype="IPv4"},
     {direction="egress", ethertype="IPv6", remote_ip_prefix="::/0"},
   ]
+  remote_address_group_rules_configuration = [
+    {direction="ingress", ethertype="IPv4", protocol="tcp", ports="80", remote_addresses=["192.168.10.22","192.168.11.0-192.168.11.240"]},
+  ]
 }
diff --git a/examples/simple-security-group-rules/variables.tf b/examples/simple-security-group-rules/variables.tf
diff --git a/main.tf b/main.tf
@@ -83,12 +83,35 @@ resource "huaweicloud_networking_secgroup_rule" "this" {
 
   security_group_id = huaweicloud_networking_secgroup.this[0].id
 
-  description      = lookup(element(var.security_group_rules_configuration, count.index), "description")
-  direction        = lookup(element(var.security_group_rules_configuration, count.index), "direction")
-  ethertype        = lookup(element(var.security_group_rules_configuration, count.index), "ethertype")
-  protocol         = lookup(element(var.security_group_rules_configuration, count.index), "protocol")
-  ports            = lookup(element(var.security_group_rules_configuration, count.index), "ports")
-  remote_ip_prefix = lookup(element(var.security_group_rules_configuration, count.index), "remote_ip_prefix")
-  action           = lookup(element(var.security_group_rules_configuration, count.index), "action")
-  priority         = lookup(element(var.security_group_rules_configuration, count.index), "priority")
+  description             = lookup(element(var.security_group_rules_configuration, count.index), "description")
+  direction               = lookup(element(var.security_group_rules_configuration, count.index), "direction")
+  ethertype               = lookup(element(var.security_group_rules_configuration, count.index), "ethertype")
+  protocol                = lookup(element(var.security_group_rules_configuration, count.index), "protocol")
+  ports                   = lookup(element(var.security_group_rules_configuration, count.index), "ports")
+  remote_ip_prefix        = lookup(element(var.security_group_rules_configuration, count.index), "remote_group_id") == null ? lookup(element(var.security_group_rules_configuration, count.index), "remote_ip_prefix") : null
+  remote_group_id         = lookup(element(var.security_group_rules_configuration, count.index), "remote_group_id")
+  action                  = lookup(element(var.security_group_rules_configuration, count.index), "action")
+  priority                = lookup(element(var.security_group_rules_configuration, count.index), "priority")
+}
+
+resource "huaweicloud_vpc_address_group" "this" {
+  count = var.is_security_group_create && length(var.remote_address_group_rules_configuration) > 0 ? length(var.remote_address_group_rules_configuration) : 0
+
+  name      = var.name_suffix != "" ? format("%s-address-group-%d", var.name_suffix, count.index) : var.security_group_name
+  addresses = lookup(element(var.remote_address_group_rules_configuration, count.index), "remote_addresses")
+}
+
+resource "huaweicloud_networking_secgroup_rule" "remote_address_group" {
+  count = var.is_security_group_create && length(var.remote_address_group_rules_configuration) > 0 ? length(var.remote_address_group_rules_configuration) : 0
+
+  security_group_id = huaweicloud_networking_secgroup.this[0].id
+
+  description             = lookup(element(var.remote_address_group_rules_configuration, count.index), "description")
+  direction               = lookup(element(var.remote_address_group_rules_configuration, count.index), "direction")
+  ethertype               = lookup(element(var.remote_address_group_rules_configuration, count.index), "ethertype")
+  protocol                = lookup(element(var.remote_address_group_rules_configuration, count.index), "protocol")
+  ports                   = lookup(element(var.remote_address_group_rules_configuration, count.index), "ports")
+  remote_address_group_id = huaweicloud_vpc_address_group.this[count.index].id
+  action                  = lookup(element(var.remote_address_group_rules_configuration, count.index), "action")
+  priority                = lookup(element(var.remote_address_group_rules_configuration, count.index), "priority")
 }
diff --git a/variables.tf b/variables.tf
@@ -97,22 +97,41 @@ variable "security_group_description" {
 variable "security_group_rules_configuration" {
   description = "The configuration for security group rule resources to which the security group belongs"
 
+  type = list(object({
+    description             = optional(string, null)
+    direction               = optional(string, "ingress")
+    ethertype               = optional(string, "IPv4")
+    protocol                = optional(string, null)
+    ports                   = optional(string, null)
+    remote_ip_prefix        = optional(string, "0.0.0.0/0")
+    remote_group_id         = optional(string, null)
+    remote_address_group_id = optional(string, null)
+    action                  = optional(string, "allow")
+    priority                = optional(number, null)
+  }))
+
+  default = [
+    {
+      protocol = "icmp"
+    }
+  ]
+}
+
+variable "remote_address_group_rules_configuration" {
+  description = "The configuration of remote address group for security group rule resources"
+
   type = list(object({
     description      = optional(string, null)
     direction        = optional(string, "ingress")
     ethertype        = optional(string, "IPv4")
     protocol         = optional(string, null)
     ports            = optional(string, null)
-    remote_ip_prefix = optional(string, "0.0.0.0/0")
+    remote_addresses = list(string) // The remote addresses split by commas (,)
     action           = optional(string, "allow")
     priority         = optional(number, null)
   }))
 
-  default = [
-    {
-      protocol = "icmp"
-    }
-  ]
+  default = []
 }
 
 ######################################################################