From 1a2a483336edefc71c2305bef68c446c23ceac9f Mon Sep 17 00:00:00 2001
From: Mikael Frykholm <mifr@sunet.se>
Date: Wed, 17 Apr 2024 08:04:52 +0200
Subject: [PATCH] Manage security groups with tofu instead of manually.

---
 main.tf | 169 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 169 insertions(+)

diff --git a/main.tf b/main.tf
index aee2d2a..b8549de 100644
--- a/main.tf
+++ b/main.tf
@@ -13,6 +13,175 @@ required_version = ">= 0.14.0"
 provider "openstack" {
   cloud = "sto4-rut"
 }
+resource "openstack_networking_secgroup_v2" "microk8s" {
+  name        = "microk8s"
+  description = "Traffic to allow between microk8s hosts"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule1" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 16443
+  port_range_max    = 16443
+  remote_group_id   = openstack_networking_secgroup_v2.microk8s.id
+  security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule2" {
+  direction         = "ingress"
+  ethertype         = "IPv6"
+  protocol          = "tcp"
+  port_range_min    = 16443
+  port_range_max    = 16443
+  remote_group_id   = openstack_networking_secgroup_v2.microk8s.id
+  security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule3" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 10250
+  port_range_max    = 10250
+  remote_group_id   = openstack_networking_secgroup_v2.microk8s.id
+  security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule4" {
+  direction         = "ingress"
+  ethertype         = "IPv6"
+  protocol          = "tcp"
+  port_range_min    = 10250
+  port_range_max    = 10250
+  remote_group_id   = openstack_networking_secgroup_v2.microk8s.id
+  security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule5" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 10255
+  port_range_max    = 10255
+  remote_group_id   = openstack_networking_secgroup_v2.microk8s.id
+  security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule6" {
+  direction         = "ingress"
+  ethertype         = "IPv6"
+  protocol          = "tcp"
+  port_range_min    = 10255
+  port_range_max    = 10255
+  remote_group_id   = openstack_networking_secgroup_v2.microk8s.id
+  security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule7" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 25000
+  port_range_max    = 25000
+  remote_group_id   = openstack_networking_secgroup_v2.microk8s.id
+  security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule8" {
+  direction         = "ingress"
+  ethertype         = "IPv6"
+  protocol          = "tcp"
+  port_range_min    = 25000
+  port_range_max    = 25000
+  remote_group_id   = openstack_networking_secgroup_v2.microk8s.id
+  security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule9" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 12379
+  port_range_max    = 12379
+  remote_group_id   = openstack_networking_secgroup_v2.microk8s.id
+  security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule10" {
+  direction         = "ingress"
+  ethertype         = "IPv6"
+  protocol          = "tcp"
+  port_range_min    = 12379
+  port_range_max    = 12379
+  remote_group_id   = openstack_networking_secgroup_v2.microk8s.id
+  security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule11" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 10257
+  port_range_max    = 10257
+  remote_group_id   = openstack_networking_secgroup_v2.microk8s.id
+  security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule12" {
+  direction         = "ingress"
+  ethertype         = "IPv6"
+  protocol          = "tcp"
+  port_range_min    = 10257
+  port_range_max    = 10257
+  remote_group_id   = openstack_networking_secgroup_v2.microk8s.id
+  security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule13" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 10259
+  port_range_max    = 10259
+  remote_group_id   = openstack_networking_secgroup_v2.microk8s.id
+  security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule14" {
+  direction         = "ingress"
+  ethertype         = "IPv6"
+  protocol          = "tcp"
+  port_range_min    = 10259
+  port_range_max    = 10259
+  remote_group_id   = openstack_networking_secgroup_v2.microk8s.id
+  security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule15" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 19001
+  port_range_max    = 19001
+  remote_group_id   = openstack_networking_secgroup_v2.microk8s.id
+  security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule16" {
+  direction         = "ingress"
+  ethertype         = "IPv6"
+  protocol          = "tcp"
+  port_range_min    = 19001
+  port_range_max    = 19001
+  remote_group_id   = openstack_networking_secgroup_v2.microk8s.id
+  security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule17" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "udp"
+  port_range_min    = 4789
+  port_range_max    = 4789
+  remote_group_id   = openstack_networking_secgroup_v2.microk8s.id
+  security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule18" {
+  direction         = "ingress"
+  ethertype         = "IPv6"
+  protocol          = "udp"
+  port_range_min    = 4789
+  port_range_max    = 4789
+  remote_group_id   = openstack_networking_secgroup_v2.microk8s.id
+  security_group_id = openstack_networking_secgroup_v2.microk8s.id
+}
+
 
 resource "openstack_compute_instance_v2" "controller-nodes" {
   count           = var.controller_instance_count