Refactor security group generation and prepare sto4 microk8s group

IaC-test/main.tf

@@ -14,12 +14,20 @@ provider "openstack" {
   cloud = "${var.cloud_name}"
 }
 
+# DCO Matrix Test
 provider "openstack" {
-  cloud = "${var.cloud2_name}"
+  cloud = "${var.clouddco_name}"
-  alias = "STO3MT"
+  alias = "dco"
 }
 
+# STO3 Matrix test
 provider "openstack" {
-  cloud = "${var.cloud3_name}"
+  cloud = "${var.cloudsto3_name}"
-  alias = "STO4MT"
+  alias = "sto3"
+}
+
+# STO4 Matrix test
+provider "openstack" {
+  cloud = "${var.cloudsto4_name}"
+  alias = "sto4"
 }

IaC-test/securitygroups-k8s-sto4.tf

@@ -0,0 +1,77 @@
+resource "openstack_networking_secgroup_v2" "microk8s-sto4" {
+  name        = "microk8s"
+  description = "Traffic to allow between microk8s hosts"
+  provider=openstack.sto4
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v4_sto4" {
+  count             =  length(var.k8sports)
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = var.k8sports[count.index][keys(var.k8sports[count.index])[0]]
+  port_range_min    = keys(var.k8sports[count.index])[0]
+  port_range_max    = keys(var.k8sports[count.index])[0]
+  provider          = openstack.sto4
+  remote_group_id   = openstack_networking_secgroup_v2.microk8s-sto4.id
+  security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v6_sto4" {
+  count             =  length(var.k8sports)
+  direction         = "ingress"
+  ethertype         = "IPv6"
+  protocol          = var.k8sports[count.index][keys(var.k8sports[count.index])[0]]
+  port_range_min    = keys(var.k8sports[count.index])[0]
+  port_range_max    = keys(var.k8sports[count.index])[0]
+  provider          = openstack.sto4
+  remote_group_id   = openstack_networking_secgroup_v2.microk8s-sto4.id
+  security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_dco" {
+  count             =  length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes)
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes))])[0]]
+  port_range_min    = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes))])[0]
+  port_range_max    = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes))])[0]
+  provider          = openstack.sto4
+  remote_ip_prefix  = join("/", [ resource.openstack_compute_instance_v2.controller-nodes[count.index % length(resource.openstack_compute_instance_v2.controller-nodes)].access_ip_v4, "32"])
+  security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_dco" {
+  count             =  length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes)
+  direction         = "ingress"
+  ethertype         = "IPv6"
+  protocol          = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes))])[0]]
+  port_range_min    = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes))])[0]
+  port_range_max    = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes))])[0]
+  provider          = openstack.sto4
+  remote_ip_prefix  = join("/", [ replace(resource.openstack_compute_instance_v2.controller-nodes[count.index % length(resource.openstack_compute_instance_v2.controller-nodes)].access_ip_v6, "/[\\[\\]']/",""),"128"])
+  security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_dco" {
+  count             =  length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes)
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))])[0]]
+  port_range_min    = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))])[0]
+  port_range_max    = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))])[0]
+  provider          = openstack.sto4
+  remote_ip_prefix  = join("/", [ resource.openstack_compute_instance_v2.worker-nodes[count.index % length(resource.openstack_compute_instance_v2.worker-nodes)].access_ip_v4, "32" ])
+  security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_dco" {
+  count             =  length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes)
+  direction         = "ingress"
+  ethertype         = "IPv6"
+  protocol          = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))])[0]]
+  port_range_min    = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))])[0]
+  port_range_max    = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))])[0]
+  provider          = openstack.sto4
+  remote_ip_prefix  = join("/",[ replace(resource.openstack_compute_instance_v2.worker-nodes[count.index % length(resource.openstack_compute_instance_v2.worker-nodes)].access_ip_v6, "/[\\[\\]']/",""), "128"])
+  security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
+}

IaC-test/vars.tf

@@ -3,6 +3,22 @@ variable "datacenter_name" {
   default = "dco"
 }
 
+# Cloud names in clouds.yaml file
+variable "clouddco_name" {
+  type = string
+  default = "dco-matrixtest"
+}
+
+variable "cloudsto3_name" {
+  type = string
+  default = "sto3-matrixtest"
+}
+
+variable "cloudsto4_name" {
+  type = string
+  default = "sto4-matrixtest"
+}
+
 variable "keyname" {
   type = string
   default = "manderssonpub"
@@ -50,3 +66,17 @@ variable "cloud2_name" {
 variable "cloud3_name" {
   default="dco-matrixtest"
 }
+
+variable "k8sports" {
+  default=[
+    {"16443" = "tcp"},
+    {"10250" = "tcp"},
+    {"10255" = "tcp"},
+    {"25000" = "tcp"},
+    {"12379" = "tcp"},
+    {"10257" = "tcp"},
+    {"10259" = "tcp"},
+    {"4789" = "udp"},
+    {"51820" = "udp"}
+  ]
+}