##############################################################################
# ibm_is_security_group
##############################################################################
locals {
  # The VSI's own security group, wrapped in a single-element list so it can
  # be combined with the load balancer groups below. When no group is to be
  # created the element is null and is filtered out in `security_groups`.
  vsi_security_group = var.create_security_group ? [var.security_group] : [null]

  # Every security group this module creates: the VSI group (if any) followed
  # by one group per load balancer that declares one. Null entries are dropped.
  security_groups = concat(
    [for sg in local.vsi_security_group : sg if sg != null],
    [for lb in var.load_balancers : lb.security_group if lb.security_group != null]
  )

  # Same groups keyed by name, the shape `for_each` needs. Two groups sharing
  # a name would collide on this key; Terraform reports duplicate keys in a
  # `for` object expression as an error rather than silently keeping one.
  security_group_map = { for sg in local.security_groups : sg.name => sg }

  # Input validation. `tobool()` on a non-boolean string is a deliberate way to
  # fail the plan with the string as the error message. These locals are
  # otherwise unused, hence the tflint suppressions.
  # tflint-ignore: terraform_unused_declarations
  validate_security_group = (
    !var.create_security_group && var.security_group != null
    ? tobool("var.security_group should be null when var.create_security_group is false. Use var.security_group_ids to add security groups to VSI deployment primary interface.")
    : true
  )
  # tflint-ignore: terraform_unused_declarations
  validate_security_group_2 = (
    var.create_security_group && var.security_group == null
    ? tobool("var.security_group cannot be null when var.create_security_group is true.")
    : true
  )
}
resource "ibm_is_security_group" "security_group" {
  # One group per entry of local.security_group_map; the map key is the
  # group name, which is why rules can address a group as
  # ibm_is_security_group.security_group[<name>].
  for_each = local.security_group_map

  vpc            = var.vpc_id
  resource_group = var.resource_group_id
  name           = each.key
  tags           = var.tags
  access_tags    = var.access_tags

  # NOTE(review): no rules are attached here; they are created separately by
  # ibm_is_security_group_rule. Confirm what the platform applies to a group
  # whose rule list is empty before relying on it as a deny-all.
}
##############################################################################
##############################################################################
# Security Group Rules (Optional)
##############################################################################
locals {
  # Flatten every group's `rules` into one list, tagging each rule with the
  # name of the group it belongs to so the rule resource can find its group.
  # The rule's own keys take precedence over `sg_name` if it ever defines one.
  security_group_rule_list = flatten([
    for sg in local.security_groups : [
      for r in sg.rules : merge({ sg_name = sg.name }, r)
    ]
  ])

  # Key the rules as "<group name>-<rule name>" for `for_each`. Terraform
  # rejects duplicate keys here, so a rule name must be unique within its group.
  security_group_rules = {
    for r in local.security_group_rule_list : join("-", [r.sg_name, r.name]) => r
  }
}
resource "ibm_is_security_group_rule" "security_group_rules" {
  # One rule per entry in local.security_group_rules, keyed "<group>-<rule>".
  # The group is looked up by the `sg_name` that was merged into each rule.
  for_each = local.security_group_rules
  group    = ibm_is_security_group.security_group[each.value.sg_name].id
  # `direction` and `remote` are passed to the provider exactly as supplied.
  # Nothing in this block validates them: an inbound rule whose `source` is
  # 0.0.0.0/0 (or any other over-broad CIDR) is accepted as-is, so that
  # restriction has to be enforced by the caller or by a variable validation.
  # NOTE(review): the accepted forms of `remote` (CIDR, single address,
  # security group id) are provider-defined — verify against the provider docs.
  direction = each.value.direction
  remote    = each.value.source
  ##############################################################################
  # Dynamically create ICMP Block
  ##############################################################################
  dynamic "icmp" {
    # Emits at most one `icmp` block. The block is omitted when the rule has no
    # `icmp` object at all, or when both `type` and `code` are null; that lets
    # landing-zone patterns pass a uniformly typed list with `null` values.
    # If exactly one of `type`/`code` is set, the block is still created with
    # the other attribute null. NOTE(review): what the provider does with a
    # null `type` or `code` is not visible here — confirm before relying on it.
    for_each = (
      each.value.icmp == null
      ? []
      : length([
        for value in ["type", "code"] :
        true if lookup(each.value["icmp"], value, null) == null
      ]) == 2
      ? [] # both values null -> no block
      : [each.value]
    )
    # Block body; `lookup` with a null default tolerates a missing key.
    content {
      type = lookup(
        each.value["icmp"],
        "type",
        null
      )
      code = lookup(
        each.value["icmp"],
        "code",
        null
      )
    }
  }
  ##############################################################################
  ##############################################################################
  # Dynamically create TCP Block
  ##############################################################################
  dynamic "tcp" {
    # Emits at most one `tcp` block. The block is omitted when the rule has no
    # `tcp` object, or when both `port_min` and `port_max` are null (the
    # landing-zone "typed list with nulls" convention).
    # The original note here states that the provider defaults a null
    # `port_min` to 1 and a null `port_max` to 65535. If that holds, a rule
    # that sets only `port_min` permits port_min..65535 and one that sets only
    # `port_max` permits 1..port_max — a wider rule than the single-port
    # intent suggests. Only "both null" suppresses the block; "one null" is
    # passed through. NOTE(review): verify the provider defaults and consider
    # validating that both ports are given together.
    for_each = (
      each.value.tcp == null
      ? []
      : length([
        for value in ["port_min", "port_max"] :
        true if lookup(each.value["tcp"], value, null) == null
      ]) == 2
      ? [] # both values null -> no block
      : [each.value]
    )
    # Block body; `lookup` with a null default tolerates a missing key.
    content {
      port_min = lookup(
        each.value["tcp"],
        "port_min",
        null
      )
      port_max = lookup(
        each.value["tcp"],
        "port_max",
        null
      )
    }
  }
  ##############################################################################
  ##############################################################################
  # Dynamically create UDP Block
  ##############################################################################
  dynamic "udp" {
    # Same shape as the `tcp` block above: omitted when the rule has no `udp`
    # object or when both ports are null; a single null port is passed through
    # and, per the provider defaults noted for TCP, would widen the rule to
    # 1..port_max or port_min..65535. NOTE(review): confirm the provider
    # defaults apply to UDP as well.
    for_each = (
      each.value.udp == null
      ? []
      : length([
        for value in ["port_min", "port_max"] :
        true if lookup(each.value["udp"], value, null) == null
      ]) == 2
      ? [] # both values null -> no block
      : [each.value]
    )
    # Block body; `lookup` with a null default tolerates a missing key.
    content {
      port_min = lookup(
        each.value["udp"],
        "port_min",
        null
      )
      port_max = lookup(
        each.value["udp"],
        "port_max",
        null
      )
    }
  }
  ##############################################################################
}
##############################################################################