Use single security group (#23)

mcapuccini · Nov 22, 2018 · a0557f1 · a0557f1
1 parent 5738850
commit a0557f1
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 46 deletions.
diff --git a/main.tf b/main.tf
@@ -6,8 +6,10 @@ resource "openstack_compute_keypair_v2" "keypair" {
 
 # Create security group
 module "secgroup" {
-  source      = "modules/secgroup"
-  name_prefix = "${var.cluster_prefix}"
+  source              = "modules/secgroup"
+  name_prefix         = "${var.cluster_prefix}"
+  allowed_ingress_tcp = "${var.allowed_ingress_tcp}"
+  allowed_ingress_udp = "${var.allowed_ingress_udp}"
 }
 
 # Create network
@@ -65,21 +67,20 @@ module "service" {
 
 # Create edge nodes
 module "edge" {
-  source              = "modules/node"
-  count               = "${var.edge_count}"
-  name_prefix         = "${var.cluster_prefix}-edge"
-  flavor_name         = "${var.edge_flavor_name}"
-  image_name          = "${var.image_name}"
-  network_name        = "${module.network.network_name}"
-  secgroup_name       = "${module.secgroup.secgroup_name}"
-  floating_ip_pool    = "${var.floating_ip_pool}"
-  ssh_user            = "${var.ssh_user}"
-  ssh_key             = "${var.ssh_key}"
-  os_ssh_keypair      = "${openstack_compute_keypair_v2.keypair.name}"
-  docker_version      = "${var.docker_version}"
-  assign_floating_ip  = "${var.edge_assign_floating_ip}"
-  allowed_ingress_tcp = [22, 6443]
-  role                = ["worker"]
+  source             = "modules/node"
+  count              = "${var.edge_count}"
+  name_prefix        = "${var.cluster_prefix}-edge"
+  flavor_name        = "${var.edge_flavor_name}"
+  image_name         = "${var.image_name}"
+  network_name       = "${module.network.network_name}"
+  secgroup_name      = "${module.secgroup.secgroup_name}"
+  floating_ip_pool   = "${var.floating_ip_pool}"
+  ssh_user           = "${var.ssh_user}"
+  ssh_key            = "${var.ssh_key}"
+  os_ssh_keypair     = "${openstack_compute_keypair_v2.keypair.name}"
+  docker_version     = "${var.docker_version}"
+  assign_floating_ip = "${var.edge_assign_floating_ip}"
+  role               = ["worker"]
 
   labels = {
     node_type = "edge"
@@ -90,11 +91,8 @@ module "edge" {
 locals {
   rke_cluster_deps = [
     "${join(",",module.master.prepare_nodes_id_list)}",       # Master stuff ...
-    "${join(",",module.master.allowed_ingress_id_list)}",
     "${join(",",module.service.prepare_nodes_id_list)}",      # Service stuff ...
-    "${join(",",module.service.allowed_ingress_id_list)}",
     "${join(",",module.edge.prepare_nodes_id_list)}",         # Edge stuff ...
-    "${join(",",module.edge.allowed_ingress_id_list)}",
     "${join(",",module.edge.associate_floating_ip_id_list)}",
     "${join(",",module.secgroup.rule_id_list)}",              # Other stuff ...
     "${module.network.interface_id}",

diff --git a/modules/node/main.tf b/modules/node/main.tf
@@ -1,11 +1,3 @@
-# Create security group for allowed ports
-module "allowed_ingress" {
-  source              = "../secgroup"
-  name_prefix         = "${var.name_prefix}"
-  allowed_ingress_tcp = "${var.allowed_ingress_tcp}"
-  allowed_ingress_udp = "${var.allowed_ingress_udp}"
-}
-
 # Create instance
 resource "openstack_compute_instance_v2" "instance" {
   count       = "${var.count}"
@@ -18,7 +10,7 @@ resource "openstack_compute_instance_v2" "instance" {
     name = "${var.network_name}"
   }
 
-  security_groups = ["${var.secgroup_name}", "${module.allowed_ingress.secgroup_name}"]
+  security_groups = ["${var.secgroup_name}"]
 
   # Try to drain and delete node before downscaling
   provisioner "local-exec" {

diff --git a/modules/node/outputs.tf b/modules/node/outputs.tf
@@ -13,11 +13,6 @@ output "prepare_nodes_id_list" {
   value       = ["${null_resource.prepare_nodes.*.id}"]
 }
 
-output "allowed_ingress_id_list" {
-  description = "Allowed ingress resource ID list"
-  value       = ["${module.allowed_ingress.rule_id_list}"]
-}
-
 output "associate_floating_ip_id_list" {
   description = "Associate floating IP resource ID list"
   value       = ["${openstack_compute_floatingip_associate_v2.associate_floating_ip.*.id}"]

diff --git a/modules/node/variables.tf b/modules/node/variables.tf
@@ -55,18 +55,6 @@ variable labels {
   default     = {}
 }
 
-variable allowed_ingress_tcp {
-  type        = "list"
-  description = "Allowed TCP ingress traffic"
-  default     = []
-}
-
-variable allowed_ingress_udp {
-  type        = "list"
-  description = "Allowed UDP ingress traffic"
-  default     = []
-}
-
 variable docker_version {
   default = "Docker version (should be RKE-compliant: https://rancher.com/docs/rke/v0.1.x/en/os/#software)"
 }

diff --git a/variables.tf b/variables.tf
@@ -89,3 +89,15 @@ variable edge_assign_floating_ip {
   description = "If true a floating IP is assigned to each edge node"
   default     = true
 }
+
+variable allowed_ingress_tcp {
+  type        = "list"
+  description = "Allowed TCP ingress traffic"
+  default     = [22, 6443]
+}
+
+variable allowed_ingress_udp {
+  type        = "list"
+  description = "Allowed UDP ingress traffic"
+  default     = []
+}