From d40020845cb39deb03732b0066cacd14e41c5320 Mon Sep 17 00:00:00 2001 From: Jayesh-Kumar3 Date: Mon, 9 Dec 2024 19:56:47 +0530 Subject: [PATCH 01/13] sg 1 Signed-off-by: Jayesh-Kumar3 --- .../sub_modules/instance_template/README.md | 8 +++++ .../sub_modules/instance_template/main.tf | 36 +++++++++++++++++++ .../instance_template/variables.tf | 26 ++++++++++++++ 3 files changed, 70 insertions(+) diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/README.md b/ibmcloud_scale_templates/sub_modules/instance_template/README.md index a35c02c4..f5a090f4 100644 --- a/ibmcloud_scale_templates/sub_modules/instance_template/README.md +++ b/ibmcloud_scale_templates/sub_modules/instance_template/README.md @@ -92,6 +92,7 @@ Below steps will provision IBM Cloud resources (compute and storage instances in | [client_vsi_profile](#input_client_vsi_profile) | Client nodes vis profile | `string` | | [colocate_protocol_cluster_instances](#input_colocate_protocol_cluster_instances) | Enable it to use storage instances as protocol instances | `bool` | | [comp_sg_id](#input_comp_sg_id) | Existing compute security group id | `string` | +| [comp_sg_name](#input_comp_sg_name) | Existing compute security group name | `string` | | [compute_cluster_filesystem_mountpoint](#input_compute_cluster_filesystem_mountpoint) | Compute cluster (accessingCluster) Filesystem mount point. | `string` | | [compute_cluster_gui_password](#input_compute_cluster_gui_password) | Password for compute cluster GUI | `string` | | [compute_cluster_gui_username](#input_compute_cluster_gui_username) | GUI user to perform system management and monitoring tasks on compute cluster. | `string` | 
@@ -110,6 +111,7 @@ Below steps will provision IBM Cloud resources (compute and storage instances in | [gklm_instance_dns_zone_id](#input_gklm_instance_dns_zone_id) | IBM GKLM Instance DNS zone id. | `string` | | [gklm_instance_key_pair](#input_gklm_instance_key_pair) | The key pair to use to launch the GKLM host. | `list(string)` | | [gklm_sg_id](#input_gklm_sg_id) | Existing gklm security group id | `string` | +| [gklm_sg_name](#input_gklm_sg_name) | Existing gklm security group name | `string` | | [gklm_vsi_osimage_id](#input_gklm_vsi_osimage_id) | Image id to use for provisioning the GKLM instances. | `string` | | [gklm_vsi_osimage_name](#input_gklm_vsi_osimage_name) | Image name to use for provisioning the GKLM instances. | `string` | | [gklm_vsi_profile](#input_gklm_vsi_profile) | Profile to be used for GKLM virtual server instance. | `string` | 
@@ -121,6 +123,7 @@ Below steps will provision IBM Cloud resources (compute and storage instances in | [ldap_server](#input_ldap_server) | Provide the IP address for the existing LDAP server. If no address is given, a new LDAP server will be created. | `string` | | [ldap_server_cert](#input_ldap_server_cert) | Provide the existing LDAP server certificate. This value is required if the 'ldap_server' variable is not set to null. If the certificate is not provided or is invalid, the LDAP configuration may fail. | `string` | | [ldap_sg_id](#input_ldap_sg_id) | Existing ldap security group id | `string` | +| [ldap_sg_name](#input_ldap_sg_name) | Existing ldap security group name | `string` | | [ldap_user_name](#input_ldap_user_name) | Custom LDAP User for performing cluster operations. Note: Username should be between 4 to 32 characters, (any combination of lowercase and uppercase letters).[This value is ignored for an existing LDAP server] | `string` | | [ldap_user_password](#input_ldap_user_password) | The LDAP user password should be 8 to 20 characters long, with a mix of at least three alphabetic characters, including one uppercase and one lowercase letter. It must also include two numerical digits and at least one special character from (~@_+:) are required.It is important to avoid including the username in the password for enhanced security.[This value is ignored for an existing LDAP server]. | `string` | | [ldap_vsi_osimage_name](#input_ldap_vsi_osimage_name) | Image name to be used for provisioning the LDAP instances. Note: Debian based OS are only supported for the LDAP feature. | `string` | 
@@ -145,6 +148,7 @@ Below steps will provision IBM Cloud resources (compute and storage instances in | [storage_vsi_osimage_name](#input_storage_vsi_osimage_name) | Image name to use for provisioning the storage cluster instances. | `string` | | [storage_vsi_profile](#input_storage_vsi_profile) | Profile to be used for storage cluster virtual server instance. | `string` | | [strg_sg_id](#input_strg_sg_id) | Existing storage security group id | `string` | +| [strg_sg_name](#input_strg_sg_name) | Existing storage security group name | `string` | | [total_afm_cluster_instances](#input_total_afm_cluster_instances) | Total number of instance count that you need to provision for afm nodes and enable AFM. | `number` | | [total_client_cluster_instances](#input_total_client_cluster_instances) | Total number of client cluster instances that you need to provision. A minimum of 2 nodes and a maximum of 64 nodes are supported | `number` | | [total_compute_cluster_instances](#input_total_compute_cluster_instances) | Number of instances to be launched for compute cluster. | `number` | @@ -176,4 +180,8 @@ Below steps will provision IBM Cloud resources (compute and storage instances in | [storage_cluster_instance_ids](#output_storage_cluster_instance_ids) | Storage cluster instance ids. | | [storage_cluster_instance_private_ips](#output_storage_cluster_instance_private_ips) | Private IP address of storage cluster instances. | | [storage_cluster_with_data_volume_mapping](#output_storage_cluster_with_data_volume_mapping) | Mapping of storage cluster instance ip vs. device path. | +| [strg_sg_rules1](#output_strg_sg_rules1) | n/a | +| [strg_sg_rules2](#output_strg_sg_rules2) | n/a | +| [strg_sg_rules3](#output_strg_sg_rules3) | n/a | +| [strg_sg_rules4](#output_strg_sg_rules4) | n/a | diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf index 4651da7c..9a7e7c92 100644 
--- a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf
+++ b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf
@@ -75,6 +75,42 @@ locals {
 deploy_sec_group_id = var.deploy_controller_sec_group_id == null ? module.deploy_security_group.sec_group_id : var.deploy_controller_sec_group_id
 }
+data "ibm_is_security_group" "strg_security_group" {
+ name = var.strg_sg_name
+}
+
+data "ibm_is_security_group" "comp_security_group" {
+ name = var.comp_sg_name
+}
+
+data "ibm_is_security_group" "gklm_security_group" {
+ name = var.gklm_sg_name
+}
+
+data "ibm_is_security_group" "ldap_security_group" {
+ name = var.ldap_sg_name
+}
+
+locals {
+ strg_sg_rules = try({ for remote in data.ibm_is_security_group.strg_security_group.rules[*] : remote.direction => remote.remote... }, {})
+ comp_sg_rules = try({ for remote in data.ibm_is_security_group.comp_security_group.rules[*] : remote.direction => remote.remote... }, {})
+ gklm_sg_rules = try({ for remote in data.ibm_is_security_group.gklm_security_group.rules[*] : remote.direction => remote.remote... }, {})
+ ldap_sg_rules = try({ for remote in data.ibm_is_security_group.ldap_security_group.rules[*] : remote.direction => remote.remote... }, {})
+}
+
+output "strg_sg_rules1" {
+ value = local.strg_sg_rules
+}
+output "strg_sg_rules2" {
+ value = local.comp_sg_rules
+}
+output "strg_sg_rules3" {
+ value = local.gklm_sg_rules
+}
+output "strg_sg_rules4" {
+ value = local.ldap_sg_rules
+}
+
 module "compute_cluster_security_group" {
 source = "../../../resources/ibmcloud/security/security_group"
 turn_on = (var.total_client_cluster_instances > 0 || var.total_compute_cluster_instances > 0) && var.comp_sg_id == null ? true : false
diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/variables.tf b/ibmcloud_scale_templates/sub_modules/instance_template/variables.tf
index cd79802c..0a33a54c 100644
--- a/ibmcloud_scale_templates/sub_modules/instance_template/variables.tf
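Review bot: The four `data "ibm_is_security_group"` blocks are unconditional, so with the new variables left at their `null` default (the `variables.tf` hunk of this patch) every plan still performs a lookup with a null `name`, which fails before the `turn_on` fallback to the created groups is ever reached. Guard each lookup with a `count` on its variable and read it through a splat, so the data source is simply absent when no existing group is named; the `try(..., {})` wrappers on the `*_sg_rules` locals then no longer have to paper over a failed lookup. The `strg_sg_rules1..4` outputs look like debugging aids: their names do not match their contents (`strg_sg_rules2` holds the compute group's rules), the README lists them as `n/a`, and they export every rule of the referenced groups to anyone who can read the state or outputs, so either drop them or give them accurate names and `description`s. The same unconditional references are consumed by `existing_*_sg_id` in the `@@ -31,10 +31,11 @@` hunk of patch 02, which would then use `one(...)` on the splat.

```hcl
data "ibm_is_security_group" "strg_security_group" {
  count = var.strg_sg_name != null ? 1 : 0
  name  = var.strg_sg_name
}
# … unchanged: comp_security_group, gklm_security_group, ldap_security_group, guarded the same way …

locals {
  # count = 0 yields an empty splat, so this is {} when no existing group was named
  strg_sg_rules = { for rule in flatten(data.ibm_is_security_group.strg_security_group[*].rules) : rule.direction => rule.remote... }
  # … unchanged: comp/gklm/ldap variants …
}
```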
+++ b/ibmcloud_scale_templates/sub_modules/instance_template/variables.tf
@@ -605,3 +605,29 @@ variable "key_protect_instance_id" {
 default = null
 description = "Existing Key Protect ID"
 }
+
+# Existing Security Group Variables
+
+variable "strg_sg_name" {
+ type = string
+ default = null
+ description = "Existing storage security group name"
+}
+
+variable "comp_sg_name" {
+ type = string
+ default = null
+ description = "Existing compute security group name"
+}
+
+variable "gklm_sg_name" {
+ type = string
+ default = null
+ description = "Existing gklm security group name"
+}
+
+variable "ldap_sg_name" {
+ type = string
+ default = null
+ description = "Existing ldap security group name"
+}
From 9fd49a1611e210f3926bcee3870dc673c70ba705 Mon Sep 17 00:00:00 2001
From: Jayesh-Kumar3
Date: Mon, 9 Dec 2024 20:22:29 +0530
Subject: [PATCH 02/13] sg 2
Signed-off-by: Jayesh-Kumar3
---
 .../sub_modules/instance_template/README.md | 4 --
 .../sub_modules/instance_template/main.tf | 52 ++++++++++---------
 .../instance_template/variables.tf | 46 ++++++++--------
 3 files changed, 50 insertions(+), 52 deletions(-)
diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/README.md b/ibmcloud_scale_templates/sub_modules/instance_template/README.md
index f5a090f4..2786ed7c 100644
--- a/ibmcloud_scale_templates/sub_modules/instance_template/README.md
+++ b/ibmcloud_scale_templates/sub_modules/instance_template/README.md
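Review bot: The four new `description`s say only `Existing storage security group name` (and the compute/gklm/ldap equivalents), which tells a caller neither what the name must refer to nor what happens when it is left `null`; from `main.tf` the null case creates `<resource_prefix>-storage-sg` with the template's default rules and the non-null case attaches the named group instead. Suggest for the storage one `description = "Name of an existing security group in the same VPC as var.vpc_id to attach to the storage cluster instances instead of creating one. Leave null to let the template create <resource_prefix>-storage-sg with its default rules."`, with the same pattern for `comp_sg_name`, `gklm_sg_name` and `ldap_sg_name`. A short `validation` block rejecting an empty string would also give a clearer error than a failed lookup.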
@@ -91,7 +91,6 @@ Below steps will provision IBM Cloud resources (compute and storage instances in | [client_vsi_osimage_name](#input_client_vsi_osimage_name) | Name of the image that you would like to use to create the client cluster nodes for the IBM Storage Scale cluster. The solution supports only stock images that use RHEL8.8 version. | `string` | | [client_vsi_profile](#input_client_vsi_profile) | Client nodes vis profile | `string` | | [colocate_protocol_cluster_instances](#input_colocate_protocol_cluster_instances) | Enable it to use storage instances as protocol instances | `bool` | -| [comp_sg_id](#input_comp_sg_id) | Existing compute security group id | `string` | | [comp_sg_name](#input_comp_sg_name) | Existing compute security group name | `string` | | [compute_cluster_filesystem_mountpoint](#input_compute_cluster_filesystem_mountpoint) | Compute cluster (accessingCluster) Filesystem mount point. | `string` | | [compute_cluster_gui_password](#input_compute_cluster_gui_password) | Password for compute cluster GUI | `string` | @@ -110,7 +109,6 @@ Below steps will provision IBM Cloud resources (compute and storage instances in | [gklm_instance_dns_service_id](#input_gklm_instance_dns_service_id) | IBM Cloud GKLM Instance DNS service resource id. | `string` | | [gklm_instance_dns_zone_id](#input_gklm_instance_dns_zone_id) | IBM GKLM Instance DNS zone id. | `string` | | [gklm_instance_key_pair](#input_gklm_instance_key_pair) | The key pair to use to launch the GKLM host. | `list(string)` | -| [gklm_sg_id](#input_gklm_sg_id) | Existing gklm security group id | `string` | | [gklm_sg_name](#input_gklm_sg_name) | Existing gklm security group name | `string` | | [gklm_vsi_osimage_id](#input_gklm_vsi_osimage_id) | Image id to use for provisioning the GKLM instances. | `string` | | [gklm_vsi_osimage_name](#input_gklm_vsi_osimage_name) | Image name to use for provisioning the GKLM instances. | `string` | 
@@ -122,7 +120,6 @@ Below steps will provision IBM Cloud resources (compute and storage instances in | [ldap_instance_key_pair](#input_ldap_instance_key_pair) | Name of the SSH key configured in your IBM Cloud account that is used to establish a connection to the LDAP Server. Make sure that the SSH key is present in the same resource group and region where the LDAP Servers are provisioned. If you do not have an SSH key in your IBM Cloud account, create one by using the [SSH keys](https://cloud.ibm.com/docs/vpc?topic=vpc-ssh-keys) instructions. | `list(string)` | | [ldap_server](#input_ldap_server) | Provide the IP address for the existing LDAP server. If no address is given, a new LDAP server will be created. | `string` | | [ldap_server_cert](#input_ldap_server_cert) | Provide the existing LDAP server certificate. This value is required if the 'ldap_server' variable is not set to null. If the certificate is not provided or is invalid, the LDAP configuration may fail. | `string` | -| [ldap_sg_id](#input_ldap_sg_id) | Existing ldap security group id | `string` | | [ldap_sg_name](#input_ldap_sg_name) | Existing ldap security group name | `string` | | [ldap_user_name](#input_ldap_user_name) | Custom LDAP User for performing cluster operations. Note: Username should be between 4 to 32 characters, (any combination of lowercase and uppercase letters).[This value is ignored for an existing LDAP server] | `string` | | [ldap_user_password](#input_ldap_user_password) | The LDAP user password should be 8 to 20 characters long, with a mix of at least three alphabetic characters, including one uppercase and one lowercase letter. It must also include two numerical digits and at least one special character from (~@_+:) are required.It is important to avoid including the username in the password for enhanced security.[This value is ignored for an existing LDAP server]. | `string` | 
@@ -147,7 +144,6 @@ Below steps will provision IBM Cloud resources (compute and storage instances in | [storage_vsi_osimage_id](#input_storage_vsi_osimage_id) | Image id to use for provisioning the storage cluster instances. | `string` | | [storage_vsi_osimage_name](#input_storage_vsi_osimage_name) | Image name to use for provisioning the storage cluster instances. | `string` | | [storage_vsi_profile](#input_storage_vsi_profile) | Profile to be used for storage cluster virtual server instance. | `string` | -| [strg_sg_id](#input_strg_sg_id) | Existing storage security group id | `string` | | [strg_sg_name](#input_strg_sg_name) | Existing storage security group name | `string` | | [total_afm_cluster_instances](#input_total_afm_cluster_instances) | Total number of instance count that you need to provision for afm nodes and enable AFM. | `number` | | [total_client_cluster_instances](#input_total_client_cluster_instances) | Total number of client cluster instances that you need to provision. A minimum of 2 nodes and a maximum of 64 nodes are supported | `number` | diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf index 9a7e7c92..7913d432 100644 --- a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf +++ b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf 
@@ -31,10 +31,11 @@ locals {
 enable_afm = var.total_afm_cluster_instances > 0 ? true : false
 afm_server_type = strcontains(var.afm_vsi_profile, "metal")
 ces_server_type = strcontains(var.protocol_vsi_profile, "metal")
- existing_strg_sg_id = var.strg_sg_id != null ? [var.strg_sg_id] : [module.storage_cluster_security_group.sec_group_id]
- existing_comp_sg_id = var.comp_sg_id != null ? [var.comp_sg_id] : [module.compute_cluster_security_group.sec_group_id]
- existing_gklm_sg_id = var.gklm_sg_id != null ? [var.gklm_sg_id] : [module.gklm_instance_security_group.sec_group_id]
- existing_ldap_sg_id = var.ldap_sg_id != null ? [var.ldap_sg_id] : [module.ldap_instance_security_group.sec_group_id]
+ existing_strg_sg_id = var.strg_sg_name != null ? [data.ibm_is_security_group.strg_security_group.id] : [module.storage_cluster_security_group.sec_group_id]
+ existing_comp_sg_id = var.comp_sg_name != null ? [data.ibm_is_security_group.comp_security_group.id] : [module.compute_cluster_security_group.sec_group_id]
+ existing_gklm_sg_id = var.gklm_sg_name != null ? [data.ibm_is_security_group.gklm_security_group.id] : [module.gklm_instance_security_group.sec_group_id]
+ existing_ldap_sg_id = var.ldap_sg_name != null ? [data.ibm_is_security_group.ldap_security_group.id] : [module.ldap_instance_security_group.sec_group_id]
+
 }
 module "generate_compute_cluster_keys" {
@@ -96,6 +97,7 @@ locals {
 comp_sg_rules = try({ for remote in data.ibm_is_security_group.comp_security_group.rules[*] : remote.direction => remote.remote... }, {})
 gklm_sg_rules = try({ for remote in data.ibm_is_security_group.gklm_security_group.rules[*] : remote.direction => remote.remote... }, {})
 ldap_sg_rules = try({ for remote in data.ibm_is_security_group.ldap_security_group.rules[*] : remote.direction => remote.remote... }, {})
+
 }
 output "strg_sg_rules1" {
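Review bot: The `existing_*_sg_id` locals now take the group id from a lookup that matches on `name` alone, so the id attached to the instances is only as trustworthy as that name is unique in the account; a same-named group in another VPC would be selected silently. The rest of this file already pins every created group to `var.vpc_id` (`vpc_id = var.vpc_id` on the security-group modules), so the lookups should be scoped the same way, e.g. `vpc = var.vpc_id` on each `data "ibm_is_security_group"` block if the provider's data source exposes that filter (the data blocks live in the `@@ -75,6 +75,42 @@` hunk of patch 01). If those lookups become count-guarded, each reference here becomes `one(data.ibm_is_security_group.strg_security_group[*].id)`. The two `+` lines that append a blank line to the end of each `locals` block add nothing and should be dropped.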
@@ -113,7 +115,7 @@ output "strg_sg_rules4" {
 module "compute_cluster_security_group" {
 source = "../../../resources/ibmcloud/security/security_group"
- turn_on = (var.total_client_cluster_instances > 0 || var.total_compute_cluster_instances > 0) && var.comp_sg_id == null ? true : false
+ turn_on = (var.total_client_cluster_instances > 0 || var.total_compute_cluster_instances > 0) && var.comp_sg_name == null ? true : false
 sec_group_name = [format("%s-compute-sg", var.resource_prefix)]
 vpc_id = var.vpc_id
 resource_group_id = var.resource_group_id
@@ -123,7 +125,7 @@ module "compute_cluster_security_group" {
 # FIXME - Fine grain port inbound is needed, but hits limitation of 5 rules
 module "compute_cluster_ingress_security_rule" {
 source = "../../../resources/ibmcloud/security/security_rule_source"
- total_rules = ((var.total_client_cluster_instances > 0 || var.total_compute_cluster_instances > 0) && var.using_jumphost_connection == false && var.comp_sg_id == null) ? 3 : 0
+ total_rules = ((var.total_client_cluster_instances > 0 || var.total_compute_cluster_instances > 0) && var.using_jumphost_connection == false && var.comp_sg_name == null) ? 3 : 0
 security_group_id = [module.compute_cluster_security_group.sec_group_id]
 sg_direction = ["inbound"]
 source_security_group_id = [var.bastion_security_group_id, local.deploy_sec_group_id, module.compute_cluster_security_group.sec_group_id]
@@ -131,7 +133,7 @@ module "compute_cluster_ingress_security_rule" {
 module "compute_cluster_ingress_security_rule_wt_bastion" {
 source = "../../../resources/ibmcloud/security/security_rule_source"
- total_rules = ((var.total_client_cluster_instances > 0 || var.total_compute_cluster_instances > 0) && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id != null && var.comp_sg_id == null) ? 3 : 0
+ total_rules = ((var.total_client_cluster_instances > 0 || var.total_compute_cluster_instances > 0) && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id != null && var.comp_sg_name == null) ? 3 : 0
 security_group_id = [module.compute_cluster_security_group.sec_group_id]
 sg_direction = ["inbound"]
 source_security_group_id = [var.bastion_security_group_id, local.deploy_sec_group_id, module.compute_cluster_security_group.sec_group_id]
@@ -139,7 +141,7 @@ module "compute_cluster_ingress_security_rule_wt_bastion" {
 module "compute_cluster_ingress_security_rule_wo_bastion" {
 source = "../../../resources/ibmcloud/security/security_rule_source"
- total_rules = ((var.total_client_cluster_instances > 0 || var.total_compute_cluster_instances > 0) && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id == null && var.comp_sg_id == null) ? 2 : 0
+ total_rules = ((var.total_client_cluster_instances > 0 || var.total_compute_cluster_instances > 0) && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id == null && var.comp_sg_name == null) ? 2 : 0
 security_group_id = [module.compute_cluster_security_group.sec_group_id]
 sg_direction = ["inbound"]
 source_security_group_id = [local.deploy_sec_group_id, module.compute_cluster_security_group.sec_group_id]
@@ -147,7 +149,7 @@ module "compute_cluster_ingress_security_rule_wo_bastion" {
 module "compute_egress_security_rule" {
 source = "../../../resources/ibmcloud/security/security_allow_all"
- turn_on = (var.total_client_cluster_instances > 0 || var.total_compute_cluster_instances > 0) && var.comp_sg_id == null ? true : false
+ turn_on = (var.total_client_cluster_instances > 0 || var.total_compute_cluster_instances > 0) && var.comp_sg_name == null ? true : false
 security_group_ids = module.compute_cluster_security_group.sec_group_id
 sg_direction = "outbound"
 remote_ip_addr = "0.0.0.0/0"
@@ -155,7 +157,7 @@ module "compute_egress_security_rule" {
 module "storage_egress_security_rule" {
 source = "../../../resources/ibmcloud/security/security_allow_all"
- turn_on = var.total_storage_cluster_instances > 0 && var.strg_sg_id == null ? true : false
+ turn_on = var.total_storage_cluster_instances > 0 && var.strg_sg_name == null ? true : false
 security_group_ids = module.storage_cluster_security_group.sec_group_id
 sg_direction = "outbound"
 remote_ip_addr = "0.0.0.0/0"
@@ -163,7 +165,7 @@ module "storage_egress_security_rule" {
 module "gklm_instance_egress_security_rule" {
 source = "../../../resources/ibmcloud/security/security_allow_all"
- turn_on = (var.scale_encryption_enabled && var.scale_encryption_type == "gklm" && var.gklm_sg_id == null) ? true : false
+ turn_on = (var.scale_encryption_enabled && var.scale_encryption_type == "gklm" && var.gklm_sg_name == null) ? true : false
 security_group_ids = module.gklm_instance_security_group.sec_group_id
 sg_direction = "outbound"
 remote_ip_addr = "0.0.0.0/0"
@@ -171,7 +173,7 @@ module "gklm_instance_egress_security_rule" {
 module "ldap_instance_egress_security_rule" {
 source = "../../../resources/ibmcloud/security/security_allow_all"
- turn_on = var.enable_ldap && var.ldap_server == "null" && var.ldap_sg_id == null
+ turn_on = var.enable_ldap && var.ldap_server == "null" && var.ldap_sg_name == null
 security_group_ids = module.ldap_instance_security_group.sec_group_id
 sg_direction = "outbound"
 remote_ip_addr = "0.0.0.0/0"
@@ -179,7 +181,7 @@ module "ldap_instance_egress_security_rule" {
 module "storage_cluster_security_group" {
 source = "../../../resources/ibmcloud/security/security_group"
- turn_on = var.total_storage_cluster_instances > 0 && var.strg_sg_id == null ? true : false
+ turn_on = var.total_storage_cluster_instances > 0 && var.strg_sg_name == null ? true : false
 sec_group_name = [format("%s-storage-sg", var.resource_prefix)]
 vpc_id = var.vpc_id
 resource_group_id = var.resource_group_id
@@ -188,7 +190,7 @@ module "storage_cluster_security_group" {
 module "storage_cluster_ingress_security_rule" {
 source = "../../../resources/ibmcloud/security/security_rule_source"
- total_rules = (var.total_storage_cluster_instances > 0 && var.using_jumphost_connection == false && var.strg_sg_id == null) ? 3 : 0
+ total_rules = (var.total_storage_cluster_instances > 0 && var.using_jumphost_connection == false && var.strg_sg_name == null) ? 3 : 0
 security_group_id = [module.storage_cluster_security_group.sec_group_id]
 sg_direction = ["inbound"]
 source_security_group_id = [var.bastion_security_group_id, local.deploy_sec_group_id, module.storage_cluster_security_group.sec_group_id]
@@ -196,7 +198,7 @@ module "storage_cluster_ingress_security_rule" {
 module "storage_cluster_ingress_security_rule_wt_bastion" {
 source = "../../../resources/ibmcloud/security/security_rule_source"
- total_rules = (var.total_storage_cluster_instances > 0 && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id != null && var.strg_sg_id == null) ? 3 : 0
+ total_rules = (var.total_storage_cluster_instances > 0 && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id != null && var.strg_sg_name == null) ? 3 : 0
 security_group_id = [module.storage_cluster_security_group.sec_group_id]
 sg_direction = ["inbound"]
 source_security_group_id = [var.bastion_security_group_id, local.deploy_sec_group_id, module.storage_cluster_security_group.sec_group_id]
@@ -204,7 +206,7 @@ module "storage_cluster_ingress_security_rule_wt_bastion" {
 module "storage_cluster_ingress_security_rule_wo_bastion" {
 source = "../../../resources/ibmcloud/security/security_rule_source"
- total_rules = (var.total_storage_cluster_instances > 0 && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id == null && var.strg_sg_id == null) ? 2 : 0
+ total_rules = (var.total_storage_cluster_instances > 0 && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id == null && var.strg_sg_name == null) ? 2 : 0
 security_group_id = [module.storage_cluster_security_group.sec_group_id]
 sg_direction = ["inbound"]
 source_security_group_id = [local.deploy_sec_group_id, module.storage_cluster_security_group.sec_group_id]
@@ -212,7 +214,7 @@ module "storage_cluster_ingress_security_rule_wo_bastion" {
 module "bicluster_ingress_security_rule" {
 source = "../../../resources/ibmcloud/security/security_rule_source"
- total_rules = (var.total_storage_cluster_instances > 0 && (var.total_client_cluster_instances > 0 || var.total_compute_cluster_instances > 0) && var.strg_sg_id == null) ? 2 : 0
+ total_rules = (var.total_storage_cluster_instances > 0 && (var.total_client_cluster_instances > 0 || var.total_compute_cluster_instances > 0) && var.strg_sg_name == null) ? 2 : 0
 security_group_id = [module.storage_cluster_security_group.sec_group_id, module.compute_cluster_security_group.sec_group_id]
 sg_direction = ["inbound", "inbound"]
 source_security_group_id = [module.compute_cluster_security_group.sec_group_id, module.storage_cluster_security_group.sec_group_id]
@@ -220,7 +222,7 @@ module "bicluster_ingress_security_rule" {
 module "gklm_instance_security_group" {
 source = "../../../resources/ibmcloud/security/security_group"
- turn_on = var.scale_encryption_enabled && var.scale_encryption_type == "gklm" && var.gklm_sg_id == null ? true : false
+ turn_on = var.scale_encryption_enabled && var.scale_encryption_type == "gklm" && var.gklm_sg_name == null ? true : false
 sec_group_name = [format("%s-gklm-sg", var.resource_prefix)]
 vpc_id = var.vpc_id
 resource_group_id = var.resource_group_id
@@ -229,7 +231,7 @@ module "gklm_instance_security_group" {
 module "gklm_instance_ingress_security_rule" {
 source = "../../../resources/ibmcloud/security/security_rule_source"
- total_rules = (var.scale_encryption_enabled == true && var.scale_encryption_type == "gklm" && var.using_jumphost_connection == false && var.gklm_sg_id == null) ? 5 : 0
+ total_rules = (var.scale_encryption_enabled == true && var.scale_encryption_type == "gklm" && var.using_jumphost_connection == false && var.gklm_sg_name == null) ? 5 : 0
 security_group_id = [module.gklm_instance_security_group.sec_group_id]
 sg_direction = ["inbound"]
 source_security_group_id = [var.bastion_security_group_id, local.deploy_sec_group_id, module.gklm_instance_security_group.sec_group_id, module.compute_cluster_security_group.sec_group_id, module.storage_cluster_security_group.sec_group_id]
@@ -237,7 +239,7 @@ module "gklm_instance_ingress_security_rule" {
 module "gklm_instance_ingress_security_rule_wt_bastion" {
 source = "../../../resources/ibmcloud/security/security_rule_source"
- total_rules = (var.scale_encryption_enabled == true && var.scale_encryption_type == "gklm" && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id != null && var.gklm_sg_id == null) ? 5 : 0
+ total_rules = (var.scale_encryption_enabled == true && var.scale_encryption_type == "gklm" && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id != null && var.gklm_sg_name == null) ? 5 : 0
 security_group_id = [module.gklm_instance_security_group.sec_group_id]
 sg_direction = ["inbound"]
 source_security_group_id = [var.bastion_security_group_id, local.deploy_sec_group_id, module.gklm_instance_security_group.sec_group_id, module.compute_cluster_security_group.sec_group_id, module.storage_cluster_security_group.sec_group_id]
@@ -245,7 +247,7 @@ module "gklm_instance_ingress_security_rule_wt_bastion" {
 module "gklm_instance_ingress_security_rule_wo_bastion" {
 source = "../../../resources/ibmcloud/security/security_rule_source"
- total_rules = (var.scale_encryption_enabled == true && var.scale_encryption_type == "gklm" && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id == null && var.gklm_sg_id == null) ? 4 : 0
+ total_rules = (var.scale_encryption_enabled == true && var.scale_encryption_type == "gklm" && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id == null && var.gklm_sg_name == null) ? 4 : 0
 security_group_id = [module.gklm_instance_security_group.sec_group_id]
 sg_direction = ["inbound"]
 source_security_group_id = [local.deploy_sec_group_id, module.gklm_instance_security_group.sec_group_id, module.compute_cluster_security_group.sec_group_id, module.storage_cluster_security_group.sec_group_id]
@@ -253,7 +255,7 @@ module "gklm_instance_ingress_security_rule_wo_bastion" {
 module "ldap_instance_security_group" {
 source = "../../../resources/ibmcloud/security/security_group"
- turn_on = var.enable_ldap && var.ldap_server == "null" && var.ldap_sg_id == null
+ turn_on = var.enable_ldap && var.ldap_server == "null" && var.ldap_sg_name == null
 sec_group_name = [format("%s-ldap-sg", var.resource_prefix)]
 vpc_id = var.vpc_id
 resource_group_id = var.resource_group_id
@@ -262,7 +264,7 @@ module "ldap_instance_security_group" {
 module "ldap_instance_ingress_security_rule" {
 source = "../../../resources/ibmcloud/security/security_rule_source"
- total_rules = (var.enable_ldap == true && var.ldap_server == "null" && var.using_jumphost_connection == false && var.ldap_sg_id == null) ? 5 : 0
+ total_rules = (var.enable_ldap == true && var.ldap_server == "null" && var.using_jumphost_connection == false && var.ldap_sg_name == null) ? 5 : 0
 security_group_id = [module.ldap_instance_security_group.sec_group_id]
 sg_direction = ["inbound"]
 source_security_group_id = [var.bastion_security_group_id, local.deploy_sec_group_id, module.ldap_instance_security_group.sec_group_id, module.compute_cluster_security_group.sec_group_id, module.storage_cluster_security_group.sec_group_id]
@@ -270,7 +272,7 @@ module "ldap_instance_ingress_security_rule" {
 module "ldap_instance_ingress_security_rule_wt_bastion" {
 source = "../../../resources/ibmcloud/security/security_rule_source"
- total_rules = (var.enable_ldap == true && var.ldap_server == "null" && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id != null && var.ldap_sg_id == null) ? 5 : 0
+ total_rules = (var.enable_ldap == true && var.ldap_server == "null" && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id != null && var.ldap_sg_name == null) ? 5 : 0
 security_group_id = [module.ldap_instance_security_group.sec_group_id]
 sg_direction = ["inbound"]
 source_security_group_id = [var.bastion_security_group_id, local.deploy_sec_group_id, module.ldap_instance_security_group.sec_group_id, module.compute_cluster_security_group.sec_group_id, module.storage_cluster_security_group.sec_group_id]
@@ -278,7 +280,7 @@ module "ldap_instance_ingress_security_rule_wt_bastion" {
 module "ldap_instance_ingress_security_rule_wo_bastion" {
 source = "../../../resources/ibmcloud/security/security_rule_source"
- total_rules = (var.enable_ldap == true && var.ldap_server == "null" && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id == null && var.ldap_sg_id == null) ? 4 : 0
+ total_rules = (var.enable_ldap == true && var.ldap_server == "null" && var.using_jumphost_connection == true && var.deploy_controller_sec_group_id == null && var.ldap_sg_name == null) ? 4 : 0
 security_group_id = [module.ldap_instance_security_group.sec_group_id]
 sg_direction = ["inbound"]
 source_security_group_id = [local.deploy_sec_group_id, module.ldap_instance_security_group.sec_group_id, module.compute_cluster_security_group.sec_group_id, module.storage_cluster_security_group.sec_group_id]
diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/variables.tf b/ibmcloud_scale_templates/sub_modules/instance_template/variables.tf
index 0a33a54c..43bfda22 100644
--- a/ibmcloud_scale_templates/sub_modules/instance_template/variables.tf
+++ b/ibmcloud_scale_templates/sub_modules/instance_template/variables.tf
@@ -576,29 +576,29 @@ variable "afm_cos_config" { description = "Please provide details for the Cloud Object Storage (COS) instance, including information about the COS bucket, service credentials (HMAC key), AFM fileset, mode (such as Read-only (RO), Single writer (SW), Local updates (LU), and Independent writer (IW)), storage class (standard, vault, cold, or smart), and bucket type (single_site_location, region_location, cross_region_location). Note : The 'afm_cos_config' can contain up to 5 entries. For further details on COS bucket locations, refer to the relevant documentation https://cloud.ibm.com/docs/cloud-object-storage/basics?topic=cloud-object-storage-endpoints." } -variable "strg_sg_id" { - type = string - default = null - description = "Existing storage security group id" -} - -variable "comp_sg_id" { - type = string - default = null - description = "Existing compute security group id" -} - -variable "gklm_sg_id" { - type = string - default = null - description = "Existing gklm security group id" -} - -variable "ldap_sg_id" { - type = string - default = null - description = "Existing ldap security group id" -} +# variable "strg_sg_id" { +# type = string +# default = null +# description = "Existing storage security group id" +# } + +# variable "comp_sg_id" { +# type = string +# default = null +# description = "Existing compute security group id" +# } + +# variable "gklm_sg_id" { +# type = string +# default = null +# description = "Existing gklm security group id" +# } + +# variable "ldap_sg_id" { +# type = string +# default = null +# description = "Existing ldap security group id" +# } variable "key_protect_instance_id" { type = string From 64312fb16d203881e47a062f61e7d175a3da1ccc Mon Sep 17 00:00:00 2001 From: Jayesh-Kumar3 Date: Tue, 10 Dec 2024 09:34:27 +0530 Subject: [PATCH 03/13] Sg validation 
Signed-off-by: Jayesh-Kumar3 --- .../sub_modules/instance_template/main.tf | 65 ++++++++++++++----- .../instance_template/variables.tf | 24 ------- 2 files changed, 48 insertions(+), 41 deletions(-) diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf index 7913d432..0e49624a 100644 --- a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf +++ b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf 
@@ -93,24 +93,55 @@ data "ibm_is_security_group" "ldap_security_group" { } locals { - strg_sg_rules = try({ for remote in data.ibm_is_security_group.strg_security_group.rules[*] : remote.direction => remote.remote... }, {}) - comp_sg_rules = try({ for remote in data.ibm_is_security_group.comp_security_group.rules[*] : remote.direction => remote.remote... }, {}) - gklm_sg_rules = try({ for remote in data.ibm_is_security_group.gklm_security_group.rules[*] : remote.direction => remote.remote... }, {}) - ldap_sg_rules = try({ for remote in data.ibm_is_security_group.ldap_security_group.rules[*] : remote.direction => remote.remote... }, {}) -} - -output "strg_sg_rules1" { - value = local.strg_sg_rules -} -output "strg_sg_rules2" { - value = local.comp_sg_rules -} -output "strg_sg_rules3" { - value = local.gklm_sg_rules -} -output "strg_sg_rules4" { - value = local.ldap_sg_rules + strg_sg_rules = try([for remote in data.ibm_is_security_group.strg_security_group.rules[*] : remote.remote], []) + comp_sg_rules = try([for remote in data.ibm_is_security_group.comp_security_group.rules[*] : remote.remote], []) + gklm_sg_rules = try([for remote in data.ibm_is_security_group.gklm_security_group.rules[*] : remote.remote], []) + ldap_sg_rules = try([for remote in data.ibm_is_security_group.ldap_security_group.rules[*] : remote.remote], []) + + # Storage Security group validation + validate_strg_sg_in_strg_sg = (var.strg_sg_name != null && contains(local.strg_sg_rules, data.ibm_is_security_group.strg_security_group.id)) + strg_sg_in_strg_sg_msg = "Storage security group is not present in Storage security group" + validate_strg_sg_in_strg_sg_chk = regex("^${local.strg_sg_in_strg_sg_msg}$", (local.validate_strg_sg_in_strg_sg ? 
local.strg_sg_in_strg_sg_msg : "")) + + validate_comp_sg_in_strg_sg = (var.comp_sg_name != null && contains(local.strg_sg_rules, data.ibm_is_security_group.comp_security_group.id)) + comp_sg_in_strg_sg_msg = "Compute security group is not present in Storage security group" + validate_comp_sg_in_strg_sg_chk = regex("^${local.comp_sg_in_strg_sg_msg}$", (local.validate_comp_sg_in_strg_sg ? local.comp_sg_in_strg_sg_msg : "")) + + # Compute Security group validation + validate_strg_sg_in_comp_sg = (var.comp_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.strg_security_group.id)) + strg_sg_in_comp_sg_msg = "Storage security group is not present in Compute security group" + validate_strg_sg_in_comp_sg_chk = regex("^${local.strg_sg_in_comp_sg_msg}$", (local.validate_strg_sg_in_comp_sg ? local.strg_sg_in_comp_sg_msg : "")) + + validate_comp_sg_in_comp_sg = (var.comp_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.comp_security_group.id)) + comp_sg_in_comp_sg_msg = "Compute security group is not present in Compute security group" + validate_comp_sg_in_comp_sg_chk = regex("^${local.comp_sg_in_comp_sg_msg}$", (local.validate_comp_sg_in_comp_sg ? local.comp_sg_in_comp_sg_msg : "")) + + # GKLM Security group validation + validate_strg_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.strg_security_group.id)) + strg_sg_in_gklm_sg_msg = "Storage security group is not present in GKLM security group" + validate_strg_sg_in_gklm_sg_chk = regex("^${local.strg_sg_in_gklm_sg_msg}$", (local.validate_strg_sg_in_gklm_sg ? 
local.strg_sg_in_gklm_sg_msg : "")) + + validate_comp_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.comp_security_group.id)) + comp_sg_in_gklm_sg_msg = "Compute security group is not present in GKLM security group" + validate_comp_sg_in_gklm_sg_chk = regex("^${local.comp_sg_in_gklm_sg_msg}$", (local.validate_comp_sg_in_gklm_sg ? local.comp_sg_in_gklm_sg_msg : "")) + + validate_gklm_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.gklm_security_group.id)) + gklm_sg_in_gklm_sg_msg = "GKLM security group is not present in GKLM security group" + validate_gklm_sg_in_gklm_sg_chk = regex("^${local.gklm_sg_in_gklm_sg_msg}$", (local.validate_gklm_sg_in_gklm_sg ? local.gklm_sg_in_gklm_sg_msg : "")) + + # LDAP Security group validation + validate_strg_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.strg_security_group.id)) + strg_sg_in_ldap_sg_msg = "Storage security group is not present in LDAP security group" + validate_strg_sg_in_ldap_sg_chk = regex("^${local.strg_sg_in_ldap_sg_msg}$", (local.validate_strg_sg_in_ldap_sg ? local.strg_sg_in_ldap_sg_msg : "")) + + validate_comp_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.comp_security_group.id)) + comp_sg_in_ldap_sg_msg = "Compute security group is not present in LDAP security group" + validate_comp_sg_in_ldap_sg_chk = regex("^${local.comp_sg_in_ldap_sg_msg}$", (local.validate_comp_sg_in_ldap_sg ? local.comp_sg_in_ldap_sg_msg : "")) + + validate_ldap_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.ldap_security_group.id)) + ldap_sg_in_ldap_sg_msg = "LDAP security group is not present in LDAP security group" + validate_ldap_sg_in_ldap_sg_chk = regex("^${local.ldap_sg_in_ldap_sg_msg}$", (local.validate_ldap_sg_in_ldap_sg ? 
local.ldap_sg_in_ldap_sg_msg : "")) } module "compute_cluster_security_group" { diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/variables.tf b/ibmcloud_scale_templates/sub_modules/instance_template/variables.tf index 43bfda22..4c9df6dd 100644 --- a/ibmcloud_scale_templates/sub_modules/instance_template/variables.tf +++ b/ibmcloud_scale_templates/sub_modules/instance_template/variables.tf @@ -576,30 +576,6 @@ variable "afm_cos_config" { description = "Please provide details for the Cloud Object Storage (COS) instance, including information about the COS bucket, service credentials (HMAC key), AFM fileset, mode (such as Read-only (RO), Single writer (SW), Local updates (LU), and Independent writer (IW)), storage class (standard, vault, cold, or smart), and bucket type (single_site_location, region_location, cross_region_location). Note : The 'afm_cos_config' can contain up to 5 entries. For further details on COS bucket locations, refer to the relevant documentation https://cloud.ibm.com/docs/cloud-object-storage/basics?topic=cloud-object-storage-endpoints." } -# variable "strg_sg_id" { -# type = string -# default = null -# description = "Existing storage security group id" -# } - -# variable "comp_sg_id" { -# type = string -# default = null -# description = "Existing compute security group id" -# } - -# variable "gklm_sg_id" { -# type = string -# default = null -# description = "Existing gklm security group id" -# } - -# variable "ldap_sg_id" { -# type = string -# default = null -# description = "Existing ldap security group id" -# } - variable "key_protect_instance_id" { type = string default = null From 8017720a73cc28dc9bbac140c04b0ab76c062903 Mon Sep 17 00:00:00 2001 From: Jayesh-Kumar3 Date: Tue, 10 Dec 2024 13:36:54 +0530 Subject: [PATCH 04/13] sg 2 Signed-off-by: Jayesh-Kumar3 --- .../sub_modules/instance_template/main.tf | 4 ++++ 1 file changed, 4 insertions(+) 
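Review bot: The rewritten `*_sg_rules` locals drop the rule direction that the removed map was keyed on, so `contains(local.strg_sg_rules, …)` is satisfied by an outbound rule that merely names the compute group as its remote, even when no inbound rule admits that traffic. Since these checks exist to confirm that the clusters can reach each other, filter on direction when collecting remotes, e.g. `strg_sg_rules = try([for r in data.ibm_is_security_group.strg_security_group.rules : r.remote if r.direction == "inbound"], [])`, and likewise for the other three. The check also says nothing about protocol or ports and does not reject permissive remotes such as `0.0.0.0/0`, which is worth stating in a comment above the block so a passing plan is not read as a least-privilege review of the supplied groups. Separately, `validate_strg_sg_in_comp_sg` guards only on `var.comp_sg_name` while reading `data.ibm_is_security_group.strg_security_group.id`; the cross-group checks need both names set, e.g. `(var.comp_sg_name != null && var.strg_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.strg_security_group.id))`.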
diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf index 0e49624a..9a48583e 100644 --- a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf +++ b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf @@ -77,18 +77,22 @@ locals { } data "ibm_is_security_group" "strg_security_group" { + count = var.strg_sg_name != null ? 1 : 0 name = var.strg_sg_name } data "ibm_is_security_group" "comp_security_group" { + count = var.comp_sg_name != null ? 1 : 0 name = var.comp_sg_name } data "ibm_is_security_group" "gklm_security_group" { + count = var.gklm_sg_name != null ? 1 : 0 name = var.gklm_sg_name } data "ibm_is_security_group" "ldap_security_group" { + count = var.ldap_sg_name != null ? 1 : 0 name = var.ldap_sg_name } From ab7b1e689abea30c816d0966a696a73ae7d76367 Mon Sep 17 00:00:00 2001 From: Jayesh-Kumar3 Date: Tue, 10 Dec 2024 13:49:02 +0530 Subject: [PATCH 05/13] sg 3 Signed-off-by: Jayesh-Kumar3 --- .../sub_modules/instance_template/main.tf | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf index 9a48583e..501ab311 100644 --- a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf +++ b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf 
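Review bot: The new `count` guards only test for `null`, so an empty string passed for `strg_sg_name` (or any of the other three) still instantiates the data source and asks the provider for a security group named `""`, which fails late in the plan with a provider error rather than a clear message. A `validation` block on each variable, `condition = var.strg_sg_name == null || length(var.strg_sg_name) > 0`, or a guard of `var.strg_sg_name != null && var.strg_sg_name != ""` here would catch that at input time. The lookups are also by `name` alone; if this provider version allows the same security group name in more than one VPC in the region, the data source could resolve to a group outside the cluster's VPC and the rule validation would then be run against the wrong group, so pinning the lookup with the data source's `vpc` argument (if supported by the pinned provider) is worth considering. I have not confirmed the name-uniqueness rules for this provider version.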
@@ -98,52 +98,52 @@ data "ibm_is_security_group" "ldap_security_group" { locals { - strg_sg_rules = try([for remote in data.ibm_is_security_group.strg_security_group.rules[*] : remote.remote], []) - comp_sg_rules = try([for remote in data.ibm_is_security_group.comp_security_group.rules[*] : remote.remote], []) - gklm_sg_rules = try([for remote in data.ibm_is_security_group.gklm_security_group.rules[*] : remote.remote], []) - ldap_sg_rules = try([for remote in data.ibm_is_security_group.ldap_security_group.rules[*] : remote.remote], []) + strg_sg_rules = try([for remote in data.ibm_is_security_group.strg_security_group[0].rules[*] : remote.remote], []) + comp_sg_rules = try([for remote in data.ibm_is_security_group.comp_security_group[0].rules[*] : remote.remote], []) + gklm_sg_rules = try([for remote in data.ibm_is_security_group.gklm_security_group[0].rules[*] : remote.remote], []) + ldap_sg_rules = try([for remote in data.ibm_is_security_group.ldap_security_group[0].rules[*] : remote.remote], []) # Storage Security group validation - validate_strg_sg_in_strg_sg = (var.strg_sg_name != null && contains(local.strg_sg_rules, data.ibm_is_security_group.strg_security_group.id)) + validate_strg_sg_in_strg_sg = (var.strg_sg_name != null && contains(local.strg_sg_rules, data.ibm_is_security_group.strg_security_group[0].id)) strg_sg_in_strg_sg_msg = "Storage security group is not present in Storage security group" validate_strg_sg_in_strg_sg_chk = regex("^${local.strg_sg_in_strg_sg_msg}$", (local.validate_strg_sg_in_strg_sg ? 
local.strg_sg_in_strg_sg_msg : "")) - validate_comp_sg_in_strg_sg = (var.comp_sg_name != null && contains(local.strg_sg_rules, data.ibm_is_security_group.comp_security_group.id)) + validate_comp_sg_in_strg_sg = (var.comp_sg_name != null && contains(local.strg_sg_rules, data.ibm_is_security_group.comp_security_group[0].id)) comp_sg_in_strg_sg_msg = "Compute security group is not present in Storage security group" validate_comp_sg_in_strg_sg_chk = regex("^${local.comp_sg_in_strg_sg_msg}$", (local.validate_comp_sg_in_strg_sg ? local.comp_sg_in_strg_sg_msg : "")) # Compute Security group validation - validate_strg_sg_in_comp_sg = (var.comp_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.strg_security_group.id)) + validate_strg_sg_in_comp_sg = (var.comp_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.strg_security_group[0].id)) strg_sg_in_comp_sg_msg = "Storage security group is not present in Compute security group" validate_strg_sg_in_comp_sg_chk = regex("^${local.strg_sg_in_comp_sg_msg}$", (local.validate_strg_sg_in_comp_sg ? local.strg_sg_in_comp_sg_msg : "")) - validate_comp_sg_in_comp_sg = (var.comp_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.comp_security_group.id)) + validate_comp_sg_in_comp_sg = (var.comp_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.comp_security_group[0].id)) comp_sg_in_comp_sg_msg = "Compute security group is not present in Compute security group" validate_comp_sg_in_comp_sg_chk = regex("^${local.comp_sg_in_comp_sg_msg}$", (local.validate_comp_sg_in_comp_sg ? 
local.comp_sg_in_comp_sg_msg : "")) # GKLM Security group validation - validate_strg_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.strg_security_group.id)) + validate_strg_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.strg_security_group[0].id)) strg_sg_in_gklm_sg_msg = "Storage security group is not present in GKLM security group" validate_strg_sg_in_gklm_sg_chk = regex("^${local.strg_sg_in_gklm_sg_msg}$", (local.validate_strg_sg_in_gklm_sg ? local.strg_sg_in_gklm_sg_msg : "")) - validate_comp_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.comp_security_group.id)) + validate_comp_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.comp_security_group[0].id)) comp_sg_in_gklm_sg_msg = "Compute security group is not present in GKLM security group" validate_comp_sg_in_gklm_sg_chk = regex("^${local.comp_sg_in_gklm_sg_msg}$", (local.validate_comp_sg_in_gklm_sg ? local.comp_sg_in_gklm_sg_msg : "")) - validate_gklm_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.gklm_security_group.id)) + validate_gklm_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.gklm_security_group[0].id)) gklm_sg_in_gklm_sg_msg = "GKLM security group is not present in GKLM security group" validate_gklm_sg_in_gklm_sg_chk = regex("^${local.gklm_sg_in_gklm_sg_msg}$", (local.validate_gklm_sg_in_gklm_sg ? 
local.gklm_sg_in_gklm_sg_msg : "")) # LDAP Security group validation - validate_strg_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.strg_security_group.id)) + validate_strg_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.strg_security_group[0].id)) strg_sg_in_ldap_sg_msg = "Storage security group is not present in LDAP security group" validate_strg_sg_in_ldap_sg_chk = regex("^${local.strg_sg_in_ldap_sg_msg}$", (local.validate_strg_sg_in_ldap_sg ? local.strg_sg_in_ldap_sg_msg : "")) - validate_comp_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.comp_security_group.id)) + validate_comp_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.comp_security_group[0].id)) comp_sg_in_ldap_sg_msg = "Compute security group is not present in LDAP security group" validate_comp_sg_in_ldap_sg_chk = regex("^${local.comp_sg_in_ldap_sg_msg}$", (local.validate_comp_sg_in_ldap_sg ? local.comp_sg_in_ldap_sg_msg : "")) - validate_ldap_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.ldap_security_group.id)) + validate_ldap_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.ldap_security_group[0].id)) ldap_sg_in_ldap_sg_msg = "LDAP security group is not present in LDAP security group" validate_ldap_sg_in_ldap_sg_chk = regex("^${local.ldap_sg_in_ldap_sg_msg}$", (local.validate_ldap_sg_in_ldap_sg ? local.ldap_sg_in_ldap_sg_msg : "")) } From d06a797c6839145eeca921ad2d14404ccfb7e978 Mon Sep 17 00:00:00 2001 From: Jayesh-Kumar3 Date: Tue, 10 Dec 2024 13:51:42 +0530 Subject: [PATCH 06/13] sg 4 Signed-off-by: Jayesh-Kumar3 --- .../sub_modules/instance_template/main.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
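Review bot: The `[0]` indexes in the cross-group checks are evaluated even when that group's data source has `count = 0`: `validate_comp_sg_in_strg_sg` is guarded by `var.comp_sg_name != null` but also reads `data.ibm_is_security_group.comp_security_group[0].id`, and `validate_strg_sg_in_comp_sg`, `validate_strg_sg_in_gklm_sg` and `validate_strg_sg_in_ldap_sg` read `strg_security_group[0].id` under a guard on a different variable, so a plan that supplies only one existing group fails with an invalid-index error instead of the intended message (I do not believe HCL's `&&` skips evaluation of its right operand; confirm against the pinned Terraform version). Wrapping the needle, `try(data.ibm_is_security_group.strg_security_group[0].id, "")`, and guarding each cross check on both variable names makes the outcome depend only on the rules. The current behaviour is at least fail-closed, which is the right default for a check on security-group reachability, but the error it produces does not tell the operator what to fix.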
diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf index 501ab311..ed524d9c 100644 --- a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf +++ b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf @@ -31,10 +31,10 @@ locals { enable_afm = var.total_afm_cluster_instances > 0 ? true : false afm_server_type = strcontains(var.afm_vsi_profile, "metal") ces_server_type = strcontains(var.protocol_vsi_profile, "metal") - existing_strg_sg_id = var.strg_sg_name != null ? [data.ibm_is_security_group.strg_security_group.id] : [module.storage_cluster_security_group.sec_group_id] - existing_comp_sg_id = var.comp_sg_name != null ? [data.ibm_is_security_group.comp_security_group.id] : [module.compute_cluster_security_group.sec_group_id] - existing_gklm_sg_id = var.gklm_sg_name != null ? [data.ibm_is_security_group.gklm_security_group.id] : [module.gklm_instance_security_group.sec_group_id] - existing_ldap_sg_id = var.ldap_sg_name != null ? [data.ibm_is_security_group.ldap_security_group.id] : [module.ldap_instance_security_group.sec_group_id] + existing_strg_sg_id = var.strg_sg_name != null ? [data.ibm_is_security_group.strg_security_group[0].id] : [module.storage_cluster_security_group.sec_group_id] + existing_comp_sg_id = var.comp_sg_name != null ? [data.ibm_is_security_group.comp_security_group[0].id] : [module.compute_cluster_security_group.sec_group_id] + existing_gklm_sg_id = var.gklm_sg_name != null ? [data.ibm_is_security_group.gklm_security_group[0].id] : [module.gklm_instance_security_group.sec_group_id] + existing_ldap_sg_id = var.ldap_sg_name != null ? [data.ibm_is_security_group.ldap_security_group[0].id] : [module.ldap_instance_security_group.sec_group_id] } From d3d97cb4cd9e8f2be345c6ef0a6e876114e96235 Mon Sep 17 00:00:00 2001 From: Jayesh-Kumar3 Date: Tue, 10 Dec 2024 13:54:18 +0530 Subject: [PATCH 07/13] sg5 
Signed-off-by: Jayesh-Kumar3 --- .../sub_modules/instance_template/main.tf | 36 +++++++++---------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf index ed524d9c..40e24cb1 100644 --- a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf +++ b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf @@ -31,10 +31,10 @@ locals { enable_afm = var.total_afm_cluster_instances > 0 ? true : false afm_server_type = strcontains(var.afm_vsi_profile, "metal") ces_server_type = strcontains(var.protocol_vsi_profile, "metal") - existing_strg_sg_id = var.strg_sg_name != null ? [data.ibm_is_security_group.strg_security_group[0].id] : [module.storage_cluster_security_group.sec_group_id] - existing_comp_sg_id = var.comp_sg_name != null ? [data.ibm_is_security_group.comp_security_group[0].id] : [module.compute_cluster_security_group.sec_group_id] - existing_gklm_sg_id = var.gklm_sg_name != null ? [data.ibm_is_security_group.gklm_security_group[0].id] : [module.gklm_instance_security_group.sec_group_id] - existing_ldap_sg_id = var.ldap_sg_name != null ? [data.ibm_is_security_group.ldap_security_group[0].id] : [module.ldap_instance_security_group.sec_group_id] + existing_strg_sg_id = var.strg_sg_name != null ? [data.ibm_is_security_group.strg_security_group[*].id] : [module.storage_cluster_security_group.sec_group_id] + existing_comp_sg_id = var.comp_sg_name != null ? [data.ibm_is_security_group.comp_security_group[*].id] : [module.compute_cluster_security_group.sec_group_id] + existing_gklm_sg_id = var.gklm_sg_name != null ? [data.ibm_is_security_group.gklm_security_group[*].id] : [module.gklm_instance_security_group.sec_group_id] + existing_ldap_sg_id = var.ldap_sg_name != null ? [data.ibm_is_security_group.ldap_security_group[*].id] : [module.ldap_instance_security_group.sec_group_id] } 
@@ -98,52 +98,52 @@ data "ibm_is_security_group" "ldap_security_group" { locals { - strg_sg_rules = try([for remote in data.ibm_is_security_group.strg_security_group[0].rules[*] : remote.remote], []) - comp_sg_rules = try([for remote in data.ibm_is_security_group.comp_security_group[0].rules[*] : remote.remote], []) - gklm_sg_rules = try([for remote in data.ibm_is_security_group.gklm_security_group[0].rules[*] : remote.remote], []) - ldap_sg_rules = try([for remote in data.ibm_is_security_group.ldap_security_group[0].rules[*] : remote.remote], []) + strg_sg_rules = try([for remote in data.ibm_is_security_group.strg_security_group[*].rules[*] : remote.remote], []) + comp_sg_rules = try([for remote in data.ibm_is_security_group.comp_security_group[*].rules[*] : remote.remote], []) + gklm_sg_rules = try([for remote in data.ibm_is_security_group.gklm_security_group[*].rules[*] : remote.remote], []) + ldap_sg_rules = try([for remote in data.ibm_is_security_group.ldap_security_group[*].rules[*] : remote.remote], []) # Storage Security group validation - validate_strg_sg_in_strg_sg = (var.strg_sg_name != null && contains(local.strg_sg_rules, data.ibm_is_security_group.strg_security_group[0].id)) + validate_strg_sg_in_strg_sg = (var.strg_sg_name != null && contains(local.strg_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) strg_sg_in_strg_sg_msg = "Storage security group is not present in Storage security group" validate_strg_sg_in_strg_sg_chk = regex("^${local.strg_sg_in_strg_sg_msg}$", (local.validate_strg_sg_in_strg_sg ? 
local.strg_sg_in_strg_sg_msg : "")) - validate_comp_sg_in_strg_sg = (var.comp_sg_name != null && contains(local.strg_sg_rules, data.ibm_is_security_group.comp_security_group[0].id)) + validate_comp_sg_in_strg_sg = (var.comp_sg_name != null && contains(local.strg_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) comp_sg_in_strg_sg_msg = "Compute security group is not present in Storage security group" validate_comp_sg_in_strg_sg_chk = regex("^${local.comp_sg_in_strg_sg_msg}$", (local.validate_comp_sg_in_strg_sg ? local.comp_sg_in_strg_sg_msg : "")) # Compute Security group validation - validate_strg_sg_in_comp_sg = (var.comp_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.strg_security_group[0].id)) + validate_strg_sg_in_comp_sg = (var.comp_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) strg_sg_in_comp_sg_msg = "Storage security group is not present in Compute security group" validate_strg_sg_in_comp_sg_chk = regex("^${local.strg_sg_in_comp_sg_msg}$", (local.validate_strg_sg_in_comp_sg ? local.strg_sg_in_comp_sg_msg : "")) - validate_comp_sg_in_comp_sg = (var.comp_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.comp_security_group[0].id)) + validate_comp_sg_in_comp_sg = (var.comp_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) comp_sg_in_comp_sg_msg = "Compute security group is not present in Compute security group" validate_comp_sg_in_comp_sg_chk = regex("^${local.comp_sg_in_comp_sg_msg}$", (local.validate_comp_sg_in_comp_sg ? 
local.comp_sg_in_comp_sg_msg : "")) # GKLM Security group validation - validate_strg_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.strg_security_group[0].id)) + validate_strg_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) strg_sg_in_gklm_sg_msg = "Storage security group is not present in GKLM security group" validate_strg_sg_in_gklm_sg_chk = regex("^${local.strg_sg_in_gklm_sg_msg}$", (local.validate_strg_sg_in_gklm_sg ? local.strg_sg_in_gklm_sg_msg : "")) - validate_comp_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.comp_security_group[0].id)) + validate_comp_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) comp_sg_in_gklm_sg_msg = "Compute security group is not present in GKLM security group" validate_comp_sg_in_gklm_sg_chk = regex("^${local.comp_sg_in_gklm_sg_msg}$", (local.validate_comp_sg_in_gklm_sg ? local.comp_sg_in_gklm_sg_msg : "")) - validate_gklm_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.gklm_security_group[0].id)) + validate_gklm_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.gklm_security_group[*].id)) gklm_sg_in_gklm_sg_msg = "GKLM security group is not present in GKLM security group" validate_gklm_sg_in_gklm_sg_chk = regex("^${local.gklm_sg_in_gklm_sg_msg}$", (local.validate_gklm_sg_in_gklm_sg ? 
local.gklm_sg_in_gklm_sg_msg : "")) # LDAP Security group validation - validate_strg_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.strg_security_group[0].id)) + validate_strg_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) strg_sg_in_ldap_sg_msg = "Storage security group is not present in LDAP security group" validate_strg_sg_in_ldap_sg_chk = regex("^${local.strg_sg_in_ldap_sg_msg}$", (local.validate_strg_sg_in_ldap_sg ? local.strg_sg_in_ldap_sg_msg : "")) - validate_comp_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.comp_security_group[0].id)) + validate_comp_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) comp_sg_in_ldap_sg_msg = "Compute security group is not present in LDAP security group" validate_comp_sg_in_ldap_sg_chk = regex("^${local.comp_sg_in_ldap_sg_msg}$", (local.validate_comp_sg_in_ldap_sg ? local.comp_sg_in_ldap_sg_msg : "")) - validate_ldap_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.ldap_security_group[0].id)) + validate_ldap_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.ldap_security_group[*].id)) ldap_sg_in_ldap_sg_msg = "LDAP security group is not present in LDAP security group" validate_ldap_sg_in_ldap_sg_chk = regex("^${local.ldap_sg_in_ldap_sg_msg}$", (local.validate_ldap_sg_in_ldap_sg ? local.ldap_sg_in_ldap_sg_msg : "")) } From 3a68adb062c40fd4e80d2b4c8774a0026014618e Mon Sep 17 00:00:00 2001 From: Jayesh-Kumar3 Date: Wed, 11 Dec 2024 10:56:28 +0530 Subject: [PATCH 08/13] sg 5 Signed-off-by: Jayesh-Kumar3 --- .../sub_modules/instance_template/main.tf | 50 +++++++++---------- 1 file changed, 25 insertions(+), 25 deletions(-) 
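Review bot: Switching the `contains()` needle to `data.ibm_is_security_group.strg_security_group[*].id` makes every validation fail once an existing group is supplied: the splat yields a one-element tuple, and as far as I can tell `contains()` compares each string remote against that tuple, never matches, and the `regex()` check then errors even for a correctly configured group. The `*_sg_rules` collection has the same shape problem — if I read the full-splat semantics right, `strg_security_group[*].rules[*]` produces a list of rule lists, `remote.remote` fails on a list, and `try()` quietly turns that into `[]`, which again reports the group as absent. That is fail-closed rather than fail-open, but it means the existing-security-group path cannot be used at all. Keep the zero-count safety but reduce to a single value before comparing, with `[0]` inside `try()` as the file already does elsewhere:

```terraform
strg_sg_rules = try([for r in data.ibm_is_security_group.strg_security_group[0].rules : r.remote], [])
comp_sg_rules = try([for r in data.ibm_is_security_group.comp_security_group[0].rules : r.remote], [])
gklm_sg_rules = try([for r in data.ibm_is_security_group.gklm_security_group[0].rules : r.remote], [])
ldap_sg_rules = try([for r in data.ibm_is_security_group.ldap_security_group[0].rules : r.remote], [])

# Storage Security group validation
validate_strg_sg_in_strg_sg = (var.strg_sg_name != null && contains(local.strg_sg_rules, try(data.ibm_is_security_group.strg_security_group[0].id, "")))
# … unchanged: the *_msg and *_chk lines; the same try(...[0].id, "") needle replaces [*].id in the remaining validate_*_in_* locals …
```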
diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf index 40e24cb1..a93aa8fd 100644 --- a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf +++ b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf @@ -31,10 +31,10 @@ locals { enable_afm = var.total_afm_cluster_instances > 0 ? true : false afm_server_type = strcontains(var.afm_vsi_profile, "metal") ces_server_type = strcontains(var.protocol_vsi_profile, "metal") - existing_strg_sg_id = var.strg_sg_name != null ? [data.ibm_is_security_group.strg_security_group[*].id] : [module.storage_cluster_security_group.sec_group_id] - existing_comp_sg_id = var.comp_sg_name != null ? [data.ibm_is_security_group.comp_security_group[*].id] : [module.compute_cluster_security_group.sec_group_id] - existing_gklm_sg_id = var.gklm_sg_name != null ? [data.ibm_is_security_group.gklm_security_group[*].id] : [module.gklm_instance_security_group.sec_group_id] - existing_ldap_sg_id = var.ldap_sg_name != null ? [data.ibm_is_security_group.ldap_security_group[*].id] : [module.ldap_instance_security_group.sec_group_id] + existing_strg_sg_id = var.strg_sg_name != null ? flatten([data.ibm_is_security_group.strg_security_group[*].id]) : [module.storage_cluster_security_group.sec_group_id] + existing_comp_sg_id = var.comp_sg_name != null ? flatten([data.ibm_is_security_group.comp_security_group[*].id]) : [module.compute_cluster_security_group.sec_group_id] + existing_gklm_sg_id = var.gklm_sg_name != null ? flatten([data.ibm_is_security_group.gklm_security_group[*].id]) : [module.gklm_instance_security_group.sec_group_id] + existing_ldap_sg_id = var.ldap_sg_name != null ? flatten([data.ibm_is_security_group.ldap_security_group[*].id]) : [module.ldap_instance_security_group.sec_group_id] } 
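Review bot: With `count` on the data sources, `data.ibm_is_security_group.strg_security_group[*].id` is already an empty list when `strg_sg_name` is null and a one-element list otherwise, so the `flatten([...])` wrapper adds nothing and obscures that the splat is what makes the zero-count case safe. `existing_strg_sg_id = var.strg_sg_name != null ? data.ibm_is_security_group.strg_security_group[*].id : [module.storage_cluster_security_group.sec_group_id]` keeps the same list type and reads directly; the same applies to the other three locals in this hunk.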
@@ -105,47 +105,47 @@ locals { # Storage Security group validation validate_strg_sg_in_strg_sg = (var.strg_sg_name != null && contains(local.strg_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) - strg_sg_in_strg_sg_msg = "Storage security group is not present in Storage security group" - validate_strg_sg_in_strg_sg_chk = regex("^${local.strg_sg_in_strg_sg_msg}$", (local.validate_strg_sg_in_strg_sg ? local.strg_sg_in_strg_sg_msg : "")) + strg_sg_in_strg_sg_msg = var.strg_sg_name != null ? "Storage security group is not present in Storage security group" : "" + validate_strg_sg_in_strg_sg_chk = var.strg_sg_name != null ? regex("^${local.strg_sg_in_strg_sg_msg}$", (local.validate_strg_sg_in_strg_sg ? local.strg_sg_in_strg_sg_msg : "")) : true validate_comp_sg_in_strg_sg = (var.comp_sg_name != null && contains(local.strg_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) - comp_sg_in_strg_sg_msg = "Compute security group is not present in Storage security group" - validate_comp_sg_in_strg_sg_chk = regex("^${local.comp_sg_in_strg_sg_msg}$", (local.validate_comp_sg_in_strg_sg ? local.comp_sg_in_strg_sg_msg : "")) + comp_sg_in_strg_sg_msg = var.comp_sg_name != null ? "Compute security group is not present in Storage security group" : "" + validate_comp_sg_in_strg_sg_chk = var.comp_sg_name != null ? regex("^${local.comp_sg_in_strg_sg_msg}$", (local.validate_comp_sg_in_strg_sg ? local.comp_sg_in_strg_sg_msg : "")) : true # Compute Security group validation - validate_strg_sg_in_comp_sg = (var.comp_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) - strg_sg_in_comp_sg_msg = "Storage security group is not present in Compute security group" - validate_strg_sg_in_comp_sg_chk = regex("^${local.strg_sg_in_comp_sg_msg}$", (local.validate_strg_sg_in_comp_sg ? 
local.strg_sg_in_comp_sg_msg : "")) + validate_strg_sg_in_comp_sg = (var.strg_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) + strg_sg_in_comp_sg_msg = var.strg_sg_name != null ? "Storage security group is not present in Compute security group" : "" + validate_strg_sg_in_comp_sg_chk = var.strg_sg_name != null ? regex("^${local.strg_sg_in_comp_sg_msg}$", (local.validate_strg_sg_in_comp_sg ? local.strg_sg_in_comp_sg_msg : "")) : true validate_comp_sg_in_comp_sg = (var.comp_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) - comp_sg_in_comp_sg_msg = "Compute security group is not present in Compute security group" - validate_comp_sg_in_comp_sg_chk = regex("^${local.comp_sg_in_comp_sg_msg}$", (local.validate_comp_sg_in_comp_sg ? local.comp_sg_in_comp_sg_msg : "")) + comp_sg_in_comp_sg_msg = var.comp_sg_name != null ? "Compute security group is not present in Compute security group" : "" + validate_comp_sg_in_comp_sg_chk = var.comp_sg_name != null ? regex("^${local.comp_sg_in_comp_sg_msg}$", (local.validate_comp_sg_in_comp_sg ? local.comp_sg_in_comp_sg_msg : "")) : true # GKLM Security group validation validate_strg_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) - strg_sg_in_gklm_sg_msg = "Storage security group is not present in GKLM security group" - validate_strg_sg_in_gklm_sg_chk = regex("^${local.strg_sg_in_gklm_sg_msg}$", (local.validate_strg_sg_in_gklm_sg ? local.strg_sg_in_gklm_sg_msg : "")) + strg_sg_in_gklm_sg_msg = var.gklm_sg_name != null ? "Storage security group is not present in GKLM security group" : "" + validate_strg_sg_in_gklm_sg_chk = var.gklm_sg_name != null ? regex("^${local.strg_sg_in_gklm_sg_msg}$", (local.validate_strg_sg_in_gklm_sg ? 
local.strg_sg_in_gklm_sg_msg : "")) : true validate_comp_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) - comp_sg_in_gklm_sg_msg = "Compute security group is not present in GKLM security group" - validate_comp_sg_in_gklm_sg_chk = regex("^${local.comp_sg_in_gklm_sg_msg}$", (local.validate_comp_sg_in_gklm_sg ? local.comp_sg_in_gklm_sg_msg : "")) + comp_sg_in_gklm_sg_msg = var.gklm_sg_name != null ? "Compute security group is not present in GKLM security group" : "" + validate_comp_sg_in_gklm_sg_chk = var.gklm_sg_name != null ? regex("^${local.comp_sg_in_gklm_sg_msg}$", (local.validate_comp_sg_in_gklm_sg ? local.comp_sg_in_gklm_sg_msg : "")) : true validate_gklm_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.gklm_security_group[*].id)) - gklm_sg_in_gklm_sg_msg = "GKLM security group is not present in GKLM security group" - validate_gklm_sg_in_gklm_sg_chk = regex("^${local.gklm_sg_in_gklm_sg_msg}$", (local.validate_gklm_sg_in_gklm_sg ? local.gklm_sg_in_gklm_sg_msg : "")) + gklm_sg_in_gklm_sg_msg = var.gklm_sg_name != null ? "GKLM security group is not present in GKLM security group" : "" + validate_gklm_sg_in_gklm_sg_chk = var.gklm_sg_name != null ? regex("^${local.gklm_sg_in_gklm_sg_msg}$", (local.validate_gklm_sg_in_gklm_sg ? local.gklm_sg_in_gklm_sg_msg : "")) : true # LDAP Security group validation validate_strg_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) - strg_sg_in_ldap_sg_msg = "Storage security group is not present in LDAP security group" - validate_strg_sg_in_ldap_sg_chk = regex("^${local.strg_sg_in_ldap_sg_msg}$", (local.validate_strg_sg_in_ldap_sg ? local.strg_sg_in_ldap_sg_msg : "")) + strg_sg_in_ldap_sg_msg = var.ldap_sg_name != null ? 
"Storage security group is not present in LDAP security group" : "" + validate_strg_sg_in_ldap_sg_chk = var.ldap_sg_name != null ? regex("^${local.strg_sg_in_ldap_sg_msg}$", (local.validate_strg_sg_in_ldap_sg ? local.strg_sg_in_ldap_sg_msg : "")) : true validate_comp_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) - comp_sg_in_ldap_sg_msg = "Compute security group is not present in LDAP security group" - validate_comp_sg_in_ldap_sg_chk = regex("^${local.comp_sg_in_ldap_sg_msg}$", (local.validate_comp_sg_in_ldap_sg ? local.comp_sg_in_ldap_sg_msg : "")) + comp_sg_in_ldap_sg_msg = var.ldap_sg_name != null ? "Compute security group is not present in LDAP security group" : "" + validate_comp_sg_in_ldap_sg_chk = var.ldap_sg_name != null ? regex("^${local.comp_sg_in_ldap_sg_msg}$", (local.validate_comp_sg_in_ldap_sg ? local.comp_sg_in_ldap_sg_msg : "")) : true validate_ldap_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.ldap_security_group[*].id)) - ldap_sg_in_ldap_sg_msg = "LDAP security group is not present in LDAP security group" - validate_ldap_sg_in_ldap_sg_chk = regex("^${local.ldap_sg_in_ldap_sg_msg}$", (local.validate_ldap_sg_in_ldap_sg ? local.ldap_sg_in_ldap_sg_msg : "")) + ldap_sg_in_ldap_sg_msg = var.ldap_sg_name != null ? "LDAP security group is not present in LDAP security group" : "" + validate_ldap_sg_in_ldap_sg_chk = var.ldap_sg_name != null ? regex("^${local.ldap_sg_in_ldap_sg_msg}$", (local.validate_ldap_sg_in_ldap_sg ? local.ldap_sg_in_ldap_sg_msg : "")) : true } module "compute_cluster_security_group" { From 9d9d088f4f9f142ba4bb495e920825847f23a934 Mon Sep 17 00:00:00 2001 From: Jayesh-Kumar3 Date: Wed, 11 Dec 2024 15:09:10 +0530 Subject: [PATCH 09/13] sg 6 
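Review bot: In the new `validate_strg_sg_in_comp_sg` line the second argument to `contains()` is the splat `data.ibm_is_security_group.strg_security_group[*].id`, which is a list even when `count` is 1, while `local.comp_sg_rules` holds individual `remote.remote` values (its `try(...)` definition is visible as context in the PATCH 09 hunk below); a list never equals a string, so the check evaluates false whenever the guard is true and the `_chk` regex aborts the plan with the "not present" message. The same pattern is on every `validate_*_in_*_sg` line of this hunk and recurs in the PATCH 09 and PATCH 10 hunks. Index the single id instead, e.g. `contains(local.comp_sg_rules, tolist(data.ibm_is_security_group.strg_security_group[*].id)[0])`. Separately, this line now guards on `var.strg_sg_name` but reads `local.comp_sg_rules`, which is `[]` when `var.comp_sg_name` is null, so supplying only a storage SG name still fails the compute check; if the module-created compute group is meant to be exempt, the guard should be `var.strg_sg_name != null && var.comp_sg_name != null` (this also persists into the PATCH 11 hunk). The enclosing `locals` block starts outside the hunk.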
Signed-off-by: Jayesh-Kumar3 --- .../sub_modules/instance_template/README.md | 4 -- .../sub_modules/instance_template/main.tf | 58 +++++++++++-------- 2 files changed, 34 insertions(+), 28 deletions(-) diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/README.md b/ibmcloud_scale_templates/sub_modules/instance_template/README.md index 2786ed7c..824168d9 100644 --- a/ibmcloud_scale_templates/sub_modules/instance_template/README.md +++ b/ibmcloud_scale_templates/sub_modules/instance_template/README.md @@ -176,8 +176,4 @@ Below steps will provision IBM Cloud resources (compute and storage instances in | [storage_cluster_instance_ids](#output_storage_cluster_instance_ids) | Storage cluster instance ids. | | [storage_cluster_instance_private_ips](#output_storage_cluster_instance_private_ips) | Private IP address of storage cluster instances. | | [storage_cluster_with_data_volume_mapping](#output_storage_cluster_with_data_volume_mapping) | Mapping of storage cluster instance ip vs. device path. | -| [strg_sg_rules1](#output_strg_sg_rules1) | n/a | -| [strg_sg_rules2](#output_strg_sg_rules2) | n/a | -| [strg_sg_rules3](#output_strg_sg_rules3) | n/a | -| [strg_sg_rules4](#output_strg_sg_rules4) | n/a | diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf index a93aa8fd..2e7a9525 100644 --- a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf +++ b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf 
@@ -78,22 +78,22 @@ locals { data "ibm_is_security_group" "strg_security_group" { count = var.strg_sg_name != null ? 1 : 0 - name = var.strg_sg_name + name = var.strg_sg_name } data "ibm_is_security_group" "comp_security_group" { count = var.comp_sg_name != null ? 1 : 0 - name = var.comp_sg_name + name = var.comp_sg_name } data "ibm_is_security_group" "gklm_security_group" { count = var.gklm_sg_name != null ? 1 : 0 - name = var.gklm_sg_name + name = var.gklm_sg_name } data "ibm_is_security_group" "ldap_security_group" { count = var.ldap_sg_name != null ? 1 : 0 - name = var.ldap_sg_name + name = var.ldap_sg_name } locals { 
@@ -104,47 +104,57 @@ locals { ldap_sg_rules = try([for remote in data.ibm_is_security_group.ldap_security_group[*].rules[*] : remote.remote], []) # Storage Security group validation - validate_strg_sg_in_strg_sg = (var.strg_sg_name != null && contains(local.strg_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) - strg_sg_in_strg_sg_msg = var.strg_sg_name != null ? "Storage security group is not present in Storage security group" : "" + validate_strg_sg_in_strg_sg = (var.strg_sg_name != null && contains(local.strg_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) + strg_sg_in_strg_sg_msg = var.strg_sg_name != null ? "Storage security group is not present in Storage security group" : "" + # tflint-ignore: terraform_unused_declarations validate_strg_sg_in_strg_sg_chk = var.strg_sg_name != null ? regex("^${local.strg_sg_in_strg_sg_msg}$", (local.validate_strg_sg_in_strg_sg ? local.strg_sg_in_strg_sg_msg : "")) : true - validate_comp_sg_in_strg_sg = (var.comp_sg_name != null && contains(local.strg_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) - comp_sg_in_strg_sg_msg = var.comp_sg_name != null ? "Compute security group is not present in Storage security group" : "" + validate_comp_sg_in_strg_sg = (var.comp_sg_name != null && contains(local.strg_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) + comp_sg_in_strg_sg_msg = var.comp_sg_name != null ? "Compute security group is not present in Storage security group" : "" + # tflint-ignore: terraform_unused_declarations validate_comp_sg_in_strg_sg_chk = var.comp_sg_name != null ? regex("^${local.comp_sg_in_strg_sg_msg}$", (local.validate_comp_sg_in_strg_sg ? local.comp_sg_in_strg_sg_msg : "")) : true # Compute Security group validation - validate_strg_sg_in_comp_sg = (var.strg_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) - strg_sg_in_comp_sg_msg = var.strg_sg_name != null ? 
"Storage security group is not present in Compute security group" : "" + validate_strg_sg_in_comp_sg = (var.strg_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) + strg_sg_in_comp_sg_msg = var.strg_sg_name != null ? "Storage security group is not present in Compute security group" : "" + # tflint-ignore: terraform_unused_declarations validate_strg_sg_in_comp_sg_chk = var.strg_sg_name != null ? regex("^${local.strg_sg_in_comp_sg_msg}$", (local.validate_strg_sg_in_comp_sg ? local.strg_sg_in_comp_sg_msg : "")) : true - validate_comp_sg_in_comp_sg = (var.comp_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) - comp_sg_in_comp_sg_msg = var.comp_sg_name != null ? "Compute security group is not present in Compute security group" : "" + validate_comp_sg_in_comp_sg = (var.comp_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) + comp_sg_in_comp_sg_msg = var.comp_sg_name != null ? "Compute security group is not present in Compute security group" : "" + # tflint-ignore: terraform_unused_declarations validate_comp_sg_in_comp_sg_chk = var.comp_sg_name != null ? regex("^${local.comp_sg_in_comp_sg_msg}$", (local.validate_comp_sg_in_comp_sg ? local.comp_sg_in_comp_sg_msg : "")) : true # GKLM Security group validation - validate_strg_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) - strg_sg_in_gklm_sg_msg = var.gklm_sg_name != null ? "Storage security group is not present in GKLM security group" : "" + validate_strg_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) + strg_sg_in_gklm_sg_msg = var.gklm_sg_name != null ? 
"Storage security group is not present in GKLM security group" : "" + # tflint-ignore: terraform_unused_declarations validate_strg_sg_in_gklm_sg_chk = var.gklm_sg_name != null ? regex("^${local.strg_sg_in_gklm_sg_msg}$", (local.validate_strg_sg_in_gklm_sg ? local.strg_sg_in_gklm_sg_msg : "")) : true - validate_comp_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) - comp_sg_in_gklm_sg_msg = var.gklm_sg_name != null ? "Compute security group is not present in GKLM security group" : "" + validate_comp_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) + comp_sg_in_gklm_sg_msg = var.gklm_sg_name != null ? "Compute security group is not present in GKLM security group" : "" + # tflint-ignore: terraform_unused_declarations validate_comp_sg_in_gklm_sg_chk = var.gklm_sg_name != null ? regex("^${local.comp_sg_in_gklm_sg_msg}$", (local.validate_comp_sg_in_gklm_sg ? local.comp_sg_in_gklm_sg_msg : "")) : true - validate_gklm_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.gklm_security_group[*].id)) - gklm_sg_in_gklm_sg_msg = var.gklm_sg_name != null ? "GKLM security group is not present in GKLM security group" : "" + validate_gklm_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.gklm_security_group[*].id)) + gklm_sg_in_gklm_sg_msg = var.gklm_sg_name != null ? "GKLM security group is not present in GKLM security group" : "" + # tflint-ignore: terraform_unused_declarations validate_gklm_sg_in_gklm_sg_chk = var.gklm_sg_name != null ? regex("^${local.gklm_sg_in_gklm_sg_msg}$", (local.validate_gklm_sg_in_gklm_sg ? 
local.gklm_sg_in_gklm_sg_msg : "")) : true # LDAP Security group validation - validate_strg_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) - strg_sg_in_ldap_sg_msg = var.ldap_sg_name != null ? "Storage security group is not present in LDAP security group" : "" + validate_strg_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) + strg_sg_in_ldap_sg_msg = var.ldap_sg_name != null ? "Storage security group is not present in LDAP security group" : "" + # tflint-ignore: terraform_unused_declarations validate_strg_sg_in_ldap_sg_chk = var.ldap_sg_name != null ? regex("^${local.strg_sg_in_ldap_sg_msg}$", (local.validate_strg_sg_in_ldap_sg ? local.strg_sg_in_ldap_sg_msg : "")) : true - validate_comp_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) - comp_sg_in_ldap_sg_msg = var.ldap_sg_name != null ? "Compute security group is not present in LDAP security group" : "" + validate_comp_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) + comp_sg_in_ldap_sg_msg = var.ldap_sg_name != null ? "Compute security group is not present in LDAP security group" : "" + # tflint-ignore: terraform_unused_declarations validate_comp_sg_in_ldap_sg_chk = var.ldap_sg_name != null ? regex("^${local.comp_sg_in_ldap_sg_msg}$", (local.validate_comp_sg_in_ldap_sg ? local.comp_sg_in_ldap_sg_msg : "")) : true - validate_ldap_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.ldap_security_group[*].id)) - ldap_sg_in_ldap_sg_msg = var.ldap_sg_name != null ? 
"LDAP security group is not present in LDAP security group" : "" + validate_ldap_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.ldap_security_group[*].id)) + ldap_sg_in_ldap_sg_msg = var.ldap_sg_name != null ? "LDAP security group is not present in LDAP security group" : "" + # tflint-ignore: terraform_unused_declarations validate_ldap_sg_in_ldap_sg_chk = var.ldap_sg_name != null ? regex("^${local.ldap_sg_in_ldap_sg_msg}$", (local.validate_ldap_sg_in_ldap_sg ? local.ldap_sg_in_ldap_sg_msg : "")) : true } From bb6a25677b6b7db27eebb7a3e509dff52381809d Mon Sep 17 00:00:00 2001 From: Jayesh-Kumar3 Date: Wed, 11 Dec 2024 17:26:53 +0530 Subject: [PATCH 10/13] sg 7 Signed-off-by: Jayesh-Kumar3 --- .../sub_modules/instance_template/main.tf | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf index 2e7a9525..9b7e6546 100644 --- a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf +++ b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf 
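Review bot: The added `# tflint-ignore: terraform_unused_declarations` lines silence the linter but leave the mechanism of the `_chk` locals undocumented; a reader has to infer that `regex()` fails to match `""` and thereby aborts the plan, and that `: true` skips the assertion when no existing group name is supplied. A comment at the head of the validation section would carry that, e.g. `# Plan-time assertions: regex() errors when its target is "" (check failed); ": true" skips the check when no existing SG name is given.` It would also be worth noting there that each `_chk` conditional yields a string on one branch and a bool on the other, which Terraform appears to unify to a string, so nobody later "fixes" it into a bool comparison. The enclosing `locals` block starts outside the hunk.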
@@ -105,55 +105,55 @@ locals { # Storage Security group validation validate_strg_sg_in_strg_sg = (var.strg_sg_name != null && contains(local.strg_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) - strg_sg_in_strg_sg_msg = var.strg_sg_name != null ? "Storage security group is not present in Storage security group" : "" + strg_sg_in_strg_sg_msg = "Storage security group is not present in Storage security group" # tflint-ignore: terraform_unused_declarations validate_strg_sg_in_strg_sg_chk = var.strg_sg_name != null ? regex("^${local.strg_sg_in_strg_sg_msg}$", (local.validate_strg_sg_in_strg_sg ? local.strg_sg_in_strg_sg_msg : "")) : true validate_comp_sg_in_strg_sg = (var.comp_sg_name != null && contains(local.strg_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) - comp_sg_in_strg_sg_msg = var.comp_sg_name != null ? "Compute security group is not present in Storage security group" : "" + comp_sg_in_strg_sg_msg = "Compute security group is not present in Storage security group" # tflint-ignore: terraform_unused_declarations validate_comp_sg_in_strg_sg_chk = var.comp_sg_name != null ? regex("^${local.comp_sg_in_strg_sg_msg}$", (local.validate_comp_sg_in_strg_sg ? local.comp_sg_in_strg_sg_msg : "")) : true # Compute Security group validation validate_strg_sg_in_comp_sg = (var.strg_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) - strg_sg_in_comp_sg_msg = var.strg_sg_name != null ? "Storage security group is not present in Compute security group" : "" + strg_sg_in_comp_sg_msg = "Storage security group is not present in Compute security group" # tflint-ignore: terraform_unused_declarations validate_strg_sg_in_comp_sg_chk = var.strg_sg_name != null ? regex("^${local.strg_sg_in_comp_sg_msg}$", (local.validate_strg_sg_in_comp_sg ? 
local.strg_sg_in_comp_sg_msg : "")) : true validate_comp_sg_in_comp_sg = (var.comp_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) - comp_sg_in_comp_sg_msg = var.comp_sg_name != null ? "Compute security group is not present in Compute security group" : "" + comp_sg_in_comp_sg_msg = "Compute security group is not present in Compute security group" # tflint-ignore: terraform_unused_declarations validate_comp_sg_in_comp_sg_chk = var.comp_sg_name != null ? regex("^${local.comp_sg_in_comp_sg_msg}$", (local.validate_comp_sg_in_comp_sg ? local.comp_sg_in_comp_sg_msg : "")) : true # GKLM Security group validation validate_strg_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) - strg_sg_in_gklm_sg_msg = var.gklm_sg_name != null ? "Storage security group is not present in GKLM security group" : "" + strg_sg_in_gklm_sg_msg = "Storage security group is not present in GKLM security group" # tflint-ignore: terraform_unused_declarations validate_strg_sg_in_gklm_sg_chk = var.gklm_sg_name != null ? regex("^${local.strg_sg_in_gklm_sg_msg}$", (local.validate_strg_sg_in_gklm_sg ? local.strg_sg_in_gklm_sg_msg : "")) : true validate_comp_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) - comp_sg_in_gklm_sg_msg = var.gklm_sg_name != null ? "Compute security group is not present in GKLM security group" : "" + comp_sg_in_gklm_sg_msg = "Compute security group is not present in GKLM security group" # tflint-ignore: terraform_unused_declarations validate_comp_sg_in_gklm_sg_chk = var.gklm_sg_name != null ? regex("^${local.comp_sg_in_gklm_sg_msg}$", (local.validate_comp_sg_in_gklm_sg ? 
local.comp_sg_in_gklm_sg_msg : "")) : true validate_gklm_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.gklm_security_group[*].id)) - gklm_sg_in_gklm_sg_msg = var.gklm_sg_name != null ? "GKLM security group is not present in GKLM security group" : "" + gklm_sg_in_gklm_sg_msg = "GKLM security group is not present in GKLM security group" # tflint-ignore: terraform_unused_declarations validate_gklm_sg_in_gklm_sg_chk = var.gklm_sg_name != null ? regex("^${local.gklm_sg_in_gklm_sg_msg}$", (local.validate_gklm_sg_in_gklm_sg ? local.gklm_sg_in_gklm_sg_msg : "")) : true # LDAP Security group validation validate_strg_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) - strg_sg_in_ldap_sg_msg = var.ldap_sg_name != null ? "Storage security group is not present in LDAP security group" : "" + strg_sg_in_ldap_sg_msg = "Storage security group is not present in LDAP security group" # tflint-ignore: terraform_unused_declarations validate_strg_sg_in_ldap_sg_chk = var.ldap_sg_name != null ? regex("^${local.strg_sg_in_ldap_sg_msg}$", (local.validate_strg_sg_in_ldap_sg ? local.strg_sg_in_ldap_sg_msg : "")) : true validate_comp_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) - comp_sg_in_ldap_sg_msg = var.ldap_sg_name != null ? "Compute security group is not present in LDAP security group" : "" + comp_sg_in_ldap_sg_msg = "Compute security group is not present in LDAP security group" # tflint-ignore: terraform_unused_declarations validate_comp_sg_in_ldap_sg_chk = var.ldap_sg_name != null ? regex("^${local.comp_sg_in_ldap_sg_msg}$", (local.validate_comp_sg_in_ldap_sg ? 
local.comp_sg_in_ldap_sg_msg : "")) : true validate_ldap_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.ldap_security_group[*].id)) - ldap_sg_in_ldap_sg_msg = var.ldap_sg_name != null ? "LDAP security group is not present in LDAP security group" : "" + ldap_sg_in_ldap_sg_msg = "LDAP security group is not present in LDAP security group" # tflint-ignore: terraform_unused_declarations validate_ldap_sg_in_ldap_sg_chk = var.ldap_sg_name != null ? regex("^${local.ldap_sg_in_ldap_sg_msg}$", (local.validate_ldap_sg_in_ldap_sg ? local.ldap_sg_in_ldap_sg_msg : "")) : true } From a579430bac085d0e10d325e213b00448b47ae1da Mon Sep 17 00:00:00 2001 From: Jayesh-Kumar3 Date: Thu, 12 Dec 2024 23:25:25 +0530 Subject: [PATCH 11/13] sg 8 Signed-off-by: Jayesh-Kumar3 --- .../sub_modules/instance_template/README.md | 3 ++ .../sub_modules/instance_template/main.tf | 52 ++++++++++++++----- 2 files changed, 41 insertions(+), 14 deletions(-) diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/README.md b/ibmcloud_scale_templates/sub_modules/instance_template/README.md index 824168d9..dc34d542 100644 --- a/ibmcloud_scale_templates/sub_modules/instance_template/README.md +++ b/ibmcloud_scale_templates/sub_modules/instance_template/README.md 
@@ -170,6 +170,9 @@ Below steps will provision IBM Cloud resources (compute and storage instances in | [baremetal_cluster_with_data_volume_mapping](#output_baremetal_cluster_with_data_volume_mapping) | Mapping of storage cluster bare meteal server ip vs device path. | | [compute_cluster_instance_ids](#output_compute_cluster_instance_ids) | Compute cluster instance ids. | | [compute_cluster_instance_private_ips](#output_compute_cluster_instance_private_ips) | Private IP address of compute cluster instances. | +| [sg](#output_sg) | n/a | +| [sg_check](#output_sg_check) | n/a | +| [sg_comp](#output_sg_comp) | n/a | | [storage_cluster_desc_data_volume_mapping](#output_storage_cluster_desc_data_volume_mapping) | Mapping of storage cluster desc instance ip vs. device path. | | [storage_cluster_desc_instance_ids](#output_storage_cluster_desc_instance_ids) | Storage cluster desc instance id. | | [storage_cluster_desc_instance_private_ips](#output_storage_cluster_desc_instance_private_ips) | Private IP address of storage cluster desc instance. | diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf index 9b7e6546..4ff226d3 100644 --- a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf +++ b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf 
@@ -96,63 +96,87 @@ data "ibm_is_security_group" "ldap_security_group" { name = var.ldap_sg_name } +output "sg_comp" { + value = local.comp_sg_rules +} + +output "sg" { + value = local.validate_strg_sg_in_comp_sg +} + +output "sg_check" { + value = local.validate_strg_sg_in_comp_sg_chk +} + locals { - strg_sg_rules = try([for remote in data.ibm_is_security_group.strg_security_group[*].rules[*] : remote.remote], []) - comp_sg_rules = try([for remote in data.ibm_is_security_group.comp_security_group[*].rules[*] : remote.remote], []) - gklm_sg_rules = try([for remote in data.ibm_is_security_group.gklm_security_group[*].rules[*] : remote.remote], []) - ldap_sg_rules = try([for remote in data.ibm_is_security_group.ldap_security_group[*].rules[*] : remote.remote], []) + strg_sg_rules = flatten([for remote in data.ibm_is_security_group.strg_security_group[*].rules[*] : remote[*].remote]) + comp_sg_rules = flatten([for remote in data.ibm_is_security_group.comp_security_group[*].rules[*] : remote[*].remote]) + gklm_sg_rules = flatten([for remote in data.ibm_is_security_group.gklm_security_group[*].rules[*] : remote[*].remote]) + ldap_sg_rules = flatten([for remote in data.ibm_is_security_group.ldap_security_group[*].rules[*] : remote[*].remote]) + + # # Compute Security group validation + # validate_strg_sg_in_comp_sg = var.strg_sg_name != null ? contains(local.comp_sg_rules, tolist(data.ibm_is_security_group.strg_security_group[*].id)[0]) : true + # strg_sg_in_comp_sg_msg = "Storage security group is not present in Compute security group" + # # tflint-ignore: terraform_unused_declarations + # validate_strg_sg_in_comp_sg_chk = var.strg_sg_name != null ? regex("^${local.strg_sg_in_comp_sg_msg}$", (local.validate_strg_sg_in_comp_sg ? 
local.strg_sg_in_comp_sg_msg : "")) : true + + # validate_comp_sg_in_comp_sg = (var.comp_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) + # comp_sg_in_comp_sg_msg = "Compute security group is not present in Compute security group" + # # tflint-ignore: terraform_unused_declarations + # validate_comp_sg_in_comp_sg_chk = var.comp_sg_name != null ? regex("^${local.comp_sg_in_comp_sg_msg}$", (local.validate_comp_sg_in_comp_sg ? local.comp_sg_in_comp_sg_msg : "")) : true + # Storage Security group validation - validate_strg_sg_in_strg_sg = (var.strg_sg_name != null && contains(local.strg_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) + validate_strg_sg_in_strg_sg = var.strg_sg_name != null ? contains(local.strg_sg_rules, tolist(data.ibm_is_security_group.strg_security_group[*].id)[0]) : true strg_sg_in_strg_sg_msg = "Storage security group is not present in Storage security group" # tflint-ignore: terraform_unused_declarations validate_strg_sg_in_strg_sg_chk = var.strg_sg_name != null ? regex("^${local.strg_sg_in_strg_sg_msg}$", (local.validate_strg_sg_in_strg_sg ? local.strg_sg_in_strg_sg_msg : "")) : true - validate_comp_sg_in_strg_sg = (var.comp_sg_name != null && contains(local.strg_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) + validate_comp_sg_in_strg_sg = var.comp_sg_name != null ? contains(local.strg_sg_rules, tolist(data.ibm_is_security_group.comp_security_group[*].id)[0]) : true comp_sg_in_strg_sg_msg = "Compute security group is not present in Storage security group" # tflint-ignore: terraform_unused_declarations validate_comp_sg_in_strg_sg_chk = var.comp_sg_name != null ? regex("^${local.comp_sg_in_strg_sg_msg}$", (local.validate_comp_sg_in_strg_sg ? 
local.comp_sg_in_strg_sg_msg : "")) : true # Compute Security group validation - validate_strg_sg_in_comp_sg = (var.strg_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) + validate_strg_sg_in_comp_sg = var.strg_sg_name != null ? contains(local.comp_sg_rules, tolist(data.ibm_is_security_group.strg_security_group[*].id)[0]) : true strg_sg_in_comp_sg_msg = "Storage security group is not present in Compute security group" # tflint-ignore: terraform_unused_declarations validate_strg_sg_in_comp_sg_chk = var.strg_sg_name != null ? regex("^${local.strg_sg_in_comp_sg_msg}$", (local.validate_strg_sg_in_comp_sg ? local.strg_sg_in_comp_sg_msg : "")) : true - validate_comp_sg_in_comp_sg = (var.comp_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) + validate_comp_sg_in_comp_sg = var.comp_sg_name != null ? contains(local.comp_sg_rules, tolist(data.ibm_is_security_group.comp_security_group[*].id)[0]) : true comp_sg_in_comp_sg_msg = "Compute security group is not present in Compute security group" # tflint-ignore: terraform_unused_declarations validate_comp_sg_in_comp_sg_chk = var.comp_sg_name != null ? regex("^${local.comp_sg_in_comp_sg_msg}$", (local.validate_comp_sg_in_comp_sg ? local.comp_sg_in_comp_sg_msg : "")) : true # GKLM Security group validation - validate_strg_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) + validate_strg_sg_in_gklm_sg = var.gklm_sg_name != null ? contains(local.gklm_sg_rules, tolist(data.ibm_is_security_group.strg_security_group[*].id)[0]) : true strg_sg_in_gklm_sg_msg = "Storage security group is not present in GKLM security group" # tflint-ignore: terraform_unused_declarations validate_strg_sg_in_gklm_sg_chk = var.gklm_sg_name != null ? regex("^${local.strg_sg_in_gklm_sg_msg}$", (local.validate_strg_sg_in_gklm_sg ? 
local.strg_sg_in_gklm_sg_msg : "")) : true - validate_comp_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) + validate_comp_sg_in_gklm_sg = var.gklm_sg_name != null ? contains(local.gklm_sg_rules, tolist(data.ibm_is_security_group.comp_security_group[*].id)[0]) : true comp_sg_in_gklm_sg_msg = "Compute security group is not present in GKLM security group" # tflint-ignore: terraform_unused_declarations validate_comp_sg_in_gklm_sg_chk = var.gklm_sg_name != null ? regex("^${local.comp_sg_in_gklm_sg_msg}$", (local.validate_comp_sg_in_gklm_sg ? local.comp_sg_in_gklm_sg_msg : "")) : true - validate_gklm_sg_in_gklm_sg = (var.gklm_sg_name != null && contains(local.gklm_sg_rules, data.ibm_is_security_group.gklm_security_group[*].id)) + validate_gklm_sg_in_gklm_sg = var.gklm_sg_name != null ? contains(local.gklm_sg_rules, tolist(data.ibm_is_security_group.gklm_security_group[*].id)[0]) : true gklm_sg_in_gklm_sg_msg = "GKLM security group is not present in GKLM security group" # tflint-ignore: terraform_unused_declarations validate_gklm_sg_in_gklm_sg_chk = var.gklm_sg_name != null ? regex("^${local.gklm_sg_in_gklm_sg_msg}$", (local.validate_gklm_sg_in_gklm_sg ? local.gklm_sg_in_gklm_sg_msg : "")) : true # LDAP Security group validation - validate_strg_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.strg_security_group[*].id)) + validate_strg_sg_in_ldap_sg = var.ldap_sg_name != null ? contains(local.ldap_sg_rules, tolist(data.ibm_is_security_group.strg_security_group[*].id)[0]) : true strg_sg_in_ldap_sg_msg = "Storage security group is not present in LDAP security group" # tflint-ignore: terraform_unused_declarations validate_strg_sg_in_ldap_sg_chk = var.ldap_sg_name != null ? regex("^${local.strg_sg_in_ldap_sg_msg}$", (local.validate_strg_sg_in_ldap_sg ? 
local.strg_sg_in_ldap_sg_msg : "")) : true - validate_comp_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.comp_security_group[*].id)) + validate_comp_sg_in_ldap_sg = var.ldap_sg_name != null ? contains(local.ldap_sg_rules, tolist(data.ibm_is_security_group.comp_security_group[*].id)[0]) : true comp_sg_in_ldap_sg_msg = "Compute security group is not present in LDAP security group" # tflint-ignore: terraform_unused_declarations validate_comp_sg_in_ldap_sg_chk = var.ldap_sg_name != null ? regex("^${local.comp_sg_in_ldap_sg_msg}$", (local.validate_comp_sg_in_ldap_sg ? local.comp_sg_in_ldap_sg_msg : "")) : true - validate_ldap_sg_in_ldap_sg = (var.ldap_sg_name != null && contains(local.ldap_sg_rules, data.ibm_is_security_group.ldap_security_group[*].id)) + validate_ldap_sg_in_ldap_sg = var.ldap_sg_name != null ? contains(local.ldap_sg_rules, tolist(data.ibm_is_security_group.ldap_security_group[*].id)[0]) : true ldap_sg_in_ldap_sg_msg = "LDAP security group is not present in LDAP security group" # tflint-ignore: terraform_unused_declarations validate_ldap_sg_in_ldap_sg_chk = var.ldap_sg_name != null ? regex("^${local.ldap_sg_in_ldap_sg_msg}$", (local.validate_ldap_sg_in_ldap_sg ? local.ldap_sg_in_ldap_sg_msg : "")) : true From d31e4aa0a89b52b40e351b8e4ec606a2a5063fd8 Mon Sep 17 00:00:00 2001 From: Jayesh-Kumar3 Date: Fri, 13 Dec 2024 00:55:25 +0530 Subject: [PATCH 12/13] sg 9 Signed-off-by: Jayesh-Kumar3 --- .../sub_modules/instance_template/README.md | 3 --- .../sub_modules/instance_template/main.tf | 25 ------------------- 2 files changed, 28 deletions(-) diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/README.md b/ibmcloud_scale_templates/sub_modules/instance_template/README.md index dc34d542..824168d9 100644 --- a/ibmcloud_scale_templates/sub_modules/instance_template/README.md +++ b/ibmcloud_scale_templates/sub_modules/instance_template/README.md 
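Review bot: The four `*_sg_rules` comprehensions name their loop variable `remote` although each element is a rule list from `rules[*]`, which makes `remote[*].remote` read as if it indexed a string; naming the element for what it is removes the double meaning, e.g. `strg_sg_rules = flatten([for rules in data.ibm_is_security_group.strg_security_group[*].rules : rules[*].remote])`. Dropping the former `try(..., [])` looks safe because the splat over a zero-count data source already yields `[]`, but a short comment saying so would stop the next reader from re-adding it. The `locals` block continues past the end of the hunk.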
@@ -170,9 +170,6 @@ Below steps will provision IBM Cloud resources (compute and storage instances in
 | [baremetal_cluster_with_data_volume_mapping](#output_baremetal_cluster_with_data_volume_mapping) | Mapping of storage cluster bare meteal server ip vs device path. |
 | [compute_cluster_instance_ids](#output_compute_cluster_instance_ids) | Compute cluster instance ids. |
 | [compute_cluster_instance_private_ips](#output_compute_cluster_instance_private_ips) | Private IP address of compute cluster instances. |
-| [sg](#output_sg) | n/a |
-| [sg_check](#output_sg_check) | n/a |
-| [sg_comp](#output_sg_comp) | n/a |
 | [storage_cluster_desc_data_volume_mapping](#output_storage_cluster_desc_data_volume_mapping) | Mapping of storage cluster desc instance ip vs. device path. |
 | [storage_cluster_desc_instance_ids](#output_storage_cluster_desc_instance_ids) | Storage cluster desc instance id. |
 | [storage_cluster_desc_instance_private_ips](#output_storage_cluster_desc_instance_private_ips) | Private IP address of storage cluster desc instance. |
diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf
index 4ff226d3..f2ff6ce3 100644
--- a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf
+++ b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf
@@ -96,37 +96,12 @@ data "ibm_is_security_group" "ldap_security_group" {
 name = var.ldap_sg_name
 }
-output "sg_comp" {
- value = local.comp_sg_rules
-}
-
-output "sg" {
- value = local.validate_strg_sg_in_comp_sg
-}
-
-output "sg_check" {
- value = local.validate_strg_sg_in_comp_sg_chk
-}
-
 locals {
-
 strg_sg_rules = flatten([for remote in data.ibm_is_security_group.strg_security_group[*].rules[*] : remote[*].remote])
 comp_sg_rules = flatten([for remote in data.ibm_is_security_group.comp_security_group[*].rules[*] : remote[*].remote])
 gklm_sg_rules = flatten([for remote in data.ibm_is_security_group.gklm_security_group[*].rules[*] : remote[*].remote])
 ldap_sg_rules = flatten([for remote in data.ibm_is_security_group.ldap_security_group[*].rules[*] : remote[*].remote])
- # # Compute Security group validation
- # validate_strg_sg_in_comp_sg = var.strg_sg_name != null ? contains(local.comp_sg_rules, tolist(data.ibm_is_security_group.strg_security_group[*].id)[0]) : true
- # strg_sg_in_comp_sg_msg = "Storage security group is not present in Compute security group"
- # # tflint-ignore: terraform_unused_declarations
- # validate_strg_sg_in_comp_sg_chk = var.strg_sg_name != null ? regex("^${local.strg_sg_in_comp_sg_msg}$", (local.validate_strg_sg_in_comp_sg ? local.strg_sg_in_comp_sg_msg : "")) : true
-
- # validate_comp_sg_in_comp_sg = (var.comp_sg_name != null && contains(local.comp_sg_rules, data.ibm_is_security_group.comp_security_group[*].id))
- # comp_sg_in_comp_sg_msg = "Compute security group is not present in Compute security group"
- # # tflint-ignore: terraform_unused_declarations
- # validate_comp_sg_in_comp_sg_chk = var.comp_sg_name != null ? regex("^${local.comp_sg_in_comp_sg_msg}$", (local.validate_comp_sg_in_comp_sg ? local.comp_sg_in_comp_sg_msg : "")) : true
-
-
 # Storage Security group validation
 validate_strg_sg_in_strg_sg = var.strg_sg_name != null ? contains(local.strg_sg_rules, tolist(data.ibm_is_security_group.strg_security_group[*].id)[0]) : true
 strg_sg_in_strg_sg_msg = "Storage security group is not present in Storage security group"
From c172efaad48ded342d88bc306081791844e3f34e Mon Sep 17 00:00:00 2001
From: Jayesh-Kumar3
Date: Fri, 13 Dec 2024 12:57:14 +0530
Subject: [PATCH 13/13] sg 10
Signed-off-by: Jayesh-Kumar3
---
 .../sub_modules/instance_template/main.tf | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf
index f2ff6ce3..812b3b84 100644
--- a/ibmcloud_scale_templates/sub_modules/instance_template/main.tf
+++ b/ibmcloud_scale_templates/sub_modules/instance_template/main.tf
@@ -108,50 +108,50 @@ locals {
 # tflint-ignore: terraform_unused_declarations
 validate_strg_sg_in_strg_sg_chk = var.strg_sg_name != null ? regex("^${local.strg_sg_in_strg_sg_msg}$", (local.validate_strg_sg_in_strg_sg ? local.strg_sg_in_strg_sg_msg : "")) : true
- validate_comp_sg_in_strg_sg = var.comp_sg_name != null ? contains(local.strg_sg_rules, tolist(data.ibm_is_security_group.comp_security_group[*].id)[0]) : true
+ validate_comp_sg_in_strg_sg = var.total_compute_cluster_instances > 0 && var.comp_sg_name != null ? contains(local.strg_sg_rules, tolist(data.ibm_is_security_group.comp_security_group[*].id)[0]) : true
 comp_sg_in_strg_sg_msg = "Compute security group is not present in Storage security group"
 # tflint-ignore: terraform_unused_declarations
 validate_comp_sg_in_strg_sg_chk = var.comp_sg_name != null ? regex("^${local.comp_sg_in_strg_sg_msg}$", (local.validate_comp_sg_in_strg_sg ? local.comp_sg_in_strg_sg_msg : "")) : true
 # Compute Security group validation
- validate_strg_sg_in_comp_sg = var.strg_sg_name != null ? contains(local.comp_sg_rules, tolist(data.ibm_is_security_group.strg_security_group[*].id)[0]) : true
+ validate_strg_sg_in_comp_sg = var.total_compute_cluster_instances > 0 && var.strg_sg_name != null ? contains(local.comp_sg_rules, tolist(data.ibm_is_security_group.strg_security_group[*].id)[0]) : true
 strg_sg_in_comp_sg_msg = "Storage security group is not present in Compute security group"
 # tflint-ignore: terraform_unused_declarations
 validate_strg_sg_in_comp_sg_chk = var.strg_sg_name != null ? regex("^${local.strg_sg_in_comp_sg_msg}$", (local.validate_strg_sg_in_comp_sg ? local.strg_sg_in_comp_sg_msg : "")) : true
- validate_comp_sg_in_comp_sg = var.comp_sg_name != null ? contains(local.comp_sg_rules, tolist(data.ibm_is_security_group.comp_security_group[*].id)[0]) : true
+ validate_comp_sg_in_comp_sg = var.total_compute_cluster_instances > 0 && var.comp_sg_name != null ? contains(local.comp_sg_rules, tolist(data.ibm_is_security_group.comp_security_group[*].id)[0]) : true
 comp_sg_in_comp_sg_msg = "Compute security group is not present in Compute security group"
 # tflint-ignore: terraform_unused_declarations
 validate_comp_sg_in_comp_sg_chk = var.comp_sg_name != null ? regex("^${local.comp_sg_in_comp_sg_msg}$", (local.validate_comp_sg_in_comp_sg ? local.comp_sg_in_comp_sg_msg : "")) : true
 # GKLM Security group validation
- validate_strg_sg_in_gklm_sg = var.gklm_sg_name != null ? contains(local.gklm_sg_rules, tolist(data.ibm_is_security_group.strg_security_group[*].id)[0]) : true
+ validate_strg_sg_in_gklm_sg = var.scale_encryption_enabled == true && var.scale_encryption_type == "gklm" && var.gklm_sg_name != null && var.strg_sg_name != null ? contains(local.gklm_sg_rules, tolist(data.ibm_is_security_group.strg_security_group[*].id)[0]) : true
 strg_sg_in_gklm_sg_msg = "Storage security group is not present in GKLM security group"
 # tflint-ignore: terraform_unused_declarations
 validate_strg_sg_in_gklm_sg_chk = var.gklm_sg_name != null ? regex("^${local.strg_sg_in_gklm_sg_msg}$", (local.validate_strg_sg_in_gklm_sg ? local.strg_sg_in_gklm_sg_msg : "")) : true
- validate_comp_sg_in_gklm_sg = var.gklm_sg_name != null ? contains(local.gklm_sg_rules, tolist(data.ibm_is_security_group.comp_security_group[*].id)[0]) : true
+ validate_comp_sg_in_gklm_sg = var.scale_encryption_enabled == true && var.scale_encryption_type == "gklm" && var.total_compute_cluster_instances > 0 && var.comp_sg_name != null && var.gklm_sg_name != null ? contains(local.gklm_sg_rules, tolist(data.ibm_is_security_group.comp_security_group[*].id)[0]) : true
 comp_sg_in_gklm_sg_msg = "Compute security group is not present in GKLM security group"
 # tflint-ignore: terraform_unused_declarations
 validate_comp_sg_in_gklm_sg_chk = var.gklm_sg_name != null ? regex("^${local.comp_sg_in_gklm_sg_msg}$", (local.validate_comp_sg_in_gklm_sg ? local.comp_sg_in_gklm_sg_msg : "")) : true
- validate_gklm_sg_in_gklm_sg = var.gklm_sg_name != null ? contains(local.gklm_sg_rules, tolist(data.ibm_is_security_group.gklm_security_group[*].id)[0]) : true
+ validate_gklm_sg_in_gklm_sg = var.scale_encryption_enabled == true && var.scale_encryption_type == "gklm" && var.gklm_sg_name != null ? contains(local.gklm_sg_rules, tolist(data.ibm_is_security_group.gklm_security_group[*].id)[0]) : true
 gklm_sg_in_gklm_sg_msg = "GKLM security group is not present in GKLM security group"
 # tflint-ignore: terraform_unused_declarations
 validate_gklm_sg_in_gklm_sg_chk = var.gklm_sg_name != null ? regex("^${local.gklm_sg_in_gklm_sg_msg}$", (local.validate_gklm_sg_in_gklm_sg ? local.gklm_sg_in_gklm_sg_msg : "")) : true
 # LDAP Security group validation
- validate_strg_sg_in_ldap_sg = var.ldap_sg_name != null ? contains(local.ldap_sg_rules, tolist(data.ibm_is_security_group.strg_security_group[*].id)[0]) : true
+ validate_strg_sg_in_ldap_sg = var.enable_ldap == true && var.ldap_server == "null" && var.ldap_sg_name != null && var.strg_sg_name != null ? contains(local.ldap_sg_rules, tolist(data.ibm_is_security_group.strg_security_group[*].id)[0]) : true
 strg_sg_in_ldap_sg_msg = "Storage security group is not present in LDAP security group"
 # tflint-ignore: terraform_unused_declarations
 validate_strg_sg_in_ldap_sg_chk = var.ldap_sg_name != null ? regex("^${local.strg_sg_in_ldap_sg_msg}$", (local.validate_strg_sg_in_ldap_sg ? local.strg_sg_in_ldap_sg_msg : "")) : true
- validate_comp_sg_in_ldap_sg = var.ldap_sg_name != null ? contains(local.ldap_sg_rules, tolist(data.ibm_is_security_group.comp_security_group[*].id)[0]) : true
+ validate_comp_sg_in_ldap_sg = var.enable_ldap == true && var.ldap_server == "null" && var.ldap_sg_name != null && var.total_compute_cluster_instances > 0 && var.comp_sg_name != null ? contains(local.ldap_sg_rules, tolist(data.ibm_is_security_group.comp_security_group[*].id)[0]) : true
 comp_sg_in_ldap_sg_msg = "Compute security group is not present in LDAP security group"
 # tflint-ignore: terraform_unused_declarations
 validate_comp_sg_in_ldap_sg_chk = var.ldap_sg_name != null ? regex("^${local.comp_sg_in_ldap_sg_msg}$", (local.validate_comp_sg_in_ldap_sg ? local.comp_sg_in_ldap_sg_msg : "")) : true
- validate_ldap_sg_in_ldap_sg = var.ldap_sg_name != null ? contains(local.ldap_sg_rules, tolist(data.ibm_is_security_group.ldap_security_group[*].id)[0]) : true
+ validate_ldap_sg_in_ldap_sg = var.enable_ldap == true && var.ldap_server == "null" && var.ldap_sg_name != null ? contains(local.ldap_sg_rules, tolist(data.ibm_is_security_group.ldap_security_group[*].id)[0]) : true
 ldap_sg_in_ldap_sg_msg = "LDAP security group is not present in LDAP security group"
 # tflint-ignore: terraform_unused_declarations
 validate_ldap_sg_in_ldap_sg_chk = var.ldap_sg_name != null ? regex("^${local.ldap_sg_in_ldap_sg_msg}$", (local.validate_ldap_sg_in_ldap_sg ? local.ldap_sg_in_ldap_sg_msg : "")) : true
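Review bot: The storage/compute pair of checks is gated asymmetrically: `validate_comp_sg_in_strg_sg` guards `var.comp_sg_name` but not `var.strg_sg_name`, and `validate_strg_sg_in_comp_sg` guards `var.strg_sg_name` but not `var.comp_sg_name`, whereas every new GKLM and LDAP line guards both names. If the unguarded name is null its data source (presumably `count = 0`) yields an empty `*_sg_rules` list, `contains` returns false, and the `_chk` regex raises a misleading "not present" error instead of skipping the check; appending `&& var.strg_sg_name != null` and `&& var.comp_sg_name != null` respectively would make the pair consistent with the other groups. A comment above the group should also state what a pass proves: `*_sg_rules` flattens every rule's `remote` regardless of direction, protocol or port, so a match only shows that some rule references the peer group, not that the inbound traffic the cluster needs is allowed. `var.ldap_server == "null"` compares against the string literal `"null"`, which is fine only if that is the variable's documented default; otherwise a real `null` comparison is intended. The enclosing `locals` block starts outside the hunk.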