OCTOPUS-555: harden the skip_create_security_group

Signed-off-by: Paul Bastide <[email protected]>
IBM · Nov 14, 2023 · b2e5991 · b2e5991
1 parent 7716af9
commit b2e5991
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 30 deletions.
diff --git a/main.tf b/main.tf
@@ -59,25 +59,26 @@ module "vpc_prepare" {
   depends_on = [module.vpc]
   source     = "./modules/1_vpc_prepare"
 
-  private_key_file        = var.private_key_file
-  ssh_agent               = var.ssh_agent
-  connection_timeout      = var.connection_timeout
-  rhel_username           = var.rhel_username
-  bastion_public_ip       = var.powervs_bastion_ip
-  vpc_create              = var.vpc_create
-  vpc_name                = local.vpc_name
-  vpc_region              = var.vpc_region
-  vpc_zone                = var.vpc_zone
-  vpc_skip_ssh_key_create = var.vpc_skip_ssh_key_create
-  name_prefix             = local.name_prefix
-  resource_group          = module.vpc.vpc_resource_group
-  public_key              = var.public_key
-  public_key_file         = var.public_key_file
-  powervs_machine_cidr    = var.powervs_machine_cidr
-  worker_1                = var.worker_1
-  worker_2                = var.worker_2
-  worker_3                = var.worker_3
-  create_custom_subnet    = var.create_custom_subnet
+  private_key_file           = var.private_key_file
+  ssh_agent                  = var.ssh_agent
+  connection_timeout         = var.connection_timeout
+  rhel_username              = var.rhel_username
+  bastion_public_ip          = var.powervs_bastion_ip
+  vpc_create                 = var.vpc_create
+  vpc_name                   = local.vpc_name
+  vpc_region                 = var.vpc_region
+  vpc_zone                   = var.vpc_zone
+  vpc_skip_ssh_key_create    = var.vpc_skip_ssh_key_create
+  name_prefix                = local.name_prefix
+  resource_group             = module.vpc.vpc_resource_group
+  public_key                 = var.public_key
+  public_key_file            = var.public_key_file
+  powervs_machine_cidr       = var.powervs_machine_cidr
+  worker_1                   = var.worker_1
+  worker_2                   = var.worker_2
+  worker_3                   = var.worker_3
+  create_custom_subnet       = var.create_custom_subnet
+  skip_create_security_group = var.skip_create_security_group
 }
 
 ### Prepares the VPC Support Machine

diff --git a/modules/1_vpc_prepare/security_groups.tf b/modules/1_vpc_prepare/security_groups.tf
@@ -3,45 +3,56 @@
 # SPDX-License-Identifier: Apache-2.0
 ################################################################
 
-data "ibm_is_security_groups" "sgs" {
-  vpc_id = data.ibm_is_vpc.vpc.id
-}
-
 resource "ibm_is_security_group" "worker_vm_sg" {
-  count          = length([for x in data.ibm_is_security_groups.sgs.security_groups : x if endswith(x.name, "${var.vpc_name}-workers-sg")]) == 0 ? 1 : 0
+  count          = !var.skip_create_security_group ? 1 : 0
   name           = "${var.vpc_name}-workers-sg"
   vpc            = data.ibm_is_vpc.vpc.id
   resource_group = data.ibm_is_vpc.vpc.resource_group
+  lifecycle {
+    ignore_changes = all
+  }
 }
 
 # outbound all
 resource "ibm_is_security_group_rule" "worker_all_outbound" {
-  count     = length([for x in data.ibm_is_security_groups.sgs.security_groups : x if endswith(x.name, "${var.vpc_name}-workers-sg")]) == 0 ? 1 : 0
+  count     = !var.skip_create_security_group ? 1 : 0
   group     = ibm_is_security_group.worker_vm_sg[0].id
   direction = "outbound"
   remote    = "0.0.0.0/0"
+  lifecycle {
+    ignore_changes = all
+  }
 }
 
 # outbound rule to powervs
 resource "ibm_is_security_group_rule" "worker_all_outbound_powervs" {
-  count     = length([for x in data.ibm_is_security_groups.sgs.security_groups : x if endswith(x.name, "${var.vpc_name}-workers-sg")]) == 0 ? 1 : 0
+  count     = !var.skip_create_security_group ? 1 : 0
   group     = ibm_is_security_group.worker_vm_sg[0].id
   direction = "outbound"
   remote    = var.powervs_machine_cidr
+  lifecycle {
+    ignore_changes = all
+  }
 }
 
 # inbound to security group
 resource "ibm_is_security_group_rule" "worker_all_sg" {
-  count     = length([for x in data.ibm_is_security_groups.sgs.security_groups : x if endswith(x.name, "${var.vpc_name}-workers-sg")]) == 0 ? 1 : 0
+  count     = !var.skip_create_security_group ? 1 : 0
   group     = ibm_is_security_group.worker_vm_sg[0].id
   direction = "inbound"
   remote    = ibm_is_security_group.worker_vm_sg[0].id
+  lifecycle {
+    ignore_changes = all
+  }
 }
 
 # inbound to cidr
 resource "ibm_is_security_group_rule" "worker_all_powervs_cidr" {
-  count     = length([for x in data.ibm_is_security_groups.sgs.security_groups : x if endswith(x.name, "${var.vpc_name}-workers-sg")]) == 0 ? 1 : 0
+  count     = !var.skip_create_security_group ? 1 : 0
   group     = ibm_is_security_group.worker_vm_sg[0].id
   direction = "inbound"
   remote    = var.powervs_machine_cidr
+  lifecycle {
+    ignore_changes = all
+  }
 }
diff --git a/modules/1_vpc_prepare/variables.tf b/modules/1_vpc_prepare/variables.tf
@@ -59,4 +59,5 @@ variable "ssh_agent" {}
 variable "bastion_public_ip" {}
 variable "private_key_file" {}
 variable "connection_timeout" {}
-variable "rhel_username" {}
+variable "rhel_username" {}
+variable "skip_create_security_group" {}
diff --git a/variables.tf b/variables.tf
@@ -331,4 +331,11 @@ variable "vpc_skip_ssh_key_create" {
   type        = bool
   description = "skips the creation of the ssh keys in the vpc environment"
   default     = false
-}
+}
+
+variable "skip_create_security_group" {
+  type        = bool
+  description = "skips the creation of the security group in a vpc environment"
+  default     = false
+}
+