diff --git a/terraform/infrastructure/openstack/.terraform.lock.hcl b/terraform/infrastructure/openstack/.terraform.lock.hcl index 9f220a3a2..58131d13c 100644 --- a/terraform/infrastructure/openstack/.terraform.lock.hcl +++ b/terraform/infrastructure/openstack/.terraform.lock.hcl 
@@ -26,36 +26,27 @@ provider "registry.terraform.io/hashicorp/random" { } provider "registry.terraform.io/terraform-provider-openstack/openstack" { - version = "1.52.1" - constraints = "1.52.1" + version = "1.54.1" + constraints = "1.54.1" hashes = [ - "h1:A+g4494kx7lEsJe4M16GzM9MKNPBR5tnzbZ9+33QlkM=", - "h1:EOTtuZvB5p6DRvmHZutxA5maQUkMD7EMWTzFf2JL1HM=", - "h1:NWz1fLVT0cItJmL8t5tK5AKXrP9EA9FIPaVYWEfhAMQ=", - "h1:PAaUknZ3JC1blyZ0BOrIrYAKaV0KKt79SLWDwboG2To=", - "h1:TdvatmiIUG+9RB/IIr2E/4ISw7ktF1jUCWrZe/fibaM=", - "h1:UB2hQdQ8FA7V4jJa4q9/3sFnsXUhlLKWC8cQqX+H6ZU=", - "h1:cuiQP8rBuyh+wAv/ItSKLu4Evro8TMaB0KXL++XB18g=", - "h1:iWC3awIqtrlq/AAk5fCRrw7icPRrXducOXYA+1f2q6E=", - "h1:iuuAlX04fEyvdJTWsqa3To2lRg9+7meIO3CtIasQFOI=", - "h1:kRQXDWW2DnblI6UNmMxNf6jt+CUQ7ENGRs2Nch0aYxI=", - "h1:sP0p4CedQh3sErEZ0QIPjaqFkLHMh/OOzUwmb+sdisI=", - "h1:scQS826puQFDo6EY0B3Tlk0kXYtm+ru7YPyMM9GCIMI=", - "h1:tzawotEtjBcVWnzA+wAqcbkxW7XnJCfXqod4SBts9vI=", - "h1:yhED1rCRd7TSqnQmOUb2wiYpQP5EnhUtu3enrcf60K8=", - "zh:037f7ab5a0942daee00d23402e7ccab472380864e13013284910fa7841a6e37c", - "zh:52ac973e6c5cd584c5086494218e9b49d93217f5fbc34fc76fa8a9ddd635447a", - "zh:5acad7b8c7a493fd0b659271743e2853859a4b2669df26f21aecf1b2f60fa706", - "zh:5d9218a7f10849f2227fc11df19f78b3b11cccade6b674c314e804f0e98d4368", - "zh:91ea6bf80ff706e734300041cf22e946c049abf8dcf1bed899f93f20f7779121", - "zh:961d67ebf1116bd539b726ef483f7d67c95351efd09e55fbeb30cd2ca7946a12", - "zh:9d3d8ee11cda45804e9b759064fbc9f47d6f54203bd17654236f2f601424b460", - "zh:a0af7e5bad6114a7a0ac88cee63e2c14558572e293bebcf651ed8d8d9c20dfda", - "zh:a1fd5609f61a43c9c2a403e024042afc3a45fde39935a388009d05105e2d39d3", - "zh:bd84aae9f2ac6eb978837ea5994bb24be221e2e4d69a3e8842eef3fcf62594f0", - "zh:be690e77aa497ab8bb8ed59f7e03018e96805e2e13df334086a8c5ac4290db09", - "zh:c4ee17773e7295b0598e36148ac49b2c61caa6da3f7b02e439aa61ca6486da07", - "zh:c871d03abf9c916584dd8fc6b63ed85bbe41208eba684b2175ac741003bf9d25", - 
"zh:f1e5c4a5740ad75b9b37376db4ea0e3067b0c2b6871521bbc6a1625bef137abf", + "h1:Cqk18+r4bJF/sIusEK9lM0gc841RwsJ8AMhWyiU7lig=", + "h1:Cs9sP2V0MssWIQo+gur9soaNAAQleRaWdnvFP61s0Y0=", + "h1:JC0mScAPBs1MlHeEIPMZTQGhTA5aIG3iEuKMSPpR31E=", + "h1:jx2WdbttenKA2gWZDil6ffQT2CcY/TZ46pG0FlbNPuY=", + "h1:xt7LbO3lAXcDUjDxPHrQtgv4mO2GKvSOFMF1uPsK4vE=", + "zh:45ba84df17f94b15af7aab7007241e035dde8a5b46aeb761259d937058a80f71", + "zh:493b1deb7be9b600e5b1f5da2a9dfd3bce5df0c6d38090614dbe4ed05ade8441", + "zh:53551401fba8c1d5b27a08ee307552b84b1d0c1218f3717a4b766ec701b3e016", + "zh:53629bebb48ce5220f7601d776c2ac1485b6c860cb695f150fb716f5be8aa86d", + "zh:5a20f32cca767bef70b79bc8ecbd10fec3dc8696183e2d29631aa510947cb70d", + "zh:653693f630777e4aa3f410976a5169cf0f2a301516a820b3860de116054ae30a", + "zh:70f2d7bd5f5940f4fc3f023a01468890fbd9d704d0256bc65f7c64fb2cbcd4e4", + "zh:9cc22af51e5124dd5c2e0f1adefb1b08dcff3138aba9c92961cef36b1641d7aa", + "zh:9df45e893f215266159733dbc120809bc3d313188e121532dc6e2d10165e9899", + "zh:cb3e240992069cd6160f5b5cbbd50b70948f25bb337a75e780a0648461505d3f", + "zh:cb8343c0cf1bf5ca4d060826a8b68e3e5935b4a65974c76ac9c071c5a510e67e", + "zh:cc2060f93c66276dff6366b48e3a0e619874e3d939e0d2a39fc6ce10ca91232d", + "zh:d495b3051977018696113eded89c2cddfae0570f2adbdf7e9097c189ba41903e", + "zh:dfad1be943769780d5e948c06db957ce45f98b057a774964da0b82130c22f139", ] } diff --git a/terraform/infrastructure/openstack/main.tf b/terraform/infrastructure/openstack/main.tf index 67aff1142..4784ae08f 100644 --- a/terraform/infrastructure/openstack/main.tf +++ b/terraform/infrastructure/openstack/main.tf @@ -2,7 +2,7 @@ terraform { required_providers { openstack = { source = "terraform-provider-openstack/openstack" - version = "1.52.1" + version = "1.54.1" } random = { 
@@ -101,63 +101,111 @@ resource "openstack_networking_router_interface_v2" "vpc_router_interface" {
 subnet_id = openstack_networking_subnet_v2.vpc_subnetwork.id
 }
 
-resource "openstack_compute_secgroup_v2" "vpc_secgroup" {
+resource "openstack_networking_secgroup_v2" "vpc_secgroup" {
 name = local.name
 description = "Constellation VPC security group"
-
- rule {
- from_port = -1
- to_port = -1
- ip_protocol = "icmp"
- self = true
- }
-
- rule {
- from_port = 1
- to_port = 65535
- ip_protocol = "udp"
- cidr = local.cidr_vpc_subnet_nodes
- }
-
- rule {
- from_port = 1
- to_port = 65535
- ip_protocol = "tcp"
- cidr = local.cidr_vpc_subnet_nodes
- }
-
- rule {
- from_port = local.ports_node_range_start
- to_port = local.ports_node_range_end
- ip_protocol = "tcp"
- cidr = "0.0.0.0/0"
- }
-
- rule {
- from_port = local.ports_node_range_start
- to_port = local.ports_node_range_end
- ip_protocol = "udp"
- cidr = "0.0.0.0/0"
- }
-
- dynamic "rule" {
- for_each = flatten([
- local.ports_kubernetes,
- local.ports_bootstrapper,
- local.ports_konnectivity,
- local.ports_verify,
- local.ports_recovery,
- var.debug ? [local.ports_debugd] : [],
- ])
- content {
- from_port = rule.value
- to_port = rule.value
- ip_protocol = "tcp"
- cidr = "0.0.0.0/0"
- }
- }
 }
+resource "openstack_networking_secgroup_rule_v2" "icmp_in" {
+ description = "icmp ingress"
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "icmp"
+ port_range_min = 0
+ port_range_max = 0
+ security_group_id = openstack_networking_secgroup_v2.vpc_secgroup.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "icmp_out" {
+ description = "icmp egress"
+ direction = "egress"
+ ethertype = "IPv4"
+ protocol = "icmp"
+ port_range_min = 0
+ port_range_max = 0
+ security_group_id = openstack_networking_secgroup_v2.vpc_secgroup.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "tcp_out" {
+ description = "tcp egress"
+ direction = "egress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 0
+ port_range_max = 0
+ security_group_id = openstack_networking_secgroup_v2.vpc_secgroup.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "udp_out" {
+ description = "udp egress"
+ direction = "egress"
+ ethertype = "IPv4"
+ protocol = "udp"
+ port_range_min = 0
+ port_range_max = 0
+ security_group_id = openstack_networking_secgroup_v2.vpc_secgroup.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "tcp_between_nodes" {
+ description = "tcp between nodes"
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 0
+ port_range_max = 0
+ remote_ip_prefix = local.cidr_vpc_subnet_nodes
+ security_group_id = openstack_networking_secgroup_v2.vpc_secgroup.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "udp_between_nodes" {
+ description = "udp between nodes"
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "udp"
+ port_range_min = 0
+ port_range_max = 0
+ remote_ip_prefix = local.cidr_vpc_subnet_nodes
+ security_group_id = openstack_networking_secgroup_v2.vpc_secgroup.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "nodeport_tcp" {
+ description = "nodeport tcp"
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = local.ports_node_range_start
+ port_range_max = local.ports_node_range_end
+ security_group_id = openstack_networking_secgroup_v2.vpc_secgroup.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "nodeport_udp" {
+ description = "nodeport udp"
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "udp"
+ port_range_min = local.ports_node_range_start
+ port_range_max = local.ports_node_range_end
+ security_group_id = openstack_networking_secgroup_v2.vpc_secgroup.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "tcp_port_forward" {
+ for_each = toset(flatten([
+ local.ports_kubernetes,
+ local.ports_bootstrapper,
+ local.ports_konnectivity,
+ local.ports_verify,
+ local.ports_recovery,
+ var.debug ? [local.ports_debugd] : [],
+ ]))
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = each.value
+ port_range_max = each.value
+ security_group_id = openstack_networking_secgroup_v2.vpc_secgroup.id
+}
+
+
 module "instance_group" {
 source = "./modules/instance_group"
 for_each = var.node_groups
@@ -170,7 +218,7 @@ module "instance_group" {
 availability_zone = each.value.zone
 image_id = openstack_images_image_v2.image_id.image_id
 flavor_id = each.value.flavor_id
- security_groups = [openstack_compute_secgroup_v2.vpc_secgroup.id]
+ security_groups = [openstack_networking_secgroup_v2.vpc_secgroup.id]
 tags = local.tags
 uid = local.uid
 network_id = openstack_networking_network_v2.vpc_network.id
diff --git a/terraform/infrastructure/openstack/modules/instance_group/main.tf b/terraform/infrastructure/openstack/modules/instance_group/main.tf
index e8a154cdf..60a2ec141 100644
--- a/terraform/infrastructure/openstack/modules/instance_group/main.tf
+++ b/terraform/infrastructure/openstack/modules/instance_group/main.tf
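Review bot: The new `icmp_in` rule accepts ICMP ingress from any IPv4 source, whereas the removed ICMP rule had `self = true` and only matched traffic from members of the same security group; a networking rule with neither `remote_ip_prefix` nor `remote_group_id` matches any remote address. If that widening is not intended, add `remote_group_id = openstack_networking_secgroup_v2.vpc_secgroup.id` to `icmp_in` to keep the previous scope. `nodeport_tcp`, `nodeport_udp` and `tcp_port_forward` rely on the same implicit any-source default where the old rules spelled out `cidr = "0.0.0.0/0"`; writing `remote_ip_prefix = "0.0.0.0/0"` on those rules keeps the exposure visible to anyone auditing the file. Note also that `openstack_networking_secgroup_v2` keeps the provider's default allow-all egress rules unless `delete_default_rules = true` is set, so the explicit `icmp_out`/`tcp_out`/`udp_out` rules do not narrow egress on their own; if they are meant to be the only egress rules, set that attribute, otherwise a comment saying they are informational would avoid a false sense of restriction. `tcp_port_forward` is also the only rule without a `description`, which makes the resulting rules harder to identify in the OpenStack console.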
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 openstack = {
 source = "terraform-provider-openstack/openstack"
- version = "1.52.1"
+ version = "1.54.1"
 }
 }
 }
diff --git a/terraform/infrastructure/openstack/modules/loadbalancer/main.tf b/terraform/infrastructure/openstack/modules/loadbalancer/main.tf
index b28c4fc3d..a10a43d8f 100644
--- a/terraform/infrastructure/openstack/modules/loadbalancer/main.tf
+++ b/terraform/infrastructure/openstack/modules/loadbalancer/main.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 openstack = {
 source = "terraform-provider-openstack/openstack"
- version = "1.52.1"
+ version = "1.54.1"
 }
 }
 }