terraform: switch to STACKIT network

2025-04-20 15:35:55 -04:00 · 2024-11-28 11:55:56 +01:00 · 2024-11-28 11:55:56 +01:00 · d6b39b0666
commit d6b39b0666
parent 224e6e397c
3 changed files with 20 additions and 66 deletions
--- a/terraform/infrastructure/openstack/.terraform.lock.hcl
+++ b/terraform/infrastructure/openstack/.terraform.lock.hcl
@ -29,20 +29,11 @@ provider "registry.terraform.io/stackitcloud/stackit" {
  version     = "0.35.0"
  constraints = "0.35.0"
  hashes = [
-    "h1:Cc+HFJYbY2X9KsgMvLhikdjz/bN671/osUkXFT+H1AI=",
    "h1:GnJ+gbhhJ+ZdH5L5QS4eMi638nafDqxcRsrZQLJPHnU=",
    "h1:V/ayYinMV9pGGLg7OBPeG0XONnSkmDbWDH3deWtTmM0=",
    "h1:Ws8n3pe5/cStjDF6VnRdax9ledzUja2nUNPYTEzdEAs=",
    "h1:XwLQ50fsxJ5MGUlJEs7dWIdErbrGgEExSqj22BHwykM=",
-    "h1:ZIays0MW9HD++OUktDQlrBhADXsseUhXI9LNXiV7R0I=",
-    "h1:a544QqVZaDj2QjSddFynSKjdlbw+cXw+wImF4XbKPW4=",
-    "h1:kQ7j2jRkEai4Id5BRXnky2ZcytrLP8JMrkVL0vsZJnE=",
-    "h1:s1s8GBkKD0buf48bKMcj0bQG3cR5Xfyt1MMRik46sTs=",
-    "h1:srQRAu7VfVWcKaeypDJg4Bvo2AxzZO/cwefxIt+Uduw=",
    "h1:tKEqWCG0wcOiYHaWgsqAqF4LOKHU5lahM4t9zpMsBR8=",
-    "h1:ulAmt5tk9bBD0HjN4c8Cy4Aai7gEbbo6K38Duly7jyE=",
-    "h1:wPPCGyWv6rjaZ7dcMXNsAK6x+AjVlWClHVC1ctt4lLY=",
-    "h1:zJozfYwxty/4meQ65hh6fHMqeT2LA7xTvOX3yGB2HPs=",
    "zh:0c5ff45f9d8785cf39189908c70ce989423b823f468d5664794aa1352838560f",
    "zh:0dde99e7b343fa01f8eefc378171fb8621bedb20f59157d6cc8e3d46c738105f",
    "zh:51c0fee775b63d96a6a95e4022960628d8b5257b744deb8705fc90d8763ebf42",
--- a/terraform/infrastructure/openstack/main.tf
+++ b/terraform/infrastructure/openstack/main.tf
@ -44,8 +44,6 @@ locals {
    { name = "join", port = "30090", health_check = "TCP" },
    var.debug ? [{ name = "debugd", port = "4000", health_check = "TCP" }] : [],
  ])
-  cidr_vpc_subnet_nodes = "192.168.178.0/24"
-  cidr_vpc_subnet_lbs   = "192.168.177.0/24"
  tags                  = concat(["constellation-uid-${local.uid}"], var.additional_tags)
  identity_service = [
    for entry in data.openstack_identity_auth_scope_v3.scope.service_catalog :
@ -82,51 +80,14 @@ data "openstack_networking_network_v2" "floating_ip_pool" {
  network_id = var.floating_ip_pool_id
 }

-resource "openstack_networking_network_v2" "vpc_network" {
-  name        = local.name
-  description = "Constellation VPC network"
-  tags        = local.tags
+resource "stackit_network" "vpc_network" {
+  name             = local.name
+  ipv4_nameservers = ["1.1.1.1"]
+  project_id       = var.stackit_project_id
 }

-resource "openstack_networking_subnet_v2" "vpc_subnetwork" {
-  name        = local.name
-  description = "Constellation VPC subnetwork"
-  network_id  = openstack_networking_network_v2.vpc_network.id
-  cidr        = local.cidr_vpc_subnet_nodes
-  dns_nameservers = [
-    "1.1.1.1",
-    "8.8.8.8",
-    "9.9.9.9",
-  ]
-  tags = local.tags
-}
-
-resource "openstack_networking_subnet_v2" "lb_subnetwork" {
-  name        = "${var.name}-${local.uid}-lb"
-  description = "Constellation LB subnetwork"
-  network_id  = openstack_networking_network_v2.vpc_network.id
-  cidr        = local.cidr_vpc_subnet_lbs
-  dns_nameservers = [
-    "1.1.1.1",
-    "8.8.8.8",
-    "9.9.9.9",
-  ]
-  tags = local.tags
-}
-
-resource "openstack_networking_router_v2" "vpc_router" {
-  name                = local.name
-  external_network_id = data.openstack_networking_network_v2.floating_ip_pool.network_id
-}
-
-resource "openstack_networking_router_interface_v2" "vpc_router_interface" {
-  router_id = openstack_networking_router_v2.vpc_router.id
-  subnet_id = openstack_networking_subnet_v2.vpc_subnetwork.id
-}
-
-resource "openstack_networking_router_interface_v2" "lbs_router_interface_lbs" {
-  router_id = openstack_networking_router_v2.vpc_router.id
-  subnet_id = openstack_networking_subnet_v2.lb_subnetwork.id
+data "openstack_networking_subnet_v2" "subnet1" {
+  network_id = stackit_network.vpc_network.network_id
 }

 resource "openstack_networking_secgroup_v2" "vpc_secgroup" {
@ -181,7 +142,10 @@ resource "openstack_networking_secgroup_rule_v2" "tcp_between_nodes" {
  protocol          = "tcp"
  port_range_min    = 0
  port_range_max    = 0
-  remote_ip_prefix  = local.cidr_vpc_subnet_nodes
+  # It seems that the STACKIT network does not expose
+  # the CIDRs (or the subnets, even). So we need to resort to an
+  # allow-all rule for now.
+  remote_ip_prefix  = "0.0.0.0/0"
  security_group_id = openstack_networking_secgroup_v2.vpc_secgroup.id
 }

@ -192,7 +156,10 @@ resource "openstack_networking_secgroup_rule_v2" "udp_between_nodes" {
  protocol          = "udp"
  port_range_min    = 0
  port_range_max    = 0
-  remote_ip_prefix  = local.cidr_vpc_subnet_nodes
+  # It seems that the STACKIT network does not expose
+  # the CIDRs (or the subnets, even). So we need to resort to an
+  # allow-all rule for now.
+  remote_ip_prefix  = "0.0.0.0/0"
  security_group_id = openstack_networking_secgroup_v2.vpc_secgroup.id
 }

@ -242,8 +209,8 @@ module "instance_group" {
  security_groups                  = [openstack_networking_secgroup_v2.vpc_secgroup.id]
  tags                             = local.tags
  uid                              = local.uid
-  network_id                       = openstack_networking_network_v2.vpc_network.id
-  subnet_id                        = openstack_networking_subnet_v2.vpc_subnetwork.id
+  network_id                       = stackit_network.vpc_network.network_id
+  subnet_id                        = data.openstack_networking_subnet_v2.subnet1.id
  init_secret_hash                 = local.init_secret_hash
  identity_internal_url            = local.identity_internal_url
  openstack_username               = local.cloudyaml["auth"]["username"]
@ -263,10 +230,6 @@ resource "openstack_networking_floatingip_associate_v2" "public_ip_associate" {
  count       = var.cloud == "stackit" ? 0 : 1
  floating_ip = openstack_networking_floatingip_v2.public_ip.address
  port_id     = module.instance_group["control_plane_default"].port_ids.0
-  depends_on = [
-    openstack_networking_router_v2.vpc_router,
-    openstack_networking_router_interface_v2.vpc_router_interface,
-  ]
 }

 module "stackit_loadbalancer" {
@ -275,7 +238,7 @@ module "stackit_loadbalancer" {
  name               = local.name
  stackit_project_id = var.stackit_project_id
  member_ips         = module.instance_group["control_plane_default"].ips
-  network_id         = openstack_networking_network_v2.vpc_network.id
+  network_id         = stackit_network.vpc_network.network_id
  external_address   = openstack_networking_floatingip_v2.public_ip.address
  ports = {
    for port in local.control_plane_named_ports : port.name => port.port
--- a/terraform/infrastructure/openstack/outputs.tf
+++ b/terraform/infrastructure/openstack/outputs.tf
@ -32,18 +32,18 @@ output "name" {
 }

 output "ip_cidr_node" {
-  value       = local.cidr_vpc_subnet_nodes
+  value       = stackit_network.vpc_network.prefixes[0]
  description = "CIDR block of the node network."
 }

 # OpenStack-specific outputs

 output "network_id" {
-  value       = openstack_networking_network_v2.vpc_network.id
+  value       = stackit_network.vpc_network.network_id
  description = "The OpenStack network id the cluster is deployed in."
 }

 output "lb_subnetwork_id" {
-  value       = openstack_networking_subnet_v2.lb_subnetwork.id
+  value       = data.openstack_networking_subnet_v2.subnet1.id
  description = "The OpenStack subnetwork id lbs are deployed in."
 }