fix FSS NSGs

oracle-terraform-modules · Apr 10, 2024 · b9a02e5 · b9a02e5
1 parent 9d22e9b
commit b9a02e5
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 14 deletions.
diff --git a/modules/network/nsg-fss.tf b/modules/network/nsg-fss.tf
@@ -27,18 +27,18 @@ locals {
       protocol = local.udp_protocol, port = local.fss_nfs_port_min, source = local.worker_nsg_id, source_type = local.rule_type_nsg,
     },
     "Allow TCP ingress for NFS from workers" : {
-      protocol = local.tcp_protocol, port_min = local.node_port_min, port_max = local.node_port_max, source = local.worker_nsg_id, source_type = local.rule_type_nsg,
+      protocol = local.tcp_protocol, port_min = local.fss_nfs_port_min, port_max = local.fss_nfs_port_max, source = local.worker_nsg_id, source_type = local.rule_type_nsg,
     },
 
     # Egress
-    "Allow UDP egress for NFS portmapper to workers" : {
-      protocol = local.udp_protocol, port = local.fss_nfs_portmapper_port, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg,
+    "Allow UDP egress for NFS portmapper to the workers" : {
+      protocol = local.udp_protocol, source_port_min = local.fss_nfs_portmapper_port, source_port_max = local.fss_nfs_portmapper_port, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg,
     },
-    "Allow TCP egress for NFS portmapper to workers" : {
-      protocol = local.tcp_protocol, port = local.fss_nfs_portmapper_port, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg,
+    "Allow TCP egress for NFS portmapper to the workers" : {
+      protocol = local.tcp_protocol, source_port_min = local.fss_nfs_portmapper_port, source_port_max = local.fss_nfs_portmapper_port, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg,
     },
-    "Allow TCP egress for NFS to workers" : {
-      protocol = local.tcp_protocol, port_min = local.node_port_min, port_max = local.node_port_max, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg,
+    "Allow TCP egress for NFS to the workers" : {
+      protocol = local.tcp_protocol, source_port_min = local.fss_nfs_port_min, source_port_max = local.fss_nfs_port_max, destination = local.worker_nsg_id, destination_type = local.rule_type_nsg,
     },
   } : {}
 }

diff --git a/modules/network/rules.tf b/modules/network/rules.tf
@@ -59,9 +59,33 @@ resource "oci_core_network_security_group_security_rule" "oke" {
       tonumber(lookup(each.value, "port", 0)) != local.all_ports ? [each.value] : []
     )
     content {
-      destination_port_range {
-        min = tonumber(lookup(tcp_options.value, "port_min", lookup(tcp_options.value, "port", 0)))
-        max = tonumber(lookup(tcp_options.value, "port_max", lookup(tcp_options.value, "port", 0)))
+      dynamic destination_port_range {
+         for_each = ( 
+          (contains(keys(tcp_options.value), "destination_port_min" ) &&
+          contains(keys(tcp_options.value), "destination_port_max" )) || 
+          (contains(keys(tcp_options.value), "source_port_min" ) &&
+          contains(keys(tcp_options.value), "source_port_max" ))
+          ) ? []: [tcp_options.value]
+          content {
+            min = tonumber(lookup(destination_port_range.value, "port_min", lookup(destination_port_range.value, "port", 0)))
+            max = tonumber(lookup(destination_port_range.value, "port_max", lookup(destination_port_range.value, "port", 0)))
+          }
+      }
+      dynamic "destination_port_range" {
+        for_each = (contains(keys(tcp_options.value), "destination_port_min") && 
+          contains(keys(tcp_options.value), "destination_port_max") ) ? [tcp_options.value]: []
+          content {
+            min = tonumber(lookup(destination_port_range.value, "destination_port_min", 0))
+            max = tonumber(lookup(destination_port_range.value, "destination_port_max", 0))
+          }
+      }
+      dynamic "source_port_range" {
+        for_each = (contains(keys(tcp_options.value), "source_port_min") && 
+          contains(keys(tcp_options.value), "source_port_max") ) ? [tcp_options.value]: []
+          content {
+            min = tonumber(lookup(source_port_range.value, "source_port_min", 0))
+            max = tonumber(lookup(source_port_range.value, "source_port_max", 0))
+          }
       }
     }
   }
@@ -71,9 +95,33 @@ resource "oci_core_network_security_group_security_rule" "oke" {
       tonumber(lookup(each.value, "port", 0)) != local.all_ports ? [each.value] : []
     )
     content {
-      destination_port_range {
-        min = tonumber(lookup(udp_options.value, "port_min", lookup(udp_options.value, "port", 0)))
-        max = tonumber(lookup(udp_options.value, "port_max", lookup(udp_options.value, "port", 0)))
+      dynamic "destination_port_range" {
+        for_each = ( 
+          (contains(keys(udp_options.value), "destination_port_min" ) &&
+          contains(keys(udp_options.value), "destination_port_max" )) || 
+          (contains(keys(udp_options.value), "source_port_min" ) &&
+          contains(keys(udp_options.value), "source_port_max" ))
+          ) ? []: [udp_options.value]
+        content {
+          min = tonumber(lookup(destination_port_range.value, "port_min", lookup(destination_port_range.value, "port", 0)))
+          max = tonumber(lookup(destination_port_range.value, "port_max", lookup(destination_port_range.value, "port", 0)))
+        }
+      }
+      dynamic "destination_port_range" {
+        for_each = (contains(keys(udp_options.value), "destination_port_min") && 
+          contains(keys(udp_options.value), "destination_port_max") ) ? [udp_options.value]: []
+          content {
+            min = tonumber(lookup(destination_port_range.value, "destination_port_min", 0))
+            max = tonumber(lookup(destination_port_range.value, "destination_port_max", 0))
+          }
+      }
+      dynamic "source_port_range" {
+        for_each = (contains(keys(udp_options.value), "source_port_min") && 
+          contains(keys(udp_options.value), "source_port_max") ) ? [udp_options.value]: []
+          content {
+            min = tonumber(lookup(source_port_range.value, "source_port_min", 0))
+            max = tonumber(lookup(source_port_range.value, "source_port_max", 0))
+          }
       }
     }
   }
@@ -89,7 +137,10 @@ resource "oci_core_network_security_group_security_rule" "oke" {
   lifecycle {
     precondition {
       condition = tostring(each.value.protocol) == tostring(local.icmp_protocol) || contains(keys(each.value), "port") || (
-        contains(keys(each.value), "port_min") && contains(keys(each.value), "port_max")
+        contains(keys(each.value), "port_min") && contains(keys(each.value), "port_max")) || (
+        contains(keys(each.value), "source_port_min") && contains(keys(each.value), "source_port_max") || (
+        contains(keys(each.value), "destination_port_min") && contains(keys(each.value), "destination_port_max")
+        )
       )
       error_message = "TCP/UDP rule must contain a port or port range: '${each.key}'"
     }
@@ -99,6 +150,8 @@ resource "oci_core_network_security_group_security_rule" "oke" {
         tostring(each.value.protocol) == tostring(local.icmp_protocol)
         || can(tonumber(each.value.port))
         || (can(tonumber(each.value.port_min)) && can(tonumber(each.value.port_max)))
+        || (can(tonumber(each.value.source_port_min)) && can(tonumber(each.value.source_port_max)))
+        || (can(tonumber(each.value.destination_port_min)) && can(tonumber(each.value.destination_port_max)))
       )
 
       error_message = "TCP/UDP ports must be numeric: '${each.key}'"