allow user to add additional rules to the workers NSG

robo-cap · hyder · commit 1c3299972078 · 2024-07-03T10:54:01.000+10:00
diff --git a/examples/network/vars-network.auto.tfvars b/examples/network/vars-network.auto.tfvars
@@ -53,6 +53,12 @@ allow_rules_public_lb = {
   # },
 }
 
+allow_rules_workers = {
+  # "Allow TCP ingress to workers for port 8080 from VCN" : {
+  #   protocol = 6, port = 8080, source = "10.0.0.0/16", source_type = "CIDR_BLOCK",
+  # },
+}
+
 # Dynamic routing gateway (DRG)
 create_drg       = false # true/*false
 drg_display_name = "drg"
diff --git a/module-network.tf b/module-network.tf
@@ -115,6 +115,7 @@ module "network" {
   allow_pod_internet_access    = var.allow_pod_internet_access
   allow_rules_internal_lb      = var.allow_rules_internal_lb
   allow_rules_public_lb        = var.allow_rules_public_lb
+  allow_rules_workers          = var.allow_rules_workers
   allow_worker_internet_access = var.allow_worker_internet_access
   allow_worker_ssh_access      = var.allow_worker_ssh_access
   allow_bastion_cluster_access = var.allow_bastion_cluster_access
diff --git a/modules/network/nsg-workers.tf b/modules/network/nsg-workers.tf
@@ -112,7 +112,9 @@ locals {
       "Allow UDP egress from workers for NFS to FSS mounts" : {
         protocol = local.udp_protocol, port = local.fss_nfs_port_min, destination = local.fss_nsg_id, destination_type = local.rule_type_nsg,
       },
-  } : {}) : {}
+    } : {},
+    var.allow_rules_workers
+    ) : {}
 }
 
 resource "oci_core_network_security_group" "workers" {
diff --git a/modules/network/variables.tf b/modules/network/variables.tf
@@ -16,6 +16,7 @@ variable "allow_node_port_access" { type = bool }
 variable "allow_pod_internet_access" { type = bool }
 variable "allow_rules_internal_lb" { type = any }
 variable "allow_rules_public_lb" { type = any }
+variable "allow_rules_workers" { type = any }
 variable "allow_worker_internet_access" { type = bool }
 variable "allow_worker_ssh_access" { type = bool }
 variable "allow_bastion_cluster_access" { type = bool }
diff --git a/variables-network.tf b/variables-network.tf
@@ -262,6 +262,12 @@ variable "allow_rules_public_lb" {
   type        = any
 }
 
+variable "allow_rules_workers" {
+  default     = {}
+  description = "A map of additional rules to allow traffic for the workers."
+  type        = any
+}
+
 variable "control_plane_allowed_cidrs" {
   default     = []
   description = "The list of CIDR blocks from which the control plane can be accessed."
