fix: separated ingress rule for operator when create_operator=false

hyder · hyder · commit 440eb339bca7 · 2023-04-11T14:15:28.000+10:00
Resolves #693 Signed-off-by: Ali Mukadam <ali.mukadam@oracle.com>
diff --git a/modules/network/locals.tf b/modules/network/locals.tf
@@ -1,4 +1,4 @@
-# Copyright 2017, 2021 Oracle Corporation and/or affiliates.
+# Copyright 2017, 2023 Oracle Corporation and/or affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 
 locals {
@@ -145,14 +145,6 @@ locals {
       source_type = "CIDR_BLOCK",
       stateless   = false
     },
-    {
-      description = "Allow operator host access to control plane. Required for kubectl/helm."
-      protocol    = local.tcp_protocol,
-      port        = 6443,
-      source      = local.operator_subnet,
-      source_type = "CIDR_BLOCK",
-      stateless   = false
-    },
   ])
 
   # Network Security Group ingress rules for control plane subnet (Only VCN-Native Pod networking)
diff --git a/modules/network/nsgs.tf b/modules/network/nsgs.tf
@@ -1,4 +1,4 @@
-# Copyright 2017, 2021, Oracle Corporation and/or affiliates.
+# Copyright 2017, 2023, Oracle Corporation and/or affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 
 # control plane nsg and rules
@@ -85,6 +85,28 @@ resource "oci_core_network_security_group_security_rule" "cp_ingress" {
 
 }
 
+# separate the operator rule for users who do not wish to use the operator
+resource "oci_core_network_security_group_security_rule" "cp_ingress_operator" {
+  network_security_group_id = oci_core_network_security_group.cp.id
+  description               = "Allow operator host access to control plane. Required for kubectl/helm."
+  direction                 = "INGRESS"
+  protocol                  = local.tcp_protocol
+  source                    = local.operator_subnet
+  source_type               = "CIDR_BLOCK"
+
+  stateless = false
+
+  tcp_options {
+      destination_port_range {
+        min = 6443
+        max = 6443
+      }
+    }
+
+  count = var.create_operator ? 1: 0
+
+}
+
 resource "oci_core_network_security_group_security_rule" "cp_ingress_additional_cidrs" {
   network_security_group_id = oci_core_network_security_group.cp.id
   description               = "Allow additional CIDR block access to control plane. Required for kubectl/helm."
