OCPBUGS-11796: azure: skip NSG creation when BYO vnet

r4f4 · r4f4 · commit f03a0afc72dc · 2023-04-14T10:44:01.000+02:00
In an install where users bring their networks they also bring their own
NSGs. However, the installer still creates NSG. In Azure environments
using the rule [1] below, users are prohibited from installing cluster,
as the apiserver_in rule has the rule set as 0.0.0.0. Having a rule in
place where the users could define this before install would allow them
to set this connectivity without having the inbound access.

[1] - Rule: Network Security Groups shall not allow rule with 0.0.0.0/Any Source/Destination IP Addresses - Custom Deny
diff --git a/data/data/azure/vnet/nsg.tf b/data/data/azure/vnet/nsg.tf
@@ -20,6 +20,7 @@ resource "azurerm_subnet_network_security_group_association" "worker" {
 }
 
 resource "azurerm_network_security_rule" "apiserver_in" {
+  count                       = var.azure_preexisting_network ? 0 : 1
   name                        = "apiserver_in"
   priority                    = 101
   direction                   = "Inbound"

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@ resource "azurerm_subnet_network_security_group_association" "worker" {`
`20`	`20`	`}`
`21`	`21`
`22`	`22`	`resource "azurerm_network_security_rule" "apiserver_in" {`
	`23`	`+ count = var.azure_preexisting_network ? 0 : 1`
`23`	`24`	`name = "apiserver_in"`
`24`	`25`	`priority = 101`
`25`	`26`	`direction = "Inbound"`