support disabling port security (#592)

sjpb · web-flow · commit 30d6ce458368 · 2025-02-25T09:37:29.000Z
diff --git a/environments/skeleton/{{cookiecutter.environment}}/tofu/control.tf b/environments/skeleton/{{cookiecutter.environment}}/tofu/control.tf
@@ -14,7 +14,8 @@ resource "openstack_networking_port_v2" "control" {
     subnet_id = data.openstack_networking_subnet_v2.cluster_subnet[each.key].id
   }
 
-  security_group_ids = [for o in data.openstack_networking_secgroup_v2.nonlogin: o.id]
+  port_security_enabled = lookup(each.value, "port_security_enabled", true)
+  security_group_ids = lookup(each.value, "port_security_enabled", true) ? [for o in data.openstack_networking_secgroup_v2.nonlogin: o.id] : []
 
   binding {
     vnic_type = lookup(var.vnic_types, each.key, "normal")
diff --git a/environments/skeleton/{{cookiecutter.environment}}/tofu/node_group/nodes.tf b/environments/skeleton/{{cookiecutter.environment}}/tofu/node_group/nodes.tf
@@ -45,7 +45,8 @@ resource "openstack_networking_port_v2" "compute" {
     subnet_id = data.openstack_networking_subnet_v2.subnet[each.value.network].id
   }
 
-  security_group_ids = var.security_group_ids
+  port_security_enabled = lookup(each.value, "port_security_enabled", true)
+  security_group_ids = lookup(each.value, "port_security_enabled", true) ? var.security_group_ids : []
 
   binding {
     vnic_type = lookup(var.vnic_types, each.value.network, "normal")
diff --git a/environments/skeleton/{{cookiecutter.environment}}/tofu/variables.tf b/environments/skeleton/{{cookiecutter.environment}}/tofu/variables.tf
@@ -13,8 +13,9 @@ variable "cluster_networks" {
     type = list(map(string))
     description = <<-EOT
         List of mappings defining networks. Mapping key/values:
-            network: Name of existing network
-            subnet: Name of existing subnet
+            network: Required. Name of existing network
+            subnet: Required. Name of existing subnet
+            port_security_enabled: Optional. Bool, default true
     EOT
 }
 

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,8 @@ resource "openstack_networking_port_v2" "control" {`
`14`	`14`	`subnet_id = data.openstack_networking_subnet_v2.cluster_subnet[each.key].id`
`15`	`15`	`}`
`16`	`16`
`17`		`- security_group_ids = [for o in data.openstack_networking_secgroup_v2.nonlogin: o.id]`
	`17`	`+ port_security_enabled = lookup(each.value, "port_security_enabled", true)`
	`18`	`+ security_group_ids = lookup(each.value, "port_security_enabled", true) ? [for o in data.openstack_networking_secgroup_v2.nonlogin: o.id] : []`
`18`	`19`
`19`	`20`	`binding {`
`20`	`21`	`vnic_type = lookup(var.vnic_types, each.key, "normal")`
Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,8 @@ resource "openstack_networking_port_v2" "compute" {`
`45`	`45`	`subnet_id = data.openstack_networking_subnet_v2.subnet[each.value.network].id`
`46`	`46`	`}`
`47`	`47`
`48`		`- security_group_ids = var.security_group_ids`
	`48`	`+ port_security_enabled = lookup(each.value, "port_security_enabled", true)`
	`49`	`+ security_group_ids = lookup(each.value, "port_security_enabled", true) ? var.security_group_ids : []`
`49`	`50`
`50`	`51`	`binding {`
`51`	`52`	`vnic_type = lookup(var.vnic_types, each.value.network, "normal")`