support changing security groups for additional nodes

sjpb · sjpb · commit de861777ed32 · 2025-06-13T14:54:26.000Z
diff --git a/environments/skeleton/{{cookiecutter.environment}}/tofu/additional.tf b/environments/skeleton/{{cookiecutter.environment}}/tofu/additional.tf
@@ -31,6 +31,7 @@ module "additional" {
   match_ironic_node = lookup(each.value, "match_ironic_node", null)
   availability_zone = lookup(each.value, "availability_zone", null)
   ip_addresses = lookup(each.value, "ip_addresses", null)
+  security_group_ids = lookup(each.value, "security_group_ids", [for o in data.openstack_networking_secgroup_v2.nonlogin: o.id])
 
   # can't be set for additional nodes
   compute_init_enable = []
@@ -40,7 +41,6 @@ module "additional" {
   # not using openstack_compute_instance_v2.control.access_ip_v4 to avoid
   # updates to node metadata on deletion/recreation of the control node:
   control_address = openstack_networking_port_v2.control[var.cluster_networks[0].network].all_fixed_ips[0]
-  security_group_ids = [for o in data.openstack_networking_secgroup_v2.nonlogin: o.id]
   baremetal_nodes = data.external.baremetal_nodes.result
 
   # input dict validation:
@@ -63,5 +63,6 @@ module "additional" {
     "ip_addresses",
     "gateway_ip",
     "nodename_template",
+    "security_group_ids",
   ]
 }
diff --git a/environments/skeleton/{{cookiecutter.environment}}/tofu/node_group/variables.tf b/environments/skeleton/{{cookiecutter.environment}}/tofu/node_group/variables.tf
@@ -72,7 +72,8 @@ variable "extra_volumes" {
 }
 
 variable "security_group_ids" {
-    type = list
+    type = list(string)
+    nullable = false
 }
 
 variable "control_address" {
diff --git a/environments/skeleton/{{cookiecutter.environment}}/tofu/variables.tf b/environments/skeleton/{{cookiecutter.environment}}/tofu/variables.tf
@@ -143,7 +143,12 @@ variable "additional_nodegroups" {
         will not run slurmd.
 
         Keys are names of groups.
-        Values are a mapping as for the "login" variable.
+        Values are a mapping as for the "login" variable, with the addition of
+        the optional entry:
+        
+            security_group_ids: List of strings giving IDs of security groups
+                                to apply. If not specified the groups from the
+                                variable nonlogin_security_groups are applied.
 
         Nodes are added to the following inventory groups:
         - $group_name

Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,8 @@ variable "extra_volumes" {`
`72`	`72`	`}`
`73`	`73`
`74`	`74`	`variable "security_group_ids" {`
`75`		`- type = list`
	`75`	`+ type = list(string)`
	`76`	`+ nullable = false`
`76`	`77`	`}`
`77`	`78`
`78`	`79`	`variable "control_address" {`