From aa12167ecfea4c20d3ca5ec8e3fa0ef1a65d33d9 Mon Sep 17 00:00:00 2001
From: bertiethorpe
Date: Tue, 4 Mar 2025 17:50:55 +0000
Subject: [PATCH 1/3] fix security_group_id logic

---
 .../skeleton/{{cookiecutter.environment}}/tofu/control.tf | 2 +-
 .../{{cookiecutter.environment}}/tofu/node_group/nodes.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/environments/skeleton/{{cookiecutter.environment}}/tofu/control.tf b/environments/skeleton/{{cookiecutter.environment}}/tofu/control.tf
index 6e52a3aed..f817a9808 100644
--- a/environments/skeleton/{{cookiecutter.environment}}/tofu/control.tf
+++ b/environments/skeleton/{{cookiecutter.environment}}/tofu/control.tf
@@ -15,7 +15,7 @@ resource "openstack_networking_port_v2" "control" {
 }
 port_security_enabled = lookup(each.value, "port_security_enabled", null)
- security_group_ids = lookup(each.value, "port_security_enabled", null) != false ? [for o in data.openstack_networking_secgroup_v2.nonlogin: o.id] : []
+ security_group_ids = lookup(each.value, "port_security_enabled", true) ? [for o in data.openstack_networking_secgroup_v2.nonlogin: o.id] : []
 binding {
 vnic_type = lookup(var.vnic_types, each.key, "normal")
diff --git a/environments/skeleton/{{cookiecutter.environment}}/tofu/node_group/nodes.tf b/environments/skeleton/{{cookiecutter.environment}}/tofu/node_group/nodes.tf
index 426689bb9..0a41ea71c 100644
--- a/environments/skeleton/{{cookiecutter.environment}}/tofu/node_group/nodes.tf
+++ b/environments/skeleton/{{cookiecutter.environment}}/tofu/node_group/nodes.tf
@@ -46,7 +46,7 @@ resource "openstack_networking_port_v2" "compute" {
 }
 port_security_enabled = lookup(each.value, "port_security_enabled", null)
- security_group_ids = lookup(each.value, "port_security_enabled", null) != false ? var.security_group_ids : []
+ security_group_ids = lookup(each.value, "port_security_enabled", true) ? var.security_group_ids : []
 binding {
 vnic_type = lookup(var.vnic_types, each.value.network, "normal")
From 445752007c93505a15ab5af483bcbd959bc2fe6f Mon Sep 17 00:00:00 2001
From: bertiethorpe
Date: Wed, 5 Mar 2025 12:10:01 +0000
Subject: [PATCH 2/3] toggle secgroups without touching port security

---
 .../skeleton/{{cookiecutter.environment}}/tofu/control.tf | 4 ++--
 .../{{cookiecutter.environment}}/tofu/node_group/nodes.tf | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/environments/skeleton/{{cookiecutter.environment}}/tofu/control.tf b/environments/skeleton/{{cookiecutter.environment}}/tofu/control.tf
index f817a9808..dc1c05b3b 100644
--- a/environments/skeleton/{{cookiecutter.environment}}/tofu/control.tf
+++ b/environments/skeleton/{{cookiecutter.environment}}/tofu/control.tf
@@ -14,8 +14,8 @@ resource "openstack_networking_port_v2" "control" {
 subnet_id = data.openstack_networking_subnet_v2.cluster_subnet[each.key].id
 }
- port_security_enabled = lookup(each.value, "port_security_enabled", null)
- security_group_ids = lookup(each.value, "port_security_enabled", true) ? [for o in data.openstack_networking_secgroup_v2.nonlogin: o.id] : []
+ no_security_groups = lookup(each.value, "no_security_groups", false)
+ security_group_ids = lookup(each.value, "no_security_groups", false) ? [] : [for o in data.openstack_networking_secgroup_v2.nonlogin: o.id]
 binding {
 vnic_type = lookup(var.vnic_types, each.key, "normal")
diff --git a/environments/skeleton/{{cookiecutter.environment}}/tofu/node_group/nodes.tf b/environments/skeleton/{{cookiecutter.environment}}/tofu/node_group/nodes.tf
index 0a41ea71c..f5d3424e6 100644
--- a/environments/skeleton/{{cookiecutter.environment}}/tofu/node_group/nodes.tf
+++ b/environments/skeleton/{{cookiecutter.environment}}/tofu/node_group/nodes.tf
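Review bot: Dropping `port_security_enabled` from the control port while adding `no_security_groups` couples two settings that interact: on the Neutron deployments I am aware of, a port with port security left enabled and an empty security-group list drops all traffic except DHCP, so `no_security_groups: true` on its own is more likely to make the control node unreachable than to open it up, and nothing in the hunk warns about that. I would keep the removed line as an independent knob, `port_security_enabled = lookup(each.value, "port_security_enabled", null)`, or at minimum add `# NOTE: with port security still enabled, a port with no security groups blocks traffic; pair with port_security_enabled = false on the network` above the new `no_security_groups` line. Separately, the provider documents that `no_security_groups = false` with an empty `security_group_ids` lets Neutron attach the project default security group, so if `data.openstack_networking_secgroup_v2.nonlogin` ever resolves to nothing the port silently gets the default group rather than none — worth a comment on the `security_group_ids` line. The resource block continues outside the hunk.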
@@ -44,9 +44,9 @@ resource "openstack_networking_port_v2" "compute" {
 fixed_ip {
 subnet_id = data.openstack_networking_subnet_v2.subnet[each.value.network].id
 }
-
- port_security_enabled = lookup(each.value, "port_security_enabled", null)
- security_group_ids = lookup(each.value, "port_security_enabled", true) ? var.security_group_ids : []
+
+ no_security_groups = lookup(each.value, "no_security_groups", false)
+ security_group_ids = lookup(each.value, "no_security_groups", false) ? [] : var.security_group_ids
 binding {
 vnic_type = lookup(var.vnic_types, each.value.network, "normal")
From d261568f0ee1ab90b66f7b4b706f852b6646e29c Mon Sep 17 00:00:00 2001
From: bertiethorpe
Date: Wed, 5 Mar 2025 14:57:21 +0000
Subject: [PATCH 3/3] document no_security_groups flag

---
 .../skeleton/{{cookiecutter.environment}}/tofu/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/environments/skeleton/{{cookiecutter.environment}}/tofu/variables.tf b/environments/skeleton/{{cookiecutter.environment}}/tofu/variables.tf
index bbcef8734..73c872feb 100644
--- a/environments/skeleton/{{cookiecutter.environment}}/tofu/variables.tf
+++ b/environments/skeleton/{{cookiecutter.environment}}/tofu/variables.tf
@@ -15,7 +15,7 @@ variable "cluster_networks" {
 List of mappings defining networks. Mapping key/values:
 network: Required. Name of existing network
 subnet: Required. Name of existing subnet
- port_security_enabled: Optional. Bool, default null (for networks not owned by project)
+ no_security_groups: Optional. Bool (default: false). Disable security groups
 EOT
 }
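Review bot: The new `security_group_ids` line re-evaluates the same `lookup(each.value, "no_security_groups", false)` that `no_security_groups` computed one line above, so the two attributes can drift if one default is later edited and the other is not, and because `lookup` returns the stored value when the key is present, an explicit `no_security_groups: null` in a node-group mapping would (as far as I can tell) reach the conditional as null and fail the plan instead of falling back to false. Coalescing once on each line closes both gaps: `no_security_groups = coalesce(lookup(each.value, "no_security_groups", null), false)` and `security_group_ids = coalesce(lookup(each.value, "no_security_groups", null), false) ? [] : var.security_group_ids`, or hoist the flag into a local keyed by node group if the module already has one. The `openstack_networking_port_v2.compute` block starts and ends outside the hunk.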
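Review bot: The replacement description line says only "Disable security groups" and does not tell the operator what the port ends up with, nor that the `port_security_enabled` key it replaces is now silently ignored — `lookup` in control.tf and nodes.tf simply never reads it, so an existing environment that still sets `port_security_enabled: false` gets no error and a port with security groups and port security back on. I would expand the line to: `no_security_groups: Optional. Bool (default: false). If true, no security groups are attached to the port; port security itself is left at the Neutron default, which on most deployments blocks traffic to a port with no groups. The former port_security_enabled key is no longer read.` A `validation` block rejecting the stale key would make the migration explicit, but the `variable "cluster_networks"` block continues outside the hunk.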