From 34c883a703dc5e5882ae1aa95cb3a9a7c14ab672 Mon Sep 17 00:00:00 2001
From: wtripp180901 <will.tripp@btinternet.com>
Date: Mon, 11 Aug 2025 09:05:13 +0100
Subject: [PATCH] Allow specifying secgroups for individual login nodes

---
 environments/site/tofu/login.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/environments/site/tofu/login.tf b/environments/site/tofu/login.tf
index b8abe4ea3..1ab3e6c06 100644
--- a/environments/site/tofu/login.tf
+++ b/environments/site/tofu/login.tf
@@ -40,7 +40,7 @@ module "login" {
   # not using openstack_compute_instance_v2.control.access_ip_v4 to avoid
   # updates to node metadata on deletion/recreation of the control node:
   control_address = openstack_networking_port_v2.control[var.cluster_networks[0].network].all_fixed_ips[0]
-  security_group_ids = [for o in data.openstack_networking_secgroup_v2.login: o.id]
+  security_group_ids = lookup(each.value, "security_group_ids", [for o in data.openstack_networking_secgroup_v2.login: o.id])
   baremetal_nodes = data.external.baremetal_nodes.result
 
   # input dict validation:
@@ -63,5 +63,6 @@ module "login" {
     "ip_addresses",
     "gateway_ip",
     "nodename_template",
+    "security_group_ids"
   ]
 }