terraform-ibm-modules
diff --git a/‎README.md‎
Lines changed: 1 addition & 0 deletions b/‎README.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎examples/add_rules_to_sg/README.md‎
Lines changed: 3 additions & 0 deletions b/‎examples/add_rules_to_sg/README.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎examples/add_rules_to_sg/main.tf‎
Lines changed: 142 additions & 0 deletions b/‎examples/add_rules_to_sg/main.tf‎
Lines changed: 142 additions & 0 deletions
diff --git a/‎examples/add_rules_to_sg/outputs.tf‎
Lines changed: 22 additions & 0 deletions b/‎examples/add_rules_to_sg/outputs.tf‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎examples/add_rules_to_sg/provider.tf‎
Lines changed: 10 additions & 0 deletions b/‎examples/add_rules_to_sg/provider.tf‎
Lines changed: 10 additions & 0 deletions
@@ -115,6 +115,7 @@ You need the following permissions to run this module.
 <!-- BEGIN EXAMPLES HOOK -->
 ## Examples
 
+- [ Add Rules to Security Groups Example](examples/add_rules_to_sg)
 - [ Apply Taints Example](examples/apply_taints)
 - [ Existing COS](examples/existing_cos)
 - [ 2 MZR clusters in same VPC](examples/multiple_mzr_clusters)
 
@@ -0,0 +1,3 @@
+# Add Rules to Security Groups Example
+
+This example will add security rules to the `kube-<vpcid>` and `kube-<clusterId>` security groups
@@ -0,0 +1,142 @@
+##############################################################################
+# Provision an OCP cluster with one extra worker pool inside a VPC
+##############################################################################
+
+module "resource_group" {
+  source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-resource-group.git?ref=v1.0.5"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}
+
+###############################################################################
+# VPC
+###############################################################################
+
+module "vpc" {
+  source              = "git::https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc.git?ref=v5.0.1"
+  resource_group_id   = module.resource_group.resource_group_id
+  region              = var.region
+  prefix              = var.prefix
+  tags                = var.resource_tags
+  name                = var.vpc_name
+  address_prefixes    = var.addresses
+  subnets             = var.subnets
+  use_public_gateways = var.public_gateway
+}
+
+
+##############################################################################
+# Security Group Rules addition.
+##############################################################################
+
+# Kube-<vpc id> Security Group
+data "ibm_is_security_group" "kube_vpc_sg" {
+  name = "kube-${module.ocp_base.vpc_id}"
+}
+
+resource "ibm_is_security_group_rule" "kube_vpc_rules" {
+
+  for_each  = { for rule in var.sg_rules_vpc : rule.name => rule }
+  group     = data.ibm_is_security_group.kube_vpc_sg.id
+  direction = each.value.direction
+  remote    = each.value.remote
+
+  dynamic "tcp" {
+    for_each = each.value.tcp == null ? [] : [each.value]
+    content {
+      port_min = each.value.tcp.port_min
+      port_max = each.value.tcp.port_max
+    }
+  }
+
+  dynamic "udp" {
+    for_each = each.value.udp == null ? [] : [each.value]
+    content {
+      port_min = each.value.udp.port_min
+      port_max = each.value.udp.port_max
+    }
+  }
+
+  dynamic "icmp" {
+    for_each = each.value.icmp == null ? [] : [each.value]
+    content {
+      type = lookup(each.value.icmp, "type", null)
+      code = lookup(each.value.icmp, "code", null)
+    }
+  }
+}
+
+# Kube-<cluster id> Security Group
+data "ibm_is_security_group" "kube_cluster_sg" {
+  name = "kube-${module.ocp_base.cluster_id}"
+}
+
+resource "ibm_is_security_group_rule" "kube_cluster_rules" {
+
+  for_each  = { for rule in var.sg_rules_cluster : rule.name => rule }
+  group     = data.ibm_is_security_group.kube_cluster_sg.id
+  direction = each.value.direction
+  remote    = each.value.remote
+
+  dynamic "tcp" {
+    for_each = each.value.tcp == null ? [] : [each.value]
+    content {
+      port_min = each.value.tcp.port_min
+      port_max = each.value.tcp.port_max
+    }
+  }
+
+  dynamic "udp" {
+    for_each = each.value.udp == null ? [] : [each.value]
+    content {
+      port_min = each.value.udp.port_min
+      port_max = each.value.udp.port_max
+    }
+  }
+
+  dynamic "icmp" {
+    for_each = each.value.icmp == null ? [] : [each.value]
+    content {
+      type = lookup(each.value.icmp, "type", null)
+      code = lookup(each.value.icmp, "code", null)
+    }
+  }
+}
+
+##############################################################################
+# Key Protect
+##############################################################################
+
+module "kp_all_inclusive" {
+  source                    = "git::https://github.com/terraform-ibm-modules/terraform-ibm-key-protect-all-inclusive.git?ref=v4.0.0"
+  key_protect_instance_name = "${var.prefix}-kp-instance"
+  resource_group_id         = module.resource_group.resource_group_id
+  region                    = var.region
+  resource_tags             = var.resource_tags
+  key_map                   = { "ocp" = ["${var.prefix}-cluster-key"] }
+}
+
+##############################################################################
+# Base OCP Cluster
+##############################################################################
+
+module "ocp_base" {
+  source               = "../.."
+  cluster_name         = var.prefix
+  ibmcloud_api_key     = var.ibmcloud_api_key
+  resource_group_id    = module.resource_group.resource_group_id
+  region               = var.region
+  force_delete_storage = true
+  vpc_id               = module.vpc.vpc_id
+  vpc_subnets          = module.vpc.subnet_detail_map
+  worker_pools         = var.worker_pools
+  ocp_version          = var.ocp_version
+  tags                 = var.resource_tags
+  kms_config = {
+    instance_id = module.kp_all_inclusive.key_protect_guid
+    crk_id      = module.kp_all_inclusive.keys["ocp.${var.prefix}-cluster-key"].key_id
+  }
+}
+
+##############################################################################
@@ -0,0 +1,22 @@
+##############################################################################
+# Outputs
+##############################################################################
+
+output "cluster_name" {
+  value       = module.ocp_base.cluster_name
+  description = "The name of the provisioned cluster."
+}
+
+
+output "kube_vpc_rule_id" {
+  description = "The kube-vpc-id security group rule ids"
+  value       = join(",", [for rule in data.ibm_is_security_group.kube_vpc_sg.rules : rule.rule_id])
+}
+
+
+output "kube_cluster_rule_id" {
+  description = "The kube-cluster-id security group rule ids"
+  value       = join(",", [for rule in data.ibm_is_security_group.kube_cluster_sg.rules : rule.rule_id])
+}
+
+##############################################################################
@@ -0,0 +1,10 @@
+##############################################################################
+# Terraform providers
+##############################################################################
+
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+  region           = var.region
+}
+
+##############################################################################
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# Add Rules to Security Groups Example`
	`2`	`+`
	`3`	+This example will add security rules to the `kube-<vpcid>` and `kube-<clusterId>` security groups