Provisions a new base security group (#35)

Sean Sundberg · web-flow · commit 239abe1c6fda · 2021-05-12T22:30:40.000-05:00
- Base security group to be used instead of default security group which has outbound "0.0.0.0/0"

Signed-off-by: Sean Sundberg &lt;seansund@us.ibm.com&gt;
diff --git a/.github/scripts/validate-deploy.sh b/.github/scripts/validate-deploy.sh
@@ -33,13 +33,13 @@ if ! ibmcloud is vpc "${VPC_ID}"; then
   exit 1
 fi
 
+SG_NAME="${VPC_NAME}-base"
+
 echo "Testing security group rules"
-ibmcloud is security-groups --output JSON | \
-  jq --arg VPC_NAME "${VPC_NAME}" '.[] | select(.vpc.name == $VPC_NAME) | .rules[]'
-OPEN_RULES=$(ibmcloud is security-groups --output JSON | jq -c --arg VPC_NAME "${VPC_NAME}" '.[] | select(.vpc.name == $VPC_NAME) | .rules[] | select(.remote.cidr == "0.0.0.0/0")')
-if [[ -n "${OPEN_RULES}" ]]; then
-  echo "Rules found with public internet address"
-  echo "${OPEN_RULES}"
+ibmcloud is security-groups --output JSON | jq '.[]'
+OPEN_RULES=$(ibmcloud is security-groups --output JSON | jq -c --arg SG_NAME "${SG_NAME}" '.[] | select(.name == $SG_NAME) | .rules[]')
+if [[ -z "${OPEN_RULES}" ]]; then
+  echo "No rules found for '${SG_NAME}'"
   exit 1
 fi
 
diff --git a/main.tf b/main.tf
@@ -6,7 +6,8 @@ locals {
   prefix_name       = var.name_prefix != "" ? var.name_prefix : var.resource_group_name
   vpc_name          = lower(replace(var.name != "" ? var.name : "${local.prefix_name}-vpc", "_", "-"))
   vpc_id            = data.ibm_is_vpc.vpc.id
-  security_group_id = data.ibm_is_vpc.vpc.default_security_group
+  security_group_count = var.provision ? 2 : 0
+  security_group_ids = var.provision ? [ data.ibm_is_vpc.vpc.default_security_group, data.ibm_is_security_group.base.id ] : []
   acl_id            = data.ibm_is_vpc.vpc.default_network_acl
   crn               = data.ibm_is_vpc.vpc.resource_crn
   ipv4_cidr_provided = var.address_prefix_count > 0 && length(var.address_prefixes) >= var.address_prefix_count
@@ -20,9 +21,9 @@ resource ibm_is_vpc vpc {
   name                        = local.vpc_name
   resource_group              = var.resource_group_id
   address_prefix_management   = local.ipv4_cidr_provided ? "manual" : "auto"
-  default_security_group_name = "${local.vpc_name}-security-group"
-  default_network_acl_name    = "${local.vpc_name}-acl"
-  default_routing_table_name  = "${local.vpc_name}-routing"
+  default_security_group_name = "${local.vpc_name}-default"
+  default_network_acl_name    = "${local.vpc_name}-default"
+  default_routing_table_name  = "${local.vpc_name}-default"
 }
 
 data ibm_is_vpc vpc {
@@ -60,11 +61,33 @@ resource null_resource post_vpc_address_pfx_default {
   }
 }
 
+resource ibm_is_security_group base {
+  count = var.provision ? 1 : 0
+
+  name = "${local.vpc_name}-base"
+  vpc  = data.ibm_is_vpc.vpc.id
+  resource_group = var.resource_group_id
+}
+
+data ibm_is_security_group base {
+  depends_on = [ibm_is_security_group.base]
+
+  name = "${local.vpc_name}-base"
+}
+
+resource null_resource print_sg_name {
+  depends_on = [data.ibm_is_security_group.base]
+
+  provisioner "local-exec" {
+    command = "echo 'SG name: ${data.ibm_is_security_group.base.name}'"
+  }
+}
+
 # from https://cloud.ibm.com/docs/vpc?topic=vpc-service-endpoints-for-vpc
 resource ibm_is_security_group_rule "cse_dns_1" {
-  count = var.provision ? 1 : 0
+  count = local.security_group_count
 
-  group     = local.security_group_id
+  group     = local.security_group_ids[count.index]
   direction = "outbound"
   remote    = "161.26.0.10"
   udp {
@@ -74,9 +97,9 @@ resource ibm_is_security_group_rule "cse_dns_1" {
 }
 
 resource ibm_is_security_group_rule cse_dns_2 {
-  count = var.provision ? 1 : 0
+  count = local.security_group_count
 
-  group     = local.security_group_id
+  group     = local.security_group_ids[count.index]
   direction = "outbound"
   remote    = "161.26.0.11"
   udp {
@@ -86,9 +109,9 @@ resource ibm_is_security_group_rule cse_dns_2 {
 }
 
 resource ibm_is_security_group_rule private_dns_1 {
-  count = var.provision ? 1 : 0
+  count = local.security_group_count
 
-  group     = local.security_group_id
+  group     = local.security_group_ids[count.index]
   direction = "outbound"
   remote    = "161.26.0.7"
   udp {
@@ -98,9 +121,9 @@ resource ibm_is_security_group_rule private_dns_1 {
 }
 
 resource ibm_is_security_group_rule private_dns_2 {
-  count = var.provision ? 1 : 0
+  count = local.security_group_count
 
-  group     = local.security_group_id
+  group     = local.security_group_ids[count.index]
   direction = "outbound"
   remote    = "161.26.0.8"
   udp {
diff --git a/outputs.tf b/outputs.tf
@@ -38,3 +38,8 @@ output "ids" {
   depends_on  = [null_resource.post_vpc_address_pfx_default, ibm_is_vpc.vpc]
   description = "The id of the vpc instance"
 }
+
+output "base_security_group" {
+  value       = data.ibm_is_security_group.base.id
+  description = "The id of the base security group to be shared by other resources. The base group is different from the default security group."
+}

Original file line number	Diff line number	Diff line change
`@@ -38,3 +38,8 @@ output "ids" {`
`38`	`38`	`depends_on = [null_resource.post_vpc_address_pfx_default, ibm_is_vpc.vpc]`
`39`	`39`	`description = "The id of the vpc instance"`
`40`	`40`	`}`
	`41`	`+`
	`42`	`+output "base_security_group" {`
	`43`	`+ value = data.ibm_is_security_group.base.id`
	`44`	`+ description = "The id of the base security group to be shared by other resources. The base group is different from the default security group."`
	`45`	`+}`