Don't create security groups for a bastion host on openstack, if doesn't exist (#4291)
This commit is contained in:
parent
aa162b0d5d
commit
20ebb49568
1 changed files with 20 additions and 15 deletions
|
@ -20,11 +20,12 @@ resource "openstack_networking_secgroup_rule_v2" "k8s_master" {
|
||||||
|
|
||||||
resource "openstack_networking_secgroup_v2" "bastion" {
|
resource "openstack_networking_secgroup_v2" "bastion" {
|
||||||
name = "${var.cluster_name}-bastion"
|
name = "${var.cluster_name}-bastion"
|
||||||
|
count = "${var.number_of_bastions ? 1 : 0}"
|
||||||
description = "${var.cluster_name} - Bastion Server"
|
description = "${var.cluster_name} - Bastion Server"
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "openstack_networking_secgroup_rule_v2" "bastion" {
|
resource "openstack_networking_secgroup_rule_v2" "bastion" {
|
||||||
count = "${length(var.bastion_allowed_remote_ips)}"
|
count = "${var.number_of_bastions ? length(var.bastion_allowed_remote_ips) : 0}"
|
||||||
direction = "ingress"
|
direction = "ingress"
|
||||||
ethertype = "IPv4"
|
ethertype = "IPv4"
|
||||||
protocol = "tcp"
|
protocol = "tcp"
|
||||||
|
@ -101,18 +102,20 @@ resource "openstack_compute_instance_v2" "k8s_master" {
|
||||||
name = "${var.network_name}"
|
name = "${var.network_name}"
|
||||||
}
|
}
|
||||||
|
|
||||||
security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
|
# The join() hack is described here: https://github.com/hashicorp/terraform/issues/11566
|
||||||
"${openstack_networking_secgroup_v2.bastion.name}",
|
# As a workaround for creating "dynamic" lists (when, for example, no bastion host is created)
|
||||||
"${openstack_networking_secgroup_v2.k8s.name}",
|
|
||||||
"default",
|
|
||||||
]
|
|
||||||
|
|
||||||
|
security_groups = ["${compact(list(
|
||||||
|
openstack_networking_secgroup_v2.k8s_master.name,
|
||||||
|
join(" ", openstack_networking_secgroup_v2.bastion.*.id),
|
||||||
|
openstack_networking_secgroup_v2.k8s.name,
|
||||||
|
"default",
|
||||||
|
))}"]
|
||||||
metadata = {
|
metadata = {
|
||||||
ssh_user = "${var.ssh_user}"
|
ssh_user = "${var.ssh_user}"
|
||||||
kubespray_groups = "etcd,kube-master,${var.supplementary_master_groups},k8s-cluster,vault"
|
kubespray_groups = "etcd,kube-master,${var.supplementary_master_groups},k8s-cluster,vault"
|
||||||
depends_on = "${var.network_id}"
|
depends_on = "${var.network_id}"
|
||||||
}
|
}
|
||||||
|
|
||||||
provisioner "local-exec" {
|
provisioner "local-exec" {
|
||||||
command = "sed s/USER/${var.ssh_user}/ contrib/terraform/openstack/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element( concat(var.bastion_fips, var.k8s_master_fips), 0)}/ > contrib/terraform/group_vars/no-floating.yml"
|
command = "sed s/USER/${var.ssh_user}/ contrib/terraform/openstack/ansible_bastion_template.txt | sed s/BASTION_ADDRESS/${element( concat(var.bastion_fips, var.k8s_master_fips), 0)}/ > contrib/terraform/group_vars/no-floating.yml"
|
||||||
}
|
}
|
||||||
|
@ -130,10 +133,11 @@ resource "openstack_compute_instance_v2" "k8s_master_no_etcd" {
|
||||||
name = "${var.network_name}"
|
name = "${var.network_name}"
|
||||||
}
|
}
|
||||||
|
|
||||||
security_groups = ["${openstack_networking_secgroup_v2.k8s_master.name}",
|
security_groups = ["${compact(list(
|
||||||
"${openstack_networking_secgroup_v2.bastion.name}",
|
openstack_networking_secgroup_v2.k8s_master.name,
|
||||||
"${openstack_networking_secgroup_v2.k8s.name}",
|
join(" ", openstack_networking_secgroup_v2.bastion.*.id),
|
||||||
]
|
openstack_networking_secgroup_v2.k8s.name,
|
||||||
|
))}"]
|
||||||
|
|
||||||
metadata = {
|
metadata = {
|
||||||
ssh_user = "${var.ssh_user}"
|
ssh_user = "${var.ssh_user}"
|
||||||
|
@ -226,11 +230,12 @@ resource "openstack_compute_instance_v2" "k8s_node" {
|
||||||
name = "${var.network_name}"
|
name = "${var.network_name}"
|
||||||
}
|
}
|
||||||
|
|
||||||
security_groups = ["${openstack_networking_secgroup_v2.k8s.name}",
|
security_groups = ["${compact(list(
|
||||||
"${openstack_networking_secgroup_v2.bastion.name}",
|
openstack_networking_secgroup_v2.k8s_master.name,
|
||||||
"${openstack_networking_secgroup_v2.worker.name}",
|
join(" ", openstack_networking_secgroup_v2.bastion.*.id),
|
||||||
|
openstack_networking_secgroup_v2.k8s.name,
|
||||||
"default",
|
"default",
|
||||||
]
|
))}"]
|
||||||
|
|
||||||
metadata = {
|
metadata = {
|
||||||
ssh_user = "${var.ssh_user}"
|
ssh_user = "${var.ssh_user}"
|
||||||
|
|
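Review bot: In the k8s_node hunk the rebuilt `security_groups` list substitutes `openstack_networking_secgroup_v2.k8s_master.name` for the old `openstack_networking_secgroup_v2.worker.name` (old side: k8s, bastion, worker, default), so worker instances lose the worker security group's rules and are attached to the master group instead, which widens their exposure beyond what the previous list granted. Unless that swap is intended, the entry should read `openstack_networking_secgroup_v2.worker.name,`. Separately, in all three rewritten lists the bastion element is built from `.id` while every other element is a `.name`; it is worth confirming the provider accepts the mix, and `join(" ", openstack_networking_secgroup_v2.bastion.*.id)` would collapse to one space-separated string if that resource ever had a count above one. Each enclosing `openstack_compute_instance_v2` block starts and ends outside its hunk.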