fix: added rule for internal lb. (#504)

hyder · web-flow · commit 92265babe2f6 · 2022-04-27T08:49:16.000+10:00
diff --git a/modules/network/locals.tf b/modules/network/locals.tf
@@ -247,28 +247,28 @@ locals {
   ]
 
   # Combine supplied allow list and the public load balancer subnet
-  internal_lb_allowed_cidrs = concat(var.internal_lb_allowed_cidrs, tolist([local.pub_lb_subnet]))
+  internal_lb_allowed_cidrs = var.load_balancers == "both"? concat(var.internal_lb_allowed_cidrs, tolist([local.pub_lb_subnet])) : var.internal_lb_allowed_cidrs
 
   # Create a Cartesian product of allowed cidrs and ports
   internal_lb_allowed_cidrs_and_ports = setproduct(local.internal_lb_allowed_cidrs, var.internal_lb_allowed_ports)
 
   pub_lb_egress = [
-    {
-      description      = "Allow stateful egress to internal load balancers subnet on port 80",
-      destination      = local.int_lb_subnet,
-      destination_type = "CIDR_BLOCK",
-      protocol         = local.tcp_protocol,
-      port             = 80
-      stateless        = false
-    },
-    {
-      description      = "Allow stateful egress to internal load balancers subnet on port 443",
-      destination      = local.int_lb_subnet,
-      destination_type = "CIDR_BLOCK",
-      protocol         = local.tcp_protocol,
-      port             = 443
-      stateless        = false
-    },
+    # {
+    #   description      = "Allow stateful egress to internal load balancers subnet on port 80",
+    #   destination      = local.int_lb_subnet,
+    #   destination_type = "CIDR_BLOCK",
+    #   protocol         = local.tcp_protocol,
+    #   port             = 80
+    #   stateless        = false
+    # },
+    # {
+    #   description      = "Allow stateful egress to internal load balancers subnet on port 443",
+    #   destination      = local.int_lb_subnet,
+    #   destination_type = "CIDR_BLOCK",
+    #   protocol         = local.tcp_protocol,
+    #   port             = 443
+    #   stateless        = false
+    # },
     {
       description      = "Allow stateful egress to workers. Required for NodePorts",
       destination      = local.workers_subnet,
diff --git a/modules/network/nsgs.tf b/modules/network/nsgs.tf
@@ -38,9 +38,6 @@ resource "oci_core_network_security_group_security_rule" "cp_egress" {
 
   count = length(local.cp_egress)
 
-  lifecycle {
-    ignore_changes = [destination, destination_type, direction, protocol, tcp_options]
-  }
 }
 
 resource "oci_core_network_security_group_security_rule" "cp_ingress" {
@@ -73,9 +70,6 @@ resource "oci_core_network_security_group_security_rule" "cp_ingress" {
 
   count = length(local.cp_ingress)
 
-  lifecycle {
-    ignore_changes = [source, source_type, direction, protocol, tcp_options]
-  }
 }
 
 resource "oci_core_network_security_group_security_rule" "cp_ingress_additional_cidrs" {
@@ -102,9 +96,6 @@ resource "oci_core_network_security_group_security_rule" "cp_ingress_additional_
 
   count = length(var.control_plane_allowed_cidrs)
 
-  lifecycle {
-    ignore_changes = [source, source_type, direction, protocol, tcp_options]
-  }
 }
 
 # workers nsg and rules
@@ -144,9 +135,6 @@ resource "oci_core_network_security_group_security_rule" "workers_egress" {
 
   count = length(local.workers_egress)
 
-  lifecycle {
-    ignore_changes = [destination, destination_type, direction, protocol, tcp_options]
-  }
 }
 
 # add this rule separately so it can be controlled independently
@@ -162,9 +150,6 @@ resource "oci_core_network_security_group_security_rule" "workers_egress_interne
 
   count = var.allow_worker_internet_access == true ? 1 : 0
 
-  lifecycle {
-    ignore_changes = [destination, destination_type, direction, protocol, tcp_options]
-  }
 }
 
 resource "oci_core_network_security_group_security_rule" "workers_ingress" {
@@ -197,9 +182,6 @@ resource "oci_core_network_security_group_security_rule" "workers_ingress" {
 
   count = length(local.workers_ingress)
 
-  lifecycle {
-    ignore_changes = [source, source_type, direction, protocol, tcp_options]
-  }
 }
 
 # add the next 4 rules separately so it can be controlled independently based on which lbs are created
@@ -222,9 +204,6 @@ resource "oci_core_network_security_group_security_rule" "workers_ingress_from_i
 
   count = var.load_balancers == "internal" || var.load_balancers == "both" ? 1 : 0
 
-  lifecycle {
-    ignore_changes = [source, source_type, direction, protocol, tcp_options]
-  }
 }
 
 resource "oci_core_network_security_group_security_rule" "workers_healthcheck_ingress_from_int_lb" {
@@ -246,9 +225,6 @@ resource "oci_core_network_security_group_security_rule" "workers_healthcheck_in
 
   count = var.load_balancers == "internal" || var.load_balancers == "both" ? 1 : 0
 
-  lifecycle {
-    ignore_changes = [source, source_type, direction, protocol, tcp_options]
-  }
 }
 
 resource "oci_core_network_security_group_security_rule" "workers_ingress_from_pub_lb" {
@@ -270,9 +246,6 @@ resource "oci_core_network_security_group_security_rule" "workers_ingress_from_p
 
   count = var.load_balancers == "public" || var.load_balancers == "both" ? 1 : 0
 
-  lifecycle {
-    ignore_changes = [source, source_type, direction, protocol, tcp_options]
-  }
 }
 
 resource "oci_core_network_security_group_security_rule" "workers_healthcheck_ingress_from_pub_lb" {
@@ -294,9 +267,6 @@ resource "oci_core_network_security_group_security_rule" "workers_healthcheck_in
 
   count = var.load_balancers == "public" || var.load_balancers == "both" ? 1 : 0
 
-  lifecycle {
-    ignore_changes = [source, source_type, direction, protocol, tcp_options]
-  }
 }
 
 resource "oci_core_network_security_group_security_rule" "workers_ssh_ingress_from_bastion" {
@@ -357,38 +327,50 @@ resource "oci_core_network_security_group_security_rule" "int_lb_egress" {
     }
   }
 
-  lifecycle {
-    ignore_changes = [destination, destination_type, direction, protocol, tcp_options]
-  }
-
   count = var.load_balancers == "internal" || var.load_balancers == "both" ? length(local.int_lb_egress) : 0
 }
 
-# add this rule separately so it can be controlled independently
-resource "oci_core_network_security_group_security_rule" "int_lb_healthcheck_ingress_from_pub_lb" {
+resource "oci_core_network_security_group_security_rule" "int_lb_ingress" {
   network_security_group_id = oci_core_network_security_group.int_lb[0].id
-  description               = "Allow healthchecks from public load balancers"
+  description               = "Allow stateful ingress from ${element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 0)} on port ${element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 1)}"
   direction                 = "INGRESS"
   protocol                  = local.tcp_protocol
-  source                    = local.pub_lb_subnet
+  source                    = element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 0)
   source_type               = "CIDR_BLOCK"
 
   stateless = false
 
   tcp_options {
     destination_port_range {
-      min = length(regexall("-", element(var.internal_lb_allowed_ports, count.index))) > 0 ? tonumber(element(split("-", element(var.internal_lb_allowed_ports, count.index)), 0)) : element(var.internal_lb_allowed_ports, count.index)
-      max = length(regexall("-", element(var.internal_lb_allowed_ports, count.index))) > 0 ? tonumber(element(split("-", element(var.internal_lb_allowed_ports, count.index)), 1)) : element(var.internal_lb_allowed_ports, count.index)
+      min = length(regexall("-", element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 1))) > 0 ? element(split("-", element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 1)), 0) : element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 1)
+      max = length(regexall("-", element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 1))) > 0 ? element(split("-", element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 1)), 1) : element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 1)
     }
   }
 
-  lifecycle {
-    ignore_changes = [source, source_type, direction, protocol, tcp_options, icmp_options]
-  }
-
-  count = var.load_balancers == "both" ? length(var.internal_lb_allowed_ports) : 0
+  count = var.load_balancers == "internal" || var.load_balancers == "both" ? length(local.internal_lb_allowed_cidrs_and_ports) : 0
 }
 
+# add this rule separately so it can be controlled independently
+# resource "oci_core_network_security_group_security_rule" "int_lb_healthcheck_ingress_from_pub_lb" {
+#   network_security_group_id = oci_core_network_security_group.int_lb[0].id
+#   description               = "Allow healthchecks from public load balancers"
+#   direction                 = "INGRESS"
+#   protocol                  = local.tcp_protocol
+#   source                    = local.pub_lb_subnet
+#   source_type               = "CIDR_BLOCK"
+
+#   stateless = false
+
+#   tcp_options {
+#     destination_port_range {
+#       min = length(regexall("-", element(var.internal_lb_allowed_ports, count.index))) > 0 ? tonumber(element(split("-", element(var.internal_lb_allowed_ports, count.index)), 0)) : element(var.internal_lb_allowed_ports, count.index)
+#       max = length(regexall("-", element(var.internal_lb_allowed_ports, count.index))) > 0 ? tonumber(element(split("-", element(var.internal_lb_allowed_ports, count.index)), 1)) : element(var.internal_lb_allowed_ports, count.index)
+#     }
+#   }
+
+#   count = var.load_balancers == "both" ? length(var.internal_lb_allowed_ports) : 0
+# }
+
 # public lb nsg and rules
 resource "oci_core_network_security_group" "pub_lb" {
   compartment_id = var.compartment_id
@@ -426,10 +408,6 @@ resource "oci_core_network_security_group_security_rule" "pub_lb_egress" {
     }
   }
 
-  lifecycle {
-    ignore_changes = [destination, destination_type, direction, protocol, tcp_options]
-  }
-
   count = var.load_balancers == "public" || var.load_balancers == "both" ? length(local.pub_lb_egress) : 0
 }
 
@@ -450,10 +428,6 @@ resource "oci_core_network_security_group_security_rule" "pub_lb_egress_health_c
     }
   }
 
-  lifecycle {
-    ignore_changes = [destination, destination_type, direction, protocol, tcp_options]
-  }
-
   count = var.load_balancers == "public" || var.load_balancers == "both" ? 1 : 0
 }
 
@@ -474,10 +448,6 @@ resource "oci_core_network_security_group_security_rule" "pub_lb_egress_health_c
     }
   }
 
-  lifecycle {
-    ignore_changes = [destination, destination_type, direction, protocol, tcp_options]
-  }
-
   count = var.load_balancers == "both" ? length(var.internal_lb_allowed_ports) : 0
 }
 
@@ -498,10 +468,6 @@ resource "oci_core_network_security_group_security_rule" "pub_lb_ingress" {
     }
   }
 
-  lifecycle {
-    ignore_changes = [source, source_type, direction, protocol, tcp_options, icmp_options]
-  }
-
   count = var.load_balancers == "public" || var.load_balancers == "both" ? length(local.public_lb_allowed_cidrs_and_ports) : 0
 }
 
@@ -532,9 +498,6 @@ resource "oci_core_network_security_group_security_rule" "waf_ingress" {
     }
   }
 
-  lifecycle {
-    ignore_changes = [source, source_type, direction, protocol, tcp_options, icmp_options]
-  }
 }
 
 ## fss : instance network security group rules

Original file line number	Diff line number	Diff line change
`@@ -38,9 +38,6 @@ resource "oci_core_network_security_group_security_rule" "cp_egress" {`
`38`	`38`
`39`	`39`	`count = length(local.cp_egress)`
`40`	`40`
`41`		`- lifecycle {`
`42`		`- ignore_changes = [destination, destination_type, direction, protocol, tcp_options]`
`43`		`- }`
`44`	`41`	`}`
`45`	`42`
`46`	`43`	`resource "oci_core_network_security_group_security_rule" "cp_ingress" {`
`@@ -73,9 +70,6 @@ resource "oci_core_network_security_group_security_rule" "cp_ingress" {`
`73`	`70`
`74`	`71`	`count = length(local.cp_ingress)`
`75`	`72`
`76`		`- lifecycle {`
`77`		`- ignore_changes = [source, source_type, direction, protocol, tcp_options]`
`78`		`- }`
`79`	`73`	`}`
`80`	`74`
`81`	`75`	`resource "oci_core_network_security_group_security_rule" "cp_ingress_additional_cidrs" {`
`@@ -102,9 +96,6 @@ resource "oci_core_network_security_group_security_rule" "cp_ingress_additional_`
`102`	`96`
`103`	`97`	`count = length(var.control_plane_allowed_cidrs)`
`104`	`98`
`105`		`- lifecycle {`
`106`		`- ignore_changes = [source, source_type, direction, protocol, tcp_options]`
`107`		`- }`
`108`	`99`	`}`
`109`	`100`
`110`	`101`	`# workers nsg and rules`
`@@ -144,9 +135,6 @@ resource "oci_core_network_security_group_security_rule" "workers_egress" {`
`144`	`135`
`145`	`136`	`count = length(local.workers_egress)`
`146`	`137`
`147`		`- lifecycle {`
`148`		`- ignore_changes = [destination, destination_type, direction, protocol, tcp_options]`
`149`		`- }`
`150`	`138`	`}`
`151`	`139`
`152`	`140`	`# add this rule separately so it can be controlled independently`
`@@ -162,9 +150,6 @@ resource "oci_core_network_security_group_security_rule" "workers_egress_interne`
`162`	`150`
`163`	`151`	`count = var.allow_worker_internet_access == true ? 1 : 0`
`164`	`152`
`165`		`- lifecycle {`
`166`		`- ignore_changes = [destination, destination_type, direction, protocol, tcp_options]`
`167`		`- }`
`168`	`153`	`}`
`169`	`154`
`170`	`155`	`resource "oci_core_network_security_group_security_rule" "workers_ingress" {`
`@@ -197,9 +182,6 @@ resource "oci_core_network_security_group_security_rule" "workers_ingress" {`
`197`	`182`
`198`	`183`	`count = length(local.workers_ingress)`
`199`	`184`
`200`		`- lifecycle {`
`201`		`- ignore_changes = [source, source_type, direction, protocol, tcp_options]`
`202`		`- }`
`203`	`185`	`}`
`204`	`186`
`205`	`187`	`# add the next 4 rules separately so it can be controlled independently based on which lbs are created`
`@@ -222,9 +204,6 @@ resource "oci_core_network_security_group_security_rule" "workers_ingress_from_i`
`222`	`204`
`223`	`205`	`count = var.load_balancers == "internal" \|\| var.load_balancers == "both" ? 1 : 0`
`224`	`206`
`225`		`- lifecycle {`
`226`		`- ignore_changes = [source, source_type, direction, protocol, tcp_options]`
`227`		`- }`
`228`	`207`	`}`
`229`	`208`
`230`	`209`	`resource "oci_core_network_security_group_security_rule" "workers_healthcheck_ingress_from_int_lb" {`
`@@ -246,9 +225,6 @@ resource "oci_core_network_security_group_security_rule" "workers_healthcheck_in`
`246`	`225`
`247`	`226`	`count = var.load_balancers == "internal" \|\| var.load_balancers == "both" ? 1 : 0`
`248`	`227`
`249`		`- lifecycle {`
`250`		`- ignore_changes = [source, source_type, direction, protocol, tcp_options]`
`251`		`- }`
`252`	`228`	`}`
`253`	`229`
`254`	`230`	`resource "oci_core_network_security_group_security_rule" "workers_ingress_from_pub_lb" {`
`@@ -270,9 +246,6 @@ resource "oci_core_network_security_group_security_rule" "workers_ingress_from_p`
`270`	`246`
`271`	`247`	`count = var.load_balancers == "public" \|\| var.load_balancers == "both" ? 1 : 0`
`272`	`248`
`273`		`- lifecycle {`
`274`		`- ignore_changes = [source, source_type, direction, protocol, tcp_options]`
`275`		`- }`
`276`	`249`	`}`
`277`	`250`
`278`	`251`	`resource "oci_core_network_security_group_security_rule" "workers_healthcheck_ingress_from_pub_lb" {`
`@@ -294,9 +267,6 @@ resource "oci_core_network_security_group_security_rule" "workers_healthcheck_in`
`294`	`267`
`295`	`268`	`count = var.load_balancers == "public" \|\| var.load_balancers == "both" ? 1 : 0`
`296`	`269`
`297`		`- lifecycle {`
`298`		`- ignore_changes = [source, source_type, direction, protocol, tcp_options]`
`299`		`- }`
`300`	`270`	`}`
`301`	`271`
`302`	`272`	`resource "oci_core_network_security_group_security_rule" "workers_ssh_ingress_from_bastion" {`
`@@ -357,38 +327,50 @@ resource "oci_core_network_security_group_security_rule" "int_lb_egress" {`
`357`	`327`	`}`
`358`	`328`	`}`
`359`	`329`
`360`		`- lifecycle {`
`361`		`- ignore_changes = [destination, destination_type, direction, protocol, tcp_options]`
`362`		`- }`
`363`		`-`
`364`	`330`	`count = var.load_balancers == "internal" \|\| var.load_balancers == "both" ? length(local.int_lb_egress) : 0`
`365`	`331`	`}`
`366`	`332`
`367`		`-# add this rule separately so it can be controlled independently`
`368`		`-resource "oci_core_network_security_group_security_rule" "int_lb_healthcheck_ingress_from_pub_lb" {`
	`333`	`+resource "oci_core_network_security_group_security_rule" "int_lb_ingress" {`
`369`	`334`	`network_security_group_id = oci_core_network_security_group.int_lb[0].id`
`370`		`- description = "Allow healthchecks from public load balancers"`
	`335`	`+ description = "Allow stateful ingress from ${element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 0)} on port ${element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 1)}"`
`371`	`336`	`direction = "INGRESS"`
`372`	`337`	`protocol = local.tcp_protocol`
`373`		`- source = local.pub_lb_subnet`
	`338`	`+ source = element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 0)`
`374`	`339`	`source_type = "CIDR_BLOCK"`
`375`	`340`
`376`	`341`	`stateless = false`
`377`	`342`
`378`	`343`	`tcp_options {`
`379`	`344`	`destination_port_range {`
`380`		`- min = length(regexall("-", element(var.internal_lb_allowed_ports, count.index))) > 0 ? tonumber(element(split("-", element(var.internal_lb_allowed_ports, count.index)), 0)) : element(var.internal_lb_allowed_ports, count.index)`
`381`		`- max = length(regexall("-", element(var.internal_lb_allowed_ports, count.index))) > 0 ? tonumber(element(split("-", element(var.internal_lb_allowed_ports, count.index)), 1)) : element(var.internal_lb_allowed_ports, count.index)`
	`345`	`+ min = length(regexall("-", element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 1))) > 0 ? element(split("-", element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 1)), 0) : element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 1)`
	`346`	`+ max = length(regexall("-", element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 1))) > 0 ? element(split("-", element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 1)), 1) : element(element(local.internal_lb_allowed_cidrs_and_ports, count.index), 1)`
`382`	`347`	`}`
`383`	`348`	`}`
`384`	`349`
`385`		`- lifecycle {`
`386`		`- ignore_changes = [source, source_type, direction, protocol, tcp_options, icmp_options]`
`387`		`- }`
`388`		`-`
`389`		`- count = var.load_balancers == "both" ? length(var.internal_lb_allowed_ports) : 0`
	`350`	`+ count = var.load_balancers == "internal" \|\| var.load_balancers == "both" ? length(local.internal_lb_allowed_cidrs_and_ports) : 0`
`390`	`351`	`}`
`391`	`352`
	`353`	`+# add this rule separately so it can be controlled independently`
	`354`	`+# resource "oci_core_network_security_group_security_rule" "int_lb_healthcheck_ingress_from_pub_lb" {`
	`355`	`+# network_security_group_id = oci_core_network_security_group.int_lb[0].id`
	`356`	`+# description = "Allow healthchecks from public load balancers"`
	`357`	`+# direction = "INGRESS"`
	`358`	`+# protocol = local.tcp_protocol`
	`359`	`+# source = local.pub_lb_subnet`
	`360`	`+# source_type = "CIDR_BLOCK"`
	`361`	`+`
	`362`	`+# stateless = false`
	`363`	`+`
	`364`	`+# tcp_options {`
	`365`	`+# destination_port_range {`
	`366`	`+# min = length(regexall("-", element(var.internal_lb_allowed_ports, count.index))) > 0 ? tonumber(element(split("-", element(var.internal_lb_allowed_ports, count.index)), 0)) : element(var.internal_lb_allowed_ports, count.index)`
	`367`	`+# max = length(regexall("-", element(var.internal_lb_allowed_ports, count.index))) > 0 ? tonumber(element(split("-", element(var.internal_lb_allowed_ports, count.index)), 1)) : element(var.internal_lb_allowed_ports, count.index)`
	`368`	`+# }`
	`369`	`+# }`
	`370`	`+`
	`371`	`+# count = var.load_balancers == "both" ? length(var.internal_lb_allowed_ports) : 0`
	`372`	`+# }`
	`373`	`+`
`392`	`374`	`# public lb nsg and rules`
`393`	`375`	`resource "oci_core_network_security_group" "pub_lb" {`
`394`	`376`	`compartment_id = var.compartment_id`
`@@ -426,10 +408,6 @@ resource "oci_core_network_security_group_security_rule" "pub_lb_egress" {`
`426`	`408`	`}`
`427`	`409`	`}`
`428`	`410`
`429`		`- lifecycle {`
`430`		`- ignore_changes = [destination, destination_type, direction, protocol, tcp_options]`
`431`		`- }`
`432`		`-`
`433`	`411`	`count = var.load_balancers == "public" \|\| var.load_balancers == "both" ? length(local.pub_lb_egress) : 0`
`434`	`412`	`}`
`435`	`413`
`@@ -450,10 +428,6 @@ resource "oci_core_network_security_group_security_rule" "pub_lb_egress_health_c`
`450`	`428`	`}`
`451`	`429`	`}`
`452`	`430`
`453`		`- lifecycle {`
`454`		`- ignore_changes = [destination, destination_type, direction, protocol, tcp_options]`
`455`		`- }`
`456`		`-`
`457`	`431`	`count = var.load_balancers == "public" \|\| var.load_balancers == "both" ? 1 : 0`
`458`	`432`	`}`
`459`	`433`
`@@ -474,10 +448,6 @@ resource "oci_core_network_security_group_security_rule" "pub_lb_egress_health_c`
`474`	`448`	`}`
`475`	`449`	`}`
`476`	`450`
`477`		`- lifecycle {`
`478`		`- ignore_changes = [destination, destination_type, direction, protocol, tcp_options]`
`479`		`- }`
`480`		`-`
`481`	`451`	`count = var.load_balancers == "both" ? length(var.internal_lb_allowed_ports) : 0`
`482`	`452`	`}`
`483`	`453`
`@@ -498,10 +468,6 @@ resource "oci_core_network_security_group_security_rule" "pub_lb_ingress" {`
`498`	`468`	`}`
`499`	`469`	`}`
`500`	`470`
`501`		`- lifecycle {`
`502`		`- ignore_changes = [source, source_type, direction, protocol, tcp_options, icmp_options]`
`503`		`- }`
`504`		`-`
`505`	`471`	`count = var.load_balancers == "public" \|\| var.load_balancers == "both" ? length(local.public_lb_allowed_cidrs_and_ports) : 0`
`506`	`472`	`}`
`507`	`473`
`@@ -532,9 +498,6 @@ resource "oci_core_network_security_group_security_rule" "waf_ingress" {`
`532`	`498`	`}`
`533`	`499`	`}`
`534`	`500`
`535`		`- lifecycle {`
`536`		`- ignore_changes = [source, source_type, direction, protocol, tcp_options, icmp_options]`
`537`		`- }`
`538`	`501`	`}`
`539`	`502`
`540`	`503`	`## fss : instance network security group rules`