feat: add support to reference module nsgs in the nsg rules

robo-cap · hyder · commit ce2de7a60fa3 · 2024-12-04T14:34:36.000+11:00
diff --git a/examples/network/vars-network.auto.tfvars b/examples/network/vars-network.auto.tfvars
@@ -51,12 +51,21 @@ allow_rules_public_lb = {
   # "Allow TCP ingress to public load balancers for SSL traffic from anywhere" : {
   #   protocol = 6, port = 443, source = "0.0.0.0/0", source_type = "CIDR_BLOCK",
   # },
+  # "Allow UDP egress to workers port range 50000-52767 from Public LBs" : {
+  #   protocol = 17, destination_port_min = 50000, destination_port_max=52767, destination = "workers", destination_type = "NETWORK_SECURITY_GROUP"
+  # },
 }
 
 allow_rules_workers = {
   # "Allow TCP ingress to workers for port 8080 from VCN" : {
   #   protocol = 6, port = 8080, source = "10.0.0.0/16", source_type = "CIDR_BLOCK",
   # },
+  # "Allow UDP ingress to workers for port range 50000-52767 from Public LBs" : {
+  #   protocol = 17, destination_port_min = 50000, destination_port_max=52767, source = "pub_lb", source_type = "NETWORK_SECURITY_GROUP"
+  # },
+  # "Allow TCP ingress to workers for port range 8888-8888 from existing NSG" : {
+  #   protocol = 6, destination_port_min = 8888, destination_port_max=8888, source = "ocid1.networksecuritygroup.oc1.eu-frankfurt-1.aaaaaaaai6z4le2ji7dkpmuwff4525b734wrjlifjqkrzlr5qctgxdsyoyra", source_type = "NETWORK_SECURITY_GROUP"
+  # },
 }
 
 # Dynamic routing gateway (DRG)
diff --git a/modules/network/rules.tf b/modules/network/rules.tf
@@ -24,9 +24,21 @@ locals {
       network_security_group_id = lookup(y, "nsg_id")
       direction                 = contains(keys(y), "source") ? "INGRESS" : "EGRESS"
       protocol                  = lookup(y, "protocol")
-      source                    = lookup(y, "source", null)
+      source                    = (
+        alltrue([
+          upper(lookup(y, "source_type", "")) == local.rule_type_nsg,
+          length(regexall("ocid\\d+\\.networksecuritygroup", lower(lookup(y, "source", "")))) == 0]) ?
+          lookup(local.all_nsg_ids, lower(lookup(y, "source", "")), null) :
+          lookup(y, "source", null)
+      )
       source_type               = lookup(y, "source_type", null)
-      destination               = lookup(y, "destination", null)
+      destination               = (
+        alltrue([
+          upper(lookup(y, "destination_type", "")) == local.rule_type_nsg,
+          length(regexall("ocid\\d+\\.networksecuritygroup", lower(lookup(y, "destination", "")))) == 0]) ?
+          lookup(local.all_nsg_ids, lower(lookup(y, "destination", "")), null) :
+          lookup(y, "destination", null)
+      )
       destination_type          = lookup(y, "destination_type", null)
   }) }
 
