mirror of
https://github.com/opentffoundation/opentf.git
synced 2026-03-31 18:02:48 -04:00
5f8dc6cc34
This commit removes the default security group rules that are automatically created when a security group is created. These rules are usually permissive egress rules which makes it difficult to add more strict egress security group rules.
165 lines
4.6 KiB
Go
165 lines
4.6 KiB
Go
package openstack
|
|
|
|
import (
|
|
"fmt"
|
|
"log"
|
|
"time"
|
|
|
|
"github.com/hashicorp/terraform/helper/resource"
|
|
"github.com/hashicorp/terraform/helper/schema"
|
|
|
|
"github.com/gophercloud/gophercloud"
|
|
"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/security/groups"
|
|
"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/security/rules"
|
|
)
|
|
|
|
func resourceNetworkingSecGroupV2() *schema.Resource {
|
|
return &schema.Resource{
|
|
Create: resourceNetworkingSecGroupV2Create,
|
|
Read: resourceNetworkingSecGroupV2Read,
|
|
Delete: resourceNetworkingSecGroupV2Delete,
|
|
Importer: &schema.ResourceImporter{
|
|
State: schema.ImportStatePassthrough,
|
|
},
|
|
|
|
Schema: map[string]*schema.Schema{
|
|
"region": &schema.Schema{
|
|
Type: schema.TypeString,
|
|
Required: true,
|
|
ForceNew: true,
|
|
DefaultFunc: schema.EnvDefaultFunc("OS_REGION_NAME", ""),
|
|
},
|
|
"name": &schema.Schema{
|
|
Type: schema.TypeString,
|
|
Required: true,
|
|
ForceNew: true,
|
|
},
|
|
"description": &schema.Schema{
|
|
Type: schema.TypeString,
|
|
Optional: true,
|
|
ForceNew: true,
|
|
Computed: true,
|
|
},
|
|
"tenant_id": &schema.Schema{
|
|
Type: schema.TypeString,
|
|
Optional: true,
|
|
ForceNew: true,
|
|
Computed: true,
|
|
},
|
|
},
|
|
}
|
|
}
|
|
|
|
func resourceNetworkingSecGroupV2Create(d *schema.ResourceData, meta interface{}) error {
|
|
|
|
config := meta.(*Config)
|
|
networkingClient, err := config.networkingV2Client(GetRegion(d))
|
|
if err != nil {
|
|
return fmt.Errorf("Error creating OpenStack networking client: %s", err)
|
|
}
|
|
|
|
opts := groups.CreateOpts{
|
|
Name: d.Get("name").(string),
|
|
Description: d.Get("description").(string),
|
|
TenantID: d.Get("tenant_id").(string),
|
|
}
|
|
|
|
log.Printf("[DEBUG] Create OpenStack Neutron Security Group: %#v", opts)
|
|
|
|
security_group, err := groups.Create(networkingClient, opts).Extract()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Remove the default rules
|
|
for _, rule := range security_group.Rules {
|
|
if err := rules.Delete(networkingClient, rule.ID).ExtractErr(); err != nil {
|
|
return fmt.Errorf(
|
|
"There was a problem deleting a default security group rule: %s", err)
|
|
}
|
|
}
|
|
|
|
log.Printf("[DEBUG] OpenStack Neutron Security Group created: %#v", security_group)
|
|
|
|
d.SetId(security_group.ID)
|
|
|
|
return resourceNetworkingSecGroupV2Read(d, meta)
|
|
}
|
|
|
|
func resourceNetworkingSecGroupV2Read(d *schema.ResourceData, meta interface{}) error {
|
|
log.Printf("[DEBUG] Retrieve information about security group: %s", d.Id())
|
|
|
|
config := meta.(*Config)
|
|
networkingClient, err := config.networkingV2Client(GetRegion(d))
|
|
if err != nil {
|
|
return fmt.Errorf("Error creating OpenStack networking client: %s", err)
|
|
}
|
|
|
|
security_group, err := groups.Get(networkingClient, d.Id()).Extract()
|
|
|
|
if err != nil {
|
|
return CheckDeleted(d, err, "OpenStack Neutron Security group")
|
|
}
|
|
|
|
d.Set("description", security_group.Description)
|
|
d.Set("tenant_id", security_group.TenantID)
|
|
d.Set("name", security_group.Name)
|
|
d.Set("region", GetRegion(d))
|
|
|
|
return nil
|
|
}
|
|
|
|
func resourceNetworkingSecGroupV2Delete(d *schema.ResourceData, meta interface{}) error {
|
|
log.Printf("[DEBUG] Destroy security group: %s", d.Id())
|
|
|
|
config := meta.(*Config)
|
|
networkingClient, err := config.networkingV2Client(GetRegion(d))
|
|
if err != nil {
|
|
return fmt.Errorf("Error creating OpenStack networking client: %s", err)
|
|
}
|
|
|
|
stateConf := &resource.StateChangeConf{
|
|
Pending: []string{"ACTIVE"},
|
|
Target: []string{"DELETED"},
|
|
Refresh: waitForSecGroupDelete(networkingClient, d.Id()),
|
|
Timeout: 2 * time.Minute,
|
|
Delay: 5 * time.Second,
|
|
MinTimeout: 3 * time.Second,
|
|
}
|
|
|
|
_, err = stateConf.WaitForState()
|
|
if err != nil {
|
|
return fmt.Errorf("Error deleting OpenStack Neutron Security Group: %s", err)
|
|
}
|
|
|
|
d.SetId("")
|
|
return err
|
|
}
|
|
|
|
func waitForSecGroupDelete(networkingClient *gophercloud.ServiceClient, secGroupId string) resource.StateRefreshFunc {
|
|
return func() (interface{}, string, error) {
|
|
log.Printf("[DEBUG] Attempting to delete OpenStack Security Group %s.\n", secGroupId)
|
|
|
|
r, err := groups.Get(networkingClient, secGroupId).Extract()
|
|
if err != nil {
|
|
if _, ok := err.(gophercloud.ErrDefault404); ok {
|
|
log.Printf("[DEBUG] Successfully deleted OpenStack Neutron Security Group %s", secGroupId)
|
|
return r, "DELETED", nil
|
|
}
|
|
return r, "ACTIVE", err
|
|
}
|
|
|
|
err = groups.Delete(networkingClient, secGroupId).ExtractErr()
|
|
if err != nil {
|
|
if _, ok := err.(gophercloud.ErrDefault404); ok {
|
|
log.Printf("[DEBUG] Successfully deleted OpenStack Neutron Security Group %s", secGroupId)
|
|
return r, "DELETED", nil
|
|
}
|
|
return r, "ACTIVE", err
|
|
}
|
|
|
|
log.Printf("[DEBUG] OpenStack Neutron Security Group %s still active.\n", secGroupId)
|
|
return r, "ACTIVE", nil
|
|
}
|
|
}
|