FIX: Tofu attempts to apply security groups when port_security_enabled is false (#601)

bertiethorpe · web-flow · commit 0dcf774b6510 · 2025-03-05T15:19:59.000Z
* fix security_group_id logic

* toggle secgroups without touching port security

* document no_security_groups flag
diff --git a/environments/skeleton/{{cookiecutter.environment}}/tofu/control.tf b/environments/skeleton/{{cookiecutter.environment}}/tofu/control.tf
@@ -14,8 +14,8 @@ resource "openstack_networking_port_v2" "control" {
     subnet_id = data.openstack_networking_subnet_v2.cluster_subnet[each.key].id
   }
 
-  port_security_enabled = lookup(each.value, "port_security_enabled", null)
-  security_group_ids = lookup(each.value, "port_security_enabled", null) != false ? [for o in data.openstack_networking_secgroup_v2.nonlogin: o.id] : []
+  no_security_groups = lookup(each.value, "no_security_groups", false)
+  security_group_ids = lookup(each.value, "no_security_groups", false) ? [] : [for o in data.openstack_networking_secgroup_v2.nonlogin: o.id]
 
   binding {
     vnic_type = lookup(var.vnic_types, each.key, "normal")
diff --git a/environments/skeleton/{{cookiecutter.environment}}/tofu/node_group/nodes.tf b/environments/skeleton/{{cookiecutter.environment}}/tofu/node_group/nodes.tf
@@ -44,9 +44,9 @@ resource "openstack_networking_port_v2" "compute" {
   fixed_ip {
     subnet_id = data.openstack_networking_subnet_v2.subnet[each.value.network].id
   }
-
-  port_security_enabled = lookup(each.value, "port_security_enabled", null)
-  security_group_ids = lookup(each.value, "port_security_enabled", null) != false ? var.security_group_ids : []
+  
+  no_security_groups = lookup(each.value, "no_security_groups", false)
+  security_group_ids = lookup(each.value, "no_security_groups", false) ? [] : var.security_group_ids
 
   binding {
     vnic_type = lookup(var.vnic_types, each.value.network, "normal")
diff --git a/environments/skeleton/{{cookiecutter.environment}}/tofu/variables.tf b/environments/skeleton/{{cookiecutter.environment}}/tofu/variables.tf
@@ -15,7 +15,7 @@ variable "cluster_networks" {
         List of mappings defining networks. Mapping key/values:
             network: Required. Name of existing network
             subnet: Required. Name of existing subnet
-            port_security_enabled: Optional. Bool, default null (for networks not owned by project)
+            no_security_groups: Optional. Bool (default: false). Disable security groups
     EOT
 }
 

Original file line number	Diff line number	Diff line change
`@@ -14,8 +14,8 @@ resource "openstack_networking_port_v2" "control" {`
`14`	`14`	`subnet_id = data.openstack_networking_subnet_v2.cluster_subnet[each.key].id`
`15`	`15`	`}`
`16`	`16`
`17`		`- port_security_enabled = lookup(each.value, "port_security_enabled", null)`
`18`		`- security_group_ids = lookup(each.value, "port_security_enabled", null) != false ? [for o in data.openstack_networking_secgroup_v2.nonlogin: o.id] : []`
	`17`	`+ no_security_groups = lookup(each.value, "no_security_groups", false)`
	`18`	`+ security_group_ids = lookup(each.value, "no_security_groups", false) ? [] : [for o in data.openstack_networking_secgroup_v2.nonlogin: o.id]`
`19`	`19`
`20`	`20`	`binding {`
`21`	`21`	`vnic_type = lookup(var.vnic_types, each.key, "normal")`
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ variable "cluster_networks" {`
`15`	`15`	`List of mappings defining networks. Mapping key/values:`
`16`	`16`	`network: Required. Name of existing network`
`17`	`17`	`subnet: Required. Name of existing subnet`
`18`		`- port_security_enabled: Optional. Bool, default null (for networks not owned by project)`
	`18`	`+ no_security_groups: Optional. Bool (default: false). Disable security groups`
`19`	`19`	`EOT`
`20`	`20`	`}`
`21`	`21`