Merge pull request #183 from NetApp/rvwn_sg_list
Changed to support a list of security groups instead of just one security group
kcantrel authored Aug 29, 2024
2 parents 2482172 + 2b9a784 commit f34fc47
Showing 4 changed files with 36 additions and 36 deletions.
10 changes: 5 additions & 5 deletions Terraform/deploy-fsx-ontap/standalone-module/README.md
Expand Up @@ -10,7 +10,7 @@
* [License](#license)

## Introduction
This sample demonstrates how to deploy an FSx for NetApp ONTAP file system, including an SVM and a FlexVolume in that file system, using AWS Terraform provider in a standalone Terraform module.
This sample demonstrates how to deploy an FSx for NetApp ONTAP file system, including an SVM and a FlexVolume in that file system, using AWS Terraform provider in a standalone Terraform module.
Follow the instructions below to use this sample in your own environment.
### Repository Overview
This is a standalone Terraform configuration repository that contains the following files:
Expand Down Expand Up @@ -43,7 +43,7 @@ Running this terraform sample will result the following:
* A new FSx for Netapp ONTAP file-system. Much of the configuration is defined in the `variables.tf` file, but the following are the default values:
* 1024Gb of storage capacity
* Generation 1 Multi AZ deployment type
* 128Mbps of throughput capacity
* 128Mbps of throughput capacity
* 1 HA pair
* 1 Storage Virtual Machine (SVM)
* 1 FlexVol volume with the following configuration parameters:
Expand All @@ -52,7 +52,7 @@ Running this terraform sample will result the following:
* Security style of UNIX
* Storage efficiencies enabled
* Auto tiering policy with 31 cooling days
* post-delete backup disabled
* post-delete backup disabled

## Prerequisites

Expand Down Expand Up @@ -107,7 +107,7 @@ value was retrieved, and the configuration variable name.
### 1. Clone the repository
In your server's terminal, navigate to the location where you wish to store this Terraform repository, and clone the repository using your preferred authentication type. In this example we are using HTTPS clone:

```shell
```shell
git clone https://github.com/NetApp/FSx-ONTAP-samples-scripts.git
```

Expand Down Expand Up @@ -211,7 +211,7 @@ terraform apply
| route_table_ids | An array of routing table IDs that will be modified to allow access to the FSxN file system. This is only used for Multi AZ deployment types and must be left as null for Single AZ deployment types. | `list(string)` | `null` | no |
| secret_name_prefix | The prefix to the secret names created that will contain the FSxN passwords (system, and SVM). | `string` | `"fsxn-secret"` | no |
| secret_region | The AWS region where the secrets for the FSxN file system and SVM will be deployed. | `string` | `"us-west-2"` | no |
| security_group_id | If you are not creating the security group, provide the ID of the security group to be used. | `string` | `""` | no |
| security_group_ids | If you are not creating the security group, provide a list of IDs of security groups to be used. | `list(string)` | `[]` | no |
| security_group_name_prefix | The prefix to the security group name that will be created. | `string` | `"fsxn-sg"` | no |
| source_sg_id | The ID of the security group to allow access to the FSxN file system. Set to an empty string if you want to use the cidr_for_sg as the source. | `string` | `""` | no |
| svm_name | The name of the Storage Virtual Machine | `string` | `"fsx"` | no |
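Review bot: the new `security_group_ids` row should say when the value is actually consulted. From `main.tf` it is only used when `create_sg` is `false`, and leaving it at the default `[]` in that case does not pin any security group to the file system at all (AWS then falls back to the VPC default security group). Suggest wording such as "Required when `create_sg` is `false`; ignored otherwise" so a reader of this table does not take the empty default as a safe no-op.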
6 changes: 3 additions & 3 deletions Terraform/deploy-fsx-ontap/standalone-module/main.tf
Expand Up @@ -32,9 +32,9 @@ module "fsxn_rotate_secret" {
}

/*
* The following resources are for deploying a complete FSx ONTAP file system.
* The following resources are for deploying a complete FSx ONTAP file system.
* The code below deploys the following resources in this order:
* 1. A file system
* 1. A file system
* 2. A storage virtual machine
* 3. A volume within the storage virtual machine
*/
Expand All @@ -43,7 +43,7 @@ resource "aws_fsx_ontap_file_system" "terraform-fsxn" {
preferred_subnet_id = var.fsx_subnets["primarysub"]

storage_capacity = var.fsx_capacity_size_gb
security_group_ids = var.create_sg ? [element(aws_security_group.fsx_sg[*].id, 0)] : [var.security_group_id]
security_group_ids = var.create_sg ? [element(aws_security_group.fsx_sg[*].id, 0)] : var.security_group_ids
deployment_type = var.fsx_deploy_type
throughput_capacity_per_ha_pair = var.fsx_tput_in_MBps
ha_pairs = var.ha_pairs
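Review bot: the `create_sg = false` branch now passes `var.security_group_ids` straight through, so the default `[]` reaches `aws_fsx_ontap_file_system` unchecked and the file system ends up with no explicitly chosen security group. A `lifecycle { precondition { condition = var.create_sg || length(var.security_group_ids) > 0 } }` on this resource (or a cross-variable `validation` block on Terraform 1.9+) would fail at plan time instead. Minor: the `create_sg` branch can be written as `aws_security_group.fsx_sg[*].id`, which is already a list, instead of wrapping `element(..., 0)` in a new list.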
46 changes: 23 additions & 23 deletions Terraform/deploy-fsx-ontap/standalone-module/security_groups.tf
@@ -1,4 +1,4 @@
/*
/*
* The following defines a Security Group for FSx ONTAP that allows the required ports for NFS, CIFS,
* Kerberos, and iSCSI as well as SnapMirror.
*
Expand All @@ -23,7 +23,7 @@ resource "aws_vpc_security_group_ingress_rule" "all_icmp" {
count = var.create_sg ? 1 : 0
security_group_id = aws_security_group.fsx_sg[count.index].id
cidr_ipv4 = (var.cidr_for_sg != "" ? var.cidr_for_sg : null)
referenced_security_group_id = (var.security_group_id != "" ? var.security_group_id : null)
referenced_security_group_id = (var.source_sg_id != "" ? var.source_sg_id : null)
from_port = -1
to_port = -1
ip_protocol = "icmp"
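Review bot: pointing `referenced_security_group_id` at `var.source_sg_id` instead of `var.security_group_id` is the real fix in this PR. These rules only exist when `create_sg` is true, and in that path `security_group_id` was normally empty, so `source_sg_id` as documented in the README was never honoured. What the hunk leaves open is that `cidr_ipv4` and `referenced_security_group_id` are still evaluated independently: with both `cidr_for_sg` and `source_sg_id` non-empty both arguments are set, with both empty both are null, and `aws_vpc_security_group_ingress_rule` accepts exactly one source, so either misconfiguration surfaces only at apply. The same pair of lines repeats in every rule in this file; a single local such as `use_cidr = var.cidr_for_sg != ""` plus one precondition would make the choice explicit once. Note also that this is the all-ICMP rule (`from_port`/`to_port` of -1), so whatever source is chosen here gets every ICMP type.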
Expand All @@ -34,7 +34,7 @@ resource "aws_vpc_security_group_ingress_rule" "nfs_tcp" {
count = var.create_sg ? 1 : 0
security_group_id = aws_security_group.fsx_sg[count.index].id
cidr_ipv4 = (var.cidr_for_sg != "" ? var.cidr_for_sg : null)
referenced_security_group_id = (var.security_group_id != "" ? var.security_group_id : null)
referenced_security_group_id = (var.source_sg_id != "" ? var.source_sg_id : null)
from_port = 111
to_port = 111
ip_protocol = "tcp"
Expand All @@ -45,7 +45,7 @@ resource "aws_vpc_security_group_ingress_rule" "nfs_udp" {
count = var.create_sg ? 1 : 0
security_group_id = aws_security_group.fsx_sg[count.index].id
cidr_ipv4 = (var.cidr_for_sg != "" ? var.cidr_for_sg : null)
referenced_security_group_id = (var.security_group_id != "" ? var.security_group_id : null)
referenced_security_group_id = (var.source_sg_id != "" ? var.source_sg_id : null)
from_port = 111
to_port = 111
ip_protocol = "udp"
Expand All @@ -56,7 +56,7 @@ resource "aws_vpc_security_group_ingress_rule" "cifs" {
count = var.create_sg ? 1 : 0
security_group_id = aws_security_group.fsx_sg[count.index].id
cidr_ipv4 = (var.cidr_for_sg != "" ? var.cidr_for_sg : null)
referenced_security_group_id = (var.security_group_id != "" ? var.security_group_id : null)
referenced_security_group_id = (var.source_sg_id != "" ? var.source_sg_id : null)
from_port = 139
to_port = 139
ip_protocol = "tcp"
Expand All @@ -67,7 +67,7 @@ resource "aws_vpc_security_group_ingress_rule" "snmp_tcp" {
count = var.create_sg ? 1 : 0
security_group_id = aws_security_group.fsx_sg[count.index].id
cidr_ipv4 = (var.cidr_for_sg != "" ? var.cidr_for_sg : null)
referenced_security_group_id = (var.security_group_id != "" ? var.security_group_id : null)
referenced_security_group_id = (var.source_sg_id != "" ? var.source_sg_id : null)
from_port = 161
to_port = 162
ip_protocol = "tcp"
Expand All @@ -78,7 +78,7 @@ resource "aws_vpc_security_group_ingress_rule" "snmp_udp" {
count = var.create_sg ? 1 : 0
security_group_id = aws_security_group.fsx_sg[count.index].id
cidr_ipv4 = (var.cidr_for_sg != "" ? var.cidr_for_sg : null)
referenced_security_group_id = (var.security_group_id != "" ? var.security_group_id : null)
referenced_security_group_id = (var.source_sg_id != "" ? var.source_sg_id : null)
from_port = 161
to_port = 162
ip_protocol = "udp"
Expand All @@ -89,7 +89,7 @@ resource "aws_vpc_security_group_ingress_rule" "smb_cifs" {
count = var.create_sg ? 1 : 0
security_group_id = aws_security_group.fsx_sg[count.index].id
cidr_ipv4 = (var.cidr_for_sg != "" ? var.cidr_for_sg : null)
referenced_security_group_id = (var.security_group_id != "" ? var.security_group_id : null)
referenced_security_group_id = (var.source_sg_id != "" ? var.source_sg_id : null)
from_port = 445
to_port = 445
ip_protocol = "tcp"
Expand All @@ -100,7 +100,7 @@ resource "aws_vpc_security_group_ingress_rule" "nfs_mount_tcp" {
count = var.create_sg ? 1 : 0
security_group_id = aws_security_group.fsx_sg[count.index].id
cidr_ipv4 = (var.cidr_for_sg != "" ? var.cidr_for_sg : null)
referenced_security_group_id = (var.security_group_id != "" ? var.security_group_id : null)
referenced_security_group_id = (var.source_sg_id != "" ? var.source_sg_id : null)
from_port = 635
to_port = 635
ip_protocol = "tcp"
Expand All @@ -111,7 +111,7 @@ resource "aws_vpc_security_group_ingress_rule" "kerberos" {
count = var.create_sg ? 1 : 0
security_group_id = aws_security_group.fsx_sg[count.index].id
cidr_ipv4 = (var.cidr_for_sg != "" ? var.cidr_for_sg : null)
referenced_security_group_id = (var.security_group_id != "" ? var.security_group_id : null)
referenced_security_group_id = (var.source_sg_id != "" ? var.source_sg_id : null)
from_port = 749
to_port = 749
ip_protocol = "tcp"
Expand All @@ -122,7 +122,7 @@ resource "aws_vpc_security_group_ingress_rule" "nfs_server_daemon" {
count = var.create_sg ? 1 : 0
security_group_id = aws_security_group.fsx_sg[count.index].id
cidr_ipv4 = (var.cidr_for_sg != "" ? var.cidr_for_sg : null)
referenced_security_group_id = (var.security_group_id != "" ? var.security_group_id : null)
referenced_security_group_id = (var.source_sg_id != "" ? var.source_sg_id : null)
from_port = 2049
to_port = 2049
ip_protocol = "tcp"
Expand All @@ -133,7 +133,7 @@ resource "aws_vpc_security_group_ingress_rule" "nfs_server_daemon_udp" {
count = var.create_sg ? 1 : 0
security_group_id = aws_security_group.fsx_sg[count.index].id
cidr_ipv4 = (var.cidr_for_sg != "" ? var.cidr_for_sg : null)
referenced_security_group_id = (var.security_group_id != "" ? var.security_group_id : null)
referenced_security_group_id = (var.source_sg_id != "" ? var.source_sg_id : null)
from_port = 2049
to_port = 2049
ip_protocol = "udp"
Expand All @@ -144,7 +144,7 @@ resource "aws_vpc_security_group_ingress_rule" "nfs_lock_daemon" {
count = var.create_sg ? 1 : 0
security_group_id = aws_security_group.fsx_sg[count.index].id
cidr_ipv4 = (var.cidr_for_sg != "" ? var.cidr_for_sg : null)
referenced_security_group_id = (var.security_group_id != "" ? var.security_group_id : null)
referenced_security_group_id = (var.source_sg_id != "" ? var.source_sg_id : null)
from_port = 4045
to_port = 4045
ip_protocol = "tcp"
Expand All @@ -155,7 +155,7 @@ resource "aws_vpc_security_group_ingress_rule" "nfs_lock_daemon_udp" {
count = var.create_sg ? 1 : 0
security_group_id = aws_security_group.fsx_sg[count.index].id
cidr_ipv4 = (var.cidr_for_sg != "" ? var.cidr_for_sg : null)
referenced_security_group_id = (var.security_group_id != "" ? var.security_group_id : null)
referenced_security_group_id = (var.source_sg_id != "" ? var.source_sg_id : null)
from_port = 4045
to_port = 4045
ip_protocol = "udp"
Expand All @@ -166,7 +166,7 @@ resource "aws_vpc_security_group_ingress_rule" "nfs_status_monitor" {
count = var.create_sg ? 1 : 0
security_group_id = aws_security_group.fsx_sg[count.index].id
cidr_ipv4 = (var.cidr_for_sg != "" ? var.cidr_for_sg : null)
referenced_security_group_id = (var.security_group_id != "" ? var.security_group_id : null)
referenced_security_group_id = (var.source_sg_id != "" ? var.source_sg_id : null)
from_port = 4046
to_port = 4046
ip_protocol = "tcp"
Expand All @@ -177,7 +177,7 @@ resource "aws_vpc_security_group_ingress_rule" "nfs_status_monitor_udp" {
count = var.create_sg ? 1 : 0
security_group_id = aws_security_group.fsx_sg[count.index].id
cidr_ipv4 = (var.cidr_for_sg != "" ? var.cidr_for_sg : null)
referenced_security_group_id = (var.security_group_id != "" ? var.security_group_id : null)
referenced_security_group_id = (var.source_sg_id != "" ? var.source_sg_id : null)
from_port = 4046
to_port = 4046
ip_protocol = "udp"
Expand All @@ -188,7 +188,7 @@ resource "aws_vpc_security_group_ingress_rule" "nfs_rquotad" {
count = var.create_sg ? 1 : 0
security_group_id = aws_security_group.fsx_sg[count.index].id
cidr_ipv4 = (var.cidr_for_sg != "" ? var.cidr_for_sg : null)
referenced_security_group_id = (var.security_group_id != "" ? var.security_group_id : null)
referenced_security_group_id = (var.source_sg_id != "" ? var.source_sg_id : null)
from_port = 4049
to_port = 4049
ip_protocol = "udp"
Expand All @@ -199,7 +199,7 @@ resource "aws_vpc_security_group_ingress_rule" "iscsi_tcp" {
count = var.create_sg ? 1 : 0
security_group_id = aws_security_group.fsx_sg[count.index].id
cidr_ipv4 = (var.cidr_for_sg != "" ? var.cidr_for_sg : null)
referenced_security_group_id = (var.security_group_id != "" ? var.security_group_id : null)
referenced_security_group_id = (var.source_sg_id != "" ? var.source_sg_id : null)
from_port = 3260
to_port = 3260
ip_protocol = "tcp"
Expand All @@ -210,7 +210,7 @@ resource "aws_vpc_security_group_ingress_rule" "Snapmirror_Intercluster_communic
count = var.create_sg ? 1 : 0
security_group_id = aws_security_group.fsx_sg[count.index].id
cidr_ipv4 = (var.cidr_for_sg != "" ? var.cidr_for_sg : null)
referenced_security_group_id = (var.security_group_id != "" ? var.security_group_id : null)
referenced_security_group_id = (var.source_sg_id != "" ? var.source_sg_id : null)
from_port = 11104
to_port = 11104
ip_protocol = "tcp"
Expand All @@ -221,7 +221,7 @@ resource "aws_vpc_security_group_ingress_rule" "Snapmirror_data_transfer" {
count = var.create_sg ? 1 : 0
security_group_id = aws_security_group.fsx_sg[count.index].id
cidr_ipv4 = (var.cidr_for_sg != "" ? var.cidr_for_sg : null)
referenced_security_group_id = (var.security_group_id != "" ? var.security_group_id : null)
referenced_security_group_id = (var.source_sg_id != "" ? var.source_sg_id : null)
from_port = 11105
to_port = 11105
ip_protocol = "tcp"
Expand All @@ -232,7 +232,7 @@ resource "aws_vpc_security_group_ingress_rule" "nfs_mount_udp" {
count = var.create_sg ? 1 : 0
security_group_id = aws_security_group.fsx_sg[count.index].id
cidr_ipv4 = (var.cidr_for_sg != "" ? var.cidr_for_sg : null)
referenced_security_group_id = (var.security_group_id != "" ? var.security_group_id : null)
referenced_security_group_id = (var.source_sg_id != "" ? var.source_sg_id : null)
from_port = 635
to_port = 635
ip_protocol = "udp"
Expand All @@ -243,7 +243,7 @@ resource "aws_vpc_security_group_ingress_rule" "ssh" {
count = var.create_sg ? 1 : 0
security_group_id = aws_security_group.fsx_sg[count.index].id
cidr_ipv4 = (var.cidr_for_sg != "" ? var.cidr_for_sg : null)
referenced_security_group_id = (var.security_group_id != "" ? var.security_group_id : null)
referenced_security_group_id = (var.source_sg_id != "" ? var.source_sg_id : null)
from_port = 22
to_port = 22
ip_protocol = "tcp"
Expand All @@ -254,7 +254,7 @@ resource "aws_vpc_security_group_ingress_rule" "s3_and_api" {
count = var.create_sg ? 1 : 0
security_group_id = aws_security_group.fsx_sg[count.index].id
cidr_ipv4 = (var.cidr_for_sg != "" ? var.cidr_for_sg : null)
referenced_security_group_id = (var.security_group_id != "" ? var.security_group_id : null)
referenced_security_group_id = (var.source_sg_id != "" ? var.source_sg_id : null)
from_port = 443
to_port = 443
ip_protocol = "tcp"
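Review bot: this one-line edit had to be repeated in twenty-odd near-identical resources, which is how the wrong variable went unnoticed in the first place. Consider one `aws_vpc_security_group_ingress_rule` with `for_each` over a local map of `{ name = { from_port, to_port, ip_protocol } }` so the port table and the source-selection expression each live in one place. Separately, the `ssh` (22) and `s3_and_api` (443) rules open management paths to ONTAP, so the docs for `cidr_for_sg` should steer users toward an administrative range rather than the whole VPC CIDR.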
10 changes: 5 additions & 5 deletions Terraform/deploy-fsx-ontap/standalone-module/variables.tf
Expand Up @@ -6,7 +6,7 @@ variable "fsx_name" {

variable "fsx_deploy_type" {
description = "The file system deployment type. Supported values are 'MULTI_AZ_1', 'SINGLE_AZ_1', 'MULTI_AZ_2', and 'SINGLE_AZ_2'. MULTI_AZ_1 and SINGLE_AZ_1 are Gen 1. MULTI_AZ_2 and SINGLE_AZ_2 are Gen 2."
type = string
type = string
default = "MULTI_AZ_1"
validation {
condition = contains(["MULTI_AZ_1", "SINGLE_AZ_1", "MULTI_AZ_2", "SINGLE_AZ_2"], var.fsx_deploy_type)
Expand Down Expand Up @@ -186,10 +186,10 @@ variable "create_sg" {
default = true
}

variable "security_group_id" {
description = "If you are not creating the security group, provide the ID of the security group to be used."
type = string
default = ""
variable "security_group_ids" {
description = "If you are not creating the security group, provide a list of IDs of security groups to be used."
type = list(string)
default = []
}

variable "security_group_name_prefix" {
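Review bot: renaming `security_group_id` to `security_group_ids` breaks any existing caller or `.tfvars` file that still sets the old name, so the README (or the commit message) should call the rename out. While the variable is being touched, a `validation` block would catch malformed input at plan time, for example `condition = alltrue([for id in var.security_group_ids : can(regex("^sg-[0-9a-f]+$", id))])` with an error message naming the variable; `alltrue` over the empty default is true, so the check does not interfere with the `create_sg = true` path.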