This Terraform module creates and configures an OpenStack Security Group with a user-defined set of rules. It is designed to be reusable, flexible, and aligned with Terraform best practices for OpenStack deployments.
More specifically, the module:
- Creates an OpenStack Security Group with a customizable name and description.
- Attaches an arbitrary number of user-defined rules to the security group.
💡 The module supports complex rule sets, such as those required to create a subnet security group for IPA services (i.e. Kerberos, LDAP and DNS).
Copyright © EUMETSAT 2025.
The provided code and instructions are licensed under the MIT license. They are intended to automate the setup of an environment that includes third-party software components. The usage and distribution terms of the resulting environment are subject to the individual licenses of those third-party libraries.
Users are responsible for reviewing and complying with the licenses of all third-party components included in the environment.
Contact EUMETSAT for details on the usage and distribution terms.
Before proceeding, if you lack OpenStack Application Credentials or do not know how to make them available to Ansible in your development environment, make sure to check out the EWC documentation.
```hcl
module "ipa_security_group" {
  source = "/path/to/terraform/module"

  security_group_name = "ipa"

  # One object per rule. Ports are given as a min/max range; single ports use
  # the same value for both.
  # Note on remote_ip_prefix: the prefix length, not the address, decides how
  # many sources match. A /0 prefix (as in "10.0.0.0/0") matches every IPv4
  # address, exactly like "0.0.0.0/0"; restrict to a private range with a
  # longer prefix such as "10.0.0.0/8" if that is the intent.
  security_group_rules = [
    { # HTTP
      direction        = "ingress"
      ether_type       = "IPv4"
      protocol         = "tcp"
      port_range_min   = 80
      port_range_max   = 80
      remote_ip_prefix = "10.0.0.0/0"
    },
    { # NTP
      direction        = "ingress"
      ether_type       = "IPv4"
      protocol         = "udp"
      port_range_min   = 123
      port_range_max   = 123
      remote_ip_prefix = "10.0.0.0/0"
    },
    { # Kerberos (TCP)
      direction        = "ingress"
      ether_type       = "IPv4"
      protocol         = "tcp"
      port_range_min   = 88
      port_range_max   = 88
      remote_ip_prefix = "10.0.0.0/0"
    },
    { # Kerberos (UDP)
      direction        = "ingress"
      ether_type       = "IPv4"
      protocol         = "udp"
      port_range_min   = 88
      port_range_max   = 88
      remote_ip_prefix = "10.0.0.0/0"
    },
    { # DNS (TCP)
      direction        = "ingress"
      ether_type       = "IPv4"
      protocol         = "tcp"
      port_range_min   = 53
      port_range_max   = 53
      remote_ip_prefix = "10.0.0.0/0"
    },
    { # DNS (UDP)
      direction        = "ingress"
      ether_type       = "IPv4"
      protocol         = "udp"
      port_range_min   = 53
      port_range_max   = 53
      remote_ip_prefix = "10.0.0.0/0"
    },
    { # LDAP
      direction        = "ingress"
      ether_type       = "IPv4"
      protocol         = "tcp"
      port_range_min   = 389
      port_range_max   = 389
      remote_ip_prefix = "10.0.0.0/0"
    },
    { # SSH, open to any source
      direction        = "ingress"
      ether_type       = "IPv4"
      protocol         = "tcp"
      port_range_min   = 22
      port_range_max   = 22
      remote_ip_prefix = "0.0.0.0/0"
    },
    { # LDAPS
      direction        = "ingress"
      ether_type       = "IPv4"
      protocol         = "tcp"
      port_range_min   = 636
      port_range_max   = 636
      remote_ip_prefix = "10.0.0.0/0"
    },
    { # Kerberos password change (TCP)
      direction        = "ingress"
      ether_type       = "IPv4"
      protocol         = "tcp"
      port_range_min   = 464
      port_range_max   = 464
      remote_ip_prefix = "10.0.0.0/0"
    },
    { # Kerberos password change (UDP)
      direction        = "ingress"
      ether_type       = "IPv4"
      protocol         = "udp"
      port_range_min   = 464
      port_range_max   = 464
      remote_ip_prefix = "10.0.0.0/0"
    },
    { # HTTPS
      direction        = "ingress"
      ether_type       = "IPv4"
      protocol         = "tcp"
      port_range_min   = 443
      port_range_max   = 443
      remote_ip_prefix = "10.0.0.0/0"
    }
  ]

  tags = {
    environment       = "production"
    project           = "ewc"
    provisioning-tool = "terraform"
  }
}
```
The module accepts the following input variables:
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| security_group_name | Name of the security group. Example: `ipa` | string | n/a | yes |
| security_group_description | Description of the security group | string | n/a | no |
| security_group_rules | List of security group rules | list(object({direction = string, ether_type = string, protocol = string, port_range_min = number, port_range_max = number, remote_ip_prefix = string})) | n/a | yes |
| tags | Map of tags to assign to the security group | map(string) | {} | no |
Each rule in the `security_group_rules` list is an object with the following attributes:
- `direction`: The direction of the rule (`ingress` or `egress`).
- `ether_type`: The ether type (`IPv4` or `IPv6`).
- `protocol`: The protocol (e.g., `tcp`, `udp`, `icmp`, or `null` for any).
- `port_range_min`: The minimum port number (1-65535, or `null` for protocols like `icmp`).
- `port_range_max`: The maximum port number (1-65535, or `null` for protocols like `icmp`).
- `remote_ip_prefix`: The remote IP prefix in CIDR notation (e.g., `10.0.0.0/0`). Keep in mind that the prefix length decides how many source addresses match: a `/0` prefix matches every address regardless of the octets written before the slash, so `10.0.0.0/0` is equivalent to `0.0.0.0/0`, while `10.0.0.0/8` limits the rule to the 10.0.0.0 private range.
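As an added example that is not part of this module, the following Python script audits a `security_group_rules` list before it is handed to `terraform apply`. It checks each rule against the attribute schema above (direction, ether type, port range and CIDR validity) and goes a little beyond it: it normalises every `remote_ip_prefix` so that a prefix with host bits set, such as `10.0.0.0/0`, is reported together with the network it really matches, it verifies that the CIDR family matches `ether_type`, and it flags ingress rules that expose a management port (an assumed set in `MANAGEMENT_PORTS`) to every source address. The rule dicts are constructed here to mirror the usage example; the finding codes and the management-port set are this script's own conventions, not module features.

```python
"""Pre-apply audit for a security_group_rules list (added example, not module code)."""
import ipaddress

VALID_DIRECTIONS = {"ingress", "egress"}
VALID_ETHER_TYPES = {"IPv4", "IPv6"}
# Assumed policy: ports an operator would not normally expose to every source.
MANAGEMENT_PORTS = {22, 88, 389, 464, 636}


def effective_network(prefix):
    """Return the network a remote_ip_prefix actually matches.

    strict=False accepts a prefix whose host bits are set, so "10.0.0.0/0"
    normalises to 0.0.0.0/0: a /0 prefix length matches every address,
    whatever octets are written before the slash.
    """
    return ipaddress.ip_network(prefix, strict=False)


def check_rule(rule):
    """Return a list of (code, message) findings for one rule; [] means clean."""
    findings = []
    direction = rule.get("direction")
    if direction not in VALID_DIRECTIONS:
        findings.append(("bad-direction", f"direction must be ingress or egress, got {direction!r}"))
    ether_type = rule.get("ether_type")
    if ether_type not in VALID_ETHER_TYPES:
        findings.append(("bad-ether-type", f"ether_type must be IPv4 or IPv6, got {ether_type!r}"))

    proto = rule.get("protocol")
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if proto in ("tcp", "udp"):
        # tcp/udp rules need a concrete 1-65535 range with min <= max.
        for name, val in (("port_range_min", lo), ("port_range_max", hi)):
            if not isinstance(val, int) or not 1 <= val <= 65535:
                findings.append(("bad-port", f"{name} must be 1-65535 for {proto}, got {val!r}"))
        if isinstance(lo, int) and isinstance(hi, int) and lo > hi:
            findings.append(("port-order", f"port_range_min {lo} exceeds port_range_max {hi}"))
    elif lo is not None or hi is not None:
        findings.append(("port-not-applicable", f"port range is meaningless for protocol {proto!r}; use null"))

    prefix = rule.get("remote_ip_prefix")
    try:
        net = effective_network(prefix)
    except ValueError:
        findings.append(("bad-cidr", f"remote_ip_prefix {prefix!r} is not valid CIDR notation"))
        return findings
    family = "IPv4" if net.version == 4 else "IPv6"
    if ether_type in VALID_ETHER_TYPES and family != ether_type:
        findings.append(("family-mismatch", f"remote_ip_prefix {prefix} is {family} but ether_type is {ether_type}"))
    if str(net) != prefix:
        # The prefix as written is not the network it matches (host bits set).
        findings.append(("host-bits", f"remote_ip_prefix {prefix} has host bits set; it actually matches {net}"))
    if (direction == "ingress" and net.prefixlen == 0 and proto in ("tcp", "udp")
            and isinstance(lo, int) and isinstance(hi, int)
            and any(lo <= p <= hi for p in MANAGEMENT_PORTS)):
        findings.append(("world-open", f"ports {lo}-{hi}/{proto} are reachable from every {family} address"))
    return findings


def audit(rules):
    """Audit a whole rules list; returns [(index, code, message), ...]."""
    return [(i, code, msg) for i, rule in enumerate(rules) for code, msg in check_rule(rule)]


# Constructed sample input in the shape of the module's security_group_rules list.
SAMPLE_RULES = [
    {"direction": "ingress", "ether_type": "IPv4", "protocol": "tcp",
     "port_range_min": 88, "port_range_max": 88, "remote_ip_prefix": "10.0.0.0/0"},
    {"direction": "ingress", "ether_type": "IPv4", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22, "remote_ip_prefix": "0.0.0.0/0"},
    {"direction": "ingress", "ether_type": "IPv4", "protocol": "tcp",
     "port_range_min": 443, "port_range_max": 443, "remote_ip_prefix": "10.0.0.0/8"},
    {"direction": "ingress", "ether_type": "IPv4", "protocol": "icmp",
     "port_range_min": None, "port_range_max": None, "remote_ip_prefix": "10.0.0.0/8"},
    {"direction": "ingress", "ether_type": "IPv4", "protocol": "tcp",
     "port_range_min": 636, "port_range_max": 389, "remote_ip_prefix": "10.0.0.0/8"},
]

if __name__ == "__main__":
    for index, code, msg in audit(SAMPLE_RULES):
        print(f"rule[{index}] {code}: {msg}")
```

Run against the sample list, the first rule is reported twice (host bits set and Kerberos reachable from everywhere), the SSH rule once, and the rule with a reversed port range once; the HTTPS and ICMP rules restricted to `10.0.0.0/8` pass. Loading the real list from a `.tfvars.json` file with `json.load` plugs straight into `audit`, since the JSON objects have the same keys as the module's rule objects.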
Third-party components used in the working environment.
The following components will be included in the working environment:
| Component | Version | License | Home URL |
|---|---|---|---|
| terraform-provider-openstack | 1.53.0 | MPL-2.0 | https://github.com/terraform-provider-openstack/terraform-provider-openstack |
The module exposes the following outputs:
| Name | Description |
|---|---|
| security_group_id | ID of the created security group |
| security_group_name | Name of the created security group |
| security_group_rules | List of created security group rule IDs |
This module supports tagging of the security group using the `tags` variable. Tags are applied as a list of strings to the `openstack_networking_secgroup_v2` resource.
Example:
```hcl
tags = {
  environment       = "production"
  project           = "ewc"
  provisioning-tool = "terraform"
}
```
The above results in the security group being tagged with `environment=production`, `project=ewc` and `provisioning-tool=terraform`.
All notable changes (i.e. fixes, features and breaking changes) are documented in the CHANGELOG.md.
Thanks for taking the time to join our community and start contributing! Please make sure to:
- Familiarize yourself with our Code of Conduct before contributing.
- See CONTRIBUTING.md for instructions on how to request or submit changes.