Add destroy support for OpenStack security group resources

As for ports, this requires changes to the terraform-provider-openstack:

https://github.com/terraform-providers/terraform-provider-openstack/issues/453

data/data/openstack/topology/sg-lb.tf

@@ -1,5 +1,6 @@
 resource "openstack_networking_secgroup_v2" "mcs" {
   name = "mcs"
+  tags = ["${format("tectonicClusterID=%s", var.cluster_id)}"]
 }
 
 resource "openstack_networking_secgroup_rule_v2" "mcs_https" {
@@ -14,6 +15,7 @@ resource "openstack_networking_secgroup_rule_v2" "mcs_https" {
 
 resource "openstack_networking_secgroup_v2" "api" {
   name = "api"
+  tags = ["${format("tectonicClusterID=%s", var.cluster_id)}"]
 }
 
 resource "openstack_networking_secgroup_rule_v2" "api_https" {
@@ -28,6 +30,7 @@ resource "openstack_networking_secgroup_rule_v2" "api_https" {
 
 resource "openstack_networking_secgroup_v2" "console" {
   name = "console"
+  tags = ["${format("tectonicClusterID=%s", var.cluster_id)}"]
 }
 
 resource "openstack_networking_secgroup_rule_v2" "console_http" {

data/data/openstack/topology/sg-master.tf

@@ -1,5 +1,6 @@
 resource "openstack_networking_secgroup_v2" "master" {
   name = "master"
+  tags = ["${format("tectonicClusterID=%s", var.cluster_id)}"]
 }
 
 resource "openstack_networking_secgroup_rule_v2" "master_mcs" {

data/data/openstack/topology/sg-worker.tf

@@ -1,5 +1,6 @@
 resource "openstack_networking_secgroup_v2" "worker" {
   name = "worker"
+  tags = ["${format("tectonicClusterID=%s", var.cluster_id)}"]
 }
 
 resource "openstack_networking_secgroup_rule_v2" "worker_ingress_icmp" {

pkg/destroy/openstack/openstack_deprovision.go

@@ -9,6 +9,7 @@ import (
 	"github.com/openshift/installer/pkg/types"
 
 	"github.com/gophercloud/gophercloud/openstack/compute/v2/servers"
+	sg "github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/security/groups"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/ports"
 	"github.com/gophercloud/utils/openstack/clientconfig"
 	"github.com/sirupsen/logrus"
@@ -92,6 +93,7 @@ func deleteRunner(deleteFuncName string, dFunction deleteFunc, opts *clientconfi
 func populateDeleteFuncs(funcs map[string]deleteFunc) {
 	funcs["deleteServers"] = deleteServers
 	funcs["deletePorts"] = deletePorts
+	funcs["deleteSecurityGroups"] = deleteSecurityGroups
 }
 
 // filterObjects will do client-side filtering given an appropriately filled out list of OpenStackObjectWithTags
@@ -226,6 +228,42 @@ func deletePorts(opts *clientconfig.ClientOpts, filter OpenStackFilter, logger l
 	return len(allPorts) == 0, nil
 }
 
+func deleteSecurityGroups(opts *clientconfig.ClientOpts, filter OpenStackFilter, logger logrus.FieldLogger) (bool, error) {
+	logger.Debug("Deleting openstack security-groups")
+	defer logger.Debugf("Exiting deleting openstack security-groups")
+
+	conn, err := clientconfig.NewServiceClient("network", opts)
+	if err != nil {
+		logger.Fatalf("%v", err)
+		os.Exit(1)
+	}
+	tags := filterTags(filter)
+	listOpts := sg.ListOpts{
+		TagsAny: strings.Join(tags, ","),
+	}
+
+	allPages, err := sg.List(conn, listOpts).AllPages()
+	if err != nil {
+		logger.Fatalf("%v", err)
+		os.Exit(1)
+	}
+
+	allGroups, err := sg.ExtractGroups(allPages)
+	if err != nil {
+		logger.Fatalf("%v", err)
+		os.Exit(1)
+	}
+	for _, group := range allGroups {
+		logger.Debugf("Deleting Security Group: %+v", group.ID)
+		err = sg.Delete(conn, group.ID).ExtractErr()
+		if err != nil {
+			// This can fail when sg is still in use by servers
+			return false, nil
+		}
+	}
+	return len(allGroups) == 0, nil
+}
+
 // New returns an OpenStack destroyer from ClusterMetadata.
 func New(logger logrus.FieldLogger, metadata *types.ClusterMetadata) (destroy.Destroyer, error) {
 	return &ClusterUninstaller{