chore: Address review feedback

openshift · Jul 14, 2021 · 4d91d63 · 4d91d63
1 parent f3f01fd
commit 4d91d63
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 14 deletions.
diff --git a/data/data/ibmcloud/bootstrap/main.tf b/data/data/ibmcloud/bootstrap/main.tf
@@ -18,7 +18,7 @@ resource "ibm_is_instance" "bootstrap_node" {
   primary_network_interface {
     name            = "eth0"
     subnet          = var.subnet_id
-    security_groups = var.security_group_id_list
+    security_groups = concat(var.security_group_id_list, [ibm_is_security_group.bootstrap.id])
   }
 
   vpc  = var.vpc_id
@@ -50,6 +50,28 @@ resource "ibm_is_floating_ip" "bootstrap_floatingip" {
   tags           = var.tags
 }
 
+############################################
+# Security group
+############################################
+
+resource "ibm_is_security_group" "bootstrap" {
+  name           = "${local.prefix}-security-group-bootstrap"
+  resource_group = var.resource_group_id
+  tags           = var.tags
+  vpc            = var.vpc_id
+}
+
+# SSH
+resource "ibm_is_security_group_rule" "bootstrap_ssh_inbound" {
+  group     = ibm_is_security_group.bootstrap.id
+  direction = "inbound"
+  remote    = var.public_endpoints ? "0.0.0.0/0" : var.security_group_id_list.0.id
+  tcp {
+    port_min = 22
+    port_max = 22
+  }
+}
+
 ############################################
 # Load balancer backend pool members
 ############################################

diff --git a/data/data/ibmcloud/vpc/security-groups.tf b/data/data/ibmcloud/vpc/security-groups.tf
@@ -21,7 +21,7 @@ resource "ibm_is_security_group" "cluster_wide" {
 resource "ibm_is_security_group_rule" "cluster_wide_ssh_inbound" {
   group     = ibm_is_security_group.cluster_wide.id
   direction = "inbound"
-  remote    = var.public_endpoints ? "0.0.0.0/0" : ibm_is_security_group.cluster_wide.id
+  remote    = ibm_is_security_group.cluster_wide.id
   tcp {
     port_min = 22
     port_max = 22
@@ -36,17 +36,6 @@ resource "ibm_is_security_group_rule" "cluster_wide_icmp_inbound" {
   icmp {}
 }
 
-# Metrics
-resource "ibm_is_security_group_rule" "cluster_wide_metrics_inbound" {
-  group     = ibm_is_security_group.cluster_wide.id
-  direction = "inbound"
-  remote    = ibm_is_security_group.cluster_wide.id
-  tcp {
-    port_min = 1936
-    port_max = 1936
-  }
-}
-
 # VXLAN and Geneve - port 4789
 resource "ibm_is_security_group_rule" "cluster_wide_vxlan_geneve_4789_inbound" {
   group     = ibm_is_security_group.cluster_wide.id
@@ -116,7 +105,7 @@ resource "ibm_is_security_group_rule" "openshift_network_kube_default_ports_inbo
   remote    = ibm_is_security_group.openshift_network.id
   tcp {
     port_min = 10250
-    port_max = 10259
+    port_max = 10250
   }
 }
 
@@ -219,6 +208,17 @@ resource "ibm_is_security_group_rule" "control_plane_etcd_inbound" {
   }
 }
 
+# Kubernetes default ports
+resource "ibm_is_security_group_rule" "control_plane_kube_default_ports_inbound" {
+  group     = ibm_is_security_group.control_plane.id
+  direction = "inbound"
+  remote    = ibm_is_security_group.control_plane.id
+  tcp {
+    port_min = 10257
+    port_max = 10259
+  }
+}
+
 # Kubernetes API - inbound
 resource "ibm_is_security_group_rule" "control_plane_kubernetes_api_inbound" {
   group     = ibm_is_security_group.control_plane.id