We can deploy cloud Infrastructure on IDrive® Compute with the help of widely used open-source infrastructure as code software Terraform. While we can deploy various virtual resources on IDrive® Compute with Terraform, In this article we will try to concentrate on creating IDrive® Compute Firewall

Pre-requisite:

We need to install the following software on your local system.

• Terraform
• Openstack_cli

Terraform code:

Here are the terraform files required for the creation.

1) Providers file:

Create a file named main.tf and write the file with below code.

$ touch main.tf

Append the following configuration to the main.tf file. 

# Configure the OpenStack Provider
terraform {
required_providers {
openstack = {
source = "terraform-provider-openstack/openstack"
}
}
}

2) Deployment file: deploy.tf

$ touch deploy.tf

Add the below code to deploy.tf file.

resource "openstack_networking_secgroup_v2" "test_secgroup_1" {
name = "test_secgroup_1"
description = "My neutron security group"
}

resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_1" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = 22
port_range_max = 22
remote_ip_prefix = "0.0.0.0/0"
security_group_id = "${openstack_networking_secgroup_v2.test_secgroup_1.id}"
}

Here we are creating a security group called "test_secgroup_rule_1" in the region "LA3" and also assigning a security group rule name "secgroup_rule_1" to it. The security group rule allows incoming connections on port 22  for all subnets. To know more about security group rules refer here. 

Using Terraform to create a security group

we execute the below operations:

•  terraform init ( Needs  to be executed only once for initializing)
•  terraform plan ( To see what's being deployed)
•  terraform deploy (creates the requested resources)

Initializing terraform:

$ terraform init

Output:

Initializing the backend...

Initializing provider plugins...
- Finding latest version of terraform-provider-openstack/openstack...
- Installing terraform-provider-openstack/openstack v1.49.0...
- Installed terraform-provider-openstack/openstack v1.49.0 (self-signed, key ID 4F80527A391BEFD2)

Partner and community providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://www.terraform.io/docs/cli/plugins/signing.html

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Applying terraform plan:

$ terraform plan

Output:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create

Terraform will perform the following actions:

# openstack_networking_secgroup_rule_v2.secgroup_rule_1 will be created
+ resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_1" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ id = (known after apply)
+ port_range_max = 22
+ port_range_min = 22
+ protocol = "tcp"
+ region = (known after apply)
+ remote_group_id = (known after apply)
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = (known after apply)
+ tenant_id = (known after apply)
}

# openstack_networking_secgroup_v2.test_secgroup_1 will be created
+ resource "openstack_networking_secgroup_v2" "test_secgroup_1" {
+ all_tags = (known after apply)
+ description = "My neutron security group"
+ id = (known after apply)
+ name = "test_secgroup_1"
+ region = (known after apply)
+ tenant_id = (known after apply)
}

Plan: 2 to add, 0 to change, 0 to destroy.

────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.

Applying the configuration:

$ terraform apply 

Output:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create

Terraform will perform the following actions:

# openstack_networking_secgroup_rule_v2.secgroup_rule_1 will be created
+ resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_1" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ id = (known after apply)
+ port_range_max = 22
+ port_range_min = 22
+ protocol = "tcp"
+ region = (known after apply)
+ remote_group_id = (known after apply)
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = (known after apply)
+ tenant_id = (known after apply)
}

# openstack_networking_secgroup_v2.test_secgroup_1 will be created
+ resource "openstack_networking_secgroup_v2" "test_secgroup_1" {
+ all_tags = (known after apply)
+ description = "My neutron security group"
+ id = (known after apply)
+ name = "test_secgroup_1"
+ region = (known after apply)
+ tenant_id = (known after apply)
}

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.

Enter a value: yes

openstack_networking_secgroup_v2.test_secgroup_1: Creating...
openstack_networking_secgroup_v2.test_secgroup_1: Creation complete after 2s [id=6ebcd723-931f-42ad-93c6-10fc209094ba]
openstack_networking_secgroup_rule_v2.secgroup_rule_1: Creating...
openstack_networking_secgroup_rule_v2.secgroup_rule_1: Creation complete after 0s [id=317a0c89-2571-48ea-a8e6-baef0c84cd18]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

Verification

You can verify the creation of the security group and associated security group rule by the bellow command.

$ openstack security group show test_secgroup_1 -f json

Output:

"created_at": "2023-01-16T09:31:48Z",
"description": "My neutron security group",
"id": "6ebcd723-931f-42ad-93c6-10fc209094ba",
"name": "test_secgroup_1",
"project_id": "b88176b3de3f4771aa183e8bd7e1edc7",
"revision_number": 2,
"rules": [
{
"direction": "ingress",
"protocol": "tcp",
"description": "",
"tags": [],
"port_range_max": 22,
"updated_at": "2023-01-16T09:31:48Z",
"revision_number": 0,
"id": "317a0c89-2571-48ea-a8e6-baef0c84cd18",
"remote_group_id": null,
"remote_ip_prefix": "0.0.0.0/0",
"created_at": "2023-01-16T09:31:48Z",
"security_group_id": "6ebcd723-931f-42ad-93c6-10fc209094ba",
"tenant_id": "b88176b3de3f4771aa183e8bd7e1edc7",
"port_range_min": 22,
"ethertype": "IPv4",
"project_id": "b88176b3de3f4771aa183e8bd7e1edc7"
},
{
"direction": "egress",
"protocol": null,
"description": null,
"tags": [],
"port_range_max": null,
"updated_at": "2023-01-16T09:31:48Z",
"revision_number": 0,
"id": "9ad780d1-79c3-4dbf-bfb7-64bf00632907",
"remote_group_id": null,
"remote_ip_prefix": null,
"created_at": "2023-01-16T09:31:48Z",
"security_group_id": "6ebcd723-931f-42ad-93c6-10fc209094ba",
"tenant_id": "b88176b3de3f4771aa183e8bd7e1edc7",
"port_range_min": null,
"ethertype": "IPv4",
"project_id": "b88176b3de3f4771aa183e8bd7e1edc7"
},
{
"direction": "egress",
"protocol": null,
"description": null,
"tags": [],
"port_range_max": null,
"updated_at": "2023-01-16T09:31:48Z",
"revision_number": 0,
"id": "c115ee29-d70f-4518-a71a-d366bba12445",
"remote_group_id": null,
"remote_ip_prefix": null,
"created_at": "2023-01-16T09:31:48Z",
"security_group_id": "6ebcd723-931f-42ad-93c6-10fc209094ba",
"tenant_id": "b88176b3de3f4771aa183e8bd7e1edc7",
"port_range_min": null,
"ethertype": "IPv6",
"project_id": "b88176b3de3f4771aa183e8bd7e1edc7"
}
],
"stateful": null,
"tags": [],
"updated_at": "2023-01-16T09:31:48Z"
}

Removing Security group

To remove the created security group and the associated rule run the below.

$ terraform destroy

Output:

openstack_networking_secgroup_rule_v2.secgroup_rule_1: Refreshing state... [id=317a0c89-2571-48ea-a8e6-baef0c84cd18]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
- destroy

Terraform will perform the following actions:

# openstack_networking_secgroup_rule_v2.secgroup_rule_1 will be destroyed
- resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_1" {
- direction = "ingress" -> null
- ethertype = "IPv4" -> null
- id = "317a0c89-2571-48ea-a8e6-baef0c84cd18" -> null
- port_range_max = 22 -> null
- port_range_min = 22 -> null
- protocol = "tcp" -> null
- remote_ip_prefix = "0.0.0.0/0" -> null
- security_group_id = "6ebcd723-931f-42ad-93c6-10fc209094ba" -> null
- tenant_id = "b88176b3de3f4771aa183e8bd7e1edc7" -> null
}

# openstack_networking_secgroup_v2.test_secgroup_1 will be destroyed
- resource "openstack_networking_secgroup_v2" "test_secgroup_1" {
- all_tags = [] -> null
- description = "My neutron security group" -> null
- id = "6ebcd723-931f-42ad-93c6-10fc209094ba" -> null
- name = "test_secgroup_1" -> null
- tags = [] -> null
- tenant_id = "b88176b3de3f4771aa183e8bd7e1edc7" -> null
}

Plan: 0 to add, 0 to change, 2 to destroy.

Do you really want to destroy all resources?
Terraform will destroy all your managed infrastructure, as shown above.
There is no undo. Only 'yes' will be accepted to confirm.

Enter a value: yes

openstack_networking_secgroup_rule_v2.secgroup_rule_1: Destroying... [id=317a0c89-2571-48ea-a8e6-baef0c84cd18]
openstack_networking_secgroup_rule_v2.secgroup_rule_1: Destruction complete after 7s
openstack_networking_secgroup_v2.test_secgroup_1: Destroying... [id=6ebcd723-931f-42ad-93c6-10fc209094ba]
openstack_networking_secgroup_v2.test_secgroup_1: Destruction complete after 9s

Destroy complete! Resources: 2 destroyed.