So, I'm trying to use terraform to assign a security group to a loadbalancer, but there doesn't seem to be an option to allow me to set the security group on an openstack_lb_loadbalancer_v2 resource, nor does there seem to be an option to assign the security group to an openstack_networking_port_v2 resource and then attach a LB to the network port.
Terraform Version
Terraform v0.8.2
Affected Resource(s)
openstack_lb_loadbalancer_v2
openstack_networking_port_v2
resource "openstack_networking_network_v2" "test_network" {
  name           = "${var.environment_name}-network"
  admin_state_up = "true"
}

# Port carrying the security group; there is no way to hand it to the LB below.
resource "openstack_networking_port_v2" "lb_port" {
  name       = "test_lb_port"
  network_id = "${openstack_networking_network_v2.test_network.id}"
  security_group_ids = [
    "${openstack_compute_secgroup_v2.test.id}",
  ]
  admin_state_up = "true"
}

# The loadbalancer only accepts a subnet; it creates its own VIP port.
resource "openstack_lb_loadbalancer_v2" "test_lb" {
  name          = "${var.environment_name}-test-lb"
  vip_subnet_id = "${openstack_networking_subnet_v2.test_subnet.id}"
}

resource "openstack_networking_floatingip_v2" "test_lb_vip" {
  pool    = "${var.floatingip_pool}"
  port_id = "${openstack_lb_loadbalancer_v2.test_lb.vip_port_id}"
  depends_on = [
    "openstack_lb_loadbalancer_v2.test_lb",
  ]
}

resource "openstack_lb_listener_v2" "test_lb_listener" {
  protocol        = "HTTPS"
  protocol_port   = 443
  loadbalancer_id = "${openstack_lb_loadbalancer_v2.test_lb.id}"
}

resource "openstack_lb_pool_v2" "test_lb_pool" {
  name        = "${var.environment_name}-test-pool"
  protocol    = "HTTPS"
  lb_method   = "ROUND_ROBIN"
  listener_id = "${openstack_lb_listener_v2.test_lb_listener.id}"
}

resource "openstack_lb_member_v2" "test_lb_members" {
  name          = "${var.environment_name}-test-member"
  count         = "${var.number_of_test}"
  pool_id       = "${openstack_lb_pool_v2.test_lb_pool.id}"
  subnet_id     = "${openstack_networking_subnet_v2.test_subnet.id}"
  address       = "${element(openstack_compute_instance_v2.test.*.network.0.fixed_ip_v4, count.index)}"
  protocol_port = 443
  depends_on = [
    "openstack_lb_loadbalancer_v2.test_lb",
  ]
}
Hi there,
The openstack_lb_loadbalancer_v2 resource has a vip_address argument. Is it possible to link that to an openstack_networking_port_v2 resource?
Thanks,
Joe
Hi Joe,
I tried assigning the fixed_ip of the port to the vip_address of the openstack_lb_loadbalancer_v2, as well as assigning the vip_address of the LB to the port, but got an error both times that the IP address is already in use.
Did something like:
resource "openstack_lb_loadbalancer_v2" "test_lb" {
  name          = "${var.environment_name}-test-lb"
  vip_subnet_id = "${openstack_networking_subnet_v2.test_subnet.id}"
  # reuse the address of the pre-created port as the VIP
  vip_address   = "${openstack_networking_port_v2.test_lb_port.fixed_ip.0.ip_address}"
}
and also tried:
resource "openstack_networking_port_v2" "test_lb_port" {
  name       = "test_lb_port"
  network_id = "${openstack_networking_network_v2.test_network.id}"
  security_group_ids = [
    "${openstack_compute_secgroup_v2.test.id}",
  ]
  # give the port the address the LB already picked as its VIP
  fixed_ip {
    subnet_id  = "${openstack_lb_loadbalancer_v2.test_lb.vip_subnet_id}"
    ip_address = "${openstack_lb_loadbalancer_v2.test_lb.vip_address}"
  }
  admin_state_up = "true"
}
I think it will be good if we can simply attach a sec group to a loadbalancer, or at least create a port, assign a sec group to it and then attach a loadbalancer to that port.
Thanks for trying that out.
I agree with your suggestion 100%, but it doesn't look to be possible from the API docs. I'm going to have to dig into the Neutron code to see if there's an undocumented way.
The example given in the OpenStack Networking Guide shows an "update" being done to the port created by the load balancer. This hidden port creation is what's making this difficult through Terraform.
It looks like openstack_lb_loadbalancer_v2 returns a vip_port_id.
So, I'm going to try and use terraform's remote provisioner to install the neutron client on one of my instances and then use the neutron port-update command to assign the LB's port to the security group.
Something like:
"neutron port-update --security-group ${openstack_compute_secgroup_v2.test.name} ${openstack_lb_loadbalancer_v2.test_lb.vip_port_id}"
That'll work :)
I've just got done digging into the Neutron LBaaS code and it most definitely is creating a port behind the scenes. So I'm going to look at adding a security_group_ids argument to the loadbalancer resource that will add security groups to this implicitly created port.
I'd prefer not having to do this, but I think your use case is absolutely appropriate.
@yawboateng #11074 adds the ability to specify security groups on a loadbalancer :)
awesome! thanks for the quick implementation :+1:
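The configuration the thread ends up with, as an added example that is not from the issue or the provider's own docs: a security group that admits only TCP/443 to the VIP, attached through the security_group_ids argument mentioned above, so the implicitly created VIP port no longer needs the neutron port-update workaround. Assumes a provider release that includes that change, plus var.environment_name and a subnet resource named test_subnet.

```hcl
# Added example (not from the issue). Least privilege for the LB front end:
# Neutron security groups deny ingress by default, so a single HTTPS rule
# is the whole allow-list for the VIP port.
resource "openstack_compute_secgroup_v2" "lb_vip" {
  name        = "${var.environment_name}-lb-vip"
  description = "Only HTTPS may reach the load balancer VIP"

  rule {
    from_port   = 443
    to_port     = 443
    ip_protocol = "tcp"
    cidr        = "0.0.0.0/0"
  }
}

# security_group_ids is applied to the VIP port that Neutron LBaaS creates
# behind the scenes (the one exported as vip_port_id), so the group follows
# the port through create and destroy instead of a one-off provisioner.
resource "openstack_lb_loadbalancer_v2" "test_lb" {
  name               = "${var.environment_name}-test-lb"
  vip_subnet_id      = "${openstack_networking_subnet_v2.test_subnet.id}"
  security_group_ids = ["${openstack_compute_secgroup_v2.lb_vip.id}"]
}

# Export the port id so the attachment can be verified out of band
# (for example with "neutron port-show <id>" looking at security_groups).
output "lb_vip_port_id" {
  value = "${openstack_lb_loadbalancer_v2.test_lb.vip_port_id}"
}
```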
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.