assign nsg_common on netapp subnet + rules

Azure · Oct 13, 2023 · 1e018b5 · 1e018b5
1 parent 6d45027
commit 1e018b5
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 2 deletions.
diff --git a/bicep/azhop.bicep b/bicep/azhop.bicep
@@ -170,7 +170,6 @@ var config = {
         ]
       }
       netapp: {
-        apply_nsg: false
         name: contains(azhopConfig.network.vnet.subnets.netapp, 'name') ? azhopConfig.network.vnet.subnets.netapp.name : 'netapp'
         cidr: azhopConfig.network.vnet.subnets.netapp.address_prefixes
         delegations: [
@@ -453,7 +452,11 @@ var config = {
 
       // SLURM
       AllowComputeSlurmIn         : ['405', 'Inbound', 'Allow', '*', 'Slurmd', 'asg', 'asg-ondemand', 'subnet', 'compute']
-
+
+      // NFS
+      AllowNfsIn                  : ['430', 'Inbound', 'Allow', '*', 'Nfs', 'asg', 'asg-nfs-client', 'subnet', 'netapp']
+      AllowNfsComputeIn           : ['435', 'Inbound', 'Allow', '*', 'Nfs', 'subnet', 'compute', 'subnet', 'netapp']
+
       // CycleCloud
       AllowCycleWebIn             : ['440', 'Inbound', 'Allow', 'Tcp', 'Web', 'asg', 'asg-ondemand', 'asg', 'asg-cyclecloud']
       AllowCycleClientIn          : ['450', 'Inbound', 'Allow', 'Tcp', 'CycleCloud', 'asg', 'asg-cyclecloud-client', 'asg', 'asg-cyclecloud']

diff --git a/tf/network_security_group.tf b/tf/network_security_group.tf
@@ -96,6 +96,12 @@ resource "azurerm_subnet_network_security_group_association" "admin" {
   network_security_group_id = azurerm_network_security_group.common[0].id
 }
 
+resource "azurerm_subnet_network_security_group_association" "netapp" {
+  count                     = local.create_nsg ? 1 : 0
+  subnet_id                 = local.create_netapp_subnet ? azurerm_subnet.netapp[0].id : data.azurerm_subnet.netapp[0].id
+  network_security_group_id = azurerm_network_security_group.common[0].id
+}
+
 resource "azurerm_subnet_network_security_group_association" "outbounddns" {
   count                     = local.create_nsg ? (local.no_outbounddns_subnet ? 0 : 1) : 0
   subnet_id                 = local.create_outbounddns_subnet ? azurerm_subnet.outbounddns[0].id : data.azurerm_subnet.outbounddns[0].id

diff --git a/tf/variables_local.tf b/tf/variables_local.tf
@@ -408,6 +408,10 @@ locals {
         AllowLustreClientIn         = ["410", "Inbound", "Allow", "Tcp", "Lustre",             "asg/asg-lustre-client", "subnet/admin"],
         AllowLustreClientComputeIn  = ["420", "Inbound", "Allow", "Tcp", "Lustre",             "subnet/compute",        "subnet/admin"],
 
+        # NFS
+        AllowNfsIn                  = ["430", "Inbound", "Allow", "*",   "Nfs",                "asg/asg-nfs-client",       "subnet/netapp"],
+        AllowNfsComputeIn           = ["435", "Inbound", "Allow", "*",   "Nfs",                "subnet/compute",           "subnet/netapp"],
+
         # CycleCloud
         AllowCycleWebIn             = ["440", "Inbound", "Allow", "Tcp", "Web",                "asg/asg-ondemand",          "asg/asg-cyclecloud"],
         AllowCycleClientIn          = ["450", "Inbound", "Allow", "Tcp", "CycleCloud",         "asg/asg-cyclecloud-client", "asg/asg-cyclecloud"],