[ECS/VPC] feature request: add support for Disabling Source and Destination Check

[gberche-orange]

• As a terraform-provider-flexibleengine user
• in order to manage ECS servers which emit packets with source IP addresses other than those associated with its NICs (such as a VM implementing software-defined VPN)
• I need the provider to let me control the Disabling Source and Destination Check option documented into the following resources
  • Help Center > Virtual Private Cloud > User Guide> Virtual IP Address> Disabling Source and Destination Check
  • Help Center > Virtual Private Cloud > FAQs> Connectivity> What Do I Do If a Virtual IP Address Cannot Be Pinged After It Is Bound to an ECS NIC?

Note: I'm not sure how this option is currently supported in the huawei cloud api. I have not yet found it into the following api endpoints including Virtual Private Cloud > API Reference> OpenStack Neutron APIs> Port> Creating a Port

Surprisingly, the flexible engine UI translates the "disable check" button into the following rest call https://console.prod-cloud-ocb.orange-business.com/ecm/rest/v1/491849b50fb94252893dc396ecfdb600/cloudservers/nics/b3e8c2ce-0084-4c6a-81f9-292083da24ea with body

    {"nic":{"subnet_id":"","ip_address":"1.1.1.1/0"}}

While the "enable check" button translates https://console.prod-cloud-ocb.orange-business.com/ecm/rest/v1/491849b50fb94252893dc396ecfdb600/cloudservers/nics/b3e8c2ce-0084-4c6a-81f9-292083da24ea with body

    {}

This looks like if the UI is using a specific magic ip address format to control this flag. Is this something that is currently possible using the terraform provider as well, such as with https://www.terraform.io/docs/providers/flexibleengine/r/compute_interface_attach_v2.html ?

/CC @poblin-orange

[gberche-orange]

The openstack API at https://support.huaweicloud.com/intl/en-us/api-vpc/vpc_port01_0006.html#vpc_port01_0006__table2033432574917 seems to imply the ip address in the allowed_adresss_pair can accept a CIDR and hence a 1.1.1.1/0 block

whereas the terraform provider does not (yet?) describe this CIDR support at https://www.terraform.io/docs/providers/flexibleengine/r/networking_port_v2.html#allowed_address_pairs

[DafuSHI]

@niuzhenguo Please help on this subject. An important internal project is blocked by the source ip check feature from Terraform

[niuzhenguo]

@ShiChangkuo Please help with this.

[ShiChangkuo]

@gberche-orange Sorry for late reply, have you tried the allowed_address_pairs block in flexibleengine_networking_port_v2 resource or could you provide the terraform script?

[gberche-orange]

thanks @ShiChangkuo for your response. We have worked around for now the issue with a manual check in the UI, but plan to test usage of the flexibleengine_networking_port_v2 resource with a CIDR (when our priorities would allow it).

In the meantime, would it be possible to improve the documentation of terraform-provider-flexibleengine to make the support of CIDR explici (for instance by providing examples with both single address and cidrs)

[ShiChangkuo]

sure, I will test it then update the documentation.

[ShiChangkuo]

@gberche-orange I have updated the documentation. The value of allowed_address_pairs/id_address can be an IP address or a CIDR. Please let me know how the allowed_address_pairs block worked for you. I am looking forward to your feedback.

[gberche-orange]

thanks @ShiChangkuo for the documentation update!

We'll test and reopen an issue if we have problems using the CIDR syntax.

[Arkhenys]

Hello everyone,

As already discussed with @gberche-orange we faced the same issue in my team. Thanks to Guillaume, his colleagues and few days of work, we were able to solve the issue and have the possibility to disable the source/destination check directly in the terraform plan.

We had to first, declare a flexibleengine_networking_port_v2 before the instance declaration. Then we added the allowed_address_pairs block in the flexibleengine_networking_port_v2 declaration. Finally we had to link the port to the instance using the network block.

Here is what we did in details:

1. Retrieve secgroup ids : We will see it in a next point, but this will allow us to set the secgroups directly in the flexibleengine_networking_port_v2, not in the instance. To declare secgroups in the port, we have to use a set of IDs, instead of using a set of secgroup names in the instance declaration. We use a for_each = toset() because our current plans send a set of secgroup names when creating an ECS.

# Build a datasource for each security group
data "flexibleengine_networking_secgroup_v2" "secgroup" {
 for_each = toset(var.security_groups)
 name     = each.key
}

2. Build a set in the locals. Set is mandatory as the created flexibleengine_networking_port_v2 waits for a set of security group ids in its parameters.

locals {
 sec_groups_ids = [for secgroup indata.flexibleengine_networking_secgroup_v2.secgroup: secgroup.id]
}

3. Create the flexibleengine_networking_port_v2 that will contain the allowed_address_pairs block. Here is the reason we had to declare secgroups in port and not in instance anymore. Port secgroups have a higher priority than instance secgroups. Because of that, our instances were all linked to the default secgroup and not in the one we expected.

resource "flexibleengine_networking_port_v2" "port" {
  network_id         = data.flexibleengine_vpc_subnet_v1.subnet.id
  security_group_ids = local.sec_groups_ids
  admin_state_up     = "true"

  allowed_address_pairs {
    ip_address       = "1.1.1.1/0"
  }

  fixed_ip {
    subnet_id        = data.flexibleengine_vpc_subnet_v1.subnet.ipv4_subnet_id
    ip_address       = var.ip_v4
  }
}

4. Finally, all we have to do left is to link the flexibleengine_networking_port_v2 to the instance, in the network block.

resource "flexibleengine_compute_instance_v2" "ecs" {

  name                    = var.name
  flavor_id               = var.flavor_id
  key_pair                = var.key_pair

  block_device {
    uuid                  = var.image_id
    source_type           = "image"
    volume_size           = var.volume_size
    volume_type           = var.volume_type
    boot_index            = 0
    destination_type      = "volume"
    delete_on_termination = true
  }

  network {
    port                  = flexibleengine_networking_port_v2.port.id
  }

  user_data               = var.user_data
  tags                    = var.tags
  metadata                = var.metadata

  depends_on              = [flexibleengine_networking_port_v2.port]

}

After that, if you deploy a new instance, it will have source/destination option unchecked (and your instance will be in the expected secgroup).

[Arkhenys]

In addition to my previous message, I would highly recommand using a boolean to enable/disable this option. This can easily be done using the dynamic block expression of terraform.

If you use a module for example, you could declare the boolean variable in your input variables (variables.tf file) such as

variable "source_dest_check_enabled" {
  type        = bool
  default     = true
}

In my example I set it to true because I want the option enabled by default and disabled on demand.

You can then choose to activate or not the option by changing the content of the allowed_address_pairs block in the flexibleengine_networking_port_v2 on a condition. This is where the dynamic block do the trick :

resource "flexibleengine_networking_port_v2" "port" {
  network_id         = data.flexibleengine_vpc_subnet_v1.subnet.id
  security_group_ids = local.sec_groups_ids
  admin_state_up     = "true"

  dynamic "allowed_address_pairs" {
    for_each         = var.source_dest_check_enabled ? [] : [1]

    content {
      ip_address     = "1.1.1.1/0"
    }
  }

  fixed_ip {
    subnet_id        = data.flexibleengine_vpc_subnet_v1.subnet.ipv4_subnet_id
    ip_address       = var.ip_v4
  }
}

Here is the explaination of this block :

• dynamic "allowed_address_pairs" {} → the block allowed_address_pairs will have a different content based on condition
• for_each = var.source_dest_check_enabled ? [] : [1] → the ? indicates a condition. We retrieve our condition and parse it. Here our condition is on the source_dest_check_enabled var. We want the block to get some content when our var is false, so we put a 1 into right brackets. This litteraly means "next lines (content) will appear if my variable source_dest_check_enabled is set to false". If we want the content when the variable is set to true, here is what to do :

  for_each         = var.source_dest_check_enabled ? [1] : []

• the content part is what will be set into the created block when the condition is filled. Here it means that if the var is true, the block allowed_address_pairs will be empty. If the var is false, ip_address = "1.1.1.1/0" will be added to the allowed_address_pairs block.