iits-consulting / terraform-opentelekomcloud-project-factory

This repository helps you create an OTC-based cloud-native infrastructure landscape with Kubernetes, load balancers, VPCs, etc. With these modules we provide you a rocket start, while you can still deep-dive into detailed configuration later.
GNU General Public License v3.0

Extension of loadbalancer/snat terraform module #32

Closed iliefa closed 2 years ago

iliefa commented 2 years ago

We need to add an SNAT rule via Terraform. For this, a floating IP ID is required (https://registry.terraform.io/providers/opentelekomcloud/opentelekomcloud/latest/docs/resources/nat_snat_rule_v2). We want to use the elastic IP ID as the floating IP ID. This could be taken from the loadbalancer module (https://github.com/iits-consulting/terraform-opentelekomcloud-project-factory/blob/master/modules/loadbalancer/main.tf); unfortunately, it does not have the elastic IP ID as an output. Can this output be added to the module?

canaykin commented 2 years ago

Greetings @iliefa ,

We can certainly add the EIP ID to the output, however the scenario you described will not work due to the EIP already being bound to the loadbalancer.

To be absolutely sure, I have tried the use case you described by trying to use the loadbalancer EIP for the SNAT rule. This was the result:

```text
error creating SNAT Rule: Bad request with: [POST https://nat.eu-de.otc.t-systems.com/v2.0/snat_rules], error message: {"NeutronError": {"type": "FIPAssociatedWithOtherPort", "detail": "", "message": "Floating Ip xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx has associated with port yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy."}}
```

Similarly, the OTC console only permits using unbound EIPs for SNAT rules (it is, however, possible to create multiple SNAT rules with the same EIP).

This limitation applies to all EIPs as far as I tested. And since all modules that create EIP will bind a resource to it, the EIP id would only be usable in a read only context.

I hope it helps, Can
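The constraint described in the reply above (the EIP used by an SNAT rule must not be bound to any other port, while several SNAT rules may share one EIP) translates into the following Terraform layout. This is an added example, not code from the project-factory modules or from either participant: it allocates a dedicated EIP for the NAT gateway instead of reusing the load balancer's EIP, then creates one SNAT rule per subnet, all sharing that EIP. The variable names, the bandwidth size and the resource names are assumptions; the resource types and their arguments are those of the opentelekomcloud provider.

```hcl
# Added example: dedicated, unbound EIP for SNAT plus per-subnet SNAT rules.
# Variable names, bandwidth and resource names are assumed for illustration.

variable "vpc_id" {
  type        = string
  description = "ID of the VPC (used as router_id for the NAT gateway)."
}

variable "subnet_network_ids" {
  type        = list(string)
  description = "Network IDs of the subnets that should reach the internet via SNAT."
}

# Dedicated EIP for SNAT. Nothing else (load balancer, ECS port, ...) may be
# attached to it; otherwise the SNAT rule creation fails with the
# NeutronError FIPAssociatedWithOtherPort quoted in the thread.
resource "opentelekomcloud_vpc_eip_v1" "snat" {
  publicip {
    type = "5_bgp"
  }
  bandwidth {
    name        = "snat-eip-bandwidth"
    size        = 10 # Mbit/s, assumed value
    share_type  = "PER"
    charge_mode = "traffic"
  }
}

resource "opentelekomcloud_nat_gateway_v2" "snat" {
  name                = "example-snat"
  spec                = "1" # smallest gateway size, assumed
  router_id           = var.vpc_id
  internal_network_id = var.subnet_network_ids[0]
}

# One SNAT rule per subnet. All rules reference the same EIP, which is
# allowed; what is not allowed is binding that EIP to any other port.
resource "opentelekomcloud_nat_snat_rule_v2" "subnet" {
  for_each = toset(var.subnet_network_ids)

  nat_gateway_id = opentelekomcloud_nat_gateway_v2.snat.id
  network_id     = each.value
  floating_ip_id = opentelekomcloud_vpc_eip_v1.snat.id
}

# Exposing the EIP ID is useful for read-only consumers (e.g. allow-listing
# the egress address elsewhere); it must not be handed to a resource that
# would bind it.
output "snat_eip_id" {
  value = opentelekomcloud_vpc_eip_v1.snat.id
}

output "snat_eip_address" {
  value = opentelekomcloud_vpc_eip_v1.snat.publicip[0].ip_address
}
```

If the load balancer's EIP were passed as `floating_ip_id` instead, `terraform apply` would reproduce the `FIPAssociatedWithOtherPort` error shown above, since that EIP is already bound to the load balancer's port.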

iliefa commented 2 years ago

Things are now clearer. With the snat module, we create a NAT gateway and add an elastic IP. How can we add an SNAT rule using the nat module?

We configured:

```hcl
module "nat" {
  source        = "iits-consulting/project-factory/opentelekomcloud//modules/snat"
  version       = "4.0.1"
  name_prefix   = "${var.context}-${var.stage}"
  nat_size      = "1"
  nat_bandwidth = var.nat_bandwidth
  tags          = local.tags
  vpc_id        = module.vpc.vpc.id
  subnet_id     = values(module.vpc.subnets)[0].id
  network_cidrs = var.network_cidrs
}
```

canaykin commented 2 years ago

Hi again. The module already includes an SNAT rule. In fact, the module is specifically designed for SNAT use and does not support DNAT. With that being said, you can configure the existing SNAT rule to match your needs. For example:

```hcl
module "nat" {
  source        = "iits-consulting/project-factory/opentelekomcloud//modules/snat"
  version       = "4.0.1"
  name_prefix   = "${var.context}-${var.stage}"
  nat_size      = "1"
  nat_bandwidth = var.nat_bandwidth
  tags          = local.tags
  vpc_id        = module.vpc.vpc.id
  subnet_id     = values(module.vpc.subnets)[0].id
  # all subnet network IDs from the VPC module
  network_ids   = values(module.vpc.subnets)[*].id
}
```

would add all subnets created within the VPC module to use this NAT gateway when connecting to internet. Alternatively, for a specific subnet:

```hcl
module "nat" {
  source        = "iits-consulting/project-factory/opentelekomcloud//modules/snat"
  version       = "4.0.1"
  name_prefix   = "${var.context}-${var.stage}"
  nat_size      = "1"
  nat_bandwidth = var.nat_bandwidth
  tags          = local.tags
  vpc_id        = module.vpc.vpc.id
  subnet_id     = values(module.vpc.subnets)[0].id
  # single subnet, wrapped in a list to match the collection form used above
  network_ids   = [module.vpc.subnets["<subnet_name>"].id]
}
```

While it will not affect the code examples above, the module had some bugs, which have been fixed and will be included in the new release:

When the changes are live, you can also use:

```hcl
module "nat" {
  source        = "iits-consulting/project-factory/opentelekomcloud//modules/snat"
  version       = "4.0.1"
  name_prefix   = "${var.context}-${var.stage}"
  nat_size      = "1"
  nat_bandwidth = var.nat_bandwidth
  tags          = local.tags
  vpc_id        = module.vpc.vpc.id
  subnet_id     = values(module.vpc.subnets)[0].id
  # whole VPC CIDR as the SNAT source range
  network_cidrs = [module.vpc.vpc.cidr]
}
```

canaykin commented 2 years ago

The SNAT module is now fully documented with v4.1.2. Please let me know if you have any further questions; otherwise I will proceed to close the issue.

ailief commented 2 years ago

Thanks for the clarifications, you can close this.