lxc / terraform-provider-incus

Incus provider for Terraform/OpenTofu
https://linuxcontainers.org/incus
Mozilla Public License 2.0

Add support for `incus_network_acl` #78

Closed stgraber closed 2 weeks ago

stgraber commented 3 weeks ago

It'd be great if we could define network ACLs through the provider and then tie those to instance network interfaces or networks.

The basic structure of an ACL can be found here: https://github.com/lxc/incus/blob/main/shared/api/network_acl.go

The top level record basically contains:

With egress and ingress rules being an ordered list of rules that each have:

I think the naive approach of just adding a incus_network_acl resource matching this should be fine.

resource "incus_network_acl" "this" {
    remote  = "my-cluster"
    project = "foo"
    name    = "my_acl"

    # Ordered list of rules applied to traffic leaving the instance/network.
    egress {
        rule {
            action           = "allow"
            destination      = "1.1.1.1,1.0.0.1"
            destination_port = "53"
            protocol         = "udp"
            description      = "DNS to cloudflare public resolvers (UDP)"
            state            = "enabled"
        }

        rule {
            action           = "allow"
            destination      = "1.1.1.1,1.0.0.1"
            destination_port = "53"
            protocol         = "tcp"
            description      = "DNS to cloudflare public resolvers (TCP)"
            state            = "enabled"
        }
    }

    # Ordered list of rules applied to traffic entering the instance/network.
    ingress {
        rule {
            action           = "allow"
            source           = "@external"
            destination_port = "22"
            protocol         = "tcp"
            description      = "Incoming SSH connections"
            state            = "logging"
        }
    }
}

maveonair commented 3 weeks ago

According to the Terraform documentation:

Blocks can only be defined on schemas or nested blocks within a schema, not underneath an attribute or nested attribute.

Instead, we could write it like this:

resource "incus_network_acl" "this" {
  remote  = "my-cluster"
  project = "foo"
  name    = "my_acl"

  egress = [
    {
      action           = "allow"
      destination      = "1.1.1.1,1.0.0.1"
      destination_port = "53"
      protocol         = "udp"
      description      = "DNS to cloudflare public resolvers (UDP)"
      state            = "enabled"
    },
    {
      action           = "allow"
      destination      = "1.1.1.1,1.0.0.1"
      destination_port = "53"
      protocol         = "tcp"
      description      = "DNS to cloudflare public resolvers (TCP)"
      state            = "enabled"
    }
  ]

  ingress = [
    {
      action           = "allow"
      source           = "@external"
      destination_port = "22"
      protocol         = "tcp"
      description      = "Incoming SSH connections"
      state            = "logging"
    }
  ]
}

Would that be fine?

stgraber commented 3 weeks ago

Yeah, that should be perfectly fine.
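The attribute-list shape agreed on above gives the provider a plain list of rule objects per direction, which is where plan-time validation naturally goes: a rule with a port but no TCP/UDP protocol, an unknown `action`, or a malformed `destination` list should fail `terraform plan` rather than surface as an Incus API error at apply time. The following Go code is an added example, not part of the provider or of Incus; it takes the field names from the thread, and the allowed values for `action`, `state`, `protocol` and the `@external`/`@internal` subject selectors are assumptions taken from the Incus network ACL documentation rather than from this page.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// Rule mirrors one entry of the egress/ingress lists in the proposed schema.
// Field names follow the thread; allowed values are an assumption of this
// example (taken from the Incus network ACL docs, not from this issue).
type Rule struct {
	Action, Source, Destination, SourcePort, DestinationPort string
	Protocol, Description, State                            string
}

// ACL is the top-level record: a name plus ordered egress and ingress rules.
type ACL struct {
	Name    string
	Egress  []Rule
	Ingress []Rule
}

var (
	validActions   = map[string]bool{"allow": true, "allow-stateless": true, "reject": true, "drop": true}
	validStates    = map[string]bool{"enabled": true, "disabled": true, "logging": true}
	validProtocols = map[string]bool{"": true, "tcp": true, "udp": true, "icmp4": true, "icmp6": true}
	validSelectors = map[string]bool{"@external": true, "@internal": true} // assumed selector names
)

// validateSubject checks a comma-separated source/destination list: each entry
// must be a selector, a single IP, a CIDR prefix, or an "a-b" address range.
func validateSubject(field, value string) error {
	if value == "" {
		return nil // empty means "any"
	}
	for _, entry := range strings.Split(value, ",") {
		entry = strings.TrimSpace(entry)
		switch {
		case validSelectors[entry]:
			continue
		case strings.Contains(entry, "/"):
			if _, err := netip.ParsePrefix(entry); err != nil {
				return fmt.Errorf("%s: bad CIDR %q: %w", field, entry, err)
			}
		case strings.Contains(entry, "-"):
			lo, hi, _ := strings.Cut(entry, "-")
			a, errA := netip.ParseAddr(lo)
			b, errB := netip.ParseAddr(hi)
			if errA != nil || errB != nil || a.Is4() != b.Is4() || a.Compare(b) > 0 {
				return fmt.Errorf("%s: bad address range %q", field, entry)
			}
		default:
			if _, err := netip.ParseAddr(entry); err != nil {
				return fmt.Errorf("%s: bad address %q: %w", field, entry, err)
			}
		}
	}
	return nil
}

// validatePorts checks a comma-separated list of ports or "lo-hi" port ranges.
func validatePorts(field, value string) error {
	if value == "" {
		return nil
	}
	parsePort := func(s string) (int, error) {
		p, err := strconv.Atoi(strings.TrimSpace(s))
		if err != nil || p < 1 || p > 65535 {
			return 0, fmt.Errorf("%s: bad port %q", field, s)
		}
		return p, nil
	}
	for _, entry := range strings.Split(value, ",") {
		lo, hi, isRange := strings.Cut(entry, "-")
		a, err := parsePort(lo)
		if err != nil {
			return err
		}
		if isRange {
			b, err := parsePort(hi)
			if err != nil {
				return err
			}
			if a > b {
				return fmt.Errorf("%s: inverted port range %q", field, entry)
			}
		}
	}
	return nil
}

// ValidateRule returns the first problem found in a single rule, or nil.
func ValidateRule(r Rule) error {
	if !validActions[r.Action] {
		return fmt.Errorf("action: unknown value %q", r.Action)
	}
	if !validStates[r.State] {
		return fmt.Errorf("state: unknown value %q", r.State)
	}
	if !validProtocols[r.Protocol] {
		return fmt.Errorf("protocol: unknown value %q", r.Protocol)
	}
	// Ports are only meaningful for TCP/UDP; catch the mismatch at plan time.
	if (r.SourcePort != "" || r.DestinationPort != "") && r.Protocol != "tcp" && r.Protocol != "udp" {
		return fmt.Errorf("ports require protocol tcp or udp, got %q", r.Protocol)
	}
	for _, err := range []error{
		validateSubject("source", r.Source),
		validateSubject("destination", r.Destination),
		validatePorts("source_port", r.SourcePort),
		validatePorts("destination_port", r.DestinationPort),
	} {
		if err != nil {
			return err
		}
	}
	return nil
}

func validateList(name string, rules []Rule) error {
	for i, r := range rules {
		if err := ValidateRule(r); err != nil {
			return fmt.Errorf("%s[%d]: %w", name, i, err)
		}
	}
	return nil
}

// ValidateACL walks egress then ingress and reports the offending list and index.
func ValidateACL(acl ACL) error {
	if err := validateList("egress", acl.Egress); err != nil {
		return err
	}
	return validateList("ingress", acl.Ingress)
}

func main() {
	// The ACL from the thread, as constructed sample input.
	acl := ACL{Name: "my_acl",
		Egress: []Rule{
			{Action: "allow", Destination: "1.1.1.1,1.0.0.1", DestinationPort: "53", Protocol: "udp", State: "enabled"},
			{Action: "allow", Destination: "1.1.1.1,1.0.0.1", DestinationPort: "53", Protocol: "tcp", State: "enabled"},
		},
		Ingress: []Rule{{Action: "allow", Source: "@external", DestinationPort: "22", Protocol: "tcp", State: "logging"}},
	}
	fmt.Println("thread ACL:", ValidateACL(acl))
	fmt.Println("port without protocol:", ValidateRule(Rule{Action: "allow", DestinationPort: "53", State: "enabled"}))
}
```

In a terraform-plugin-framework provider these checks would be wired in as attribute validators on the list elements (or in `ValidateConfig`), so that the same `egress[1]: ...`-style message reaches the user during `plan`; the error paths above mirror what the Incus API would otherwise reject only at `apply`.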