oracle-terraform-modules / terraform-oci-oke

The Terraform OKE Module Installer for Oracle Cloud Infrastructure provides a Terraform module that provisions the necessary resources for Oracle Container Engine.
https://oracle-terraform-modules.github.io/terraform-oci-oke/
Universal Permissive License v1.0

Generated NSG Rules for accessing FSS do not match the documentation. #915

Closed ppiechoc closed 6 months ago

ppiechoc commented 6 months ago

### Community Note

### Terraform Version and Provider Version

Terraform v1.5.7 on linux_amd64

### Affected Resource(s)

- `module.oke.module.network.oci_core_network_security_group_security_rule.oke["Allow TCP egress from workers for NFS portmapper to FSS mounts"]`
- `module.oke.module.network.oci_core_network_security_group_security_rule.oke["Allow TCP egress from workers for NFS to FSS mounts"]`
- `module.oke.module.network.oci_core_network_security_group_security_rule.oke["Allow TCP ingress to workers for NFS from FSS mounts"]`
- `module.oke.module.network.oci_core_network_security_group_security_rule.oke["Allow TCP ingress to workers for NFS portmapper from FSS mounts"]`
- `module.oke.module.network.oci_core_network_security_group_security_rule.oke["Allow UDP egress from workers for NFS portmapper to FSS mounts"]`
- `module.oke.module.network.oci_core_network_security_group_security_rule.oke["Allow UDP egress from workers for NFS to FSS mounts"]`
- `module.oke.module.network.oci_core_network_security_group_security_rule.oke["Allow UDP ingress to workers for NFS portmapper from FSS mounts"]`

### Terraform Configuration Files

```hcl
locals {
  ## Networking
  subnets = {
    bastion  = { create = "never" }
    operator = { create = "never" }
    cp       = { create = "never", id = var.cp_subnet_id }
    fss      = { create = "never" }
    int_lb   = { create = "never", id = var.int_lb_subnet_id }
    pub_lb   = { create = "never" }
    workers  = { create = "never", id = var.workers_subnet_id }
    pods     = { create = "never", id = var.pods_subnet_id }
  }
  nsgs = {
    bastion  = { create = "never" }
    operator = { create = "never" }
    cp       = { create = "always" }
    fss      = { create = "always" }
    int_lb   = { create = "always" }
    pub_lb   = { create = "never" }
    workers  = { create = "always" }
    pods     = { create = var.enable_npn ? "always" : "never" }
  }

  ## Workers
  worker_pools = {
    "oke-nodepool-${var.instance}-workers" = {
      size = 3
    }
  }

}

module "oke" {
  source    = "git::https://github.com/oracle-terraform-modules/terraform-oci-oke.git?ref=v5.1.4"
  providers = { oci.home = oci }

  # Identity
  state_id = var.instance
  cluster_name = "oke-${var.instance}"

  # Placement
  tenancy_id = var.tenancy_ocid
  compartment_id = var.compartment_id
  network_compartment_id = var.network_compartment_id

  # Actions
  create_vcn = false
  create_drg = false
  create_bastion = false
  create_cluster = true
  create_operator = false

  # Networking
  vcn_id = var.vcn_id
  subnets = local.subnets
  nsgs = local.nsgs
  allow_worker_internet_access = false
  allow_pod_internet_access = false

  # Cluster
  kubernetes_version = var.kubernetes_version
  cluster_type = "enhanced"
  control_plane_is_public = false
  preferred_load_balancer = "internal"
  cni_type = var.enable_npn ? "npn" : "flannel"
  control_plane_nsg_ids = var.control_plane_nsg_ids

  # Workers
  worker_pools = local.worker_pools
  ssh_public_key = join("\n", var.ssh_public_keys)
  worker_nsg_ids = var.worker_nsg_ids

}
```

### Debug Output

### Panic Output

### Expected Behavior

Security rules created in FSS NSG and Workers NSG should match the documentation: https://docs.oracle.com/en-us/iaas/Content/File/Tasks/securitylistsfilestorage.htm

### Actual Behavior

Generated rules are different from the documentation in two ways:

### Steps to Reproduce


1. `terraform apply`

### Important Factoids


### References

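An added example, not part of this issue or of the terraform-oci-oke module: a script that walks `terraform show -json` output, collects the NSG security rules whose description mentions FSS, and diffs them against an expected rule set, so a report like this one can state exactly which rules are missing or unexpected. The expected set `EXPECTED_WORKER_FSS` and the `SAMPLE` state fragment are assumptions constructed for the demo; fill the expected set from the documentation page linked under Expected Behavior before relying on the result.

```python
import json, sys

PROTO = {"6": "tcp", "17": "udp"}  # protocol numbers as the OCI provider stores them

# ASSUMED placeholder for the workers NSG, as (direction, proto, min_port, max_port);
# replace these tuples with the rules from the FSS documentation page.
EXPECTED_WORKER_FSS = {
    ("EGRESS", "tcp", 111, 111), ("EGRESS", "tcp", 2048, 2050),
    ("EGRESS", "udp", 111, 111), ("EGRESS", "udp", 2048, 2048),
}

def iter_resources(module):
    """Recursively yield every resource in a `terraform show -json` module tree."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def rule_tuples(res):
    """Normalise one NSG rule into (direction, proto, min, max) tuples, one per range."""
    v = res["values"]
    proto = PROTO.get(v.get("protocol"), v.get("protocol"))
    opts = v.get("tcp_options") or v.get("udp_options") or []
    ranges = [r for o in opts for r in o.get("destination_port_range", [])]
    if not ranges:  # no port block means the rule allows the whole port range
        return {(v["direction"], proto, 1, 65535)}
    return {(v["direction"], proto, r["min"], r["max"]) for r in ranges}

def fss_rules(show_json):
    """Collect normalised NSG rules whose description mentions FSS."""
    found = set()
    for res in iter_resources(show_json["values"]["root_module"]):
        if (res["type"] == "oci_core_network_security_group_security_rule"
                and "FSS" in res["values"].get("description", "")):
            found |= rule_tuples(res)
    return found

def diff_rules(show_json, expected):
    """Return (missing, unexpected) relative to the expected rule set."""
    found = fss_rules(show_json)
    return expected - found, found - expected

# Constructed fragment in the shape of `terraform show -json` output (two rules).
SAMPLE = {"values": {"root_module": {"child_modules": [{"child_modules": [{"resources": [
    {"type": "oci_core_network_security_group_security_rule", "values": {"direction": "EGRESS",
     "protocol": "6", "description": "Allow TCP egress from workers for NFS to FSS mounts",
     "tcp_options": [{"destination_port_range": [{"min": 2048, "max": 2050}]}]}},
    {"type": "oci_core_network_security_group_security_rule", "values": {"direction": "EGRESS",
     "protocol": "17", "description": "Allow UDP egress from workers for NFS portmapper to FSS mounts",
     "udp_options": [{"destination_port_range": [{"min": 111, "max": 111}]}]}}]}]}]}}}

if __name__ == "__main__":  # usage: terraform show -json > state.json; python check.py state.json
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    missing, extra = diff_rules(data, EXPECTED_WORKER_FSS)
    print("missing:", sorted(missing), "unexpected:", sorted(extra))
```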
ppiechoc commented 6 months ago

Submitted incomplete. I'll recreate this.