3 changes: 2 additions & 1 deletion docs/data-sources/loadbalancer.md
Original file line number Diff line number Diff line change
Expand Up @@ -37,11 +37,12 @@ data "stackit_loadbalancer" "example" {
- `external_address` (String) External Load Balancer IP address where this Load Balancer is exposed.
- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`","region","`name`".
- `listeners` (Attributes List) List of all listeners which will accept traffic. Limited to 20. (see [below for nested schema](#nestedatt--listeners))
- `load_balancer_security_group_id` (String) The ID of the egress security group assigned to the Load Balancer's internal machines. This ID is essential for allowing traffic from the Load Balancer to targets in different networks or STACKIT network areas (SNA). To enable this, create a security group rule for your target VMs and set the `remote_security_group_id` of that rule to this value. This is typically used when `disable_security_group_assignment` is set to `true`.
- `networks` (Attributes List) List of networks that listeners and targets reside in. (see [below for nested schema](#nestedatt--networks))
- `options` (Attributes) Defines any optional functionality you want to have enabled on your load balancer. (see [below for nested schema](#nestedatt--options))
- `plan_id` (String) The service plan ID. If not defined, the default service plan is `p10`. Possible values are: `p10`, `p50`, `p250`, `p750`.
- `private_address` (String) Transient private Load Balancer IP address. It can change any time.
- `security_group_id` (String) The ID of the egress security group assigned to the Load Balancer's internal machines. This ID is essential for allowing traffic from the Load Balancer to targets in different networks or STACKIT Network areas (SNA). To enable this, create a security group rule for your target VMs and set the `remote_security_group_id` of that rule to this value. This is typically used when `disable_security_group_assignment` is set to `true`.
- `security_group_id` (String) The ID of the automatically created security group that allows the targets to receive traffic from the LoadBalancer. Useful when disableTargetSecurityGroupAssignment=true to manually assign this security groups to targets.
- `target_pools` (Attributes List) List of all target pools which will be used in the Load Balancer. Limited to 20. (see [below for nested schema](#nestedatt--target_pools))
- `version` (String) Load balancer resource version.
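Review bot: the new `security_group_id` description names the option as `disableTargetSecurityGroupAssignment=true`, which is not a Terraform attribute; the `load_balancer_security_group_id` entry a few lines above it uses `disable_security_group_assignment`. Suggested wording: "Useful when `disable_security_group_assignment` is set to `true`, to manually assign this security group to targets." That also fixes "this security groups" and the spelling "LoadBalancer", which is "Load Balancer" in every other entry of this list. The same sentence appears in docs/resources/loadbalancer.md and in the `descriptions` map of the data source schema in this PR and needs the same correction there.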

Expand Down
52 changes: 33 additions & 19 deletions docs/resources/loadbalancer.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,21 @@ The example below creates the supporting infrastructure using the STACKIT Terraf
## Example Usage

```terraform
variable "project_id" {
description = "The STACKIT Project ID"
type = string
default = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

variable "image_id" {
description = "A valid Debian 12 Image ID available in all projects"
type = string
default = "939249d1-6f48-4ab7-929b-95170728311a"
}

# Create a network
resource "stackit_network" "example_network" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
name = "example-network"
ipv4_nameservers = ["8.8.8.8"]
ipv4_prefix = "192.168.0.0/25"
Expand All @@ -31,13 +43,13 @@ resource "stackit_network" "example_network" {

# Create a network interface
resource "stackit_network_interface" "nic" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
network_id = stackit_network.example_network.network_id
}

# Create a public IP for the load balancer
resource "stackit_public_ip" "public-ip" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
lifecycle {
ignore_changes = [network_interface_id]
}
Expand All @@ -51,7 +63,7 @@ resource "stackit_key_pair" "keypair" {

# Create a server instance
resource "stackit_server" "boot-from-image" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
name = "example-server"
boot_volume = {
size = 64
Expand All @@ -68,7 +80,7 @@ resource "stackit_server" "boot-from-image" {

# Create a load balancer
resource "stackit_loadbalancer" "example" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
name = "example-load-balancer"
plan_id = "p10"
target_pools = [
Expand Down Expand Up @@ -116,29 +128,30 @@ resource "stackit_loadbalancer" "example" {
# This example demonstrates an advanced setup where the Load Balancer is in one
# network and the target server is in another. This requires manual
# security group configuration using the `disable_security_group_assignment`
# and `security_group_id` attributes.
# and `load_balancer_security_group_id` attributes.

# We create two separate networks: one for the load balancer and one for the target.
resource "stackit_network" "lb_network" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
name = "lb-network-example"
ipv4_prefix = "192.168.10.0/25"
ipv4_nameservers = ["8.8.8.8"]
routed = true
}

resource "stackit_network" "target_network" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
name = "target-network-example"
ipv4_prefix = "192.168.10.0/25"
ipv4_prefix = "192.168.15.0/25"
ipv4_nameservers = ["8.8.8.8"]
}

resource "stackit_public_ip" "example" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
}

resource "stackit_loadbalancer" "example" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
name = "example-advanced-lb"
external_address = stackit_public_ip.example.ip
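Review bot: `routed = true` is added to `lb_network` only and nothing says why, while `target_network` in the same hunk leaves `routed` unset. This example exists to show targets in a different network, so add a one-line comment above `routed = true` stating what it is needed for here and whether the target network has to be routed as well. The change of the target prefix to `192.168.15.0/25` is a good fix, since both networks previously declared `192.168.10.0/25`.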

Expand Down Expand Up @@ -168,23 +181,23 @@ resource "stackit_loadbalancer" "example" {

# Create a new security group to be assigned to the target server.
resource "stackit_security_group" "target_sg" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
name = "target-sg-for-lb-access"
description = "Allows ingress traffic from the example load balancer."
}

# Create a rule to allow traffic FROM the load balancer.
# This rule uses the computed `security_group_id` of the load balancer.
# This rule uses the computed `load_balancer_security_group_id` of the load balancer.
resource "stackit_security_group_rule" "allow_lb_ingress" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
security_group_id = stackit_security_group.target_sg.security_group_id
direction = "ingress"
protocol = {
name = "tcp"
}

# This is the crucial link: it allows traffic from the LB's security group.
remote_security_group_id = stackit_loadbalancer.example.security_group_id
remote_security_group_id = stackit_loadbalancer.example.load_balancer_security_group_id

port_range = {
min = 80
Expand All @@ -193,14 +206,14 @@ resource "stackit_security_group_rule" "allow_lb_ingress" {
}

resource "stackit_server" "example" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
name = "example-remote-target"
machine_type = "g2i.2"
availability_zone = "eu01-1"

boot_volume = {
source_type = "image"
source_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
source_id = var.image_id
size = 10
}

Expand All @@ -210,7 +223,7 @@ resource "stackit_server" "example" {
}

resource "stackit_network_interface" "nic" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
network_id = stackit_network.target_network.network_id
security_group_ids = [stackit_security_group.target_sg.security_group_id]
}
Expand Down Expand Up @@ -245,8 +258,9 @@ import {
### Read-Only

- `id` (String) Terraform's internal resource ID. It is structured as "`project_id`","region","`name`".
- `load_balancer_security_group_id` (String) The ID of the egress security group assigned to the Load Balancer's internal machines. This ID is essential for allowing traffic from the Load Balancer to targets in different networks or STACKIT network areas (SNA). To enable this, create a security group rule for your target VMs and set the `remote_security_group_id` of that rule to this value. This is typically used when `disable_security_group_assignment` is set to `true`.
- `private_address` (String) Transient private Load Balancer IP address. It can change any time.
- `security_group_id` (String) The ID of the egress security group assigned to the Load Balancer's internal machines. This ID is essential for allowing traffic from the Load Balancer to targets in different networks or STACKIT network areas (SNA). To enable this, create a security group rule for your target VMs and set the `remote_security_group_id` of that rule to this value. This is typically used when `disable_security_group_assignment` is set to `true`.
- `security_group_id` (String) The ID of the automatically created security group that allows the targets to receive traffic from the LoadBalancer. Useful when disableTargetSecurityGroupAssignment=true to manually assign this security groups to targets.
- `version` (String) Load balancer resource version. This is needed to have concurrency safe updates.

<a id="nestedatt--listeners"></a>
Expand Down
49 changes: 31 additions & 18 deletions examples/resources/stackit_loadbalancer/resource.tf
Original file line number Diff line number Diff line change
@@ -1,6 +1,18 @@
variable "project_id" {
description = "The STACKIT Project ID"
type = string
default = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

variable "image_id" {
description = "A valid Debian 12 Image ID available in all projects"
type = string
default = "939249d1-6f48-4ab7-929b-95170728311a"
}

# Create a network
resource "stackit_network" "example_network" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
name = "example-network"
ipv4_nameservers = ["8.8.8.8"]
ipv4_prefix = "192.168.0.0/25"
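Review bot: both new variables carry defaults that mask missing input. `project_id` defaults to the all-`x` placeholder, so a user who forgets to set it is not stopped by Terraform's required-variable check and only finds out when the placeholder is rejected later; dropping the `default` keeps the placeholder out of real plans. `image_id` hardcodes `939249d1-6f48-4ab7-929b-95170728311a` with the claim that it is "available in all projects"; that ID is copied into every configuration built from this example and there is no hint how to verify it, so either leave the default out or extend the description with how to look up a current image ID.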
Expand All @@ -12,13 +24,13 @@ resource "stackit_network" "example_network" {

# Create a network interface
resource "stackit_network_interface" "nic" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
network_id = stackit_network.example_network.network_id
}

# Create a public IP for the load balancer
resource "stackit_public_ip" "public-ip" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
lifecycle {
ignore_changes = [network_interface_id]
}
Expand All @@ -32,7 +44,7 @@ resource "stackit_key_pair" "keypair" {

# Create a server instance
resource "stackit_server" "boot-from-image" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
name = "example-server"
boot_volume = {
size = 64
Expand All @@ -49,7 +61,7 @@ resource "stackit_server" "boot-from-image" {

# Create a load balancer
resource "stackit_loadbalancer" "example" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
name = "example-load-balancer"
plan_id = "p10"
target_pools = [
Expand Down Expand Up @@ -97,29 +109,30 @@ resource "stackit_loadbalancer" "example" {
# This example demonstrates an advanced setup where the Load Balancer is in one
# network and the target server is in another. This requires manual
# security group configuration using the `disable_security_group_assignment`
# and `security_group_id` attributes.
# and `load_balancer_security_group_id` attributes.

# We create two separate networks: one for the load balancer and one for the target.
resource "stackit_network" "lb_network" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
name = "lb-network-example"
ipv4_prefix = "192.168.10.0/25"
ipv4_nameservers = ["8.8.8.8"]
routed = true
}

resource "stackit_network" "target_network" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
name = "target-network-example"
ipv4_prefix = "192.168.10.0/25"
ipv4_prefix = "192.168.15.0/25"
ipv4_nameservers = ["8.8.8.8"]
}

resource "stackit_public_ip" "example" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
}

resource "stackit_loadbalancer" "example" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
name = "example-advanced-lb"
external_address = stackit_public_ip.example.ip

Expand Down Expand Up @@ -149,23 +162,23 @@ resource "stackit_loadbalancer" "example" {

# Create a new security group to be assigned to the target server.
resource "stackit_security_group" "target_sg" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
name = "target-sg-for-lb-access"
description = "Allows ingress traffic from the example load balancer."
}

# Create a rule to allow traffic FROM the load balancer.
# This rule uses the computed `security_group_id` of the load balancer.
# This rule uses the computed `load_balancer_security_group_id` of the load balancer.
resource "stackit_security_group_rule" "allow_lb_ingress" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
security_group_id = stackit_security_group.target_sg.security_group_id
direction = "ingress"
protocol = {
name = "tcp"
}

# This is the crucial link: it allows traffic from the LB's security group.
remote_security_group_id = stackit_loadbalancer.example.security_group_id
remote_security_group_id = stackit_loadbalancer.example.load_balancer_security_group_id

port_range = {
min = 80
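Review bot: the switch of `remote_security_group_id` to `load_balancer_security_group_id` needs an upgrade note, because `security_group_id` is not removed but redefined in this PR (from the load balancer's egress group to the auto-created group for targets). A configuration copied from the previous version of this example still validates with `stackit_loadbalancer.example.security_group_id` here, but per the new descriptions it would then allow traffic from a different group than the one the load balancer's machines send from. Please state in the changelog that this is a breaking change, and consider extending the comment above this line to say that `security_group_id` must not be used as the remote group.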
Expand All @@ -174,14 +187,14 @@ resource "stackit_security_group_rule" "allow_lb_ingress" {
}

resource "stackit_server" "example" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
name = "example-remote-target"
machine_type = "g2i.2"
availability_zone = "eu01-1"

boot_volume = {
source_type = "image"
source_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
source_id = var.image_id
size = 10
}

Expand All @@ -191,7 +204,7 @@ resource "stackit_server" "example" {
}

resource "stackit_network_interface" "nic" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
project_id = var.project_id
network_id = stackit_network.target_network.network_id
security_group_ids = [stackit_security_group.target_sg.security_group_id]
}
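Review bot: `stackit_network_interface.nic` is still given only `stackit_security_group.target_sg.security_group_id`, so the example never shows the attribute whose description this PR rewrites. The new text says `security_group_id` is meant to be assigned to targets manually when `disable_security_group_assignment` is `true`, which is exactly this scenario. Add a comment here explaining when to build a custom group plus a `load_balancer_security_group_id` rule, as the example does, and when assigning `stackit_loadbalancer.example.security_group_id` to the target is enough; otherwise readers are left with two similarly named IDs and only one demonstrated.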
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,8 @@ func (r *loadBalancerDataSource) Schema(_ context.Context, _ datasource.SchemaRe
"project_id": "STACKIT project ID to which the Load Balancer is associated.",
"external_address": "External Load Balancer IP address where this Load Balancer is exposed.",
"disable_security_group_assignment": "If set to true, this will disable the automatic assignment of a security group to the load balancer's targets. This option is primarily used to allow targets that are not within the load balancer's own network or SNA (STACKIT Network area). When this is enabled, you are fully responsible for ensuring network connectivity to the targets, including managing all routing and security group rules manually. This setting cannot be changed after the load balancer is created.",
"security_group_id": "The ID of the egress security group assigned to the Load Balancer's internal machines. This ID is essential for allowing traffic from the Load Balancer to targets in different networks or STACKIT Network areas (SNA). To enable this, create a security group rule for your target VMs and set the `remote_security_group_id` of that rule to this value. This is typically used when `disable_security_group_assignment` is set to `true`.",
"security_group_id": "The ID of the automatically created security group that allows the targets to receive traffic from the LoadBalancer. Useful when disableTargetSecurityGroupAssignment=true to manually assign this security groups to targets.",
"load_balancer_security_group_id": "The ID of the egress security group assigned to the Load Balancer's internal machines. This ID is essential for allowing traffic from the Load Balancer to targets in different networks or STACKIT network areas (SNA). To enable this, create a security group rule for your target VMs and set the `remote_security_group_id` of that rule to this value. This is typically used when `disable_security_group_assignment` is set to `true`.",
"listeners": "List of all listeners which will accept traffic. Limited to 20.",
"port": "Port number where we listen for traffic.",
"protocol": "Protocol is the highest network protocol we understand to load balance.",
Expand Down Expand Up @@ -374,6 +375,10 @@ func (r *loadBalancerDataSource) Schema(_ context.Context, _ datasource.SchemaRe
Description: descriptions["security_group_id"],
Computed: true,
},
"load_balancer_security_group_id": schema.StringAttribute{
Description: descriptions["load_balancer_security_group_id"],
Computed: true,
},
"version": schema.StringAttribute{
Description: descriptions["version"],
Computed: true,
Expand Down