Add support to customize subnet name and extend rules on the pods and cp NSG

Author: robo-cap

module-network.tf

@@ -113,7 +113,9 @@ module "network" {
 
   allow_node_port_access       = var.allow_node_port_access
   allow_pod_internet_access    = var.allow_pod_internet_access
+  allow_rules_cp               = var.allow_rules_cp
   allow_rules_internal_lb      = var.allow_rules_internal_lb
+  allow_rules_pods             = var.allow_rules_pods
   allow_rules_public_lb        = var.allow_rules_public_lb
   allow_rules_workers          = var.allow_rules_workers
   allow_worker_internet_access = var.allow_worker_internet_access

modules/network/nsg-controlplane.tf

@@ -74,6 +74,7 @@ locals {
         protocol = local.tcp_protocol, port = local.apiserver_port, source = allowed_cidr, source_type = local.rule_type_cidr
       }
     },
+    var.allow_rules_cp
   ) : {}
 }
 

modules/network/nsg-pods.tf

@@ -53,6 +53,7 @@ locals {
         protocol = local.all_protocols, port = local.all_ports, destination = local.anywhere, destination_type = local.rule_type_cidr,
       }
     } : {},
+    var.allow_rules_pods
   ) : {}
 }
 

modules/network/subnets.tf

@@ -126,7 +126,13 @@ resource "oci_core_subnet" "oke" {
   compartment_id             = var.compartment_id
   vcn_id                     = var.vcn_id
   cidr_block                 = lookup(local.subnet_cidrs_all, each.key)
-  display_name               = format("%v-%v", each.key, var.state_id)
+  display_name               = ( lookup(var.subnets, each.key, null) != null ? 
+    ( lookup(var.subnets[each.key], "display_name", null) != null ?
+        var.subnets[each.key]["display_name"] :
+        format("%v-%v", each.key, var.state_id) 
+    ) :
+    format("%v-%v", each.key, var.state_id)
+  )
   dns_label                  = lookup(local.subnet_dns_labels, each.key, null)
   prohibit_public_ip_on_vnic = !tobool(lookup(each.value, "is_public", false))
   route_table_id             = !tobool(lookup(each.value, "is_public", false)) ? var.nat_route_table_id : var.ig_route_table_id
@@ -136,7 +142,7 @@ resource "oci_core_subnet" "oke" {
 
   lifecycle {
     ignore_changes = [
-      freeform_tags, defined_tags, display_name,
+      freeform_tags, defined_tags,
       cidr_block, dns_label, security_list_ids, vcn_id, route_table_id,
     ]
   }

modules/network/variables.tf

@@ -14,7 +14,9 @@ variable "use_defined_tags" { type = bool }
 # Network
 variable "allow_node_port_access" { type = bool }
 variable "allow_pod_internet_access" { type = bool }
+variable "allow_rules_cp" { type = any }
 variable "allow_rules_internal_lb" { type = any }
+variable "allow_rules_pods" { type = any }
 variable "allow_rules_public_lb" { type = any }
 variable "allow_rules_workers" { type = any }
 variable "allow_worker_internet_access" { type = bool }
@@ -40,12 +42,13 @@ variable "worker_is_public" { type = bool }
 
 variable "subnets" {
   type = map(object({
-    create    = optional(string)
-    id        = optional(string)
-    newbits   = optional(string)
-    netnum    = optional(string)
-    cidr      = optional(string)
-    dns_label = optional(string)
+    create       = optional(string)
+    id           = optional(string)
+    newbits      = optional(string)
+    netnum       = optional(string)
+    cidr         = optional(string)
+    display_name = optional(string)
+    dns_label    = optional(string)
   }))
 }
 

variables-network.tf

@@ -139,12 +139,13 @@ variable "subnets" {
   }
   description = "Configuration for standard subnets. The 'create' parameter of each entry defaults to 'auto', creating subnets when other enabled components are expected to utilize them, and may be configured with 'never' or 'always' to force disabled/enabled."
   type = map(object({
-    create    = optional(string)
-    id        = optional(string)
-    newbits   = optional(string)
-    netnum    = optional(string)
-    cidr      = optional(string)
-    dns_label = optional(string)
+    create       = optional(string)
+    id           = optional(string)
+    newbits      = optional(string)
+    netnum       = optional(string)
+    cidr         = optional(string)
+    display_name = optional(string)
+    dns_label    = optional(string)
   }))
   validation {
     condition = alltrue([
@@ -154,10 +155,10 @@ variable "subnets" {
   }
   validation {
     condition = alltrue([
-      for v in flatten([for k, v in var.subnets : keys(v)]) : contains(["create", "id", "cidr", "netnum", "newbits", "dns_label"], v)
+      for v in flatten([for k, v in var.subnets : keys(v)]) : contains(["create", "id", "cidr", "netnum", "newbits", "display_name", "dns_label"], v)
     ])
     error_message = format("Invalid subnet configuration keys: %s", jsonencode(distinct([
-      for v in flatten([for k, v in var.subnets : keys(v)]) : v if !contains(["create", "id", "cidr", "netnum", "newbits", "dns_label"], v)
+      for v in flatten([for k, v in var.subnets : keys(v)]) : v if !contains(["create", "id", "cidr", "netnum", "newbits", "display_name", "dns_label"], v)
     ])))
   }
 }
@@ -250,12 +251,24 @@ variable "allow_bastion_cluster_access" {
   type        = bool
 }
 
+variable "allow_rules_cp" {
+  default     = {}
+  description = "A map of additional rules to allow traffic for the OKE control plane."
+  type        = any
+}
+
 variable "allow_rules_internal_lb" {
   default     = {}
   description = "A map of additional rules to allow incoming traffic for internal load balancers."
   type        = any
 }
 
+variable "allow_rules_pods" {
+  default     = {}
+  description = "A map of additional rules to allow traffic for the pods."
+  type        = any
+}
+
 variable "allow_rules_public_lb" {
   default     = {}
   description = "A map of additional rules to allow incoming traffic for public load balancers."