Merge pull request #16 from tmckayus/createsg

Add option to disable creation of the cuopt security group
NVIDIA · Nov 30, 2022 · 89de9d3 · 89de9d3
2 parents 132bfd2 + 61fc48d
commit 89de9d3
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 2 deletions.
diff --git a/cloud-scripts/aws/main.tf b/cloud-scripts/aws/main.tf
@@ -53,6 +53,7 @@ resource "aws_default_vpc" "default" {
 }
 
 resource "aws_security_group" "cuopt-server" {
+  count = var.create_security_group ? 1 : 0
   name = lower(random_pet.pet.id)
   vpc_id = "${aws_default_vpc.default.id}"
 
@@ -94,6 +95,11 @@ data "aws_security_groups" "additional-security-groups" {
   }
 }
 
+locals {
+  security_groups = var.create_security_group ? concat([aws_security_group.cuopt-server[0].id],
+                                                        data.aws_security_groups.additional-security-groups.ids) : data.aws_security_groups.additional-security-groups.ids
+}
+
 data "aws_ami" "osimage" {
   most_recent = true
 
@@ -125,7 +131,7 @@ resource "aws_instance" "cuopt_server" {
   instance_type = var.instance_type
   key_name = aws_key_pair.cuopt.key_name
 
-  vpc_security_group_ids = concat([aws_security_group.cuopt-server.id], data.aws_security_groups.additional-security-groups.ids)
+  vpc_security_group_ids = local.security_groups
   root_block_device {
     volume_size = var.instance_root_volume_size 
   } 

diff --git a/cloud-scripts/aws/terraform.tfvars b/cloud-scripts/aws/terraform.tfvars
@@ -26,26 +26,45 @@
 
 # Optional settings
 
+# Whether or not to create a new security group for the cuOpt server
+# Port 22 for ssh and ports 30000 and/or 30001 for the cuOpt API and Jupyter servers must be reachable.
+# If your default network has default rules to allow access to these ports, this value may be set to false.
+# If your account has existing security groups that allow access to these ports, this value may be set to false
+# if you also set additional_security_groups to include those existing security groups.
+# If your account does not have permission to create new security groups, then set this value to false and
+# ask an admin to create default network rules or additional security groups to allow these ports.
+#create_security_group = false
+
+# Has no effect if create_security_group = false
 # List of CIDR block values for addresses allowed to connect to the ssh port.
 # If installing from a cloud shell, the public IP address of the cloud shell must be included here
 # Individual IP addresses must be expressed as CIDRs in the form 1.2.3.4/32
 #ssh_cidr_blocks = ["0.0.0.0/0"]
 
+# Has no effect if create_security_group = false
 # List of CIDR block values for addresses allowed to connect to the cuOpt server.
 # Individual IP addresses must be expressed as CIDRs in the form 1.2.3.4/32
-# More info at https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
 #cuopt_server_cidr_blocks = ["0.0.0.0/0"]
 
+# Has no effect if create_security_group = false
+# List of CIDR block values for outgoing traffic on all ports.
+# Individual IP addresses must be expressed as CIDRs in the form 1.2.3.4/32
+#outgoing_cidr_blocks = ["0.0.0.0/0"]
+
 # Additional notes on CIDR blocks
+# More info at https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
 
+# Has no effect if create_security_group = false
 # If your default network has default rules for port 22 that you would like to use instead,
 # set this value to [] to prevent creation of the rule for port 22.
 #ssh_cidr_blocks = []
 
+# Has no effect if create_security_group = false
 # If your default network has default rules for ports 30000-30001 that you would like to use instead,
 # set this value to [] to prevent creation of the rule for ports 30000-30001
 #cuopt_server_cidr_blocks = []
 
+# Has no effect if create_security_group = false
 # If your default network has default rules for outgoing traffic that you would like to use instead,
 # set this value to [] to prevent creation of the rule for outgoing traffic (default unrestricted)
 #outgoing_cidr_blocks = []

diff --git a/cloud-scripts/aws/variables.tf b/cloud-scripts/aws/variables.tf
@@ -67,6 +67,12 @@ variable "additional_security_groups" {
   default     = []
 }
 
+variable "create_security_group" {
+  description = "Whether or not to create a new security group for cuOpt. Security groups created outside of Terraform may be listed in additional_security_groups."
+  type = bool
+  default = true
+}
+
 variable "instance_ami_name" {
   description = "The pattern(s) used to filter available AMIs by name to select an image for the instance. May include wildcards."
   type        = list