Add manual security group handling and expose SG ID #923

msk-stackit · 2025-07-22T12:54:49Z

Description

This PR enhances the stackit_loadbalancer resource by introducing advanced networking capabilities for managing security groups, particularly for cross-network and cross-project use cases.

Two new attributes have been added:

disable_security_group_assignment (Optional, Bool): This new root-level flag allows users to disable the automatic creation and assignment of security groups to the load balancer's targets. This is required when targets are located in a different network or project than the load balancer itself, giving users full control over the networking setup.

security_group_id (Computed, String): This new computed attribute exposes the ID of the load balancer's own internal egress security group. Users can reference this ID in their own security group rules (e.g., as the remote_security_group_id) to manually permit traffic from the load balancer to their targets.

Together, these features enable secure and explicit network configurations for complex architectures. This change includes updates to the resource and data source schemas, all necessary business logic, comprehensive unit and acceptance tests, and updated documentation to guide users through the new workflow.

relates to #1150

Checklist

Issue was linked above
Code format was applied: make fmt
Examples were added / adjusted (see examples/ directory)
Docs are up-to-date: make generate-docs (will be checked by CI)
Unit tests got implemented or updated
Acceptance tests got implemented or updated (see e.g. here)
Unit tests are passing: make test (will be checked by CI)
No linter issues: make lint (will be checked by CI)

… the load balancer resource. This allows disabling the automatic assignment of a security group to the targets.

This allows users to reference the ID in security group rules for targets in other networks, enabling cross-network traffic.

stackit/internal/services/loadbalancer/loadbalancer/resource.go

stackit/internal/services/loadbalancer/loadbalancer_acc_test.go

examples/resources/stackit_loadbalancer/resource.tf

docs/resources/loadbalancer.md

…es ready if disabletargetsecuritygroupassignment is true

stackit/internal/services/loadbalancer/loadbalancer/resource.go

docs/resources/loadbalancer.md

…es ready if disabletargetsecuritygroupassignment is true

…oceeding, updated docs

Fyusel

Hi @msk-stackit,
there is one linter issue left.

Additionally I executed the acceptance tests and they fail with the following:

=== NAME  TestAccLoadBalancerResourceMin
    loadbalancer_acc_test.go:99: Step 1/4 error: After applying this test step, the refresh plan was not empty.
        stdout
        
        
        Terraform used the selected providers to generate the following execution
        plan. Resource actions are indicated with the following symbols:
          ~ update in-place
        
        Terraform will perform the following actions:
        
          # stackit_network_interface.network_interface will be updated in-place
          ~ resource "stackit_network_interface" "network_interface" {
                id                   = "66b03760-125b-4c63-9624-741e8a418c02,1814ddb2-1cd6-45b1-aa08-9cfb1367e85b,373ea117-95f5-4a31-80bc-19dc473662ba"
                name                 = "name"
              ~ security_group_ids   = [
                  - "35e01159-0517-402a-b2cb-6a564918b026",
                ]
                # (8 unchanged attributes hidden)
            }
        
        Plan: 0 to add, 1 to change, 0 to destroy.

msk-stackit · 2025-08-19T13:12:03Z

Hi @msk-stackit, there is one linter issue left.

Additionally I executed the acceptance tests and they fail with the following:

=== NAME  TestAccLoadBalancerResourceMin
    loadbalancer_acc_test.go:99: Step 1/4 error: After applying this test step, the refresh plan was not empty.
        stdout
        
        
        Terraform used the selected providers to generate the following execution
        plan. Resource actions are indicated with the following symbols:
          ~ update in-place
        
        Terraform will perform the following actions:
        
          # stackit_network_interface.network_interface will be updated in-place
          ~ resource "stackit_network_interface" "network_interface" {
                id                   = "66b03760-125b-4c63-9624-741e8a418c02,1814ddb2-1cd6-45b1-aa08-9cfb1367e85b,373ea117-95f5-4a31-80bc-19dc473662ba"
                name                 = "name"
              ~ security_group_ids   = [
                  - "35e01159-0517-402a-b2cb-6a564918b026",
                ]
                # (8 unchanged attributes hidden)
            }
        
        Plan: 0 to add, 1 to change, 0 to destroy.

this is partially expected behavior, in the minimal configuration the LB controlplane will automatically create security groups and attaches them to the target servers network interface, to work around this we have added the new disable_security_group_assignment field.

I've updated the test cases to be correct.

rubenhoenle · 2025-08-25T08:18:07Z

Acc test run looks good now 😄

rubenhoenle · 2025-08-25T13:43:52Z

stackit/internal/services/loadbalancer/loadbalancer_acc_test.go

+	"target_display_name":               config.StringVariable("example-target"),
+	"listener_port":                     config.StringVariable("5432"),
+	"listener_protocol":                 config.StringVariable("PROTOCOL_TLS_PASSTHROUGH"),
+	"network_role":                      config.StringVariable("ROLE_LISTENERS_AND_TARGETS"),


Maybe also test the new security_group_id attribute here. Feel free to add additional resources you need for the implementation to resource-max.tf. See e.g. https://github.com/stackitcloud/terraform-provider-stackit/blob/4b670ee73fe86f698d41a04ca4f6d1b6561fb1d2/stackit/internal/services/iaasalpha/testdata/resource-routingtable-route-max.tf

h3adex · 2025-08-29T14:22:08Z

Examples in this PR are using outdated machine types like c1.1

msk-stackit added 4 commits July 21, 2025 15:02

Adds the new disable_security_group_assignment boolean attribute to…

bf64470

… the load balancer resource. This allows disabling the automatic assignment of a security group to the targets.

Exposes the ID of the Load Balancer's egress security group.

b0e1e52

This allows users to reference the ID in security group rules for targets in other networks, enabling cross-network traffic.

Exposes the ID of the Load Balancer's egress security group.

19e167f

This allows users to reference the ID in security group rules for targets in other networks, enabling cross-network traffic.

change order of imports

065cd04

msk-stackit requested a review from a team as a code owner July 22, 2025 12:54

msk-stackit added 4 commits July 22, 2025 14:59

added a example for the new feature

288cf75

update docs

8bafad8

terraform fmt

c22bacd

Merge branch 'main' into main

3b4ae4b

marceljk reviewed Jul 30, 2025

View reviewed changes

add PR feedback

895ac47

marceljk reviewed Aug 6, 2025

View reviewed changes

docs/resources/loadbalancer.md Outdated Show resolved Hide resolved

msk-stackit added 8 commits August 8, 2025 11:12

Merge branch 'main' into main

3b4b190

update stackit_loadbalancer resource to no longer wait until LB becom…

4f4aa53

…es ready if disabletargetsecuritygroupassignment is true

cleanup

d803bc7

update docs and example

545aabb

update docs and example

a30cead

update docs and example

e6d3654

update docs and example

180aa11

update docs and example

b4a9a7d