Commit 05821fa7 authored by František Dvořák's avatar František Dvořák

Add firewall rules for ssh admin access + refactoring

parent d7510249
......@@ -51,10 +51,8 @@ For example (check also the other values used in *variables.tf*):
cat <<EOF > mycluster.auto.tfvars
domain = 'mydomain'
n = 3
security_trusted_cidr4 = [
security_trusted_cidr = [
"0.0.0.0/0",
]
security_trusted_cidr6 = [
"::/0",
]
ssh = 'mykey'
......
......@@ -101,7 +101,10 @@ resource "openstack_compute_instance_v2" "server" {
flavor_name = var.flavor
image_name = var.image
key_pair = var.ssh
security_groups = [openstack_networking_secgroup_v2.secgroup.name]
security_groups = [
openstack_networking_secgroup_v2.all.name,
openstack_networking_secgroup_v2.ssh.name,
]
user_data = data.template_cloudinit_config.ctx[count.index].rendered
network {
name = var.local_network
......
resource "openstack_networking_secgroup_v2" "secgroup" {
name = var.domain
description = "${title(var.domain)} security group"
resource "openstack_networking_secgroup_v2" "all" {
name = format("%s.all", var.domain)
description = "${title(var.domain)} all security group"
}
resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_self4" {
direction = "ingress"
ethertype = "IPv4"
remote_group_id = openstack_networking_secgroup_v2.secgroup.id
security_group_id = openstack_networking_secgroup_v2.secgroup.id
resource "openstack_networking_secgroup_v2" "ssh" {
name = format("%s.ssh", var.domain)
description = "${title(var.domain)} ssh security group"
}
resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_self6" {
resource "openstack_networking_secgroup_rule_v2" "all_self" {
for_each = toset(["0.0.0.0/0", "::/0"])
direction = "ingress"
ethertype = "IPv6"
remote_group_id = openstack_networking_secgroup_v2.secgroup.id
security_group_id = openstack_networking_secgroup_v2.secgroup.id
ethertype = length(regexall(":", each.value)) == 0 ? "IPv4" : "IPv6"
remote_group_id = openstack_networking_secgroup_v2.all.id
security_group_id = openstack_networking_secgroup_v2.all.id
}
resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_icmp4" {
resource "openstack_networking_secgroup_rule_v2" "all_icmp" {
for_each = toset(["0.0.0.0/0", "::/0"])
direction = "ingress"
ethertype = "IPv4"
protocol = "icmp"
security_group_id = openstack_networking_secgroup_v2.secgroup.id
ethertype = length(regexall(":", each.value)) == 0 ? "IPv4" : "IPv6"
protocol = each.value == "0.0.0.0/0" ? "icmp" : "ipv6-icmp"
security_group_id = openstack_networking_secgroup_v2.all.id
}
resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_icmp6" {
resource "openstack_networking_secgroup_rule_v2" "all_other" {
for_each = var.security_trusted_cidr
direction = "ingress"
ethertype = "IPv6"
protocol = "ipv6-icmp"
security_group_id = openstack_networking_secgroup_v2.secgroup.id
ethertype = length(regexall(":", each.value)) == 0 ? "IPv4" : "IPv6"
remote_ip_prefix = each.key
security_group_id = openstack_networking_secgroup_v2.all.id
}
resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_other4" {
for_each = var.security_trusted_cidr4
resource "openstack_networking_secgroup_rule_v2" "all_floatip" {
direction = "ingress"
ethertype = "IPv4"
remote_ip_prefix = each.key
security_group_id = openstack_networking_secgroup_v2.secgroup.id
remote_ip_prefix = "${openstack_networking_floatingip_v2.floatip_1.address}/32"
security_group_id = openstack_networking_secgroup_v2.all.id
}
resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_other6" {
for_each = var.security_trusted_cidr6
resource "openstack_networking_secgroup_rule_v2" "ssh" {
for_each = var.security_admin_cidr
direction = "ingress"
ethertype = "IPv6"
ethertype = length(regexall(":", each.value)) == 0 ? "IPv4" : "IPv6"
remote_ip_prefix = each.key
security_group_id = openstack_networking_secgroup_v2.secgroup.id
}
resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_floatip" {
direction = "ingress"
ethertype = "IPv4"
remote_ip_prefix = "${openstack_networking_floatingip_v2.floatip_1.address}/32"
security_group_id = openstack_networking_secgroup_v2.secgroup.id
security_group_id = openstack_networking_secgroup_v2.ssh.id
}
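Review bot: The new `ssh` rule (`resource "openstack_networking_secgroup_rule_v2" "ssh"`) sets only direction, ethertype, remote_ip_prefix and security_group_id; with no `protocol` and no port range an OpenStack ingress rule matches every protocol and port, so the admin CIDRs get unrestricted access to the instance rather than the "ssh only" that the `security_admin_cidr` description and the commit title promise. Unless lines were lost in rendering, the rule needs `protocol = "tcp"`, `port_range_min = 22` and `port_range_max = 22`. The same open-everything shape is presumably deliberate for `all_other` (trusted networks) and `all_floatip`, and `all_icmp` carries neither remote_ip_prefix nor remote_group_id so ICMP is accepted from any source; a comment such as `# intentionally unrestricted: trusted networks and the floating IP get all protocols/ports` on those rules would stop a later reader from "fixing" them or copying the pattern into the ssh rule again.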
......@@ -49,8 +49,14 @@ variable "public_network" {
# default = "public-cesnet-78-128-250-PERSONAL"
}
variable "security_trusted_cidr4" {
description = "Trusted networks"
variable "security_admin_cidr" {
description = "Admin networks (ssh only)"
type = set(string)
default = []
}
variable "security_trusted_cidr" {
description = "Trusted networks (all, ssh included)"
type = set(string)
default = [
"78.128.128.0/17", # CESNET
......@@ -65,13 +71,6 @@ variable "security_trusted_cidr4" {
"193.84.192.0/19", # SLU
"195.113.0.0/16", # CESNET
"195.178.64.0/19", # CESNET
]
}
variable "security_trusted_cidr6" {
description = "Trusted networks"
type = set(string)
default = [
"2001:718::/32", # CESNET
]
}
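Review bot: Merging `security_trusted_cidr4` and `security_trusted_cidr6` into `security_trusted_cidr` appears to drop the IPv6 default: the removed `security_trusted_cidr6` carried `"2001:718::/32", # CESNET`, and the surviving default list shown here (through `"195.178.64.0/19"`) is IPv4 only, so deployments relying on defaults would lose IPv6 access from CESNET. Unless it is re-added in a part of the list outside this hunk, append `"2001:718::/32", # CESNET` to the new default. It would also help to note on `security_admin_cidr` that its empty default leaves the `ssh` security group with no rules at all, e.g. `# empty by default: admin ssh then comes only via security_trusted_cidr`.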
......