Add firewall rules for ssh admin access + refactoring

05821fa7 · František Dvořák · d7510249 · 05821fa7 · 05821fa7 · 05821fa7
Commit 05821fa7 authored Mar 1, 2021 by František Dvořák
--- a/README.md
+++ b/README.md
@@ -51,10 +51,8 @@ For example (check also the other values used in *variables.tf*):
    cat <<EOF > mycluster.auto.tfvars
    domain = 'mydomain'
    n = 3
-    security_trusted_cidr4 = [
+    security_trusted_cidr = [
        "0.0.0.0/0",
-    ]
-    security_trusted_cidr6 = [
        "::/0",
    ]
    ssh = 'mykey'

--- a/deploy.tf
+++ b/deploy.tf
@@ -101,7 +101,10 @@ resource "openstack_compute_instance_v2" "server" {
 	flavor_name = var.flavor
 	image_name = var.image
 	key_pair = var.ssh
-	security_groups = [openstack_networking_secgroup_v2.secgroup.name]
+	security_groups = [
+		openstack_networking_secgroup_v2.all.name,
+		openstack_networking_secgroup_v2.ssh.name,
+	]
 	user_data = data.template_cloudinit_config.ctx[count.index].rendered
 	network {
 		name = var.local_network

--- a/firewall.tf
+++ b/firewall.tf
-resource "openstack_networking_secgroup_v2" "secgroup" {
-	name = var.domain
-	description = "${title(var.domain)} security group"
+resource "openstack_networking_secgroup_v2" "all" {
+	name = format("%s.all", var.domain)
+	description = "${title(var.domain)} all security group"
 }

-resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_self4" {
-	direction = "ingress"
-	ethertype = "IPv4"
-	remote_group_id = openstack_networking_secgroup_v2.secgroup.id
-	security_group_id = openstack_networking_secgroup_v2.secgroup.id
+resource "openstack_networking_secgroup_v2" "ssh" {
+	name = format("%s.ssh", var.domain)
+	description = "${title(var.domain)} ssh security group"
 }

-resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_self6" {
+resource "openstack_networking_secgroup_rule_v2" "all_self" {
+	for_each = toset(["0.0.0.0/0", "::/0"])
 	direction = "ingress"
-	ethertype = "IPv6"
-	remote_group_id = openstack_networking_secgroup_v2.secgroup.id
-	security_group_id = openstack_networking_secgroup_v2.secgroup.id
+	ethertype = length(regexall(":", each.value)) == 0 ? "IPv4" : "IPv6"
+	remote_group_id = openstack_networking_secgroup_v2.all.id
+	security_group_id = openstack_networking_secgroup_v2.all.id
 }

-resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_icmp4" {
+resource "openstack_networking_secgroup_rule_v2" "all_icmp" {
+	for_each = toset(["0.0.0.0/0", "::/0"])
 	direction = "ingress"
-	ethertype = "IPv4"
-	protocol = "icmp"
-	security_group_id = openstack_networking_secgroup_v2.secgroup.id
+	ethertype = length(regexall(":", each.value)) == 0 ? "IPv4" : "IPv6"
+	protocol = each.value == "0.0.0.0/0" ? "icmp" : "ipv6-icmp"
+	security_group_id = openstack_networking_secgroup_v2.all.id
 }

-resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_icmp6" {
+resource "openstack_networking_secgroup_rule_v2" "all_other" {
+	for_each = var.security_trusted_cidr
 	direction = "ingress"
-	ethertype = "IPv6"
-	protocol = "ipv6-icmp"
-	security_group_id = openstack_networking_secgroup_v2.secgroup.id
+	ethertype = length(regexall(":", each.value)) == 0 ? "IPv4" : "IPv6"
+	remote_ip_prefix = each.key
+	security_group_id = openstack_networking_secgroup_v2.all.id
 }

-resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_other4" {
-	for_each = var.security_trusted_cidr4
+resource "openstack_networking_secgroup_rule_v2" "all_floatip" {
 	direction = "ingress"
 	ethertype = "IPv4"
-	remote_ip_prefix = each.key
-	security_group_id = openstack_networking_secgroup_v2.secgroup.id
+	remote_ip_prefix = "${openstack_networking_floatingip_v2.floatip_1.address}/32"
+	security_group_id = openstack_networking_secgroup_v2.all.id
 }

-resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_other6" {
-	for_each = var.security_trusted_cidr6
+resource "openstack_networking_secgroup_rule_v2" "ssh" {
+	for_each = var.security_admin_cidr
 	direction = "ingress"
-	ethertype = "IPv6"
+	ethertype = length(regexall(":", each.value)) == 0 ? "IPv4" : "IPv6"
 	remote_ip_prefix = each.key
-	security_group_id = openstack_networking_secgroup_v2.secgroup.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_floatip" {
-	direction = "ingress"
-	ethertype = "IPv4"
-	remote_ip_prefix = "${openstack_networking_floatingip_v2.floatip_1.address}/32"
-	security_group_id = openstack_networking_secgroup_v2.secgroup.id
+	security_group_id = openstack_networking_secgroup_v2.ssh.id
 }
--- a/variables.tf
+++ b/variables.tf
@@ -49,8 +49,14 @@ variable "public_network" {
 	# default = "public-cesnet-78-128-250-PERSONAL"
 }

-variable "security_trusted_cidr4" {
-	description = "Trusted networks"
+variable "security_admin_cidr" {
+	description = "Admin networks (ssh only)"
+	type = set(string)
+	default = []
+}
+
+variable "security_trusted_cidr" {
+	description = "Trusted networks (all, ssh included)"
 	type = set(string)
 	default = [
 		"78.128.128.0/17", # CESNET
@@ -65,13 +71,6 @@ variable "security_trusted_cidr4" {
 		"193.84.192.0/19", # SLU
 		"195.113.0.0/16",  # CESNET
 		"195.178.64.0/19", # CESNET
-	]
-}
-
-variable "security_trusted_cidr6" {
-	description = "Trusted networks"
-	type = set(string)
-	default = [
 		"2001:718::/32",   # CESNET
 	]
 }