diff --git a/README.md b/README.md
index eede183a9ba6a62ad2f649846a7f1e4f2bc86f31..677fc898e47a14e19049d7b87fe8e285378d14d8 100644
--- a/README.md
+++ b/README.md
@@ -51,10 +51,8 @@ For example (check also the other values used in *variables.tf*):
 cat <<EOF > mycluster.auto.tfvars
 domain = 'mydomain'
 n = 3
- security_trusted_cidr4 = [
+ security_trusted_cidr = [
 "0.0.0.0/0",
- ]
- security_trusted_cidr6 = [
 "::/0",
 ]
 ssh = 'mykey'
diff --git a/deploy.tf b/deploy.tf
index 4b047ba5a47ffd503c70099022b9b06a548ad399..cc4140905d27a5802e722d049ded961917c9862e 100644
--- a/deploy.tf
+++ b/deploy.tf
@@ -101,7 +101,10 @@ resource "openstack_compute_instance_v2" "server" {
 flavor_name = var.flavor
 image_name = var.image
 key_pair = var.ssh
- security_groups = [openstack_networking_secgroup_v2.secgroup.name]
+ security_groups = [
+ openstack_networking_secgroup_v2.all.name,
+ openstack_networking_secgroup_v2.ssh.name,
+ ]
 user_data = data.template_cloudinit_config.ctx[count.index].rendered
 network {
 name = var.local_network
diff --git a/firewall.tf b/firewall.tf
index b0b9c770cbf566ba75ab1f73248da37ac55b63a0..0d0afe0b53791656eff27a827d961a6d5cafc8d3 100644
--- a/firewall.tf
+++ b/firewall.tf
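Review bot: The new `security_groups` list attaches both the `all` and the `ssh` group to every `server` instance, and nothing in the hunk records why a node needs two groups or what each one admits. A short comment above the list would save the next reader a trip to firewall.tf, e.g. `# "all": intra-cluster, ICMP, floating IP and var.security_trusted_cidr; "ssh": var.security_admin_cidr only`. Because the instance resource takes security groups by name, the `format("%s.<suffix>", var.domain)` naming in firewall.tf is what keeps the lookup unambiguous within a project; if that relies on `var.domain` being unique, the same comment is the place to say so. The `server` resource block starts and ends outside the hunk.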
@@ -1,55 +1,48 @@
-resource "openstack_networking_secgroup_v2" "secgroup" {
- name = var.domain
- description = "${title(var.domain)} security group"
+resource "openstack_networking_secgroup_v2" "all" {
+ name = format("%s.all", var.domain)
+ description = "${title(var.domain)} all security group"
 }
 
-resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_self4" {
- direction = "ingress"
- ethertype = "IPv4"
- remote_group_id = openstack_networking_secgroup_v2.secgroup.id
- security_group_id = openstack_networking_secgroup_v2.secgroup.id
+resource "openstack_networking_secgroup_v2" "ssh" {
+ name = format("%s.ssh", var.domain)
+ description = "${title(var.domain)} ssh security group"
 }
 
-resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_self6" {
+resource "openstack_networking_secgroup_rule_v2" "all_self" {
+ for_each = toset(["0.0.0.0/0", "::/0"])
 direction = "ingress"
- ethertype = "IPv6"
- remote_group_id = openstack_networking_secgroup_v2.secgroup.id
- security_group_id = openstack_networking_secgroup_v2.secgroup.id
+ ethertype = length(regexall(":", each.value)) == 0 ? "IPv4" : "IPv6"
+ remote_group_id = openstack_networking_secgroup_v2.all.id
+ security_group_id = openstack_networking_secgroup_v2.all.id
 }
 
-resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_icmp4" {
+resource "openstack_networking_secgroup_rule_v2" "all_icmp" {
+ for_each = toset(["0.0.0.0/0", "::/0"])
 direction = "ingress"
- ethertype = "IPv4"
- protocol = "icmp"
- security_group_id = openstack_networking_secgroup_v2.secgroup.id
+ ethertype = length(regexall(":", each.value)) == 0 ? "IPv4" : "IPv6"
+ protocol = each.value == "0.0.0.0/0" ? "icmp" : "ipv6-icmp"
+ security_group_id = openstack_networking_secgroup_v2.all.id
 }
 
-resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_icmp6" {
+resource "openstack_networking_secgroup_rule_v2" "all_other" {
+ for_each = var.security_trusted_cidr
 direction = "ingress"
- ethertype = "IPv6"
- protocol = "ipv6-icmp"
- security_group_id = openstack_networking_secgroup_v2.secgroup.id
+ ethertype = length(regexall(":", each.value)) == 0 ? "IPv4" : "IPv6"
+ remote_ip_prefix = each.key
+ security_group_id = openstack_networking_secgroup_v2.all.id
 }
 
-resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_other4" {
- for_each = var.security_trusted_cidr4
+resource "openstack_networking_secgroup_rule_v2" "all_floatip" {
 direction = "ingress"
 ethertype = "IPv4"
- remote_ip_prefix = each.key
- security_group_id = openstack_networking_secgroup_v2.secgroup.id
+ remote_ip_prefix = "${openstack_networking_floatingip_v2.floatip_1.address}/32"
+ security_group_id = openstack_networking_secgroup_v2.all.id
 }
 
-resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_other6" {
- for_each = var.security_trusted_cidr6
+resource "openstack_networking_secgroup_rule_v2" "ssh" {
+ for_each = var.security_admin_cidr
 direction = "ingress"
- ethertype = "IPv6"
+ ethertype = length(regexall(":", each.value)) == 0 ? "IPv4" : "IPv6"
 remote_ip_prefix = each.key
- security_group_id = openstack_networking_secgroup_v2.secgroup.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_floatip" {
- direction = "ingress"
- ethertype = "IPv4"
- remote_ip_prefix = "${openstack_networking_floatingip_v2.floatip_1.address}/32"
- security_group_id = openstack_networking_secgroup_v2.secgroup.id
+ security_group_id = openstack_networking_secgroup_v2.ssh.id
 }
diff --git a/variables.tf b/variables.tf
index 73fa064bb9d48e2dd7d8f254dd22c3231ddc8bc0..1c1d1ca075676085ba63543d49e7669e6731cbbe 100644
--- a/variables.tf
+++ b/variables.tf
@@ -49,8 +49,14 @@ variable "public_network" {
 # default = "public-cesnet-78-128-250-PERSONAL"
 }
 
-variable "security_trusted_cidr4" {
- description = "Trusted networks"
+variable "security_admin_cidr" {
+ description = "Admin networks (ssh only)"
+ type = set(string)
+ default = []
+}
+
+variable "security_trusted_cidr" {
+ description = "Trusted networks (all, ssh included)"
 type = set(string)
 default = [
 "78.128.128.0/17", # CESNET
@@ -65,13 +71,6 @@ variable "security_trusted_cidr4" {
 "193.84.192.0/19", # SLU
 "195.113.0.0/16", # CESNET
 "195.178.64.0/19", # CESNET
- ]
- }
-
- variable "security_trusted_cidr6" {
- description = "Trusted networks"
- type = set(string)
- default = [
 "2001:718::/32", # CESNET
 ]
 }
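Review bot: The `security_trusted_cidr` description does not say what "all" grants; with the `all_other` rule in firewall.tf carrying no protocol or port restriction, every entry here receives unrestricted ingress to every instance, and the README example on this page fills it with `0.0.0.0/0` and `::/0`. Make that explicit, e.g. `description = "Trusted networks: unrestricted ingress, all protocols and ports (ssh included)"`, and state for both variables that entries must be CIDR prefixes, IPv4 or IPv6, since firewall.tf derives the ethertype from the presence of a colon. The merge of the IPv4 and IPv6 defaults into one set in the second hunk relies on that same colon test, so a malformed entry is accepted by `set(string)` and only checked by the provider at apply time; if the Terraform version in use supports variable `validation`, a `can(cidrhost(...))` condition would reject it at plan time instead.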