From 05821fa70693eb08d2319f0cf5c6664e268473d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Franti=C5=A1ek=20Dvo=C5=99=C3=A1k?= <valtri@civ.zcu.cz> Date: Mon, 1 Mar 2021 17:30:45 +0100 Subject: [PATCH] Add firewall rules for ssh admin access + refactoring --- README.md | 4 +--- deploy.tf | 5 ++++- firewall.tf | 63 +++++++++++++++++++++++----------------------------- variables.tf | 17 +++++++------- 4 files changed, 41 insertions(+), 48 deletions(-) diff --git a/README.md b/README.md index eede183..677fc89 100644 --- a/README.md +++ b/README.md @@ -51,10 +51,8 @@ For example (check also the other values used in *variables.tf*): cat <<EOF > mycluster.auto.tfvars domain = 'mydomain' n = 3 - security_trusted_cidr4 = [ + security_trusted_cidr = [ "0.0.0.0/0", - ] - security_trusted_cidr6 = [ "::/0", ] ssh = 'mykey' diff --git a/deploy.tf b/deploy.tf index 4b047ba..cc41409 100644 --- a/deploy.tf +++ b/deploy.tf @@ -101,7 +101,10 @@ resource "openstack_compute_instance_v2" "server" { flavor_name = var.flavor image_name = var.image key_pair = var.ssh - security_groups = [openstack_networking_secgroup_v2.secgroup.name] + security_groups = [ + openstack_networking_secgroup_v2.all.name, + openstack_networking_secgroup_v2.ssh.name, + ] user_data = data.template_cloudinit_config.ctx[count.index].rendered network { name = var.local_network diff --git a/firewall.tf b/firewall.tf index b0b9c77..0d0afe0 100644 --- a/firewall.tf +++ b/firewall.tf @@ -1,55 +1,48 @@ -resource "openstack_networking_secgroup_v2" "secgroup" { - name = var.domain - description = "${title(var.domain)} security group" +resource "openstack_networking_secgroup_v2" "all" { + name = format("%s.all", var.domain) + description = "${title(var.domain)} all security group" } -resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_self4" { - direction = "ingress" - ethertype = "IPv4" - remote_group_id = openstack_networking_secgroup_v2.secgroup.id - security_group_id = openstack_networking_secgroup_v2.secgroup.id +resource "openstack_networking_secgroup_v2" "ssh" { + name = format("%s.ssh", var.domain) + description = "${title(var.domain)} ssh security group" } -resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_self6" { +resource "openstack_networking_secgroup_rule_v2" "all_self" { + for_each = toset(["0.0.0.0/0", "::/0"]) direction = "ingress" - ethertype = "IPv6" - remote_group_id = openstack_networking_secgroup_v2.secgroup.id - security_group_id = openstack_networking_secgroup_v2.secgroup.id + ethertype = length(regexall(":", each.value)) == 0 ? "IPv4" : "IPv6" + remote_group_id = openstack_networking_secgroup_v2.all.id + security_group_id = openstack_networking_secgroup_v2.all.id } -resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_icmp4" { +resource "openstack_networking_secgroup_rule_v2" "all_icmp" { + for_each = toset(["0.0.0.0/0", "::/0"]) direction = "ingress" - ethertype = "IPv4" - protocol = "icmp" - security_group_id = openstack_networking_secgroup_v2.secgroup.id + ethertype = length(regexall(":", each.value)) == 0 ? "IPv4" : "IPv6" + protocol = each.value == "0.0.0.0/0" ? "icmp" : "ipv6-icmp" + security_group_id = openstack_networking_secgroup_v2.all.id } -resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_icmp6" { +resource "openstack_networking_secgroup_rule_v2" "all_other" { + for_each = var.security_trusted_cidr direction = "ingress" - ethertype = "IPv6" - protocol = "ipv6-icmp" - security_group_id = openstack_networking_secgroup_v2.secgroup.id + ethertype = length(regexall(":", each.value)) == 0 ? "IPv4" : "IPv6" + remote_ip_prefix = each.key + security_group_id = openstack_networking_secgroup_v2.all.id } -resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_other4" { - for_each = var.security_trusted_cidr4 +resource "openstack_networking_secgroup_rule_v2" "all_floatip" { direction = "ingress" ethertype = "IPv4" - remote_ip_prefix = each.key - security_group_id = openstack_networking_secgroup_v2.secgroup.id + remote_ip_prefix = "${openstack_networking_floatingip_v2.floatip_1.address}/32" + security_group_id = openstack_networking_secgroup_v2.all.id } -resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_other6" { - for_each = var.security_trusted_cidr6 +resource "openstack_networking_secgroup_rule_v2" "ssh" { + for_each = var.security_admin_cidr direction = "ingress" - ethertype = "IPv6" + ethertype = length(regexall(":", each.value)) == 0 ? "IPv4" : "IPv6" remote_ip_prefix = each.key - security_group_id = openstack_networking_secgroup_v2.secgroup.id -} - -resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_floatip" { - direction = "ingress" - ethertype = "IPv4" - remote_ip_prefix = "${openstack_networking_floatingip_v2.floatip_1.address}/32" - security_group_id = openstack_networking_secgroup_v2.secgroup.id + security_group_id = openstack_networking_secgroup_v2.ssh.id } diff --git a/variables.tf b/variables.tf index 73fa064..1c1d1ca 100644 --- a/variables.tf +++ b/variables.tf @@ -49,8 +49,14 @@ variable "public_network" { # default = "public-cesnet-78-128-250-PERSONAL" } -variable "security_trusted_cidr4" { - description = "Trusted networks" +variable "security_admin_cidr" { + description = "Admin networks (ssh only)" + type = set(string) + default = [] +} + +variable "security_trusted_cidr" { + description = "Trusted networks (all, ssh included)" type = set(string) default = [ "78.128.128.0/17", # CESNET @@ -65,13 +71,6 @@ variable "security_trusted_cidr4" { "193.84.192.0/19", # SLU "195.113.0.0/16", # CESNET "195.178.64.0/19", # CESNET - ] -} - -variable "security_trusted_cidr6" { - description = "Trusted networks" - type = set(string) - default = [ "2001:718::/32", # CESNET ] } -- GitLab