From 05821fa70693eb08d2319f0cf5c6664e268473d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franti=C5=A1ek=20Dvo=C5=99=C3=A1k?= <valtri@civ.zcu.cz>
Date: Mon, 1 Mar 2021 17:30:45 +0100
Subject: [PATCH] Add firewall rules for ssh admin access + refactoring

---
 README.md    |  4 +---
 deploy.tf    |  5 ++++-
 firewall.tf  | 63 +++++++++++++++++++++++-----------------------------
 variables.tf | 17 +++++++-------
 4 files changed, 41 insertions(+), 48 deletions(-)

diff --git a/README.md b/README.md
index eede183..677fc89 100644
--- a/README.md
+++ b/README.md
@@ -51,10 +51,8 @@ For example (check also the other values used in *variables.tf*):
     cat <<EOF > mycluster.auto.tfvars
     domain = 'mydomain'
     n = 3
-    security_trusted_cidr4 = [
+    security_trusted_cidr = [
         "0.0.0.0/0",
-    ]
-    security_trusted_cidr6 = [
         "::/0",
     ]
     ssh = 'mykey'
diff --git a/deploy.tf b/deploy.tf
index 4b047ba..cc41409 100644
--- a/deploy.tf
+++ b/deploy.tf
@@ -101,7 +101,10 @@ resource "openstack_compute_instance_v2" "server" {
 	flavor_name = var.flavor
 	image_name = var.image
 	key_pair = var.ssh
-	security_groups = [openstack_networking_secgroup_v2.secgroup.name]
+	security_groups = [
+		openstack_networking_secgroup_v2.all.name,
+		openstack_networking_secgroup_v2.ssh.name,
+	]
 	user_data = data.template_cloudinit_config.ctx[count.index].rendered
 	network {
 		name = var.local_network
diff --git a/firewall.tf b/firewall.tf
index b0b9c77..0d0afe0 100644
--- a/firewall.tf
+++ b/firewall.tf
@@ -1,55 +1,48 @@
-resource "openstack_networking_secgroup_v2" "secgroup" {
-	name = var.domain
-	description = "${title(var.domain)} security group"
+resource "openstack_networking_secgroup_v2" "all" {
+	name = format("%s.all", var.domain)
+	description = "${title(var.domain)} all security group"
 }
 
-resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_self4" {
-	direction = "ingress"
-	ethertype = "IPv4"
-	remote_group_id = openstack_networking_secgroup_v2.secgroup.id
-	security_group_id = openstack_networking_secgroup_v2.secgroup.id
+resource "openstack_networking_secgroup_v2" "ssh" {
+	name = format("%s.ssh", var.domain)
+	description = "${title(var.domain)} ssh security group"
 }
 
-resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_self6" {
+resource "openstack_networking_secgroup_rule_v2" "all_self" {
+	for_each = toset(["0.0.0.0/0", "::/0"])
 	direction = "ingress"
-	ethertype = "IPv6"
-	remote_group_id = openstack_networking_secgroup_v2.secgroup.id
-	security_group_id = openstack_networking_secgroup_v2.secgroup.id
+	ethertype = length(regexall(":", each.value)) == 0 ? "IPv4" : "IPv6"
+	remote_group_id = openstack_networking_secgroup_v2.all.id
+	security_group_id = openstack_networking_secgroup_v2.all.id
 }
 
-resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_icmp4" {
+resource "openstack_networking_secgroup_rule_v2" "all_icmp" {
+	for_each = toset(["0.0.0.0/0", "::/0"])
 	direction = "ingress"
-	ethertype = "IPv4"
-	protocol = "icmp"
-	security_group_id = openstack_networking_secgroup_v2.secgroup.id
+	ethertype = length(regexall(":", each.value)) == 0 ? "IPv4" : "IPv6"
+	protocol = each.value == "0.0.0.0/0" ? "icmp" : "ipv6-icmp"
+	security_group_id = openstack_networking_secgroup_v2.all.id
 }
 
-resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_icmp6" {
+resource "openstack_networking_secgroup_rule_v2" "all_other" {
+	for_each = var.security_trusted_cidr
 	direction = "ingress"
-	ethertype = "IPv6"
-	protocol = "ipv6-icmp"
-	security_group_id = openstack_networking_secgroup_v2.secgroup.id
+	ethertype = length(regexall(":", each.value)) == 0 ? "IPv4" : "IPv6"
+	remote_ip_prefix = each.key
+	security_group_id = openstack_networking_secgroup_v2.all.id
 }
 
-resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_other4" {
-	for_each = var.security_trusted_cidr4
+resource "openstack_networking_secgroup_rule_v2" "all_floatip" {
 	direction = "ingress"
 	ethertype = "IPv4"
-	remote_ip_prefix = each.key
-	security_group_id = openstack_networking_secgroup_v2.secgroup.id
+	remote_ip_prefix = "${openstack_networking_floatingip_v2.floatip_1.address}/32"
+	security_group_id = openstack_networking_secgroup_v2.all.id
 }
 
-resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_other6" {
-	for_each = var.security_trusted_cidr6
+resource "openstack_networking_secgroup_rule_v2" "ssh" {
+	for_each = var.security_admin_cidr
 	direction = "ingress"
-	ethertype = "IPv6"
+	ethertype = length(regexall(":", each.value)) == 0 ? "IPv4" : "IPv6"
 	remote_ip_prefix = each.key
-	security_group_id = openstack_networking_secgroup_v2.secgroup.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_floatip" {
-	direction = "ingress"
-	ethertype = "IPv4"
-	remote_ip_prefix = "${openstack_networking_floatingip_v2.floatip_1.address}/32"
-	security_group_id = openstack_networking_secgroup_v2.secgroup.id
+	security_group_id = openstack_networking_secgroup_v2.ssh.id
 }
diff --git a/variables.tf b/variables.tf
index 73fa064..1c1d1ca 100644
--- a/variables.tf
+++ b/variables.tf
@@ -49,8 +49,14 @@ variable "public_network" {
 	# default = "public-cesnet-78-128-250-PERSONAL"
 }
 
-variable "security_trusted_cidr4" {
-	description = "Trusted networks"
+variable "security_admin_cidr" {
+	description = "Admin networks (ssh only)"
+	type = set(string)
+	default = []
+}
+
+variable "security_trusted_cidr" {
+	description = "Trusted networks (all, ssh included)"
 	type = set(string)
 	default = [
 		"78.128.128.0/17", # CESNET
@@ -65,13 +71,6 @@ variable "security_trusted_cidr4" {
 		"193.84.192.0/19", # SLU
 		"195.113.0.0/16",  # CESNET
 		"195.178.64.0/19", # CESNET
-	]
-}
-
-variable "security_trusted_cidr6" {
-	description = "Trusted networks"
-	type = set(string)
-	default = [
 		"2001:718::/32",   # CESNET
 	]
 }
-- 
GitLab