From a180810f4ea43b771530537f5c2b48431aad0204 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franti=C5=A1ek=20Dvo=C5=99=C3=A1k?= <valtri@civ.zcu.cz>
Date: Wed, 9 Dec 2020 20:43:01 +0100
Subject: [PATCH] Custom security groups
---
 deploy.tf | 1 +
 firewall.tf | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 variables.tf | 27 +++++++++++++++++++++++++++
 3 files changed, 76 insertions(+)
 create mode 100644 firewall.tf
diff --git a/deploy.tf b/deploy.tf
index 0ae89d5..ada9f02 100644
--- a/deploy.tf
+++ b/deploy.tf
@@ -31,6 +31,7 @@ resource "openstack_compute_instance_v2" "server" {
 flavor_name = "standard.medium"
 image_name = var.image
 key_pair = var.ssh
+ security_groups = [openstack_networking_secgroup_v2.secgroup.name]
 user_data = data.template_cloudinit_config.user_data[count.index].rendered
 network {
 name = var.local_network
diff --git a/firewall.tf b/firewall.tf
new file mode 100644
index 0000000..fc88506
--- /dev/null
+++ b/firewall.tf
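Review bot: Making `openstack_networking_secgroup_v2.secgroup.name` the only entry in `security_groups` means the instance is, as far as I can tell, no longer placed in the project's `default` security group (Nova attaches only the groups listed), so anything the host previously reached or exposed through `default` now depends entirely on the rules in firewall.tf. Nothing on the new side records that this is intended, and the effect is easy to miss when someone later adds a service. A one-line comment would capture the decision: `# explicit list: the tenant "default" group is no longer attached; rules live in firewall.tf`. The enclosing `server` resource starts and ends outside the hunk, so whether a port-level `security_group_ids` is used elsewhere in it is not visible here.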
@@ -0,0 +1,48 @@
+resource "openstack_networking_secgroup_v2" "secgroup" {
+ name = var.domain
+ description = "${title(var.domain)} security group"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_self4" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ remote_group_id = openstack_networking_secgroup_v2.secgroup.id
+ security_group_id = openstack_networking_secgroup_v2.secgroup.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_self6" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ remote_group_id = openstack_networking_secgroup_v2.secgroup.id
+ security_group_id = openstack_networking_secgroup_v2.secgroup.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_icmp4" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "icmp"
+ security_group_id = openstack_networking_secgroup_v2.secgroup.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_icmp6" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "ipv6-icmp"
+ security_group_id = openstack_networking_secgroup_v2.secgroup.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_other4" {
+ for_each = var.security_trusted_cidr4
+ direction = "ingress"
+ ethertype = "IPv4"
+ remote_ip_prefix = each.key
+ security_group_id = openstack_networking_secgroup_v2.secgroup.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_other6" {
+ for_each = var.security_trusted_cidr6
+ direction = "ingress"
+ ethertype = "IPv6"
+ remote_ip_prefix = each.key
+ security_group_id = openstack_networking_secgroup_v2.secgroup.id
+}
diff --git a/variables.tf b/variables.tf
index 5bf6f8e..8df7619 100644
--- a/variables.tf
+++ b/variables.tf
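Review bot: `secgroup_rule_other4` and `secgroup_rule_other6` set neither `protocol` nor `port_range_min`/`port_range_max`, so every prefix in the trusted sets gets ingress on all protocols and all ports, not only the services the host actually exposes; the rule names (`other4`/`other6`) do not say that either, which makes the grant hard to audit later. If all-ports access from those networks is the intent, record it on each rule with `# trusted networks: all protocols/ports by design; narrow to required ports where possible`, otherwise add `protocol` and a port range per service. The two ICMP rules carry no `remote_ip_prefix`, which Neutron treats as any source; that is usually acceptable for reachability checks but deserves a comment so it is not taken for an omission. The group is also created without `delete_default_rules`, so the provider's default egress rules remain in place, which the file does not mention.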
@@ -44,6 +44,33 @@ variable "public_network" {
 # default = "public-cesnet-78-128-250-PERSONAL"
 }
 
+variable "security_trusted_cidr4" {
+ description = "Trusted networks"
+ type = set(string)
+ default = [
+ "78.128.128.0/17", # CESNET
+ "116.216.0.0/15", # UNOB, JČU
+ "146.102.0.0/16", # VŠE
+ "147.32.0.0/15", # ČVUT, VSCHT
+ "147.228.0.0/14", # ZČU, VUT, TUL, AVČR
+ "147.251.0.0/16", # MUNI
+ "158.194.0.0/16", # UPOL
+ "158.196.0.0/16", # VŠB
+ "193.84.32.0/20", # ČZU
+ "193.84.192.0/19", # SLU
+ "195.113.0.0/16", # CESNET
+ "195.178.64.0/19", # CESNET
+ ]
+}
+
+variable "security_trusted_cidr6" {
+ description = "Trusted networks"
+ type = set(string)
+ default = [
+ "2001:718::/32", # CESNET
+ ]
+}
+
 variable "ssh" {
 description = "SSH key name"
 default = "openstack"
--
GitLab
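Review bot: Both new variables carry the identical `description = "Trusted networks"`, which tells a caller nothing about what trust grants here — in firewall.tf these prefixes receive ingress on every protocol and port. Suggest `description = "IPv4 prefixes granted unrestricted ingress (all protocols/ports) to the instance"` for `security_trusted_cidr4` and the IPv6 wording for `security_trusted_cidr6`, so the consequence is visible at the point where the list is edited. The defaults also bake a fixed set of institutional ranges into every deployment that does not override them; an empty `default = []` with the list supplied from a tfvars file would make the trust opt-in, though that may not fit how this project is deployed. `type = set(string)` is the right choice for the `for_each`/`each.key` use in firewall.tf and also deduplicates repeated prefixes.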