firewall.tf 3.02 KiB
# Security group that carries the ICMP echo-request ingress rules; the
# "ping4" and "ping6" rule resources in this file attach to it by id.
# NOTE(review): Neutron normally seeds a new group with allow-all egress
# rules. If outbound traffic should be restricted, set
# `delete_default_rules = true` and declare egress explicitly. This applies to
# every secgroup_v2 resource in this file; confirm the intended egress policy.
resource "openstack_networking_secgroup_v2" "ping" {
  description = "ICMP for ping"
  name        = "ping"
}

# Security group for inbound SSH; the "ssh4" and "ssh6" rule resources in this
# file attach their TCP/22 ingress rules to it. Only instances or ports that
# are members of this group are affected, so keep its membership limited to
# hosts that need remote administration.
resource "openstack_networking_secgroup_v2" "ssh" {
  description = "ssh connection"
  name        = "ssh"
}

# Security group for inbound web traffic. It is shared by the TCP/80 rules
# ("http4", "http6") and the TCP/443 rules ("https4", "https6") in this file,
# so joining this group opens both ports together.
resource "openstack_networking_secgroup_v2" "http" {
  description = "http/https"
  name        = "http"
}

# IPv4 ping: one ingress rule per entry of var.security_public_cidr4, with the
# entry's key used as the allowed source prefix.
# (The variable is declared outside this file; presumably a set of CIDR
# strings. Verify its type and contents.)
resource "openstack_networking_secgroup_rule_v2" "ping4" {
  for_each = var.security_public_cidr4

  security_group_id = openstack_networking_secgroup_v2.ping.id
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "icmp"

  # For ICMP rules Neutron reuses the port-range fields: min is the ICMP
  # *type* and max is the ICMP *code*. Type 8 / code 0 is an echo request, so
  # only ping is admitted, not ICMP in general.
  port_range_min = 8
  port_range_max = 0

  remote_ip_prefix = each.key
}

# IPv6 ping: one ingress rule per entry of var.security_public_cidr6, with the
# entry's key used as the allowed source prefix.
# (The variable is declared outside this file; presumably a set of CIDR
# strings. Verify its type and contents.)
resource "openstack_networking_secgroup_rule_v2" "ping6" {
  for_each = var.security_public_cidr6

  security_group_id = openstack_networking_secgroup_v2.ping.id
  direction         = "ingress"
  ethertype         = "IPv6"

  # Alternatives considered by the author: "icmp" / "ipv6-icmp".
  # NOTE(review): the provider's dedicated name for ICMPv6 is "ipv6-icmp".
  # With ethertype IPv6, "icmp" appears to be accepted as a legacy alias and
  # may be normalised server-side. Confirm that the created rule really
  # matches ICMPv6 echo requests and that `terraform plan` shows no perpetual
  # diff; otherwise switch to "ipv6-icmp".
  protocol = "icmp"

  # For ICMP rules the port-range fields carry the ICMP type (min) and code
  # (max). ICMPv6 type 128 / code 0 is an echo request.
  port_range_min = 128
  port_range_max = 0

  remote_ip_prefix = each.key
}

# IPv4 SSH: one TCP/22 ingress rule per entry of var.security_public_cidr4.
# NOTE(review): this uses the same source-prefix variable as the HTTP/HTTPS
# rules in this file, so SSH is reachable from exactly the ranges allowed to
# reach the web ports. If that variable holds broad or public ranges, the
# management port is equally exposed. Consider a separate, narrower allow-list
# (admin/VPN/bastion prefixes) for SSH and verify the variable's contents.
resource "openstack_networking_secgroup_rule_v2" "ssh4" {
  for_each = var.security_public_cidr4

  security_group_id = openstack_networking_secgroup_v2.ssh.id
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 22
  port_range_max    = 22
  remote_ip_prefix  = each.key
}

# IPv6 SSH: one TCP/22 ingress rule per entry of var.security_public_cidr6.
# NOTE(review): this uses the same source-prefix variable as the IPv6
# HTTP/HTTPS rules in this file, so SSH over IPv6 is as widely reachable as
# the web ports. IPv6 exposure is easy to overlook when only the IPv4 side is
# audited. Verify the variable's contents and consider a narrower allow-list
# for the management port.
resource "openstack_networking_secgroup_rule_v2" "ssh6" {
  for_each = var.security_public_cidr6

  security_group_id = openstack_networking_secgroup_v2.ssh.id
  direction         = "ingress"
  ethertype         = "IPv6"
  protocol          = "tcp"
  port_range_min    = 22
  port_range_max    = 22
  remote_ip_prefix  = each.key
}

# IPv4 HTTP: one TCP/80 ingress rule per entry of var.security_public_cidr4,
# attached to the shared "http" group.
# Port 80 is cleartext. NOTE(review): confirm that the service behind it only
# redirects to HTTPS or serves nothing sensitive.
resource "openstack_networking_secgroup_rule_v2" "http4" {
  for_each = var.security_public_cidr4

  security_group_id = openstack_networking_secgroup_v2.http.id
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 80
  port_range_max    = 80
  remote_ip_prefix  = each.key
}

# IPv6 HTTP: one TCP/80 ingress rule per entry of var.security_public_cidr6,
# attached to the shared "http" group.
# Port 80 is cleartext. NOTE(review): confirm that the service behind it only
# redirects to HTTPS or serves nothing sensitive.
resource "openstack_networking_secgroup_rule_v2" "http6" {
  for_each = var.security_public_cidr6

  security_group_id = openstack_networking_secgroup_v2.http.id
  direction         = "ingress"
  ethertype         = "IPv6"
  protocol          = "tcp"
  port_range_min    = 80
  port_range_max    = 80
  remote_ip_prefix  = each.key
}

# IPv4 HTTPS: one TCP/443 ingress rule per entry of var.security_public_cidr4.
# It attaches to the "http" security group (there is no separate https group
# in this file), so members of that group receive ports 80 and 443 together.
resource "openstack_networking_secgroup_rule_v2" "https4" {
  for_each = var.security_public_cidr4

  security_group_id = openstack_networking_secgroup_v2.http.id
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 443
  port_range_max    = 443
  remote_ip_prefix  = each.key
}

# IPv6 HTTPS: one TCP/443 ingress rule per entry of var.security_public_cidr6.
# It attaches to the "http" security group (there is no separate https group
# in this file), so members of that group receive ports 80 and 443 together.
resource "openstack_networking_secgroup_rule_v2" "https6" {
  for_each = var.security_public_cidr6

  security_group_id = openstack_networking_secgroup_v2.http.id
  direction         = "ingress"
  ethertype         = "IPv6"
  protocol          = "tcp"
  port_range_min    = 443
  port_range_max    = 443
  remote_ip_prefix  = each.key
}