Fancy firewall rules with description

2699fc77 · František Dvořák · e959efeb · 2699fc77 · 2699fc77
Commit 2699fc77 authored 7 months ago by František Dvořák
--- a/common/terraform/firewall.tf
+++ b/common/terraform/firewall.tf
@@ -13,32 +13,24 @@ resource "openstack_networking_secgroup_v2" "http" {
  description = "http/https"
 }

-resource "openstack_networking_secgroup_rule_v2" "ping4" {
-  for_each          = var.security_public_cidr4
+resource "openstack_networking_secgroup_rule_v2" "ping" {
+  for_each          = var.security_public_cidr
+  description       = each.value
  direction         = "ingress"
-  ethertype         = "IPv4"
-  port_range_min    = 8
+  ethertype         = strcontains(each.key, ":") ? "IPv6" : "IPv4"
+  port_range_min    = strcontains(each.key, ":") ? 128 : 8
  port_range_max    = 0
+  # protocol          = strcontains(each.key, ":") ? "ipv6-icmp" : "icmp"
  protocol          = "icmp"
  remote_ip_prefix  = each.key
  security_group_id = openstack_networking_secgroup_v2.ping.id
 }

-resource "openstack_networking_secgroup_rule_v2" "ping6" {
-  for_each          = var.security_public_cidr6
+resource "openstack_networking_secgroup_rule_v2" "ssh" {
+  for_each          = var.security_public_cidr
+  description       = each.value
  direction         = "ingress"
-  ethertype         = "IPv6"
-  port_range_min    = 128
-  port_range_max    = 0
-  protocol          = "icmp"  # icmp / ipv6-icmp
-  remote_ip_prefix  = each.key
-  security_group_id = openstack_networking_secgroup_v2.ping.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "ssh4" {
-  for_each          = var.security_public_cidr4
-  direction         = "ingress"
-  ethertype         = "IPv4"
+  ethertype         = strcontains(each.key, ":") ? "IPv6" : "IPv4"
  port_range_min    = 22
  port_range_max    = 22
  protocol          = "tcp"
@@ -46,32 +38,11 @@ resource "openstack_networking_secgroup_rule_v2" "ssh4" {
  security_group_id = openstack_networking_secgroup_v2.ssh.id
 }

-resource "openstack_networking_secgroup_rule_v2" "ssh6" {
-  for_each          = var.security_public_cidr6
-  direction         = "ingress"
-  ethertype         = "IPv6"
-  port_range_min    = 22
-  port_range_max    = 22
-  protocol          = "tcp"
-  remote_ip_prefix  = each.key
-  security_group_id = openstack_networking_secgroup_v2.ssh.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "http4" {
-  for_each          = var.security_public_cidr4
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  port_range_min    = 80
-  port_range_max    = 80
-  protocol          = "tcp"
-  remote_ip_prefix  = each.key
-  security_group_id = openstack_networking_secgroup_v2.http.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "http6" {
-  for_each          = var.security_public_cidr6
+resource "openstack_networking_secgroup_rule_v2" "http" {
+  for_each          = var.security_public_cidr
+  description       = each.value
  direction         = "ingress"
-  ethertype         = "IPv6"
+  ethertype         = strcontains(each.key, ":") ? "IPv6" : "IPv4"
  port_range_min    = 80
  port_range_max    = 80
  protocol          = "tcp"
@@ -79,21 +50,11 @@ resource "openstack_networking_secgroup_rule_v2" "http6" {
  security_group_id = openstack_networking_secgroup_v2.http.id
 }

-resource "openstack_networking_secgroup_rule_v2" "https4" {
-  for_each          = var.security_public_cidr4
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  port_range_min    = 443
-  port_range_max    = 443
-  protocol          = "tcp"
-  remote_ip_prefix  = each.key
-  security_group_id = openstack_networking_secgroup_v2.http.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "https6" {
-  for_each          = var.security_public_cidr6
+resource "openstack_networking_secgroup_rule_v2" "https" {
+  for_each          = var.security_public_cidr
+  description       = each.value
  direction         = "ingress"
-  ethertype         = "IPv6"
+  ethertype         = strcontains(each.key, ":") ? "IPv6" : "IPv4"
  port_range_min    = 443
  port_range_max    = 443
  protocol          = "tcp"

--- a/common/terraform/vars.tf
+++ b/common/terraform/vars.tf
@@ -63,18 +63,11 @@ variable "squid_volume_size" {
  description = "Size of volume for squid proxy, CVMFS cache (GB)"
 }

-variable "security_public_cidr4" {
-  type = set(string)
-  description = "Enabled IPv4 ranges"
-  default = [
-    "0.0.0.0/0",
-  ]
-}
-
-variable "security_public_cidr6" {
-  type = set(string)
-  description = "Enabled IPv6 ranges"
-  default = [
-    "::/0",
-  ]
+variable "security_public_cidr" {
+  type = map(string)
+  description = "Enabled IP ranges"
+  default = {
+    "0.0.0.0/0": "Public access",
+    "::/0":      "Public access",
+  }
 }