Commit 2699fc77 authored by František Dvořák's avatar František Dvořák

Fancy firewall rules with description

parent e959efeb
...@@ -13,32 +13,24 @@ resource "openstack_networking_secgroup_v2" "http" { ...@@ -13,32 +13,24 @@ resource "openstack_networking_secgroup_v2" "http" {
description = "http/https" description = "http/https"
} }
resource "openstack_networking_secgroup_rule_v2" "ping4" { resource "openstack_networking_secgroup_rule_v2" "ping" {
for_each = var.security_public_cidr4 for_each = var.security_public_cidr
description = each.value
direction = "ingress" direction = "ingress"
ethertype = "IPv4" ethertype = strcontains(each.key, ":") ? "IPv6" : "IPv4"
port_range_min = 8 port_range_min = strcontains(each.key, ":") ? 128 : 8
port_range_max = 0 port_range_max = 0
# protocol = strcontains(each.key, ":") ? "ipv6-icmp" : "icmp"
protocol = "icmp" protocol = "icmp"
remote_ip_prefix = each.key remote_ip_prefix = each.key
security_group_id = openstack_networking_secgroup_v2.ping.id security_group_id = openstack_networking_secgroup_v2.ping.id
} }
resource "openstack_networking_secgroup_rule_v2" "ping6" { resource "openstack_networking_secgroup_rule_v2" "ssh" {
for_each = var.security_public_cidr6 for_each = var.security_public_cidr
description = each.value
direction = "ingress" direction = "ingress"
ethertype = "IPv6" ethertype = strcontains(each.key, ":") ? "IPv6" : "IPv4"
port_range_min = 128
port_range_max = 0
protocol = "icmp" # icmp / ipv6-icmp
remote_ip_prefix = each.key
security_group_id = openstack_networking_secgroup_v2.ping.id
}
resource "openstack_networking_secgroup_rule_v2" "ssh4" {
for_each = var.security_public_cidr4
direction = "ingress"
ethertype = "IPv4"
port_range_min = 22 port_range_min = 22
port_range_max = 22 port_range_max = 22
protocol = "tcp" protocol = "tcp"
...@@ -46,32 +38,11 @@ resource "openstack_networking_secgroup_rule_v2" "ssh4" { ...@@ -46,32 +38,11 @@ resource "openstack_networking_secgroup_rule_v2" "ssh4" {
security_group_id = openstack_networking_secgroup_v2.ssh.id security_group_id = openstack_networking_secgroup_v2.ssh.id
} }
resource "openstack_networking_secgroup_rule_v2" "ssh6" { resource "openstack_networking_secgroup_rule_v2" "http" {
for_each = var.security_public_cidr6 for_each = var.security_public_cidr
direction = "ingress" description = each.value
ethertype = "IPv6"
port_range_min = 22
port_range_max = 22
protocol = "tcp"
remote_ip_prefix = each.key
security_group_id = openstack_networking_secgroup_v2.ssh.id
}
resource "openstack_networking_secgroup_rule_v2" "http4" {
for_each = var.security_public_cidr4
direction = "ingress"
ethertype = "IPv4"
port_range_min = 80
port_range_max = 80
protocol = "tcp"
remote_ip_prefix = each.key
security_group_id = openstack_networking_secgroup_v2.http.id
}
resource "openstack_networking_secgroup_rule_v2" "http6" {
for_each = var.security_public_cidr6
direction = "ingress" direction = "ingress"
ethertype = "IPv6" ethertype = strcontains(each.key, ":") ? "IPv6" : "IPv4"
port_range_min = 80 port_range_min = 80
port_range_max = 80 port_range_max = 80
protocol = "tcp" protocol = "tcp"
...@@ -79,21 +50,11 @@ resource "openstack_networking_secgroup_rule_v2" "http6" { ...@@ -79,21 +50,11 @@ resource "openstack_networking_secgroup_rule_v2" "http6" {
security_group_id = openstack_networking_secgroup_v2.http.id security_group_id = openstack_networking_secgroup_v2.http.id
} }
resource "openstack_networking_secgroup_rule_v2" "https4" { resource "openstack_networking_secgroup_rule_v2" "https" {
for_each = var.security_public_cidr4 for_each = var.security_public_cidr
direction = "ingress" description = each.value
ethertype = "IPv4"
port_range_min = 443
port_range_max = 443
protocol = "tcp"
remote_ip_prefix = each.key
security_group_id = openstack_networking_secgroup_v2.http.id
}
resource "openstack_networking_secgroup_rule_v2" "https6" {
for_each = var.security_public_cidr6
direction = "ingress" direction = "ingress"
ethertype = "IPv6" ethertype = strcontains(each.key, ":") ? "IPv6" : "IPv4"
port_range_min = 443 port_range_min = 443
port_range_max = 443 port_range_max = 443
protocol = "tcp" protocol = "tcp"
......
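Review bot: The address-family test `strcontains(each.key, ":")` is now repeated in every rule (ethertype in ping, ssh, http and https, and again for the ICMP type in ping), so a future edit to one copy can silently leave the rules disagreeing on which ranges are treated as IPv6; computing it once, e.g. `cidr_is_v6 = { for cidr, _ in var.security_public_cidr : cidr => strcontains(cidr, ":") }` in a `locals` block, and referencing it as `ethertype = local.cidr_is_v6[each.key] ? "IPv6" : "IPv4"` keeps the rules in step. `strcontains` is only available from Terraform 1.5.0, so the module's `required_version` (outside this diff) should be checked to match. The commented-out `# protocol = strcontains(each.key, ":") ? "ipv6-icmp" : "icmp"` left in the ping rule records a doubt without resolving it; either replace it with a comment stating why plain `"icmp"` is correct for the IPv6 ethertype (as the old `# icmp / ipv6-icmp` line also hinted), or drop the dead line. The https rule's closing lines fall outside the last hunk.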
...@@ -63,18 +63,11 @@ variable "squid_volume_size" { ...@@ -63,18 +63,11 @@ variable "squid_volume_size" {
description = "Size of volume for squid proxy, CVMFS cache (GB)" description = "Size of volume for squid proxy, CVMFS cache (GB)"
} }
variable "security_public_cidr4" { variable "security_public_cidr" {
type = set(string) type = map(string)
description = "Enabled IPv4 ranges" description = "Enabled IP ranges"
default = [ default = {
"0.0.0.0/0", "0.0.0.0/0": "Public access",
] "::/0": "Public access",
} }
variable "security_public_cidr6" {
type = set(string)
description = "Enabled IPv6 ranges"
default = [
"::/0",
]
} }
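Review bot: The new `map(string)` variable carries no constraint on its keys, yet every key is passed straight into `remote_ip_prefix` and used to decide ethertype and ICMP type, so a typo such as a missing prefix length only surfaces at apply time as a provider error; a `validation` block using `can(cidrhost(cidr, 0))` rejects malformed keys at plan time for both IPv4 and IPv6. The description `"Enabled IP ranges"` also no longer says what the map's values are, although the rules now surface them as each rule's `description`, so the variable's own description should spell out the key/value contract.
```hcl
variable "security_public_cidr" {
  type        = map(string)
  description = "Allowed source ranges (IPv4 or IPv6 CIDR) as keys, rule description shown in OpenStack as value"
  validation {
    condition     = alltrue([for cidr in keys(var.security_public_cidr) : can(cidrhost(cidr, 0))])
    error_message = "Every key of security_public_cidr must be a valid IPv4 or IPv6 CIDR range."
  }
  # … unchanged: default map …
}
```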