Commit 2699fc77 authored by František Dvořák

Fancy firewall rules with description

parent e959efeb
......@@ -13,32 +13,24 @@ resource "openstack_networking_secgroup_v2" "http" {
description = "http/https"
}
resource "openstack_networking_secgroup_rule_v2" "ping4" {
for_each = var.security_public_cidr4
resource "openstack_networking_secgroup_rule_v2" "ping" {
for_each = var.security_public_cidr
description = each.value
direction = "ingress"
ethertype = "IPv4"
port_range_min = 8
ethertype = strcontains(each.key, ":") ? "IPv6" : "IPv4"
port_range_min = strcontains(each.key, ":") ? 128 : 8
port_range_max = 0
# protocol = strcontains(each.key, ":") ? "ipv6-icmp" : "icmp"
protocol = "icmp"
remote_ip_prefix = each.key
security_group_id = openstack_networking_secgroup_v2.ping.id
}
resource "openstack_networking_secgroup_rule_v2" "ping6" {
for_each = var.security_public_cidr6
resource "openstack_networking_secgroup_rule_v2" "ssh" {
for_each = var.security_public_cidr
description = each.value
direction = "ingress"
ethertype = "IPv6"
port_range_min = 128
port_range_max = 0
protocol = "icmp" # icmp / ipv6-icmp
remote_ip_prefix = each.key
security_group_id = openstack_networking_secgroup_v2.ping.id
}
resource "openstack_networking_secgroup_rule_v2" "ssh4" {
for_each = var.security_public_cidr4
direction = "ingress"
ethertype = "IPv4"
ethertype = strcontains(each.key, ":") ? "IPv6" : "IPv4"
port_range_min = 22
port_range_max = 22
protocol = "tcp"
......@@ -46,32 +38,11 @@ resource "openstack_networking_secgroup_rule_v2" "ssh4" {
security_group_id = openstack_networking_secgroup_v2.ssh.id
}
resource "openstack_networking_secgroup_rule_v2" "ssh6" {
for_each = var.security_public_cidr6
direction = "ingress"
ethertype = "IPv6"
port_range_min = 22
port_range_max = 22
protocol = "tcp"
remote_ip_prefix = each.key
security_group_id = openstack_networking_secgroup_v2.ssh.id
}
resource "openstack_networking_secgroup_rule_v2" "http4" {
for_each = var.security_public_cidr4
direction = "ingress"
ethertype = "IPv4"
port_range_min = 80
port_range_max = 80
protocol = "tcp"
remote_ip_prefix = each.key
security_group_id = openstack_networking_secgroup_v2.http.id
}
resource "openstack_networking_secgroup_rule_v2" "http6" {
for_each = var.security_public_cidr6
resource "openstack_networking_secgroup_rule_v2" "http" {
for_each = var.security_public_cidr
description = each.value
direction = "ingress"
ethertype = "IPv6"
ethertype = strcontains(each.key, ":") ? "IPv6" : "IPv4"
port_range_min = 80
port_range_max = 80
protocol = "tcp"
......@@ -79,21 +50,11 @@ resource "openstack_networking_secgroup_rule_v2" "http6" {
security_group_id = openstack_networking_secgroup_v2.http.id
}
resource "openstack_networking_secgroup_rule_v2" "https4" {
for_each = var.security_public_cidr4
direction = "ingress"
ethertype = "IPv4"
port_range_min = 443
port_range_max = 443
protocol = "tcp"
remote_ip_prefix = each.key
security_group_id = openstack_networking_secgroup_v2.http.id
}
resource "openstack_networking_secgroup_rule_v2" "https6" {
for_each = var.security_public_cidr6
resource "openstack_networking_secgroup_rule_v2" "https" {
for_each = var.security_public_cidr
description = each.value
direction = "ingress"
ethertype = "IPv6"
ethertype = strcontains(each.key, ":") ? "IPv6" : "IPv4"
port_range_min = 443
port_range_max = 443
protocol = "tcp"
......
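Review bot: The commented-out `# protocol = strcontains(each.key, ":") ? "ipv6-icmp" : "icmp"` left above the active `protocol = "icmp"` in the ping rule makes the next reader guess whether the ipv6-icmp form was rejected by the provider or simply never tried; either drop the line or replace it with a comment giving the reason, e.g. `# "icmp" is kept for both ethertypes; Neutron canonicalises it to ipv6-icmp on IPv6 rules (confirm against the provider's plan output)`. The ssh, http and https hunks share the `strcontains(each.key, ":")` ethertype switch, and `strcontains` only exists from Terraform 1.5, so any `required_version` constraint in the module (not visible here) needs to be at least that. Collapsing ping4/ping6 (and the ssh, http, https pairs) into single resources changes every rule's state address and there are no `moved` blocks, so the next apply destroys and recreates all ingress rules; the added `description` would, as far as I recall, force replacement anyway because Neutron rules are immutable. That brief window without ssh/http ingress deserves a sentence in the commit message so operators apply it at a quiet moment rather than being surprised by the plan.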
......@@ -63,18 +63,11 @@ variable "squid_volume_size" {
description = "Size of volume for squid proxy, CVMFS cache (GB)"
}
variable "security_public_cidr4" {
type = set(string)
description = "Enabled IPv4 ranges"
default = [
"0.0.0.0/0",
]
}
variable "security_public_cidr6" {
type = set(string)
description = "Enabled IPv6 ranges"
default = [
"::/0",
]
variable "security_public_cidr" {
type = map(string)
description = "Enabled IP ranges"
default = {
"0.0.0.0/0": "Public access",
"::/0": "Public access",
}
}
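Review bot: Removing `security_public_cidr4` and `security_public_cidr6` while the new `security_public_cidr` defaults to `0.0.0.0/0` and `::/0` means a deployment that had narrowed the old variables in a tfvars file silently falls back to world-open ssh, http, https and ping, because Terraform only warns about values for undeclared variables in tfvars files rather than failing. Keeping the old names for one release as tombstones whose validation fails whenever they are set stops the apply until the operator migrates to the map form. A validation on the new variable that every key parses as a CIDR would also catch typos at plan time instead of at Neutron, since the rules file infers the ethertype only from whether the key contains a ':'.
```hcl
variable "security_public_cidr4" {
  type    = set(string)
  default = null
  validation {
    condition     = var.security_public_cidr4 == null
    error_message = "security_public_cidr4 was replaced by security_public_cidr (map of CIDR => description)."
  }
}

# … same tombstone for security_public_cidr6 …

variable "security_public_cidr" {
  # … unchanged: type, description, default …
  validation {
    condition     = alltrue([for cidr in keys(var.security_public_cidr) : can(cidrhost(cidr, 0))])
    error_message = "Every key of security_public_cidr must be an IPv4 or IPv6 CIDR."
  }
}
```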