From 2699fc77647f559d1317ae4cf4f8cab99bfd363d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franti=C5=A1ek=20Dvo=C5=99=C3=A1k?= <valtri@civ.zcu.cz>
Date: Sat, 3 Aug 2024 01:22:32 +0000
Subject: [PATCH] Fancy firewall rules with description

---
 common/terraform/firewall.tf | 75 +++++++++---------------------------
 common/terraform/vars.tf     | 21 ++++------
 2 files changed, 25 insertions(+), 71 deletions(-)

diff --git a/common/terraform/firewall.tf b/common/terraform/firewall.tf
index b35d242..7e332d0 100644
--- a/common/terraform/firewall.tf
+++ b/common/terraform/firewall.tf
@@ -13,32 +13,24 @@ resource "openstack_networking_secgroup_v2" "http" {
   description = "http/https"
 }
 
-resource "openstack_networking_secgroup_rule_v2" "ping4" {
-  for_each          = var.security_public_cidr4
+resource "openstack_networking_secgroup_rule_v2" "ping" {
+  for_each          = var.security_public_cidr
+  description       = each.value
   direction         = "ingress"
-  ethertype         = "IPv4"
-  port_range_min    = 8
+  ethertype         = strcontains(each.key, ":") ? "IPv6" : "IPv4"
+  port_range_min    = strcontains(each.key, ":") ? 128 : 8
   port_range_max    = 0
+  # protocol          = strcontains(each.key, ":") ? "ipv6-icmp" : "icmp"
   protocol          = "icmp"
   remote_ip_prefix  = each.key
   security_group_id = openstack_networking_secgroup_v2.ping.id
 }
 
-resource "openstack_networking_secgroup_rule_v2" "ping6" {
-  for_each          = var.security_public_cidr6
+resource "openstack_networking_secgroup_rule_v2" "ssh" {
+  for_each          = var.security_public_cidr
+  description       = each.value
   direction         = "ingress"
-  ethertype         = "IPv6"
-  port_range_min    = 128
-  port_range_max    = 0
-  protocol          = "icmp"  # icmp / ipv6-icmp
-  remote_ip_prefix  = each.key
-  security_group_id = openstack_networking_secgroup_v2.ping.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "ssh4" {
-  for_each          = var.security_public_cidr4
-  direction         = "ingress"
-  ethertype         = "IPv4"
+  ethertype         = strcontains(each.key, ":") ? "IPv6" : "IPv4"
   port_range_min    = 22
   port_range_max    = 22
   protocol          = "tcp"
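Review bot: The commented-out `protocol` line in the `ping` rule leaves the IPv6 case unexplained: the rule sends `protocol = "icmp"` together with `ethertype = "IPv6"` and type 128, and a reader cannot tell whether the provider accepts `icmp` for IPv6 or whether `ipv6-icmp` was tried and rejected. Replace the dead line with a statement of the reason, e.g. `# "icmp" is used for both ethertypes because <REASON-PLACEHOLDER>; "ipv6-icmp" is the strict Neutron name`. `strcontains` is only available from Terraform 1.5 on; if the project pins `required_version` in a file not in this patch, it presumably needs raising to match. The `ssh` rule body continues past the end of the hunk.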
@@ -46,32 +38,11 @@ resource "openstack_networking_secgroup_rule_v2" "ssh4" {
   security_group_id = openstack_networking_secgroup_v2.ssh.id
 }
 
-resource "openstack_networking_secgroup_rule_v2" "ssh6" {
-  for_each          = var.security_public_cidr6
-  direction         = "ingress"
-  ethertype         = "IPv6"
-  port_range_min    = 22
-  port_range_max    = 22
-  protocol          = "tcp"
-  remote_ip_prefix  = each.key
-  security_group_id = openstack_networking_secgroup_v2.ssh.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "http4" {
-  for_each          = var.security_public_cidr4
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  port_range_min    = 80
-  port_range_max    = 80
-  protocol          = "tcp"
-  remote_ip_prefix  = each.key
-  security_group_id = openstack_networking_secgroup_v2.http.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "http6" {
-  for_each          = var.security_public_cidr6
+resource "openstack_networking_secgroup_rule_v2" "http" {
+  for_each          = var.security_public_cidr
+  description       = each.value
   direction         = "ingress"
-  ethertype         = "IPv6"
+  ethertype         = strcontains(each.key, ":") ? "IPv6" : "IPv4"
   port_range_min    = 80
   port_range_max    = 80
   protocol          = "tcp"
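Review bot: The expression `strcontains(each.key, ":") ? "IPv6" : "IPv4"` is repeated in every rule (here in `http`, and likewise in `ping`, `ssh` and `https` in the other hunks), so any change to the family detection has to be made four times. Deriving it once keeps the rules in step: `locals { ethertype = { for cidr, _ in var.security_public_cidr : cidr => strcontains(cidr, ":") ? "IPv6" : "IPv4" } }` and then `ethertype = local.ethertype[each.key]` in each rule. The `http` rule body continues past the end of the hunk.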
@@ -79,21 +50,11 @@ resource "openstack_networking_secgroup_rule_v2" "http6" {
   security_group_id = openstack_networking_secgroup_v2.http.id
 }
 
-resource "openstack_networking_secgroup_rule_v2" "https4" {
-  for_each          = var.security_public_cidr4
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  port_range_min    = 443
-  port_range_max    = 443
-  protocol          = "tcp"
-  remote_ip_prefix  = each.key
-  security_group_id = openstack_networking_secgroup_v2.http.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "https6" {
-  for_each          = var.security_public_cidr6
+resource "openstack_networking_secgroup_rule_v2" "https" {
+  for_each          = var.security_public_cidr
+  description       = each.value
   direction         = "ingress"
-  ethertype         = "IPv6"
+  ethertype         = strcontains(each.key, ":") ? "IPv6" : "IPv4"
   port_range_min    = 443
   port_range_max    = 443
   protocol          = "tcp"
diff --git a/common/terraform/vars.tf b/common/terraform/vars.tf
index 54d05b2..4c83a79 100644
--- a/common/terraform/vars.tf
+++ b/common/terraform/vars.tf
@@ -63,18 +63,11 @@ variable "squid_volume_size" {
   description = "Size of volume for squid proxy, CVMFS cache (GB)"
 }
 
-variable "security_public_cidr4" {
-  type = set(string)
-  description = "Enabled IPv4 ranges"
-  default = [
-    "0.0.0.0/0",
-  ]
-}
-
-variable "security_public_cidr6" {
-  type = set(string)
-  description = "Enabled IPv6 ranges"
-  default = [
-    "::/0",
-  ]
+variable "security_public_cidr" {
+  type = map(string)
+  description = "Enabled IP ranges"
+  default = {
+    "0.0.0.0/0": "Public access",
+    "::/0":      "Public access",
+  }
 }
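Review bot: The map keys are used directly as `remote_ip_prefix` and for the `:`-based family detection, but nothing checks that they are CIDR prefixes, so a bare address or stray whitespace in an override only fails at apply time inside the provider; a `validation` block catches it at plan time. The description should also say what the value is for (it becomes each rule's `description`) and that the one map feeds the ping, ssh, http and https rules, e.g. `description = "Allowed source ranges (IPv4 or IPv6 CIDR) mapped to a rule description; applies to ping, ssh, http and https"`. The default keeps SSH reachable from `0.0.0.0/0` and `::/0`, as before; the description is the place to state that deployments are expected to override it.
```terraform
variable "security_public_cidr" {
  # … unchanged: type, description, default …
  validation {
    condition     = alltrue([for cidr, _ in var.security_public_cidr : can(cidrhost(cidr, 0))])
    error_message = "Keys of security_public_cidr must be valid IPv4 or IPv6 CIDR prefixes."
  }
}
```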
-- 
GitLab