From 9d498cb95f538c2e285e01d64a502f95d9b4d311 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franti=C5=A1ek=20Dvo=C5=99=C3=A1k?= <valtri@civ.zcu.cz>
Date: Sat, 3 Aug 2024 00:17:54 +0000
Subject: [PATCH] Terraform security groups in separate file and symlinks

---
 common/terraform/firewall.tf | 94 ++++++++++++++++++++++++++++++++
 staging1/terraform/firewall.tf | 1 +
 staging1/terraform/vms.tf | 97 ----------------------------------
 staging2/terraform/firewall.tf | 1 +
 staging2/terraform/vms.tf | 97 ----------------------------------
 testing/terraform/firewall.tf | 1 +
 testing/terraform/vms.tf | 97 ----------------------------------
 7 files changed, 97 insertions(+), 291 deletions(-)
 create mode 100644 common/terraform/firewall.tf
 create mode 120000 staging1/terraform/firewall.tf
 create mode 120000 staging2/terraform/firewall.tf
 create mode 120000 testing/terraform/firewall.tf

diff --git a/common/terraform/firewall.tf b/common/terraform/firewall.tf
new file mode 100644
index 0000000..1a3262c
--- /dev/null
+++ b/common/terraform/firewall.tf
@@ -0,0 +1,94 @@
+resource "openstack_networking_secgroup_v2" "ping" {
+ name = "ping"
+ description = "ICMP for ping"
+}
+
+resource "openstack_networking_secgroup_v2" "ssh" {
+ name = "ssh"
+ description = "ssh connection"
+}
+
+resource "openstack_networking_secgroup_v2" "http" {
+ name = "http"
+ description = "http/https"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "ping4" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ port_range_min = 8
+ port_range_max = 0
+ protocol = "icmp"
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = openstack_networking_secgroup_v2.ping.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "ping6" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ port_range_min = 128
+ port_range_max = 0
+ protocol = "icmp" # icmp / ipv6-icmp
+ remote_ip_prefix = "::/0"
+ security_group_id = openstack_networking_secgroup_v2.ping.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "ssh4" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ port_range_min = 22
+ port_range_max = 22
+ protocol = "tcp"
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = openstack_networking_secgroup_v2.ssh.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "ssh6" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ port_range_min = 22
+ port_range_max = 22
+ protocol = "tcp"
+ remote_ip_prefix = "::/0"
+ security_group_id = openstack_networking_secgroup_v2.ssh.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "http4" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ port_range_min = 80
+ port_range_max = 80
+ protocol = "tcp"
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = openstack_networking_secgroup_v2.http.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "http6" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ port_range_min = 80
+ port_range_max = 80
+ protocol = "tcp"
+ remote_ip_prefix = "::/0"
+ security_group_id = openstack_networking_secgroup_v2.http.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "https4" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ port_range_min = 443
+ port_range_max = 443
+ protocol = "tcp"
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = openstack_networking_secgroup_v2.http.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "https6" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ port_range_min = 443
+ port_range_max = 443
+ protocol = "tcp"
+ remote_ip_prefix = "::/0"
+ security_group_id = openstack_networking_secgroup_v2.http.id
+}
diff --git a/staging1/terraform/firewall.tf b/staging1/terraform/firewall.tf
new file mode 120000
index 0000000..0088c12
--- /dev/null
+++ b/staging1/terraform/firewall.tf
@@ -0,0 +1 @@
+../../common/terraform/firewall.tf
\ No newline at end of file
diff --git a/staging1/terraform/vms.tf b/staging1/terraform/vms.tf
index c7fdcda..b196eda 100644
--- a/staging1/terraform/vms.tf
+++ b/staging1/terraform/vms.tf
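Review bot: The `ssh4` and `ssh6` rules admit TCP/22 from `0.0.0.0/0` and `::/0`, and because this file is now shared through symlinks no single environment can narrow that source range without forking the file again; lifting the prefix into a variable, e.g. `remote_ip_prefix = var.ssh_allowed_cidr_v4` (constructed name, defaulting to the current prefix), keeps one definition while letting each environment scope management access. The `ping6` rule still pairs `protocol = "icmp"` with `ethertype = "IPv6"` and carries over the `# icmp / ipv6-icmp` comment; whether Neutron accepts or silently normalizes `icmp` for IPv6 appears to depend on the release, so `protocol = "ipv6-icmp"` would state the intent unambiguously (verify against the target cloud first, since a protocol change will likely replace the rule). The `# Security groups` header dropped from the three vms.tf hunks did not make it into this file; a one-line header such as `# Security groups shared by every environment via <env>/terraform/firewall.tf symlinks` would tell a reader why the file lives under common/.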
@@ -10,103 +10,6 @@ locals {
 gpu_ips = [for s in openstack_compute_instance_v2.gpu[*].network[0].fixed_ip_v4 : s]
 }
 
-# Security groups
-
-resource "openstack_networking_secgroup_v2" "ping" {
- name = "ping"
- description = "ICMP for ping"
-}
-
-resource "openstack_networking_secgroup_v2" "ssh" {
- name = "ssh"
- description = "ssh connection"
-}
-
-resource "openstack_networking_secgroup_v2" "http" {
- name = "http"
- description = "http/https"
-}
-
-resource "openstack_networking_secgroup_rule_v2" "ping4" {
- direction = "ingress"
- ethertype = "IPv4"
- port_range_min = 8
- port_range_max = 0
- protocol = "icmp"
- remote_ip_prefix = "0.0.0.0/0"
- security_group_id = openstack_networking_secgroup_v2.ping.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "ping6" {
- direction = "ingress"
- ethertype = "IPv6"
- port_range_min = 128
- port_range_max = 0
- protocol = "icmp" # icmp / ipv6-icmp
- remote_ip_prefix = "::/0"
- security_group_id = openstack_networking_secgroup_v2.ping.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "ssh4" {
- direction = "ingress"
- ethertype = "IPv4"
- port_range_min = 22
- port_range_max = 22
- protocol = "tcp"
- remote_ip_prefix = "0.0.0.0/0"
- security_group_id = openstack_networking_secgroup_v2.ssh.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "ssh6" {
- direction = "ingress"
- ethertype = "IPv6"
- port_range_min = 22
- port_range_max = 22
- protocol = "tcp"
- remote_ip_prefix = "::/0"
- security_group_id = openstack_networking_secgroup_v2.ssh.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "http4" {
- direction = "ingress"
- ethertype = "IPv4"
- port_range_min = 80
- port_range_max = 80
- protocol = "tcp"
- remote_ip_prefix = "0.0.0.0/0"
- security_group_id = openstack_networking_secgroup_v2.http.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "http6" {
- direction = "ingress"
- ethertype = "IPv6"
- port_range_min = 80
- port_range_max = 80
- protocol = "tcp"
- remote_ip_prefix = "::/0"
- security_group_id = openstack_networking_secgroup_v2.http.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "https4" {
- direction = "ingress"
- ethertype = "IPv4"
- port_range_min = 443
- port_range_max = 443
- protocol = "tcp"
- remote_ip_prefix = "0.0.0.0/0"
- security_group_id = openstack_networking_secgroup_v2.http.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "https6" {
- direction = "ingress"
- ethertype = "IPv6"
- port_range_min = 443
- port_range_max = 443
- protocol = "tcp"
- remote_ip_prefix = "::/0"
- security_group_id = openstack_networking_secgroup_v2.http.id
-}
-
 resource "openstack_networking_floatingip_v2" "public_ip" {
 pool = var.ip_pool
 }
diff --git a/staging2/terraform/firewall.tf b/staging2/terraform/firewall.tf
new file mode 120000
index 0000000..0088c12
--- /dev/null
+++ b/staging2/terraform/firewall.tf
@@ -0,0 +1 @@
+../../common/terraform/firewall.tf
\ No newline at end of file
diff --git a/staging2/terraform/vms.tf b/staging2/terraform/vms.tf
index d46b46e..c631465 100644
--- a/staging2/terraform/vms.tf
+++ b/staging2/terraform/vms.tf
@@ -10,103 +10,6 @@ locals {
 gpu_ips = [for s in openstack_compute_instance_v2.gpu[*].network[0].fixed_ip_v6 : replace(s, "/\\[(.*)\\]/", "$1")]
 }
 
-# Security groups
-
-resource "openstack_networking_secgroup_v2" "ping" {
- name = "ping"
- description = "ICMP for ping"
-}
-
-resource "openstack_networking_secgroup_v2" "ssh" {
- name = "ssh"
- description = "ssh connection"
-}
-
-resource "openstack_networking_secgroup_v2" "http" {
- name = "http"
- description = "http/https"
-}
-
-resource "openstack_networking_secgroup_rule_v2" "ping4" {
- direction = "ingress"
- ethertype = "IPv4"
- port_range_min = 8
- port_range_max = 0
- protocol = "icmp"
- remote_ip_prefix = "0.0.0.0/0"
- security_group_id = openstack_networking_secgroup_v2.ping.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "ping6" {
- direction = "ingress"
- ethertype = "IPv6"
- port_range_min = 128
- port_range_max = 0
- protocol = "icmp" # icmp / ipv6-icmp
- remote_ip_prefix = "::/0"
- security_group_id = openstack_networking_secgroup_v2.ping.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "ssh4" {
- direction = "ingress"
- ethertype = "IPv4"
- port_range_min = 22
- port_range_max = 22
- protocol = "tcp"
- remote_ip_prefix = "0.0.0.0/0"
- security_group_id = openstack_networking_secgroup_v2.ssh.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "ssh6" {
- direction = "ingress"
- ethertype = "IPv6"
- port_range_min = 22
- port_range_max = 22
- protocol = "tcp"
- remote_ip_prefix = "::/0"
- security_group_id = openstack_networking_secgroup_v2.ssh.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "http4" {
- direction = "ingress"
- ethertype = "IPv4"
- port_range_min = 80
- port_range_max = 80
- protocol = "tcp"
- remote_ip_prefix = "0.0.0.0/0"
- security_group_id = openstack_networking_secgroup_v2.http.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "http6" {
- direction = "ingress"
- ethertype = "IPv6"
- port_range_min = 80
- port_range_max = 80
- protocol = "tcp"
- remote_ip_prefix = "::/0"
- security_group_id = openstack_networking_secgroup_v2.http.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "https4" {
- direction = "ingress"
- ethertype = "IPv4"
- port_range_min = 443
- port_range_max = 443
- protocol = "tcp"
- remote_ip_prefix = "0.0.0.0/0"
- security_group_id = openstack_networking_secgroup_v2.http.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "https6" {
- direction = "ingress"
- ethertype = "IPv6"
- port_range_min = 443
- port_range_max = 443
- protocol = "tcp"
- remote_ip_prefix = "::/0"
- security_group_id = openstack_networking_secgroup_v2.http.id
-}
-
 data "openstack_images_image_v2" "ubuntu" {
 name = "ubuntu-22.04"
 }
diff --git a/testing/terraform/firewall.tf b/testing/terraform/firewall.tf
new file mode 120000
index 0000000..0088c12
--- /dev/null
+++ b/testing/terraform/firewall.tf
@@ -0,0 +1 @@
+../../common/terraform/firewall.tf
\ No newline at end of file
diff --git a/testing/terraform/vms.tf b/testing/terraform/vms.tf
index 6003936..0c5751c 100644
--- a/testing/terraform/vms.tf
+++ b/testing/terraform/vms.tf
@@ -10,103 +10,6 @@ locals {
 gpu_ips = [for s in openstack_compute_instance_v2.gpu[*].network[1].fixed_ip_v6 : replace(s, "/\\[(.*)\\]/", "$1")]
 }
 
-# Security groups
-
-resource "openstack_networking_secgroup_v2" "ping" {
- name = "ping"
- description = "ICMP for ping"
-}
-
-resource "openstack_networking_secgroup_v2" "ssh" {
- name = "ssh"
- description = "ssh connection"
-}
-
-resource "openstack_networking_secgroup_v2" "http" {
- name = "http"
- description = "http/https"
-}
-
-resource "openstack_networking_secgroup_rule_v2" "ping4" {
- direction = "ingress"
- ethertype = "IPv4"
- port_range_min = 8
- port_range_max = 0
- protocol = "icmp"
- remote_ip_prefix = "0.0.0.0/0"
- security_group_id = openstack_networking_secgroup_v2.ping.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "ping6" {
- direction = "ingress"
- ethertype = "IPv6"
- port_range_min = 128
- port_range_max = 0
- protocol = "icmp" # icmp / ipv6-icmp
- remote_ip_prefix = "::/0"
- security_group_id = openstack_networking_secgroup_v2.ping.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "ssh4" {
- direction = "ingress"
- ethertype = "IPv4"
- port_range_min = 22
- port_range_max = 22
- protocol = "tcp"
- remote_ip_prefix = "0.0.0.0/0"
- security_group_id = openstack_networking_secgroup_v2.ssh.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "ssh6" {
- direction = "ingress"
- ethertype = "IPv6"
- port_range_min = 22
- port_range_max = 22
- protocol = "tcp"
- remote_ip_prefix = "::/0"
- security_group_id = openstack_networking_secgroup_v2.ssh.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "http4" {
- direction = "ingress"
- ethertype = "IPv4"
- port_range_min = 80
- port_range_max = 80
- protocol = "tcp"
- remote_ip_prefix = "0.0.0.0/0"
- security_group_id = openstack_networking_secgroup_v2.http.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "http6" {
- direction = "ingress"
- ethertype = "IPv6"
- port_range_min = 80
- port_range_max = 80
- protocol = "tcp"
- remote_ip_prefix = "::/0"
- security_group_id = openstack_networking_secgroup_v2.http.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "https4" {
- direction = "ingress"
- ethertype = "IPv4"
- port_range_min = 443
- port_range_max = 443
- protocol = "tcp"
- remote_ip_prefix = "0.0.0.0/0"
- security_group_id = openstack_networking_secgroup_v2.http.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "https6" {
- direction = "ingress"
- ethertype = "IPv6"
- port_range_min = 443
- port_range_max = 443
- protocol = "tcp"
- remote_ip_prefix = "::/0"
- security_group_id = openstack_networking_secgroup_v2.http.id
-}
-
 resource "openstack_networking_floatingip_v2" "public_ip" {
 pool = var.ip_pool
 }
-- 
GitLab