Make firewall in terraform configurable

e959efeb · František Dvořák · 9d498cb9 · e959efeb · e959efeb
Commit e959efeb authored 7 months ago by František Dvořák
--- a/common/terraform/firewall.tf
+++ b/common/terraform/firewall.tf
@@ -14,81 +14,89 @@ resource "openstack_networking_secgroup_v2" "http" {
 }

 resource "openstack_networking_secgroup_rule_v2" "ping4" {
+  for_each          = var.security_public_cidr4
  direction         = "ingress"
  ethertype         = "IPv4"
  port_range_min    = 8
  port_range_max    = 0
  protocol          = "icmp"
-  remote_ip_prefix  = "0.0.0.0/0"
+  remote_ip_prefix  = each.key
  security_group_id = openstack_networking_secgroup_v2.ping.id
 }

 resource "openstack_networking_secgroup_rule_v2" "ping6" {
+  for_each          = var.security_public_cidr6
  direction         = "ingress"
  ethertype         = "IPv6"
  port_range_min    = 128
  port_range_max    = 0
  protocol          = "icmp"  # icmp / ipv6-icmp
-  remote_ip_prefix  = "::/0"
+  remote_ip_prefix  = each.key
  security_group_id = openstack_networking_secgroup_v2.ping.id
 }

 resource "openstack_networking_secgroup_rule_v2" "ssh4" {
+  for_each          = var.security_public_cidr4
  direction         = "ingress"
  ethertype         = "IPv4"
  port_range_min    = 22
  port_range_max    = 22
  protocol          = "tcp"
-  remote_ip_prefix  = "0.0.0.0/0"
+  remote_ip_prefix  = each.key
  security_group_id = openstack_networking_secgroup_v2.ssh.id
 }

 resource "openstack_networking_secgroup_rule_v2" "ssh6" {
+  for_each          = var.security_public_cidr6
  direction         = "ingress"
  ethertype         = "IPv6"
  port_range_min    = 22
  port_range_max    = 22
  protocol          = "tcp"
-  remote_ip_prefix  = "::/0"
+  remote_ip_prefix  = each.key
  security_group_id = openstack_networking_secgroup_v2.ssh.id
 }

 resource "openstack_networking_secgroup_rule_v2" "http4" {
+  for_each          = var.security_public_cidr4
  direction         = "ingress"
  ethertype         = "IPv4"
  port_range_min    = 80
  port_range_max    = 80
  protocol          = "tcp"
-  remote_ip_prefix  = "0.0.0.0/0"
+  remote_ip_prefix  = each.key
  security_group_id = openstack_networking_secgroup_v2.http.id
 }

 resource "openstack_networking_secgroup_rule_v2" "http6" {
+  for_each          = var.security_public_cidr6
  direction         = "ingress"
  ethertype         = "IPv6"
  port_range_min    = 80
  port_range_max    = 80
  protocol          = "tcp"
-  remote_ip_prefix  = "::/0"
+  remote_ip_prefix  = each.key
  security_group_id = openstack_networking_secgroup_v2.http.id
 }

 resource "openstack_networking_secgroup_rule_v2" "https4" {
+  for_each          = var.security_public_cidr4
  direction         = "ingress"
  ethertype         = "IPv4"
  port_range_min    = 443
  port_range_max    = 443
  protocol          = "tcp"
-  remote_ip_prefix  = "0.0.0.0/0"
+  remote_ip_prefix  = each.key
  security_group_id = openstack_networking_secgroup_v2.http.id
 }

 resource "openstack_networking_secgroup_rule_v2" "https6" {
+  for_each          = var.security_public_cidr6
  direction         = "ingress"
  ethertype         = "IPv6"
  port_range_min    = 443
  port_range_max    = 443
  protocol          = "tcp"
-  remote_ip_prefix  = "::/0"
+  remote_ip_prefix  = each.key
  security_group_id = openstack_networking_secgroup_v2.http.id
 }
--- a/common/terraform/vars.tf
+++ b/common/terraform/vars.tf
@@ -62,3 +62,19 @@ variable "squid_volume_size" {
  type        = number
  description = "Size of volume for squid proxy, CVMFS cache (GB)"
 }
+
+variable "security_public_cidr4" {
+  type = set(string)
+  description = "Enabled IPv4 ranges"
+  default = [
+    "0.0.0.0/0",
+  ]
+}
+
+variable "security_public_cidr6" {
+  type = set(string)
+  description = "Enabled IPv6 ranges"
+  default = [
+    "::/0",
+  ]
+}