Commit e959efeb authored by František Dvořák's avatar František Dvořák

Make firewall in Terraform configurable

parent 9d498cb9
......@@ -14,81 +14,89 @@ resource "openstack_networking_secgroup_v2" "http" {
}
resource "openstack_networking_secgroup_rule_v2" "ping4" {
for_each = var.security_public_cidr4
direction = "ingress"
ethertype = "IPv4"
port_range_min = 8
port_range_max = 0
protocol = "icmp"
remote_ip_prefix = "0.0.0.0/0"
remote_ip_prefix = each.key
security_group_id = openstack_networking_secgroup_v2.ping.id
}
resource "openstack_networking_secgroup_rule_v2" "ping6" {
for_each = var.security_public_cidr6
direction = "ingress"
ethertype = "IPv6"
port_range_min = 128
port_range_max = 0
protocol = "icmp" # icmp / ipv6-icmp
remote_ip_prefix = "::/0"
remote_ip_prefix = each.key
security_group_id = openstack_networking_secgroup_v2.ping.id
}
resource "openstack_networking_secgroup_rule_v2" "ssh4" {
for_each = var.security_public_cidr4
direction = "ingress"
ethertype = "IPv4"
port_range_min = 22
port_range_max = 22
protocol = "tcp"
remote_ip_prefix = "0.0.0.0/0"
remote_ip_prefix = each.key
security_group_id = openstack_networking_secgroup_v2.ssh.id
}
resource "openstack_networking_secgroup_rule_v2" "ssh6" {
for_each = var.security_public_cidr6
direction = "ingress"
ethertype = "IPv6"
port_range_min = 22
port_range_max = 22
protocol = "tcp"
remote_ip_prefix = "::/0"
remote_ip_prefix = each.key
security_group_id = openstack_networking_secgroup_v2.ssh.id
}
resource "openstack_networking_secgroup_rule_v2" "http4" {
for_each = var.security_public_cidr4
direction = "ingress"
ethertype = "IPv4"
port_range_min = 80
port_range_max = 80
protocol = "tcp"
remote_ip_prefix = "0.0.0.0/0"
remote_ip_prefix = each.key
security_group_id = openstack_networking_secgroup_v2.http.id
}
resource "openstack_networking_secgroup_rule_v2" "http6" {
for_each = var.security_public_cidr6
direction = "ingress"
ethertype = "IPv6"
port_range_min = 80
port_range_max = 80
protocol = "tcp"
remote_ip_prefix = "::/0"
remote_ip_prefix = each.key
security_group_id = openstack_networking_secgroup_v2.http.id
}
resource "openstack_networking_secgroup_rule_v2" "https4" {
for_each = var.security_public_cidr4
direction = "ingress"
ethertype = "IPv4"
port_range_min = 443
port_range_max = 443
protocol = "tcp"
remote_ip_prefix = "0.0.0.0/0"
remote_ip_prefix = each.key
security_group_id = openstack_networking_secgroup_v2.http.id
}
resource "openstack_networking_secgroup_rule_v2" "https6" {
for_each = var.security_public_cidr6
direction = "ingress"
ethertype = "IPv6"
port_range_min = 443
port_range_max = 443
protocol = "tcp"
remote_ip_prefix = "::/0"
remote_ip_prefix = each.key
security_group_id = openstack_networking_secgroup_v2.http.id
}
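Review bot: Adding `for_each` to ping4 through https6 changes each rule's state address from `openstack_networking_secgroup_rule_v2.ping4` to `openstack_networking_secgroup_rule_v2.ping4["0.0.0.0/0"]`, so on an already-deployed stack the next apply destroys the old rule instance and creates a new one instead of updating in place; the same applies to all eight rule resources in this hunk. The old and new instances are unrelated resources from Terraform's point of view, so delete/create ordering within the apply is not guaranteed and ping, SSH and HTTP(S) reachability may lapse until the new rules exist. If the module is already deployed and the Terraform version in use supports `moved` blocks (1.1+; not visible here), mapping each old address to its default key keeps the rules in state with no churn; the keys below assume callers keep the variable defaults. The `http` secgroup resource that closes on the first line of the hunk starts outside it.
```hcl
moved {
  from = openstack_networking_secgroup_rule_v2.ping4
  to   = openstack_networking_secgroup_rule_v2.ping4["0.0.0.0/0"]
}

moved {
  from = openstack_networking_secgroup_rule_v2.ping6
  to   = openstack_networking_secgroup_rule_v2.ping6["::/0"]
}

# … same pattern for ssh4, ssh6, http4, http6, https4, https6 …
```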
......@@ -62,3 +62,19 @@ variable "squid_volume_size" {
type = number
description = "Size of volume for squid proxy, CVMFS cache (GB)"
}
variable "security_public_cidr4" {
type = set(string)
description = "Enabled IPv4 ranges"
default = [
"0.0.0.0/0",
]
}
variable "security_public_cidr6" {
type = set(string)
description = "Enabled IPv6 ranges"
default = [
"::/0",
]
}
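Review bot: The two new variables accept any string, so a malformed prefix, or an IPv6 range placed in `security_public_cidr4`, passes `terraform plan` and is only rejected by the OpenStack API at apply time, part-way through creating the rules. A `validation` block rejects such values at plan time: `can(cidrhost(c, 0))` checks that `c` parses as a prefix, and `cidrnetmask` is documented as IPv4-only, so it can double as the address-family check (confirm against the Terraform version the module targets). The descriptions could also state the effect more precisely, e.g. `"Source IPv4 CIDRs allowed to reach the ping/ssh/http secgroups; an empty set creates no ingress rules"`, since with `for_each` an empty set silently creates nothing and the defaults keep every rule open to 0.0.0.0/0 and ::/0 unless a caller overrides them.
```hcl
variable "security_public_cidr4" {
  # … unchanged: type, description, default …

  validation {
    condition     = alltrue([for c in var.security_public_cidr4 : can(cidrnetmask(c))])
    error_message = "Each entry must be a valid IPv4 CIDR prefix."
  }
}

variable "security_public_cidr6" {
  # … unchanged: type, description, default …

  validation {
    condition     = alltrue([for c in var.security_public_cidr6 : can(cidrhost(c, 0)) && !can(cidrnetmask(c))])
    error_message = "Each entry must be a valid IPv6 CIDR prefix."
  }
}
```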