From e959efebeb59fca8ffbc126a5fb7599866e15797 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franti=C5=A1ek=20Dvo=C5=99=C3=A1k?= <valtri@civ.zcu.cz>
Date: Sat, 3 Aug 2024 00:46:43 +0000
Subject: [PATCH] Make firewall in terraform configurable

---
 common/terraform/firewall.tf | 24 ++++++++++++++++--------
 common/terraform/vars.tf     | 16 ++++++++++++++++
 2 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/common/terraform/firewall.tf b/common/terraform/firewall.tf
index 1a3262c..b35d242 100644
--- a/common/terraform/firewall.tf
+++ b/common/terraform/firewall.tf
@@ -14,81 +14,89 @@ resource "openstack_networking_secgroup_v2" "http" {
 }
 
 resource "openstack_networking_secgroup_rule_v2" "ping4" {
+  for_each          = var.security_public_cidr4
   direction         = "ingress"
   ethertype         = "IPv4"
   port_range_min    = 8
   port_range_max    = 0
   protocol          = "icmp"
-  remote_ip_prefix  = "0.0.0.0/0"
+  remote_ip_prefix  = each.key
   security_group_id = openstack_networking_secgroup_v2.ping.id
 }
 
 resource "openstack_networking_secgroup_rule_v2" "ping6" {
+  for_each          = var.security_public_cidr6
   direction         = "ingress"
   ethertype         = "IPv6"
   port_range_min    = 128
   port_range_max    = 0
   protocol          = "icmp"  # icmp / ipv6-icmp
-  remote_ip_prefix  = "::/0"
+  remote_ip_prefix  = each.key
   security_group_id = openstack_networking_secgroup_v2.ping.id
 }
 
 resource "openstack_networking_secgroup_rule_v2" "ssh4" {
+  for_each          = var.security_public_cidr4
   direction         = "ingress"
   ethertype         = "IPv4"
   port_range_min    = 22
   port_range_max    = 22
   protocol          = "tcp"
-  remote_ip_prefix  = "0.0.0.0/0"
+  remote_ip_prefix  = each.key
   security_group_id = openstack_networking_secgroup_v2.ssh.id
 }
 
 resource "openstack_networking_secgroup_rule_v2" "ssh6" {
+  for_each          = var.security_public_cidr6
   direction         = "ingress"
   ethertype         = "IPv6"
   port_range_min    = 22
   port_range_max    = 22
   protocol          = "tcp"
-  remote_ip_prefix  = "::/0"
+  remote_ip_prefix  = each.key
   security_group_id = openstack_networking_secgroup_v2.ssh.id
 }
 
 resource "openstack_networking_secgroup_rule_v2" "http4" {
+  for_each          = var.security_public_cidr4
   direction         = "ingress"
   ethertype         = "IPv4"
   port_range_min    = 80
   port_range_max    = 80
   protocol          = "tcp"
-  remote_ip_prefix  = "0.0.0.0/0"
+  remote_ip_prefix  = each.key
   security_group_id = openstack_networking_secgroup_v2.http.id
 }
 
 resource "openstack_networking_secgroup_rule_v2" "http6" {
+  for_each          = var.security_public_cidr6
   direction         = "ingress"
   ethertype         = "IPv6"
   port_range_min    = 80
   port_range_max    = 80
   protocol          = "tcp"
-  remote_ip_prefix  = "::/0"
+  remote_ip_prefix  = each.key
   security_group_id = openstack_networking_secgroup_v2.http.id
 }
 
 resource "openstack_networking_secgroup_rule_v2" "https4" {
+  for_each          = var.security_public_cidr4
   direction         = "ingress"
   ethertype         = "IPv4"
   port_range_min    = 443
   port_range_max    = 443
   protocol          = "tcp"
-  remote_ip_prefix  = "0.0.0.0/0"
+  remote_ip_prefix  = each.key
   security_group_id = openstack_networking_secgroup_v2.http.id
 }
 
 resource "openstack_networking_secgroup_rule_v2" "https6" {
+  for_each          = var.security_public_cidr6
   direction         = "ingress"
   ethertype         = "IPv6"
   port_range_min    = 443
   port_range_max    = 443
   protocol          = "tcp"
-  remote_ip_prefix  = "::/0"
+  remote_ip_prefix  = each.key
   security_group_id = openstack_networking_secgroup_v2.http.id
 }
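Review bot: Switching every rule to `for_each` changes its state address (e.g. `openstack_networking_secgroup_rule_v2.ssh4` becomes `openstack_networking_secgroup_rule_v2.ssh4["0.0.0.0/0"]`), so on an already-deployed environment the next plan will destroy the old rule and create the new one instead of keeping it; Terraform orders those two operations independently, so SSH/HTTP ingress can be absent for part of the apply. If the project is on Terraform ≥ 1.1, one `moved` block per rule resource preserves the existing state, e.g. `moved { from = openstack_networking_secgroup_rule_v2.ssh4  to = openstack_networking_secgroup_rule_v2.ssh4["0.0.0.0/0"] }` (and likewise with `"::/0"` for the `*6` rules). Separately, `ping4`/`ssh4`/`http4`/`https4` all iterate the same `var.security_public_cidr4` (and the `*6` rules `var.security_public_cidr6`), so an operator cannot restrict SSH to admin networks without also closing the web ports to the public; a dedicated `security_ssh_cidr4`/`security_ssh_cidr6` pair used only by `ssh4`/`ssh6` would allow that, and the comment `# icmp / ipv6-icmp` on `ping6` still leaves open which protocol value the deployed Neutron actually accepts for IPv6.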
diff --git a/common/terraform/vars.tf b/common/terraform/vars.tf
index 25f0b32..54d05b2 100644
--- a/common/terraform/vars.tf
+++ b/common/terraform/vars.tf
@@ -62,3 +62,19 @@ variable "squid_volume_size" {
   type        = number
   description = "Size of volume for squid proxy, CVMFS cache (GB)"
 }
+
+variable "security_public_cidr4" {
+  type = set(string)
+  description = "Enabled IPv4 ranges"
+  default = [
+    "0.0.0.0/0",
+  ]
+}
+
+variable "security_public_cidr6" {
+  type = set(string)
+  description = "Enabled IPv6 ranges"
+  default = [
+    "::/0",
+  ]
+}
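Review bot: Neither new variable validates its entries, so a typo such as `10.0.0.0/33` or an IPv4 prefix placed in `security_public_cidr6` (whose rules are created with `ethertype = "IPv6"`) is only rejected by the OpenStack API at apply time, presumably after other resources in the plan have already been applied; a `validation` block catches it at plan time, and `cidrnetmask` rejecting IPv6 input makes it usable as an address-family check. The descriptions "Enabled IPv4 ranges"/"Enabled IPv6 ranges" also do not say what the ranges enable or that the defaults keep the pre-patch world-open exposure of SSH; something like `description = "Source IPv4 CIDRs allowed to reach ping/SSH/HTTP/HTTPS. Default keeps the previous open-to-world behaviour; an empty set creates no ingress rules."` would make both points to the operator.
```hcl
variable "security_public_cidr4" {
  # … unchanged: type, description, default …
  validation {
    condition     = alltrue([for c in var.security_public_cidr4 : can(cidrnetmask(c))])
    error_message = "security_public_cidr4 entries must be valid IPv4 CIDR prefixes (e.g. 10.0.0.0/8)."
  }
}

variable "security_public_cidr6" {
  # … unchanged: type, description, default …
  validation {
    condition     = alltrue([for c in var.security_public_cidr6 : can(cidrhost(c, 0)) && !can(cidrnetmask(c))])
    error_message = "security_public_cidr6 entries must be valid IPv6 CIDR prefixes (e.g. 2001:db8::/32)."
  }
}
```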
-- 
GitLab