# General-purpose security group for the domain. Its ingress rules are the
# "all_*" rule resources declared further down in this file.
resource "openstack_networking_secgroup_v2" "all" {
  name        = "${var.domain}.all"
  description = format("%s all security group", title(var.domain))
}
# Security group meant for administrative access; populated by the "ssh"
# rule resource below, which is scoped to var.security_admin_cidr.
resource "openstack_networking_secgroup_v2" "ssh" {
  name        = "${var.domain}.ssh"
  description = format("%s ssh security group", title(var.domain))
}
# Intra-group rule: any protocol/port is allowed between members of the
# "all" group (remote_group_id == security_group_id). The for_each key is
# used only to select the ethertype so that one IPv4 and one IPv6 rule
# exist; the CIDR literal is never applied as a prefix, and the keys are
# kept as-is so existing state addresses do not change.
resource "openstack_networking_secgroup_rule_v2" "all_self" {
  for_each = toset(["0.0.0.0/0", "::/0"])

  direction         = "ingress"
  ethertype         = can(regex(":", each.value)) ? "IPv6" : "IPv4"
  remote_group_id   = openstack_networking_secgroup_v2.all.id
  security_group_id = openstack_networking_secgroup_v2.all.id
}
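# Allow ICMP / ICMPv6 from any source, one rule per address family.
# The source prefix is now stated explicitly from the for_each key. It was
# previously omitted, which Neutron interprets as "any remote", so the
# effective policy is unchanged -- but a reader no longer has to know that
# an absent remote_ip_prefix means world-reachable. Because the provider
# replaces rules when this attribute changes, expect the two rules to be
# recreated on the next apply.
resource "openstack_networking_secgroup_rule_v2" "all_icmp" {
  for_each = toset(["0.0.0.0/0", "::/0"])

  direction = "ingress"
  ethertype = length(regexall(":", each.value)) == 0 ? "IPv4" : "IPv6"
  # Neutron uses a distinct protocol name for ICMPv6.
  protocol          = each.value == "0.0.0.0/0" ? "icmp" : "ipv6-icmp"
  remote_ip_prefix  = each.value
  security_group_id = openstack_networking_secgroup_v2.all.id
}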
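# Allow all protocols and ports into the "all" group from each trusted CIDR.
# The ethertype is derived from each.key, the same value used as the
# remote_ip_prefix. The original derived it from each.value: identical for a
# set-typed variable, but wrong if var.security_trusted_cidr is ever a map
# whose values are not CIDRs (the rule would then get the wrong address
# family or fail to plan).
resource "openstack_networking_secgroup_rule_v2" "all_other" {
  for_each = var.security_trusted_cidr

  direction         = "ingress"
  ethertype         = length(regexall(":", each.key)) == 0 ? "IPv4" : "IPv6"
  remote_ip_prefix  = each.key
  security_group_id = openstack_networking_secgroup_v2.all.id
}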
# Allow any protocol/port into the "all" group when the source address is
# floatip_1's floating IP (a single-host /32 prefix). Presumably this covers
# traffic that re-enters the tenant network via the floating address;
# confirm against the floating-IP/NAT setup elsewhere in the module.
resource "openstack_networking_secgroup_rule_v2" "all_floatip" {
  security_group_id = openstack_networking_secgroup_v2.all.id
  direction         = "ingress"
  # Fixed to IPv4 to match the /32 host mask below.
  ethertype        = "IPv4"
  remote_ip_prefix = format("%s/32", openstack_networking_floatingip_v2.floatip_1.address)
}
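# Ingress into the "ssh" group from each admin CIDR. As with all_other, the
# ethertype is now derived from each.key -- the value actually used as
# remote_ip_prefix -- so a map-typed var.security_admin_cidr cannot yield a
# mismatched address family; for a set this is a no-op.
#
# NOTE(review): no protocol or port_range_min/max is set, so this rule
# admits every protocol and port from the admin CIDRs, not just SSH. If the
# group name reflects the intent, restricting it to
# `protocol = "tcp"`, `port_range_min = 22`, `port_range_max = 22`
# would be the least-privilege form; left unchanged here because other
# services may currently rely on the broader access.
resource "openstack_networking_secgroup_rule_v2" "ssh" {
  for_each = var.security_admin_cidr

  direction         = "ingress"
  ethertype         = length(regexall(":", each.key)) == 0 ? "IPv4" : "IPv6"
  remote_ip_prefix  = each.key
  security_group_id = openstack_networking_secgroup_v2.ssh.id
}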