updated firewall rules for naemon

This commit is contained in:
Rasmus Thorslund 2025-02-07 14:10:13 +01:00
parent 04a8104515
commit 954a2d70a8
No known key found for this signature in database
GPG key ID: 502D33332E9E305D

75
main.tf

@ -13,6 +13,77 @@ required_version = ">= 0.14.0"
provider "openstack" {
cloud = "sto4-rut"
}
resource "openstack_networking_secgroup_v2" "naemon" {
name = "naemon"
description = "Rule to allow naemon traffic"
}
resource "openstack_networking_secgroup_rule_v2" "naemon_rule1" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = 4317
port_range_max = 4318
remote_group_id = openstack_networking_secgroup_v2.naemon.id
security_group_id = openstack_networking_secgroup_v2.naemon.id
}
resource "openstack_networking_secgroup_rule_v2" "naemon_rule2" {
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = 4317
port_range_max = 4318
remote_group_id = openstack_networking_secgroup_v2.naemon.id
security_group_id = openstack_networking_secgroup_v2.naemon.id
}
resource "openstack_networking_secgroup_rule_v2" "naemon_rule3" {
direction = "ingress"
ethertype = "IPv4"
protocol = "icmp"
remote_group_id = openstack_networking_secgroup_v2.naemon.id
security_group_id = openstack_networking_secgroup_v2.naemon.id
}
resource "openstack_networking_secgroup_rule_v2" "naemon_rule4" {
direction = "ingress"
ethertype = "IPv6"
protocol = "icmp"
remote_group_id = openstack_networking_secgroup_v2.naemon.id
security_group_id = openstack_networking_secgroup_v2.naemon.id
}
resource "openstack_networking_secgroup_rule_v2" "naemon_rule5" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
remote_ip_prefix = "109.105.111.111/32"
security_group_id = openstack_networking_secgroup_v2.naemon.id
}
resource "openstack_networking_secgroup_rule_v2" "naemon_rule6" {
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
remote_ip_prefix = "2001:948:4:6::111/128"
security_group_id = openstack_networking_secgroup_v2.naemon.id
}
resource "openstack_networking_secgroup_rule_v2" "naemon_rule7" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = 5666
port_range_max = 5666
remote_ip_prefix = "89.46.21.190/32"
security_group_id = openstack_networking_secgroup_v2.naemon.id
}
resource "openstack_networking_secgroup_rule_v2" "naemon_rule8" {
direction = "ingress"
ethertype = "IPv6"
protocol = "tcp"
port_range_min = 5666
port_range_max = 5666
remote_ip_prefix = "2001:6b0:6c::37f/128"
security_group_id = openstack_networking_secgroup_v2.naemon.id
}
resource "openstack_networking_secgroup_v2" "https" {
name = "https"
description = "Traffic to allow between microk8s hosts"
@ -97,7 +168,7 @@ resource "openstack_compute_instance_v2" "monitor-node" {
name = "internal-sto4-prod-monitor-1.${var.dns_suffix}"
flavor_name = "${var.monitor_instance_type}"
key_pair = "thorslund"
security_groups = ["https", "Allow SSH from SUNET jumphosts",]
security_groups = ["https", "Allow SSH from SUNET jumphosts", "naemon"]
block_device {
@ -120,7 +191,7 @@ resource "openstack_compute_instance_v2" "satosa-node" {
name = "internal-sto4-prod-satosa-1.${var.dns_suffix}"
flavor_name = "${var.monitor_instance_type}"
key_pair = "thorslund"
security_groups = ["https", "Allow SSH from SUNET jumphosts",]
security_groups = ["https", "Allow SSH from SUNET jumphosts", "naemon"]
block_device {
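Review bot: naemon_rule5 and naemon_rule6 in the first hunk set `protocol = "tcp"` with no port_range_min/port_range_max, which the OpenStack provider treats as every TCP port, so the hosts at 109.105.111.111/32 and 2001:948:4:6::111/128 get unrestricted TCP access to both the monitor and satosa nodes — far wider than the single-port 5666 rules 7 and 8 that follow. If that host only needs the same check port (5666 looks like NRPE, but that is an inference), scope both rules with `port_range_min = 5666` and `port_range_max = 5666`; if it genuinely needs all ports, add a comment naming the host and why, e.g. `# <hostname>: needs all TCP ports because …`. The group description `Rule to allow naemon traffic` also undersells what the group carries: the 4317-4318 and ICMP rules (self-referencing via remote_group_id, so only members of the group can reach them) are presumably for something other than naemon, so a one-line comment on each rule naming the consumer would help the next reader, and the hard-coded IPs would be easier to audit as named variables.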