matrix-ops/IaC-test/securitygroups-k8s-sto4.tf


# Security groups sto4
# Group that every microk8s host in sto4 is placed in. The rule resources in
# this file attach to it (security_group_id) and, for intra-cluster traffic,
# also use it as the permitted source (remote_group_id).
resource "openstack_networking_secgroup_v2" "microk8s-sto4" {
  provider    = openstack.sto4
  name        = "microk8s"
  description = "Traffic to allow between microk8s hosts"
}
# Group that only admits SSH from the jump host addresses listed in
# var.jumphostv4-ips / var.jumphostv6-ips (see the rules at the end of this
# file). Hosts that should be reachable over SSH get this group in addition
# to their workload group.
resource "openstack_networking_secgroup_v2" "ssh-from-jump-hosts-sto4" {
  provider    = openstack.sto4
  name        = "ssh-from-jumphosts"
  description = "Allow ssh traffic from sunet jumphosts."
}
#
# Security group rules for microk8s
#
# Intra-cluster IPv4 rules: one ingress rule per entry of var.k8sports, from
# members of microk8s-sto4 to members of microk8s-sto4. Each var.k8sports
# element is treated as a single-key map, key = port, value = protocol; only
# the first key is consulted.
# NOTE(review): with count, inserting or reordering entries in var.k8sports
# re-indexes and recreates every rule after the change; for_each keyed on the
# port would avoid that but changes the resource addresses.
resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v4_sto4" {
  count    = length(var.k8sports)
  provider = openstack.sto4

  direction = "ingress"
  ethertype = "IPv4"

  # Port/protocol pair taken from the count.index-th var.k8sports entry.
  protocol       = var.k8sports[count.index][keys(var.k8sports[count.index])[0]]
  port_range_min = keys(var.k8sports[count.index])[0]
  port_range_max = keys(var.k8sports[count.index])[0]

  # Source and target are the same group, so nothing outside the cluster is
  # admitted by this rule.
  remote_group_id   = openstack_networking_secgroup_v2.microk8s-sto4.id
  security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
}
# IPv6 counterpart of microk8s_rule_v4_sto4: one ingress rule per var.k8sports
# entry, limited to traffic whose source is itself a member of microk8s-sto4.
# Each var.k8sports element is read as a single-key map, key = port,
# value = protocol; only the first key is consulted.
resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v6_sto4" {
  count    = length(var.k8sports)
  provider = openstack.sto4

  direction = "ingress"
  ethertype = "IPv6"

  # Port/protocol pair taken from the count.index-th var.k8sports entry.
  protocol       = var.k8sports[count.index][keys(var.k8sports[count.index])[0]]
  port_range_min = keys(var.k8sports[count.index])[0]
  port_range_max = keys(var.k8sports[count.index])[0]

  # Group-to-group: the remote side is the cluster group, not an address range.
  remote_group_id   = openstack_networking_secgroup_v2.microk8s-sto4.id
  security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
}
# IPv4 ingress to the sto4 microk8s group from each controller node, one rule
# per (port, node) pair. count.index is decoded as
#   port index = floor(count.index / node_count)
#   node index = count.index % node_count
# so every node is visited for one port before the next port is used.
# The remote side is a single-host prefix (/32) rather than a group id; the
# controller nodes sit behind another provider alias (the resource name
# suggests the dco region — confirm), where a cross-provider remote_group_id
# cannot be used.
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_dco_to_sto4" {
  count    = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes)
  provider = openstack.sto4

  direction = "ingress"
  ethertype = "IPv4"

  # Port/protocol pair for this rule; floor() is required because "/" yields a
  # non-integer that cannot be used as a list index.
  protocol       = var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.controller-nodes))][keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.controller-nodes))])[0]]
  port_range_min = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.controller-nodes))])[0]
  port_range_max = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.controller-nodes))])[0]

  # Exactly one controller address per rule, narrowed to a host route.
  remote_ip_prefix  = "${resource.openstack_compute_instance_v2.controller-nodes[count.index % length(resource.openstack_compute_instance_v2.controller-nodes)].access_ip_v4}/32"
  security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
}
# IPv6 ingress to the sto4 microk8s group from each controller node, one rule
# per (port, node) pair; index decoding is the same as the IPv4 variant
# (port = floor(count.index / node_count), node = count.index % node_count).
# Like the IPv4 rule it uses a host prefix (/128) because the controllers are
# managed through a different provider alias than this group.
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_dco_to_sto4" {
  count    = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes)
  provider = openstack.sto4

  direction = "ingress"
  ethertype = "IPv6"

  # Port/protocol pair for this rule.
  protocol       = var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.controller-nodes))][keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.controller-nodes))])[0]]
  port_range_min = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.controller-nodes))])[0]
  port_range_max = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.controller-nodes))])[0]

  # access_ip_v6 may come back wrapped in brackets/quotes; the /…/ pattern is
  # a regex that strips "[", "]" and "'" before the /128 suffix is appended.
  remote_ip_prefix  = "${replace(resource.openstack_compute_instance_v2.controller-nodes[count.index % length(resource.openstack_compute_instance_v2.controller-nodes)].access_ip_v6, "/[\\[\\]']/", "")}/128"
  security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
}
# The two commented-out resources below reference worker-nodes; the active
# rules further down cover the same traffic using worker-nodes-dco. They are
# kept only for reference and can be dropped (git history retains them).
#resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_dco_to_sto4" {
# count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes)
# direction = "ingress"
# ethertype = "IPv4"
# protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))])[0]]
# port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))])[0]
# port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))])[0]
# provider = openstack.sto4
# remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.worker-nodes[count.index % length(resource.openstack_compute_instance_v2.worker-nodes)].access_ip_v4, "32" ])
# security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
#}
#
#resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_dco_to_sto4" {
# count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes)
# direction = "ingress"
# ethertype = "IPv6"
# protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))])[0]]
# port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))])[0]
# port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))])[0]
# provider = openstack.sto4
# remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.worker-nodes[count.index % length(resource.openstack_compute_instance_v2.worker-nodes)].access_ip_v6, "/[\\[\\]']/",""), "128"])
# security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
#}
# IPv4 ingress to the sto4 microk8s group from each worker-nodes-dco instance,
# one rule per (port, node) pair. count.index is decoded as
#   port index = floor(count.index / node_count)
#   node index = count.index % node_count
# Remote hosts are named by /32 prefix because they live behind a different
# provider alias than this group.
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_dco_to_sto4" {
  count    = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-dco)
  provider = openstack.sto4

  direction = "ingress"
  ethertype = "IPv4"

  # Port/protocol pair for this rule.
  protocol       = var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-dco))][keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]]
  port_range_min = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]
  port_range_max = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]

  # One worker address per rule, narrowed to a host route.
  remote_ip_prefix  = "${resource.openstack_compute_instance_v2.worker-nodes-dco[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-dco)].access_ip_v4}/32"
  security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
}
# IPv6 ingress to the sto4 microk8s group from each worker-nodes-dco instance,
# one rule per (port, node) pair; index decoding matches the IPv4 variant
# (port = floor(count.index / node_count), node = count.index % node_count).
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_dco_to_sto4" {
  count    = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-dco)
  provider = openstack.sto4

  direction = "ingress"
  ethertype = "IPv6"

  # Port/protocol pair for this rule.
  protocol       = var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-dco))][keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]]
  port_range_min = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]
  port_range_max = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]

  # The regex strips "[", "]" and "'" that may surround access_ip_v6 before the
  # /128 host suffix is appended.
  remote_ip_prefix  = "${replace(resource.openstack_compute_instance_v2.worker-nodes-dco[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-dco)].access_ip_v6, "/[\\[\\]']/", "")}/128"
  security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
}
#
# From STO3 to STO4
#
# IPv4 ingress to the sto4 microk8s group from each worker-nodes-sto3
# instance, one rule per (port, node) pair. count.index is decoded as
#   port index = floor(count.index / node_count)
#   node index = count.index % node_count
# Remote hosts are named by /32 prefix since they are managed under the sto3
# provider alias, not sto4.
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_sto3_to_sto4" {
  count    = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto3)
  provider = openstack.sto4

  direction = "ingress"
  ethertype = "IPv4"

  # Port/protocol pair for this rule.
  protocol       = var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-sto3))][keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]]
  port_range_min = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]
  port_range_max = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]

  # One sto3 worker address per rule, narrowed to a host route.
  remote_ip_prefix  = "${resource.openstack_compute_instance_v2.worker-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto3)].access_ip_v4}/32"
  security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
}
# IPv6 ingress to the sto4 microk8s group from each worker-nodes-sto3
# instance, one rule per (port, node) pair; index decoding matches the IPv4
# variant (port = floor(count.index / node_count), node = count.index % node_count).
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_sto3_to_sto4" {
  count    = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto3)
  provider = openstack.sto4

  direction = "ingress"
  ethertype = "IPv6"

  # Port/protocol pair for this rule.
  protocol       = var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-sto3))][keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]]
  port_range_min = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]
  port_range_max = keys(var.k8sports[floor(count.index / length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]

  # The regex strips "[", "]" and "'" that may surround access_ip_v6 before the
  # /128 host suffix is appended.
  remote_ip_prefix  = "${replace(resource.openstack_compute_instance_v2.worker-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto3)].access_ip_v6, "/[\\[\\]']/", "")}/128"
  security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
}
#
# Security group rules for ssh-from-jump-hosts
#
# One IPv4 rule per jump host address: TCP/22 only, and only from that single
# host (/32). Nothing else is admitted by this group, so SSH exposure is
# bounded by the contents of var.jumphostv4-ips.
# NOTE(review): entries are expected to be bare addresses; a value that already
# carries a prefix length would produce an invalid remote_ip_prefix — confirm
# how the variable is validated.
resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v4rules-sto4" {
  count    = length(var.jumphostv4-ips)
  provider = openstack.sto4

  direction = "ingress"
  ethertype = "IPv4"
  protocol  = "tcp"

  # SSH only.
  port_range_min = "22"
  port_range_max = "22"

  remote_ip_prefix  = join("/", [var.jumphostv4-ips[count.index], "32"])
  security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.id
}
# IPv6 counterpart of the v4 jump host rules: TCP/22 from each address in
# var.jumphostv6-ips, each narrowed to a single host (/128).
resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v6rules-sto4" {
  count    = length(var.jumphostv6-ips)
  provider = openstack.sto4

  direction = "ingress"
  ethertype = "IPv6"
  protocol  = "tcp"

  # SSH only.
  port_range_min = "22"
  port_range_max = "22"

  remote_ip_prefix  = join("/", [var.jumphostv6-ips[count.index], "128"])
  security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.id
}