Open lb port to source ip during setup and hardening

2024-10-30 12:25:44 +01:00 · 2024-10-30 12:25:44 +01:00 · 840af98c51
parent b497844e59
commit 840af98c51
2 changed files with 21 additions and 1 deletions
--- a/IaC-test/lb.tf
+++ b/IaC-test/lb.tf
@ -6,6 +6,7 @@ resource "openstack_networking_port_v2" "lb1-port-dco" {
  # A list of security group ID
  security_group_ids  = [
                          resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.id,
+                          resource.openstack_networking_secgroup_v2.lb-dco.id
                        ]
  admin_state_up      = "true"
  provider            = openstack.dco
@ -28,7 +29,8 @@ resource "openstack_compute_instance_v2" "lb1-node-dco" {
  key_pair        = "${var.keynameworkers}"
  provider        = openstack.dco
  security_groups = [
-                      resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.name
+                      resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.name,
+                      resource.openstack_networking_secgroup_v2.lb-dco.name
                    ]

  block_device {
--- a/IaC-test/securitygroups-lb.tf
+++ b/IaC-test/securitygroups-lb.tf
@ -0,0 +1,18 @@
+# Security groups lb-frontend
+resource "openstack_networking_secgroup_v2" "lb-dco" {
+  name        = "lb-frontend"
+  description = "Ingress lb traffic to allow."
+  provider=openstack.dco
+}
+
+resource "openstack_networking_secgroup_rule_v2" "lb_ingress_rule_v4_dco" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = "8443"
+  port_range_max    = "8443"
+  provider          = openstack.dco
+  remote_ip_prefix  = "87.251.31.153/32"
+  security_group_id = openstack_networking_secgroup_v2.lb-dco.id
+}
+