diff --git a/IaC-test/k8snodes-sto4.tf b/IaC-test/k8snodes-sto4.tf
index 7d2f3de..f313129 100644
--- a/IaC-test/k8snodes-sto4.tf
+++ b/IaC-test/k8snodes-sto4.tf
@@ -15,8 +15,8 @@ resource "openstack_networking_port_v2" "kubewport-sto4" {
 network_id = data.openstack_networking_network_v2.public-sto4.id
 # A list of security group ID
 security_group_ids = [
-# data.openstack_networking_secgroup_v2.sshfromjumphosts.id,
- resource.openstack_networking_secgroup_v2.microk8s-sto4.id,
+ resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.id,
+ resource.openstack_networking_secgroup_v2.microk8s-sto4.id
 ]
 admin_state_up = "true"
 provider = openstack.sto4
@@ -49,7 +49,8 @@ resource "openstack_compute_instance_v2" "worker-nodes-sto4" {
 key_pair = "${var.keynameworkers}"
 provider = openstack.sto4
 security_groups = [
- resource.openstack_networking_secgroup_v2.microk8s-sto4.name
+ resource.openstack_networking_secgroup_v2.microk8s-sto4.name,
+ resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.name
 ]

 block_device {
diff --git a/IaC-test/securitygroups-k8s-sto4.tf b/IaC-test/securitygroups-k8s-sto4.tf
index 26f49b1..6013a46 100644
--- a/IaC-test/securitygroups-k8s-sto4.tf
+++ b/IaC-test/securitygroups-k8s-sto4.tf
@@ -1,9 +1,20 @@
+
+# Security groups sto4
 resource "openstack_networking_secgroup_v2" "microk8s-sto4" {
 name = "microk8s"
 description = "Traffic to allow between microk8s hosts"
 provider=openstack.sto4
 }

+resource "openstack_networking_secgroup_v2" "ssh-from-jump-hosts-sto4" {
+ name = "ssh-from-jumphosts"
+ description = "Allow ssh traffic from sunet jumphosts."
+ provider=openstack.sto4
+}
+
+#
+# Security group rules for microk8s
+#
 resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v4_sto4" {
 count = length(var.k8sports)
 direction = "ingress"
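Review bot: In the worker-nodes-sto4 hunk the new `ssh-from-jump-hosts-sto4` group is now bound twice — by `.id` on the `kubewport-sto4` port in the hunk above and by `.name` in the instance's `security_groups`. If the instance attaches to the network through that port (its `network` block is outside this hunk), the OpenStack provider's guidance is to put security groups on the port only; binding at both levels tends to show up as drift or repeated group updates on later applies. Either drop the instance-level entries or say why both are kept, e.g. `# groups are also bound on kubewport-sto4; keep both lists in sync`. Name-based binding also resolves to whichever group in the project is called "ssh-from-jumphosts", so a reader should be pointed at the definition in securitygroups-k8s-sto4.tf. The worker-nodes-sto4 resource continues outside the hunk.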
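Review bot: The new `ssh-from-jump-hosts-sto4` group in the securitygroups-k8s-sto4.tf hunk says nothing about egress, so it keeps Neutron's default allow-all IPv4/IPv6 egress rules (the provider only drops them when `delete_default_rules = true` is set). That is fine if unrestricted egress from the nodes is intended, but a reader of `description = "Allow ssh traffic from sunet jumphosts."` will assume the group only opens inbound 22, so the intent should be stated: either add `# ingress-only intent; Neutron's default egress rules are kept on purpose` above the block, or set `delete_default_rules = true` and add explicit egress rules if least-privilege egress is wanted. The same default applies to the pre-existing microk8s-sto4 group shown as context.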
@@ -75,3 +86,33 @@ resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_dco" {
 remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.worker-nodes[count.index % length(resource.openstack_compute_instance_v2.worker-nodes)].access_ip_v6, "/[\\[\\]']/",""), "128"])
 security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
 }
+
+ #
+ # Security group rules for ssh-from-jump-hosts
+ #
+
+ resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v4rules" {
+ count = length(var.jumphostv4-ips)
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = "22"
+ port_range_max = "22"
+ provider = openstack.sto4
+ remote_ip_prefix = "${var.jumphostv4-ips[count.index]}/32"
+ security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v6rules" {
+ count = length(var.jumphostv6-ips)
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = "22"
+ port_range_max = "22"
+ provider = openstack.sto4
+ remote_ip_prefix = "${var.jumphostv6-ips[count.index]}/128"
+ security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.id
+}
diff --git a/IaC-test/vars.tf b/IaC-test/vars.tf
index 05340e8..da1bad8 100644
--- a/IaC-test/vars.tf
+++ b/IaC-test/vars.tf
@@ -91,3 +91,13 @@ variable "k8sports" {
 {"51820" = "udp"}
 ]
 }
+
+variable jumphostv4-ips {
+ type = list(string)
+ default = []
+}
+
+variable jumphostv6-ips {
+ type = list(string)
+ default = []
+}
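Review bot: `remote_ip_prefix = "${var.jumphostv4-ips[count.index]}/32"` appends a prefix length unconditionally, so a list entry that already carries one (or a hostname) only gets rejected at apply time by Neutron rather than at plan; the v6 rule has the same shape with /128. Indexing the rules by `count.index` also means that removing a jump host from the middle of the list renumbers every later rule and forces them to be destroyed and recreated, which briefly drops the SSH path from the remaining jump hosts. Keying each rule on the address keeps it stable across list edits: `for_each = toset(var.jumphostv4-ips)` with `remote_ip_prefix = "${each.value}/32"` (and `toset(var.jumphostv6-ips)` / `"${each.value}/128"` in the v6 rule). If the inputs are not guaranteed to be bare addresses, validate them on the variable rather than here.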
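Review bot: In the vars.tf hunk the two new variables accept any string, while the rules that consume them append /32 and /128 themselves, so an entry with its own prefix length or a hostname is only caught when the apply reaches Neutron; a `validation` block (Terraform 0.13+, `alltrue` 0.14+) moves that to plan time. The surrounding `variable "k8sports" {` uses a quoted label while the new blocks use the unquoted `variable jumphostv4-ips {` form that `terraform fmt` rewrites; match the file's style. The empty defaults are a sensible fail-closed choice — no entries means no SSH rule at all — and that deserves a comment such as `# Bare IPv4 addresses of the jump hosts allowed to ssh in; the rule appends /32. Empty list = no SSH access.`
```hcl
variable "jumphostv4-ips" {
  type    = list(string)
  default = []
  validation {
    condition     = alltrue([for ip in var.jumphostv4-ips : can(cidrnetmask("${ip}/32"))])
    error_message = "jumphostv4-ips entries must be bare IPv4 addresses; /32 is appended by the secgroup rule."
  }
}
# … unchanged: jumphostv6-ips gets the same shape, with can(cidrhost("${ip}/128", 0)) as the condition …
```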