Add ssh security group

IaC-test/k8snodes-sto4.tf

@@ -15,8 +15,8 @@ resource "openstack_networking_port_v2" "kubewport-sto4" {
   network_id          = data.openstack_networking_network_v2.public-sto4.id
   # A list of security group ID
   security_group_ids  = [ 
-#                          data.openstack_networking_secgroup_v2.sshfromjumphosts.id, 
+                          resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.id,
-                          resource.openstack_networking_secgroup_v2.microk8s-sto4.id,
+                          resource.openstack_networking_secgroup_v2.microk8s-sto4.id
                         ]
   admin_state_up      = "true"
   provider            = openstack.sto4
@@ -49,7 +49,8 @@ resource "openstack_compute_instance_v2" "worker-nodes-sto4" {
   key_pair        = "${var.keynameworkers}"
   provider        = openstack.sto4
   security_groups = [
-                      resource.openstack_networking_secgroup_v2.microk8s-sto4.name
+                      resource.openstack_networking_secgroup_v2.microk8s-sto4.name,
+                      resource.openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.name
                     ]
 
   block_device {

IaC-test/securitygroups-k8s-sto4.tf

@@ -1,9 +1,20 @@
+
+# Security groups sto4
 resource "openstack_networking_secgroup_v2" "microk8s-sto4" {
   name        = "microk8s"
   description = "Traffic to allow between microk8s hosts"
   provider=openstack.sto4
 }
 
+resource "openstack_networking_secgroup_v2" "ssh-from-jump-hosts-sto4" {
+  name        = "ssh-from-jumphosts"
+  description = "Allow ssh traffic from sunet jumphosts."
+  provider=openstack.sto4
+}
+
+#
+# Security group rules for microk8s
+#
 resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v4_sto4" {
   count             =  length(var.k8sports)
   direction         = "ingress"
@@ -75,3 +86,33 @@ resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_dco" {
   remote_ip_prefix  = join("/",[ replace(resource.openstack_compute_instance_v2.worker-nodes[count.index % length(resource.openstack_compute_instance_v2.worker-nodes)].access_ip_v6, "/[\\[\\]']/",""), "128"])
   security_group_id = openstack_networking_secgroup_v2.microk8s-sto4.id
 }
+
+
+#
+# Security group rules for ssh-from-jump-hosts
+#
+
+
+resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v4rules" {
+  count             =  length(var.jumphostv4-ips)
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = "22"
+  port_range_max    = "22"
+  provider          = openstack.sto4
+  remote_ip_prefix  = "${var.jumphostv4-ips[count.index]}/32"
+  security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v6rules" {
+  count             =  length(var.jumphostv6-ips)
+  direction         = "ingress"
+  ethertype         = "IPv6"
+  protocol          = "tcp"
+  port_range_min    = "22"
+  port_range_max    = "22"
+  provider          = openstack.sto4
+  remote_ip_prefix  = "${var.jumphostv6-ips[count.index]}/128"
+  security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto4.id
+}

IaC-test/vars.tf

@@ -91,3 +91,13 @@ variable "k8sports" {
     {"51820" = "udp"}
   ]
 }
+
+variable jumphostv4-ips {
+  type    = list(string)
+  default = []
+}
+
+variable jumphostv6-ips {
+  type    = list(string)
+  default = []
+}