# Security groups for the sto3 region.
#
# Two groups are defined here:
#   * microk8s           - traffic between microk8s hosts; the rules below admit
#                          only the ports/protocols listed in var.k8sports
#   * ssh-from-jumphosts - tcp/22 from the sunet jumphost addresses only
#
# NOTE(review): every rule resource in this file is indexed with `count`, so
# removing or reordering an entry in var.k8sports, the jumphost lists or the
# node lists shifts the indices of everything after it and makes Terraform
# destroy and recreate those rules. Append new entries at the end of the lists
# to keep changes minimal.

resource "openstack_networking_secgroup_v2" "microk8s-sto3" {
  provider    = openstack.sto3
  name        = "microk8s"
  description = "Traffic to allow between microk8s hosts"
}

resource "openstack_networking_secgroup_v2" "ssh-from-jump-hosts-sto3" {
  provider    = openstack.sto3
  name        = "ssh-from-jumphosts"
  description = "Allow ssh traffic from sunet jumphosts."
}

#
# Security group rules for microk8s
#
# Each element of var.k8sports is a map; only its first key is consulted:
# the key is the port number and the value is the protocol
# (keys(m)[0] -> port, m[keys(m)[0]] -> protocol).
#

# Members of the sto3 microk8s group may reach each other on every k8s port
# (remote_group_id is the group itself).
resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v4_sto3" {
  count = length(var.k8sports)

  provider          = openstack.sto3
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = var.k8sports[count.index][keys(var.k8sports[count.index])[0]]
  port_range_min    = keys(var.k8sports[count.index])[0]
  port_range_max    = keys(var.k8sports[count.index])[0]
  remote_group_id   = openstack_networking_secgroup_v2.microk8s-sto3.id
  security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
}

resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v6_sto3" {
  count = length(var.k8sports)

  provider          = openstack.sto3
  direction         = "ingress"
  ethertype         = "IPv6"
  protocol          = var.k8sports[count.index][keys(var.k8sports[count.index])[0]]
  port_range_min    = keys(var.k8sports[count.index])[0]
  port_range_max    = keys(var.k8sports[count.index])[0]
  remote_group_id   = openstack_networking_secgroup_v2.microk8s-sto3.id
  security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
}

#
# From DCO to STO3
#
# Cross-region rules cannot use remote_group_id, so one rule is created per
# (port, node) pair with the node's address as a /32 or /128 prefix.
# count = ports * nodes; the port is floor(count.index / nodes) and the node
# is count.index % nodes.
#
# The IPv6 rules strip "[", "]" and "'" from access_ip_v6 before use;
# presumably the attribute can come back bracketed/quoted - confirm against
# the provider output if this is ever changed.
#

resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_dco_to_sto3" {
  count = length(var.k8sports) * length(openstack_compute_instance_v2.controller-nodes)

  provider          = openstack.sto3
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = var.k8sports[floor(count.index / length(openstack_compute_instance_v2.controller-nodes))][keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.controller-nodes))])[0]]
  port_range_min    = keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.controller-nodes))])[0]
  port_range_max    = keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.controller-nodes))])[0]
  remote_ip_prefix  = "${openstack_compute_instance_v2.controller-nodes[count.index % length(openstack_compute_instance_v2.controller-nodes)].access_ip_v4}/32"
  security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
}

resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_dco_to_sto3" {
  count = length(var.k8sports) * length(openstack_compute_instance_v2.controller-nodes)

  provider          = openstack.sto3
  direction         = "ingress"
  ethertype         = "IPv6"
  protocol          = var.k8sports[floor(count.index / length(openstack_compute_instance_v2.controller-nodes))][keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.controller-nodes))])[0]]
  port_range_min    = keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.controller-nodes))])[0]
  port_range_max    = keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.controller-nodes))])[0]
  remote_ip_prefix  = join("/", [
    replace(openstack_compute_instance_v2.controller-nodes[count.index % length(openstack_compute_instance_v2.controller-nodes)].access_ip_v6, "/[\\[\\]']/", ""),
    "128",
  ])
  security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
}

# Earlier variant of the DCO worker rules, keyed on `worker-nodes`. Kept for
# reference only; the active resources of the same name below use
# `worker-nodes-dco` instead.
#
#resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_dco_to_sto3" {
#  count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes)
#  direction = "ingress"
#  ethertype = "IPv4"
#  protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))])[0]]
#  port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))])[0]
#  port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))])[0]
#  provider = openstack.sto3
#  remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.worker-nodes[count.index % length(resource.openstack_compute_instance_v2.worker-nodes)].access_ip_v4, "32" ])
#  security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
#}
#
#resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_dco_to_sto3" {
#  count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes)
#  direction = "ingress"
#  ethertype = "IPv6"
#  protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))])[0]]
#  port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))])[0]
#  port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes))])[0]
#  provider = openstack.sto3
#  remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.worker-nodes[count.index % length(resource.openstack_compute_instance_v2.worker-nodes)].access_ip_v6, "/[\\[\\]']/",""), "128"])
#  security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
#}

resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_dco_to_sto3" {
  count = length(var.k8sports) * length(openstack_compute_instance_v2.worker-nodes-dco)

  provider          = openstack.sto3
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = var.k8sports[floor(count.index / length(openstack_compute_instance_v2.worker-nodes-dco))][keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.worker-nodes-dco))])[0]]
  port_range_min    = keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.worker-nodes-dco))])[0]
  port_range_max    = keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.worker-nodes-dco))])[0]
  remote_ip_prefix  = "${openstack_compute_instance_v2.worker-nodes-dco[count.index % length(openstack_compute_instance_v2.worker-nodes-dco)].access_ip_v4}/32"
  security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
}

resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_dco_to_sto3" {
  count = length(var.k8sports) * length(openstack_compute_instance_v2.worker-nodes-dco)

  provider          = openstack.sto3
  direction         = "ingress"
  ethertype         = "IPv6"
  protocol          = var.k8sports[floor(count.index / length(openstack_compute_instance_v2.worker-nodes-dco))][keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.worker-nodes-dco))])[0]]
  port_range_min    = keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.worker-nodes-dco))])[0]
  port_range_max    = keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.worker-nodes-dco))])[0]
  remote_ip_prefix  = join("/", [
    replace(openstack_compute_instance_v2.worker-nodes-dco[count.index % length(openstack_compute_instance_v2.worker-nodes-dco)].access_ip_v6, "/[\\[\\]']/", ""),
    "128",
  ])
  security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
}

#
# From STO4 to STO3
#
# Same (port, node) scheme as the DCO rules above, for the sto4 controllers
# and workers.
#

# Controllers
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_sto4_to_sto3" {
  count = length(var.k8sports) * length(openstack_compute_instance_v2.controller-nodes-sto4)

  provider          = openstack.sto3
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = var.k8sports[floor(count.index / length(openstack_compute_instance_v2.controller-nodes-sto4))][keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.controller-nodes-sto4))])[0]]
  port_range_min    = keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.controller-nodes-sto4))])[0]
  port_range_max    = keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.controller-nodes-sto4))])[0]
  remote_ip_prefix  = "${openstack_compute_instance_v2.controller-nodes-sto4[count.index % length(openstack_compute_instance_v2.controller-nodes-sto4)].access_ip_v4}/32"
  security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
}

resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_sto4_to_sto3" {
  count = length(var.k8sports) * length(openstack_compute_instance_v2.controller-nodes-sto4)

  provider          = openstack.sto3
  direction         = "ingress"
  ethertype         = "IPv6"
  protocol          = var.k8sports[floor(count.index / length(openstack_compute_instance_v2.controller-nodes-sto4))][keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.controller-nodes-sto4))])[0]]
  port_range_min    = keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.controller-nodes-sto4))])[0]
  port_range_max    = keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.controller-nodes-sto4))])[0]
  remote_ip_prefix  = join("/", [
    replace(openstack_compute_instance_v2.controller-nodes-sto4[count.index % length(openstack_compute_instance_v2.controller-nodes-sto4)].access_ip_v6, "/[\\[\\]']/", ""),
    "128",
  ])
  security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
}

# Workers
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_sto4_to_sto3" {
  count = length(var.k8sports) * length(openstack_compute_instance_v2.worker-nodes-sto4)

  provider          = openstack.sto3
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = var.k8sports[floor(count.index / length(openstack_compute_instance_v2.worker-nodes-sto4))][keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.worker-nodes-sto4))])[0]]
  port_range_min    = keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.worker-nodes-sto4))])[0]
  port_range_max    = keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.worker-nodes-sto4))])[0]
  remote_ip_prefix  = "${openstack_compute_instance_v2.worker-nodes-sto4[count.index % length(openstack_compute_instance_v2.worker-nodes-sto4)].access_ip_v4}/32"
  security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
}

resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_sto4_to_sto3" {
  count = length(var.k8sports) * length(openstack_compute_instance_v2.worker-nodes-sto4)

  provider          = openstack.sto3
  direction         = "ingress"
  ethertype         = "IPv6"
  protocol          = var.k8sports[floor(count.index / length(openstack_compute_instance_v2.worker-nodes-sto4))][keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.worker-nodes-sto4))])[0]]
  port_range_min    = keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.worker-nodes-sto4))])[0]
  port_range_max    = keys(var.k8sports[floor(count.index / length(openstack_compute_instance_v2.worker-nodes-sto4))])[0]
  remote_ip_prefix  = join("/", [
    replace(openstack_compute_instance_v2.worker-nodes-sto4[count.index % length(openstack_compute_instance_v2.worker-nodes-sto4)].access_ip_v6, "/[\\[\\]']/", ""),
    "128",
  ])
  security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
}

#
# Security group rules for ssh-from-jump-hosts
#
# One tcp/22 rule per jumphost address (var.jumphostv4-ips / var.jumphostv6-ips),
# each pinned to a single host prefix (/32 or /128). Nothing else is admitted
# by this group.
#

resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v4rules-sto3" {
  count = length(var.jumphostv4-ips)

  provider          = openstack.sto3
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = "22"
  port_range_max    = "22"
  remote_ip_prefix  = join("/", [var.jumphostv4-ips[count.index], "32"])
  security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.id
}

resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v6rules-sto3" {
  count = length(var.jumphostv6-ips)

  provider          = openstack.sto3
  direction         = "ingress"
  ethertype         = "IPv6"
  protocol          = "tcp"
  port_range_min    = "22"
  port_range_max    = "22"
  remote_ip_prefix  = join("/", [var.jumphostv6-ips[count.index], "128"])
  security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.id
}