# Security groups dco resource "openstack_networking_secgroup_v2" "microk8s-dco" { name = "microk8s" description = "Traffic to allow between microk8s hosts" provider=openstack.dco } resource "openstack_networking_secgroup_v2" "ssh-from-jump-hosts-dco" { name = "ssh-from-jumphosts" description = "Allow ssh traffic from sunet jumphosts." provider=openstack.dco } # # Security group rules for microk8s # resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v4_dco" { count = length(var.k8sports) direction = "ingress" ethertype = "IPv4" protocol = var.k8sports[count.index][keys(var.k8sports[count.index])[0]] port_range_min = keys(var.k8sports[count.index])[0] port_range_max = keys(var.k8sports[count.index])[0] provider = openstack.dco remote_group_id = openstack_networking_secgroup_v2.microk8s-dco.id security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id } resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v6_dco" { count = length(var.k8sports) direction = "ingress" ethertype = "IPv6" protocol = var.k8sports[count.index][keys(var.k8sports[count.index])[0]] port_range_min = keys(var.k8sports[count.index])[0] port_range_max = keys(var.k8sports[count.index])[0] provider = openstack.dco remote_group_id = openstack_networking_secgroup_v2.microk8s-dco.id security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id } # # From STO3 to DCO # # Control nodes resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_sto3_to_dco" { count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto3) direction = "ingress" ethertype = "IPv4" protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]] port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0] port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0] provider = openstack.dco remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.controller-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto3)].access_ip_v4, "32" ]) security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id } resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_sto3_to_dco" { count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto3) direction = "ingress" ethertype = "IPv6" protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0]] port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0] port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto3))])[0] provider = openstack.dco remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.controller-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto3)].access_ip_v6, "/[\\[\\]']/",""), "128"]) security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id } # Worker nodes resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_sto3_to_dco" { count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto3) direction = "ingress" ethertype = "IPv4" protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]] port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0] port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0] provider = openstack.dco remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.worker-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto3)].access_ip_v4, "32" ]) security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id } resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_sto3_to_dco" { count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto3) direction = "ingress" ethertype = "IPv6" protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0]] port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0] port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto3))])[0] provider = openstack.dco remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.worker-nodes-sto3[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto3)].access_ip_v6, "/[\\[\\]']/",""), "128"]) security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id } # # From STO4 to DCO # #Controllers resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_sto4_to_dco" { count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto4) direction = "ingress" ethertype = "IPv4" protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]] port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0] port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0] provider = openstack.dco remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.controller-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto4)].access_ip_v4, "32" ]) security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id } resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_sto4_to_dco" { count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto4) direction = "ingress" ethertype = "IPv6" protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]] port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0] port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0] provider = openstack.dco remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.controller-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto4)].access_ip_v6, "/[\\[\\]']/",""), "128"]) security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id } # Workers resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_sto4_to_dco" { count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto4) direction = "ingress" ethertype = "IPv4" protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]] port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0] port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0] provider = openstack.dco remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.worker-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto4)].access_ip_v4, "32" ]) security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id } resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_sto4_to_dco" { count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto4) direction = "ingress" ethertype = "IPv6" protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]] port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0] port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0] provider = openstack.dco remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.worker-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto4)].access_ip_v6, "/[\\[\\]']/",""), "128"]) security_group_id = openstack_networking_secgroup_v2.microk8s-dco.id } # # Security group rules for ssh-from-jump-hosts # resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v4rules-dco" { count = length(var.jumphostv4-ips) direction = "ingress" ethertype = "IPv4" protocol = "tcp" port_range_min = "22" port_range_max = "22" provider = openstack.dco remote_ip_prefix = "${var.jumphostv4-ips[count.index]}/32" security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.id } resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v6rules-dco" { count = length(var.jumphostv6-ips) direction = "ingress" ethertype = "IPv6" protocol = "tcp" port_range_min = "22" port_range_max = "22" provider = openstack.dco remote_ip_prefix = "${var.jumphostv6-ips[count.index]}/128" security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-dco.id }