# Security groups sto3

resource "openstack_networking_secgroup_v2" "microk8s-sto3" {
|
|
name = "microk8s"
|
|
description = "Traffic to allow between microk8s hosts"
|
|
provider=openstack.sto3
|
|
}
resource "openstack_networking_secgroup_v2" "ssh-from-jump-hosts-sto3" {
|
|
name = "ssh-from-jumphosts"
|
|
description = "Allow ssh traffic from sunet jumphosts."
|
|
provider=openstack.sto3
|
|
}

#
# Security group rules for microk8s
#
resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v4_sto3" {
|
|
count = length(var.k8sports)
|
|
direction = "ingress"
|
|
ethertype = "IPv4"
|
|
protocol = var.k8sports[count.index][keys(var.k8sports[count.index])[0]]
|
|
port_range_min = keys(var.k8sports[count.index])[0]
|
|
port_range_max = keys(var.k8sports[count.index])[0]
|
|
provider = openstack.sto3
|
|
remote_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
|
|
security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
|
|
}
resource "openstack_networking_secgroup_rule_v2" "microk8s_rule_v6_sto3" {
|
|
count = length(var.k8sports)
|
|
direction = "ingress"
|
|
ethertype = "IPv6"
|
|
protocol = var.k8sports[count.index][keys(var.k8sports[count.index])[0]]
|
|
port_range_min = keys(var.k8sports[count.index])[0]
|
|
port_range_max = keys(var.k8sports[count.index])[0]
|
|
provider = openstack.sto3
|
|
remote_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
|
|
security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
|
|
}

#
# From DCO to STO3
#

resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_dco_to_sto3" {
|
|
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-dco)
|
|
direction = "ingress"
|
|
ethertype = "IPv4"
|
|
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]]
|
|
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]
|
|
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]
|
|
provider = openstack.sto3
|
|
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.controller-nodes-dco[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-dco)].access_ip_v4, "32" ])
|
|
security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
|
|
}
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_dco_to_sto3" {
|
|
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-dco)
|
|
direction = "ingress"
|
|
ethertype = "IPv6"
|
|
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]]
|
|
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]
|
|
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-dco))])[0]
|
|
provider = openstack.sto3
|
|
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.controller-nodes-dco[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-dco)].access_ip_v6, "/[\\[\\]']/",""), "128"])
|
|
security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
|
|
}

# Worker nodes
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_dco_to_sto3" {
|
|
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-dco)
|
|
direction = "ingress"
|
|
ethertype = "IPv4"
|
|
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]]
|
|
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]
|
|
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]
|
|
provider = openstack.sto3
|
|
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.worker-nodes-dco[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-dco)].access_ip_v4, "32" ])
|
|
security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
|
|
}
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_dco_to_sto3" {
|
|
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-dco)
|
|
direction = "ingress"
|
|
ethertype = "IPv6"
|
|
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]]
|
|
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]
|
|
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-dco))])[0]
|
|
provider = openstack.sto3
|
|
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.worker-nodes-dco[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-dco)].access_ip_v6, "/[\\[\\]']/",""), "128"])
|
|
security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
|
|
}

#
# From STO4 to STO3
#

# Controllers
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v4_sto4_to_sto3" {
|
|
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto4)
|
|
direction = "ingress"
|
|
ethertype = "IPv4"
|
|
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]]
|
|
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
|
|
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
|
|
provider = openstack.sto3
|
|
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.controller-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto4)].access_ip_v4, "32" ])
|
|
security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
|
|
}
resource "openstack_networking_secgroup_rule_v2" "microk8s_controller_rule_v6_sto4_to_sto3" {
|
|
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.controller-nodes-sto4)
|
|
direction = "ingress"
|
|
ethertype = "IPv6"
|
|
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]]
|
|
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
|
|
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.controller-nodes-sto4))])[0]
|
|
provider = openstack.sto3
|
|
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.controller-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.controller-nodes-sto4)].access_ip_v6, "/[\\[\\]']/",""), "128"])
|
|
security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
|
|
}

# Workers
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v4_sto4_to_sto3" {
|
|
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto4)
|
|
direction = "ingress"
|
|
ethertype = "IPv4"
|
|
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]]
|
|
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
|
|
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
|
|
provider = openstack.sto3
|
|
remote_ip_prefix = join("/", [ resource.openstack_compute_instance_v2.worker-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto4)].access_ip_v4, "32" ])
|
|
security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
|
|
}
resource "openstack_networking_secgroup_rule_v2" "microk8s_worker_rule_v6_sto4_to_sto3" {
|
|
count = length(var.k8sports) * length(resource.openstack_compute_instance_v2.worker-nodes-sto4)
|
|
direction = "ingress"
|
|
ethertype = "IPv6"
|
|
protocol = var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))][keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]]
|
|
port_range_min = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
|
|
port_range_max = keys(var.k8sports[floor(count.index/length(resource.openstack_compute_instance_v2.worker-nodes-sto4))])[0]
|
|
provider = openstack.sto3
|
|
remote_ip_prefix = join("/",[ replace(resource.openstack_compute_instance_v2.worker-nodes-sto4[count.index % length(resource.openstack_compute_instance_v2.worker-nodes-sto4)].access_ip_v6, "/[\\[\\]']/",""), "128"])
|
|
security_group_id = openstack_networking_secgroup_v2.microk8s-sto3.id
|
|
}

#
# Security group rules for ssh-from-jump-hosts
#

resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v4rules-sto3" {
|
|
count = length(var.jumphostv4-ips)
|
|
direction = "ingress"
|
|
ethertype = "IPv4"
|
|
protocol = "tcp"
|
|
port_range_min = "22"
|
|
port_range_max = "22"
|
|
provider = openstack.sto3
|
|
remote_ip_prefix = "${var.jumphostv4-ips[count.index]}/32"
|
|
security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.id
|
|
}
resource "openstack_networking_secgroup_rule_v2" "ssh-from-jumphosts-v6rules-sto3" {
|
|
count = length(var.jumphostv6-ips)
|
|
direction = "ingress"
|
|
ethertype = "IPv6"
|
|
protocol = "tcp"
|
|
port_range_min = "22"
|
|
port_range_max = "22"
|
|
provider = openstack.sto3
|
|
remote_ip_prefix = "${var.jumphostv6-ips[count.index]}/128"
|
|
security_group_id = openstack_networking_secgroup_v2.ssh-from-jump-hosts-sto3.id
|
|
}