feat: INFRA-504 Update ingress sec group on port 22

Ferlab-Ste-Justine · Nov 21, 2023 · 6fde5f5 · 6fde5f5
1 parent 7794168
commit 6fde5f5
Showing 1 changed file with 15 additions and 26 deletions.
diff --git a/security_groups.tf b/security_groups.tf
@@ -16,6 +16,14 @@ resource "openstack_networking_secgroup_v2" "vault_load_balancer_tunnel" {
   delete_default_rules = true
 }
 
+locals {
+  bastion_ssh_accessible_group_ids = [
+    openstack_networking_secgroup_v2.vault_member.id,
+    openstack_networking_secgroup_v2.vault_load_balancer.id,
+    openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+  ]
+}
+
 //Allow all outbound traffic from vault members and load balancers
 resource "openstack_networking_secgroup_rule_v2" "vault_member_outgoing_v4" {
   direction         = "egress"
@@ -192,15 +200,18 @@ resource "openstack_networking_secgroup_rule_v2" "clients_icmp_access_tunnel_v6"
 }
 
 //Allow port 22 and icmp traffic from the bastion
-resource "openstack_networking_secgroup_rule_v2" "bastion_member_ssh_access" {
-  for_each          = { for idx, id in var.bastion_group_ids : idx => id }
+resource "openstack_networking_secgroup_rule_v2" "bastion_ssh_accessible_groups_ssh_access" {
+  for_each = {
+    for pair in setproduct(local.bastion_ssh_accessible_group_ids, var.bastion_group_ids) : "${pair[0].name}-${pair[1].name}" => { sg = pair[0], remote = pair[1] }
+  }
+
   direction         = "ingress"
   ethertype         = "IPv4"
   protocol          = "tcp"
   port_range_min    = 22
   port_range_max    = 22
-  remote_group_id   = each.value
-  security_group_id = openstack_networking_secgroup_v2.vault_member.id
+  security_group_id = each.value.sg
+  remote_group_id   = each.value.remote
 }
 
 resource "openstack_networking_secgroup_rule_v2" "bastion_member_icmp_access_v4" {
@@ -221,17 +232,6 @@ resource "openstack_networking_secgroup_rule_v2" "bastion_member_icmp_access_v6"
   security_group_id = openstack_networking_secgroup_v2.vault_member.id
 }
 
-resource "openstack_networking_secgroup_rule_v2" "bastion_load_balancer_ssh_access" {
-  for_each          = { for idx, id in var.bastion_group_ids : idx => id }
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "tcp"
-  port_range_min    = 22
-  port_range_max    = 22
-  remote_group_id   = each.value
-  security_group_id = openstack_networking_secgroup_v2.vault_load_balancer.id
-}
-
 resource "openstack_networking_secgroup_rule_v2" "bastion_load_balancer_icmp_access_v4" {
   for_each          = { for idx, id in var.bastion_group_ids : idx => id }
   direction         = "ingress"
@@ -250,17 +250,6 @@ resource "openstack_networking_secgroup_rule_v2" "bastion_load_balancer_icmp_acc
   security_group_id = openstack_networking_secgroup_v2.vault_load_balancer.id
 }
 
-resource "openstack_networking_secgroup_rule_v2" "bastion_load_balancer_tunnel_ssh_access" {
-  for_each          = { for idx, id in var.bastion_group_ids : idx => id }
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  protocol          = "tcp"
-  port_range_min    = 22
-  port_range_max    = 22
-  remote_group_id   = each.value
-  security_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
-}
-
 resource "openstack_networking_secgroup_rule_v2" "bastion_load_balancer_tunnel_icmp_access_v4" {
   for_each          = { for idx, id in var.bastion_group_ids : idx => id }
   direction         = "ingress"