From b89ffb3f81f46197bdb7157d941ee5bd809e2069 Mon Sep 17 00:00:00 2001
From: Issam
Date: Mon, 20 Nov 2023 15:38:47 -0500
Subject: [PATCH] feat: INFRA-504 Added lb tunnel sec group
---
 output.tf | 4 ++
 security_groups.tf | 131 +++++++++++++++++++++++++++++++++++++++++++++
 variables.tf | 5 ++
 3 files changed, 140 insertions(+)
diff --git a/output.tf b/output.tf
index 80faf54..8bbbc06 100644
--- a/output.tf
+++ b/output.tf
@@ -4,4 +4,8 @@ output "member_group" {
 output "load_balancer_group" {
 value = openstack_networking_secgroup_v2.vault_load_balancer
+}
+
+output "load_balancer_tunnel_security_group" {
+ value = openstack_networking_secgroup_v2.vault_load_balancer_tunnel
 }
\ No newline at end of file
diff --git a/security_groups.tf b/security_groups.tf
index 2f4b739..6eeeea7 100644
--- a/security_groups.tf
+++ b/security_groups.tf
@@ -10,6 +10,12 @@ resource "openstack_networking_secgroup_v2" "vault_load_balancer" {
 delete_default_rules = true
 }
+resource "openstack_networking_secgroup_v2" "vault_load_balancer_tunnel" {
+ name = var.load_balancer_tunnel_name
+ description = "Security group for vault tunneled load balancer"
+ delete_default_rules = true
+}
+
 //Allow all outbound traffic from vault members and load balancers
 resource "openstack_networking_secgroup_rule_v2" "vault_member_outgoing_v4" {
 direction = "egress"
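Review bot: The new output is named `load_balancer_tunnel_security_group` while the existing output directly above it is `load_balancer_group`, so module consumers get two naming schemes for the same kind of value; `output "load_balancer_tunnel_group"` keeps the pair consistent. Renaming is cheapest now, before any caller references the new output. Both outputs expose the whole security group resource as their `value`, so that part already matches.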
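Review bot: The new `vault_load_balancer_tunnel` security group carries no comment explaining how it relates to `vault_load_balancer`, and the section comments later in this file (`//Allow all outbound traffic from vault members and load balancers` and the ones introducing the client, bastion and metrics rules) still name only members and load balancers, so a reader cannot tell from the file that every section now also covers the tunnel group. A comment above the resource such as `//Security group for the tunneled load balancer; the rule sections below mirror those of vault_load_balancer` would close that gap, together with extending each section comment to name the tunnel group. `delete_default_rules = true` matches the existing group, so the tunnel group starts with no implicit allow-all egress and relies on the explicit egress rules added in the next hunk.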
@@ -35,6 +41,18 @@ resource "openstack_networking_secgroup_rule_v2" "vault_load_balancer_outgoing_v
 security_group_id = openstack_networking_secgroup_v2.vault_load_balancer.id
 }
+resource "openstack_networking_secgroup_rule_v2" "vault_load_balancer_tunnel_outgoing_v4" {
+ direction = "egress"
+ ethertype = "IPv4"
+ security_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "vault_load_balancer_tunnel_outgoing_v6" {
+ direction = "egress"
+ ethertype = "IPv6"
+ security_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+}
+
 //Allow port 8200, 4443, icmp traffic from other members and load balancers
 resource "openstack_networking_secgroup_rule_v2" "peer_member_vault_access" {
 direction = "ingress"
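Review bot: The two new egress rules set neither `remote_ip_prefix` nor `remote_group_id`, so the tunnel load balancer group may send to any destination on any port over IPv4 and IPv6, the same breadth the existing `vault_load_balancer` egress rules have. If the tunnel hosts only need to reach the vault members on 8200 and their tunnel peer, one rule with `remote_group_id = openstack_networking_secgroup_v2.vault_member.id` plus a separate rule for the peer would bound what a compromised load balancer can reach; I cannot tell from this hunk what the tunnel endpoint is, so treat this as a question rather than a defect. The header comment above these rules, `//Allow all outbound traffic from vault members and load balancers`, sits outside the hunk and should mention the tunnel group as well.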
@@ -88,6 +106,32 @@ resource "openstack_networking_secgroup_rule_v2" "load_balancer_member_icmp_acce
 security_group_id = openstack_networking_secgroup_v2.vault_member.id
 }
+resource "openstack_networking_secgroup_rule_v2" "load_balancer_tunnel_member_vault_access" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 8200
+ port_range_max = 8200
+ remote_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+ security_group_id = openstack_networking_secgroup_v2.vault_member.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "load_balancer_tunnel_member_icmp_access_v4" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "icmp"
+ remote_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+ security_group_id = openstack_networking_secgroup_v2.vault_member.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "load_balancer_tunnel_member_icmp_access_v6" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "ipv6-icmp"
+ remote_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+ security_group_id = openstack_networking_secgroup_v2.vault_member.id
+}
+
 //Allow vault and icmp traffic access on load balancers from the clients
 resource "openstack_networking_secgroup_rule_v2" "clients_vault_access" {
 for_each = { for idx, id in var.client_group_ids : idx => id }
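Review bot: `load_balancer_tunnel_member_vault_access` opens only TCP 8200 over IPv4 towards the members, while the section comment above this block reads `//Allow port 8200, 4443, icmp traffic from other members and load balancers` and the ICMP rules in the same hunk cover both IPv4 and IPv6. If the existing `load_balancer_member_vault_access` rule (outside the hunk) also opens 4443 or has an IPv6 counterpart, the tunnel group is missing those; if 8200 over IPv4 is all the tunnel path needs, the narrower rule is the better choice and deserves a one-line comment saying so, e.g. `// tunnel load balancers reach members on 8200/IPv4 only; 4443 intentionally not opened`. I am inferring the 4443 expectation from the section comment alone, so confirm against the rules outside this hunk before changing anything.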
@@ -118,6 +162,35 @@ resource "openstack_networking_secgroup_rule_v2" "clients_icmp_access_v6" {
 security_group_id = openstack_networking_secgroup_v2.vault_load_balancer.id
 }
+resource "openstack_networking_secgroup_rule_v2" "clients_vault_access_tunnel" {
+ for_each = { for idx, id in var.client_group_ids : idx => id }
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 8200
+ port_range_max = 8200
+ remote_group_id = each.value
+ security_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "clients_icmp_access_tunnel_v4" {
+ for_each = { for idx, id in var.client_group_ids : idx => id }
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "icmp"
+ remote_group_id = each.value
+ security_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "clients_icmp_access_tunnel_v6" {
+ for_each = { for idx, id in var.client_group_ids : idx => id }
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "ipv6-icmp"
+ remote_group_id = each.value
+ security_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+}
+
 //Allow port 22 and icmp traffic from the bastion
 resource "openstack_networking_secgroup_rule_v2" "bastion_member_ssh_access" {
 for_each = { for idx, id in var.bastion_group_ids : idx => id }
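Review bot: The three `clients_*_tunnel*` resources are copies of the existing client rules with only `security_group_id` changed, and the same duplication is repeated in the bastion and metrics hunks that follow, so any future change to the client, bastion or metrics policy now has to be made twice and the two load balancer groups can silently drift apart. A map of load balancer group ids in a `locals` block, crossed with the client ids, lets one resource per rule type cover both groups, as sketched below. Folding the existing resources into that `for_each` changes their state addresses (`clients_vault_access["0"]` would become `clients_vault_access["default-0"]`), so it needs `moved` blocks or a `terraform state mv` before apply; if that migration is not worth doing in this change, keeping the copies is defensible but each tunnel rule should carry a comment pointing at the rule it mirrors.
```hcl
locals {
  load_balancer_group_ids = {
    default = openstack_networking_secgroup_v2.vault_load_balancer.id
    tunnel  = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
  }
  // one entry per (load balancer group, client group) pair
  client_load_balancer_pairs = merge([
    for lb_key, lb_id in local.load_balancer_group_ids : {
      for idx, client_id in var.client_group_ids :
      "${lb_key}-${idx}" => { load_balancer_id = lb_id, client_id = client_id }
    }
  ]...)
}

resource "openstack_networking_secgroup_rule_v2" "clients_vault_access" {
  for_each          = local.client_load_balancer_pairs
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 8200
  port_range_max    = 8200
  remote_group_id   = each.value.client_id
  security_group_id = each.value.load_balancer_id
}
// … unchanged in shape: clients_icmp_access_v4 / _v6 take the same for_each and each.value fields …
```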
@@ -177,6 +250,35 @@ resource "openstack_networking_secgroup_rule_v2" "bastion_load_balancer_icmp_acc
 security_group_id = openstack_networking_secgroup_v2.vault_load_balancer.id
 }
+resource "openstack_networking_secgroup_rule_v2" "bastion_load_balancer_tunnel_ssh_access" {
+ for_each = { for idx, id in var.bastion_group_ids : idx => id }
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 22
+ port_range_max = 22
+ remote_group_id = each.value
+ security_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "bastion_load_balancer_tunnel_icmp_access_v4" {
+ for_each = { for idx, id in var.bastion_group_ids : idx => id }
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "icmp"
+ remote_group_id = each.value
+ security_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "bastion_load_balancer_tunnel_icmp_access_v6" {
+ for_each = { for idx, id in var.bastion_group_ids : idx => id }
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "ipv6-icmp"
+ remote_group_id = each.value
+ security_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+}
+
 //Allow port 9100 and icmp traffic from metrics server
 resource "openstack_networking_secgroup_rule_v2" "metrics_server_member_node_exporter_access" {
 for_each = { for idx, id in var.metrics_server_group_ids : idx => id }
@@ -234,4 +336,33 @@ resource "openstack_networking_secgroup_rule_v2" "metrics_server_load_balancer_i
 protocol = "ipv6-icmp"
 remote_group_id = each.value
 security_group_id = openstack_networking_secgroup_v2.vault_load_balancer.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "metrics_server_load_balancer_tunnel_node_exporter_access" {
+ for_each = { for idx, id in var.metrics_server_group_ids : idx => id }
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 9100
+ port_range_max = 9100
+ remote_group_id = each.value
+ security_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "metrics_server_load_balancer_tunnel_icmp_access_v4" {
+ for_each = { for idx, id in var.metrics_server_group_ids : idx => id }
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "icmp"
+ remote_group_id = each.value
+ security_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "metrics_server_load_balancer_tunnel_icmp_access_v6" {
+ for_each = { for idx, id in var.metrics_server_group_ids : idx => id }
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "ipv6-icmp"
+ remote_group_id = each.value
+ security_group_id = openstack_networking_secgroup_v2.vault_load_balancer_tunnel.id
 }
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 6f644f7..ee7a2e1 100644
--- a/variables.tf
+++ b/variables.tf
@@ -9,6 +9,11 @@ variable "load_balancer_group_name" {
 type = string
 }
+variable "load_balancer_tunnel_name" {
+ description = "Name for vault load balancer tunnel security group"
+ type = string
+}
+
 variable "client_group_ids" {
 description = "Id of client security groups"
 type = list(string)
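Review bot: `load_balancer_tunnel_name` has no `default`, so every existing caller of this module fails validation on its next plan until it passes the new variable, and the tunnel security group plus all of its rules are created unconditionally even for deployments that have no tunneled load balancer. If the tunnel group is meant to be optional, a default together with a `count` on `vault_load_balancer_tunnel` and its rules would keep old callers working; if it is always required, say so in the description, e.g. `description = "Name for vault load balancer tunnel security group (required; the group is always created)"`, and flag the breaking change for module callers in the commit message or changelog. I cannot see the module's README or its callers from this patch, so which of the two applies is for the author to decide.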