Restrict SSH access to cluster VMs

We remove the SSH access from anywhere for the cluster VMs by updating the `all_machines` security group to only allow SSH from other machines in the `all_machines` security group. This PR requires appuio/terraform-modules#51 in order to ensure that the LBs remain accessible from anywhere via SSH and can act as SSH jumphosts for SSH access to the cluster VMs.
appuio · Feb 15, 2024 · 1762293 · 1762293
1 parent 0cfe477
commit 1762293
Showing 1 changed file with 3 additions and 13 deletions.
diff --git a/security_groups.tf b/security_groups.tf
@@ -65,26 +65,16 @@ resource "exoscale_security_group_rule" "all_machines_icmp" {
   cidr        = "0.0.0.0/0"
 }
 
-resource "exoscale_security_group_rule" "all_machines_ssh_v4" {
+resource "exoscale_security_group_rule" "all_machines_ssh" {
   security_group_id = exoscale_security_group.all_machines.id
 
-  description = "SSH Access"
+  description = "SSH Access from cluster VMs and LBs"
   type        = "INGRESS"
   protocol    = "TCP"
   start_port  = "22"
   end_port    = "22"
-  cidr        = "0.0.0.0/0"
-}
 
-resource "exoscale_security_group_rule" "all_machines_ssh_v6" {
-  security_group_id = exoscale_security_group.all_machines.id
-
-  description = "SSH Access"
-  type        = "INGRESS"
-  protocol    = "TCP"
-  start_port  = "22"
-  end_port    = "22"
-  cidr        = "::/0"
+  user_security_group_id = exoscale_security_group.all_machines.id
 }
 
 resource "exoscale_security_group" "control_plane" {