diff options
author | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2017-07-12 20:49:58 +0100 |
---|---|---|
committer | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2017-07-13 16:57:36 +0100 |
commit | 37d25cfe74687c5529fd43f0010eda8363682cbc (patch) | |
tree | 2662d7b8039392a57bf1b1c931c29c909e336644 | |
parent | a50a743ca3e52e9b35ca63797c5b3e984ba2b8f0 (diff) | |
download | infrastructure-37d25cfe74687c5529fd43f0010eda8363682cbc.tar.gz |
firewall.yml: Update to use OpenStack modules from Ansible 2.0
Previously we depended on 3rd party openstack-ansible-modules.
-rw-r--r-- | README.mdwn | 7 | ||||
-rw-r--r-- | firewall.yaml | 606 |
2 files changed, 262 insertions, 351 deletions
diff --git a/README.mdwn b/README.mdwn index f653efaf..8841e255 100644 --- a/README.mdwn +++ b/README.mdwn @@ -278,12 +278,9 @@ the correct `$OS_AUTH_URL`. ### Firewall / Security Groups The instructions assume the presence of a set of security groups. You can -create these by running the following Ansible playbook. You'll need the -OpenStack Ansible modules cloned from -`https://github.com/openstack-ansible/openstack-ansible-modules/`. +create these by running the following Ansible playbook. - ANSIBLE_LIBRARY=../openstack-ansible-modules ansible-playbook -i hosts \ - firewall.yaml + ansible-playbook -i hosts firewall.yaml ### Placeholders diff --git a/firewall.yaml b/firewall.yaml index 64c9200c..800e7390 100644 --- a/firewall.yaml +++ b/firewall.yaml @@ -14,390 +14,304 @@ # <https://github.com/openstack-ansible/openstack-ansible-modules/>. - hosts: localhost + gather_facts: false tasks: - name: default security group - neutron_sec_group: + os_security_group: name: default description: Allow all outgoing traffic, and allow incoming ICMP (ping) and SSH connections state: present - auth_url: "{{ ansible_env.OS_AUTH_URL }}" - login_username: "{{ ansible_env.OS_USERNAME }}" - login_password: "{{ ansible_env.OS_PASSWORD }}" - login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}" - - rules: - - direction: egress - port_range_min: 0 - port_range_max: 255 - ethertype: IPv4 - protocol: icmp - remote_ip_prefix: 0.0.0.0/0 - - - direction: egress - port_range_min: 1 - port_range_max: 65535 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - - direction: egress - port_range_min: 1 - port_range_max: 65535 - ethertype: IPv4 - protocol: udp - remote_ip_prefix: 0.0.0.0/0 - - # ICMP: allow ping! - - direction: ingress - port_range_min: 0 - port_range_max: 255 - ethertype: IPv4 - protocol: icmp - remote_ip_prefix: 0.0.0.0/0 - - # 22: Allow SSH access to all instances. - - direction: ingress - port_range_min: 22 - port_range_max: 22 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - # This group is an alternative to 'default' for machines that should be - # prevented from connecting to the outside world. - - name: internal-only security group - neutron_sec_group: - name: internal-only - description: Allow outgoing connections only to local network, and incoming ICMP and SSH - state: present - auth_url: "{{ ansible_env.OS_AUTH_URL }}" - login_username: "{{ ansible_env.OS_USERNAME }}" - login_password: "{{ ansible_env.OS_PASSWORD }}" - login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}" - - rules: - - direction: egress - port_range_min: 0 - port_range_max: 255 - ethertype: IPv4 - protocol: icmp - remote_ip_prefix: 192.168.222.0/24 - - - direction: egress - port_range_min: 1 - port_range_max: 65535 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 192.168.222.0/24 - - - direction: egress - port_range_min: 1 - port_range_max: 65535 - ethertype: IPv4 - protocol: udp - remote_ip_prefix: 192.168.222.0/24 - - # ICMP: allow ping! - - direction: ingress - port_range_min: 0 - port_range_max: 255 - ethertype: IPv4 - protocol: icmp - remote_ip_prefix: 0.0.0.0/0 - - # 22: Allow SSH access to all instances. - - direction: ingress - port_range_min: 22 - port_range_max: 22 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 + + - name: default security group - allow outgoing ICMP + os_security_group_rule: + security_group: default + direction: egress + port_range_min: 0 + port_range_max: 255 + ethertype: IPv4 + protocol: icmp + remote_ip_prefix: 0.0.0.0/0 + + - name: default security group - allow outgoing TCP + os_security_group_rule: + security_group: default + direction: egress + port_range_min: 1 + port_range_max: 65535 + ethertype: IPv4 + protocol: tcp + remote_ip_prefix: 0.0.0.0/0 + + - name: default security group -- allow outgoing UDP + os_security_group_rule: + security_group: default + direction: egress + port_range_min: 1 + port_range_max: 65535 + ethertype: IPv4 + protocol: udp + remote_ip_prefix: 0.0.0.0/0 + + - name: default security group -- allow incoming ICMP + os_security_group_rule: + security_group: default + direction: ingress + port_range_min: 0 + port_range_max: 255 + ethertype: IPv4 + protocol: icmp + remote_ip_prefix: 0.0.0.0/0 + + - name: default security group -- allow incoming TCP on port 22 for SSH + os_security_group_rule: + security_group: default + direction: ingress + port_range_min: 22 + port_range_max: 22 + ethertype: IPv4 + protocol: tcp + remote_ip_prefix: 0.0.0.0/0 - name: open security group - neutron_sec_group: + os_security_group: name: open description: Allow inbound traffic on all ports. DO NOT USE EXCEPT FOR TESTING!!! state: present - auth_url: "{{ ansible_env.OS_AUTH_URL }}" - login_username: "{{ ansible_env.OS_USERNAME }}" - login_password: "{{ ansible_env.OS_PASSWORD }}" - login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}" - - rules: - - direction: ingress - port_range_min: 1 - port_range_max: 65535 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - - direction: ingress - port_range_min: 1 - port_range_max: 65535 - ethertype: IPv4 - protocol: udp - remote_ip_prefix: 0.0.0.0/0 + + - name: open security group -- allow incoming TCP + os_security_group_rule: + security_group: open + direction: ingress + port_range_min: 1 + port_range_max: 65535 + ethertype: IPv4 + protocol: tcp + remote_ip_prefix: 0.0.0.0/0 + + - name: open security group -- allow incoming UDP + os_security_group_rule: + security_group: open + direction: ingress + port_range_min: 1 + port_range_max: 65535 + ethertype: IPv4 + protocol: udp + remote_ip_prefix: 0.0.0.0/0 - name: database-mysql security group - neutron_sec_group: + os_security_group: name: database-mysql description: Allow internal machines to access MariaDB database. state: present - auth_url: "{{ ansible_env.OS_AUTH_URL }}" - login_username: "{{ ansible_env.OS_USERNAME }}" - login_password: "{{ ansible_env.OS_PASSWORD }}" - login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}" - rules: - # 3306: MariaDB - - direction: ingress - port_range_min: 3306 - port_range_max: 3306 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 + + - name: database security group -- allow incoming TCP on port 3306 for MariaDB connections + os_security_group_rule: + security_group: database-mysql + direction: ingress + port_range_min: 3306 + port_range_max: 3306 + ethertype: IPv4 + protocol: tcp + remote_ip_prefix: 0.0.0.0/0 - name: gerrit security group - neutron_sec_group: + os_security_group: name: gerrit description: Allow access to Gerrit SSH daemon port 29418, plus HTTP, HTTPS and Git protocol. state: present - auth_url: "{{ ansible_env.OS_AUTH_URL }}" - login_username: "{{ ansible_env.OS_USERNAME }}" - login_password: "{{ ansible_env.OS_PASSWORD }}" - login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}" - rules: - # 80: HTTP, for browsing repos with cgit, and Git-over-HTTP. - - direction: ingress - port_range_min: 80 - port_range_max: 80 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - # 443: HTTPS, for browsing repos with cgit, and Git-over-HTTPS. - - direction: ingress - port_range_min: 443 - port_range_max: 443 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - # 8080: HTTP, for Gerrit web frontend - - direction: ingress - port_range_min: 8080 - port_range_max: 8080 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - # 9418: Git. - - direction: ingress - port_range_min: 9418 - port_range_max: 9418 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - # 29418: Gerrit SSH daemon. - - direction: ingress - port_range_min: 29418 - port_range_max: 29418 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 + + - name: gerrit security group -- allow incoming TCP on port 80 or cgit and Git-over-HTTP + os_security_group_rule: + security_group: gerrit + direction: ingress + port_range_min: 80 + port_range_max: 80 + ethertype: IPv4 + protocol: tcp + remote_ip_prefix: 0.0.0.0/0 + + - name: gerrit security group -- allow incoming TCP on port 443 for cgit and Git-over-HTTPS + os_security_group_rule: + security_group: gerrit + direction: ingress + port_range_min: 443 + port_range_max: 443 + ethertype: IPv4 + protocol: tcp + remote_ip_prefix: 0.0.0.0/0 + + - name: gerrit security group -- allow incoming TCP on port 8080 for Gerrit web frontend + os_security_group_rule: + security_group: gerrit + direction: ingress + port_range_min: 8080 + port_range_max: 8080 + ethertype: IPv4 + protocol: tcp + remote_ip_prefix: 0.0.0.0/0 + + - name: gerrit security group -- allow incoming TCP on port 9148 for git protocol + os_security_group_rule: + security_group: gerrit + direction: ingress + port_range_min: 9418 + port_range_max: 9418 + ethertype: IPv4 + protocol: tcp + remote_ip_prefix: 0.0.0.0/0 + + - name: gerrit security group -- allow incoming TCP on port 29148 for Gerrit SSH daemon + os_security_group_rule: + security_group: gerrit + direction: ingress + port_range_min: 29418 + port_range_max: 29418 + ethertype: IPv4 + protocol: tcp + remote_ip_prefix: 0.0.0.0/0 - name: git-server security group - neutron_sec_group: + os_security_group: name: git-server description: Allow inbound SSH, HTTP, HTTPS and Git. state: present - auth_url: "{{ ansible_env.OS_AUTH_URL }}" - login_username: "{{ ansible_env.OS_USERNAME }}" - login_password: "{{ ansible_env.OS_PASSWORD }}" - login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}" - rules: - # 22: SSH, for Git-over-SSH access. - - direction: ingress - port_range_min: 22 - port_range_max: 22 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - # 80: HTTP, for browsing repos with cgit, and Git-over-HTTP. - - direction: ingress - port_range_min: 80 - port_range_max: 80 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - # 443: HTTPS, for browsing repos with cgit, and Git-over-HTTPS. - - direction: ingress - port_range_min: 443 - port_range_max: 443 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - # 9418: Git. - - direction: ingress - port_range_min: 9418 - port_range_max: 9418 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 + + - name: git-server security group -- allow incoming TCP on port 22 for Git-over-SSH + os_security_group_rule: + security_group: git-server + direction: ingress + port_range_min: 22 + port_range_max: 22 + ethertype: IPv4 + protocol: tcp + remote_ip_prefix: 0.0.0.0/0 + + - name: git-server security group -- allow incoming TCP on port 80 for cgit and Git-over-HTTP + os_security_group_rule: + security_group: git-server + direction: ingress + port_range_min: 80 + port_range_max: 80 + ethertype: IPv4 + protocol: tcp + remote_ip_prefix: 0.0.0.0/0 + + - name: git-server security group -- allow incoming TCP on port 443 for cgit and Git-over-HTTPS + os_security_group_rule: + security_group: git-server + direction: ingress + port_range_min: 443 + port_range_max: 443 + ethertype: IPv4 + protocol: tcp + remote_ip_prefix: 0.0.0.0/0 + + - name: git-server security group -- allow incoming TCP on port 9418 for git protocol + os_security_group_rule: + security_group: git-server + direction: ingress + port_range_min: 9418 + port_range_max: 9418 + ethertype: IPv4 + protocol: tcp + remote_ip_prefix: 0.0.0.0/0 - name: internal mail relay security group - neutron_sec_group: + os_security_group: name: internal-mail-relay description: Allow receiving internal-only connections on port 25 for SMTP state: present - auth_url: "{{ ansible_env.OS_AUTH_URL }}" - login_username: "{{ ansible_env.OS_USERNAME }}" - login_password: "{{ ansible_env.OS_PASSWORD }}" - login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}" - - rules: - # 25: SMTP, for sending emails. - - direction: ingress - port_range_min: 25 - port_range_max: 25 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 192.168.222.0/24 - - - name: Mason x86 security group - neutron_sec_group: - name: mason-x86 - description: Allow inbound HTTP and HTTPS, and cache server fetches from port 8080. - state: present - - auth_url: "{{ ansible_env.OS_AUTH_URL }}" - login_username: "{{ ansible_env.OS_USERNAME }}" - login_password: "{{ ansible_env.OS_PASSWORD }}" - login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}" - - rules: - # 80: HTTP - - direction: ingress - port_range_min: 80 - port_range_max: 80 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - # 443: HTTPS - - direction: ingress - port_range_min: 443 - port_range_max: 443 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - # 7878: morph distbuild controller port. This rule allows a devel - # system inside the Baserock cloud to use the Mason instances for - # distbuilding, which is useful when building a Baserock release - # among other things. - - direction: ingress - port_range_min: 7878 - port_range_max: 7878 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 192.168.222.0/24 - - # 8080: morph-cache-server server port. The x86 Masons use - # cache.baserock.org as the cache server for their distbuild - # networks. So cache.baserock.org needs to be able to connect to - # them on this port to fetch artifacts. - - direction: ingress - port_range_min: 8080 - port_range_max: 8080 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 185.43.218.0/0 - # It'd be nice to limit access by security group, but it doesn't - # seem to actually work. Perhaps because we use external IP to - # access instead of internal IP. - #remote_group_id: "{{ default_group.sec_group.id }}" + - name: internal mail relay security group -- allow incoming TCP from internal hosts on port 25 for SMTP + os_security_group_rule: + security_group: internal-mail-relay + direction: ingress + port_range_min: 25 + port_range_max: 25 + ethertype: IPv4 + protocol: tcp + remote_ip_prefix: 192.168.222.0/24 - name: shared-artifact-cache security group - neutron_sec_group: + os_security_group: name: shared-artifact-cache description: Allow inbound HTTP, HTTPS and read-only Morph artifact cache access. Allow writable Morph artifact cache access from internal IPs. state: present - auth_url: "{{ ansible_env.OS_AUTH_URL }}" - login_username: "{{ ansible_env.OS_USERNAME }}" - login_password: "{{ ansible_env.OS_PASSWORD }}" - login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}" - rules: - # 80: HTTP for cache server web frontend (at the time of writing, this - # is a useless and empty cgit page, but we may improve it in future). - - direction: ingress - port_range_min: 80 - port_range_max: 80 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - # 443: HTTPS. - - direction: ingress - port_range_min: 443 - port_range_max: 443 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - # 8080: Read-only Morph artifact cache server. - - direction: ingress - port_range_min: 8080 - port_range_max: 8080 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - # 8081: 'writable cache server' port. Anyone who can connect - # to this port can delete or overwrite cached artifacts. - # - # FIXME: because the Masons use cache.baserock.org instead of - # 192.168.0.16 to access the shared artifact cache, we need to - # permit traffic from our public IP range. This provides a - # theoritical attack vector from other tenancies, so we should - # fix the Masons and remove this rule. - - direction: ingress - port_range_min: 8081 - port_range_max: 8081 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 185.43.218.0/0 - # It'd be nice to limit access by security group, but it doesn't - # seem to actually work. Perhaps because we use external IP to - # access instead of internal IP. - #remote_group_id: "{{ default_group.sec_group.id }}" + + - name: shared-artifact-cache security group -- allow incoming TCP on port 80 for cache server web frontend + os_security_group_rule: + security_group: shared-artifact-cache + direction: ingress + port_range_min: 80 + port_range_max: 80 + ethertype: IPv4 + protocol: tcp + remote_ip_prefix: 0.0.0.0/0 + + - name: shared-artifact-cache security group -- allow incoming TCP on port 443 for cache server web frontend + os_security_group_rule: + security_group: shared-artifact-cache + direction: ingress + port_range_min: 443 + port_range_max: 443 + ethertype: IPv4 + protocol: tcp + remote_ip_prefix: 0.0.0.0/0 + + - name: shared-artifact-cache security group -- allow incoming TCP on port 8080 for cache server read access + os_security_group_rule: + security_group: shared-artifact-cache + direction: ingress + port_range_min: 8080 + port_range_max: 8080 + ethertype: IPv4 + protocol: tcp + remote_ip_prefix: 0.0.0.0/0 + + # 8081: 'writable cache server' port. Anyone who can connect + # to this port can delete or overwrite cached artifacts. + # + # FIXME: because the Masons use cache.baserock.org instead of + # 192.168.0.16 to access the shared artifact cache, we need to + # permit traffic from our public IP range. This provides a + # theoritical attack vector from other tenancies, so we should + # fix the Masons and remove this rule. + - name: shared-artifact-cache security group -- allow incoming internal-only TCP on port 8081 for cache server write access + os_security_group_rule: + security_group: shared-artifact-cache + direction: ingress + port_range_min: 8081 + port_range_max: 8081 + ethertype: IPv4 + protocol: tcp + remote_ip_prefix: 185.43.218.0/0 + # It'd be nice to limit access by security group, but it doesn't + # seem to actually work. Perhaps because we use external IP to + # access instead of internal IP. + #remote_group_id: "{{ default_group.sec_group.id }}" - name: web-server security group - neutron_sec_group: + os_security_group: name: web-server description: Allow inbound HTTP and HTTPS. state: present - auth_url: "{{ ansible_env.OS_AUTH_URL }}" - login_username: "{{ ansible_env.OS_USERNAME }}" - login_password: "{{ ansible_env.OS_PASSWORD }}" - login_tenant_name: "{{ ansible_env.OS_TENANT_NAME }}" - rules: - # 80: HTTP - - direction: ingress - port_range_min: 80 - port_range_max: 80 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - # 443: HTTPS - - direction: ingress - port_range_min: 443 - port_range_max: 443 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 + + - name: web-server security group -- allow incoming TCP on port 80 for HTTP + os_security_group_rule: + security_group: web-server + direction: ingress + port_range_min: 80 + port_range_max: 80 + ethertype: IPv4 + protocol: tcp + remote_ip_prefix: 0.0.0.0/0 + + - name: web-server security group -- allow incoming TCP on port 443 for HTTPS + os_security_group_rule: + security_group: web-server + direction: ingress + port_range_min: 443 + port_range_max: 443 + ethertype: IPv4 + protocol: tcp + remote_ip_prefix: 0.0.0.0/0 |