From ec07fae796625bd9e063070d93b1bb252fb46626 Mon Sep 17 00:00:00 2001
From: Pedro Alvarez
Date: Tue, 17 Aug 2021 15:19:00 +0200
Subject: Split tf files
---
firewall.yaml | 57 ------------
terraform/base.tf | 39 ++++++++
terraform/infra.tf | 236 ------------------------------------------------
terraform/networking.tf | 193 +++++++++++++++++++++++++++++++++++++++
4 files changed, 232 insertions(+), 293 deletions(-)
create mode 100644 terraform/base.tf
create mode 100644 terraform/networking.tf
diff --git a/firewall.yaml b/firewall.yaml
index e06b12e1..0b24e174 100644
--- a/firewall.yaml
+++ b/firewall.yaml
@@ -16,63 +16,6 @@ - hosts: localhost gather_facts: false tasks: - - name: default security group - os_security_group: - name: default - description: Allow all outgoing traffic, and allow incoming ICMP (ping) and SSH connections - state: present - - - name: default security group - allow outgoing ICMP - os_security_group_rule: - security_group: default - direction: egress - port_range_min: 0 - port_range_max: 255 - ethertype: IPv4 - protocol: icmp - remote_ip_prefix: 0.0.0.0/0 - - - name: default security group - allow outgoing TCP - os_security_group_rule: - security_group: default - direction: egress - port_range_min: 1 - port_range_max: 65535 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - - name: default security group -- allow outgoing UDP - os_security_group_rule: - security_group: default - direction: egress - port_range_min: 1 - port_range_max: 65535 - ethertype: IPv4 - protocol: udp - remote_ip_prefix: 0.0.0.0/0 - - - name: default security group -- allow incoming ICMP - os_security_group_rule: - security_group: default - direction: ingress - port_range_min: 0 - port_range_max: 255 - ethertype: IPv4 - protocol: icmp - remote_ip_prefix: 0.0.0.0/0 - - - name: default security group -- allow incoming TCP on port 22 for SSH - os_security_group_rule: - security_group: default - direction: ingress - port_range_min: 22 - port_range_max: 22 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - - name: open security group os_security_group: name: open description: Allow inbound traffic on all ports. DO NOT USE EXCEPT FOR TESTING!!! diff --git a/terraform/base.tf b/terraform/base.tf new file mode 100644 index 00000000..b8809f73 --- /dev/null +++ b/terraform/base.tf 
@@ -0,0 +1,39 @@
+# Define required providers
+terraform {
+required_version = ">= 0.14.0"
+ required_providers {
+ openstack = {
+ source = "terraform-provider-openstack/openstack"
+ version = "~> 1.35.0"
+ }
+ }
+}
+
+# Configure the OpenStack Provider
+provider "openstack" {
+ auth_url = "https://fra1.citycloud.com:5000"
+}
+
+
+data "openstack_images_image_v2" "ubuntu" {
+ name = "Ubuntu 20.04 Focal Fossa 20210616"
+ most_recent = true
+
+ properties = {
+ key = "value"
+ }
+}
+
+locals {
+ username = "cloud"
+ image_name = "Ubuntu 20.04 Focal Fossa 20210616"
+ name_prefix = "bazel-poc"
+ flavor_name_frontend = "1C-2GB-20GB"
+}
+
+
+# Create keypairs
+resource "openstack_compute_keypair_v2" "pedro-keypair" {
+ name = "pedro-alvarez_latty"
+ public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDrfYhQAgqiwtcl37TfBR7N5Fq7ze17Cn4UUbz/Nuby/9qfypUp5Ir2x0P1otbQfozwWBOwmKCFRQMs+fZXFpWsvshNcmaw+rMI8wP1Bx2cqSuPusLPEYbvRbnfGo/E7aj/GvpSKRlBCGF3tORzGAmQsogUUXXcXP7PKIkPB3Jo04K8IeuSoRGd8cGfUWA6dcx9YuZHeJ3o/RzpV8UvU3Ge50mLf05cbrS2LlXgnG2PGbuBX5l87O6u3KUXq5zoafd0AtpSelNcVfAjpwdPokyuR1pXn+3q2w+l7ExmIAjwJV+QJeSSRMRfiHbk/+D3vYUlnqoarB0UrsTb2mY2tAPD"
+}
diff --git a/terraform/infra.tf b/terraform/infra.tf
index f53fcaa4..8f30b30a 100644
--- a/terraform/infra.tf
+++ b/terraform/infra.tf
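Review bot: The `ubuntu` image data source filters on `properties = { key = "value" }`, which reads like the placeholder from the provider docs rather than a real image property, so the lookup only matches an image that literally carries a property named `key` with value `value`; drop the `properties` block or put the property you actually mean to match there (it is not clear from this diff whether `ubuntu` is referenced at all, since infra.tf keeps a separate `image_id` lookup). More generally the image is chosen by display name with `most_recent = true` and no `owner`/`visibility` filter or UUID pin, so whichever catalog image currently carries that name is what gets booted — the `20210616` suffix in the name is not an integrity guarantee, and an `owner` filter or a pinned ID would close that supply-chain gap. The provider block sets only `auth_url` and leaves credentials to the environment, which is the right call; a one-line comment such as `# credentials are taken from the OS_* environment variables, never put them here` would keep the next editor from hard-coding them. `required_version` is also unindented relative to the rest of the `terraform` block.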
@@ -1,38 +1,3 @@
-# Define required providers
-terraform {
-required_version = ">= 0.14.0"
- required_providers {
- openstack = {
- source = "terraform-provider-openstack/openstack"
- version = "~> 1.35.0"
- }
- }
-}
-
-# Configure the OpenStack Provider
-provider "openstack" {
- auth_url = "https://fra1.citycloud.com:5000"
-}
-
-
-
-data "openstack_images_image_v2" "ubuntu" {
- name = "Ubuntu 20.04 Focal Fossa 20210616"
- most_recent = true
-
- properties = {
- key = "value"
- }
-}
-
-locals {
- username = "cloud"
- image_name = "Ubuntu 20.04 Focal Fossa 20210616"
- name_prefix = "bazel-poc"
- flavor_name_frontend = "1C-2GB-20GB"
-}
-
-
 data "openstack_compute_flavor_v2" "flavor_frontend" {
 name = local.flavor_name_frontend
 }
@@ -42,207 +7,6 @@ data "openstack_images_image_v2" "image_id" { most_recent = true } -# Create keypairs -resource "openstack_compute_keypair_v2" "pedro-keypair" { - name = "pedro-alvarez_latty" - public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDrfYhQAgqiwtcl37TfBR7N5Fq7ze17Cn4UUbz/Nuby/9qfypUp5Ir2x0P1otbQfozwWBOwmKCFRQMs+fZXFpWsvshNcmaw+rMI8wP1Bx2cqSuPusLPEYbvRbnfGo/E7aj/GvpSKRlBCGF3tORzGAmQsogUUXXcXP7PKIkPB3Jo04K8IeuSoRGd8cGfUWA6dcx9YuZHeJ3o/RzpV8UvU3Ge50mLf05cbrS2LlXgnG2PGbuBX5l87O6u3KUXq5zoafd0AtpSelNcVfAjpwdPokyuR1pXn+3q2w+l7ExmIAjwJV+QJeSSRMRfiHbk/+D3vYUlnqoarB0UrsTb2mY2tAPD" -} - -resource "openstack_networking_network_v2" "baserock_network" { - name = "Baserock Network" - admin_state_up = "true" -} - -resource "openstack_networking_subnet_v2" "baserock_subnet" { - name = "Baserock Subnet" - network_id = "${openstack_networking_network_v2.baserock_network.id}" - cidr = "10.3.0.0/24" - ip_version = 4 -} - -resource "openstack_networking_secgroup_v2" "sg_base" { - name = "base" - description = "Allow all outgoing traffic, and allow incoming ICMP (ping) and SSH connections" - delete_default_rules = "true" -} - -resource "openstack_networking_secgroup_rule_v2" "sg_base_egress_icmp" { - direction = "egress" - ethertype = "IPv4" - protocol = "icmp" - remote_ip_prefix = "0.0.0.0/0" - security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}" -} - -resource "openstack_networking_secgroup_rule_v2" "sg_base_egress_any" { - direction = "egress" - ethertype = "IPv4" - remote_ip_prefix = "0.0.0.0/0" - security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}" -} - -resource "openstack_networking_secgroup_rule_v2" "sg_base_egress_any_v6" { - direction = "egress" - ethertype = "IPv6" - remote_ip_prefix = "::/0" - security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}" -} - -resource "openstack_networking_secgroup_rule_v2" "sg_base_ingress_icmp" { - direction = "ingress" - ethertype = "IPv4" - protocol = "icmp" - remote_ip_prefix = 
"0.0.0.0/0" - security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}" -} - - -resource "openstack_networking_secgroup_rule_v2" "sg_base_ingress_ssh" { - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 22 - port_range_max = 22 - remote_ip_prefix = "0.0.0.0/0" - security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}" -} - - - -resource "openstack_networking_secgroup_v2" "sg_haste_server" { - name = "haste-server" - description = "Allow incoming TCP requests for haste server" - delete_default_rules = "true" -} - -resource "openstack_networking_secgroup_rule_v2" "sg_haste_server_main" { - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 7777 - port_range_max = 7777 - remote_ip_prefix = "0.0.0.0/0" - security_group_id = "${openstack_networking_secgroup_v2.sg_haste_server.id}" -} - -resource "openstack_networking_secgroup_v2" "sg_gitlab_bot" { - name = "gitlab-bot" - description = "Allow incoming TCP requests for gitlab-bot" - delete_default_rules = "true" -} - - -resource "openstack_networking_secgroup_rule_v2" "sg_gitlab_bot_main" { - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 1337 - port_range_max = 1337 - remote_ip_prefix = "0.0.0.0/0" - security_group_id = "${openstack_networking_secgroup_v2.sg_gitlab_bot.id}" -} - - -resource "openstack_networking_secgroup_v2" "sg_git_server" { - name = "git-server" - description = "Allow inbound SSH, HTTP, HTTPS and Git requests." 
- delete_default_rules = "true" -} - -resource "openstack_networking_secgroup_rule_v2" "sg_git_server_http" { - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 80 - port_range_max = 80 - remote_ip_prefix = "0.0.0.0/0" - security_group_id = "${openstack_networking_secgroup_v2.sg_git_server.id}" -} - -resource "openstack_networking_secgroup_rule_v2" "sg_git_server_https" { - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 443 - port_range_max = 443 - remote_ip_prefix = "0.0.0.0/0" - security_group_id = "${openstack_networking_secgroup_v2.sg_git_server.id}" -} - -resource "openstack_networking_secgroup_rule_v2" "sg_git_server_git" { - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 9418 - port_range_max = 9418 - remote_ip_prefix = "0.0.0.0/0" - security_group_id = "${openstack_networking_secgroup_v2.sg_git_server.id}" -} - - - -resource "openstack_networking_secgroup_v2" "sg_shared_artifact_cache" { - name = "shared-artifact-cache" - description = "Allow inbound HTTP, HTTPS and ostree-over-SSH (which I've assigned to port 22200)" - delete_default_rules = "true" -} - -resource "openstack_networking_secgroup_rule_v2" "sg_shared_artifact_cache_http" { - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 80 - port_range_max = 80 - remote_ip_prefix = "0.0.0.0/0" - security_group_id = "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.id}" -} -resource "openstack_networking_secgroup_rule_v2" "sg_shared_artifact_cache_https" { - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 443 - port_range_max = 443 - remote_ip_prefix = "0.0.0.0/0" - security_group_id = "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.id}" -} -resource "openstack_networking_secgroup_rule_v2" "sg_shared_artifact_cache_ssh" { - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 22200 - 
port_range_max = 22200 - remote_ip_prefix = "0.0.0.0/0" - security_group_id = "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.id}" -} - - -resource "openstack_networking_secgroup_v2" "sg_web_server" { - name = "web-server" - description = "Allow inbound HTTP, HTTPS and ostree-over-SSH (which I've assigned to port 22200)" - delete_default_rules = "true" -} - - -resource "openstack_networking_secgroup_rule_v2" "sg_web_server_http" { - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 80 - port_range_max = 80 - remote_ip_prefix = "0.0.0.0/0" - security_group_id = "${openstack_networking_secgroup_v2.sg_web_server.id}" -} -resource "openstack_networking_secgroup_rule_v2" "sg_web_server_https" { - direction = "ingress" - ethertype = "IPv4" - protocol = "tcp" - port_range_min = 443 - port_range_max = 443 - remote_ip_prefix = "0.0.0.0/0" - security_group_id = "${openstack_networking_secgroup_v2.sg_web_server.id}" -} - - resource "openstack_networking_port_v2" "frontend_port" { name = "port_1" network_id = "${openstack_networking_network_v2.baserock_network.id}" diff --git a/terraform/networking.tf b/terraform/networking.tf new file mode 100644 index 00000000..02ac82f4 --- /dev/null +++ b/terraform/networking.tf 
@@ -0,0 +1,193 @@
+resource "openstack_networking_network_v2" "baserock_network" {
+ name = "Baserock Network"
+ admin_state_up = "true"
+}
+
+resource "openstack_networking_subnet_v2" "baserock_subnet" {
+ name = "Baserock Subnet"
+ network_id = "${openstack_networking_network_v2.baserock_network.id}"
+ cidr = "10.3.0.0/24"
+ ip_version = 4
+}
+
+resource "openstack_networking_secgroup_v2" "sg_base" {
+ name = "base"
+ description = "Allow all outgoing traffic, and allow incoming ICMP (ping) and SSH connections"
+ delete_default_rules = "true"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_egress_icmp" {
+ direction = "egress"
+ ethertype = "IPv4"
+ protocol = "icmp"
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_egress_any" {
+ direction = "egress"
+ ethertype = "IPv4"
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_egress_any_v6" {
+ direction = "egress"
+ ethertype = "IPv6"
+ remote_ip_prefix = "::/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_ingress_icmp" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "icmp"
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+
+resource "openstack_networking_secgroup_rule_v2" "sg_base_ingress_ssh" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 22
+ port_range_max = 22
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_base.id}"
+}
+
+
+
+resource "openstack_networking_secgroup_v2" "sg_haste_server" {
+ name = "haste-server"
+ description = "Allow incoming TCP requests for haste server"
+ delete_default_rules = "true"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_haste_server_main" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 7777
+ port_range_max = 7777
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_haste_server.id}"
+}
+
+resource "openstack_networking_secgroup_v2" "sg_gitlab_bot" {
+ name = "gitlab-bot"
+ description = "Allow incoming TCP requests for gitlab-bot"
+ delete_default_rules = "true"
+}
+
+
+resource "openstack_networking_secgroup_rule_v2" "sg_gitlab_bot_main" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 1337
+ port_range_max = 1337
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_gitlab_bot.id}"
+}
+
+
+resource "openstack_networking_secgroup_v2" "sg_git_server" {
+ name = "git-server"
+ description = "Allow inbound SSH, HTTP, HTTPS and Git requests."
+ delete_default_rules = "true"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_git_server_http" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 80
+ port_range_max = 80
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_git_server.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_git_server_https" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 443
+ port_range_max = 443
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_git_server.id}"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_git_server_git" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 9418
+ port_range_max = 9418
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_git_server.id}"
+}
+
+
+
+resource "openstack_networking_secgroup_v2" "sg_shared_artifact_cache" {
+ name = "shared-artifact-cache"
+ description = "Allow inbound HTTP, HTTPS and ostree-over-SSH (which I've assigned to port 22200)"
+ delete_default_rules = "true"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "sg_shared_artifact_cache_http" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 80
+ port_range_max = 80
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.id}"
+}
+resource "openstack_networking_secgroup_rule_v2" "sg_shared_artifact_cache_https" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 443
+ port_range_max = 443
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.id}"
+}
+resource "openstack_networking_secgroup_rule_v2" "sg_shared_artifact_cache_ssh" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 22200
+ port_range_max = 22200
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_shared_artifact_cache.id}"
+}
+
+
+resource "openstack_networking_secgroup_v2" "sg_web_server" {
+ name = "web-server"
+ description = "Allow inbound HTTP, HTTPS and ostree-over-SSH (which I've assigned to port 22200)"
+ delete_default_rules = "true"
+}
+
+
+resource "openstack_networking_secgroup_rule_v2" "sg_web_server_http" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 80
+ port_range_max = 80
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_web_server.id}"
+}
+resource "openstack_networking_secgroup_rule_v2" "sg_web_server_https" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 443
+ port_range_max = 443
+ remote_ip_prefix = "0.0.0.0/0"
+ security_group_id = "${openstack_networking_secgroup_v2.sg_web_server.id}"
+}
-- cgit v1.2.1
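Review bot: `sg_base_ingress_ssh` opens TCP/22 to `0.0.0.0/0`, and since `sg_base` is the group presumably attached to every instance, every host in the deployment becomes world-reachable on SSH; restrict it to an operator range, e.g. `remote_ip_prefix = var.ssh_allowed_cidr` with the variable defaulting to the bastion/VPN prefix, or move SSH exposure into a bastion-only group. The same `0.0.0.0/0` is used for the non-web services (`haste-server` on 7777, `gitlab-bot` on 1337, ostree-over-SSH on 22200), which should be limited to the peers that actually need them unless they are deliberately public. The descriptions have also drifted from the rules: `sg_web_server` says "ostree-over-SSH (which I've assigned to port 22200)" but only has 80/443 rules, and `sg_git_server` says "Allow inbound SSH" while defining no port-22 rule (presumably relying on `sg_base`), so the strings shown in the console no longer match what is enforced. `sg_base_egress_icmp` is redundant with `sg_base_egress_any` (a rule without `protocol` matches every protocol), and the `"${...}"` interpolations plus string booleans like `"true"` are pre-0.12 style — with `required_version >= 0.14` the idiom is `openstack_networking_secgroup_v2.sg_base.id` and a bare `true`.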