infrastructure-as-code/openstack-shell-scripts/d4s-preprod/10-security-groups.sh

#!/usr/bin/env bash

. ./variables.sh
#
# Part of the security groups
#
# Remove the ingress rules from the default group
# openstack --os-cloud d4s-pre security group show default
rules_to_delete=
rules_to_delete=$(openstack --os-cloud d4s-pre security group show -c rules default | grep ingress | grep -v protocol | awk -F id= '{ print $2 }' | awk -F \' '{ print $2 }')
if [ -n "$rules_to_delete" ] ; then
  for r in $(echo $rules_to_delete) ; do
    openstack --os-cloud d4s-pre security group rule delete $r
  done
fi
openstack --os-cloud d4s-pre security group rule create \
  --description "Allow ICMP" --ingress --protocol icmp \
  --remote-ip 0.0.0.0/0 default
openstack --os-cloud d4s-pre security group rule create \
  --description "Prometheus node exporter" --ingress --protocol icmp \
  --dst-port "9100" \
  --remote-ip 10.1.32.0/22 default

# SSH access
openstack --os-cloud d4s-pre security group create \
  --description "Access to the SSH Proxy Jump server" \
  "Limited SSH access"
rules_to_delete=$(openstack --os-cloud d4s-pre security group show -c rules "Limited SSH access" | grep egress | awk -F id= '{ print $2 }' | awk -F \' '{ print $2 }')
if [ -n "$rules_to_delete" ] ; then
  for r in $(echo $rules_to_delete) ; do
    openstack --os-cloud d4s-pre security group rule delete $r
  done
fi
openstack --os-cloud d4s-pre security group rule create \
  --description "Access from S2I2S vpn 1" --ingress --protocol tcp --dst-port "22" \
  --remote-ip 146.48.28.10/32 "Limited SSH access"
openstack --os-cloud d4s-pre security group rule create \
  --description "Access from S2I2S vpn 2" --ingress --protocol tcp --dst-port "22" \
  --remote-ip 146.48.28.11/32 "Limited SSH access"
openstack --os-cloud d4s-pre security group rule create \
  --description "Access from D4Science VPN 1" --ingress --protocol tcp --dst-port "22" \
  --remote-ip 146.48.122.27/32 "Limited SSH access"
openstack --os-cloud d4s-pre security group rule create \
  --description "Access from D4Science VPN 2" --ingress --protocol tcp --dst-port "22" \
  --remote-ip 146.48.122.49/32 "Limited SSH access"
openstack --os-cloud d4s-pre security group rule create \
  --description "Access from shell.d4science.org" --ingress --protocol tcp --dst-port "22" \
  --remote-ip 146.48.122.95/32 "Limited SSH access"
openstack --os-cloud d4s-pre security group rule create \
  --description "SSH from the InfraScience Network (because masquerade on the Xen hypervisors)" --ingress --protocol tcp --dst-port "22" \
  --remote-ip 146.48.122.0/23 "Limited SSH access"
# Limited HTTPS access
openstack --os-cloud d4s-pre security group create \
  --description "Limited HTTPs and public HTTP. For servers with public IP addresses that can be accessed from our VPN only" \
  "Limited HTTPS access"
rules_to_delete=$(openstack --os-cloud d4s-pre security group show -c rules "Limited HTTPS access" | grep egress | awk -F id= '{ print $2 }' | awk -F \' '{ print $2 }')
if [ -n "$rules_to_delete" ] ; then
  for r in $(echo $rules_to_delete) ; do
    openstack --os-cloud d4s-pre security group rule delete $r
  done
fi

# HAPROXY, Prometheus, shell-jump: create VM with a fixed IP address so that we can statically define the security groups
# HAPROXY L7 security group id: 20ff5149-54d6-49b4-b7e4-31fef6f08b3f

dest_ports="8880 9999"
for port in $dest_ports ; do
  openstack --os-cloud ${os_infra} security group rule create --ingress --protocol tcp --dst-port "$port" --remote-ip 10.1.30.180/32 20ff5149-54d6-49b4-b7e4-31fef6f08b3f
  openstack --os-cloud ${os_infra} security group rule create --ingress --protocol tcp --dst-port "$port" --remote-ip 10.1.29.161/32 20ff5149-54d6-49b4-b7e4-31fef6f08b3f
done
First commit of dev and preprod scripts. 2023-10-24 12:50:35 +02:00			`#!/usr/bin/env bash`

			`. ./variables.sh`
			`#`
			`# Part of the security groups`
			`#`
			`# Remove the ingress rules from the default group`
			`# openstack --os-cloud d4s-pre security group show default`
			`rules_to_delete=`
			`rules_to_delete=$(openstack --os-cloud d4s-pre security group show -c rules default \| grep ingress \| grep -v protocol \| awk -F id= '{ print $2 }' \| awk -F \' '{ print $2 }')`
			`if [ -n "$rules_to_delete" ] ; then`
			`for r in $(echo $rules_to_delete) ; do`
			`openstack --os-cloud d4s-pre security group rule delete $r`
			`done`
			`fi`
			`openstack --os-cloud d4s-pre security group rule create \`
			`--description "Allow ICMP" --ingress --protocol icmp \`
			`--remote-ip 0.0.0.0/0 default`
			`openstack --os-cloud d4s-pre security group rule create \`
			`--description "Prometheus node exporter" --ingress --protocol icmp \`
			`--dst-port "9100" \`
			`--remote-ip 10.1.32.0/22 default`

			`# SSH access`
			`openstack --os-cloud d4s-pre security group create \`
			`--description "Access to the SSH Proxy Jump server" \`
			`"Limited SSH access"`
			`rules_to_delete=$(openstack --os-cloud d4s-pre security group show -c rules "Limited SSH access" \| grep egress \| awk -F id= '{ print $2 }' \| awk -F \' '{ print $2 }')`
			`if [ -n "$rules_to_delete" ] ; then`
			`for r in $(echo $rules_to_delete) ; do`
			`openstack --os-cloud d4s-pre security group rule delete $r`
			`done`
			`fi`
			`openstack --os-cloud d4s-pre security group rule create \`
			`--description "Access from S2I2S vpn 1" --ingress --protocol tcp --dst-port "22" \`
			`--remote-ip 146.48.28.10/32 "Limited SSH access"`
			`openstack --os-cloud d4s-pre security group rule create \`
			`--description "Access from S2I2S vpn 2" --ingress --protocol tcp --dst-port "22" \`
			`--remote-ip 146.48.28.11/32 "Limited SSH access"`
			`openstack --os-cloud d4s-pre security group rule create \`
			`--description "Access from D4Science VPN 1" --ingress --protocol tcp --dst-port "22" \`
			`--remote-ip 146.48.122.27/32 "Limited SSH access"`
			`openstack --os-cloud d4s-pre security group rule create \`
			`--description "Access from D4Science VPN 2" --ingress --protocol tcp --dst-port "22" \`
			`--remote-ip 146.48.122.49/32 "Limited SSH access"`
			`openstack --os-cloud d4s-pre security group rule create \`
			`--description "Access from shell.d4science.org" --ingress --protocol tcp --dst-port "22" \`
			`--remote-ip 146.48.122.95/32 "Limited SSH access"`
			`openstack --os-cloud d4s-pre security group rule create \`
			`--description "SSH from the InfraScience Network (because masquerade on the Xen hypervisors)" --ingress --protocol tcp --dst-port "22" \`
			`--remote-ip 146.48.122.0/23 "Limited SSH access"`
			`# Limited HTTPS access`
			`openstack --os-cloud d4s-pre security group create \`
			`--description "Limited HTTPs and public HTTP. For servers with public IP addresses that can be accessed from our VPN only" \`
			`"Limited HTTPS access"`
			`rules_to_delete=$(openstack --os-cloud d4s-pre security group show -c rules "Limited HTTPS access" \| grep egress \| awk -F id= '{ print $2 }' \| awk -F \' '{ print $2 }')`
			`if [ -n "$rules_to_delete" ] ; then`
			`for r in $(echo $rules_to_delete) ; do`
			`openstack --os-cloud d4s-pre security group rule delete $r`
			`done`
			`fi`

			`# HAPROXY, Prometheus, shell-jump: create VM with a fixed IP address so that we can statically define the security groups`
			`# HAPROXY L7 security group id: 20ff5149-54d6-49b4-b7e4-31fef6f08b3f`

			`dest_ports="8880 9999"`
			`for port in $dest_ports ; do`
			`openstack --os-cloud ${os_infra} security group rule create --ingress --protocol tcp --dst-port "$port" --remote-ip 10.1.30.180/32 20ff5149-54d6-49b4-b7e4-31fef6f08b3f`
			`openstack --os-cloud ${os_infra} security group rule create --ingress --protocol tcp --dst-port "$port" --remote-ip 10.1.29.161/32 20ff5149-54d6-49b4-b7e4-31fef6f08b3f`
			`done`