From 7deabd2633259352657045b4dcac1e8663629b40 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Wed, 17 Jul 2024 12:25:11 +0200
Subject: [PATCH] prod basic infrastructure: egress security group to reach postgresql.
---
 .../basic-infrastructure/terraform.tfstate | 126 +++++++++++++++++-
 .../d4science_infra_setup/postgresql.tf | 35 +++++
 2 files changed, 160 insertions(+), 1 deletion(-)
diff --git a/openstack-tf/d4s-production/basic-infrastructure/terraform.tfstate b/openstack-tf/d4s-production/basic-infrastructure/terraform.tfstate
index 72903c5..15481c1 100644
--- a/openstack-tf/d4s-production/basic-infrastructure/terraform.tfstate
+++ b/openstack-tf/d4s-production/basic-infrastructure/terraform.tfstate
@@ -1,7 +1,7 @@
 {
 "version": 4,
 "terraform_version": "1.7.5",
- "serial": 589,
+ "serial": 593,
 "lineage": "954b57a1-c68e-fa2b-cf2f-79cc54aea13e",
 "outputs": {
 "access_postgresql_security_group": {
@@ -5029,6 +5029,44 @@
 "map",
 "string"
 ]
+ },
+ "vm_access_to_the_shared_postgresql_server": {
+ "value": {
+ "all_tags": [],
+ "delete_default_rules": true,
+ "description": "Access to the shared PostgreSQL service from the port in the dedicated network",
+ "id": "10c993ac-ffc0-404f-892c-45d061dc073f",
+ "name": "vm_access_to_the_shared_postgresql_server",
+ "region": "isti_area_pi_1",
+ "tags": null,
+ "tenant_id": "1b45adf388934758b56d0dfdb4bfacf3",
+ "timeouts": null
+ },
+ "type": [
+ "object",
+ {
+ "all_tags": [
+ "set",
+ "string"
+ ],
+ "delete_default_rules": "bool",
+ "description": "string",
+ "id": "string",
+ "name": "string",
+ "region": "string",
+ "tags": [
+ "set",
+ "string"
+ ],
+ "tenant_id": "string",
+ "timeouts": [
+ "object",
+ {
+ "delete": "string"
+ }
+ ]
+ }
+ ]
 }
 },
 "resources": [
@@ -11417,6 +11455,37 @@
 }
 ]
 },
+ {
+ "mode": "managed",
+ "type": "openstack_networking_secgroup_rule_v2",
+ "name": "psql_egress_icmp",
+ "provider": "provider[\"registry.terraform.io/terraform-provider-openstack/openstack\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "description": "Allow ICMP to the postgresql server",
+ "direction": "egress",
+ "ethertype": "IPv4",
+ "id": "a4a9e4ad-7044-4a9d-8476-40fa895da18f",
+ "port_range_max": 0,
+ "port_range_min": 0,
+ "protocol": "icmp",
+ "region": "isti_area_pi_1",
+ "remote_group_id": "",
+ "remote_ip_prefix": "192.168.0.5/22",
+ "security_group_id": "10c993ac-ffc0-404f-892c-45d061dc073f",
+ "tenant_id": "1b45adf388934758b56d0dfdb4bfacf3",
+ "timeouts": null
+ },
+ "sensitive_attributes": [],
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiZGVsZXRlIjo2MDAwMDAwMDAwMDB9fQ==",
+ "dependencies": [
+ "openstack_networking_secgroup_v2.vm_access_to_the_shared_postgresql_server"
+ ]
+ }
+ ]
+ },
 {
 "mode": "managed",
 "type": "openstack_networking_secgroup_rule_v2",
@@ -11882,6 +11951,37 @@
 }
 ]
 },
+ {
+ "mode": "managed",
+ "type": "openstack_networking_secgroup_rule_v2",
+ "name": "vm_port_access_to_the_shared_postgresql_server",
+ "provider": "provider[\"registry.terraform.io/terraform-provider-openstack/openstack\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "description": "Allow connections to port 5432 of the postgresql server",
+ "direction": "egress",
+ "ethertype": "IPv4",
+ "id": "5b602eab-9555-419c-bf23-d1f0f61143a6",
+ "port_range_max": 5432,
+ "port_range_min": 5432,
+ "protocol": "tcp",
+ "region": "isti_area_pi_1",
+ "remote_group_id": "",
+ "remote_ip_prefix": "192.168.0.5/22",
+ "security_group_id": "10c993ac-ffc0-404f-892c-45d061dc073f",
+ "tenant_id": "1b45adf388934758b56d0dfdb4bfacf3",
+ "timeouts": null
+ },
+ "sensitive_attributes": [],
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiZGVsZXRlIjo2MDAwMDAwMDAwMDB9fQ==",
+ "dependencies": [
+ "openstack_networking_secgroup_v2.vm_access_to_the_shared_postgresql_server"
+ ]
+ }
+ ]
+ },
 {
 "mode": "managed",
 "type": "openstack_networking_secgroup_v2",
@@ -12146,6 +12246,30 @@
 }
 ]
 },
+ {
+ "mode": "managed",
+ "type": "openstack_networking_secgroup_v2",
+ "name": "vm_access_to_the_shared_postgresql_server",
+ "provider": "provider[\"registry.terraform.io/terraform-provider-openstack/openstack\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "all_tags": [],
+ "delete_default_rules": true,
+ "description": "Access to the shared PostgreSQL service from the port in the dedicated network",
+ "id": "10c993ac-ffc0-404f-892c-45d061dc073f",
+ "name": "vm_access_to_the_shared_postgresql_server",
+ "region": "isti_area_pi_1",
+ "tags": null,
+ "tenant_id": "1b45adf388934758b56d0dfdb4bfacf3",
+ "timeouts": null
+ },
+ "sensitive_attributes": [],
+ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiZGVsZXRlIjo2MDAwMDAwMDAwMDB9fQ=="
+ }
+ ]
+ },
 {
 "mode": "managed",
 "type": "openstack_networking_subnet_v2",
diff --git a/openstack-tf/modules/d4science_infra_setup/postgresql.tf b/openstack-tf/modules/d4science_infra_setup/postgresql.tf
index 8c3d7f8..bffc957 100644
--- a/openstack-tf/modules/d4science_infra_setup/postgresql.tf
+++ b/openstack-tf/modules/d4science_infra_setup/postgresql.tf
@@ -29,6 +29,8 @@ resource "openstack_networking_subnet_v2" "shared_postgresql_subnet" {
 }

 # Security group
+#
+# Ingress to the Postgresql port
 resource "openstack_networking_secgroup_v2" "shared_postgresql_access" {
 name = "access_to_the_shared_postgresql_service"
 delete_default_rules = "true"
@@ -46,6 +48,35 @@ resource "openstack_networking_secgroup_rule_v2" "shared_postgresql_access_from_
 remote_ip_prefix = var.shared_postgresql_server_data.network_cidr
 }

+# Security group
+#
+# Egress, from the VM port to the postgresql IP
+resource "openstack_networking_secgroup_v2" "vm_access_to_the_shared_postgresql_server" {
+ name = "vm_access_to_the_shared_postgresql_server"
+ delete_default_rules = "true"
+ description = "Access to the shared PostgreSQL service from the port in the dedicated network"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "vm_port_access_to_the_shared_postgresql_server" {
+ security_group_id = openstack_networking_secgroup_v2.vm_access_to_the_shared_postgresql_server.id
+ description = "Allow connections to port 5432 of the postgresql server"
+ direction = "egress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 5432
+ port_range_max = 5432
+ remote_ip_prefix = var.shared_postgresql_server_data.server_cidr
+}
+
+resource "openstack_networking_secgroup_rule_v2" "psql_egress_icmp" {
+ security_group_id = openstack_networking_secgroup_v2.vm_access_to_the_shared_postgresql_server.id
+ description = "Allow ICMP to the postgresql server"
+ direction = "egress"
+ ethertype = "IPv4"
+ protocol = "icmp"
+ remote_ip_prefix = var.shared_postgresql_server_data.server_cidr
+}
+
 # Block device
 resource "openstack_blockstorage_volume_v3" "shared_postgresql_data_vol" {
 name = var.shared_postgresql_server_data.vol_data_name
@@ -103,3 +134,7 @@ output "shared_postgresql_subnet_data" {
 value = openstack_networking_subnet_v2.shared_postgresql_subnet
 }

+output "vm_access_to_the_shared_postgresql_server" {
+ value = openstack_networking_secgroup_v2.vm_access_to_the_shared_postgresql_server
+}
+
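Review bot: `remote_ip_prefix = var.shared_postgresql_server_data.server_cidr` on both new egress rules is described as reaching "the postgresql server", yet the tfstate hunks in this same patch record the resolved value as `192.168.0.5/22`, a host address with a /22 mask, which (whether or not Neutron normalises the host bits) admits a 1024-address range rather than one host. If a single server is intended, the variable should carry a /32 so the rule matches its description; if the whole subnet is intended, the descriptions should say so. The `psql_egress_icmp` rule leaves `port_range_min`/`port_range_max` unset, which allows every ICMP type and code; limiting it to echo request (`port_range_min = 8`, `port_range_max = 0`) keeps it to the reachability check the comment implies. Minor: `delete_default_rules = "true"` is a quoted string for a bool argument — `true` is the idiomatic form, though the existing `shared_postgresql_access` group above uses the same spelling.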