prod basic infrastructure: egress security group to reach postgresql.

2024-07-17 12:25:11 +02:00 · 2024-07-17 12:25:11 +02:00 · 7deabd2633
parent 4980f0ca33
commit 7deabd2633
2 changed files with 160 additions and 1 deletions
--- a/openstack-tf/d4s-production/basic-infrastructure/terraform.tfstate
+++ b/openstack-tf/d4s-production/basic-infrastructure/terraform.tfstate
@ -1,7 +1,7 @@
 {
  "version": 4,
  "terraform_version": "1.7.5",
-  "serial": 589,
+  "serial": 593,
  "lineage": "954b57a1-c68e-fa2b-cf2f-79cc54aea13e",
  "outputs": {
    "access_postgresql_security_group": {
@ -5029,6 +5029,44 @@
        "map",
        "string"
      ]
+    },
+    "vm_access_to_the_shared_postgresql_server": {
+      "value": {
+        "all_tags": [],
+        "delete_default_rules": true,
+        "description": "Access to the shared PostgreSQL service from the port in the dedicated network",
+        "id": "10c993ac-ffc0-404f-892c-45d061dc073f",
+        "name": "vm_access_to_the_shared_postgresql_server",
+        "region": "isti_area_pi_1",
+        "tags": null,
+        "tenant_id": "1b45adf388934758b56d0dfdb4bfacf3",
+        "timeouts": null
+      },
+      "type": [
+        "object",
+        {
+          "all_tags": [
+            "set",
+            "string"
+          ],
+          "delete_default_rules": "bool",
+          "description": "string",
+          "id": "string",
+          "name": "string",
+          "region": "string",
+          "tags": [
+            "set",
+            "string"
+          ],
+          "tenant_id": "string",
+          "timeouts": [
+            "object",
+            {
+              "delete": "string"
+            }
+          ]
+        }
+      ]
    }
  },
  "resources": [
@ -11417,6 +11455,37 @@
        }
      ]
    },
+    {
+      "mode": "managed",
+      "type": "openstack_networking_secgroup_rule_v2",
+      "name": "psql_egress_icmp",
+      "provider": "provider[\"registry.terraform.io/terraform-provider-openstack/openstack\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "description": "Allow ICMP to the postgresql server",
+            "direction": "egress",
+            "ethertype": "IPv4",
+            "id": "a4a9e4ad-7044-4a9d-8476-40fa895da18f",
+            "port_range_max": 0,
+            "port_range_min": 0,
+            "protocol": "icmp",
+            "region": "isti_area_pi_1",
+            "remote_group_id": "",
+            "remote_ip_prefix": "192.168.0.5/22",
+            "security_group_id": "10c993ac-ffc0-404f-892c-45d061dc073f",
+            "tenant_id": "1b45adf388934758b56d0dfdb4bfacf3",
+            "timeouts": null
+          },
+          "sensitive_attributes": [],
+          "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiZGVsZXRlIjo2MDAwMDAwMDAwMDB9fQ==",
+          "dependencies": [
+            "openstack_networking_secgroup_v2.vm_access_to_the_shared_postgresql_server"
+          ]
+        }
+      ]
+    },
    {
      "mode": "managed",
      "type": "openstack_networking_secgroup_rule_v2",
@ -11882,6 +11951,37 @@
        }
      ]
    },
+    {
+      "mode": "managed",
+      "type": "openstack_networking_secgroup_rule_v2",
+      "name": "vm_port_access_to_the_shared_postgresql_server",
+      "provider": "provider[\"registry.terraform.io/terraform-provider-openstack/openstack\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "description": "Allow connections to port 5432 of the postgresql server",
+            "direction": "egress",
+            "ethertype": "IPv4",
+            "id": "5b602eab-9555-419c-bf23-d1f0f61143a6",
+            "port_range_max": 5432,
+            "port_range_min": 5432,
+            "protocol": "tcp",
+            "region": "isti_area_pi_1",
+            "remote_group_id": "",
+            "remote_ip_prefix": "192.168.0.5/22",
+            "security_group_id": "10c993ac-ffc0-404f-892c-45d061dc073f",
+            "tenant_id": "1b45adf388934758b56d0dfdb4bfacf3",
+            "timeouts": null
+          },
+          "sensitive_attributes": [],
+          "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiZGVsZXRlIjo2MDAwMDAwMDAwMDB9fQ==",
+          "dependencies": [
+            "openstack_networking_secgroup_v2.vm_access_to_the_shared_postgresql_server"
+          ]
+        }
+      ]
+    },
    {
      "mode": "managed",
      "type": "openstack_networking_secgroup_v2",
@ -12146,6 +12246,30 @@
        }
      ]
    },
+    {
+      "mode": "managed",
+      "type": "openstack_networking_secgroup_v2",
+      "name": "vm_access_to_the_shared_postgresql_server",
+      "provider": "provider[\"registry.terraform.io/terraform-provider-openstack/openstack\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "all_tags": [],
+            "delete_default_rules": true,
+            "description": "Access to the shared PostgreSQL service from the port in the dedicated network",
+            "id": "10c993ac-ffc0-404f-892c-45d061dc073f",
+            "name": "vm_access_to_the_shared_postgresql_server",
+            "region": "isti_area_pi_1",
+            "tags": null,
+            "tenant_id": "1b45adf388934758b56d0dfdb4bfacf3",
+            "timeouts": null
+          },
+          "sensitive_attributes": [],
+          "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiZGVsZXRlIjo2MDAwMDAwMDAwMDB9fQ=="
+        }
+      ]
+    },
    {
      "mode": "managed",
      "type": "openstack_networking_subnet_v2",
--- a/openstack-tf/modules/d4science_infra_setup/postgresql.tf
+++ b/openstack-tf/modules/d4science_infra_setup/postgresql.tf
@ -29,6 +29,8 @@ resource "openstack_networking_subnet_v2" "shared_postgresql_subnet" {
 }

 # Security group
+#
+# Ingress to the Postgresql port
 resource "openstack_networking_secgroup_v2" "shared_postgresql_access" {
  name                 = "access_to_the_shared_postgresql_service"
  delete_default_rules = "true"
@ -46,6 +48,35 @@ resource "openstack_networking_secgroup_rule_v2" "shared_postgresql_access_from_
  remote_ip_prefix  = var.shared_postgresql_server_data.network_cidr
 }

+# Security group
+#
+# Egress, from the VM port to the postgresql IP 
+resource "openstack_networking_secgroup_v2" "vm_access_to_the_shared_postgresql_server" {
+  name                 = "vm_access_to_the_shared_postgresql_server"
+  delete_default_rules = "true"
+  description          = "Access to the shared PostgreSQL service from the port in the dedicated network"
+}
+
+resource "openstack_networking_secgroup_rule_v2" "vm_port_access_to_the_shared_postgresql_server" {
+  security_group_id = openstack_networking_secgroup_v2.vm_access_to_the_shared_postgresql_server.id
+  description       = "Allow connections to port 5432 of the postgresql server"
+  direction         = "egress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 5432
+  port_range_max    = 5432
+  remote_ip_prefix  = var.shared_postgresql_server_data.server_cidr
+}
+
+resource "openstack_networking_secgroup_rule_v2" "psql_egress_icmp" {
+  security_group_id = openstack_networking_secgroup_v2.vm_access_to_the_shared_postgresql_server.id
+  description       = "Allow ICMP to the postgresql server"
+  direction         = "egress"
+  ethertype         = "IPv4"
+  protocol          = "icmp"
+  remote_ip_prefix  = var.shared_postgresql_server_data.server_cidr
+}
+
 # Block device
 resource "openstack_blockstorage_volume_v3" "shared_postgresql_data_vol" {
  name = var.shared_postgresql_server_data.vol_data_name
@ -103,3 +134,7 @@ output "shared_postgresql_subnet_data" {
  value = openstack_networking_subnet_v2.shared_postgresql_subnet
 }

+output "vm_access_to_the_shared_postgresql_server" {
+  value = openstack_networking_secgroup_v2.vm_access_to_the_shared_postgresql_server
+}
+