Fix the restricted_web security group.

2023-11-09 20:16:08 +01:00 · 2023-11-09 20:16:08 +01:00 · e263dbb32f
parent f8633aca0e
commit e263dbb32f
1 changed files with 4 additions and 48 deletions
--- a/openstack-tf/common_setups/15-security-groups.tf
+++ b/openstack-tf/common_setups/15-security-groups.tf
@ -286,29 +286,18 @@ resource "openstack_networking_secgroup_rule_v2" "public_https" {
 resource "openstack_networking_secgroup_v2" "restricted_web" {
        name = "restricted_web_service"
        delete_default_rules = "true"
-        description = "Security group that restricts HTTP and HTTPS sources to the VPN nodes and shell.d4science.org"
+        description = "Security group that restricts HTTPS sources to the VPN nodes and shell.d4science.org. HTTP is open to all, because letsencrypt"
 }

-resource "openstack_networking_secgroup_rule_v2" "http_from_d4s_vpn_1" {
+resource "openstack_networking_secgroup_rule_v2" "http_from_everywhere" {
        security_group_id = openstack_networking_secgroup_v2.restricted_web.id
-        description = "Allow HTTP from D4Science VPN 1"
+        description = "Allow HTTP from everywhere"
        direction = "ingress"
        ethertype = "IPv4"
        protocol = "tcp"
        port_range_min = 80
        port_range_max = 80
-        remote_ip_prefix = var.ssh_sources.d4s_vpn_1_cidr
-}
-
-resource "openstack_networking_secgroup_rule_v2" "http_from_d4s_vpn_2" {
-        security_group_id = openstack_networking_secgroup_v2.restricted_web.id
-        description = "Allow HTTP from D4Science VPN 2"
-        direction = "ingress"
-        ethertype = "IPv4"
-        protocol = "tcp"
-        port_range_min = 80
-        port_range_max = 80
-        remote_ip_prefix = var.ssh_sources.d4s_vpn_2_cidr
+        remote_ip_prefix = "0.0.0.0/0"
 }

 resource "openstack_networking_secgroup_rule_v2" "https_from_d4s_vpn_1" {
@ -333,28 +322,6 @@ resource "openstack_networking_secgroup_rule_v2" "https_from_d4s_vpn_2" {
        remote_ip_prefix = var.ssh_sources.d4s_vpn_2_cidr
 }

-resource "openstack_networking_secgroup_rule_v2" "http_from_s2i2s_vpn_1" {
-        security_group_id = openstack_networking_secgroup_v2.restricted_web.id
-        description = "Allow HTTP from S2I2S VPN 1"
-        direction = "ingress"
-        ethertype = "IPv4"
-        protocol = "tcp"
-        port_range_min = 80
-        port_range_max = 80
-        remote_ip_prefix = var.ssh_sources.s2i2s_vpn_1_cidr
-}
-
-resource "openstack_networking_secgroup_rule_v2" "http_from_s2i2s_vpn_2" {
-        security_group_id = openstack_networking_secgroup_v2.restricted_web.id
-        description = "Allow HTTP from S2I2S VPN 2"
-        direction = "ingress"
-        ethertype = "IPv4"
-        protocol = "tcp"
-        port_range_min = 80
-        port_range_max = 80
-        remote_ip_prefix = var.ssh_sources.s2i2s_vpn_2_cidr
-}
-
 resource "openstack_networking_secgroup_rule_v2" "https_from_s2i2s_vpn_1" {
        security_group_id = openstack_networking_secgroup_v2.restricted_web.id
        description = "Allow HTTPS from S2I2S VPN 1"
@ -377,17 +344,6 @@ resource "openstack_networking_secgroup_rule_v2" "https_from_s2i2s_vpn_2" {
        remote_ip_prefix = var.ssh_sources.s2i2s_vpn_2_cidr
 }

-resource "openstack_networking_secgroup_rule_v2" "http_from_shell_d4s" {
-        security_group_id = openstack_networking_secgroup_v2.restricted_web.id
-        description = "Allow HTTP from shell.d4science.org"
-        direction = "ingress"
-        ethertype = "IPv4"
-        protocol = "tcp"
-        port_range_min = 80
-        port_range_max = 80
-        remote_ip_prefix = var.ssh_sources.shell_d4s_cidr
-}
-
 resource "openstack_networking_secgroup_rule_v2" "https_from_shell_d4s" {
        security_group_id = openstack_networking_secgroup_v2.restricted_web.id
        description = "Allow HTTPS from shell.d4science.org"