infrastructure-as-code/openstack-shell-scripts/d4s-preprod/10-security-groups.sh

71 lines
3.6 KiB
Bash

#!/usr/bin/env bash
. ./variables.sh
#
# Part of the security groups
#
# Remove the ingress rules from the default group
# openstack --os-cloud d4s-pre security group show default
rules_to_delete=
rules_to_delete=$(openstack --os-cloud d4s-pre security group show -c rules default | grep ingress | grep -v protocol | awk -F id= '{ print $2 }' | awk -F \' '{ print $2 }')
if [ -n "$rules_to_delete" ] ; then
for r in $(echo $rules_to_delete) ; do
openstack --os-cloud d4s-pre security group rule delete $r
done
fi
openstack --os-cloud d4s-pre security group rule create \
--description "Allow ICMP" --ingress --protocol icmp \
--remote-ip 0.0.0.0/0 default
openstack --os-cloud d4s-pre security group rule create \
--description "Prometheus node exporter" --ingress --protocol icmp \
--dst-port "9100" \
--remote-ip 10.1.32.0/22 default
# SSH access
openstack --os-cloud d4s-pre security group create \
--description "Access to the SSH Proxy Jump server" \
"Limited SSH access"
rules_to_delete=$(openstack --os-cloud d4s-pre security group show -c rules "Limited SSH access" | grep egress | awk -F id= '{ print $2 }' | awk -F \' '{ print $2 }')
if [ -n "$rules_to_delete" ] ; then
for r in $(echo $rules_to_delete) ; do
openstack --os-cloud d4s-pre security group rule delete $r
done
fi
openstack --os-cloud d4s-pre security group rule create \
--description "Access from S2I2S vpn 1" --ingress --protocol tcp --dst-port "22" \
--remote-ip 146.48.28.10/32 "Limited SSH access"
openstack --os-cloud d4s-pre security group rule create \
--description "Access from S2I2S vpn 2" --ingress --protocol tcp --dst-port "22" \
--remote-ip 146.48.28.11/32 "Limited SSH access"
openstack --os-cloud d4s-pre security group rule create \
--description "Access from D4Science VPN 1" --ingress --protocol tcp --dst-port "22" \
--remote-ip 146.48.122.27/32 "Limited SSH access"
openstack --os-cloud d4s-pre security group rule create \
--description "Access from D4Science VPN 2" --ingress --protocol tcp --dst-port "22" \
--remote-ip 146.48.122.49/32 "Limited SSH access"
openstack --os-cloud d4s-pre security group rule create \
--description "Access from shell.d4science.org" --ingress --protocol tcp --dst-port "22" \
--remote-ip 146.48.122.95/32 "Limited SSH access"
openstack --os-cloud d4s-pre security group rule create \
--description "SSH from the InfraScience Network (because masquerade on the Xen hypervisors)" --ingress --protocol tcp --dst-port "22" \
--remote-ip 146.48.122.0/23 "Limited SSH access"
# Limited HTTPS access
openstack --os-cloud d4s-pre security group create \
--description "Limited HTTPs and public HTTP. For servers with public IP addresses that can be accessed from our VPN only" \
"Limited HTTPS access"
rules_to_delete=$(openstack --os-cloud d4s-pre security group show -c rules "Limited HTTPS access" | grep egress | awk -F id= '{ print $2 }' | awk -F \' '{ print $2 }')
if [ -n "$rules_to_delete" ] ; then
for r in $(echo $rules_to_delete) ; do
openstack --os-cloud d4s-pre security group rule delete $r
done
fi
# HAPROXY, Prometheus, shell-jump: create VM with a fixed IP address so that we can statically define the security groups
# HAPROXY L7 security group id: 20ff5149-54d6-49b4-b7e4-31fef6f08b3f
dest_ports="8880 9999"
for port in $dest_ports ; do
openstack --os-cloud ${os_infra} security group rule create --ingress --protocol tcp --dst-port "$port" --remote-ip 10.1.30.180/32 20ff5149-54d6-49b4-b7e4-31fef6f08b3f
openstack --os-cloud ${os_infra} security group rule create --ingress --protocol tcp --dst-port "$port" --remote-ip 10.1.29.161/32 20ff5149-54d6-49b4-b7e4-31fef6f08b3f
done