From e263dbb32fbcaa282bd00db9a633c2ed078b8d04 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Thu, 9 Nov 2023 20:16:08 +0100
Subject: [PATCH] Fix the restricted_web security group.

---
 .../common_setups/15-security-groups.tf | 52 ++-----------------
 1 file changed, 4 insertions(+), 48 deletions(-)

diff --git a/openstack-tf/common_setups/15-security-groups.tf b/openstack-tf/common_setups/15-security-groups.tf
index 9c7f8538..8eb1875c 100644
--- a/openstack-tf/common_setups/15-security-groups.tf
+++ b/openstack-tf/common_setups/15-security-groups.tf
@@ -286,29 +286,18 @@ resource "openstack_networking_secgroup_rule_v2" "public_https" {
 resource "openstack_networking_secgroup_v2" "restricted_web" {
   name = "restricted_web_service"
   delete_default_rules = "true"
-  description = "Security group that restricts HTTP and HTTPS sources to the VPN nodes and shell.d4science.org"
+  description = "Security group that restricts HTTPS sources to the VPN nodes and shell.d4science.org. HTTP is open to all, because letsencrypt"
 }
 
-resource "openstack_networking_secgroup_rule_v2" "http_from_d4s_vpn_1" {
+resource "openstack_networking_secgroup_rule_v2" "http_from_everywhere" {
   security_group_id = openstack_networking_secgroup_v2.restricted_web.id
-  description = "Allow HTTP from D4Science VPN 1"
+  description = "Allow HTTP from everywhere"
   direction = "ingress"
   ethertype = "IPv4"
   protocol = "tcp"
   port_range_min = 80
   port_range_max = 80
-  remote_ip_prefix = var.ssh_sources.d4s_vpn_1_cidr
-}
-
-resource "openstack_networking_secgroup_rule_v2" "http_from_d4s_vpn_2" {
-  security_group_id = openstack_networking_secgroup_v2.restricted_web.id
-  description = "Allow HTTP from D4Science VPN 2"
-  direction = "ingress"
-  ethertype = "IPv4"
-  protocol = "tcp"
-  port_range_min = 80
-  port_range_max = 80
-  remote_ip_prefix = var.ssh_sources.d4s_vpn_2_cidr
+  remote_ip_prefix = "0.0.0.0/0"
 }
 
 resource "openstack_networking_secgroup_rule_v2" "https_from_d4s_vpn_1" {
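Review bot: The new `http_from_everywhere` rule opens port 80 of the `restricted_web_service` group to `0.0.0.0/0`, so the group's source restriction now holds for HTTPS only, while the new description stops mid-sentence at `because letsencrypt` and does not record what keeps that exposure narrow. If the reason is the ACME HTTP-01 challenge, inbound 80 from arbitrary addresses is indeed required, but the hosts in this group should then serve only `/.well-known/acme-challenge/` on port 80 and redirect everything else to 443 (a DNS-01 challenge would let port 80 stay limited to the VPN sources); that expectation belongs in the description, e.g. `description = "Security group that restricts HTTPS sources to the VPN nodes and shell.d4science.org. HTTP is open to all because Let's Encrypt HTTP-01 validation arrives from arbitrary addresses; member hosts must serve only the ACME challenge path on port 80"`. The later hunks that drop the VPN and shell HTTP rules are consistent with this, since the `0.0.0.0/0` rule subsumes them, so nothing further is needed there.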
@@ -333,28 +322,6 @@ resource "openstack_networking_secgroup_rule_v2" "https_from_d4s_vpn_2" {
   remote_ip_prefix = var.ssh_sources.d4s_vpn_2_cidr
 }
 
-resource "openstack_networking_secgroup_rule_v2" "http_from_s2i2s_vpn_1" {
-  security_group_id = openstack_networking_secgroup_v2.restricted_web.id
-  description = "Allow HTTP from S2I2S VPN 1"
-  direction = "ingress"
-  ethertype = "IPv4"
-  protocol = "tcp"
-  port_range_min = 80
-  port_range_max = 80
-  remote_ip_prefix = var.ssh_sources.s2i2s_vpn_1_cidr
-}
-
-resource "openstack_networking_secgroup_rule_v2" "http_from_s2i2s_vpn_2" {
-  security_group_id = openstack_networking_secgroup_v2.restricted_web.id
-  description = "Allow HTTP from S2I2S VPN 2"
-  direction = "ingress"
-  ethertype = "IPv4"
-  protocol = "tcp"
-  port_range_min = 80
-  port_range_max = 80
-  remote_ip_prefix = var.ssh_sources.s2i2s_vpn_2_cidr
-}
-
 resource "openstack_networking_secgroup_rule_v2" "https_from_s2i2s_vpn_1" {
   security_group_id = openstack_networking_secgroup_v2.restricted_web.id
   description = "Allow HTTPS from S2I2S VPN 1"
@@ -377,17 +344,6 @@ resource "openstack_networking_secgroup_rule_v2" "https_from_s2i2s_vpn_2" {
   remote_ip_prefix = var.ssh_sources.s2i2s_vpn_2_cidr
 }
 
-resource "openstack_networking_secgroup_rule_v2" "http_from_shell_d4s" {
-  security_group_id = openstack_networking_secgroup_v2.restricted_web.id
-  description = "Allow HTTP from shell.d4science.org"
-  direction = "ingress"
-  ethertype = "IPv4"
-  protocol = "tcp"
-  port_range_min = 80
-  port_range_max = 80
-  remote_ip_prefix = var.ssh_sources.shell_d4s_cidr
-}
-
 resource "openstack_networking_secgroup_rule_v2" "https_from_shell_d4s" {
   security_group_id = openstack_networking_secgroup_v2.restricted_web.id
   description = "Allow HTTPS from shell.d4science.org"