Fix the restricted_web security group.

Andrea Dell'Amico 2023-11-09 20:16:08 +01:00
parent f8633aca0e
commit e263dbb32f
Signed by untrusted user: andrea.dellamico
GPG Key ID: 147ABE6CEB9E20FF
1 changed files with 4 additions and 48 deletions


@ -286,29 +286,18 @@ resource "openstack_networking_secgroup_rule_v2" "public_https" {
resource "openstack_networking_secgroup_v2" "restricted_web" { resource "openstack_networking_secgroup_v2" "restricted_web" {
name = "restricted_web_service" name = "restricted_web_service"
delete_default_rules = "true" delete_default_rules = "true"
description = "Security group that restricts HTTP and HTTPS sources to the VPN nodes and shell.d4science.org" description = "Security group that restricts HTTPS sources to the VPN nodes and shell.d4science.org. HTTP is open to all, because letsencrypt"
} }
resource "openstack_networking_secgroup_rule_v2" "http_from_d4s_vpn_1" { resource "openstack_networking_secgroup_rule_v2" "http_from_everywhere" {
security_group_id = openstack_networking_secgroup_v2.restricted_web.id security_group_id = openstack_networking_secgroup_v2.restricted_web.id
description = "Allow HTTP from D4Science VPN 1" description = "Allow HTTP from everywhere"
direction = "ingress" direction = "ingress"
ethertype = "IPv4" ethertype = "IPv4"
protocol = "tcp" protocol = "tcp"
port_range_min = 80 port_range_min = 80
port_range_max = 80 port_range_max = 80
remote_ip_prefix = var.ssh_sources.d4s_vpn_1_cidr remote_ip_prefix = "0.0.0.0/0"
}
resource "openstack_networking_secgroup_rule_v2" "http_from_d4s_vpn_2" {
security_group_id = openstack_networking_secgroup_v2.restricted_web.id
description = "Allow HTTP from D4Science VPN 2"
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = 80
port_range_max = 80
remote_ip_prefix = var.ssh_sources.d4s_vpn_2_cidr
} }
resource "openstack_networking_secgroup_rule_v2" "https_from_d4s_vpn_1" { resource "openstack_networking_secgroup_rule_v2" "https_from_d4s_vpn_1" {
@ -333,28 +322,6 @@ resource "openstack_networking_secgroup_rule_v2" "https_from_d4s_vpn_2" {
remote_ip_prefix = var.ssh_sources.d4s_vpn_2_cidr remote_ip_prefix = var.ssh_sources.d4s_vpn_2_cidr
} }
resource "openstack_networking_secgroup_rule_v2" "http_from_s2i2s_vpn_1" {
security_group_id = openstack_networking_secgroup_v2.restricted_web.id
description = "Allow HTTP from S2I2S VPN 1"
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = 80
port_range_max = 80
remote_ip_prefix = var.ssh_sources.s2i2s_vpn_1_cidr
}
resource "openstack_networking_secgroup_rule_v2" "http_from_s2i2s_vpn_2" {
security_group_id = openstack_networking_secgroup_v2.restricted_web.id
description = "Allow HTTP from S2I2S VPN 2"
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = 80
port_range_max = 80
remote_ip_prefix = var.ssh_sources.s2i2s_vpn_2_cidr
}
resource "openstack_networking_secgroup_rule_v2" "https_from_s2i2s_vpn_1" { resource "openstack_networking_secgroup_rule_v2" "https_from_s2i2s_vpn_1" {
security_group_id = openstack_networking_secgroup_v2.restricted_web.id security_group_id = openstack_networking_secgroup_v2.restricted_web.id
description = "Allow HTTPS from S2I2S VPN 1" description = "Allow HTTPS from S2I2S VPN 1"
@ -377,17 +344,6 @@ resource "openstack_networking_secgroup_rule_v2" "https_from_s2i2s_vpn_2" {
remote_ip_prefix = var.ssh_sources.s2i2s_vpn_2_cidr remote_ip_prefix = var.ssh_sources.s2i2s_vpn_2_cidr
} }
resource "openstack_networking_secgroup_rule_v2" "http_from_shell_d4s" {
security_group_id = openstack_networking_secgroup_v2.restricted_web.id
description = "Allow HTTP from shell.d4science.org"
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = 80
port_range_max = 80
remote_ip_prefix = var.ssh_sources.shell_d4s_cidr
}
resource "openstack_networking_secgroup_rule_v2" "https_from_shell_d4s" { resource "openstack_networking_secgroup_rule_v2" "https_from_shell_d4s" {
security_group_id = openstack_networking_secgroup_v2.restricted_web.id security_group_id = openstack_networking_secgroup_v2.restricted_web.id
description = "Allow HTTPS from shell.d4science.org" description = "Allow HTTPS from shell.d4science.org"