add firewall mgmt on simple-nva module

2023-03-27 09:54:01 +02:00 · 2023-03-27 09:54:01 +02:00 · 021fb84765
parent 987ea34d93
commit 021fb84765
3 changed files with 37 additions and 20 deletions
--- a/modules/cloud-config-container/simple-nva/cloud-config.yaml
+++ b/modules/cloud-config-container/simple-nva/cloud-config.yaml
@ -54,6 +54,9 @@ write_files:
 %{ for route in interface.routes ~}
      ip route add ${route} via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/${interface.number}/gateway -H "Metadata-Flavor:Google"` dev ${interface.name}
 %{ endfor ~}
+%{ for port in firewall_open_ports ~}
+      iptables -A INPUT -p all --dport ${port} -j ACCEPT
+%{ endfor ~}
 %{ endfor ~}

 bootcmd:
--- a/modules/cloud-config-container/simple-nva/main.tf
+++ b/modules/cloud-config-container/simple-nva/main.tf
@ -67,32 +67,39 @@ locals {
    } : {}
  )

-  _frr_daemons = [
-    "zebra",
-    "bgpd",
-    "ospfd",
-    "ospf6d",
-    "ripd",
-    "ripngd",
-    "isisd",
-    "pimd",
-    "ldpd",
-    "nhrpd",
-    "eigrpd",
-    "babeld",
-    "sharpd",
-    "staticd",
-    "pbrd",
-    "bfdd",
-    "fabricd"
-  ]
+  _frr_daemons = {
+    "zebra": []
+    "bgpd": ["179"]
+    "ospfd": []
+    "ospf6d": []
+    "ripd": ["520"]
+    "ripngd": ["521"]
+    "isisd": []
+    "pimd": []
+    "ldpd": ["646"]
+    "nhrpd": []
+    "eigrpd" : []
+    "babeld": []
+    "sharpd": []
+    "staticd": []
+    "pbrd": []
+    "bfdd": ["3784"]
+    "fabricd": []
+  }

  _frr_daemons_enabled = try(
    {
-      for daemon in local._frr_daemons :
+      for daemon in keys(local._frr_daemons) :
      "${daemon}_enabled" => contains(var.frr_config.daemons_enabled, daemon) ? "yes" : "no"
  }, {})

+  _frr_required_ports = try(
+    [
+      for daemon, ports in local._frr_daemons : contains(var.frr_config.daemons_enabled, daemon) ? ports : []
+    ], [])
+
+  _local_firewall_ports = concat(var.optional_firewall_open_ports, flatten(local._frr_required_ports))
+
  _network_interfaces = [
    for index, interface in var.network_interfaces : {
      name                = "eth${index}"
@ -118,6 +125,7 @@ locals {
  cloud_config = templatefile(local._template, {
    enable_health_checks = var.enable_health_checks
    files                = local._files
+    firewall_open_ports  = local._local_firewall_ports
    network_interfaces   = local._network_interfaces
    optional_run_cmds    = local._optional_run_cmds
  })
--- a/modules/cloud-config-container/simple-nva/variables.tf
+++ b/modules/cloud-config-container/simple-nva/variables.tf
@ -86,3 +86,9 @@ variable "optional_run_cmds" {
  type        = list(string)
  default     = []
 }
+
+variable "optional_firewall_open_ports" {
+  description = "Optional Ports to be opened on the local firewall."
+  type        = list(string)
+  default     = []
+}