add firewall mgmt on simple-nva module

bruzzechesse 2023-03-27 09:54:01 +02:00
parent 987ea34d93
commit 021fb84765
3 changed files with 37 additions and 20 deletions


@ -54,6 +54,9 @@ write_files:
%{ for route in interface.routes ~} %{ for route in interface.routes ~}
ip route add ${route} via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/${interface.number}/gateway -H "Metadata-Flavor:Google"` dev ${interface.name} ip route add ${route} via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/${interface.number}/gateway -H "Metadata-Flavor:Google"` dev ${interface.name}
%{ endfor ~} %{ endfor ~}
%{ for port in firewall_open_ports ~}
iptables -A INPUT -p all --dport ${port} -j ACCEPT
%{ endfor ~}
%{ endfor ~} %{ endfor ~}
bootcmd: bootcmd:
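Review bot: The added rule `iptables -A INPUT -p all --dport ${port} -j ACCEPT` will be rejected at boot, because `--dport` is a match option of the tcp/udp (and sctp/dccp) protocol modules and is not accepted when the protocol is `all`; until the port list carries its protocol, each port needs a protocol-specific rule such as `iptables -A INPUT -p tcp --dport ${port} -j ACCEPT` and `iptables -A INPUT -p udp --dport ${port} -j ACCEPT`. The new loop also appears to sit inside the per-interface loop closed by the `%{ endfor ~}` that follows it, so the same rules are appended once per interface without being scoped with `-i ${interface.name}`; either move the loop outside that block or add the interface match so the opening is limited to the interface that needs it. Whether appended ACCEPT rules take effect at all depends on what already sits in INPUT, which is outside this hunk.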


@ -67,32 +67,39 @@ locals {
} : {} } : {}
) )
_frr_daemons = [ _frr_daemons = {
"zebra", "zebra": []
"bgpd", "bgpd": ["179"]
"ospfd", "ospfd": []
"ospf6d", "ospf6d": []
"ripd", "ripd": ["520"]
"ripngd", "ripngd": ["521"]
"isisd", "isisd": []
"pimd", "pimd": []
"ldpd", "ldpd": ["646"]
"nhrpd", "nhrpd": []
"eigrpd", "eigrpd" : []
"babeld", "babeld": []
"sharpd", "sharpd": []
"staticd", "staticd": []
"pbrd", "pbrd": []
"bfdd", "bfdd": ["3784"]
"fabricd" "fabricd": []
] }
_frr_daemons_enabled = try( _frr_daemons_enabled = try(
{ {
for daemon in local._frr_daemons : for daemon in keys(local._frr_daemons) :
"${daemon}_enabled" => contains(var.frr_config.daemons_enabled, daemon) ? "yes" : "no" "${daemon}_enabled" => contains(var.frr_config.daemons_enabled, daemon) ? "yes" : "no"
}, {}) }, {})
_frr_required_ports = try(
[
for daemon, ports in local._frr_daemons : contains(var.frr_config.daemons_enabled, daemon) ? ports : []
], [])
_local_firewall_ports = concat(var.optional_firewall_open_ports, flatten(local._frr_required_ports))
_network_interfaces = [ _network_interfaces = [
for index, interface in var.network_interfaces : { for index, interface in var.network_interfaces : {
name = "eth${index}" name = "eth${index}"
@ -118,6 +125,7 @@ locals {
cloud_config = templatefile(local._template, { cloud_config = templatefile(local._template, {
enable_health_checks = var.enable_health_checks enable_health_checks = var.enable_health_checks
files = local._files files = local._files
firewall_open_ports = local._local_firewall_ports
network_interfaces = local._network_interfaces network_interfaces = local._network_interfaces
optional_run_cmds = local._optional_run_cmds optional_run_cmds = local._optional_run_cmds
}) })
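Review bot: `_local_firewall_ports` concatenates the user-supplied list with the FRR-derived ports without deduplicating, so a port present both in `optional_firewall_open_ports` and in an enabled daemon's entry produces duplicate iptables rules in the rendered template; `_local_firewall_ports = distinct(concat(var.optional_firewall_open_ports, flatten(local._frr_required_ports)))` avoids that. The `_frr_daemons` map now records only port numbers, so a consumer cannot tell that 179 (BGP) is TCP while 520, 521 and 3784 are UDP — a comment above the map such as `# daemon => ports that must be reachable on the local firewall when the daemon is enabled; the protocol is not recorded` would make that limitation explicit. The spacing in `"eigrpd" : []` differs from the other entries. The `locals` block starts before and ends after this hunk.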


@ -86,3 +86,9 @@ variable "optional_run_cmds" {
type = list(string) type = list(string)
default = [] default = []
} }
variable "optional_firewall_open_ports" {
description = "Optional Ports to be opened on the local firewall."
type = list(string)
default = []
}
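Review bot: `optional_firewall_open_ports` is interpolated unquoted into a shell command in the cloud-init template, yet nothing constrains its values to port numbers, so a malformed entry fails only at instance boot (or is passed through to the shell as-is). A `validation` block that accepts only integers in 1–65535 reports the problem at plan time instead, if the module's required Terraform version permits it; the `try()` already used in this file keeps the condition safe for non-numeric strings. The description could also state that entries are port numbers given as strings and that the same port is opened for TCP and UDP, or whatever protocol handling the template settles on.
```hcl
variable "optional_firewall_open_ports" {
  description = "Optional Ports to be opened on the local firewall."
  type        = list(string)
  default     = []
  validation {
    condition = alltrue([
      for p in var.optional_firewall_open_ports :
      try(tonumber(p) >= 1 && tonumber(p) <= 65535 && floor(tonumber(p)) == tonumber(p), false)
    ])
    error_message = "Each entry must be a port number between 1 and 65535."
  }
}
```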