direction hande cybersecurity incidents within metacentrum cloud

clouds/g1/brno/security_incidents/.gitignore

+terraform/.terraform
+terraform/*.auto.tfvars
+terraform/*.tfoverride
+terraform/.terraformrc
+terraform/terraform.rc
+terraform/.terraform.lock.hcl
+terraform/*.plan
+terraform/*.tfplan
+terraform/*.tfstate
+terraform/*.tfstate.backup

clouds/g1/brno/security_incidents/README.md

+# Security incidents in e-INFRA / MetaCentrum Cloud 
+This document describes details of process when CyberSecurity incidents is detected in the MetaCentrum Cloud.
+
+## Workflow
+
+![metacentrum_cloud_incidents.drawio.png](images/metacentrum_cloud_incidents.drawio.png)
+
+
+The MetaCentrum Security team detects suspicious VM and creates ticket in the RT instance `rt.cesnet.cz`, queue `cloud` and specifies actions to be taken by the MetaCentrum Cloud team including
+  - provide identity of the VM owner  
+  - share snapshot of the VM
+  - instruction how to address the VM further (stop, keep, etc)
+
+MetaCentrum Security handles communication with the user - owner of the Openstack project where the VM originates from. 
+
+Cloud team transfers the VM snapshot into Openstack project `meta-cloud-metac_sec-cerit_sec`. Access to this project is granted via Perun groups `meta-cloud-admins` (Cloud team) and `meta-sec` (Security team). [Available automation](https://gitlab.ics.muni.cz/cloud/g2/openstack-infrastructure-as-code-automation/clouds/g1/brno/security-incidents):
+
+  - `acquire_snapshot_and_create_volume_transfer.sh <THE_ORIGINAL_VM_VOLUME_ID>`
+  - `accept_volume_transfer.sh <VOLUME_TRANSFER_ID>` => results in a new volume with id shared with the Security team. 
+
+MetaCentrum Security runs a new VM with the new volume attached (not mounted). The VM can be accessed by a private key which is complementary to the provided public key passed in. 
+ - `run_vm_with_attached_volume.sh <VOLUME_ID> <SSH_PUB_KEY_LOCATION>`
+
+MetaCentrum Security cleans up the resources
+- `destroy_the_vm.sh`
+
+
+#### The provided automation requires following to be in place
+| Script                                           | Requires                                                                                                                               |
+|--------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|
+| `acquire_snapshot_and_create_volume_transfer.sh` | bash, [openstack-cli](https://docs.openstack.org/ocata/user-guide/cli.html), Application credentials (`admin`)                         |
+| `accept_volume_transfer.sh`                      | bash, [openstack-cli](https://docs.openstack.org/ocata/user-guide/cli.html), Application credentials (`meta-cloud-metac_sec-cerit_sec`)|
+| `run_vm_with_attached_volume.sh`                 | bash, [terraform](https://www.terraform.io), Application credentials (`meta-cloud-metac_sec-cerit_sec`)                                |      
+| `destroy_the_vm.sh`                              | bash, [terraform](https://www.terraform.io), Application credentials (`meta-cloud-metac_sec-cerit_sec`)                                |

clouds/g1/brno/security_incidents/accept_volume_transfer.sh

+#!/bin/bash
+set -e
+
+### USAGE: accept_volume_transfer.sh <LOCATION_OF_VOLUME_TRANSFER_DESCRIPTOR>
+
+THIS_SCRIPT_LOCATION=$(dirname "$(realpath -s "$0")")
+
+read -p "Ensure that Application Credentials for target Openstack project have been sourced. Press ENTER to continue."
+
+VOLUME_TRANSFER_DETAILS=$(cat "$1" | jq -r '.id + "," + .auth_key')
+VOLUME_TRANSFER_ID=$(echo $VOLUME_TRANSFER_DETAILS | awk -F ',' '{print $1}')
+VOLUME_TRANSFER_SECRET=$(echo $VOLUME_TRANSFER_DETAILS | awk -F ',' '{print $2}')
+
+echo $VOLUME_TRANSFER_ID
+echo $VOLUME_TRANSFER_SECRET
+
+VOLUME_ID=$(openstack volume transfer request accept \
+  --auth-key ${VOLUME_TRANSFER_SECRET} \
+  ${VOLUME_TRANSFER_ID} -c volume_id -f value)
+
+echo "Transfer ${VOLUME_TRANSFER_ID} completed. The volume id ${VOLUME_ID} can be attached to a VM"

clouds/g1/brno/security_incidents/acquire_snapshot_and_create_volume_transfer.sh

+#!/bin/bash
+set -eo pipefail
+
+###
+### This script acquires snapshot of given volume (VOLUME_ID) and initiates transfer so users of a project who get the
+### transfer details (transfer id, transfer secret) can accept the transfer and place the snapshot into their project.
+### Volume transfer details are written in json file and will be used at the moment of snapshot transfer acceptance.
+###
+### Usage: acquire_snapshot_and_create_volume_transfer.sh <VOLUME_ID>
+###
+### Links: https://openmetal.io/docs/manuals/users-manual/managing-backups-in-openstack
+###
+###
+
+function check_and_wait_until_available() {
+  local OPERATION_NAME="$1"
+  local CHECK_COMMAND="$2"
+
+  while true; do
+    STATE=$(eval $CHECK_COMMAND)
+    if [ "$STATE" != "available" ]; then
+      echo "$OPERATION_NAME in progress"
+      sleep 10
+      continue
+    else
+      echo "$OPERATION_NAME completed"
+      break;
+    fi
+  done
+}
+
+VOLUME_ID="$1"
+THIS_SCRIPT_DIR=$(dirname "$(realpath -s "$0")")
+
+TIMESTAMP=$(date +%s)
+SNAPSHOT_NAME="snapshot_${TIMESTAMP}"
+
+# let fail the script at this moment in case no app credentials are sourced or the subjected volume does not exist
+openstack volume show $VOLUME_ID > /dev/null
+
+echo "Starting snapshot creation of volume $VOLUME_ID"
+SNAPSHOT_ID=$(openstack volume snapshot create \
+    --volume ${VOLUME_ID} \
+    --force \
+    -f json \
+    ${SNAPSHOT_NAME}_${TIMESTAMP} | jq -r ".id")
+
+check_and_wait_until_available "Snapshot creation ($SNAPSHOT_ID)" "openstack volume snapshot show $SNAPSHOT_ID -f value -c status"
+
+echo "Starting volume creation based on snapshot $SNAPSHOT_ID"
+VOLUME_ID=$(openstack volume create \
+    --snapshot ${SNAPSHOT_ID} \
+    -f json \
+    ${SNAPSHOT_NAME}_${TIMESTAMP} | jq -r ".id")
+
+check_and_wait_until_available "Volume creation ($VOLUME_ID)" "openstack volume show ${VOLUME_ID} -f value -c status"
+
+echo "Creating volume transfer request for volume creation of volume $VOLUME_ID"
+VOLUME_TRANSFER_DETAILS=$(openstack volume transfer request create \
+    --name ${SNAPSHOT_NAME}_transfer_${TIMESTAMP} \
+    -f json \
+    ${VOLUME_ID})
+
+VOLUME_TRANSFER_ID=$(echo "${VOLUME_TRANSFER_DETAILS}" | jq -r '.id')
+VOLUME_TRANSFER_DETAILS_LOCATION=${THIS_SCRIPT_DIR}/volume-transfer_${VOLUME_TRANSFER_ID}.json
+echo ${VOLUME_TRANSFER_DETAILS} > ${VOLUME_TRANSFER_DETAILS_LOCATION}
+
+echo "Volume transfer has been initiated. Details needed to complete the transfer are found in $VOLUME_TRANSFER_DETAILS_LOCATION"

clouds/g1/brno/security_incidents/destroy_the_vm.sh

+#!/bin/bash
+set -e
+THIS_SCRIPT_LOCATION=$(dirname "$(realpath -s "$0")")
+TEMP_FILE_LOCATION=${THIS_SCRIPT_LOCATION}/whatever_delme
+
+terraform -chdir=${THIS_SCRIPT_LOCATION}/terraform init
+echo "Running Terraform plan to destroy"
+
+terraform -chdir=${THIS_SCRIPT_LOCATION}/terraform plan -destroy -out destroy.tfplan \
+  -var "volume_id_to_attach=" \
+  -var "ssh_public_key_location=$(mktemp)"
+printf "\n\n*********************************************************************************************************\n"
+read -p "PRESS ENTER once you are OK with whatever Terraform planned above ...:"
+
+terraform -chdir=${THIS_SCRIPT_LOCATION}/terraform apply destroy.tfplan

clouds/g1/brno/security_incidents/images/metacentrum_cloud_incidents.drawio

+<mxfile host="Electron" modified="2023-10-20T10:46:04.493Z" agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/22.0.3 Chrome/114.0.5735.289 Electron/25.8.4 Safari/537.36" etag="ARmRQ70ry5-QWqQeqKaA" version="22.0.3" type="device">
+  <diagram name="Page-1" id="8lcTHrtBwOFWnczI7y1D">
+    <mxGraphModel dx="1434" dy="838" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="1169" pageHeight="827" math="0" shadow="0">
+      <root>
+        <mxCell id="0" />
+        <mxCell id="1" parent="0" />
+        <mxCell id="Bkc7fFFbiiHV9RRgbnzn-36" value="" style="whiteSpace=wrap;html=1;dashed=1;" parent="1" vertex="1">
+          <mxGeometry x="270" y="100" width="740" height="200" as="geometry" />
+        </mxCell>
+        <mxCell id="Bkc7fFFbiiHV9RRgbnzn-1" value="CESNET&lt;br&gt;CERTS" style="rounded=1;whiteSpace=wrap;html=1;strokeWidth=2;" parent="1" vertex="1">
+          <mxGeometry x="350" y="120" width="120" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="Bkc7fFFbiiHV9RRgbnzn-3" value="MetaCentrum&lt;br&gt;Security team" style="rounded=1;whiteSpace=wrap;html=1;strokeWidth=2;" parent="1" vertex="1">
+          <mxGeometry x="360" y="235" width="100" height="50" as="geometry" />
+        </mxCell>
+        <mxCell id="Bkc7fFFbiiHV9RRgbnzn-4" value="CSIRT-MU" style="rounded=1;whiteSpace=wrap;html=1;strokeWidth=2;" parent="1" vertex="1">
+          <mxGeometry x="585" y="120" width="120" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="Bkc7fFFbiiHV9RRgbnzn-5" value="MUNI" style="rounded=1;whiteSpace=wrap;html=1;strokeWidth=2;" parent="1" vertex="1">
+          <mxGeometry x="585" y="10" width="120" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="Bkc7fFFbiiHV9RRgbnzn-6" value="" style="endArrow=none;html=1;rounded=0;entryX=0.5;entryY=1;entryDx=0;entryDy=0;exitX=0.5;exitY=0;exitDx=0;exitDy=0;" parent="1" source="Bkc7fFFbiiHV9RRgbnzn-3" target="Bkc7fFFbiiHV9RRgbnzn-1" edge="1">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="310" y="365" as="sourcePoint" />
+            <mxPoint x="360" y="315" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Bkc7fFFbiiHV9RRgbnzn-8" value="" style="endArrow=none;html=1;rounded=0;entryX=0.5;entryY=1;entryDx=0;entryDy=0;" parent="1" source="Bkc7fFFbiiHV9RRgbnzn-4" target="Bkc7fFFbiiHV9RRgbnzn-5" edge="1">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="565" y="250" as="sourcePoint" />
+            <mxPoint x="635" y="75" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Bkc7fFFbiiHV9RRgbnzn-9" value="Computer Security Incident Response Teams" style="text;whiteSpace=wrap;" parent="1" vertex="1">
+          <mxGeometry x="740" y="100" width="270" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="Bkc7fFFbiiHV9RRgbnzn-10" value="Cloud User&lt;br&gt;&lt;span style=&quot;color: rgb(0, 0, 0); font-size: 11px; text-align: right; background-color: rgb(255, 255, 255);&quot;&gt;&amp;nbsp;&lt;/span&gt;" style="sketch=0;outlineConnect=0;fontColor=#232F3E;gradientColor=none;fillColor=#232F3D;strokeColor=none;dashed=0;verticalLabelPosition=bottom;verticalAlign=top;align=center;html=1;fontSize=12;fontStyle=0;aspect=fixed;pointerEvents=1;shape=mxgraph.aws4.user;" parent="1" vertex="1">
+          <mxGeometry x="69" y="375" width="78" height="78" as="geometry" />
+        </mxCell>
+        <mxCell id="Bkc7fFFbiiHV9RRgbnzn-11" value="e-INFRA CZ / MetaCentrum Cloud" style="ellipse;shape=cloud;whiteSpace=wrap;html=1;labelPosition=center;verticalLabelPosition=bottom;align=center;verticalAlign=top;" parent="1" vertex="1">
+          <mxGeometry x="260" y="339" width="520" height="181" as="geometry" />
+        </mxCell>
+        <mxCell id="Bkc7fFFbiiHV9RRgbnzn-12" value="" style="endArrow=none;html=1;rounded=0;labelPosition=left;verticalLabelPosition=middle;align=right;verticalAlign=middle;" parent="1" source="Bkc7fFFbiiHV9RRgbnzn-10" target="Bkc7fFFbiiHV9RRgbnzn-21" edge="1">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="440" y="360" as="sourcePoint" />
+            <mxPoint x="575.1005050633883" y="360.67766952966394" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Bkc7fFFbiiHV9RRgbnzn-21" value="compromised device" style="sketch=0;outlineConnect=0;fontColor=#232F3E;gradientColor=none;strokeColor=#FF3333;fillColor=#ffffff;dashed=0;verticalLabelPosition=bottom;verticalAlign=top;align=center;html=1;fontSize=12;fontStyle=0;aspect=fixed;shape=mxgraph.aws4.resourceIcon;resIcon=mxgraph.aws4.traditional_server;" parent="1" vertex="1">
+          <mxGeometry x="470" y="377" width="60" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="Bkc7fFFbiiHV9RRgbnzn-23" value="" style="sketch=0;outlineConnect=0;fontColor=#232F3E;gradientColor=none;strokeColor=#232F3E;fillColor=#ffffff;dashed=0;verticalLabelPosition=bottom;verticalAlign=top;align=center;html=1;fontSize=12;fontStyle=0;aspect=fixed;shape=mxgraph.aws4.resourceIcon;resIcon=mxgraph.aws4.traditional_server;" parent="1" vertex="1">
+          <mxGeometry x="655" y="414" width="60" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="Bkc7fFFbiiHV9RRgbnzn-24" value="" style="sketch=0;outlineConnect=0;fontColor=#232F3E;gradientColor=none;strokeColor=#232F3E;fillColor=#ffffff;dashed=0;verticalLabelPosition=bottom;verticalAlign=top;align=center;html=1;fontSize=12;fontStyle=0;aspect=fixed;shape=mxgraph.aws4.resourceIcon;resIcon=mxgraph.aws4.traditional_server;" parent="1" vertex="1">
+          <mxGeometry x="610" y="415" width="60" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="Bkc7fFFbiiHV9RRgbnzn-22" value="" style="sketch=0;outlineConnect=0;fontColor=#232F3E;gradientColor=none;strokeColor=#232F3E;fillColor=#ffffff;dashed=0;verticalLabelPosition=bottom;verticalAlign=top;align=center;html=1;fontSize=12;fontStyle=0;aspect=fixed;shape=mxgraph.aws4.resourceIcon;resIcon=mxgraph.aws4.traditional_server;" parent="1" vertex="1">
+          <mxGeometry x="565" y="415" width="60" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="Bkc7fFFbiiHV9RRgbnzn-27" value="CESNET" style="rounded=1;whiteSpace=wrap;html=1;strokeWidth=2;" parent="1" vertex="1">
+          <mxGeometry x="350" y="10" width="120" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="Bkc7fFFbiiHV9RRgbnzn-28" value="" style="endArrow=none;html=1;rounded=0;entryX=0.5;entryY=1;entryDx=0;entryDy=0;exitX=0.5;exitY=0;exitDx=0;exitDy=0;" parent="1" source="Bkc7fFFbiiHV9RRgbnzn-1" target="Bkc7fFFbiiHV9RRgbnzn-27" edge="1">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="410" y="120" as="sourcePoint" />
+            <mxPoint x="409.5" y="85" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Bkc7fFFbiiHV9RRgbnzn-29" value="CERIT&lt;br&gt;Security team" style="rounded=1;whiteSpace=wrap;html=1;strokeWidth=2;" parent="1" vertex="1">
+          <mxGeometry x="595" y="235" width="100" height="50" as="geometry" />
+        </mxCell>
+        <mxCell id="Bkc7fFFbiiHV9RRgbnzn-30" value="" style="endArrow=none;html=1;rounded=0;entryX=0.5;entryY=1;entryDx=0;entryDy=0;exitX=0.5;exitY=0;exitDx=0;exitDy=0;" parent="1" source="Bkc7fFFbiiHV9RRgbnzn-29" target="Bkc7fFFbiiHV9RRgbnzn-4" edge="1">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="644.5" y="237.5" as="sourcePoint" />
+            <mxPoint x="644.5" y="187.5" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Bkc7fFFbiiHV9RRgbnzn-31" value="" style="shape=link;html=1;rounded=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;labelBackgroundColor=none;strokeColor=#FF0000;" parent="1" target="Bkc7fFFbiiHV9RRgbnzn-3" edge="1">
+          <mxGeometry width="100" relative="1" as="geometry">
+            <mxPoint x="158" y="260" as="sourcePoint" />
+            <mxPoint x="280" y="250" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="DyMJc3rCh__bVUlWjL28-1" value="&lt;br&gt;&lt;br&gt;communication" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];labelBackgroundColor=none;fontColor=#FF0000;" parent="Bkc7fFFbiiHV9RRgbnzn-31" vertex="1" connectable="0">
+          <mxGeometry x="-0.0099" y="-1" relative="1" as="geometry">
+            <mxPoint as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="qtpG4-VI09MVl3qjrZwv-1" value="MetaCentrum Cloud team" style="rounded=1;whiteSpace=wrap;html=1;strokeWidth=2;" parent="1" vertex="1">
+          <mxGeometry x="58" y="235" width="100" height="50" as="geometry" />
+        </mxCell>
+        <mxCell id="2C7tkXWoS5lswqi7GxpK-4" value="" style="shape=link;html=1;rounded=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;labelBackgroundColor=none;strokeColor=#FF0000;exitX=1;exitY=0.5;exitDx=0;exitDy=0;" parent="1" source="Bkc7fFFbiiHV9RRgbnzn-3" target="Bkc7fFFbiiHV9RRgbnzn-29" edge="1">
+          <mxGeometry width="100" relative="1" as="geometry">
+            <mxPoint x="140" y="560" as="sourcePoint" />
+            <mxPoint x="342" y="560" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="2C7tkXWoS5lswqi7GxpK-5" value="&lt;br&gt;&lt;br&gt;communication" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];labelBackgroundColor=none;fontColor=#FF0000;" parent="2C7tkXWoS5lswqi7GxpK-4" vertex="1" connectable="0">
+          <mxGeometry x="-0.0099" y="-1" relative="1" as="geometry">
+            <mxPoint as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="2C7tkXWoS5lswqi7GxpK-6" value="" style="shape=link;html=1;rounded=0;entryX=0;entryY=1;entryDx=0;entryDy=0;labelBackgroundColor=none;strokeColor=#FF0000;" parent="1" source="Bkc7fFFbiiHV9RRgbnzn-10" target="Bkc7fFFbiiHV9RRgbnzn-3" edge="1">
+          <mxGeometry width="100" relative="1" as="geometry">
+            <mxPoint x="178" y="280" as="sourcePoint" />
+            <mxPoint x="380" y="280" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="2C7tkXWoS5lswqi7GxpK-7" value="&lt;br&gt;&lt;br&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;communication" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];labelBackgroundColor=none;fontColor=#FF0000;" parent="2C7tkXWoS5lswqi7GxpK-6" vertex="1" connectable="0">
+          <mxGeometry x="-0.0099" y="-1" relative="1" as="geometry">
+            <mxPoint as="offset" />
+          </mxGeometry>
+        </mxCell>
+      </root>
+    </mxGraphModel>
+  </diagram>
+</mxfile>

clouds/g1/brno/security_incidents/run_vm_with_attached_volume.sh

+#!/bin/bash
+set -e
+
+### USAGE: run_vm_with_attached_volume.sh <VOLUME_TO_ATTACH_ID> <SSH_PUB_KEY_LOCATION>
+
+THIS_SCRIPT_DIR=$(dirname "$(realpath -s "$0")")
+
+VOLUME_TO_ATTACH_ID="$1"
+SSH_PUB_KEY_LOCATION="$2"
+
+echo "Running Terraform init"
+terraform -chdir=${THIS_SCRIPT_DIR}/terraform init
+
+echo "Running Terraform plan (volume id: $VOLUME_TO_ATTACH_ID, public key path: $SSH_PUB_KEY_LOCATION)"
+terraform -chdir=${THIS_SCRIPT_DIR}/terraform plan -out create.tfplan \
+  -var "volume_id_to_attach=$VOLUME_TO_ATTACH_ID" \
+  -var "ssh_public_key_location=$SSH_PUB_KEY_LOCATION"
+printf "\n\n*********************************************************************************************************\n"
+
+read -p "PRESS ENTER once you are OK with whatever Terraform planned above ...: "
+terraform -chdir=${THIS_SCRIPT_DIR}/terraform apply create.tfplan
+
+printf "\n\n*********************************************************************************************************\n"
+echo "New VM was created with the requested volume ($VOLUME_TO_ATTACH_ID) attached"
+echo "VM name is: $(terraform -chdir=terraform output vm_name)"

clouds/g1/brno/security_incidents/terraform/instances.tf

+####################
+# Define instances #
+####################
+
+data "openstack_images_image_v2" "nodes_image" {
+  name        = var.nodes_image
+}
+
+locals {
+  vm_name = format("%s-%s__%s", var.infra_name, var.nodes_name, formatdate("YYYYMMDDhhmm", timestamp()))
+}
+
+output "vm_name" {
+  value = local.vm_name
+}
+
+
+resource "openstack_compute_instance_v2" "nodes" {
+  count           = 1
+  name            = local.vm_name
+  image_name      = var.nodes_image
+  flavor_name     = var.nodes_flavor
+  key_pair        = openstack_compute_keypair_v2.ssh_key_pair.name
+  security_groups = [openstack_networking_secgroup_v2.secgroup_default.name]
+
+  network {
+    uuid = var.internal_network_creation_enable ? openstack_networking_network_v2.network_default[0].id : data.openstack_networking_network_v2.internal_shared_personal_network[0].id
+    port = element(openstack_networking_port_v2.nodes_ports.*.id, count.index)
+  }
+
+  block_device {
+    uuid                  = data.openstack_images_image_v2.nodes_image.id
+    source_type           = "image"
+    volume_size           = var.nodes_volume_size
+    destination_type      = "local"
+    boot_index            = 0
+    delete_on_termination = true
+  }
+
+  block_device {
+    uuid                  = "${var.volume_id_to_attach}"
+    source_type           = "volume"
+    destination_type      = "volume"
+    boot_index            = -1
+  }
+}
+
+output "server_instance_id" {
+  value = openstack_compute_instance_v2.nodes[0].id
+}

clouds/g1/brno/security_incidents/terraform/keypair.tf

+
+resource "openstack_compute_keypair_v2" "ssh_key_pair" {
+  name       = "${var.infra_name}-keypair"
+  public_key = file(var.ssh_public_key_location)
+}

clouds/g1/brno/security_incidents/terraform/main.tf

+terraform {
+  backend "local" {}
+}

clouds/g1/brno/security_incidents/terraform/networks.tf

+resource "openstack_networking_network_v2" "network_default" {
+  count          = var.internal_network_creation_enable ? 1 : 0
+  name           = "${var.infra_name}_network"
+  admin_state_up = "true"
+}
+
+resource "openstack_networking_subnet_v2" "subnet_default" {
+  count           = var.internal_subnet_creation_enable ? 1 : 0
+  name            = "${var.infra_name}_subnet"
+  network_id      = openstack_networking_network_v2.network_default[0].id
+  cidr            = var.internal_network_cidr
+  ip_version      = 4
+  dns_nameservers = ["1.1.1.1", "8.8.8.8"]
+}
+
+data "openstack_networking_network_v2" "external_network" {
+  name = var.public_external_network
+}
+
+data "openstack_networking_network_v2" "internal_shared_personal_network" {
+  count = var.internal_network_creation_enable == false ? 1 : 0
+  name = var.internal_network_name
+}
+
+data "openstack_networking_subnet_v2" "internal_shared_personal_subnet" {
+  count = var.internal_subnet_creation_enable == false ? 1 : 0
+  name  = var.internal_subnet_name
+}
+
+resource "openstack_networking_router_v2" "router_default" {
+  count               = var.router_creation_enable ? 1 : 0
+  name                = "${var.infra_name}_infra-test"
+  admin_state_up      = "true"
+  external_network_id = data.openstack_networking_network_v2.external_network.id
+}
+
+resource "openstack_networking_router_interface_v2" "router_default_interface" {
+  count     = var.router_creation_enable ? 1 : 0
+  router_id = openstack_networking_router_v2.router_default[0].id
+  subnet_id = openstack_networking_subnet_v2.subnet_default[0].id
+}
+
+resource "openstack_networking_port_v2" "nodes_ports" {
+  count              = 1
+  name               = "${var.infra_name}_${var.nodes_name}_port_${count.index+1}"
+  network_id         = var.internal_network_creation_enable ? openstack_networking_network_v2.network_default[0].id : data.openstack_networking_network_v2.internal_shared_personal_network[0].id
+  admin_state_up     = "true"
+  security_group_ids = [openstack_networking_secgroup_v2.secgroup_default.id]
+  fixed_ip {
+    subnet_id = var.internal_subnet_creation_enable ? openstack_networking_subnet_v2.subnet_default[0].id : data.openstack_networking_subnet_v2.internal_shared_personal_subnet[0].id
+  }
+}

clouds/g1/brno/security_incidents/terraform/nodes-networks.tf

+# Floating IPs
+resource "openstack_networking_floatingip_v2" "nodes_fips" {
+  count    = 1
+  pool     = var.public_external_network
+}
+
+resource "openstack_compute_floatingip_associate_v2" "nodes_fips_associations" {
+  count       = 1
+  floating_ip = element(openstack_networking_floatingip_v2.nodes_fips.*.address, count.index)
+  instance_id = element(openstack_compute_instance_v2.nodes.*.id, count.index)
+}

clouds/g1/brno/security_incidents/terraform/providers.tf

+terraform {
+  required_providers {
+    openstack = {
+      source  = "terraform-provider-openstack/openstack"
+      version = "~> 1.52.1"
+    }
+  }
+}

clouds/g1/brno/security_incidents/terraform/secgroup_rules.tf

+##################################
+# Define Network Security Groups #
+##################################
+
+
+resource "openstack_networking_secgroup_v2" "secgroup_default" {
+  name        = "${var.infra_name}_security_group"
+  description = "${var.infra_name} Security group"
+}
+
+# ICMP
+
+resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_icmp4" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "icmp"
+  port_range_min    = 0
+  port_range_max    = 0
+  remote_ip_prefix  = "0.0.0.0/0"
+  security_group_id = openstack_networking_secgroup_v2.secgroup_default.id
+}
+
+# SSH
+
+resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_ssh4" {
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 22
+  port_range_max    = 22
+  remote_ip_prefix  = "0.0.0.0/0"
+  security_group_id = openstack_networking_secgroup_v2.secgroup_default.id
+}

clouds/g1/brno/security_incidents/terraform/variables.tf

+#########################################################
+# general configuration (defaults on G1 production cloud)
+#########################################################
+
+
+variable "infra_name" {
+  description = "Infrastructure (profile) name. Used as a name prefix. Must match [a-zA-Z0-9-]+ regexp."
+  default     = "meta-cloud-security-artifact-share"
+}
+
+variable "internal_network_cidr" {
+  description = "Internal network address, use CIDR notation"
+  default     = "10.10.10.0/24"
+}
+
+variable "public_external_network" {
+  description = "Cloud public external network pool"
+  default     = "public-cesnet-195-113-167-GROUP"
+}
+
+variable "router_creation_enable" {
+  description = "Create dedicated router instance. true/false ~ create new / reuse existing personal router"
+  default     = true
+}
+
+variable "internal_network_creation_enable" {
+  description = "Create dedicated internal network. true/false ~ create new / reuse existing personal network"
+  default     = true
+}
+
+variable "internal_network_name" {
+  description = "Internal network name. Either dedicated new network or existing personal network name"
+  default     = "<var.infra_name>_network"
+}
+
+variable "internal_subnet_creation_enable" {
+  description = "Create dedicated subnet instance. true/false ~ create new / reuse existing personal subnet"
+  default     = true
+}
+
+variable "internal_subnet_name" {
+  description = "Internal network subnet name. Either dedicated new subnet or existing personal subnet name"
+  default     = "<var.infra_name>_subnet"
+}
+
+variable "nodes_name" {
+  description = "Name of the nodes. Must match [a-zA-Z0-9-]+ regexp."
+  default = "nodes"
+}
+
+variable "nodes_flavor" {
+  default = "standard.large"
+}
+
+variable "nodes_image" {
+  description = "nodes OS: Image name"
+  default     = "ubuntu-jammy-x86_64"
+}
+
+variable "nodes_ssh_user_name" {
+  default = "ubuntu"
+}
+
+variable "nodes_volume_size" {
+  description = "The size of the volume to create (in gigabytes) for root filesystem. "
+  default     = "10"
+}
+
+variable "ssh_public_key_location" {
+  description = "Provide location of public key for which its complementary private key shall allow ssh access"
+  type = string
+}
+
+variable "volume_id_to_attach" {
+  description = "Provide volume ID"
+  type = string
+}