Commit 6d054b07 authored by Jan Kryštof's avatar Jan Kryštof

direction hande cybersecurity incidents within metacentrum cloud

parent 39b2e098
1 merge request!5direction hande cybersecurity incidents within metacentrum cloud
Showing
with 530 additions and 0 deletions
terraform/.terraform
terraform/*.auto.tfvars
terraform/*.tfoverride
terraform/.terraformrc
terraform/terraform.rc
terraform/.terraform.lock.hcl
terraform/*.plan
terraform/*.tfplan
terraform/*.tfstate
terraform/*.tfstate.backup
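Review bot: `terraform/.terraform.lock.hcl` is git-ignored, but the lock file is what pins the exact provider version and its hashes; with it ignored every `terraform init` (each analyst, each incident) resolves the `~> 1.52.1` constraint afresh and skips the hash check, which is the supply-chain protection the lock file exists for. Drop that line and commit the lock file (regenerate it with `terraform providers lock` for the platforms the team uses). Ignoring `*.tfstate` is right because state holds secrets, but with the `local` backend used here the state then lives only on the machine that ran the create, and the destroy script depends on finding it there — worth a comment next to the `*.tfstate` entries.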
# Security incidents in e-INFRA / MetaCentrum Cloud
This document describes details of process when CyberSecurity incidents is detected in the MetaCentrum Cloud.
## Workflow
![metacentrum_cloud_incidents.drawio.png](images/metacentrum_cloud_incidents.drawio.png)
The MetaCentrum Security team detects suspicious VM and creates ticket in the RT instance `rt.cesnet.cz`, queue `cloud` and specifies actions to be taken by the MetaCentrum Cloud team including
- provide identity of the VM owner
- share snapshot of the VM
- instruction how to address the VM further (stop, keep, etc)
MetaCentrum Security handles communication with the user - owner of the Openstack project where the VM originates from.
Cloud team transfers the VM snapshot into Openstack project `meta-cloud-metac_sec-cerit_sec`. Access to this project is granted via Perun groups `meta-cloud-admins` (Cloud team) and `meta-sec` (Security team). [Available automation](https://gitlab.ics.muni.cz/cloud/g2/openstack-infrastructure-as-code-automation/clouds/g1/brno/security-incidents):
- `acquire_snapshot_and_create_volume_transfer.sh <THE_ORIGINAL_VM_VOLUME_ID>`
- `accept_volume_transfer.sh <VOLUME_TRANSFER_ID>` => results in a new volume with id shared with the Security team.
MetaCentrum Security runs a new VM with the new volume attached (not mounted). The VM can be accessed by a private key which is complementary to the provided public key passed in.
- `run_vm_with_attached_volume.sh <VOLUME_ID> <SSH_PUB_KEY_LOCATION>`
MetaCentrum Security cleans up the resources
- `destroy_the_vm.sh`
#### The provided automation requires following to be in place
| Script | Requires |
|--------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|
| `acquire_snapshot_and_create_volume_transfer.sh` | bash, [openstack-cli](https://docs.openstack.org/ocata/user-guide/cli.html), Application credentials (`admin`) |
| `accept_volume_transfer.sh` | bash, [openstack-cli](https://docs.openstack.org/ocata/user-guide/cli.html), Application credentials (`meta-cloud-metac_sec-cerit_sec`)|
| `run_vm_with_attached_volume.sh` | bash, [terraform](https://www.terraform.io), Application credentials (`meta-cloud-metac_sec-cerit_sec`) |
| `destroy_the_vm.sh` | bash, [terraform](https://www.terraform.io), Application credentials (`meta-cloud-metac_sec-cerit_sec`) |
#!/bin/bash
set -e
### USAGE: accept_volume_transfer.sh <LOCATION_OF_VOLUME_TRANSFER_DESCRIPTOR>
THIS_SCRIPT_LOCATION=$(dirname "$(realpath -s "$0")")
read -p "Ensure that Application Credentials for target Openstack project have been sourced. Press ENTER to continue."
VOLUME_TRANSFER_DETAILS=$(cat "$1" | jq -r '.id + "," + .auth_key')
VOLUME_TRANSFER_ID=$(echo $VOLUME_TRANSFER_DETAILS | awk -F ',' '{print $1}')
VOLUME_TRANSFER_SECRET=$(echo $VOLUME_TRANSFER_DETAILS | awk -F ',' '{print $2}')
echo $VOLUME_TRANSFER_ID
echo $VOLUME_TRANSFER_SECRET
VOLUME_ID=$(openstack volume transfer request accept \
--auth-key ${VOLUME_TRANSFER_SECRET} \
${VOLUME_TRANSFER_ID} -c volume_id -f value)
echo "Transfer ${VOLUME_TRANSFER_ID} completed. The volume id ${VOLUME_ID} can be attached to a VM"
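Review bot: The transfer auth key is printed to the terminal at `echo $VOLUME_TRANSFER_SECRET`; it is a bearer secret (whoever holds it together with the transfer id can accept the evidence volume into any project), so it should not land in scrollback or session logs — drop that line and keep only the id. The script also dereferences `$1` without checking it, and its usage line disagrees with the README, which documents the argument as `<VOLUME_TRANSFER_ID>` while the script actually expects the path of the JSON descriptor. Suggested guard at the top: `: "${1:?usage: $0 <LOCATION_OF_VOLUME_TRANSFER_DESCRIPTOR>}"` and `VOLUME_TRANSFER_DETAILS=$(jq -r '.id + "," + .auth_key' -- "$1")`, with the expansions on the `openstack` call double-quoted. The `--auth-key` value is still visible to other local users via `ps` for the duration of the call; that is inherent to the CLI and deserves a sentence in the header comment so the script is run on a trusted workstation.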
#!/bin/bash
set -eo pipefail
###
### This script acquires snapshot of given volume (VOLUME_ID) and initiates transfer so users of a project who get the
### transfer details (transfer id, transfer secret) can accept the transfer and place the snapshot into their project.
### Volume transfer details are written in json file and will be used at the moment of snapshot transfer acceptance.
###
### Usage: acquire_snapshot_and_create_volume_transfer.sh <VOLUME_ID>
###
### Links: https://openmetal.io/docs/manuals/users-manual/managing-backups-in-openstack
###
###
function check_and_wait_until_available() {
local OPERATION_NAME="$1"
local CHECK_COMMAND="$2"
while true; do
STATE=$(eval $CHECK_COMMAND)
if [ "$STATE" != "available" ]; then
echo "$OPERATION_NAME in progress"
sleep 10
continue
else
echo "$OPERATION_NAME completed"
break;
fi
done
}
VOLUME_ID="$1"
THIS_SCRIPT_DIR=$(dirname "$(realpath -s "$0")")
TIMESTAMP=$(date +%s)
SNAPSHOT_NAME="snapshot_${TIMESTAMP}"
# let fail the script at this moment in case no app credentials are sourced or the subjected volume does not exist
openstack volume show $VOLUME_ID > /dev/null
echo "Starting snapshot creation of volume $VOLUME_ID"
SNAPSHOT_ID=$(openstack volume snapshot create \
--volume ${VOLUME_ID} \
--force \
-f json \
${SNAPSHOT_NAME}_${TIMESTAMP} | jq -r ".id")
check_and_wait_until_available "Snapshot creation ($SNAPSHOT_ID)" "openstack volume snapshot show $SNAPSHOT_ID -f value -c status"
echo "Starting volume creation based on snapshot $SNAPSHOT_ID"
VOLUME_ID=$(openstack volume create \
--snapshot ${SNAPSHOT_ID} \
-f json \
${SNAPSHOT_NAME}_${TIMESTAMP} | jq -r ".id")
check_and_wait_until_available "Volume creation ($VOLUME_ID)" "openstack volume show ${VOLUME_ID} -f value -c status"
echo "Creating volume transfer request for volume creation of volume $VOLUME_ID"
VOLUME_TRANSFER_DETAILS=$(openstack volume transfer request create \
--name ${SNAPSHOT_NAME}_transfer_${TIMESTAMP} \
-f json \
${VOLUME_ID})
VOLUME_TRANSFER_ID=$(echo "${VOLUME_TRANSFER_DETAILS}" | jq -r '.id')
VOLUME_TRANSFER_DETAILS_LOCATION=${THIS_SCRIPT_DIR}/volume-transfer_${VOLUME_TRANSFER_ID}.json
echo ${VOLUME_TRANSFER_DETAILS} > ${VOLUME_TRANSFER_DETAILS_LOCATION}
echo "Volume transfer has been initiated. Details needed to complete the transfer are found in $VOLUME_TRANSFER_DETAILS_LOCATION"
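Review bot: The descriptor written at `echo ${VOLUME_TRANSFER_DETAILS} > ${VOLUME_TRANSFER_DETAILS_LOCATION}` contains `auth_key`, the bearer secret that lets any project accept the evidence volume, and it is written next to the script under the process umask (typically world-readable) and unquoted, so the JSON is also re-split on whitespace. Write it under `umask 077` with `printf '%s\n'`, and say in the final message that the file must be handed to the security team out of band and deleted afterwards. `check_and_wait_until_available` treats every status other than `available` as "in progress", so a snapshot or volume that lands in `error` spins forever at 10-second intervals; fail on the error states instead. `${SNAPSHOT_NAME}_${TIMESTAMP}` embeds the timestamp twice (`snapshot_<ts>_<ts>`), which is harmless but looks unintended.
```bash
function check_and_wait_until_available() {
  local OPERATION_NAME="$1"
  local CHECK_COMMAND="$2"
  local STATE
  while true; do
    STATE=$(eval "$CHECK_COMMAND")
    case "$STATE" in
      available)
        echo "$OPERATION_NAME completed"
        return 0 ;;
      error|error_deleting|error_restoring)
        # fail fast: set -e aborts the script on the non-zero return
        echo "$OPERATION_NAME failed (status: $STATE)" >&2
        return 1 ;;
      *)
        echo "$OPERATION_NAME in progress (status: $STATE)"
        sleep 10 ;;
    esac
  done
}
# … unchanged: snapshot, volume and transfer-request creation …
# the descriptor carries the transfer auth key: owner-only permissions, exact bytes
(umask 077; printf '%s\n' "${VOLUME_TRANSFER_DETAILS}" > "${VOLUME_TRANSFER_DETAILS_LOCATION}")
```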
#!/bin/bash
set -e
THIS_SCRIPT_LOCATION=$(dirname "$(realpath -s "$0")")
TEMP_FILE_LOCATION=${THIS_SCRIPT_LOCATION}/whatever_delme
terraform -chdir=${THIS_SCRIPT_LOCATION}/terraform init
echo "Running Terraform plan to destroy"
terraform -chdir=${THIS_SCRIPT_LOCATION}/terraform plan -destroy -out destroy.tfplan \
-var "volume_id_to_attach=" \
-var "ssh_public_key_location=$(mktemp)"
printf "\n\n*********************************************************************************************************\n"
read -p "PRESS ENTER once you are OK with whatever Terraform planned above ...:"
terraform -chdir=${THIS_SCRIPT_LOCATION}/terraform apply destroy.tfplan
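Review bot: `TEMP_FILE_LOCATION` (`whatever_delme`) is assigned and never used, and the `$(mktemp)` passed as `ssh_public_key_location` exists only to satisfy `file()` in the keypair resource and is never removed. Create it once and clean it up: `EMPTY_KEY=$(mktemp)`, `trap 'rm -f -- "$EMPTY_KEY"' EXIT`, then `-var "ssh_public_key_location=$EMPTY_KEY"`. Before the apply it is worth printing a reminder that the VM's root disk is ephemeral (`delete_on_termination = true` on the boot `block_device` in the instance definition), so analysis output not copied off the VM is lost with it; the attached evidence volume is not a Terraform resource and should survive the destroy (no `delete_on_termination` on its `block_device`) — confirm and state that in the final message. Because the backend is `local` and state is git-ignored, this script only works from the checkout that ran the create, which the header comment should say.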
<mxfile host="Electron" modified="2023-10-20T10:46:04.493Z" agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/22.0.3 Chrome/114.0.5735.289 Electron/25.8.4 Safari/537.36" etag="ARmRQ70ry5-QWqQeqKaA" version="22.0.3" type="device">
<diagram name="Page-1" id="8lcTHrtBwOFWnczI7y1D">
<mxGraphModel dx="1434" dy="838" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="1169" pageHeight="827" math="0" shadow="0">
<root>
<mxCell id="0" />
<mxCell id="1" parent="0" />
<mxCell id="Bkc7fFFbiiHV9RRgbnzn-36" value="" style="whiteSpace=wrap;html=1;dashed=1;" parent="1" vertex="1">
<mxGeometry x="270" y="100" width="740" height="200" as="geometry" />
</mxCell>
<mxCell id="Bkc7fFFbiiHV9RRgbnzn-1" value="CESNET&lt;br&gt;CERTS" style="rounded=1;whiteSpace=wrap;html=1;strokeWidth=2;" parent="1" vertex="1">
<mxGeometry x="350" y="120" width="120" height="60" as="geometry" />
</mxCell>
<mxCell id="Bkc7fFFbiiHV9RRgbnzn-3" value="MetaCentrum&lt;br&gt;Security team" style="rounded=1;whiteSpace=wrap;html=1;strokeWidth=2;" parent="1" vertex="1">
<mxGeometry x="360" y="235" width="100" height="50" as="geometry" />
</mxCell>
<mxCell id="Bkc7fFFbiiHV9RRgbnzn-4" value="CSIRT-MU" style="rounded=1;whiteSpace=wrap;html=1;strokeWidth=2;" parent="1" vertex="1">
<mxGeometry x="585" y="120" width="120" height="60" as="geometry" />
</mxCell>
<mxCell id="Bkc7fFFbiiHV9RRgbnzn-5" value="MUNI" style="rounded=1;whiteSpace=wrap;html=1;strokeWidth=2;" parent="1" vertex="1">
<mxGeometry x="585" y="10" width="120" height="60" as="geometry" />
</mxCell>
<mxCell id="Bkc7fFFbiiHV9RRgbnzn-6" value="" style="endArrow=none;html=1;rounded=0;entryX=0.5;entryY=1;entryDx=0;entryDy=0;exitX=0.5;exitY=0;exitDx=0;exitDy=0;" parent="1" source="Bkc7fFFbiiHV9RRgbnzn-3" target="Bkc7fFFbiiHV9RRgbnzn-1" edge="1">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="310" y="365" as="sourcePoint" />
<mxPoint x="360" y="315" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="Bkc7fFFbiiHV9RRgbnzn-8" value="" style="endArrow=none;html=1;rounded=0;entryX=0.5;entryY=1;entryDx=0;entryDy=0;" parent="1" source="Bkc7fFFbiiHV9RRgbnzn-4" target="Bkc7fFFbiiHV9RRgbnzn-5" edge="1">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="565" y="250" as="sourcePoint" />
<mxPoint x="635" y="75" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="Bkc7fFFbiiHV9RRgbnzn-9" value="Computer Security Incident Response Teams" style="text;whiteSpace=wrap;" parent="1" vertex="1">
<mxGeometry x="740" y="100" width="270" height="40" as="geometry" />
</mxCell>
<mxCell id="Bkc7fFFbiiHV9RRgbnzn-10" value="Cloud User&lt;br&gt;&lt;span style=&quot;color: rgb(0, 0, 0); font-size: 11px; text-align: right; background-color: rgb(255, 255, 255);&quot;&gt;&amp;nbsp;&lt;/span&gt;" style="sketch=0;outlineConnect=0;fontColor=#232F3E;gradientColor=none;fillColor=#232F3D;strokeColor=none;dashed=0;verticalLabelPosition=bottom;verticalAlign=top;align=center;html=1;fontSize=12;fontStyle=0;aspect=fixed;pointerEvents=1;shape=mxgraph.aws4.user;" parent="1" vertex="1">
<mxGeometry x="69" y="375" width="78" height="78" as="geometry" />
</mxCell>
<mxCell id="Bkc7fFFbiiHV9RRgbnzn-11" value="e-INFRA CZ / MetaCentrum Cloud" style="ellipse;shape=cloud;whiteSpace=wrap;html=1;labelPosition=center;verticalLabelPosition=bottom;align=center;verticalAlign=top;" parent="1" vertex="1">
<mxGeometry x="260" y="339" width="520" height="181" as="geometry" />
</mxCell>
<mxCell id="Bkc7fFFbiiHV9RRgbnzn-12" value="" style="endArrow=none;html=1;rounded=0;labelPosition=left;verticalLabelPosition=middle;align=right;verticalAlign=middle;" parent="1" source="Bkc7fFFbiiHV9RRgbnzn-10" target="Bkc7fFFbiiHV9RRgbnzn-21" edge="1">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="440" y="360" as="sourcePoint" />
<mxPoint x="575.1005050633883" y="360.67766952966394" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="Bkc7fFFbiiHV9RRgbnzn-21" value="compromised device" style="sketch=0;outlineConnect=0;fontColor=#232F3E;gradientColor=none;strokeColor=#FF3333;fillColor=#ffffff;dashed=0;verticalLabelPosition=bottom;verticalAlign=top;align=center;html=1;fontSize=12;fontStyle=0;aspect=fixed;shape=mxgraph.aws4.resourceIcon;resIcon=mxgraph.aws4.traditional_server;" parent="1" vertex="1">
<mxGeometry x="470" y="377" width="60" height="60" as="geometry" />
</mxCell>
<mxCell id="Bkc7fFFbiiHV9RRgbnzn-23" value="" style="sketch=0;outlineConnect=0;fontColor=#232F3E;gradientColor=none;strokeColor=#232F3E;fillColor=#ffffff;dashed=0;verticalLabelPosition=bottom;verticalAlign=top;align=center;html=1;fontSize=12;fontStyle=0;aspect=fixed;shape=mxgraph.aws4.resourceIcon;resIcon=mxgraph.aws4.traditional_server;" parent="1" vertex="1">
<mxGeometry x="655" y="414" width="60" height="60" as="geometry" />
</mxCell>
<mxCell id="Bkc7fFFbiiHV9RRgbnzn-24" value="" style="sketch=0;outlineConnect=0;fontColor=#232F3E;gradientColor=none;strokeColor=#232F3E;fillColor=#ffffff;dashed=0;verticalLabelPosition=bottom;verticalAlign=top;align=center;html=1;fontSize=12;fontStyle=0;aspect=fixed;shape=mxgraph.aws4.resourceIcon;resIcon=mxgraph.aws4.traditional_server;" parent="1" vertex="1">
<mxGeometry x="610" y="415" width="60" height="60" as="geometry" />
</mxCell>
<mxCell id="Bkc7fFFbiiHV9RRgbnzn-22" value="" style="sketch=0;outlineConnect=0;fontColor=#232F3E;gradientColor=none;strokeColor=#232F3E;fillColor=#ffffff;dashed=0;verticalLabelPosition=bottom;verticalAlign=top;align=center;html=1;fontSize=12;fontStyle=0;aspect=fixed;shape=mxgraph.aws4.resourceIcon;resIcon=mxgraph.aws4.traditional_server;" parent="1" vertex="1">
<mxGeometry x="565" y="415" width="60" height="60" as="geometry" />
</mxCell>
<mxCell id="Bkc7fFFbiiHV9RRgbnzn-27" value="CESNET" style="rounded=1;whiteSpace=wrap;html=1;strokeWidth=2;" parent="1" vertex="1">
<mxGeometry x="350" y="10" width="120" height="60" as="geometry" />
</mxCell>
<mxCell id="Bkc7fFFbiiHV9RRgbnzn-28" value="" style="endArrow=none;html=1;rounded=0;entryX=0.5;entryY=1;entryDx=0;entryDy=0;exitX=0.5;exitY=0;exitDx=0;exitDy=0;" parent="1" source="Bkc7fFFbiiHV9RRgbnzn-1" target="Bkc7fFFbiiHV9RRgbnzn-27" edge="1">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="410" y="120" as="sourcePoint" />
<mxPoint x="409.5" y="85" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="Bkc7fFFbiiHV9RRgbnzn-29" value="CERIT&lt;br&gt;Security team" style="rounded=1;whiteSpace=wrap;html=1;strokeWidth=2;" parent="1" vertex="1">
<mxGeometry x="595" y="235" width="100" height="50" as="geometry" />
</mxCell>
<mxCell id="Bkc7fFFbiiHV9RRgbnzn-30" value="" style="endArrow=none;html=1;rounded=0;entryX=0.5;entryY=1;entryDx=0;entryDy=0;exitX=0.5;exitY=0;exitDx=0;exitDy=0;" parent="1" source="Bkc7fFFbiiHV9RRgbnzn-29" target="Bkc7fFFbiiHV9RRgbnzn-4" edge="1">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="644.5" y="237.5" as="sourcePoint" />
<mxPoint x="644.5" y="187.5" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="Bkc7fFFbiiHV9RRgbnzn-31" value="" style="shape=link;html=1;rounded=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;labelBackgroundColor=none;strokeColor=#FF0000;" parent="1" target="Bkc7fFFbiiHV9RRgbnzn-3" edge="1">
<mxGeometry width="100" relative="1" as="geometry">
<mxPoint x="158" y="260" as="sourcePoint" />
<mxPoint x="280" y="250" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="DyMJc3rCh__bVUlWjL28-1" value="&lt;br&gt;&lt;br&gt;communication" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];labelBackgroundColor=none;fontColor=#FF0000;" parent="Bkc7fFFbiiHV9RRgbnzn-31" vertex="1" connectable="0">
<mxGeometry x="-0.0099" y="-1" relative="1" as="geometry">
<mxPoint as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="qtpG4-VI09MVl3qjrZwv-1" value="MetaCentrum Cloud team" style="rounded=1;whiteSpace=wrap;html=1;strokeWidth=2;" parent="1" vertex="1">
<mxGeometry x="58" y="235" width="100" height="50" as="geometry" />
</mxCell>
<mxCell id="2C7tkXWoS5lswqi7GxpK-4" value="" style="shape=link;html=1;rounded=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;labelBackgroundColor=none;strokeColor=#FF0000;exitX=1;exitY=0.5;exitDx=0;exitDy=0;" parent="1" source="Bkc7fFFbiiHV9RRgbnzn-3" target="Bkc7fFFbiiHV9RRgbnzn-29" edge="1">
<mxGeometry width="100" relative="1" as="geometry">
<mxPoint x="140" y="560" as="sourcePoint" />
<mxPoint x="342" y="560" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="2C7tkXWoS5lswqi7GxpK-5" value="&lt;br&gt;&lt;br&gt;communication" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];labelBackgroundColor=none;fontColor=#FF0000;" parent="2C7tkXWoS5lswqi7GxpK-4" vertex="1" connectable="0">
<mxGeometry x="-0.0099" y="-1" relative="1" as="geometry">
<mxPoint as="offset" />
</mxGeometry>
</mxCell>
<mxCell id="2C7tkXWoS5lswqi7GxpK-6" value="" style="shape=link;html=1;rounded=0;entryX=0;entryY=1;entryDx=0;entryDy=0;labelBackgroundColor=none;strokeColor=#FF0000;" parent="1" source="Bkc7fFFbiiHV9RRgbnzn-10" target="Bkc7fFFbiiHV9RRgbnzn-3" edge="1">
<mxGeometry width="100" relative="1" as="geometry">
<mxPoint x="178" y="280" as="sourcePoint" />
<mxPoint x="380" y="280" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="2C7tkXWoS5lswqi7GxpK-7" value="&lt;br&gt;&lt;br&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;communication" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];labelBackgroundColor=none;fontColor=#FF0000;" parent="2C7tkXWoS5lswqi7GxpK-6" vertex="1" connectable="0">
<mxGeometry x="-0.0099" y="-1" relative="1" as="geometry">
<mxPoint as="offset" />
</mxGeometry>
</mxCell>
</root>
</mxGraphModel>
</diagram>
</mxfile>
clouds/g1/brno/security_incidents/images/metacentrum_cloud_incidents.drawio.png

#!/bin/bash
set -e
### USAGE: run_vm_with_attached_volume.sh <VOLUME_TO_ATTACH_ID> <SSH_PUB_KEY_LOCATION>
THIS_SCRIPT_DIR=$(dirname "$(realpath -s "$0")")
VOLUME_TO_ATTACH_ID="$1"
SSH_PUB_KEY_LOCATION="$2"
echo "Running Terraform init"
terraform -chdir=${THIS_SCRIPT_DIR}/terraform init
echo "Running Terraform plan (volume id: $VOLUME_TO_ATTACH_ID, public key path: $SSH_PUB_KEY_LOCATION)"
terraform -chdir=${THIS_SCRIPT_DIR}/terraform plan -out create.tfplan \
-var "volume_id_to_attach=$VOLUME_TO_ATTACH_ID" \
-var "ssh_public_key_location=$SSH_PUB_KEY_LOCATION"
printf "\n\n*********************************************************************************************************\n"
read -p "PRESS ENTER once you are OK with whatever Terraform planned above ...: "
terraform -chdir=${THIS_SCRIPT_DIR}/terraform apply create.tfplan
printf "\n\n*********************************************************************************************************\n"
echo "New VM was created with the requested volume ($VOLUME_TO_ATTACH_ID) attached"
echo "VM name is: $(terraform -chdir=terraform output vm_name)"
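Review bot: The final `terraform -chdir=terraform output vm_name` uses a path relative to the caller's working directory, while every other call uses `${THIS_SCRIPT_DIR}/terraform`, so the last line fails (or reads a different state) whenever the script is run from elsewhere; use `terraform -chdir="${THIS_SCRIPT_DIR}/terraform" output -raw vm_name`. Neither argument is checked before it reaches Terraform: a missing volume id or an unreadable key file only surfaces as a provider error after `init`. Guard at the top with `: "${VOLUME_TO_ATTACH_ID:?usage: $0 <VOLUME_TO_ATTACH_ID> <SSH_PUB_KEY_LOCATION>}"` and `[[ -r "$SSH_PUB_KEY_LOCATION" ]] || { echo "public key not readable: $SSH_PUB_KEY_LOCATION" >&2; exit 1; }`. Printing the floating IP as well (a second `output`) would spare the analyst an `openstack server show`.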
####################
# Define instances #
####################
data "openstack_images_image_v2" "nodes_image" {
name = var.nodes_image
}
locals {
vm_name = format("%s-%s__%s", var.infra_name, var.nodes_name, formatdate("YYYYMMDDhhmm", timestamp()))
}
output "vm_name" {
value = local.vm_name
}
resource "openstack_compute_instance_v2" "nodes" {
count = 1
name = local.vm_name
image_name = var.nodes_image
flavor_name = var.nodes_flavor
key_pair = openstack_compute_keypair_v2.ssh_key_pair.name
security_groups = [openstack_networking_secgroup_v2.secgroup_default.name]
network {
uuid = var.internal_network_creation_enable ? openstack_networking_network_v2.network_default[0].id : data.openstack_networking_network_v2.internal_shared_personal_network[0].id
port = element(openstack_networking_port_v2.nodes_ports.*.id, count.index)
}
block_device {
uuid = data.openstack_images_image_v2.nodes_image.id
source_type = "image"
volume_size = var.nodes_volume_size
destination_type = "local"
boot_index = 0
delete_on_termination = true
}
block_device {
uuid = "${var.volume_id_to_attach}"
source_type = "volume"
destination_type = "volume"
boot_index = -1
}
}
output "server_instance_id" {
value = openstack_compute_instance_v2.nodes[0].id
}
resource "openstack_compute_keypair_v2" "ssh_key_pair" {
name = "${var.infra_name}-keypair"
public_key = file(var.ssh_public_key_location)
}
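Review bot: `local.vm_name` is built from `timestamp()` in the `locals` block, which is re-evaluated on every plan, so each later `plan`/`apply` against the same state shows a name change on `openstack_compute_instance_v2.nodes` even when nothing else moved; pass the creation time in as a variable from `run_vm_with_attached_volume.sh`, or add `lifecycle { ignore_changes = [name] }` to the instance. For evidence handling, the boot disk is `destination_type = "local"` with `delete_on_termination = true`, so anything the analyst writes to the VM's root filesystem disappears with `destroy_the_vm.sh`; that deserves a comment on the boot `block_device`, and results should be copied off or written to a separate volume. The transferred evidence volume is attached read-write; consider marking it read-only in Cinder (`openstack volume set --read-only <id>`) before the VM starts so a stray mount or journal replay cannot alter the copy, and record that expectation as a header comment on the second `block_device`. `image_name` and the boot `block_device` both name the image; only one is needed.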
terraform {
backend "local" {}
}
resource "openstack_networking_network_v2" "network_default" {
count = var.internal_network_creation_enable ? 1 : 0
name = "${var.infra_name}_network"
admin_state_up = "true"
}
resource "openstack_networking_subnet_v2" "subnet_default" {
count = var.internal_subnet_creation_enable ? 1 : 0
name = "${var.infra_name}_subnet"
network_id = openstack_networking_network_v2.network_default[0].id
cidr = var.internal_network_cidr
ip_version = 4
dns_nameservers = ["1.1.1.1", "8.8.8.8"]
}
data "openstack_networking_network_v2" "external_network" {
name = var.public_external_network
}
data "openstack_networking_network_v2" "internal_shared_personal_network" {
count = var.internal_network_creation_enable == false ? 1 : 0
name = var.internal_network_name
}
data "openstack_networking_subnet_v2" "internal_shared_personal_subnet" {
count = var.internal_subnet_creation_enable == false ? 1 : 0
name = var.internal_subnet_name
}
resource "openstack_networking_router_v2" "router_default" {
count = var.router_creation_enable ? 1 : 0
name = "${var.infra_name}_infra-test"
admin_state_up = "true"
external_network_id = data.openstack_networking_network_v2.external_network.id
}
resource "openstack_networking_router_interface_v2" "router_default_interface" {
count = var.router_creation_enable ? 1 : 0
router_id = openstack_networking_router_v2.router_default[0].id
subnet_id = openstack_networking_subnet_v2.subnet_default[0].id
}
resource "openstack_networking_port_v2" "nodes_ports" {
count = 1
name = "${var.infra_name}_${var.nodes_name}_port_${count.index+1}"
network_id = var.internal_network_creation_enable ? openstack_networking_network_v2.network_default[0].id : data.openstack_networking_network_v2.internal_shared_personal_network[0].id
admin_state_up = "true"
security_group_ids = [openstack_networking_secgroup_v2.secgroup_default.id]
fixed_ip {
subnet_id = var.internal_subnet_creation_enable ? openstack_networking_subnet_v2.subnet_default[0].id : data.openstack_networking_subnet_v2.internal_shared_personal_subnet[0].id
}
}
# Floating IPs
resource "openstack_networking_floatingip_v2" "nodes_fips" {
count = 1
pool = var.public_external_network
}
resource "openstack_compute_floatingip_associate_v2" "nodes_fips_associations" {
count = 1
floating_ip = element(openstack_networking_floatingip_v2.nodes_fips.*.address, count.index)
instance_id = element(openstack_compute_instance_v2.nodes.*.id, count.index)
}
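Review bot: The subnet and router-interface resources are gated on different flags than the resources they index: `subnet_default` (count from `internal_subnet_creation_enable`) references `network_default[0]`, which only exists when `internal_network_creation_enable` is true, and `router_default_interface` (count from `router_creation_enable`) references `subnet_default[0]`, which only exists when `internal_subnet_creation_enable` is true. With the non-default combinations this fails at plan with an index error rather than a clear message; either derive one count from the other (`count = var.internal_network_creation_enable && var.internal_subnet_creation_enable ? 1 : 0`) or add `validation` blocks on the variables. The router is named `${var.infra_name}_infra-test`, which reads like a leftover from a test profile; `${var.infra_name}_router` would match the other resources. The analysis VM also gets a floating IP from the public pool unconditionally (`nodes_fips`), so the host holding the evidence copy is Internet-reachable for the whole analysis; if a public address is required, pair it with a source-restricted SSH rule in the security group.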
terraform {
required_providers {
openstack = {
source = "terraform-provider-openstack/openstack"
version = "~> 1.52.1"
}
}
}
##################################
# Define Network Security Groups #
##################################
resource "openstack_networking_secgroup_v2" "secgroup_default" {
name = "${var.infra_name}_security_group"
description = "${var.infra_name} Security group"
}
# ICMP
resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_icmp4" {
direction = "ingress"
ethertype = "IPv4"
protocol = "icmp"
port_range_min = 0
port_range_max = 0
remote_ip_prefix = "0.0.0.0/0"
security_group_id = openstack_networking_secgroup_v2.secgroup_default.id
}
# SSH
resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_ssh4" {
direction = "ingress"
ethertype = "IPv4"
protocol = "tcp"
port_range_min = 22
port_range_max = 22
remote_ip_prefix = "0.0.0.0/0"
security_group_id = openstack_networking_secgroup_v2.secgroup_default.id
}
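Review bot: `secgroup_rule_ssh4` admits TCP/22 from `0.0.0.0/0`, and since the instance gets a public floating IP this exposes the forensic host — with the compromised volume attached — to the whole Internet for the lifetime of the analysis. The analysts' source networks are known in advance, so the rule should take a list of CIDRs from a variable with no default (`variable "ssh_allowed_cidrs" { type = list(string) }` in the variables file, supplied per incident) and create one rule per prefix; the ICMP rule can stay open or reuse the same list. Egress is whatever the project's default security-group rules provide (not visible here); a comment stating that the VM has unrestricted outbound access would warn analysts before they mount or run anything from the evidence disk.
```hcl
# SSH — only from the analysts' networks, one rule per prefix
resource "openstack_networking_secgroup_rule_v2" "secgroup_rule_ssh4" {
  for_each          = toset(var.ssh_allowed_cidrs)
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 22
  port_range_max    = 22
  remote_ip_prefix  = each.value
  security_group_id = openstack_networking_secgroup_v2.secgroup_default.id
}
```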
#########################################################
# general configuration (defaults on G1 production cloud)
#########################################################
variable "infra_name" {
description = "Infrastructure (profile) name. Used as a name prefix. Must match [a-zA-Z0-9-]+ regexp."
default = "meta-cloud-security-artifact-share"
}
variable "internal_network_cidr" {
description = "Internal network address, use CIDR notation"
default = "10.10.10.0/24"
}
variable "public_external_network" {
description = "Cloud public external network pool"
default = "public-cesnet-195-113-167-GROUP"
}
variable "router_creation_enable" {
description = "Create dedicated router instance. true/false ~ create new / reuse existing personal router"
default = true
}
variable "internal_network_creation_enable" {
description = "Create dedicated internal network. true/false ~ create new / reuse existing personal network"
default = true
}
variable "internal_network_name" {
description = "Internal network name. Either dedicated new network or existing personal network name"
default = "<var.infra_name>_network"
}
variable "internal_subnet_creation_enable" {
description = "Create dedicated subnet instance. true/false ~ create new / reuse existing personal subnet"
default = true
}
variable "internal_subnet_name" {
description = "Internal network subnet name. Either dedicated new subnet or existing personal subnet name"
default = "<var.infra_name>_subnet"
}
variable "nodes_name" {
description = "Name of the nodes. Must match [a-zA-Z0-9-]+ regexp."
default = "nodes"
}
variable "nodes_flavor" {
default = "standard.large"
}
variable "nodes_image" {
description = "nodes OS: Image name"
default = "ubuntu-jammy-x86_64"
}
variable "nodes_ssh_user_name" {
default = "ubuntu"
}
variable "nodes_volume_size" {
description = "The size of the volume to create (in gigabytes) for root filesystem. "
default = "10"
}
variable "ssh_public_key_location" {
description = "Provide location of public key for which its complementary private key shall allow ssh access"
type = string
}
variable "volume_id_to_attach" {
description = "Provide volume ID"
type = string
}
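Review bot: The defaults `"<var.infra_name>_network"` and `"<var.infra_name>_subnet"` on `internal_network_name` and `internal_subnet_name` are literal strings — Terraform does not interpolate inside a `default` — so when `internal_network_creation_enable` or `internal_subnet_creation_enable` is set to false the data sources look up a network literally called `<var.infra_name>_network` and fail. Either require the names (no default) or default them to `""` and resolve at the lookup: `name = var.internal_network_name != "" ? var.internal_network_name : "${var.infra_name}_network"`. `infra_name` and `nodes_name` document a `[a-zA-Z0-9-]+` constraint but nothing enforces it; a `validation { condition = can(regex("^[a-zA-Z0-9-]+$", var.infra_name)) error_message = "..." }` block makes it real. `nodes_volume_size` defaults to the string `"10"` for a numeric attribute; `default = 10` avoids the implicit conversion.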