scottk/terraform-talos
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/terraform-talos.git synced 2025-11-02 11:18:35 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
37cea512d32d672e8f9611d356259b9bb15b9deb
terraform-talos/oracle/prepare/network-secgroup.tf
Serge Logvinov 53cee62505 Images and first run
2021-12-18 21:40:27 +02:00

343 lines
9.2 KiB
HCL
Raw Blame History

resource "oci_core_default_security_list" "main" {
compartment_id = var.compartment_ocid
manage_default_resource_id = oci_core_vcn.main.default_security_list_id
display_name = "DefaultSecurityList"
egress_security_rules {
protocol = 1
destination = oci_core_vcn.main.cidr_block
stateless = true
}
egress_security_rules {
protocol = 58
destination = oci_core_vcn.main.ipv6cidr_blocks[0]
stateless = true
}
dynamic "egress_security_rules" {
for_each = ["0.0.0.0/0", "::/0"]
content {
protocol = "all"
destination = egress_security_rules.value
stateless = false
}
}
ingress_security_rules {
protocol = 1
source = oci_core_vcn.main.cidr_block
stateless = true
}
ingress_security_rules {
protocol = 58
source = oci_core_vcn.main.ipv6cidr_blocks[0]
stateless = true
}
ingress_security_rules {
protocol = 1
source = "0.0.0.0/0"
stateless = false
icmp_options {
type = 3
code = 4
}
}
}
resource "oci_core_network_security_group" "cilium" {
display_name = "${var.project}-cilium"
compartment_id = var.compartment_ocid
vcn_id = oci_core_vcn.main.id
}
resource "oci_core_network_security_group_security_rule" "cilium_vxvlan_in" {
for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])
network_security_group_id = oci_core_network_security_group.cilium.id
protocol = "17"
direction = "INGRESS"
source = each.value
stateless = true
udp_options {
source_port_range {
min = 8472
max = 8472
}
destination_port_range {
min = 8472
max = 8472
}
}
}
resource "oci_core_network_security_group_security_rule" "cilium_vxvlan_out" {
for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])
network_security_group_id = oci_core_network_security_group.cilium.id
protocol = "17"
direction = "EGRESS"
destination = each.value
stateless = true
udp_options {
source_port_range {
min = 8472
max = 8472
}
destination_port_range {
min = 8472
max = 8472
}
}
}
resource "oci_core_network_security_group_security_rule" "cilium_health" {
for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])
network_security_group_id = oci_core_network_security_group.cilium.id
protocol = "6"
direction = "INGRESS"
source = each.value
stateless = false
tcp_options {
destination_port_range {
min = 4240
max = 4240
}
}
}
resource "oci_core_network_security_group" "talos" {
display_name = "${var.project}-talos"
compartment_id = var.compartment_ocid
vcn_id = oci_core_vcn.main.id
}
resource "oci_core_network_security_group_security_rule" "talos" {
for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])
network_security_group_id = oci_core_network_security_group.talos.id
protocol = "6"
direction = "INGRESS"
source = each.value
stateless = false
tcp_options {
destination_port_range {
min = 50000
max = 50001
}
}
}
resource "oci_core_network_security_group_security_rule" "talos_admin" {
for_each = toset(var.whitelist_admins)
network_security_group_id = oci_core_network_security_group.talos.id
protocol = "6"
direction = "INGRESS"
source = each.value
stateless = false
tcp_options {
destination_port_range {
min = 50000
max = 50001
}
}
}
resource "oci_core_network_security_group_security_rule" "ntp" {
for_each = toset(["0.0.0.0/0", "::/0"])
network_security_group_id = oci_core_network_security_group.talos.id
protocol = "17"
direction = "EGRESS"
destination = each.value
stateless = false
udp_options {
destination_port_range {
min = 123
max = 123
}
}
}
resource "oci_core_network_security_group" "contolplane_lb" {
display_name = "${var.project}-contolplane-lb"
compartment_id = var.compartment_ocid
vcn_id = oci_core_vcn.main.id
}
resource "oci_core_network_security_group_security_rule" "kubernetes" {
for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])
network_security_group_id = oci_core_network_security_group.contolplane_lb.id
protocol = "6"
direction = "INGRESS"
source = each.value
stateless = false
tcp_options {
destination_port_range {
min = 6443
max = 6443
}
}
}
resource "oci_core_network_security_group_security_rule" "kubernetes_admin" {
for_each = toset(var.whitelist_admins)
network_security_group_id = oci_core_network_security_group.contolplane_lb.id
protocol = "6"
direction = "INGRESS"
source = each.value
stateless = false
tcp_options {
destination_port_range {
min = 6443
max = 6443
}
}
}
resource "oci_core_network_security_group_security_rule" "kubernetes_talos_admin" {
for_each = toset(var.whitelist_admins)
network_security_group_id = oci_core_network_security_group.contolplane_lb.id
protocol = "6"
direction = "INGRESS"
source = each.value
stateless = false
tcp_options {
destination_port_range {
min = 50000
max = 50000
}
}
}
resource "oci_core_network_security_group" "contolplane" {
display_name = "${var.project}-contolplane"
compartment_id = var.compartment_ocid
vcn_id = oci_core_vcn.main.id
}
resource "oci_core_network_security_group_security_rule" "contolplane_kubernetes" {
for_each = toset([oci_core_vcn.main.cidr_block, oci_core_vcn.main.ipv6cidr_blocks[0]])
network_security_group_id = oci_core_network_security_group.contolplane.id
protocol = "6"
direction = "INGRESS"
source = each.value
stateless = false
tcp_options {
destination_port_range {
min = 6443
max = 6443
}
}
}
resource "oci_core_network_security_group_security_rule" "contolplane_kubernetes_admin" {
for_each = toset(var.whitelist_admins)
network_security_group_id = oci_core_network_security_group.contolplane.id
protocol = "6"
direction = "INGRESS"
source = each.value
stateless = false
tcp_options {
destination_port_range {
min = 6443
max = 6443
}
}
}
resource "oci_core_network_security_group_security_rule" "contolplane_etcd" {
for_each = toset([oci_core_vcn.main.cidr_block])
network_security_group_id = oci_core_network_security_group.contolplane.id
protocol = "6"
direction = "INGRESS"
source = each.value
stateless = false
tcp_options {
destination_port_range {
min = 2379
max = 2380
}
}
}
resource "oci_core_network_security_group" "web" {
display_name = "${var.project}-web"
compartment_id = var.compartment_ocid
vcn_id = oci_core_vcn.main.id
}
resource "oci_core_network_security_group_security_rule" "web_http_health_check" {
for_each = toset([oci_core_vcn.main.cidr_block])
network_security_group_id = oci_core_network_security_group.web.id
protocol = "6"
direction = "INGRESS"
source = each.value
stateless = false
tcp_options {
destination_port_range {
min = 80
max = 80
}
}
}
resource "oci_core_network_security_group_security_rule" "web_http_admin" {
for_each = toset(var.whitelist_admins)
network_security_group_id = oci_core_network_security_group.web.id
protocol = "6"
direction = "INGRESS"
source = each.value
stateless = false
tcp_options {
destination_port_range {
min = 80
max = 80
}
}
}
resource "oci_core_network_security_group_security_rule" "web_http" {
for_each = toset(var.whitelist_web)
network_security_group_id = oci_core_network_security_group.web.id
protocol = "6"
direction = "INGRESS"
source = each.value
stateless = false
tcp_options {
destination_port_range {
min = 80
max = 80
}
}
}
resource "oci_core_network_security_group_security_rule" "web_https" {
for_each = toset(var.whitelist_web)
network_security_group_id = oci_core_network_security_group.web.id
protocol = "6"
direction = "INGRESS"
source = each.value
stateless = false
tcp_options {
destination_port_range {
min = 443
max = 443
}
}
}
Reference in New Issue View Git Blame Copy Permalink