Move port 80 on controlplane to its own security group (#100)

benbacon · web-flow · commit 8836023cc1f7 · 2019-04-23T17:38:27.000+01:00
* Remove port 80 from control_plane_ports
* Create new security group to facilitate certbot responding to http-01 challenge
* Rename sg to make it clearer it relates to controlplane
diff --git a/security_groups.yaml b/security_groups.yaml
@@ -173,6 +173,17 @@ resources:
             port_range_min: <%port%>
             port_range_max: <%port%>
 
+  controlplane_certbot_secgroup:
+    type: OS::Neutron::SecurityGroup
+    properties:
+      name: controlplane_certbot_sg
+      rules:
+          - direction: ingress
+            protocol: tcp
+            remote_ip_prefix: 0.0.0.0/0
+            port_range_min: 80
+            port_range_max: 80
+
   proxy_controlplane_secgroup:
     type: OS::Neutron::SecurityGroup
     properties:
@@ -529,7 +540,6 @@ outputs:
   vrrp_nodes_security_group:
     description: VRRP access between tenant and net2 nodes
     value: { get_resource: vrrp_nodes_secgroup }
-
   bastion_external_security_group:
     description: Bastion external security group
     value: { get_resource: bastion_external_secgroup }
@@ -587,3 +597,6 @@ outputs:
   proxy_security_group:
     description: Net2 LB VRRP security group
     value: { get_resource: proxy_controlplane_secgroup }
+  controlplane_certbot_security_group:
+    description: Security group allowing http-01 challenge
+    value: { get_resource: controlplane_certbot_secgroup }
diff --git a/top-level-template.yaml b/top-level-template.yaml
@@ -172,7 +172,7 @@ resources:
     properties:
       template: { get_file: security_groups.yaml }
       parameters:
-        control_plane_ports: "80,443,8443"
+        control_plane_ports: "443,8443"
         data_plane_ports: "80,443"
         control_plane_sources: { get_param: control_plane_allowed_sources }
         data_plane_sources: { get_param: data_plane_allowed_sources }
@@ -224,6 +224,7 @@ resources:
           - { get_attr: [ security_groups, outputs, dns_forwarder_security_group ] }
           - { get_attr: [ security_groups, outputs, vrrp_controlplane_security_group ] }
           - { get_attr: [ security_groups, outputs, proxy_security_group ] }
+          - { get_attr: [ security_groups, outputs, controlplane_certbot_security_group ] }
 
   master_nodes_deployment:
     type: OS::Heat::Stack
