Allow public ingress from anywhere to ports 80 and 443 (#205)

* Allow public ingress from anywhere to ports 80 and 443

Signed-off-by: Noel Dcosta <[email protected]>

* Support to specify custom list of destination ports for public LB security list

Signed-off-by: Noel Dcosta <[email protected]>

* updated docs for public_lb_ports

Signed-off-by: Noel Dcosta <[email protected]>

* Updated order of variables

Signed-off-by: Noel Dcosta <[email protected]>

* Set variable type for public_lb_ports

Signed-off-by: Noel Dcosta <[email protected]>

* Updated terraform options doc

Signed-off-by: Noel Dcosta <[email protected]>

Author: Noel Dcosta

docs/configuration.adoc

@@ -195,6 +195,7 @@ The OKE Load Balancer parameters concern mainly the following:
 
 . the preferred Availability Domain you want to place the load balancers
 . the type of load balancer (public/internal)
+. the list of destination ports to allow for public ingress
 
 Even if you set the load balancer subnets to be internal, you still need to set the correct {uri-oci-loadbalancer-annotations}[annotations] when creating internal load balancers. Just setting the subnet to be private is *_not_* sufficient.
 

docs/terraformoptions.adoc

@@ -205,7 +205,7 @@ newbits = {
 
 |`bastion_access`
 |CIDR block in the form of a string to which ssh access to the bastion must be restricted to. *_ANYWHERE_* is equivalent to 0.0.0.0/0 and allows ssh access from anywhere.
-|XXX.XXX.XXX.XXX/YY
+|XYZ.XYZ.XYZ.XYZ/YZ
 |ANYWHERE
 
 |`bastion_enabled`
@@ -555,6 +555,11 @@ Refer to {uri-topology}[topology] for more thorough examples.
 |internal/public
 |public
 
+|`public_lb_ports`
+|The list of destination ports to allow for public ingress.
+|`e.g.: [80,443,8080]`
+|`[80, 443]`
+
 |`waf_enabled`
 |Whether to enable WAF monitoring and protection of public load balancers.
 |true/false

main.tf

@@ -68,8 +68,12 @@ module "network" {
   # oke load balancer network parameters
   lb_subnet_type = var.lb_subnet_type
 
+  # oke load balancer ports
+  public_lb_ports = var.public_lb_ports
+
   # waf integration
   waf_enabled = var.waf_enabled
+
 }
 
 # cluster creation for oke

modules/okenetwork/security.tf

@@ -233,11 +233,20 @@ resource "oci_core_security_list" "pub_lb_seclist_wo_waf" {
     stateless   = false
   }
 
-  ingress_security_rules {
-    description = "allow public ingress from anywhere"
-    protocol    = local.tcp_protocol
-    source      = local.anywhere
-    stateless   = false
+  dynamic "ingress_security_rules" {
+    iterator = pub_lb_ingress_iterator
+    for_each = var.public_lb_ports
+
+    content {
+      description = "allow public ingress from anywhere on specified ports"
+      protocol    = local.tcp_protocol
+      source      = local.anywhere
+      tcp_options {
+        min = pub_lb_ingress_iterator.value
+        max = pub_lb_ingress_iterator.value
+      }
+      stateless   = false
+    }
   }
 
   count = ((var.lb_subnet_type == "public" || var.lb_subnet_type == "both") && var.waf_enabled == false) ? 1 : 0

modules/okenetwork/variables.tf

@@ -35,6 +35,11 @@ variable "lb_subnet_type" {
   type = string
 }
 
+variable "public_lb_ports" {
+  type = list(number)
+}
+
 variable "waf_enabled" {
   type = bool
 }
+

terraform.tfvars.example

@@ -164,6 +164,8 @@ lb_subnet_type = "public"
 
 preferred_lb_subnets = "public"
 
+public_lb_ports = [80, 443]
+
 waf_enabled = false
 
 # ocir

variables.tf

@@ -367,6 +367,12 @@ variable "preferred_lb_subnets" {
   type        = string
 }
 
+variable "public_lb_ports" {
+  default     = [80, 443]
+  description = "List of destination ports for public LB security list."
+  type        = list(number)
+}
+
 # ocir
 variable "secret_id" {
   description = "OCID of Oracle Vault Secret"