
Commit fb9e976

author
Sean Sundberg
committed
Adds rules for subnet acl and security group (#35)
- Allows inbound and outbound ACL traffic to the internet
- Allows inbound ping, http, and https traffic

Signed-off-by: Sean Sundberg <[email protected]>
1 parent 8b54173 commit fb9e976

2 files changed

+56
-1
lines changed


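--- a/main.tf
+++ b/main.tf
@@ -124,9 +124,56 @@ data ibm_is_subnet vpc_subnet {
 identifier = local.vpc_subnets[count.index].id
 }
 
+resource null_resource open_acl_rules {
+count = !var.exists && var.vpc_subnet_count > 0 ? 1 : 0
+
+provisioner "local-exec" {
+command = "${path.module}/scripts/open-acl-rules.sh ${data.ibm_is_subnet.vpc_subnet[0].network_acl}"
+}
+}
+
+# from https://cloud.ibm.com/docs/vpc?topic=vpc-service-endpoints-for-vpc
+resource ibm_is_security_group_rule default_inbound_ping {
+count = !var.exists ? 1 : 0
+
+group = local.security_group_id
+direction = "inbound"
+remote = "0.0.0.0/0"
+
+icmp {
+type = 8
+}
+}
+
+resource ibm_is_security_group_rule default_inbound_http {
+count = !var.exists ? 1 : 0
+
+group = local.security_group_id
+direction = "inbound"
+remote = "0.0.0.0/0"
+
+tcp {
+port_min = 80
+port_max = 80
+}
+}
+
+resource ibm_is_security_group_rule default_inbound_https {
+count = !var.exists ? 1 : 0
+
+group = local.security_group_id
+direction = "inbound"
+remote = "0.0.0.0/0"
+
+tcp {
+port_min = 443
+port_max = 443
+}
+}
+
 resource ibm_container_vpc_cluster cluster {
 count = !var.exists ? 1 : 0
-depends_on = [null_resource.print_resources]
+depends_on = [null_resource.print_resources, null_resource.open_acl_rules]
 
 name = local.cluster_name
 vpc_id = local.vpc_id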
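Review bot: The three `ibm_is_security_group_rule` resources hard-code `remote = "0.0.0.0/0"`, so every cluster created with `var.exists = false` gets ICMP echo, 80 and 443 open to the whole internet with no way for a caller of this module to narrow it. A variable with the same default keeps today's behaviour while letting a deployment restrict the source, e.g. `variable "ingress_cidr" { default = "0.0.0.0/0" }` and `remote = var.ingress_cidr` on each rule. The comment above `default_inbound_ping` cites the VPC service-endpoints page, which does not say why public ingress is needed; a one-line rationale naming the workloads that need 80/443 from the internet would help the next maintainer decide whether the rules can be tightened. Separately, `null_resource.open_acl_rules` has no `triggers` and no destroy-time counterpart, so the ACL rules its local-exec adds are not re-applied if they are removed out of band and are not removed on `terraform destroy`; that is worth stating in a comment on the resource, e.g. `# one-shot: ACL rules added by the script are not tracked or cleaned up by Terraform`.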

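--- a/scripts/open-acl-rules.sh
+++ b/scripts/open-acl-rules.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+NETWORK_ACL="$1"
+
+## TODO more sophisiticated logic needed to 1) test for existing rules and 2) place this rule in the right order
+
+ibmcloud is network-acl-rule-add "${NETWORK_ACL}" allow inbound all "0.0.0.0/0" "0.0.0.0/0" --name allow-all-ingress
+ibmcloud is network-acl-rule-add "${NETWORK_ACL}" allow outbound all "0.0.0.0/0" "0.0.0.0/0" --name allow-all-egress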
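Review bot: The script has no `set -e` and never checks that `$1` was supplied, so a failed or skipped `ibmcloud is network-acl-rule-add` (missing CLI login, rule name already present on a second apply, empty ACL id) exits 0 and the local-exec provisioner in main.tf reports success while the subnet ACL is left in an unknown state. Adding `set -euo pipefail`, `NETWORK_ACL="${1:-}"` and `[ -n "$NETWORK_ACL" ] || { echo "usage: $0 <network-acl-id>" >&2; exit 1; }` at the top makes the failure visible to Terraform. The inbound rule is `allow inbound all` from any source, which is broader than the commit message's stated intent (ping, http, https) and leaves the security group as the only inbound filter for the subnet; if that is deliberate, a comment saying the security group rules in main.tf are the intended control would document it, otherwise the ACL rule could be scoped to the same protocols. The existing TODO should also spell `sophisticated` correctly.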
