M #-: Allow all traffic on EC2 instances (#922)

Set a Security Group to allow all ingress and egress traffic on AWS EC2 instances for oneprovision. Now, only iptables is in charge of filtering the traffic on hosts. Signed-off-by: Ricardo Diaz <rdiaz@opennebula.io>
2025-03-21 14:50:08 +03:00 · 2021-03-05 12:42:47 +01:00 · 2021-03-05 12:42:47 +01:00 · 05e4a60541
commit 05e4a60541
parent 537b073050
2 changed files with 93 additions and 60 deletions
--- a/src/oneprovision/lib/terraform/providers/templates/aws/cluster.erb
+++ b/src/oneprovision/lib/terraform/providers/templates/aws/cluster.erb
@ -31,16 +31,15 @@ resource "aws_route" "device_<%= obj['ID'] %>" {
    gateway_id             = aws_internet_gateway.device_<%= obj['ID'] %>.id
 }

-resource "aws_security_group" "device_<%= obj['ID'] %>_ssh" {
-  name        = "allow_ssh"
-  description = "Allow SSH inbound traffic"
+resource "aws_security_group" "device_<%= obj['ID'] %>_all" {
+  name        = "allow_all"
+  description = "Allow all traffic"
  vpc_id     = aws_vpc.device_<%= c['ID'] %>.id

  ingress {
-    description = "TLS from all"
-    from_port   = 22
-    to_port     = 22
-    protocol    = "tcp"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

@ -52,57 +51,86 @@ resource "aws_security_group" "device_<%= obj['ID'] %>_ssh" {
  }

  tags = {
-    Name = "device_<%= obj['ID'] %>_ssh"
+    Name = "device_<%= obj['ID'] %>_all"
  }
 }

-resource "aws_security_group" "device_<%= obj['ID'] %>_bgp" {
-  name        = "allow_bgp"
-  description = "Allow BGP inbound traffic"
-  vpc_id     = aws_vpc.device_<%= c['ID'] %>.id
-
-  ingress {
-    description = "BGP from <%= provision['CIDR'] ? provision['CIDR'] : '10.0.0.0/16'%>"
-    from_port   = 179
-    to_port     = 179
-    protocol    = "tcp"
-    cidr_blocks = ["<%= provision['CIDR'] ? provision['CIDR'] : '10.0.0.0/16'%>"]
-  }
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags = {
-    Name = "device_<%= obj['ID'] %>_bgp"
-  }
-}
-
-resource "aws_security_group" "device_<%= obj['ID'] %>_vxlan" {
-  name        = "allow_vxlan"
-  description = "Allow VXLAN inbound traffic"
-  vpc_id     = aws_vpc.device_<%= c['ID'] %>.id
-
-  ingress {
-    description = "VXLAN from <%= provision['CIDR'] ? provision['CIDR'] : '10.0.0.0/16'%>"
-    from_port   = 8472
-    to_port     = 8472
-    protocol    = "udp"
-    cidr_blocks = ["<%= provision['CIDR'] ? provision['CIDR'] : '10.0.0.0/16'%>"]
-  }
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags = {
-    Name = "device_<%= obj['ID'] %>_vxlan"
-  }
-}
+#
+# Find below how to provision Security Groups on AWS
+# (see host.rb how to apply them to instances)
+#
+#resource "aws_security_group" "device_<%= obj['ID'] %>_ssh" {
+#  name        = "allow_ssh"
+#  description = "Allow SSH inbound traffic"
+#  vpc_id     = aws_vpc.device_<%= c['ID'] %>.id
+#
+#  ingress {
+#    description = "SSH from all"
+#    from_port   = 22
+#    to_port     = 22
+#    protocol    = "tcp"
+#    cidr_blocks = ["0.0.0.0/0"]
+#  }
+#
+#  egress {
+#    from_port   = 0
+#    to_port     = 0
+#    protocol    = "-1"
+#    cidr_blocks = ["0.0.0.0/0"]
+#  }
+#
+#  tags = {
+#    Name = "device_<%= obj['ID'] %>_ssh"
+#  }
+#}
+#
+#resource "aws_security_group" "device_<%= obj['ID'] %>_bgp" {
+#  name        = "allow_bgp"
+#  description = "Allow BGP inbound traffic"
+#  vpc_id     = aws_vpc.device_<%= c['ID'] %>.id
+#
+#  ingress {
+#    description = "BGP from <%= provision['CIDR'] ? provision['CIDR'] : '10.0.0.0/16'%>"
+#    from_port   = 179
+#    to_port     = 179
+#    protocol    = "tcp"
+#    cidr_blocks = ["<%= provision['CIDR'] ? provision['CIDR'] : '10.0.0.0/16'%>"]
+#  }
+#
+#  egress {
+#    from_port   = 0
+#    to_port     = 0
+#    protocol    = "-1"
+#    cidr_blocks = ["0.0.0.0/0"]
+#  }
+#
+#  tags = {
+#    Name = "device_<%= obj['ID'] %>_bgp"
+#  }
+#}
+#
+#resource "aws_security_group" "device_<%= obj['ID'] %>_vxlan" {
+#  name        = "allow_vxlan"
+#  description = "Allow VXLAN inbound traffic"
+#  vpc_id     = aws_vpc.device_<%= c['ID'] %>.id
+#
+#  ingress {
+#    description = "VXLAN from <%= provision['CIDR'] ? provision['CIDR'] : '10.0.0.0/16'%>"
+#    from_port   = 8472
+#    to_port     = 8472
+#    protocol    = "udp"
+#    cidr_blocks = ["<%= provision['CIDR'] ? provision['CIDR'] : '10.0.0.0/16'%>"]
+#  }
+#
+#  egress {
+#    from_port   = 0
+#    to_port     = 0
+#    protocol    = "-1"
+#    cidr_blocks = ["0.0.0.0/0"]
+#  }
+#
+#  tags = {
+#    Name = "device_<%= obj['ID'] %>_vxlan"
+#  }
+#}

--- a/src/oneprovision/lib/terraform/providers/templates/aws/host.erb
+++ b/src/oneprovision/lib/terraform/providers/templates/aws/host.erb
@ -2,9 +2,14 @@ resource "aws_instance" "device_<%= obj['ID'] %>" {
    ami                    = "<%= provision['AMI'] %>"
    instance_type          = "<%= provision['INSTANCETYPE'] %>"

-    vpc_security_group_ids = [aws_security_group.device_<%= c['ID'] %>_ssh.id,
-                              aws_security_group.device_<%= c['ID'] %>_bgp.id,
-                              aws_security_group.device_<%= c['ID'] %>_vxlan.id]
+    vpc_security_group_ids = [ aws_security_group.device_<%= c['ID'] %>_all.id ]
+
+    #
+    # Find below how to apply on instances the SGs provisioned in host.rb
+    #
+    #vpc_security_group_ids = [aws_security_group.device_<%= c['ID'] %>_ssh.id,
+    #                          aws_security_group.device_<%= c['ID'] %>_bgp.id,
+    #                          aws_security_group.device_<%= c['ID'] %>_vxlan.id]

    subnet_id              = aws_subnet.device_<%= c['ID'] %>.id