mharb
d54f008c62
This is a quality of life fix. A single boolean controls whether public HTTP(S) traffic reaches your infrastructure.
# Public subnet of the playground VCN (10.0.0.0/28).
# Filtering at the subnet level is done solely by the security list
# referenced in security_list_ids; the network security group declared
# further down in this file is not attached here.
resource "oci_core_subnet" "vcn-public-subnet" {
  display_name = "public-subnet"
  dns_label    = "publicsubnet"

  compartment_id = oci_identity_compartment.tf-playground.id
  vcn_id         = module.vcn.vcn_id
  cidr_block     = "10.0.0.0/28"

  # NOTE(review): ig_route_id presumably is the module's internet-gateway
  # route table, which is what makes this subnet publicly reachable —
  # confirm against the vcn module outputs.
  route_table_id  = module.vcn.ig_route_id
  dhcp_options_id = oci_core_dhcp_options.dhcp-options.id

  security_list_ids = [
    oci_core_security_list.public-security-list.id,
  ]

  freeform_tags = var.tags
}
# Security list for the public subnet.
# Every rule here is stateful (stateless = false): OCI tracks the
# connection, so replies to permitted traffic need no rule of their own.
# Exposure to the internet is gated by a single boolean, var.go_live —
# see the HTTP/HTTPS rules below. SSH is never widened by that flag.
resource "oci_core_security_list" "public-security-list" {
  compartment_id = oci_identity_compartment.tf-playground.id
  vcn_id         = module.vcn.vcn_id
  display_name   = "security-list-public"
  freeform_tags  = var.tags

  # Egress: any protocol to any destination.
  egress_security_rules {
    stateless        = false
    destination      = "0.0.0.0/0"
    destination_type = "CIDR_BLOCK"
    protocol         = "all"
  }

  # SSH (TCP/22) from var.ssh_allow_range only. This rule does not depend
  # on var.go_live, so the management port stays restricted after go-live.
  # Keep var.ssh_allow_range narrow: while go_live is false it also bounds
  # who can reach HTTP/HTTPS (see below).
  ingress_security_rules {
    stateless   = false
    source      = var.ssh_allow_range
    source_type = "CIDR_BLOCK"
    protocol    = "6"
    description = "SSH traffic"

    tcp_options {
      min = 22
      max = 22
    }
  }

  ## If you wish to open further network ports to the internet,
  ## add your firewall ACLs as the following:

  # HTTPS (TCP/443). With var.go_live = true the port is open to the whole
  # internet; with false it is limited to the same range as SSH.
  ingress_security_rules {
    stateless   = false
    source      = var.go_live ? "0.0.0.0/0" : var.ssh_allow_range
    source_type = "CIDR_BLOCK"
    protocol    = "6"
    description = "HTTPs traffic"

    tcp_options {
      min = 443
      max = 443
    }
  }

  # HTTP (TCP/80), gated by var.go_live exactly like the HTTPS rule above.
  ingress_security_rules {
    stateless   = false
    source      = var.go_live ? "0.0.0.0/0" : var.ssh_allow_range
    source_type = "CIDR_BLOCK"
    protocol    = "6"
    description = "HTTP traffic"

    tcp_options {
      min = 80
      max = 80
    }
  }

  # The rules below are commented out and therefore not applied.
  # NOTE(review): the first one (ICMP type 3, code 4 from 0.0.0.0/0) is the
  # "fragmentation needed" message that Path MTU Discovery depends on. If
  # hosts in this subnet show MTU-related stalls once go_live is on,
  # re-enabling that single rule is the usual remedy. The remaining ICMP
  # rules only cover traffic from inside the VCN (10.0.0.0/16).

  # ingress_security_rules {
  # stateless = false
  # source = "0.0.0.0/0"
  # source_type = "CIDR_BLOCK"
  # protocol = "6"
  # description = "HTTPS traffic"

  # tcp_options {
  # min = 443
  # max = 443
  # }

  # ingress_security_rules {
  # stateless = false
  # source = "0.0.0.0/0"
  # source_type = "CIDR_BLOCK"
  # protocol = "1"
  # description = "ICMP Port Unreachable"
  #
  # icmp_options {
  # type = 3
  # code = 4
  # }
  # }
  #
  # ingress_security_rules {
  # stateless = false
  # source = "10.0.0.0/16"
  # source_type = "CIDR_BLOCK"
  # protocol = "1"
  # description = "ICMP Destination Unreachable"
  #
  # icmp_options {
  # type = 3
  # }
  # }
  #
  # ingress_security_rules {
  # stateless = false
  # source = "10.0.0.0/16"
  # source_type = "CIDR_BLOCK"
  # protocol = "1"
  # description = "ICMP Echo Reply"
  #
  # icmp_options {
  # type = 0
  # }
  # }
  #
  # ingress_security_rules {
  # stateless = false
  # source = "10.0.0.0/16"
  # source_type = "CIDR_BLOCK"
  # protocol = "1"
  # description = "ICMP Echo"
  #
  # icmp_options {
  # type = 8
  # }
  # }
}
# Network security group for playground VNICs. The two rules that follow
# make it a closed group: members may talk to each other on any protocol.
# NOTE(review): nothing in this file attaches the NSG to a VNIC or subnet;
# it only takes effect once an instance references it.
resource "oci_core_network_security_group" "tf-playground-network-security-group" {
  display_name = "network-security-group-tf-playground"

  compartment_id = oci_identity_compartment.tf-playground.id
  vcn_id         = module.vcn.vcn_id
  freeform_tags  = var.tags
}
# Intra-NSG ingress: accept any protocol from other members of the same
# group. The rule is stateless, so it is paired with the stateless egress
# rule below; neither direction relies on connection tracking.
resource "oci_core_network_security_group_security_rule" "tf-playground-network-security-group-list-ingress" {
  network_security_group_id = oci_core_network_security_group.tf-playground-network-security-group.id

  direction   = "INGRESS"
  protocol    = "all"
  stateless   = true

  # Source is the group itself: only VNICs in this NSG match.
  source_type = "NETWORK_SECURITY_GROUP"
  source      = oci_core_network_security_group.tf-playground-network-security-group.id
}
# Intra-NSG egress: allow any protocol towards other members of the same
# group. Stateless counterpart of the ingress rule above — both are needed
# for a two-way conversation because no connection state is kept.
resource "oci_core_network_security_group_security_rule" "tf-playground-network-security-group-list-egress" {
  network_security_group_id = oci_core_network_security_group.tf-playground-network-security-group.id

  direction = "EGRESS"
  protocol  = "all"
  stateless = true

  # Destination is the group itself: traffic leaving the NSG is not covered.
  destination_type = "NETWORK_SECURITY_GROUP"
  destination      = oci_core_network_security_group.tf-playground-network-security-group.id
}