# Custom firewall rules

A Cloudboostr deployment comes with a predefined set of firewall (security group) rules. This default set can be extended to match company policies.
## Prerequisites

- Cloudboostr packages matching the infrastructure
- A bucket holding the packages, with read/write access
- Basic knowledge of Terraform
- A utility that can unarchive and archive `tgz` files
## Required steps

- Download the `cb-opscontrol` package.
- Unpack the package, navigate to `terraform/_INFRASTRUCTURE_PROVIDER_/modules/security_groups/` and observe the directory content.
  Example for AWS:

  ```
  drwxr-xr-x@ 12 adko AD\Domain Users 384 Jun 18 14:56 .
  drwxr-xr-x@ 8 adko AD\Domain Users 256 Jun 18 14:56 ..
  -rw-r--r--@ 1 adko AD\Domain Users 275 Jun 18 14:46 bosh.tf
  -rw-r--r--@ 1 adko AD\Domain Users 48 Jun 18 14:46 concourse.tf
  -rw-r--r--@ 1 adko AD\Domain Users 244 Jun 18 13:10 default.tf
  -rw-r--r--@ 1 adko AD\Domain Users 255 Jun 18 14:46 dns.tf
  -rw-r--r--@ 1 adko AD\Domain Users 254 Jun 18 14:46 elk.tf
  -rw-r--r--@ 1 adko AD\Domain Users 279 Jun 18 14:46 grafana.tf
  -rw-r--r--@ 1 adko AD\Domain Users 279 Jun 18 14:46 jumpbox.tf
  -rw-r--r--@ 1 adko AD\Domain Users 273 Jun 18 14:46 public.tf
  -rw-r--r--@ 1 adko AD\Domain Users 324 Jun 18 13:10 vars_in.tf
  -rw-r--r--@ 1 adko AD\Domain Users 1292 Jun 18 13:10 vars_out.tf
  ```
  And for vSphere:

  ```
  -rw-r--r-- 1 adko AD\Domain Users 762 May 27 14:39 bosh.tf
  -rw-r--r-- 1 adko AD\Domain Users 792 May 27 14:39 concourse.tf
  -rw-r--r-- 1 adko AD\Domain Users 756 May 27 14:39 dns.tf
  -rw-r--r-- 1 adko AD\Domain Users 754 May 27 14:39 elk.tf
  -rw-r--r-- 1 adko AD\Domain Users 778 May 27 14:39 grafana.tf
  -rw-r--r-- 1 adko AD\Domain Users 2337 May 27 14:39 jumpbox.tf
  ```
  Each file except `vars_in.tf` and `vars_out.tf` can be modified. The exact set of files differs depending on the cloud infrastructure provider. The name of each file matches the subnet its security group is associated with.
- Pick the file that has to be changed and open it in a text editor. The format of the security group object is described in the Terraform documentation:
  - AWS: https://www.terraform.io/docs/providers/aws/r/security_group_rule.html
  - vSphere NSX-T: https://www.terraform.io/docs/providers/nsxt/r/firewall_section.html
  - OpenStack Neutron: https://www.terraform.io/docs/providers/openstack/r/networking_secgroup_rule_v2.html
  - Azure: https://www.terraform.io/docs/providers/azurerm/r/network_security_rule.html

  The default set of rules is already present in the file.

  Unnecessary modification: do not modify the security group name, id, region or any other field that is not strictly associated with firewall rules, as this may lead to deployment or upgrade failure.
- Create a path in the packages bucket for the firewall rules, `/config/_INFRASTRUCTURE_PROVIDER_/firewall`, and put the files that should be replaced there. Example:

  ```
  aws s3 sync ./custom_firewall_files s3://cloudboostr-build-packages/config/aws/firewall
  ```
- Run the `install.sh` script from the `cb-installer` package. Example:

  ```
  ./install.sh -c aws -v latest -b cloudboostr-build-packages -d /tmp/cloudboostr -e "http://minio.local:9000"
  ```

  The script output should show that the files are being downloaded and replaced:

  ```
  Downloading firewall rules
  download: s3://cloudboostr-build-packages/config/aws/firewall/bosh.tf to ../../tmp/cb-opscontrol/terraform/aws/modules/security_groups/bosh.tf
  download: s3://cloudboostr-build-packages/config/aws/firewall/concourse.tf to ../../tmp/cb-opscontrol/terraform/aws/modules/security_groups/concourse.tf
  download: s3://cloudboostr-build-packages/config/aws/firewall/dns.tf to ../../tmp/cb-opscontrol/terraform/aws/modules/security_groups/dns.tf
  download: s3://cloudboostr-build-packages/config/aws/firewall/public.tf to ../../tmp/cb-opscontrol/terraform/aws/modules/security_groups/public.tf
  download: s3://cloudboostr-build-packages/config/aws/firewall/grafana.tf to ../../tmp/cb-opscontrol/terraform/aws/modules/security_groups/grafana.tf
  download: s3://cloudboostr-build-packages/config/aws/firewall/jumpbox.tf to ../../tmp/cb-opscontrol/terraform/aws/modules/security_groups/jumpbox.tf
  download: s3://cloudboostr-build-packages/config/aws/firewall/elk.tf to ../../tmp/cb-opscontrol/terraform/aws/modules/security_groups/elk.tf
  ```
- Run `terraform init` and `terraform apply` as you would without customizing the firewall rules.
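Because the installer overwrites the default files with whatever sits in the bucket path, it pays to check the local directory before the `aws s3 sync` step: the following POSIX shell script is an added example, not part of cb-opscontrol or cb-installer, that rejects files the installer would not replace (including `vars_in.tf` and `vars_out.tf`) and any rule that grants ingress from `0.0.0.0/0` or `::/0`. It assumes the AWS file set listed above, rules written as `aws_security_group_rule` resources, and a hypothetical script name `check_firewall.sh`.

```shell
# Pre-flight check for a custom firewall rules directory, run before
# `aws s3 sync` uploads it to config/<provider>/firewall. Added example,
# not part of cb-opscontrol or cb-installer; it assumes the AWS file set
# listed above and rules written as aws_security_group_rule resources.

# Files the installer replaces; vars_in.tf and vars_out.tf must never be sent.
ALLOWED_FILES="bosh.tf concourse.tf default.tf dns.tf elk.tf grafana.tf jumpbox.tf public.tf"

# is_allowed NAME: succeeds when NAME is one of the replaceable files.
is_allowed() {
  for f in $ALLOWED_FILES; do
    [ "$f" = "$1" ] && return 0
  done
  return 1
}

# check_firewall_dir DIR: succeeds only when DIR holds nothing but replaceable
# files and no aws_security_group_rule block grants ingress from 0.0.0.0/0 or
# ::/0. Every finding is printed; the return status is 1 if any was found.
check_firewall_dir() {
  dir=$1
  rc=0
  for path in "$dir"/*; do
    [ -f "$path" ] || continue
    name=$(basename "$path")
    if ! is_allowed "$name"; then
      echo "REJECT: $name is not a replaceable security group file"
      rc=1
    fi
    # Walk each resource block: note whether it is an ingress rule and whether
    # it names a world-open CIDR, then judge the block at its closing brace.
    awk -v file="$name" '
      /^resource "aws_security_group_rule"/ { ingress = 0; open = 0 }
      /type *= *"ingress"/                  { ingress = 1 }
      /0\.0\.0\.0\/0|::\/0/                 { open = 1 }
      /^}/ {
        if (ingress && open) {
          print "REJECT: " file " grants ingress from the whole Internet"
          bad = 1
        }
        ingress = 0; open = 0
      }
      END { exit bad + 0 }
    ' "$path" || rc=1
  done
  return $rc
}

# Usage: sh check_firewall.sh ./custom_firewall_files
if [ "$#" -gt 0 ]; then check_firewall_dir "$1"; fi
```

A non-zero exit status blocks the sync in a pipeline; `public.tf` may legitimately need a world-open rule, so review its findings rather than silencing them.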