Custom firewall rules

A Cloudboostr deployment comes with a predefined set of firewall (security group) rules. This default set can be extended to match company policies.

Prerequisites

  • Cloudboostr packages matching the infrastructure
  • A bucket holding the packages, with read/write access
  • Basic knowledge of Terraform
  • A utility that can unarchive and archive tgz files

Required steps

  1. Download the cb-opscontrol package.
  2. Unpack the package, navigate to terraform/_INFRASTRUCTURE_PROVIDER_/modules/security_groups/ and inspect the directory contents:

Example for AWS:

drwxr-xr-x@ 12 adko  AD\Domain Users   384 Jun 18 14:56 .
drwxr-xr-x@  8 adko  AD\Domain Users   256 Jun 18 14:56 ..
-rw-r--r--@  1 adko  AD\Domain Users   275 Jun 18 14:46 bosh.tf
-rw-r--r--@  1 adko  AD\Domain Users    48 Jun 18 14:46 concourse.tf
-rw-r--r--@  1 adko  AD\Domain Users   244 Jun 18 13:10 default.tf
-rw-r--r--@  1 adko  AD\Domain Users   255 Jun 18 14:46 dns.tf
-rw-r--r--@  1 adko  AD\Domain Users   254 Jun 18 14:46 elk.tf
-rw-r--r--@  1 adko  AD\Domain Users   279 Jun 18 14:46 grafana.tf
-rw-r--r--@  1 adko  AD\Domain Users   279 Jun 18 14:46 jumpbox.tf
-rw-r--r--@  1 adko  AD\Domain Users   273 Jun 18 14:46 public.tf
-rw-r--r--@  1 adko  AD\Domain Users   324 Jun 18 13:10 vars_in.tf
-rw-r--r--@  1 adko  AD\Domain Users  1292 Jun 18 13:10 vars_out.tf

And vSphere:

-rw-r--r--   1 adko  AD\Domain Users   762 May 27 14:39 bosh.tf
-rw-r--r--   1 adko  AD\Domain Users   792 May 27 14:39 concourse.tf
-rw-r--r--   1 adko  AD\Domain Users   756 May 27 14:39 dns.tf
-rw-r--r--   1 adko  AD\Domain Users   754 May 27 14:39 elk.tf
-rw-r--r--   1 adko  AD\Domain Users   778 May 27 14:39 grafana.tf
-rw-r--r--   1 adko  AD\Domain Users  2337 May 27 14:39 jumpbox.tf

Each file except vars_in.tf and vars_out.tf can be modified. The exact set of files differs depending on the cloud infrastructure provider.

The name of the file matches the subnet the security group is associated with.

  3. Pick the file that has to be changed and open it in a text editor.

The format of the security group object is described in the Terraform documentation:

  • AWS: https://www.terraform.io/docs/providers/aws/r/security_group_rule.html
  • vSphere NSX-T: https://www.terraform.io/docs/providers/nsxt/r/firewall_section.html
  • OpenStack Neutron: https://www.terraform.io/docs/providers/openstack/r/networking_secgroup_rule_v2.html
  • Azure: https://www.terraform.io/docs/providers/azurerm/r/network_security_rule.html

The default set of rules is already present in the file.

Unnecessary modifications

Do not modify the security group name, id, region or any other field that is not strictly associated with firewall rules; such changes may lead to deployment or upgrade failure.

  4. Create the path /config/_INFRASTRUCTURE_PROVIDER_/firewall in the packages bucket and put the files that should be replaced there.

Example:

aws s3 sync ./custom_firewall_files s3://cloudboostr-build-packages/config/aws/firewall

  5. Run the install.sh script from the cb-installer package.

Example:

./install.sh -c aws -v latest -b cloudboostr-build-packages -d /tmp/cloudboostr -e "http://minio.local:9000"

It should be visible in the script output that the files are being downloaded and replaced:

Downloading firewall rules
download: s3://cloudboostr-build-packages/config/aws/firewall/bosh.tf to ../../tmp/cb-opscontrol/terraform/aws/modules/security_groups/bosh.tf
download: s3://cloudboostr-build-packages/config/aws/firewall/concourse.tf to ../../tmp/cb-opscontrol/terraform/aws/modules/security_groups/concourse.tf
download: s3://cloudboostr-build-packages/config/aws/firewall/dns.tf to ../../tmp/cb-opscontrol/terraform/aws/modules/security_groups/dns.tf
download: s3://cloudboostr-build-packages/config/aws/firewall/public.tf to ../../tmp/cb-opscontrol/terraform/aws/modules/security_groups/public.tf
download: s3://cloudboostr-build-packages/config/aws/firewall/grafana.tf to ../../tmp/cb-opscontrol/terraform/aws/modules/security_groups/grafana.tf
download: s3://cloudboostr-build-packages/config/aws/firewall/jumpbox.tf to ../../tmp/cb-opscontrol/terraform/aws/modules/security_groups/jumpbox.tf
download: s3://cloudboostr-build-packages/config/aws/firewall/elk.tf to ../../tmp/cb-opscontrol/terraform/aws/modules/security_groups/elk.tf

  6. Run terraform init and terraform apply as you would without customizing the firewall rules.
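The steps above can be wrapped in a pre-upload check that enforces the rule not to touch anything but the firewall rules themselves. The script below is an added example and is not part of the cb-opscontrol or cb-installer packages. It assumes the security-group files are plain HCL with one `key = value` per line and that the fields which must stay unchanged are name, vpc_id, security_group_id and region (assumed field names; this guide does not show the file contents, so adjust the list for your provider module). It rejects a custom file that alters those fields, that targets vars_in.tf or vars_out.tf, or whose name matches no default file, and only runs aws s3 sync into the bucket path from step 4 when every file passes. The sample files it checks are constructed under a temporary directory so the script runs stand-alone.

```shell
#!/usr/bin/env bash
# Added example (not part of cb-opscontrol/cb-installer): lint customized
# security-group files against the package defaults before syncing them to
# the bucket. Assumed: files are plain HCL with one `key = value` per line;
# the identity fields below are the ones the guide says must not change.
set -eu

# Print the identity fields of one .tf file as sorted "key = value" lines,
# with whitespace normalized so formatting differences are not flagged.
# (Field names are assumptions; adjust for your provider module.)
identity_fields() {
  grep -E '^[[:space:]]*(name|vpc_id|security_group_id|region)[[:space:]]*=' "$1" \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/[[:space:]]*=[[:space:]]*/ = /' | sort
}

# Check one custom file against its default counterpart.
# 0 = only rule content differs; 1 = rejected (reason is printed).
check_file() {
  local default_dir="$1" custom_dir="$2" name="$3"
  case "$name" in
    vars_in.tf|vars_out.tf)
      echo "REJECT $name: vars_in.tf and vars_out.tf must not be replaced"; return 1 ;;
  esac
  if [ ! -f "$default_dir/$name" ]; then
    echo "REJECT $name: no default file of that name (file names must match a subnet)"; return 1
  fi
  if [ "$(identity_fields "$default_dir/$name")" != "$(identity_fields "$custom_dir/$name")" ]; then
    echo "REJECT $name: security group name/id/region fields differ from the default"; return 1
  fi
  echo "OK     $name"
}

# Check every custom file; non-zero if any one is rejected.
check_custom_rules() {
  local default_dir="$1" custom_dir="$2" bad=0 f
  for f in "$custom_dir"/*.tf; do
    [ -e "$f" ] || continue
    check_file "$default_dir" "$custom_dir" "$(basename "$f")" || bad=1
  done
  return "$bad"
}

# Upload to the bucket layout from the guide, only after the check passes.
sync_rules() {
  local provider="$1" bucket="$2" custom_dir="$3" default_dir="$4"
  check_custom_rules "$default_dir" "$custom_dir" || { echo "fix rejected files before syncing"; return 1; }
  aws s3 sync "$custom_dir" "s3://$bucket/config/$provider/firewall"
}

# Constructed sample data (not real Cloudboostr files) for a stand-alone run.
make_demo() {
  local demo; demo=$(mktemp -d)
  mkdir -p "$demo/default" "$demo/custom_ok" "$demo/custom_bad"
  cat > "$demo/default/jumpbox.tf" <<'EOF'
resource "aws_security_group" "jumpbox" {
  name   = "cb-jumpbox"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
}
EOF
  # Compliant copy: identity fields unchanged, one extra corporate range allowed.
  sed 's#\["10.0.0.0/8"\]#["10.0.0.0/8", "192.168.10.0/24"]#' \
    "$demo/default/jumpbox.tf" > "$demo/custom_ok/jumpbox.tf"
  # Non-compliant copy: the security group was renamed.
  sed 's/"cb-jumpbox"/"cb-jumpbox-renamed"/' \
    "$demo/default/jumpbox.tf" > "$demo/custom_bad/jumpbox.tf"
  echo "$demo"
}

DEMO_DIR=$(make_demo)
echo "== compliant custom directory =="
check_custom_rules "$DEMO_DIR/default" "$DEMO_DIR/custom_ok"
echo "== non-compliant custom directory =="
check_custom_rules "$DEMO_DIR/default" "$DEMO_DIR/custom_bad" || true
# Real use, matching the guide's paths:
#   sync_rules aws cloudboostr-build-packages ./custom_firewall_files \
#     /tmp/cb-opscontrol/terraform/aws/modules/security_groups
```

Run the check against the security_groups directory of the unpacked package and your custom directory before step 4; a renamed group or a replaced vars_in.tf is caught here rather than at terraform apply time.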