Example of building an infrastructure with a cloud firewall
Example of building an infrastructure with a cloud firewall
This is an example of building an infrastructure that consists of:
- from a private subnet
192.168.199.0/24which contains a cloud firewall assigned to a port on the cloud router192.168.199.1; - private subnet
10.20.30.0/24that's not covered by a firewall; - of an allow rule on the firewall for outgoing traffic from the subnetwork
192.168.199.0/24in the10.20.30.0/24; - a cloud server on a subnet
192.168.199.0/24; - a cloud server on a subnet
10.20.30.0/24.
We recommend create resources in order. If you create all the resources that are described in the configuration file The Terraform creates resources regardless of the order in which they are listed in the file.
- Optional: configure your ISPs.
- Create private networks and subnets.
- Create a cloud router connected to an external network.
- Create a cloud firewall.
- Create a cloud server on a private subnet closed by a firewall.
- Create a cloud server on a private subnet that is not blocked by a firewall.
Configuration files
Example file for configuring providers
terraform {
required_providers {
selectel = {
source = "selectel/selectel"
version = "6.0.0"
}
openstack = {
source = "terraform-provider-openstack/openstack"
version = "2.1.0"
}
}
}
provider "selectel" {
domain_name = "123456"
username = "user"
password = "password"
}
resource "selectel_vpc_project_v2" "project_1" {
name = "project"
}
resource "selectel_iam_serviceuser_v1" "serviceuser_1" {
name = "username"
password = "password"
role {
role_name = "member"
scope = "project"
project_id = selectel_vpc_project_v2.project_1.id
}
}
provider "openstack" {
auth_url = "https://cloud.api.selcloud.ru/identity/v3"
domain_name = "123456"
tenant_id = selectel_vpc_project_v2.project_1.id
user_name = selectel_iam_serviceuser_v1.serviceuser_1.name
password = selectel_iam_serviceuser_v1.serviceuser_1.password
region = "ru-9"
}
Пример файла для создания инфраструктуры с облачным файрволом
resource "openstack_networking_network_v2" "protected_network_1" {
name = "protected-network"
admin_state_up = "true"
}
resource "openstack_networking_subnet_v2" "protected_subnet_1" {
name = "protected-subnet"
network_id = openstack_networking_network_v2.protected_network_1.id
cidr = "192.168.199.0/24"
}
resource "openstack_networking_network_v2" "unprotected_network_1" {
name = "unprotected-network"
admin_state_up = "true"
}
resource "openstack_networking_subnet_v2" "unprotected_subnet_1" {
name = "unprotected-subnet"
network_id = openstack_networking_network_v2.unprotected_network_1.id
cidr = "10.20.30.0/24"
}
data "openstack_networking_network_v2" "external_network_1" {
external = true
}
resource "openstack_networking_router_v2" "router_1" {
name = "router"
admin_state_up = true
external_network_id = data.openstack_networking_network_v2.external_network_1.id
}
resource "openstack_networking_router_interface_v2" "protected_router_interface_1" {
router_id = openstack_networking_router_v2.router_1.id
subnet_id = openstack_networking_subnet_v2.protected_subnet_1.id
}
resource "openstack_networking_router_interface_v2" "unprotected_router_interface_1" {
router_id = openstack_networking_router_v2.router_1.id
subnet_id = openstack_networking_subnet_v2.unprotected_subnet_1.id
}
resource "openstack_fw_rule_v2" "rule_1" {
name = "allow-protected-network-traffic-rule"
action = "allow"
protocol = "icmp"
}
resource "openstack_fw_rule_v2" "rule_2" {
name = "allow-protected-network-traffic-rule"
action = "allow"
protocol = "tcp"
source_ip_address = "192.168.199.0/24"
destination_ip_address = "10.20.30.0/24"
}
resource "openstack_fw_policy_v2" "firewall_policy_1" {
name = "ingress-firewall-policy"
audited = true
rules = [
openstack_fw_rule_v2.rule_1.id,
]
}
resource "openstack_fw_policy_v2" "firewall_policy_2" {
name = "egress-firewall-policy"
audited = true
rules = [
openstack_fw_rule_v2.rule_2.id,
]
}
resource "openstack_fw_group_v2" "group_1" {
name = "group"
admin_state_up = true
ingress_firewall_policy_id = openstack_fw_policy_v2.firewall_policy_1.id
egress_firewall_policy_id = openstack_fw_policy_v2.firewall_policy_2.id
ports = [
openstack_networking_router_interface_v2.protected_router_interface_1.port_id,
]
}
resource "selectel_vpc_keypair_v2" "keypair_protected_1" {
name = "keypair-protected"
public_key = file("~/.ssh/id_rsa.pub")
user_id = selectel_iam_serviceuser_v1.serviceuser_1.id
}
resource "openstack_networking_port_v2" "port_protected_1" {
name = "port-protected"
network_id = openstack_networking_network_v2.protected_network_1.id
fixed_ip {
subnet_id = openstack_networking_subnet_v2.protected_subnet_1.id
}
}
data "openstack_images_image_v2" "image_protected_1" {
name = "Ubuntu 20.04 LTS 64-bit"
most_recent = true
visibility = "public"
}
resource "openstack_blockstorage_volume_v3" "volume_protected_1" {
name = "boot-volume-for-protected-server"
size = "5"
image_id = data.openstack_images_image_v2.image_protected_1.id
volume_type = "fast.ru-9a"
availability_zone = "ru-9a"
enable_online_resize = true
lifecycle {
ignore_changes = [image_id]
}
}
resource "openstack_compute_instance_v2" "protected_server_1" {
name = "protected-server"
flavor_id = "4011"
key_pair = selectel_vpc_keypair_v2.keypair_protected_1.name
availability_zone = "ru-9a"
network {
port = openstack_networking_port_v2.port_protected_1.id
}
lifecycle {
ignore_changes = [image_id]
}
block_device {
uuid = openstack_blockstorage_volume_v3.volume_protected_1.id
source_type = "volume"
destination_type = "volume"
boot_index = 0
}
vendor_options {
ignore_resize_confirmation = true
}
}
resource "selectel_vpc_keypair_v2" "keypair_unprotected_1" {
name = "keypair-unprotected"
public_key = file("~/.ssh/id_rsa.pub")
user_id = selectel_iam_serviceuser_v1.serviceuser_1.id
}
resource "openstack_networking_port_v2" "port_unprotected_1" {
name = "port-unprotected"
network_id = openstack_networking_network_v2.unprotected_network_1.id
fixed_ip {
subnet_id = openstack_networking_subnet_v2.unprotected_subnet_1.id
}
}
data "openstack_images_image_v2" "image_unprotected_1" {
name = "Ubuntu 20.04 LTS 64-bit"
most_recent = true
visibility = "public"
}
resource "openstack_blockstorage_volume_v3" "volume_unprotected_1" {
name = "boot-volume-for-unprotected-server"
size = "5"
image_id = data.openstack_images_image_v2.image_unprotected_1.id
volume_type = "fast.ru-9a"
availability_zone = "ru-9a"
enable_online_resize = true
lifecycle {
ignore_changes = [image_id]
}
}
resource "openstack_compute_instance_v2" "unprotected_server_1" {
name = "unprotected-server"
flavor_id = "4011"
key_pair = selectel_vpc_keypair_v2.keypair_unprotected_1.name
availability_zone = "ru-9a"
network {
port = openstack_networking_port_v2.port_unprotected_1.id
}
lifecycle {
ignore_changes = [image_id]
}
block_device {
uuid = openstack_blockstorage_volume_v3.volume_unprotected_1.id
source_type = "volume"
destination_type = "volume"
boot_index = 0
}
vendor_options {
ignore_resize_confirmation = true
}
}
optional: configure providers
If you're set up the ISPs Selectel and OpenStack, skip this step.
-
Make sure that in the control panel you created a service user with the Account Administrator and User Administrator roles.
-
Create a directory to store the configuration files and a separate file with the extension
.tfto configure the ISPs. -
Add Selectel and OpenStack providers to the file to configure the providers:
terraform {
required_providers {
selectel = {
source = "selectel/selectel"
version = "6.0.0"
}
openstack = {
source = "terraform-provider-openstack/openstack"
version = "2.1.0"
}
}
}Here
version— версии провайдеров. Актуальную версию можно посмотреть в документации Selectel (в Terraform Registry и GitHub) и OpenStack (в Terraform Registry и GitHub).Подробнее о продуктах, услугах и сервисах, которыми можно управлять с помощью провайдеров, в инструкции Провайдеры Selectel и OpenStack.
-
Инициализируйте провайдер Selectel:
provider "selectel" {
domain_name = "123456"
username = "user"
password = "password"
}Здесь:
domain_name— номер аккаунта Selectel. Можно посмотреть в панели управления в правом верхнем углу;username— имя сервисного пользователя с ролями Администратор аккаунта и Администратор пользователей. Можно посмотреть в панели управления: раздел Управление доступом → Управление пользователями → вкладка Сервисные пользователи (раздел доступен только Владельцу аккаунта и Администратору пользователей);password— пароль сервисного пользователя. Можно посмотреть при создании пользователя или изменить на новый.
-
Создайте проект:
resource "selectel_vpc_project_v2" "project_1" {
name = "project"
}Посмотрите подробное описание ресурса selectel_vpc_project_v2.
-
Создайте сервисного пользователя для доступа к проекту и назначьте ему роль Администратор проекта:
resource "selectel_iam_serviceuser_v1" "serviceuser_1" {
name = "username"
password = "password"
role {
role_name = "member"
scope = "project"
project_id = selectel_vpc_project_v2.project_1.id
}
}Здесь:
username— имя пользователя;password— пароль пользователя. Пароль должен быть не короче восьми символов и содержать латинские буквы разных регистров и цифры;project_id— ID проекта. Можно посмотреть в панели управления: раздел Облачная платформа → откройте меню проектов (название текущего проекта) → в строке нужного проекта нажмите .
Посмотрите подробное описание ресурса selectel_iam_serviceuser_v1.
-
Инициализируйте провайдер OpenStack:
provider "openstack" {
auth_url = "https://cloud.api.selcloud.ru/identity/v3"
domain_name = "123456"
tenant_id = selectel_vpc_project_v2.project_1.id
user_name = selectel_iam_serviceuser_v1.serviceuser_1.name
password = selectel_iam_serviceuser_v1.serviceuser_1.password
region = "ru-9"
}Здесь:
domain_name— номер аккаунта Selectel. Можно посмотреть в панели управления в правом верхнем углу;region— пул, напримерru-9. Все ресурсы будут создаваться в этом пуле. Список доступных пулов можно посмотреть в инструкции Матрицы доступности.
-
Если одновременно с настройкой провайдеров вы создаете ресурсы, то для ресурсов OpenStack добавьте аргумент
depends_on. Например, для ресурса openstack_networking_network_v2:resource "openstack_networking_network_v2" "network_1" {
name = "private-network"
admin_state_up = "true"
depends_on = [
selectel_vpc_project_v2.project_1,
selectel_iam_serviceuser_v1.serviceuser_1
]
} -
Опционально: если вы хотите испол�ьзовать зеркало, создайте отдельный конфигурационный файл Terraform CLI и добавьте в него блок:
provider_installation {
network_mirror {
url = "https://tf-proxy.selectel.ru/mirror/v1/"
include = ["registry.terraform.io/*/*"]
}
direct {
exclude = ["registry.terraform.io/*/*"]
}
}Подробнее о настройках зеркал в инструкции CLI Configuration File документации HashiCorp.
-
Откройте CLI.
-
Инициализируйте конфигурацию Terraform в директории:
terraform init -
Проверьте, что конфигурационные файлы составлены без ошибок:
terraform validate -
Отформатируйте конфигурационные файлы:
terraform fmt -
Проверьте, какие ресурсы будут созданы:
terraform plan -
Примените изменения и создайте ресурсы:
terraform apply -
По�дтвердите создание — введите yes и нажмите Enter. Созданные ресурсы отобразятся в панели управления.
-
Если для создания ресурсов оказалось недостаточно квот, увеличьте квоты.
Create private networks and subnets
- Create a network and subnet to be closed by the firewall.
- Create a network and subnet that will not be closed by the firewall.
Create a network and subnet to be closed by the firewall
resource "openstack_networking_network_v2" "protected_network_1" {
name = "protected-network"
admin_state_up = "true"
}
resource "openstack_networking_subnet_v2" "protected_subnet_1" {
name = "protected-subnet"
network_id = openstack_networking_network_v2.protected_network_1.id
cidr = "192.168.199.0/24"
}
Here. cidr — CIDR of the private subnet that will be closed by the firewall, e.g. 192.168.199.0/24.
See a detailed description of the resources:
Create a network and subnet that will not be closed by the firewall
resource "openstack_networking_network_v2" "unprotected_network_1" {
name = "unprotected-network"
admin_state_up = "true"
}
resource "openstack_networking_subnet_v2" "unprotected_subnet_1" {
name = "unprotected-subnet"
network_id = openstack_networking_network_v2.unprotected_network_1.id
cidr = "10.20.30.0/24"
}
Here. cidr — CIDR of a private subnet that will not be closed by the firewall, e.g. 10.20.30.0/24.
See a detailed description of the resources:
Create a cloud router connected to an external network
A cloud router connected to an external network acts as a 1:1 NAT for access from a private network to the Internet through the public IP address of the router.
data "openstack_networking_network_v2" "external_network_1" {
external = true
}
resource "openstack_networking_router_v2" "router_1" {
name = "router"
admin_state_up = true
external_network_id = data.openstack_networking_network_v2.external_network_1.id
}
resource "openstack_networking_router_interface_v2" "protected_router_interface_1" {
router_id = openstack_networking_router_v2.router_1.id
subnet_id = openstack_networking_subnet_v2.protected_subnet_1.id
}
resource "openstack_networking_router_interface_v2" "unprotected_router_interface_1" {
router_id = openstack_networking_router_v2.router_1.id
subnet_id = openstack_networking_subnet_v2.unprotected_subnet_1.id
}
See a detailed description of the resources:
- openstack_networking_network_v2;
- openstack_networking_router_v2;
- openstack_networking_router_interface_v2.
Create a cloud firewall
- Create rules.
- Create a policy for inbound traffic.
- Create a policy for outbound traffic.
- Create a cloud firewall.
Create rules
A cloud firewall has a basic property: all inbound and outbound traffic that is not allowed is denied.
Until you add allowing rules will be banned:
- traffic entering the private subnet that is connected to the router;
- traffic originating from this subnet.
resource "openstack_fw_rule_v2" "rule_1" {
name = "allow-protected-network-traffic-rule"
action = "allow"
protocol = "icmp"
}
resource "openstack_fw_rule_v2" "rule_2" {
name = "allow-protected-network-traffic-rule"
action = "allow"
protocol = "tcp"
source_ip_address = "192.168.199.0/24"
destination_ip_address = "10.20.30.0/24"
}
Check out the detailed description of the resource openstack_fw_rule_v2.
Create a policy for inbound traffic
resource "openstack_fw_policy_v2" "firewall_policy_1" {
name = "ingress-firewall-policy"
audited = true
rules = [
openstack_fw_rule_v2.rule_1.id,
]
}
Check out the detailed description of the resource openstack_fw_policy_v2.
Create a policy for outgoing traffic
resource "openstack_fw_policy_v2" "firewall_policy_2" {
name = "egress-firewall-policy"
audited = true
rules = [
openstack_fw_rule_v2.rule_2.id,
]
}
Check out the detailed description of the resource openstack_fw_policy_v2.
Create a cloud firewall
resource "openstack_fw_group_v2" "group_1" {
name = "group"
admin_state_up = true
ingress_firewall_policy_id = openstack_fw_policy_v2.firewall_policy_1.id
egress_firewall_policy_id = openstack_fw_policy_v2.firewall_policy_2.id
ports = [
openstack_networking_router_interface_v2.protected_router_interface_1.port_id,
]
}
Check out the detailed description of the resource openstack_fw_group_v2.
Create a cloud server on a private subnet that is closed by a firewall
- Create an SSH key pair.
- Create a port for the cloud server.
- Get an image.
- Create a bootable network disk.
- Create a cloud server.
Create an SSH key pair
resource "selectel_vpc_keypair_v2" "keypair_protected_1" {
name = "keypair-protected"
public_key = file("~/.ssh/id_rsa.pub")
user_id = selectel_iam_serviceuser_v1.serviceuser_1.id
}
Here. public_key — path to the public SSH key. If SSH keys have not been created, generate them.
Check out the detailed description of the resource selectel_vpc_keypair_v2.
Create a port for the cloud server
resource "openstack_networking_port_v2" "port_protected_1" {
name = "port-protected"
network_id = openstack_networking_network_v2.protected_network_1.id
fixed_ip {
subnet_id = openstack_networking_subnet_v2.protected_subnet_1.id
}
}
Check out the detailed description of the resource openstack_networking_port_v2.
Get an image
data "openstack_images_image_v2" "image_protected_1" {
name = "Ubuntu 20.04 LTS 64-bit"
most_recent = true
visibility = "public"
}
Check out the detailed description of the data source openstack_images_image_v2.
Create a bootable network disk
resource "openstack_blockstorage_volume_v3" "volume_protected_1" {
name = "boot-volume-for-protected-server"
size = "5"
image_id = data.openstack_images_image_v2.image_protected_1.id
volume_type = "fast.ru-9a"
availability_zone = "ru-9a"
enable_online_resize = true
lifecycle {
ignore_changes = [image_id]
}
}
Here:
size— disk size in GB. Consider network disk limits to the maximum size;volume_type— ID or name network drive type. For example,fast.ru-9a— name to create a network drive with the SSD type Fast in the pool segment ru-9a. The list of types can be seen in the table List of network disk types in all pool segments.
Check out the detailed description of the resource openstack_blockstorage_volume_v3.
Create a cloud server
resource "openstack_compute_instance_v2" "protected_server_1" {
name = "protected-server"
flavor_id = "4011"
key_pair = selectel_vpc_keypair_v2.keypair_protected_1.name
availability_zone = "ru-9a"
network {
port = openstack_networking_port_v2.port_protected_1.id
}
lifecycle {
ignore_changes = [image_id]
}
block_device {
uuid = openstack_blockstorage_volume_v3.volume_protected_1.id
source_type = "volume"
destination_type = "volume"
boot_index = 0
}
vendor_options {
ignore_resize_confirmation = true
}
}
Here:
availability_zone— pool segment where the cloud server will be created, e.g.ru-9a. The list of available pool segments can be found in the instructions Availability matrix;flavor_id— Flavor ID. The flavors correspond to cloud server configurations and determine the number of vCPUs, RAM and local disk size (optional) of the server. You can use fixed configuration flavors. For example,4011— ID to create a Memory Line fixed-configuration server with 2 vCPUs, 16 GB RAM in a ru-9 pool. The list of flavors can be viewed in the table List of fixed-configuration flavorings in all pools.
Check out the detailed description of the resource openstack_compute_instance_v2.
Create a cloud server on a private subnet that is not blocked by a firewall
- Create an SSH key pair.
- Create a port for the cloud server.
- Get an image.
- Create a bootable network disk.
- Create a cloud server.
Create an SSH key pair
resource "selectel_vpc_keypair_v2" "keypair_unprotected_1" {
name = "keypair-unprotected"
public_key = file("~/.ssh/id_rsa.pub")
user_id = selectel_iam_serviceuser_v1.serviceuser_1.id
}
Here. public_key — path to the public SSH key. If SSH keys have not been created, generate them.
Check out the detailed description of the resource selectel_vpc_keypair_v2.
Create a port for the cloud server
resource "openstack_networking_port_v2" "port_unprotected_1" {
name = "port-unprotected"
network_id = openstack_networking_network_v2.unprotected_network_1.id
fixed_ip {
subnet_id = openstack_networking_subnet_v2.unprotected_subnet_1.id
}
}
Check out the detailed description of the resource openstack_networking_port_v2.
Get an image
data "openstack_images_image_v2" "image_unprotected_1" {
name = "Ubuntu 20.04 LTS 64-bit"
most_recent = true
visibility = "public"
}
Check out the detailed description of the data source openstack_images_image_v2.
Create a bootable network disk
resource "openstack_blockstorage_volume_v3" "volume_unprotected_1" {
name = "boot-volume-for-unprotected-server"
size = "5"
image_id = data.openstack_images_image_v2.image_unprotected_1.id
volume_type = "fast.ru-9a"
availability_zone = "ru-9a"
enable_online_resize = true
lifecycle {
ignore_changes = [image_id]
}
}
Here:
size— disk size in GB. Consider network disk limits to the maximum size;volume_type— ID or name network drive type. For example,fast.ru-9a— name to create a network drive with the SSD type Fast in the pool segment ru-9a. The list of types can be seen in the table List of network disk types in all pool segments.
Check out the detailed description of the resource openstack_blockstorage_volume_v3.
Create a cloud server
resource "openstack_compute_instance_v2" "unprotected_server_1" {
name = "unprotected-server"
flavor_id = "4011"
key_pair = selectel_vpc_keypair_v2.keypair_unprotected_1.name
availability_zone = "ru-9a"
network {
port = openstack_networking_port_v2.port_unprotected_1.id
}
lifecycle {
ignore_changes = [image_id]
}
block_device {
uuid = openstack_blockstorage_volume_v3.volume_unprotected_1.id
source_type = "volume"
destination_type = "volume"
boot_index = 0
}
vendor_options {
ignore_resize_confirmation = true
}
}
Here:
availability_zone— pool segment where the cloud server will be created, e.g.ru-9a. The list of available pool segments can be found in the instructions Availability matrix;flavor_id— Flavor ID. The flavors correspond to cloud server configurations and determine the number of vCPUs, RAM and local disk size (optional) of the server. You can use fixed configuration flavors. For example,4011— ID to create a Memory Line fixed configuration server with 2 vCPUs, 16 GB RAM in a ru-9 pool. The list of flavors can be viewed in the table List of fixed-configuration flavorings in all pools.
Check out the detailed description of the resource openstack_compute_instance_v2.