Example of building infrastructure with a cloud firewall via Terraform
This is an example of building infrastructure that consists of:
- from the private subnet
192.168.199.0/24, where the cloud firewall assigned to the cloud router port192.168.199.1is located; - private subnet
10.20.30.0/24, not protected by a firewall; - an allow rule on the firewall for egress traffic from subnet
192.168.199.0/24to10.20.30.0/24; - a cloud server in the
192.168.199.0/24subnet; - a cloud server in the
10.20.30.0/24subnet.
We recommend creating resources in order. If you create all resources at once, Terraform will account for dependencies between resources that you specified in the configuration file. If dependencies are not specified, resources will be created in parallel, which may lead to errors. For instance, a resource required for creating another resource might not have been created yet.
- Optional: configure providers.
- Create private networks and subnets.
- Create a cloud router connected to the internet.
- Create a cloud firewall.
- Create a cloud server in a private subnet protected by a firewall.
- Create a cloud server in a private subnet not protected by a firewall.
Configuration files
Example file for configuring providers
terraform {
required_providers {
selectel = {
source = "selectel/selectel"
version = "~> 6.0"
}
openstack = {
source = "terraform-provider-openstack/openstack"
version = "2.1.0"
}
}
}
provider "selectel" {
domain_name = "123456"
username = "user"
password = "password"
auth_region = "ru-9"
auth_url = "https://cloud.api.selcloud.ru/identity/v3/"
}
resource "selectel_vpc_project_v2" "project_1" {
name = "project"
}
resource "selectel_iam_serviceuser_v1" "serviceuser_1" {
name = "username"
password = "password"
role {
role_name = "member"
scope = "project"
project_id = selectel_vpc_project_v2.project_1.id
}
}
provider "openstack" {
auth_url = "https://cloud.api.selcloud.ru/identity/v3"
domain_name = "123456"
tenant_id = selectel_vpc_project_v2.project_1.id
user_name = selectel_iam_serviceuser_v1.serviceuser_1.name
password = selectel_iam_serviceuser_v1.serviceuser_1.password
region = "ru-9"
}
Example file for building infrastructure with a cloud firewall
resource "openstack_networking_network_v2" "protected_network_1" {
name = "protected-network"
admin_state_up = "true"
}
resource "openstack_networking_subnet_v2" "protected_subnet_1" {
name = "protected-subnet"
network_id = openstack_networking_network_v2.protected_network_1.id
cidr = "192.168.199.0/24"
}
resource "openstack_networking_network_v2" "unprotected_network_1" {
name = "unprotected-network"
admin_state_up = "true"
}
resource "openstack_networking_subnet_v2" "unprotected_subnet_1" {
name = "unprotected-subnet"
network_id = openstack_networking_network_v2.unprotected_network_1.id
cidr = "10.20.30.0/24"
}
data "openstack_networking_network_v2" "external_network_1" {
external = true
}
resource "openstack_networking_router_v2" "router_1" {
name = "router"
admin_state_up = true
external_network_id = data.openstack_networking_network_v2.external_network_1.id
}
resource "openstack_networking_router_interface_v2" "protected_router_interface_1" {
router_id = openstack_networking_router_v2.router_1.id
subnet_id = openstack_networking_subnet_v2.protected_subnet_1.id
}
resource "openstack_networking_router_interface_v2" "unprotected_router_interface_1" {
router_id = openstack_networking_router_v2.router_1.id
subnet_id = openstack_networking_subnet_v2.unprotected_subnet_1.id
}
resource "openstack_fw_rule_v2" "rule_1" {
name = "allow-protected-network-traffic-rule"
action = "allow"
protocol = "icmp"
}
resource "openstack_fw_rule_v2" "rule_2" {
name = "allow-protected-network-traffic-rule"
action = "allow"
protocol = "tcp"
source_ip_address = "192.168.199.0/24"
destination_ip_address = "10.20.30.0/24"
}
resource "openstack_fw_policy_v2" "firewall_policy_1" {
name = "ingress-firewall-policy"
audited = true
rules = [
openstack_fw_rule_v2.rule_1.id,
]
}
resource "openstack_fw_policy_v2" "firewall_policy_2" {
name = "egress-firewall-policy"
audited = true
rules = [
openstack_fw_rule_v2.rule_2.id,
]
}
resource "openstack_fw_group_v2" "group_1" {
name = "group"
admin_state_up = true
ingress_firewall_policy_id = openstack_fw_policy_v2.firewall_policy_1.id
egress_firewall_policy_id = openstack_fw_policy_v2.firewall_policy_2.id
ports = [
openstack_networking_router_interface_v2.protected_router_interface_1.port_id,
]
}
resource "selectel_vpc_keypair_v2" "keypair_protected_1" {
name = "keypair-protected"
public_key = file("~/.ssh/id_rsa.pub")
user_id = selectel_iam_serviceuser_v1.serviceuser_1.id
}
resource "openstack_networking_port_v2" "port_protected_1" {
name = "port-protected"
network_id = openstack_networking_network_v2.protected_network_1.id
fixed_ip {
subnet_id = openstack_networking_subnet_v2.protected_subnet_1.id
}
}
data "openstack_images_image_v2" "image_protected_1" {
name = "Ubuntu 20.04 LTS 64-bit"
most_recent = true
visibility = "public"
}
resource "openstack_blockstorage_volume_v3" "volume_protected_1" {
name = "boot-volume-for-protected-server"
size = "5"
image_id = data.openstack_images_image_v2.image_protected_1.id
volume_type = "fast.ru-9a"
availability_zone = "ru-9a"
enable_online_resize = true
lifecycle {
ignore_changes = [image_id]
}
}
resource "openstack_compute_instance_v2" "protected_server_1" {
name = "protected-server"
flavor_id = "1015"
key_pair = selectel_vpc_keypair_v2.keypair_protected_1.name
availability_zone = "ru-9a"
network {
port = openstack_networking_port_v2.port_protected_1.id
}
lifecycle {
ignore_changes = [image_id]
}
block_device {
uuid = openstack_blockstorage_volume_v3.volume_protected_1.id
source_type = "volume"
destination_type = "volume"
boot_index = 0
}
vendor_options {
ignore_resize_confirmation = true
}
}
resource "selectel_vpc_keypair_v2" "keypair_unprotected_1" {
name = "keypair-unprotected"
public_key = file("~/.ssh/id_rsa.pub")
user_id = selectel_iam_serviceuser_v1.serviceuser_1.id
}
resource "openstack_networking_port_v2" "port_unprotected_1" {
name = "port-unprotected"
network_id = openstack_networking_network_v2.unprotected_network_1.id
fixed_ip {
subnet_id = openstack_networking_subnet_v2.unprotected_subnet_1.id
}
}
data "openstack_images_image_v2" "image_unprotected_1" {
name = "Ubuntu 20.04 LTS 64-bit"
most_recent = true
visibility = "public"
}
resource "openstack_blockstorage_volume_v3" "volume_unprotected_1" {
name = "boot-volume-for-unprotected-server"
size = "5"
image_id = data.openstack_images_image_v2.image_unprotected_1.id
volume_type = "fast.ru-9a"
availability_zone = "ru-9a"
enable_online_resize = true
lifecycle {
ignore_changes = [image_id]
}
}
resource "openstack_compute_instance_v2" "unprotected_server_1" {
name = "unprotected-server"
flavor_id = "1015"
key_pair = selectel_vpc_keypair_v2.keypair_unprotected_1.name
availability_zone = "ru-9a"
network {
port = openstack_networking_port_v2.port_unprotected_1.id
}
lifecycle {
ignore_changes = [image_id]
}
block_device {
uuid = openstack_blockstorage_volume_v3.volume_unprotected_1.id
source_type = "volume"
destination_type = "volume"
boot_index = 0
}
vendor_options {
ignore_resize_confirmation = true
}
}
1. Optional: configure providers
If you have configured the Selectel and OpenStack providers, skip this step.
-
Make sure that in the control panel you have created a service user with the
memberrole in the Account access scope andiam.admin. -
Create a directory to store configuration files and a separate file with the
.tfextension to configure providers. -
Add the Selectel and OpenStack providers to the file for provider configuration:
terraform {required_providers {selectel = {source = "selectel/selectel"version = "~> 7.1.0"}openstack = {source = "terraform-provider-openstack/openstack"version = "2.1.0"}}}Here
versionis the provider version. The current version can be found in the Selectel documentation (in Terraform Registry and GitHub) and OpenStack (in Terraform Registry and GitHub).For more information about products, services, and features that can be managed using providers, see the Selectel and OpenStack Providers guide.
-
Initialize the Selectel provider:
provider "selectel" {domain_name = "123456"username = "user"password = "password"auth_region = "ru-9"auth_url = "https://cloud.api.selcloud.ru/identity/v3/"}Where:
domain_name— Selectel account number. You can find it in the control panel in the top-right corner;username— name of the service user with thememberrole in the Account access scope andiam.admin. You can view it in the control panel: in the top menu, click IAM → Service Users section (the section is only available to the Account Owner and a user with theiam.adminrole);password— service user password. You can view it when creating the user or change it to a new one;auth_region— pool for authorization, for example,ru-9. You can create resources in other pools. A list of available pools can be found in the Availability Matrix guide.
-
Create a project:
resource "selectel_vpc_project_v2" "project_1" {name = "project"}See a detailed description of the selectel_vpc_project_v2 resource.
-
Create a service user to access the project and assign them the
memberrole in the Project access scope:resource "selectel_iam_serviceuser_v1" "serviceuser_1" {name = "username"password = "password"role {role_name = "member"scope = "project"project_id = selectel_vpc_project_v2.project_1.id}}Where:
-
username— username; -
password— user password. The password must be at least 20 characters long and include at least:- one uppercase and one lowercase Latin letter (
A-Z,a-z); - one digit (
0-9); - one special character from the ASCII Printable 7-Bit Special Characters list:
!"#$%&'()*+,-./:;<=>?@[]^_{|}~;
- one uppercase and one lowercase Latin letter (
-
project_id— project ID. You can find it in the control panel: in the top menu, click Products and select Cloud Servers → open the projects menu → in the row of the target project, click .
See a detailed description of the selectel_iam_serviceuser_v1 resource.
-
-
Initialize the OpenStack provider:
provider "openstack" {auth_url = "https://cloud.api.selcloud.ru/identity/v3"domain_name = "123456"tenant_id = selectel_vpc_project_v2.project_1.iduser_name = selectel_iam_serviceuser_v1.serviceuser_1.namepassword = selectel_iam_serviceuser_v1.serviceuser_1.passwordregion = "ru-9"}Where:
domain_name— Selectel account number. You can find it in the control panel in the top-right corner;region— pool, for example,ru-9. All resources will be created in this pool. A list of available pools can be found in the Availability Matrix guide.
-
If you are creating resources while configuring providers, add the
depends_onargument for OpenStack resources. For example, for the openstack_networking_network_v2 resource:resource "openstack_networking_network_v2" "network_1" {name = "private-network"admin_state_up = "true"depends_on = [selectel_vpc_project_v2.project_1,selectel_iam_serviceuser_v1.serviceuser_1]} -
Optional: if you want to use a mirror, create a separate Terraform CLI configuration file and add the following block to it:
provider_installation {network_mirror {url = "https://tf-proxy.selectel.ru/mirror/v1/"include = ["registry.terraform.io/*/*"]}direct {exclude = ["registry.terraform.io/*/*"]}}Read more about mirror settings in the CLI Configuration File guide in the HashiCorp documentation.
-
Open the CLI.
-
Initialize the Terraform configuration in the directory:
terraform init -
Verify that the configuration files are syntactically correct:
terraform validate -
Format the configuration files:
terraform fmt -
Check which resources will be created:
terraform plan -
Apply the changes and create the resources:
terraform apply -
Confirm creation — enter yes and press Enter. The created resources will appear in the control panel.
-
If quotas were insufficient to create the resources, increase the quotas.
2. Create private networks and subnets
- Create a network and subnet that will be protected by a firewall.
- Create a network and subnet that will not be protected by a firewall.
1. Create a network and subnet that will be protected by a firewall
resource "openstack_networking_network_v2" "protected_network_1" {
name = "protected-network"
admin_state_up = "true"
}
resource "openstack_networking_subnet_v2" "protected_subnet_1" {
name = "protected-subnet"
network_id = openstack_networking_network_v2.protected_network_1.id
cidr = "192.168.199.0/24"
}
Where cidr is the CIDR of the private subnet that will be protected by a firewall, for example 192.168.199.0/24.
See the detailed resource description:
2. Create a network and subnet that will not be protected by a firewall
resource "openstack_networking_network_v2" "unprotected_network_1" {
name = "unprotected-network"
admin_state_up = "true"
}
resource "openstack_networking_subnet_v2" "unprotected_subnet_1" {
name = "unprotected-subnet"
network_id = openstack_networking_network_v2.unprotected_network_1.id
cidr = "10.20.30.0/24"
}
Where cidr is the CIDR of the private subnet that will not be protected by a firewall, for example 10.20.30.0/24.
See the detailed resource description:
3. Create a cloud router connected to the internet
The cloud router connected to the internet performs 1:1 NAT for accessing the internet from a private network using the router's public IP address.
data "openstack_networking_network_v2" "external_network_1" {
external = true
}
resource "openstack_networking_router_v2" "router_1" {
name = "router"
admin_state_up = true
external_network_id = data.openstack_networking_network_v2.external_network_1.id
}
resource "openstack_networking_router_interface_v2" "protected_router_interface_1" {
router_id = openstack_networking_router_v2.router_1.id
subnet_id = openstack_networking_subnet_v2.protected_subnet_1.id
}
resource "openstack_networking_router_interface_v2" "unprotected_router_interface_1" {
router_id = openstack_networking_router_v2.router_1.id
subnet_id = openstack_networking_subnet_v2.unprotected_subnet_1.id
}
See the detailed resource description:
- openstack_networking_network_v2;
- openstack_networking_router_v2;
- openstack_networking_router_interface_v2.
4. Create a cloud firewall
- Create rules.
- Create an ingress traffic policy.
- Create an egress traffic policy.
- Create a cloud firewall.
1. Create rules
A cloud firewall has a basic property: all incoming and outgoing traffic that is not allowed is blocked.
Until you add allow rules, the following will be blocked:
- traffic entering the private subnet that is connected to the router;
- traffic exiting this subnet.
resource "openstack_fw_rule_v2" "rule_1" {
name = "allow-protected-network-traffic-rule"
action = "allow"
protocol = "icmp"
}
resource "openstack_fw_rule_v2" "rule_2" {
name = "allow-protected-network-traffic-rule"
action = "allow"
protocol = "tcp"
source_ip_address = "192.168.199.0/24"
destination_ip_address = "10.20.30.0/24"
}
See the detailed description of the openstack_fw_rule_v2 resource.
2. Create an ingress traffic policy
resource "openstack_fw_policy_v2" "firewall_policy_1" {
name = "ingress-firewall-policy"
audited = true
rules = [
openstack_fw_rule_v2.rule_1.id,
]
}
See a detailed description of the openstack_fw_policy_v2 resource.
3. Create an egress traffic policy
resource "openstack_fw_policy_v2" "firewall_policy_2" {
name = "egress-firewall-policy"
audited = true
rules = [
openstack_fw_rule_v2.rule_2.id,
]
}
See the detailed description of the openstack_fw_policy_v2 resource.
4. Create a cloud firewall
resource "openstack_fw_group_v2" "group_1" {
name = "group"
admin_state_up = true
ingress_firewall_policy_id = openstack_fw_policy_v2.firewall_policy_1.id
egress_firewall_policy_id = openstack_fw_policy_v2.firewall_policy_2.id
ports = [
openstack_networking_router_interface_v2.protected_router_interface_1.port_id,
]
}
See the detailed description of the openstack_fw_group_v2 resource.
5. Create a cloud server in a private subnet protected by a firewall
- Create an SSH key pair.
- Create a port for the cloud server.
- Get an image.
- Create a boot network volume.
- Create a cloud server.
1. Create an SSH key pair
resource "selectel_vpc_keypair_v2" "keypair_protected_1" {
name = "keypair-protected"
public_key = file("~/.ssh/id_rsa.pub")
user_id = selectel_iam_serviceuser_v1.serviceuser_1.id
}
Where public_key is the path to the public SSH key. If SSH keys are not created, generate them.
See the detailed description of the selectel_vpc_keypair_v2 resource.
2. Create a port for the cloud server
resource "openstack_networking_port_v2" "port_protected_1" {
name = "port-protected"
network_id = openstack_networking_network_v2.protected_network_1.id
fixed_ip {
subnet_id = openstack_networking_subnet_v2.protected_subnet_1.id
}
}
See the detailed description of the openstack_networking_port_v2 resource.
3. Get an image
data "openstack_images_image_v2" "image_protected_1" {
name = "Ubuntu 20.04 LTS 64-bit"
most_recent = true
visibility = "public"
}
See the detailed description of the openstack_images_image_v2 data source.
4. Create a boot network volume
resource "openstack_blockstorage_volume_v3" "volume_protected_1" {
name = "boot-volume-for-protected-server"
size = "5"
image_id = data.openstack_images_image_v2.image_protected_1.id
volume_type = "fast.ru-9a"
availability_zone = "ru-9a"
enable_online_resize = true
lifecycle {
ignore_changes = [image_id]
}
}
Where:
sizeis the volume size in GB. Observe the limits of the network volumes for maximum size;volume_typeis the ID or name of the network volume type. For example,fast.ru-9ais the name to create a network volume with the Fast SSD type in the pool segment ru-9a. The list of types can be viewed in the table List of network volume types in all pool segments.
See the detailed description of the openstack_blockstorage_volume_v3 resource.
5. Create a cloud server
resource "openstack_compute_instance_v2" "protected_server_1" {
name = "protected-server"
flavor_id = "1015"
key_pair = selectel_vpc_keypair_v2.keypair_protected_1.name
availability_zone = "ru-9a"
network {
port = openstack_networking_port_v2.port_protected_1.id
}
lifecycle {
ignore_changes = [image_id]
}
block_device {
uuid = openstack_blockstorage_volume_v3.volume_protected_1.id
source_type = "volume"
destination_type = "volume"
boot_index = 0
}
vendor_options {
ignore_resize_confirmation = true
}
}
Where:
availability_zone— pool segment, in which the cloud server will be created, for exampleru-9a. The list of available pool segments can be viewed in the Availability Matrix instruction;flavor_idis the flavor ID. Flavors correspond to cloud server configurations and specify the amount of vCPU, RAM, and local disk size (optional) of the server. You can use fixed configuration flavors. For example,1015is the ID to create a server with a fixed configuration of the Standard line with 4 vCPU, 16 GB RAM in the ru-9 pool. The list of flavors can be viewed in the table List of fixed configuration flavors in all pools.
See the detailed description of the openstack_compute_instance_v2 resource.
6. Create a cloud server in a private subnet not protected by a firewall
- Create an SSH key pair.
- Create a port for the cloud server.
- Get an image.
- Create a boot network volume.
- Create a cloud server.
1. Create an SSH key pair
resource "selectel_vpc_keypair_v2" "keypair_unprotected_1" {
name = "keypair-unprotected"
public_key = file("~/.ssh/id_rsa.pub")
user_id = selectel_iam_serviceuser_v1.serviceuser_1.id
}
Where public_key is the path to the public SSH key. If SSH keys are not created, generate them.
See the detailed description of the selectel_vpc_keypair_v2 resource.
2. Create a port for the cloud server
resource "openstack_networking_port_v2" "port_unprotected_1" {
name = "port-unprotected"
network_id = openstack_networking_network_v2.unprotected_network_1.id
fixed_ip {
subnet_id = openstack_networking_subnet_v2.unprotected_subnet_1.id
}
}
See the detailed description of the openstack_networking_port_v2 resource.
3. Get an image
data "openstack_images_image_v2" "image_unprotected_1" {
name = "Ubuntu 20.04 LTS 64-bit"
most_recent = true
visibility = "public"
}
See the detailed description of the openstack_images_image_v2 data source.
4. Create a boot network volume
resource "openstack_blockstorage_volume_v3" "volume_unprotected_1" {
name = "boot-volume-for-unprotected-server"
size = "5"
image_id = data.openstack_images_image_v2.image_unprotected_1.id
volume_type = "fast.ru-9a"
availability_zone = "ru-9a"
enable_online_resize = true
lifecycle {
ignore_changes = [image_id]
}
}
Where:
sizeis the volume size in GB. Observe the limits of the network volumes for maximum size;volume_typeis the ID or name of the network volume type. For example,fast.ru-9ais the name to create a network volume with the Fast SSD type in the pool segment ru-9a. The list of types can be viewed in the table List of network volume types in all pool segments.
See the detailed description of the openstack_blockstorage_volume_v3 resource.
5. Create a cloud server
resource "openstack_compute_instance_v2" "unprotected_server_1" {
name = "unprotected-server"
flavor_id = "1015"
key_pair = selectel_vpc_keypair_v2.keypair_unprotected_1.name
availability_zone = "ru-9a"
network {
port = openstack_networking_port_v2.port_unprotected_1.id
}
lifecycle {
ignore_changes = [image_id]
}
block_device {
uuid = openstack_blockstorage_volume_v3.volume_unprotected_1.id
source_type = "volume"
destination_type = "volume"
boot_index = 0
}
vendor_options {
ignore_resize_confirmation = true
}
}
Where:
availability_zone— pool segment, in which the cloud server will be created, for exampleru-9a. The list of available pool segments can be viewed in the Availability Matrix instruction;flavor_idis the flavor ID. Flavors correspond to cloud server configurations and specify the amount of vCPU, RAM, and local disk size (optional) of the server. You can use fixed configuration flavors. For example,1015is the ID to create a server with a fixed configuration of the Standard line with 4 vCPU, 16 GB RAM in the ru-9 pool. The list of flavors can be viewed in the table List of fixed configuration flavors in all pools.
See the detailed description of the openstack_compute_instance_v2 resource.