Example of building an infrastructure with a cloud firewall
This is an example of building an infrastructure that consists of:
- from the private subnet
192.168.199.0/24
, which contains the cloud firewall assigned to the cloud router port192.168.199.1
; 10.20.30.0/24
private subnet10.20.30.0/24
, not closed by a firewall;- Enabling rule on the firewall for outgoing traffic from subnet
192.168.199.0/24
to10.20.30.0/24
; - cloud server on the
192.168.199.0/24
subnet; - cloud server on the
10.20.30.0/24
subnet.
We recommend that you create resources in order. If you create all resources at once, Terraform will take into account the dependencies between resources that you specify in the configuration file. If dependencies are not specified, resources will be created in parallel, which can cause errors. For example, a resource that is required to create another resource may not have been created yet.
- Optional: configure the providers.
- Create private networks and subnets.
- Create a cloud router connected to an external network.
- Create a cloud firewall.
- Create a cloud server on a private subnet that is closed by a firewall.
- Create a cloud server on a private subnet that is not blocked by a firewall.
Configuration files
Example file for configuring providers
terraform {
required_providers {
servercore = {
source = "terraform.servercore.com/servercore/servercore"
version = "~> 6.0"
}
openstack = {
source = "terraform-provider-openstack/openstack"
version = "2.1.0"
}
}
}
provider "servercore" {
domain_name = "123456"
username = "user"
password = "password"
auth_region = "ru-9"
auth_url = "https://cloud.api.selcloud.ru/identity/v3/"
}
resource "servercore_project_v2" "project_1" {
name = "project"
}
resource "servercore_iam_serviceuser_v1" "serviceuser_1" {
name = "username"
password = "password"
role {
role_name = "member"
scope = "project"
project_id = servercore_project_v2.project_1.id
}
}
provider "openstack" {
auth_url = "https://cloud.api.selcloud.ru/identity/v3"
domain_name = "123456"
tenant_id = servercore_project_v2.project_1.id
user_name = servercore_iam_serviceuser_v1.serviceuser_1.name
password = servercore_iam_serviceuser_v1.serviceuser_1.password
region = "ru-9"
}
Sample file for creating an infrastructure with a cloud firewall
resource "openstack_networking_network_v2" "protected_network_1" {
name = "protected-network"
admin_state_up = "true"
}
resource "openstack_networking_subnet_v2" "protected_subnet_1" {
name = "protected-subnet"
network_id = openstack_networking_network_v2.protected_network_1.id
cidr = "192.168.199.0/24"
}
resource "openstack_networking_network_v2" "unprotected_network_1" {
name = "unprotected-network"
admin_state_up = "true"
}
resource "openstack_networking_subnet_v2" "unprotected_subnet_1" {
name = "unprotected-subnet"
network_id = openstack_networking_network_v2.unprotected_network_1.id
cidr = "10.20.30.0/24"
}
data "openstack_networking_network_v2" "external_network_1" {
external = true
}
resource "openstack_networking_router_v2" "router_1" {
name = "router"
admin_state_up = true
external_network_id = data.openstack_networking_network_v2.external_network_1.id
}
resource "openstack_networking_router_interface_v2" "protected_router_interface_1" {
router_id = openstack_networking_router_v2.router_1.id
subnet_id = openstack_networking_subnet_v2.protected_subnet_1.id
}
resource "openstack_networking_router_interface_v2" "unprotected_router_interface_1" {
router_id = openstack_networking_router_v2.router_1.id
subnet_id = openstack_networking_subnet_v2.unprotected_subnet_1.id
}
resource "openstack_fw_rule_v2" "rule_1" {
name = "allow-protected-network-traffic-rule"
action = "allow"
protocol = "icmp"
}
resource "openstack_fw_rule_v2" "rule_2" {
name = "allow-protected-network-traffic-rule"
action = "allow"
protocol = "tcp"
source_ip_address = "192.168.199.0/24"
destination_ip_address = "10.20.30.0/24"
}
resource "openstack_fw_policy_v2" "firewall_policy_1" {
name = "ingress-firewall-policy"
audited = true
rules = [
openstack_fw_rule_v2.rule_1.id,
]
}
resource "openstack_fw_policy_v2" "firewall_policy_2" {
name = "egress-firewall-policy"
audited = true
rules = [
openstack_fw_rule_v2.rule_2.id,
]
}
resource "openstack_fw_group_v2" "group_1" {
name = "group"
admin_state_up = true
ingress_firewall_policy_id = openstack_fw_policy_v2.firewall_policy_1.id
egress_firewall_policy_id = openstack_fw_policy_v2.firewall_policy_2.id
ports = [
openstack_networking_router_interface_v2.protected_router_interface_1.port_id,
]
}
resource "servercore_keypair_v2" "keypair_protected_1" {
name = "keypair-protected"
public_key = file("~/.ssh/id_rsa.pub")
user_id = servercore_iam_serviceuser_v1.serviceuser_1.id
}
resource "openstack_networking_port_v2" "port_protected_1" {
name = "port-protected"
network_id = openstack_networking_network_v2.protected_network_1.id
fixed_ip {
subnet_id = openstack_networking_subnet_v2.protected_subnet_1.id
}
}
data "openstack_images_image_v2" "image_protected_1" {
name = "Ubuntu 20.04 LTS 64-bit"
most_recent = true
visibility = "public"
}
resource "openstack_blockstorage_volume_v3" "volume_protected_1" {
name = "boot-volume-for-protected-server"
size = "5"
image_id = data.openstack_images_image_v2.image_protected_1.id
volume_type = "fast.ru-9a"
availability_zone = "ru-9a"
enable_online_resize = true
lifecycle {
ignore_changes = [image_id]
}
}
resource "openstack_compute_instance_v2" "protected_server_1" {
name = "protected-server"
flavor_id = "4011"
key_pair = servercore_keypair_v2.keypair_protected_1.name
availability_zone = "ru-9a"
network {
port = openstack_networking_port_v2.port_protected_1.id
}
lifecycle {
ignore_changes = [image_id]
}
block_device {
uuid = openstack_blockstorage_volume_v3.volume_protected_1.id
source_type = "volume"
destination_type = "volume"
boot_index = 0
}
vendor_options {
ignore_resize_confirmation = true
}
}
resource "servercore_keypair_v2" "keypair_unprotected_1" {
name = "keypair-unprotected"
public_key = file("~/.ssh/id_rsa.pub")
user_id = servercore_iam_serviceuser_v1.serviceuser_1.id
}
resource "openstack_networking_port_v2" "port_unprotected_1" {
name = "port-unprotected"
network_id = openstack_networking_network_v2.unprotected_network_1.id
fixed_ip {
subnet_id = openstack_networking_subnet_v2.unprotected_subnet_1.id
}
}
data "openstack_images_image_v2" "image_unprotected_1" {
name = "Ubuntu 20.04 LTS 64-bit"
most_recent = true
visibility = "public"
}
resource "openstack_blockstorage_volume_v3" "volume_unprotected_1" {
name = "boot-volume-for-unprotected-server"
size = "5"
image_id = data.openstack_images_image_v2.image_unprotected_1.id
volume_type = "fast.ru-9a"
availability_zone = "ru-9a"
enable_online_resize = true
lifecycle {
ignore_changes = [image_id]
}
}
resource "openstack_compute_instance_v2" "unprotected_server_1" {
name = "unprotected-server"
flavor_id = "4011"
key_pair = servercore_keypair_v2.keypair_unprotected_1.name
availability_zone = "ru-9a"
network {
port = openstack_networking_port_v2.port_unprotected_1.id
}
lifecycle {
ignore_changes = [image_id]
}
block_device {
uuid = openstack_blockstorage_volume_v3.volume_unprotected_1.id
source_type = "volume"
destination_type = "volume"
boot_index = 0
}
vendor_options {
ignore_resize_confirmation = true
}
}
1. Optional: configure providers
If you have configured Servercore and OpenStack providers, skip this step.
-
Ensure that in the Control Panel you have created a service user with the Account Administrator and User Administrator roles.
-
Create a directory to store the configuration files and a separate file with a
.tf
extension to configure the providers. -
Add Servercore and OpenStack providers to the file to configure the providers:
terraform {
required_providers {
servercore = {
source = "terraform.servercore.com/servercore/servercore"
version = "~> 6.0"
}
openstack = {
source = "terraform-provider-openstack/openstack"
version = "2.1.0"
}
}
}Here
version
—versions of
providers. The current version of the Openstack provider can be found in Terraform Registry and GitHub.Learn more about the products, services, and services that can be managed with providers in the Servercore and OpenStack Providers instruction.
-
Initialize the Servercore provider:
provider "servercore" {
domain_name = "123456"
username = "user"
password = "password"
auth_region = "ru-9"
auth_url = "https://cloud.api.selcloud.ru/identity/v3/"
}Here:
domain_name
— Servercore account number. You can look it up in control panel in the upper right corner;username
— username service user with the roles Account Administrator and User Administrator. Can be viewed in the control panel section Access Control → User Management → tab Service Users (the section is available only to the Account Owner and User Administrator);password
— password of the service user. You can view it when creating a user or change it to a new one;auth_region
— pool for exampleru-9
. All resources will be created in this pool. The list of available pools can be found in the instructions Availability matrices.
-
Create a project:
resource "servercore_project_v2" "project_1" {
name = "project"
}View a detailed description of the servercore_vpc_project_v2 resource.
-
Create a service user to access the project and assign the Project Administrator role to it:
resource "servercore_iam_serviceuser_v1" "serviceuser_1" {
name = "username"
password = "password"
role {
role_name = "member"
scope = "project"
project_id = servercore_project_v2.project_1.id
}
}Here:
username
— username;password
— user password. The password must be no shorter than eight characters and contain Latin letters of different cases and digits;project_id
— Project ID. You can view it in control panel: section Cloud Platform → open the projects menu (the name of the current project) → in the line of the required project press .
View a detailed description of the servercore_iam_serviceuser_v1 resource.
-
Initialize the OpenStack provider:
provider "openstack" {
auth_url = "https://cloud.api.selcloud.ru/identity/v3"
domain_name = "123456"
tenant_id = servercore_project_v2.project_1.id
user_name = servercore_iam_serviceuser_v1.serviceuser_1.name
password = servercore_iam_serviceuser_v1.serviceuser_1.password
region = "ru-9"
}Here:
domain_name
— Servercore account number. You can look it up in control panel in the upper right corner;region
— pool for exampleru-9
. All resources will be created in this pool. The list of available pools can be found in the instructions Availability matrices.
-
If you create resources at the same time as configuring providers, add the
depends_on
argument for OpenStack resources . For example, for the resource openstack_networking_network_v2:resource "openstack_networking_network_v2" "network_1" {
name = "private-network"
admin_state_up = "true"
depends_on = [
servercore_project_v2.project_1,
servercore_iam_serviceuser_v1.serviceuser_1
]
} -
Open the CLI.
-
Initialize the Terraform configuration in the directory:
terraform init
-
Check that the configuration files have been compiled without errors:
terraform validate
-
Format the configuration files:
terraform fmt
-
Check the resources that will be created:
terraform plan
-
Apply the changes and create the resources:
terraform apply
-
Confirm the creation — type yes and press Enter. The created resources are displayed in the control panel.
-
If there were not enough quotas to create resources, increase the quotas.
2. Create private networks and subnets
- Create a network and subnet that will be closed by the firewall.
- Create a network and subnet that will not be closed by the firewall.
1. Create a network and subnet that will be closed by the firewall
resource "openstack_networking_network_v2" "protected_network_1" {
name = "protected-network"
admin_state_up = "true"
}
resource "openstack_networking_subnet_v2" "protected_subnet_1" {
name = "protected-subnet"
network_id = openstack_networking_network_v2.protected_network_1.id
cidr = "192.168.199.0/24"
}
Here cidr
is the CIDR of the private subnet that will be closed by the firewall, for example 192.168.199.0/24
.
See a detailed description of the resources:
2. Create a network and subnet that will not be closed by the firewall
resource "openstack_networking_network_v2" "unprotected_network_1" {
name = "unprotected-network"
admin_state_up = "true"
}
resource "openstack_networking_subnet_v2" "unprotected_subnet_1" {
name = "unprotected-subnet"
network_id = openstack_networking_network_v2.unprotected_network_1.id
cidr = "10.20.30.0/24"
}
Here cidr
is the CIDR of the private subnet that will not be closed by the firewall, e.g. 10.20.30.0/24
.
See a detailed description of the resources:
3. Create a cloud router connected to an external network
A cloud router connected to an external network acts as a 1:1 NAT for access from a private network to the Internet through the public IP address of the router.
data "openstack_networking_network_v2" "external_network_1" {
external = true
}
resource "openstack_networking_router_v2" "router_1" {
name = "router"
admin_state_up = true
external_network_id = data.openstack_networking_network_v2.external_network_1.id
}
resource "openstack_networking_router_interface_v2" "protected_router_interface_1" {
router_id = openstack_networking_router_v2.router_1.id
subnet_id = openstack_networking_subnet_v2.protected_subnet_1.id
}
resource "openstack_networking_router_interface_v2" "unprotected_router_interface_1" {
router_id = openstack_networking_router_v2.router_1.id
subnet_id = openstack_networking_subnet_v2.unprotected_subnet_1.id
}
See a detailed description of the resources:
- openstack_networking_network_v2;
- openstack_networking_router_v2;
- openstack_networking_router_interface_v2.
4. Create a cloud firewall
- Create rules.
- Create a policy for inbound traffic.
- Create a policy for outbound traffic.
- Create a cloud firewall.
1. Create rules
A cloud firewall has a basic property: all inbound and outbound traffic that is not allowed is denied.
Until you add allowing rules will be banned:
- traffic entering the private subnet that is connected to the router;
- traffic originating from this subnet.
resource "openstack_fw_rule_v2" "rule_1" {
name = "allow-protected-network-traffic-rule"
action = "allow"
protocol = "icmp"
}
resource "openstack_fw_rule_v2" "rule_2" {
name = "allow-protected-network-traffic-rule"
action = "allow"
protocol = "tcp"
source_ip_address = "192.168.199.0/24"
destination_ip_address = "10.20.30.0/24"
}
View the detailed resource description of openstack_fw_rule_v2.
2. Create a policy for inbound traffic
resource "openstack_fw_policy_v2" "firewall_policy_1" {
name = "ingress-firewall-policy"
audited = true
rules = [
openstack_fw_rule_v2.rule_1.id,
]
}
Check out the detailed resource description of openstack_fw_policy_v2.
3. Create a policy for outgoing traffic
resource "openstack_fw_policy_v2" "firewall_policy_2" {
name = "egress-firewall-policy"
audited = true
rules = [
openstack_fw_rule_v2.rule_2.id,
]
}
Check out the detailed resource description of openstack_fw_policy_v2.
4. Create a cloud firewall
resource "openstack_fw_group_v2" "group_1" {
name = "group"
admin_state_up = true
ingress_firewall_policy_id = openstack_fw_policy_v2.firewall_policy_1.id
egress_firewall_policy_id = openstack_fw_policy_v2.firewall_policy_2.id
ports = [
openstack_networking_router_interface_v2.protected_router_interface_1.port_id,
]
}
View a detailed description of the openstack_fw_group_v2 resource.
5. Create a cloud server on a private subnet that is closed by a firewall
- Create an SSH key pair.
- Create a port for the cloud server.
- Get an image.
- Create a bootable network disk.
- Create a cloud server.
1. Create an SSH key pair
resource "servercore_keypair_v2" "keypair_protected_1" {
name = "keypair-protected"
public_key = file("~/.ssh/id_rsa.pub")
user_id = servercore_iam_serviceuser_v1.serviceuser_1.id
}
Here public_key
is the path to the public SSH key
. If SSH keys are not created, generate them.
View a detailed description of the servercore_vpc_keypair_v2 resource.
2. Create a port for the cloud server
resource "openstack_networking_port_v2" "port_protected_1" {
name = "port-protected"
network_id = openstack_networking_network_v2.protected_network_1.id
fixed_ip {
subnet_id = openstack_networking_subnet_v2.protected_subnet_1.id
}
}
View a detailed description of the openstack_networking_port_v2 resource.
3. Get an image
data "openstack_images_image_v2" "image_protected_1" {
name = "Ubuntu 20.04 LTS 64-bit"
most_recent = true
visibility = "public"
}
See the detailed description of the openstack_images_image_v2 data source.
4. Create a bootable network disk
resource "openstack_blockstorage_volume_v3" "volume_protected_1" {
name = "boot-volume-for-protected-server"
size = "5"
image_id = data.openstack_images_image_v2.image_protected_1.id
volume_type = "fast.ru-9a"
availability_zone = "ru-9a"
enable_online_resize = true
lifecycle {
ignore_changes = [image_id]
}
}
Here:
size
— disk size in GB. Take into account network disk limits on the maximum size;volume_type
— ID or name of the network disk type. For example,fast.ru-9a
— name to create a network disk with the SSD type Fast in the pool segment ru-9a. The list of types can be viewed in the table List of network disk types in all pool segments.
View a detailed description of the openstack_blockstorage_volume_v3 resource.
5. Create a cloud server
resource "openstack_compute_instance_v2" "protected_server_1" {
name = "protected-server"
flavor_id = "4011"
key_pair = servercore_keypair_v2.keypair_protected_1.name
availability_zone = "ru-9a"
network {
port = openstack_networking_port_v2.port_protected_1.id
}
lifecycle {
ignore_changes = [image_id]
}
block_device {
uuid = openstack_blockstorage_volume_v3.volume_protected_1.id
source_type = "volume"
destination_type = "volume"
boot_index = 0
}
vendor_options {
ignore_resize_confirmation = true
}
}
Here:
availability_zone
— pool segment in which the cloud server will be created, e.g.ru-9a
. The list of available pool segments can be found in the instructions. Availability matrices;flavor_id
— Flavor ID. The flavors correspond to cloud server configurations and determine the number of vCPUs, RAM, and local disk size (optional) of the server. You can use flavorors of fixed configurations. For example,4011
— ID to create a Memory Line fixed configuration server with 2 vCPUs, 16 GB RAM in a ru-9 pool. The list of flavors can be viewed in the table List of fixed configuration flavors in all pools.
View the detailed resource description of openstack_compute_instance_v2.
6. Create a cloud server on a private subnet that is not blocked by a firewall
- Create an SSH key pair.
- Create a port for the cloud server.
- Get an image.
- Create a bootable network disk.
- Create a cloud server.
1. Create an SSH key pair
resource "servercore_keypair_v2" "keypair_unprotected_1" {
name = "keypair-unprotected"
public_key = file("~/.ssh/id_rsa.pub")
user_id = servercore_iam_serviceuser_v1.serviceuser_1.id
}
Here public_key
is the path to the public SSH key
. If SSH keys are not created, generate them.
View a detailed description of the servercore_vpc_keypair_v2 resource.
2. Create a port for the cloud server
resource "openstack_networking_port_v2" "port_unprotected_1" {
name = "port-unprotected"
network_id = openstack_networking_network_v2.unprotected_network_1.id
fixed_ip {
subnet_id = openstack_networking_subnet_v2.unprotected_subnet_1.id
}
}
View a detailed description of the openstack_networking_port_v2 resource.
3. Get an image
data "openstack_images_image_v2" "image_unprotected_1" {
name = "Ubuntu 20.04 LTS 64-bit"
most_recent = true
visibility = "public"
}
See the detailed description of the openstack_images_image_v2 data source.
4. Create a bootable network disk
resource "openstack_blockstorage_volume_v3" "volume_unprotected_1" {
name = "boot-volume-for-unprotected-server"
size = "5"
image_id = data.openstack_images_image_v2.image_unprotected_1.id
volume_type = "fast.ru-9a"
availability_zone = "ru-9a"
enable_online_resize = true
lifecycle {
ignore_changes = [image_id]
}
}
Here:
size
— disk size in GB. Take into account network disk limits on the maximum size;volume_type
— ID or name of the network disk type. For example,fast.ru-9a
— name to create a network disk with the SSD type Fast in the pool segment ru-9a. The list of types can be viewed in the table List of network disk types in all pool segments.
View a detailed description of the openstack_blockstorage_volume_v3 resource.
5. Create a cloud server
resource "openstack_compute_instance_v2" "unprotected_server_1" {
name = "unprotected-server"
flavor_id = "4011"
key_pair = servercore_keypair_v2.keypair_unprotected_1.name
availability_zone = "ru-9a"
network {
port = openstack_networking_port_v2.port_unprotected_1.id
}
lifecycle {
ignore_changes = [image_id]
}
block_device {
uuid = openstack_blockstorage_volume_v3.volume_unprotected_1.id
source_type = "volume"
destination_type = "volume"
boot_index = 0
}
vendor_options {
ignore_resize_confirmation = true
}
}
Here:
availability_zone
— pool segment in which the cloud server will be created, e.g.ru-9a
. The list of available pool segments can be found in the instructions. Availability matrices;flavor_id
— Flavor ID. The flavors correspond to cloud server configurations and determine the number of vCPUs, RAM, and local disk size (optional) of the server. You can use flavorors of fixed configurations. For example,4011
— ID to create a Memory Line fixed configuration server with 2 vCPUs, 16 GB RAM in a ru-9 pool. The list of flavors can be viewed in the table List of fixed configuration flavors in all pools.
View the detailed resource description of openstack_compute_instance_v2.