@hazcod
Last active October 15, 2019 05:51
locals {
  # 443 is HTTPS; the original listed 433, which is not a service the description names.
  # var.ssh_port is used directly: wrapping it in "${...}" is redundant in Terraform 0.12.
  instanceTcpPorts = [var.ssh_port, 80, 443, 7946]
  instanceUdpPorts = [7946, 4789]
  managerTcpPorts  = [var.ssh_port, 80, 443, 2377, 7946]
  managerUdpPorts  = [7946, 4789]
}

# Requires the Scaleway provider >= 1.11: inbound_default_policy, stateful and the
# inbound_rule blocks exist only on scaleway_instance_security_group, not on the
# older scaleway_security_group resource.
# Workers only need the gossip (7946 TCP/UDP) and VXLAN overlay (4789 UDP) ports.
resource "scaleway_instance_security_group" "swarm_instance" {
  name                    = "swarm_instances"
  description             = "Allow SSH, HTTP(S) and internal Swarm traffic"
  inbound_default_policy  = "drop"
  outbound_default_policy = "accept"
  stateful                = true

  # A rule without ip/ip_range accepts traffic from any source, including
  # the Swarm-internal ports below.
  dynamic "inbound_rule" {
    for_each = local.instanceTcpPorts
    content {
      action   = "accept"
      port     = inbound_rule.value
      protocol = "TCP"
    }
  }

  dynamic "inbound_rule" {
    for_each = local.instanceUdpPorts
    content {
      action   = "accept"
      port     = inbound_rule.value
      protocol = "UDP"
    }
  }
}

# Managers additionally accept 2377/TCP (cluster management / join API).
resource "scaleway_instance_security_group" "swarm_manager" {
  name                    = "swarm_managers"
  description             = "Allow SSH, HTTP(S) and internal Swarm traffic"
  inbound_default_policy  = "drop"
  outbound_default_policy = "accept"
  stateful                = true

  dynamic "inbound_rule" {
    for_each = local.managerTcpPorts
    content {
      action   = "accept"
      port     = inbound_rule.value
      protocol = "TCP"
    }
  }

  dynamic "inbound_rule" {
    for_each = local.managerUdpPorts
    content {
      action   = "accept"
      port     = inbound_rule.value
      protocol = "UDP"
    }
  }
}
kindermoumoute commented Oct 14, 2019

Hi, I recommend you use the latest Scaleway Terraform plugin (1.11+), because the security group resource was reworked in that version. Now, if you combine it with Terraform's for_each feature, you can get a very clean config for your use case:

provider "scaleway" {
  region  = "fr-par"
  zone    = "fr-par-1"
  version = "~> 1.11"
}

locals {
  # 443 is HTTPS; the comment as posted had 433, which matches none of the
  # services in the description.
  tcpPorts = [22, 80, 443, 2377, 7946]
  udpPorts = [7946, 4789]
}

resource "scaleway_instance_security_group" "swarm_managers" {
  name                    = "swarm_managers"
  description             = "Whitelist HTTP(S), SSH and Swarm traffic"
  inbound_default_policy  = "drop"
  outbound_default_policy = "accept"

  # One rule per port; no ip_range, so each port is open to any source.
  dynamic "inbound_rule" {
    for_each = local.tcpPorts

    content {
      action   = "accept"
      port     = inbound_rule.value
      protocol = "TCP"
    }
  }

  dynamic "inbound_rule" {
    for_each = local.udpPorts

    content {
      action   = "accept"
      port     = inbound_rule.value
      protocol = "UDP"
    }
  }
}

See the security group rules generated by this config (from the console): (screenshot of the console rule list, not reproduced here)

hazcod commented Oct 15, 2019

That's indeed a really clean way to do that @kindermoumoute! Thanks!
I will adapt this gist and my code at https://github.com/ironPeakServices/infrastructure/blob/feat/dockersecurity/modules/node/security-groups.tf
I might split it up so the swarm manager ports are not being exposed on regular swarm instances.
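The split the author mentions can be done without duplicating the two resources: put the per-role port lists in one map, use a resource-level for_each to create one security group per role, and give the Swarm-internal rules an ip_range so 2377, 7946 and 4789 are only reachable from the node subnet rather than from the whole internet. The following is an added example, not code from the gist or from either commenter; the variable names, the local names and the 10.0.0.0/16 node subnet are assumptions, and it targets the scaleway_instance_security_group resource from provider 1.11+ with Terraform 0.12.6+ (resource for_each).

```hcl
# Added example: one security group per Swarm role from a single map.
# Assumed values (not from the original): var.ssh_port, var.node_cidr, local names.

variable "ssh_port" {
  type    = number
  default = 22
}

variable "node_cidr" {
  description = "Source range allowed to reach Swarm-internal ports (assumed subnet)"
  type        = string
  default     = "10.0.0.0/16"
}

locals {
  # Ports that must stay reachable from anywhere.
  public_tcp = [var.ssh_port, 80, 443]

  # Swarm control/data plane ports per role. Only managers need 2377/TCP
  # (cluster management); every node needs 7946 (gossip, TCP and UDP)
  # and 4789/UDP (VXLAN overlay).
  swarm_ports = {
    manager = { tcp = [2377, 7946], udp = [7946, 4789] }
    worker  = { tcp = [7946], udp = [7946, 4789] }
  }
}

resource "scaleway_instance_security_group" "swarm" {
  for_each = local.swarm_ports

  name                    = "swarm_${each.key}s"
  description             = "Swarm ${each.key}: public SSH/HTTP(S), Swarm ports from ${var.node_cidr} only"
  inbound_default_policy  = "drop"
  outbound_default_policy = "accept"
  stateful                = true

  # Public ports: no ip_range, so any source is accepted.
  dynamic "inbound_rule" {
    for_each = local.public_tcp
    content {
      action   = "accept"
      port     = inbound_rule.value
      protocol = "TCP"
    }
  }

  # Swarm TCP ports, accepted only from the node subnet.
  dynamic "inbound_rule" {
    for_each = each.value.tcp
    content {
      action   = "accept"
      port     = inbound_rule.value
      protocol = "TCP"
      ip_range = var.node_cidr
    }
  }

  # Swarm UDP ports, accepted only from the node subnet.
  dynamic "inbound_rule" {
    for_each = each.value.udp
    content {
      action   = "accept"
      port     = inbound_rule.value
      protocol = "UDP"
      ip_range = var.node_cidr
    }
  }
}

# Attach with: security_group_id = scaleway_instance_security_group.swarm["manager"].id
output "swarm_security_group_ids" {
  value = { for role, sg in scaleway_instance_security_group.swarm : role => sg.id }
}
```

Adding a role is then a one-line change in local.swarm_ports, and terraform plan shows the per-port rules for each group before apply. The ip_range should match whatever private addressing the nodes actually use; a rule whose range is too narrow shows up as nodes failing to join the Swarm, while one that is too wide (or missing) leaves the manager API on 2377 exposed.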
