Move port 80 on controlplane to its own security group (#100)

* Remove port 80 from control_plane_ports * Create new security group to facilitate certbot responding to http-01 challenge * Rename sg to make it clearer it relates to controlplane
UKCloud · Apr 23, 2019 · 8836023 · 8836023
1 parent 35d91d2
commit 8836023
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 2 deletions.
diff --git a/security_groups.yaml b/security_groups.yaml
@@ -173,6 +173,17 @@ resources:
             port_range_min: <%port%>
             port_range_max: <%port%>
 
+  controlplane_certbot_secgroup:
+    type: OS::Neutron::SecurityGroup
+    properties:
+      name: controlplane_certbot_sg
+      rules:
+          - direction: ingress
+            protocol: tcp
+            remote_ip_prefix: 0.0.0.0/0
+            port_range_min: 80
+            port_range_max: 80
+
   proxy_controlplane_secgroup:
     type: OS::Neutron::SecurityGroup
     properties:
@@ -529,7 +540,6 @@ outputs:
   vrrp_nodes_security_group:
     description: VRRP access between tenant and net2 nodes
     value: { get_resource: vrrp_nodes_secgroup }
-
   bastion_external_security_group:
     description: Bastion external security group
     value: { get_resource: bastion_external_secgroup }
@@ -587,3 +597,6 @@ outputs:
   proxy_security_group:
     description: Net2 LB VRRP security group
     value: { get_resource: proxy_controlplane_secgroup }
+  controlplane_certbot_security_group:
+    description: Security group allowing http-01 challenge
+    value: { get_resource: controlplane_certbot_secgroup }
diff --git a/top-level-template.yaml b/top-level-template.yaml
@@ -172,7 +172,7 @@ resources:
     properties:
       template: { get_file: security_groups.yaml }
       parameters:
-        control_plane_ports: "80,443,8443"
+        control_plane_ports: "443,8443"
         data_plane_ports: "80,443"
         control_plane_sources: { get_param: control_plane_allowed_sources }
         data_plane_sources: { get_param: data_plane_allowed_sources }
@@ -224,6 +224,7 @@ resources:
           - { get_attr: [ security_groups, outputs, dns_forwarder_security_group ] }
           - { get_attr: [ security_groups, outputs, vrrp_controlplane_security_group ] }
           - { get_attr: [ security_groups, outputs, proxy_security_group ] }
+          - { get_attr: [ security_groups, outputs, controlplane_certbot_security_group ] }
 
   master_nodes_deployment:
     type: OS::Heat::Stack