feat(firewall): add a security list for SSH and VScode

timoa · timoa · commit 14cf9a4aee11 · 2022-05-19T11:40:28.000+02:00
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/README.md b/README.md
@@ -18,7 +18,8 @@ Terraform project that deploys VSCode Server on Oracle Cloud Infrastructure usin
 - [x] Create the instance on free tier (4 vCPU, 24GB memory)
 - [x] Configure the instance and install VSCode Server with Cloud Init
 - [x] Create automatically the SSH key pair
-- [x] Mount and format the block volume on `/data` (WIP)
+- [x] Mount and format the block volume on `/data`
+- [x] Restrict SSH and VS Code port access
 - [ ] Encrypt the block volume with a KMS key
 - [ ] Configure backups of the block volume only (WIP)
 - [ ] Configure Cloudflare Zero Trust to secure the instance access
diff --git a/firewall.tf b/firewall.tf
@@ -0,0 +1,76 @@
+locals {
+  security_list_ssh    = "${var.namespace}-seclist-ssh-${var.stage}"
+  security_list_vscode = "${var.namespace}-seclist-vscode-${var.stage}"
+}
+
+# Security List | SSH
+resource "oci_core_security_list" "security_list_ssh" {
+
+  # Global
+  compartment_id = var.compartment_ocid
+  vcn_id         = oci_core_vcn.vcn.id
+  display_name   = local.security_list_ssh
+
+  # Ingress
+  dynamic "ingress_security_rules" {
+    for_each = var.allowed_ingress_ssh
+
+    content {
+      description = "Allow traffic only from the SSH allowed IPs"
+      source      = ingress_security_rules.value
+      protocol    = "6" # TCP
+
+      tcp_options {
+        min = 22 # SSH
+        max = 22 # SSH
+      }
+    }
+  }
+
+  # Egress
+  dynamic "egress_security_rules" {
+    for_each = var.allowed_egress_ssh
+
+    content {
+      description = "Allow all outbound traffic from the SSH allowed IPs"
+      destination = egress_security_rules.value
+      protocol    = "all"
+    }
+  }
+}
+
+# Security List | VSCode
+resource "oci_core_security_list" "security_list_vscode" {
+
+  # Global
+  compartment_id = var.compartment_ocid
+  vcn_id         = oci_core_vcn.vcn.id
+  display_name   = local.security_list_vscode
+
+  # Ingress
+  dynamic "ingress_security_rules" {
+    for_each = var.allowed_ingress_vscode
+
+    content {
+      description = "Allow traffic only from the VSCode allowed IPs"
+      source      = ingress_security_rules.value
+      protocol    = "6" # TCP
+
+      tcp_options {
+        min = 443 # HTTPS
+        max = 443 # HTTPS
+      }
+    }
+  }
+
+  # Egress
+  dynamic "egress_security_rules" {
+    for_each = var.allowed_egress_vscode
+
+    content {
+      description = "Allow all outbound traffic from the VSCode allowed IPs"
+      destination = egress_security_rules.value
+      protocol    = "all"
+    }
+  }
+}
diff --git a/network.tf b/network.tf
@@ -4,6 +4,7 @@ locals {
   igw_name        = "${var.namespace}-igw-${var.stage}"
   default_rt_name = "${var.namespace}-default-rt-${var.stage}"
   subnet_name     = "${var.namespace}-subnet-${var.stage}"
+  seclist_name    = "${var.namespace}-seclist-${var.stage}"
 }
 
 # Virtual Cloud Network
@@ -69,7 +70,10 @@ resource "oci_core_subnet" "subnet" {
   dhcp_options_id     = oci_core_vcn.vcn.default_dhcp_options_id
 
   # Security
-  security_list_ids = [oci_core_vcn.vcn.default_security_list_id]
+  security_list_ids = [
+    oci_core_security_list.security_list_ssh.id,
+    oci_core_security_list.security_list_vscode.id,
+  ]
 
   # Labels
   freeform_tags = local.common_labels
diff --git a/variables.tf b/variables.tf
@@ -58,6 +58,34 @@ variable "region" {
   default     = "uk-london-1"
 }
 
+#############################
+# Security Lists
+#############################
+
+variable "allowed_ingress_ssh" {
+  type        = list(string)
+  description = "List of IPs allowed to SSH on the instance"
+  default     = []
+}
+
+variable "allowed_egress_ssh" {
+  type        = list(string)
+  description = "List of IPs the instance is allowed to connect"
+  default     = ["0.0.0.0/0"]
+}
+
+variable "allowed_ingress_vscode" {
+  type        = list(string)
+  description = "List of IPs allowed to access to VS Code Server"
+  default     = []
+}
+
+variable "allowed_egress_vscode" {
+  type        = list(string)
+  description = "List of IPs the instance is allowed to connect"
+  default     = ["0.0.0.0/0"]
+}
+
 #############################
 # Instance
 #############################
@@ -80,18 +108,6 @@ variable "instance_shape_config_memory_in_gbs" {
   default     = 24
 }
 
-variable "block_volume_size" {
-  type        = string
-  description = "Block Volume size in GBs (/data)"
-  default     = 100
-}
-
-variable "block_volume_device_name" {
-  type        = string
-  description = "Block Volume device name (/dev/oracleoci/oraclevdb)"
-  default     = "/dev/oracleoci/oraclevdb"
-}
-
 variable "instance_os" {
   type        = string
   description = "Instance OS"
@@ -110,6 +126,22 @@ variable "instance_os_user" {
   default     = "ubuntu" # opc if Oracle Linux
 }
 
+#############################
+# Block Volume (/data)
+#############################
+
+variable "block_volume_size" {
+  type        = string
+  description = "Block Volume size in GBs (/data)"
+  default     = 100
+}
+
+variable "block_volume_device_name" {
+  type        = string
+  description = "Block Volume device name (/dev/oracleoci/oraclevdb)"
+  default     = "/dev/oracleoci/oraclevdb"
+}
+
 #############################
 # VS Code Server
 #############################
