Protocol Security group for AWS #538
base: next_gen
Signed-off-by: Praveen Ramu <praveen.ramu@ibm.com>
@@ -15,6 +15,72 @@ locals { | |||
instance_storage_device_names = ["/dev/nvme0n1", "/dev/nvme1n1", "/dev/nvme2n1", "/dev/nvme3n1", "/dev/nvme4n1", "/dev/nvme5n1", "/dev/nvme6n1", "/dev/nvme7n1", "/dev/nvme8n1", "/dev/nvme9n1", "/dev/nvme10n1", "/dev/nvme11n1", "/dev/nvme12n1", "/dev/nvme13n1", "/dev/nvme14n1", "/dev/nvme15n1", "/dev/nvme16n1"] | |||
gpfs_base_rpm_path = var.spectrumscale_rpms_path != null ? fileset(var.spectrumscale_rpms_path, "gpfs.base-*") : null | |||
scale_version = local.gpfs_base_rpm_path != null ? regex("gpfs.base-(.*).x86_64.rpm", tolist(local.gpfs_base_rpm_path)[0])[0] : null | |||
|
|||
traffic_protocol_bi = ["icmp", "TCP", "TCP", "TCP", "TCP", "UDP", "TCP", "TCP", "UDP", "TCP", "TCP", "TCP", "TCP", "icmp", "TCP", "TCP", "TCP", "TCP", "UDP", "TCP", "TCP", "UDP", "TCP", "TCP", "TCP", "TCP"] |
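Review bot: the `traffic_protocol_bi` list added at the end of this hunk is the same 13 entries written out twice, with protocol names in mixed case ("icmp" beside "TCP"). If the second half stands for the reverse direction of the same rules (the `_bi` suffix suggests that), say so in a comment and build it from one 13-entry base list (for example with `concat(local.base_protocols, local.base_protocols)`, or by iterating the single list twice in the rule resource) so the two halves cannot drift apart, and use one casing throughout.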
Consolidate the security groups b/w compute, storage and protocol nodes
|
||
traffic_protocol_bi = ["icmp", "TCP", "TCP", "TCP", "TCP", "UDP", "TCP", "TCP", "UDP", "TCP", "TCP", "TCP", "TCP", "icmp", "TCP", "TCP", "TCP", "TCP", "UDP", "TCP", "TCP", "UDP", "TCP", "TCP", "TCP", "TCP"] | ||
traffic_protocol_from_port_bi = [-1, 22, 1191, 60000, 47080, 47443, 4444, 4739, 4739, 9080, 9081, 80, 443, -1, 22, 1191, 60000, 47080, 47443, 4444, 4739, 4739, 9080, 9081, 80, 443] | ||
traffic_protocol_to_port_bi = [-1, 22, 1191, 61000, 47080, 47443, 4444, 4739, 4739, 9080, 9081, 80, 443, -1, 22, 1191, 60000, 47080, 47443, 4444, 4739, 4739, 9080, 9081, 80, 443] |
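Review bot: the two halves of `traffic_protocol_to_port_bi` already disagree: for the entry whose from_port is 60000, the first half has to_port 61000 but the second half has 60000, so one direction opens the 60000-61000 range and the other only a single port. Decide which is intended, fix the other, and derive the second half from the first rather than hand-copying it. The source and destination of these rules (self-referencing group versus CIDR block) are not visible in this hunk; for the intra-cluster ports (1191, 60000-61000, 47080, 47443, 4444, 4739) the rule should reference the security group itself, and only 22/80/443 should be considered for any broader CIDR, so please show where that is set.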
Check the ports with the latest security port definitions and separate them into base and extended (base is limited to storage only, and extended to protocol).
sec_group_description = ["Enable SSH access to the compute cluster hosts"] | ||
turn_on = true | ||
sec_group_name = ["scale-sec-group-"] | ||
sec_group_description = ["Scale cluster sec group"] |
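Review bot: the first description in this hunk, "Enable SSH access to the compute cluster hosts", no longer describes a group that carries the whole Scale port list, and `description` on an AWS security group cannot be edited in place (changing it forces replacement of the group), so it is worth getting right now. State what traffic the group covers, e.g. "Scale cluster: intra-cluster GPFS, CES and SSH traffic", on both lines.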
sec -> security
# Create Scale cluster security group | ||
module "protocol_security_group" { | ||
source = "../../../resources/aws/security/security_group" | ||
turn_on = length(local.protocol_vm_subnet_map) > 0 ? true : false |
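Review bot: `length(local.protocol_vm_subnet_map) > 0 ? true : false` is redundant, since the comparison already yields a bool; `turn_on = length(local.protocol_vm_subnet_map) > 0` reads cleaner (and applies equally once the condition is switched to the protocol node count as requested). The comment above the module, "# Create Scale cluster security group", also sits over a module named `protocol_security_group`; make the comment and the module name agree so a reader knows which group this is.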
Change to the length of protocol nodes rather than the subnet map.
ami = var.ami_id | ||
instance_type = var.instance_type | ||
key_name = var.user_public_key | ||
#security_groups = var.security_groups |
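Review bot: the commented-out `#security_groups = var.security_groups` leaves the instance with no explicit security group. In a VPC an instance launched without one is attached to the VPC's default security group, whose rules are outside this module's control, so the instance's effective network policy would not be the one the new protocol group defines. Either pass the new group's id here or delete the line; do not leave it commented.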
Is the security group commented out?
vpc_id = var.vpc_id | ||
revoke_rules_on_delete = true | ||
|
||
lifecycle { |
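Review bot: `revoke_rules_on_delete = true` together with a `lifecycle` block (its body is cut off here) needs a comment explaining why both are set. If the block sets `create_before_destroy = true`, the group must be created with `name_prefix` rather than a fixed `name`, because the replacement is created while the old group still holds the name; the earlier hunk's `sec_group_name = ["scale-sec-group-"]` looks like a prefix, so confirm the security_group resource uses it as one. If the block sets nothing that matters, drop it, as the earlier review question suggests.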
Is lifecycle required? By default it is create before destroy true.
@@ -32,7 +32,7 @@ output "compute_cluster_instance_details" { | |||
} | |||
|
|||
output "compute_cluster_security_group_id" { |
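Review bot: the hunk header `-32,7 +32,7` says one line inside this output changed, but only the opening line of `compute_cluster_security_group_id` is shown. This output is a module interface that the remote-mount configuration consumes, so renaming it or pointing it at a different group is a breaking change for existing callers; keep the old output (even as an alias returning the same id) until the consolidation is finished, and describe the change in the PR description, which is currently empty.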
Once consolidation is complete, both security groups will merge and cause changes in terms of edit and remote mount.
Signed-off-by: Praveen Ramu <praveen.ramu@ibm.com>
|
||
## Extended ports | ||
# Protocol ports | ||
protocol_traffic_ports = [4379, 11211, 11211, 6200, 5431] |
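Review bot: `protocol_traffic_ports = [4379, 11211, 11211, 6200, 5431]` lists 11211 twice. If the duplicate exists so the list lines up by index with a parallel protocol list (TCP and UDP rules for the same port), say so in a comment; otherwise deduplicate it. Each entry should also carry a comment naming the service it belongs to, as the `## Extended ports` / `# Protocol ports` headers promise, so that the swap requested below (drop the Swift ports, add the nooba ports) can be verified against the list afterwards rather than by guessing which number is which.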
Please remove the OpenStack Swift ports and add nooba ports.
Signed-off-by: Praveen Ramu <praveen.ramu@ibm.com>
Added nooba ports and removed Swift port.
Signed-off-by: Praveen Ramu <praveen.ramu@ibm.com>