Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Patching firewall rules #216

Draft
wants to merge 24 commits into
base: main
Choose a base branch
from
Draft

Patching firewall rules #216

wants to merge 24 commits into from

Conversation

tbroden84
Copy link
Contributor

@tbroden84 tbroden84 commented Aug 2, 2023

WHY are these changes introduced?

Original firewall resource replaced all firewall rules during create/update. Meaning all rules used in the resource always overwrite the current rule set. Enable utilization of the PACTH endpoint in API backend, to change the behaviour for the resource with new argument patch. This will instead append or update the rules present in the resource and leave all other firewall rules intact.

WHAT is this pull request doing?

  • Adds new data source for firewall settings, keeping track on all firewall rules enabled.
  • Adds patch argument to cloudamqp_security_firewall. When set to true, use PATCH API endpoint and only affect rules in the resource.
  • Update docs.

Require:

HOW can this pull request be tested?

Test scenarios used with managed VPC and instance.

  1. Multiple patched firewall rules requests being executed. Will trigger after post.bootstrap finished, in the end firewall rule set contains both.

  2. Enabled PrivateLink and multiple patched firewall rules resources requests being executed. Will trigger after post.bootstrap finished. PrivateLink gets enabled, automatic PrivateLink rule set activated and both firewall resource rule sets gets activated.

resource "cloudamqp_security_firewall" "mgmt_int" {
  instance_id = cloudamqp_instance.instance.id
  patch = true
  rules {
      ip = "0.0.0.0/0"
      description = "MGMT interface"
      ports       = []
      services    = ["HTTPS"]
  }
}

resource "cloudamqp_security_firewall" "extra_rules" {
  instance_id = cloudamqp_instance.instance.id
  patch = true

  rules {
    ip          = "10.1.0.0/16"
    ports       = []
    services    = ["AMQPS"]
  }

  rules {
    ip          = "10.2.0.0/16"
    ports       = []
    services    = ["AMQPS"]
  }
}

With resource data schema, check if rules have any changes that
require API backend request. Otherwise just update state file.
@dentarg
Copy link
Member

dentarg commented Aug 2, 2023

Do we need to add the new resource cloudamqp_security_firewall_rules? How is it different from resource_cloudamqp_security_firewall?

cloudamqp_security_firewall_rules will always append and cloudamqp_security_firewall will always replace?

@tbroden84
Copy link
Contributor Author

Basically just that I tried out difference between single/multi rules when doing the patching.

  • cloudamqp_security_firewall will always replace everything
  • cloudamqp_security_firewall_rule append/patch single rule
  • cloudamqp_security_firewall_rules append/patch single or multiple rules

With this in place then have something to discuss around.

Did also do some test runs when using cloudamqp_security_firewall_rule and enable PrivateLink and how it would affect things.

@dentarg
Copy link
Member

dentarg commented Aug 2, 2023

Had another thought, do we need cloudamqp_security_firewall_rule or could that be covered by cloudamqp_security_firewall_rules with just one element? As you just wrote it can be used to patch (add) a single rule

Going further, could we instead of adding these two new resources, extend the existing cloudamqp_security_firewall resource? Giving it an option controlling the behavior (replace vs append, defaulting to replace to not break anything)

@tbroden84
Copy link
Contributor Author

Yes possible to use cloudamqp_security_firewall_rules resource for both single and multiple.

But your idea about add it to cloudamqp_security_firewall would definitely be preferable. Will check it out.

Get changes between old vs. new configuration with d.GetChanges("rules").
Then determine which rules should be removed or updated based on the difference
between the two configurations.
@tbroden84 tbroden84 force-pushed the single-firewall-rule branch from 3d69307 to ec7654e Compare August 3, 2023 12:08
@tbroden84 tbroden84 requested a review from dentarg September 4, 2023 13:04
@kristianschneider
Copy link

This one seems to have gone stale. Whats the status on this ?

@dentarg
Copy link
Member

dentarg commented Jul 10, 2024

It is held up but sorting out issues in the backend, that we haven't been able to prioritise.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants