forked from oracle-quickstart/oci-github-actions-runner
-
Notifications
You must be signed in to change notification settings - Fork 1
/
nsg.tf
executable file
·79 lines (65 loc) · 2.44 KB
/
nsg.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
resource "oci_core_network_security_group" "simple_nsg" {
#Required
compartment_id = var.network_compartment_ocid
vcn_id = local.use_existing_network ? var.vcn_id : oci_core_vcn.simple.0.id
#Optional
display_name = var.nsg_display_name
freeform_tags = tomap({ "${var.tag_key_name}" = "${var.tag_value}" })
}
# Allow Egress traffic to all networks
resource "oci_core_network_security_group_security_rule" "simple_rule_egress" {
network_security_group_id = oci_core_network_security_group.simple_nsg.id
direction = "EGRESS"
protocol = "all"
destination = "0.0.0.0/0"
}
# Allow SSH (TCP port 22) Ingress traffic from any network
resource "oci_core_network_security_group_security_rule" "simple_rule_ssh_ingress" {
network_security_group_id = oci_core_network_security_group.simple_nsg.id
protocol = "6"
direction = "INGRESS"
source = var.nsg_source_cidr
stateless = false
tcp_options {
destination_port_range {
min = var.nsg_ssh_port
max = var.nsg_ssh_port
}
}
}
# Allow HTTPS (TCP port 443) Ingress traffic from any network
resource "oci_core_network_security_group_security_rule" "simple_rule_https_ingress" {
network_security_group_id = oci_core_network_security_group.simple_nsg.id
protocol = "6"
direction = "INGRESS"
source = var.nsg_source_cidr
stateless = false
tcp_options {
destination_port_range {
min = var.nsg_https_port
max = var.nsg_https_port
}
}
}
# Allow HTTP (TCP port 80) Ingress traffic from any network
resource "oci_core_network_security_group_security_rule" "simple_rule_http_ingress" {
network_security_group_id = oci_core_network_security_group.simple_nsg.id
protocol = "6"
direction = "INGRESS"
source = var.nsg_source_cidr
stateless = false
tcp_options {
destination_port_range {
min = var.nsg_http_port
max = var.nsg_http_port
}
}
}
# Allow ANY Ingress traffic from within simple vcn
resource "oci_core_network_security_group_security_rule" "simple_rule_all_simple_vcn_ingress" {
network_security_group_id = oci_core_network_security_group.simple_nsg.id
protocol = "all"
direction = "INGRESS"
source = var.vcn_cidr_block
stateless = false
}