DEV-687 aachen ip hcloud fw

.gitlab-ci.yml

@@ -18,6 +18,7 @@ stages:
   - run-kubernetes
   - run-management-update
   - run-patchday
+  - run-hcloud-firewall
 
 lint-job:
   stage: lint
@@ -363,3 +364,70 @@ run-patchday-prodwork01:
 
 
 
+########
+###   http://patorjk.com/software/taag/#p=display&f=Doom&t=patchday.yml
+###
+###    _          _                 _    __ _                        _ _                  _
+###   | |        | |               | |  / _(_)                      | | |                | |
+###   | |__   ___| | ___  _   _  __| | | |_ _ _ __ _____      ____ _| | | _   _ _ __ ___ | |
+###   | '_ \ / __| |/ _ \| | | |/ _` | |  _| | '__/ _ \ \ /\ / / _` | | || | | | '_ ` _ \| |
+###   | | | | (__| | (_) | |_| | (_| | | | | | | |  __/\ V  V / (_| | | || |_| | | | | | | |
+###   |_| |_|\___|_|\___/ \__,_|\__,_| |_| |_|_|  \___| \_/\_/ \__,_|_|_(_)__, |_| |_| |_|_|
+###                                ______                                  __/ |
+###                               |______|                                |___/
+###
+
+.run-hcloud-firewall:
+  extends: .run-ansible
+  stage: run-hcloud-firewall
+  script:
+    - ansible-playbook -e "stage=${STAGE}" hcloud_firewall.yml --vault-password-file /tmp/vault-pass
+  after_script:
+    - rm /tmp/vault-pass
+  except:
+    - schedules
+
+run-hcloud-firewall-dev:
+  extends: .run-hcloud-firewall
+  resource_group: dev
+  before_script:
+    - export STAGE=dev
+    - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
+  only:
+    - main
+
+run-hcloud-firewall-devscr:
+  extends: .run-hcloud-firewall
+  resource_group: devscr
+  before_script:
+    - export STAGE=devscr
+    - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
+  only:
+    - main
+
+run-hcloud-firewall-qa:
+  extends: .run-hcloud-firewall
+  resource_group: qa
+  before_script:
+    - export STAGE=qa
+    - echo "${ANSIBLE_VAULT_PASS_QA}" > /tmp/vault-pass
+  only:
+    - qa
+
+run-hcloud-firewall-prodnso:
+  extends: .run-hcloud-firewall
+  resource_group: prodnso
+  before_script:
+    - export STAGE=prodnso
+    - echo "${ANSIBLE_VAULT_PASS_PRODNSO}" > /tmp/vault-pass
+  only:
+    - prodnso
+
+run-hcloud-firewall-prodwork01:
+  extends: .run-hcloud-firewall
+  resource_group: prodwork01
+  before_script:
+    - export STAGE=prodwork01
+    - echo "${ANSIBLE_VAULT_PASS_PRODWORK01}" > /tmp/vault-pass
+  only:
+    - prodnso

group_vars/all/firewall.yml

@@ -119,7 +119,7 @@ hcloud_firewall_objects_awx:
      -
        type: label_selector
        label_selector:
-         selector: 'stage={{ stage }},service=awx'
+         selector: 'stage={{ stage }},service'
 
 hcloud_firewall_objects_backup:
    -

group_vars/stage_prodwork01/firewall.yml

@@ -0,0 +1,53 @@
+---
+hcloud_firewall_objects:
+   -
+     name: "{{ stage }}-default"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: icmp
+        port: ''
+        source_ips: '{{ ip_whitelist }}'
+        destination_ips: []
+        description: ICMP allowed
+     -
+        direction: in
+        protocol: tcp
+        port: '22'
+        source_ips: '{{ ip_whitelist }}'
+        destination_ips: []
+        description: SSH allowed
+     -
+        direction: in
+        protocol: tcp
+        port: '80'
+        source_ips: '{{ ip_whitelist }}'
+        destination_ips: []
+        description: HTTP allowed
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: '{{ ip_whitelist }}'
+        destination_ips: []
+        description: HTTPS allowed
+     -
+        direction: in
+        protocol: tcp
+        port: 'any'
+        source_ips: '{{ ip_whitelist_admins }}'
+        destination_ips: []
+        description: TCP - allow work from home without VPN
+     -
+        direction: in
+        protocol: udp
+        port: 'any'
+        source_ips: '{{ ip_whitelist_admins }}'
+        destination_ips: []
+        description: UDP - allow work from home without VPN
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'stage={{ stage }}'

group_vars/stage_prodwork01/plain.yml

@@ -1,6 +1,7 @@
 ---
 
 stage: "prodwork01"
+hcloud_firewall_app_specific_stuff: False
 
 default_plattform_users:
   - 'friedrich.goerz'
@@ -11,7 +12,7 @@ default_plattform_users:
   - '{{ gitlab_ansible_user_name }}'
 
 # TODO read configuration with hetzner rest api
-shared_service_network: "10.1.0.0/16"
+shared_service_network: "10.3.0.0/16"
 shared_service_kube_cpl_01: "{{ stage_server_infos
   | selectattr('name', 'match', stage + '-kube-cpl-01' )
   | map(attribute='private_ip')

roles/hcloud/tasks/configure-firewall2.yml

@@ -55,7 +55,6 @@
   when:
     - total_server_pages != '1'
 
-
 - name: "Create firewall rule for <<{{ firewall_object.name }}>>"
   uri:
     method: POST
@@ -74,6 +73,9 @@
     - lookup_fw_obj | length == 0
 
 - name: "Update firewall rule for <<{{ firewall_object.name }}>>"
+  block:
+
+    - name: "Step_1: update FW rule <<{{ firewall_object.name }}>>"
       uri:
         method: PUT
         url: "https://api.hetzner.cloud/v1/firewalls/{{ lookup_fw_obj.0.id }}"
@@ -84,8 +86,55 @@
         body: "{{ firewall_object | to_json }}"
         return_content: yes
         status_code: [200]
+      register: fw_update_step1
+      delegate_to: 127.0.0.1
+      become: false
+
+    - name: "Setting VAR"
+      set_fact:
+        rules_obj:
+          rules: "{{ firewall_object.rules }}"
+        applyto_obj:
+          apply_to: "{{ firewall_object.apply_to }}"
+
+    - name: "Step_2: update FW rule - update rules"
+      uri:
+        method: POST
+        url: "https://api.hetzner.cloud/v1/firewalls/{{ lookup_fw_obj.0.id }}/actions/set_rules"
+        body_format: json
+        headers:
+          Content-Type: application/json
+          authorization: Bearer {{ hetzner_authentication_ansible }}
+        body: "{{ rules_obj | to_json }}"
+        return_content: yes
+        status_code: [201]
+      register: fw_update_step2
       delegate_to: 127.0.0.1
       become: false
+
+    - name: "Step_3: update FW rule - apply-to-resources"
+      uri:
+        method: POST
+        url: "https://api.hetzner.cloud/v1/firewalls/{{ lookup_fw_obj.0.id }}/actions/apply_to_resources"
+        body_format: json
+        headers:
+          Content-Type: application/json
+          authorization: Bearer {{ hetzner_authentication_ansible }}
+        body: "{{ applyto_obj | to_json }}"
+        return_content: yes
+        status_code: [201]
+      register: fw_update_step2
+      delegate_to: 127.0.0.1
+      become: false
+
+  rescue:
+    - name: "Rescueing FW-apply-to part "
+      debug:
+        msg: "Everything fine - FW-apply-to part already applied"
+      when:
+        - fw_update_step2.status in [422]
+        - fw_update_step2.json.error.code == 'firewall_already_applied'
+
   when:
     - firewall_object.state == 'present'
     - lookup_fw_obj | length > 0