Merge pull request #84 from dinukadesilva/enable-iu-vpn-based-security
Adding firewall rules to enable VPN-based security
DImuthuUpe committed May 5, 2022
2 parents a2ed20d + 89fd360 commit 4b57253e33f64b34c58e68076dcac1f264c12715
Showing 6 changed files with 139 additions and 29 deletions.
@@ -133,4 +133,18 @@ workflow_manager_custos_host: services.usecustos.org
workflow_manager_custos_port: 31161
workflow_manager_custos_id: "{{ vault_workflow_manager_custos_id }}"
workflow_manager_custos_secret: "{{ vault_workflow_manager_custos_secret }}"
workflow_manager_work_dir: /home/airavata/tmp_data
workflow_manager_work_dir: /home/airavata/tmp_data

iu_subnets:
- "149.163.0.0/16"
- "140.182.0.0/16"
- "149.165.0.0/16"
- "192.68.133.0/24"
- "192.12.206.0/24"
- "149.159.0.0/16"
- "156.56.0.0/16"
- "149.161.0.0/16"
- "149.160.0.0/16"
- "149.166.0.0/16"
- "134.68.0.0/16"
- "129.79.0.0/16"
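Review bot: The list is introduced as `iu_subnets`, yet every task in this commit iterates `{{ sharing_subnets }}`; unless `sharing_subnets` is derived from this variable somewhere outside the diff, the playbooks will stop on an undefined variable. A comment above the list recording where the ranges come from and when they were last checked lets the next maintainer re-verify the allowlist, e.g. `# IU campus/VPN egress ranges — source: <where the list was obtained>, reviewed <date>`. `192.68.133.0/24` is one character away from the private block `192.168.133.0/24`; confirm it is the intended public network, since a mistyped CIDR silently admits an unrelated range. The repeated `workflow_manager_work_dir` line looks like the old/new rendering of the file's last line (a trailing-newline change), but if both copies are really in the file it is a duplicate key that most parsers resolve silently.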
@@ -4,9 +4,15 @@
become: yes

- name: open firewall port 7070 for DRMS Grpc connections
firewalld: port="7070/tcp"
zone=public permanent=true state=enabled immediate=yes
firewalld:
zone: public
permanent: yes
state: enabled
immediate: yes
rich_rule: rule family=ipv4 source address="{{ item }}" port port="7070" protocol=tcp accept
become: yes
with_items:
- "{{ sharing_subnets }}"

- name: open firewall port 80 for HTTP connections
firewalld: port="80/tcp"
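Review bot: The new rich rule narrows 7070/tcp to `sharing_subnets`, but nothing revokes the blanket `port="7070/tcp"` opening that the replaced task already made permanent on previously provisioned hosts; on those hosts the port stays open to every source and the allowlist has no effect. The same gap exists in the Data Orchestrator/Kafka, SSH, Kafka proxy, MFT and Workflow Engine hunks below. A follow-up task that disables the plain port entry once the rich rule is in place closes it, and is a no-op on a freshly built host. The tasks list this task belongs to starts before the hunk.
```yaml
# … unchanged: rich-rule task for 7070/tcp …

- name: close the unrestricted public 7070/tcp opening left by earlier runs
  firewalld:
    port: "7070/tcp"
    zone: public
    permanent: true
    immediate: true
    state: disabled
  become: true
```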
@@ -19,24 +25,48 @@
become: yes

- name: open firewall port 9092 for Kafka connections
firewalld: port="9092/tcp"
zone=public permanent=true state=enabled immediate=yes
firewalld:
zone: public
permanent: yes
state: enabled
immediate: yes
rich_rule: rule family=ipv4 source address="{{ item }}" port port="9092" protocol=tcp accept
become: yes
with_items:
- "{{ sharing_subnets }}"

- name: open firewall port 6060 for Data Orchestrator Grpc connections
firewalld: port="6060/tcp"
zone=public permanent=true state=enabled immediate=yes
firewalld:
zone: public
permanent: yes
state: enabled
immediate: yes
rich_rule: rule family=ipv4 source address="{{ item }}" port port="6060" protocol=tcp accept
become: yes
with_items:
- "{{ sharing_subnets }}"

- name: open firewall port {{ datalake_data_orch_http_port }} for Data Orchestrator HTTP connections
firewalld: port="{{ datalake_data_orch_http_port }}/tcp"
zone=public permanent=true state=enabled immediate=yes
firewalld:
zone: public
permanent: yes
state: enabled
immediate: yes
rich_rule: rule family=ipv4 source address="{{ item }}" port port="{{ datalake_data_orch_http_port }}" protocol=tcp accept
become: yes
with_items:
- "{{ sharing_subnets }}"

- name: open firewall port {{ datalake_data_orch_grpc_port }} for Data Orchestrator gRPC connections
firewalld: port="{{ datalake_data_orch_grpc_port }}/tcp"
zone=public permanent=true state=enabled immediate=yes
firewalld:
zone: public
permanent: yes
state: enabled
immediate: yes
rich_rule: rule family=ipv4 source address="{{ item }}" port port="{{ datalake_data_orch_grpc_port }}" protocol=tcp accept
become: yes
with_items:
- "{{ sharing_subnets }}"

- name: Create Datalake deployment directory {{ datalake_deployment_dir }}
become: yes
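Review bot: The rich rules are `family=ipv4` only, so the allowlist says nothing about IPv6: if these hosts carry global IPv6 addresses and the services listen on `::`, v6 clients are admitted by whatever other rule opens the port (the older plain `port=` entries would) and never by these rules. Whether the hosts are reachable over v6 is not visible in the diff; either add a parallel `rule family=ipv6 source address="{{ item }}" port port="…" protocol=tcp accept` fed from a v6 allowlist, or record in a comment on the tasks that the services are intentionally IPv4-only. This applies to every rich rule in the commit, not only the four in this hunk. The tasks list these tasks belong to starts before the hunk.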
@@ -54,9 +54,15 @@
become: yes

- name: open firewall port 22 for SSH connections
firewalld: port="22/tcp"
zone=public permanent=true state=enabled immediate=yes
firewalld:
zone: public
permanent: yes
state: enabled
immediate: yes
rich_rule: rule family=ipv4 source address="{{ item }}" port port="22" protocol=tcp accept
become: yes
with_items:
- "{{ sharing_subnets }}"

- name: Install Datalake pre-requireties (RedHat)
yum: name={{ item }} state=latest update_cache=yes
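Review bot: Limiting 22/tcp to `sharing_subnets` is a lockout risk if the Ansible controller (or the bastion it connects through) is not inside one of those ranges, and nothing in the hunk checks that before the older blanket `22/tcp` opening is dropped on a host. A guard task ahead of this one — an `assert` that the connecting address (first field of `ansible_env.SSH_CLIENT`) lies within the allowlist, or an explicit rich rule for the management host — keeps a playbook run from cutting off its own access. The tasks list containing this task starts before the hunk.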
@@ -70,14 +70,26 @@
become: yes

- name: open kafka proxy port
firewalld: port="{{ kafka_listener_port }}/tcp"
zone=public permanent=true state=enabled immediate=yes
firewalld:
zone: public
permanent: yes
state: enabled
immediate: yes
rich_rule: rule family=ipv4 source address="{{ item }}" port port="{{ kafka_listener_port }}" protocol=tcp accept
become: yes
with_items:
- "{{ sharing_subnets }}"

- name: open kafka rest proxy port
firewalld: port="{{ kafka_rest_proxy_listener_port }}/tcp"
zone=public permanent=true state=enabled immediate=yes
firewalld:
zone: public
permanent: yes
state: enabled
immediate: yes
rich_rule: rule family=ipv4 source address="{{ item }}" port port="{{ kafka_rest_proxy_listener_port }}" protocol=tcp accept
become: yes
with_items:
- "{{ sharing_subnets }}"

- name: systemd install kafka service script
template: src=kafka.service.j2
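Review bot: The new task bodies use `permanent: yes`, `immediate: yes`, `become: yes` and a `with_items` whose only entry is a templated list; ansible-lint flags the YAML 1.1 truthy spellings, and `loop: "{{ sharing_subnets }}"` expresses the same iteration without relying on `with_items` flattening the nested list. Writing `permanent: true`, `immediate: true`, `become: true` and `loop: "{{ sharing_subnets }}"` in both Kafka tasks brings them in line with current Ansible guidance; the other hunks in this commit use the same forms.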
@@ -14,16 +14,60 @@
owner={{ user }}
group={{ group }}

- name: open firewall ports for MFT
firewalld: port="{{ item }}/tcp"
zone=public permanent=true state=enabled immediate=yes
- name: open firewall ports for MFT grpc service api
firewalld:
zone: public
permanent: yes
state: enabled
immediate: yes
rich_rule: rule family=ipv4 source address="{{ item }}" port port="{{ mft_api_service_grpc_port }}" protocol=tcp accept
become: yes
with_items:
- "{{ sharing_subnets }}"

- name: open firewall ports for MFT default agent
firewalld:
zone: public
permanent: yes
state: enabled
immediate: yes
rich_rule: rule family=ipv4 source address="{{ item }}" port port="{{ mft_default_agent_port }}" protocol=tcp accept
become: yes
with_items:
- "{{ sharing_subnets }}"

- name: open firewall ports for MFT consul
firewalld:
zone: public
permanent: yes
state: enabled
immediate: yes
rich_rule: rule family=ipv4 source address="{{ item }}" port port="{{ mft_consul_port }}" protocol=tcp accept
become: yes
with_items:
- "{{ sharing_subnets }}"

- name: open firewall ports for MFT grpc resource service
firewalld:
zone: public
permanent: yes
state: enabled
immediate: yes
rich_rule: rule family=ipv4 source address="{{ item }}" port port="{{ mft_resource_service_grpc_port }}" protocol=tcp accept
become: yes
with_items:
- "{{ mft_api_service_grpc_port }}"
- "{{ mft_default_agent_port }}"
- "{{ mft_consul_port }}"
- "{{ mft_resource_service_grpc_port }}"
- "{{ mft_secret_service_grpc_port }}"
- "{{ sharing_subnets }}"

- name: open firewall ports for MFT grpc secret service
firewalld:
zone: public
permanent: yes
state: enabled
immediate: yes
rich_rule: rule family=ipv4 source address="{{ item }}" port port="{{ mft_secret_service_grpc_port }}" protocol=tcp accept
become: yes
with_items:
- "{{ sharing_subnets }}"

- name: git checkout from MFT github repo {{ mft_repo }} branch {{ mft_git_branch }}
git: repo="{{ mft_repo }}"
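Review bot: The single MFT task that looped over five port variables has become five copies of the same task body differing only in the port, which is exactly the duplication the old `with_items` list avoided; one task looping over the product of the ports and the subnets keeps that structure (Ansible provides the `product` filter, and `with_nested` is the older equivalent). The five `{{ mft_*_port }}` entries shown between `with_items:` and `- "{{ sharing_subnets }}"` in the resource-service task appear to be the removed lines of the old task that the diff aligned with the new `with_items:`; if they had survived on the new side, `source address=` would receive a port number and firewalld would reject the rule, so it is worth a glance at the file itself. The same consolidation applies to the Data Lake and Kafka hunks.
```yaml
- name: allow MFT service ports from the sharing subnets only
  firewalld:
    zone: public
    permanent: true
    immediate: true
    state: enabled
    rich_rule: rule family=ipv4 source address="{{ item.1 }}" port port="{{ item.0 }}" protocol=tcp accept
  become: true
  loop: "{{ [mft_api_service_grpc_port, mft_default_agent_port, mft_consul_port, mft_resource_service_grpc_port, mft_secret_service_grpc_port] | product(sharing_subnets) | list }}"

# … unchanged: git checkout task …
```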
@@ -16,11 +16,15 @@
become_user: "{{ user }}"

- name: open firewall ports for Workflow Engine
firewalld: port="{{ item }}/tcp"
zone=public permanent=true state=enabled immediate=yes
with_items:
- "{{ workflow_manager_grpc_port }}"
firewalld:
zone: public
permanent: yes
state: enabled
immediate: yes
rich_rule: rule family=ipv4 source address="{{ item }}" port port="{{ workflow_manager_grpc_port }}" protocol=tcp accept
become: yes
with_items:
- "{{ sharing_subnets }}"

- name: Run Datalake maven build
command: mvn clean install -Dmaven.test.skip=true chdir="{{ datalake_source_dir }}/"
