Alex Stanhope

Technical Architect

Oracle Cloud

When you provision a machine in Oracle Cloud it’s tempting to use the VCN’s Default Security List:

resource "oci_core_subnet" "subnet" {
  availability_domain = data.oci_identity_availability_domain.ad.name
  cidr_block = "10.46.0.0/24"
  display_name = "subnet-${var.hostname}"
  dns_label = "subnet${var.hostname}"
  security_list_ids = [
    oci_core_vcn.vcn.default_security_list_id]
...

Restricting port 22

If you don’t want SSH open to all and sundry, it’s important to create your own empty security list thus:

resource "oci_core_subnet" "subnet" {
  availability_domain = data.oci_identity_availability_domain.ad.name
  cidr_block = "10.46.0.0/24"
  display_name = "subnet-${var.hostname}"
  dns_label = "subnet${var.hostname}"
  security_list_ids = [
    oci_core_security_list.empty_security_list.id]
  compartment_id = var.compartment_ocid
  vcn_id = oci_core_vcn.vcn.id
  route_table_id = oci_core_vcn.vcn.default_route_table_id
  dhcp_options_id = oci_core_vcn.vcn.default_dhcp_options_id
}

# create empty security list to avoid using 'default' with open 22
resource "oci_core_security_list" "empty_security_list" {
  compartment_id = var.compartment_ocid
  vcn_id = oci_core_vcn.vcn.id
  display_name = "seclist-${var.hostname}"
}

which means you can explicitly open the ports you want in the Network Security Group:

resource "oci_core_network_security_group_security_rule" "nsg_outbound" {
  network_security_group_id = "${oci_core_network_security_group.nsg.id}"
  direction = "EGRESS"
  protocol = "all"
  description = "nsg-${var.hostname}-outbound"
  destination = "0.0.0.0/0"
  destination_type = "CIDR_BLOCK"
}

resource "oci_core_network_security_group_security_rule" "nsg_inbound_ssh" {
  network_security_group_id = "${oci_core_network_security_group.nsg.id}"
  direction = "INGRESS"
  protocol = "6" # TCP
  description = "nsg-${var.hostname}-inbound-ssh"
  # allow SSH traffic only from the bastion
  source = "${data.dns_a_record_set.bastion-host.addrs[0]}/32"
  source_type = "CIDR_BLOCK"
  destination = "${module.vminst.public_ip}/32"
  destination_type = "CIDR_BLOCK"
  tcp_options {
    destination_port_range {
      min = 22
      max = 22
    }
  }
}

Open-source

All the code for these tutorials is available as part of DevOps-Workstream.

Get your team coding

If you'd like to help your Operations team move to infrastructure-as-code, please get in touch to find out how Lightenna Consulting could accelerate your Cloud journey.

Leave a comment

You may also enjoy