Add the ability to manage default firewall rules

[johnamurray]

When you standup a network domain it comes with a set of default firewall rules that currently cannot be managed by terraform as it doesn't create them. I would like to disable (in particular) the rule that denies all inbound IPv6 traffic.

@tintoy could maybe point me in the right direction and I can try and sort out. Maybe a data resource?

[wninobla]

Hi John,

@johnamurray In terms of how Terraform works that isn't necessarily how you would typically go about disabling a resource that wasn't originally spun up by Terraform. You could I suppose export the configuration to get it to be recognized by the terraforn state file but this is something better server via an API call or a post transaction via Ansible or Chef.

[tintoy]

I'm thinking maybe they might work better as settings on the network domain (data sources are read-only, BTW).

Something like:

resource "ddcloud_networkdomain" "my_domain" {
  name = "My Domain"

  default_firewall_rule {
    type = "BlockOutboundMailIPv4"
    enabled = true
  }

  default_firewall_rule {
    type = "DenyExternalInboundIPv6"
    enabled = false
  }
}

Note that the CCDEFAULT. prefix is not included in the rule type. This makes it harder to anyone to think they can control a regular firewall rule with this.

CC: @johnamurray @alexbacchin

PS. @wninobla ordinarily I'd agree with you here, but I think this might be a special case; without the ability to manage the enablement of these rules, a large proportion of the the use cases for this provider would be unnecessarily difficult to achieve. I think if we tie them to the network domain then Terraform's life-cycle model won't be violated.

[johnamurray]

@wninobla - true but the reason I want to get the IPV6 deny disabled is so that a server can bootstrap using chef (or whatever) on ipv6 rather than giving it a public ipv4 address. My hack at the moment is a null resource that does an api call to disable the rule

[tintoy]

Implemented in v1.1.7.

[wninobla]

OK that makes more sense to me. We don't get a load of people trying to use IPv6 in that sense since they are rather slow in the transition from traditional IPv4 address space. Sounds to me between you and Adam we will want to get in a feature enhancement to the build.

---

From: John Murray notifications@github.com Sent: Wednesday, November 23, 2016 6:41 PM To: DimensionDataResearch/dd-cloud-compute-terraform Cc: William Ninobla (ITaaS); Mention Subject: Re: [DimensionDataResearch/dd-cloud-compute-terraform] Add the ability to manage default firewall rules (#54)

@wninoblahttps://github.com/wninobla - true but the reason I want to get the IPV6 deny disabled is so that a server can bootstrap using chef (or whatever) on ipv6 rather than giving it a public ipv4 address. My hack at the moment is a null resource that does an api call to disable the rule

- You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://github.com/DimensionDataResearch/dd-cloud-compute-terraform/issues/54#issuecomment-262677584, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AQe9vxThnT5xzEkoWoT8WV85rCSL8X5Hks5rBPllgaJpZM4K6DJe.

itevomcid

[tintoy]

(cough) This has already been implemented :)

On 29 Nov 2016, at 3:19 AM, wninobla

OK that makes more sense to me. We don't get a load of people trying to use IPv6 in that sense since they are rather slow in the transition from traditional IPv4 address space. Sounds to me between you and Adam we will want to get in a feature enhancement to the build.