The Terraform code of the compute instance:
```hcl
resource "openstack_compute_instance_v2" "my-server" {
  name            = "my-server"
  image_id        = "xxxx"
  security_groups = [openstack_networking_secgroup_v2.my_sec_group.name]
  user_data       = file("./cloud-config.yaml")
  config_drive    = true

  network {
    name = openstack_networking_network_v2.some_network.name
  }
}

resource "openstack_networking_secgroup_v2" "my_sec_group" {
  name                 = "my_sec_group"
  delete_default_rules = true
}

resource "openstack_networking_secgroup_rule_v2" "allow_metadata_service" {
  direction         = "egress"
  ethertype         = "IPv4"
  remote_ip_prefix  = "169.254.169.254/32"
  security_group_id = openstack_networking_secgroup_v2.my_sec_group.id
}

# WORKS ONLY WITH SECURITY GROUP RULE allow_everything
resource "openstack_networking_secgroup_rule_v2" "allow_everything" {
  direction         = "egress"
  ethertype         = "IPv4"
  remote_ip_prefix  = "0.0.0.0/0"
  security_group_id = openstack_networking_secgroup_v2.my_sec_group.id
}
```
The cloud-init config:

```yaml
#cloud-config
users:
  - name: root
    shell: /bin/bash
    hashed_passwd: xxxx
...
```
If I remove the security group rule allow_everything, the VM/cloud-init does NOT configure the networks properly. What could be the reason that I need to allow 0.0.0.0/0? How can I limit the CIDR to be more secure and keep cloud-init running?
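A least-privilege egress set that replaces the 0.0.0.0/0 rule, as an added example that is not part of the question above. It narrows each dependency that a cloud-init run typically has (the metadata service on TCP 80, DNS, NTP and a package mirror) to one protocol, port and destination, so that a blanket "allow everything" rule is no longer needed. The resolver, NTP and mirror CIDRs are constructed placeholders; the real addresses for a given cloud are found by reading `/var/log/cloud-init.log` on a booted instance, which records every destination cloud-init failed to reach. DHCP is not listed: it is assumed here that the deployment's Neutron firewall driver permits DHCP client traffic irrespective of security group rules, which should be verified for the cloud in question. Note that the question's `allow_metadata_service` rule sets no `protocol`, so it already allows every protocol to 169.254.169.254; with `config_drive = true` the metadata rule is often not required at all and can be dropped after confirming the boot still completes.

```hcl
# Added example, not the asker's code. Replace the placeholder CIDRs below with
# the resolver, NTP server and package mirror actually used by the cloud.
locals {
  egress_rules = {
    metadata_http = { proto = "tcp", port = 80,  cidr = "169.254.169.254/32", desc = "Nova metadata service" }
    dns_udp       = { proto = "udp", port = 53,  cidr = "10.0.0.2/32",        desc = "DNS resolver (placeholder CIDR)" }
    dns_tcp       = { proto = "tcp", port = 53,  cidr = "10.0.0.2/32",        desc = "DNS resolver, large answers (placeholder CIDR)" }
    ntp           = { proto = "udp", port = 123, cidr = "10.0.0.3/32",        desc = "NTP server (placeholder CIDR)" }
    mirror_https  = { proto = "tcp", port = 443, cidr = "10.0.1.0/24",        desc = "Package mirror (placeholder CIDR)" }
  }
}

resource "openstack_networking_secgroup_v2" "my_sec_group" {
  name                 = "my_sec_group"
  delete_default_rules = true
}

# One rule per dependency instead of a single 0.0.0.0/0 egress rule.
resource "openstack_networking_secgroup_rule_v2" "egress" {
  for_each          = local.egress_rules
  direction         = "egress"
  ethertype         = "IPv4"
  protocol          = each.value.proto
  port_range_min    = each.value.port
  port_range_max    = each.value.port
  remote_ip_prefix  = each.value.cidr
  description       = each.value.desc
  security_group_id = openstack_networking_secgroup_v2.my_sec_group.id
}
```

Tighten the set iteratively: start with these rules, boot an instance, read `/var/log/cloud-init.log` for connection failures, and add only the specific destination that failed. If the boot succeeds with `metadata_http` removed, the config drive is serving the metadata and that rule can stay out.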