Skip to content

Latest commit

 

History

History
114 lines (78 loc) · 3.63 KB

README.md

File metadata and controls

114 lines (78 loc) · 3.63 KB
Raw

AWS VPC with firewall by Terraform for OSD Network Verifier Test

This repository contains Terraform scripts to set up a VPC in AWS with public, private, and firewall subnets. An Internet Gateway is also set up for the VPC. A network firewall with a firewall policy and a rule group is also set up for the VPC.

Use block_domains to add the domain you want to blocked and then test with osd-network-verifier.

Prerequisites

  • Terraform 0.12.x or later
  • AWS Account

Usage

AWS Credentials

This script uses AWS profiles for authentication. You should configure your AWS credentials in your AWS credentials file. The default location is ~/.aws/credentials on Unix systems and C:\Users\USERNAME\.aws\credentials on Windows. You can specify the profile to use in the terraform.tfvars file.

Configuration

Before running the scripts, you need to configure the variables used by the scripts. A terraform.tfvars.example file is provided as a template. Here are the steps to configure the variables:

  1. Copy the example file:

    cp terraform.tfvars.example terraform.tfvars

  2. Open the terraform.tfvars file in a text editor.

  3. Replace the Variable values with your actual values. Here is an explanation of each variable:

  • profile: The AWS profile to use. This profile should be configured in your AWS credentials file.
  • region: The AWS region where resources will be created.
  • availability_zone: The availability zone within the region where subnets will be created.
  • vpc_cidr_block: The CIDR block for the VPC.
  • public_subnet_cidr_block: The CIDR block for the public subnet within the VPC.
  • private_subnet_cidr_block: The CIDR block for the private subnet within the VPC.
  • firewall_subnet_cidr_block: The CIDR block for the firewall subnet within the VPC.
  • block_domains: A list of domains that you want to block.
  • firewall_name: The name of the network firewall.
  • firewall_policy_name: The name of the firewall policy.
  • rule_group_name: The name of the stateful rule group for the firewall.

Running the scripts

  1. Initialize Terraform:
terraform init
  1. Check the execution plan:
terraform plan
  1. Apply the changes:
terraform apply
  1. To destroy the resources:
terraform destroy

Outputs

The scripts output the IDs of the created VPC and subnets.

  • vpc_id: The ID of the VPC.
  • region: The region of the VPC.
  • public_subnet_id: The ID of the public subnet.
  • private_subnet_id: The ID of the private subnet.
  • firewall_subnet_id: The ID of the firewall subnet.

Test OSD Network Verifier

Use the following command example tp verfifer the block domain failed the verifier.

osd-network-verifier egress \
    --platform aws \
    --subnet-id $private_subnet_id \
    --security-group-id "" \
    --profile $aws_profile \
    --region $region

Replace $private_subnet_id, $aws_profile and $region with the terraform output value.

Example:

$ ./osd-network-verifier egress --platform aws --subnet-id subnet-080exxxxxxxx6aef1 --security-group-id "" --profile default --region us-east-1                                                                                                                         1 ↵
Using region: us-east-1
Created security group with ID: sg-04f4xxxxxxxx53f29
Created instance with ID: i-0197xxxxxxxx8c4ce
Summary:
printing out failures:
 - egressURL error: api.openshift.com:443
 - egressURL error: quay.io:443
 - egressURL error: registry.redhat.io:443

printing out exceptions preventing the verifier from running the specific test:
printing out errors faced during the execution:
Failure!