Use a single rule for both. Also rename the rule and improve the
description to make it clear that it concerns the main cluster. Drop the
old IP addresses of wuiet and the old UBC subnet. Ideally we should have
a list of hosts there, but that's already an improvement.
- ferm::rule { 'dsa-postgres-danzi':
+ ferm::rule { 'dsa-postgres-main':
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 206.12.19.0/24 209.87.16.0/24 5.153.231.18/32 ))'
- }
- ferm::rule { 'dsa-postgres-danzi6':
- domain => 'ip6',
- description => 'Allow postgress access',
- rule => '&SERVICE_RANGE(tcp, 5433, ( 2607:f8f0:610:4000::/64 2607:f8f0:614:1::/64 2001:41c8:1000:21::21:18/128 ))'
+ description => 'Allow postgress access to cluster: main',
+ domain => '(ip ip6)',
+ rule => '&SERVICE_RANGE(tcp, 5433, ( 209.87.16.0/24 2607:f8f0:614:1::/64 ))'
ferm::rule { 'dsa-postgres2-danzi':
description => 'Allow postgress access2',
rule => '&SERVICE_RANGE(tcp, 5434, ( 209.87.16.0/24 ))'
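Review bot: the new `+ description` line carries the "postgress" typo over from the removed rules; since this commit already renames and re-describes the resource, correct it to `description => 'Allow postgres access to cluster: main',`. Two further points on this hunk: the ranges dropped from the 5433 rule (206.12.19.0/24, 5.153.231.18/32, 2607:f8f0:610:4000::/64 and 2001:41c8:1000:21::21:18/128) should be checked against current connection sources before merge, because any client still connecting from them loses access as soon as ferm reloads; and the unchanged `dsa-postgres2-danzi` context rule for port 5434 below keeps the old naming and is IPv4-only, so a follow-up applying the same rename and `domain => '(ip ip6)'` there would keep the two rules consistent.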