Refactor firewalls and add descriptions

This commit is contained in:
Tobias Reisinger 2024-11-01 03:12:34 +01:00
parent 96b298c0c9
commit fb9d50a86e
Signed by: serguzim
GPG key ID: 13AD60C237A28DFE
4 changed files with 33 additions and 27 deletions
modules/infrastructure


@ -49,11 +49,6 @@ resource "hcloud_server" "nodes" {
ipv4 = hcloud_primary_ip.node_ipv4_addresses[each.key].id
ipv6 = hcloud_primary_ip.node_ipv6_addresses[each.key].id
}
labels = merge({
"serguzim.net" = ""
},
{ for k, v in var.services : "service/${k}" => "" if (v.host == each.key || v.host == "*") }
)
lifecycle {
ignore_changes = [
ssh_keys,
@ -75,33 +70,28 @@ locals {
}
# Create firewalls
resource "hcloud_firewall" "always" {
name = "always"
resource "hcloud_firewall" "nodes_services" {
for_each = local.hetzner_hosts
name = each.key
apply_to {
label_selector = "serguzim.net"
server = hcloud_server.nodes[each.key].id
}
rule {
direction = "in"
protocol = "icmp"
source_ips = local.default_firewall_source_ips
}
}
resource "hcloud_firewall" "services" {
for_each = { for k, v in var.services : k => v.ports if v.ports != null }
name = each.key
apply_to {
label_selector = "service/${each.key}"
description = "ICMP"
direction = "in"
protocol = "icmp"
source_ips = local.default_firewall_source_ips
}
dynamic "rule" {
for_each = each.value
for_each = flatten([ for k, v in var.services : v.ports if (v.ports != null && (v.host == each.key || v.host == "*")) ])
content {
description = rule.value.description
direction = "in"
protocol = rule.value.protocol
port = rule.value.port
source_ips = local.default_firewall_source_ips
}
}
}
}
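Review bot: The flattened `for_each` on the `dynamic "rule"` block discards the service key, so a generated firewall rule's only provenance is the free-text `rule.value.description` supplied by the service author, and two services exposing the same port on the same host yield indistinguishable (and possibly duplicate) rule blocks. Carrying the key through, e.g. `for_each = flatten([for k, v in var.services : [for p in v.ports : merge(p, { service = k })] if (v.ports != null && (v.host == each.key || v.host == "*"))])` together with `description = "${rule.value.service}: ${rule.value.description}"`, keeps every opened port attributable to the service that requested it when the firewall is audited in the Hetzner console. Note also that `rule.value.description` appears to depend on the `description = string` attribute added to `variable "services"` in the other hunk being required, which will make existing service definitions without a description fail validation; `optional(string, "")` would keep them working. A short comment above the resource stating that one firewall is created per host in `local.hetzner_hosts`, attached directly by server id, and aggregates the ICMP rule plus the ports of every service hosted on that node or on `"*"` would say more than the now-generic `# Create firewalls`.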


@ -23,6 +23,7 @@ variable "services" {
type = string
})))
ports = optional(list(object({
description = string
port = number
protocol = string
type = string