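# Network policy for the "forem" droplet. The rule set lives in `locals` so it
# can be read and reviewed in one place; the firewall resource below only
# renders it.
locals {
  # Address ranges the rules may reference. Only IPv4 is listed: `0.0.0.0/0`
  # does not match IPv6 traffic, so if the droplet has IPv6 enabled, inbound
  # HTTP/HTTPS and all egress over IPv6 are dropped unless `::/0` is added here
  # and in the rules that should allow it — TODO confirm whether IPv6 is in use.
  allowed_subnets = {
    internet = "0.0.0.0/0"
    tailnet  = "100.64.0.0/10" # CGNAT block Tailscale assigns node addresses from
  }

  # Inbound rules. `name` is descriptive only: the DigitalOcean provider's
  # inbound_rule block has no name attribute, so it is never rendered.
  allowed_inbounds = [
    {
      # SSH is admitted only from tailnet addresses. NOTE(review): traffic inside
      # the Tailscale tunnel reaches the droplet encapsulated on UDP 41641, not
      # as port 22 at the cloud firewall, so in practice this rule denies SSH
      # from the public internet rather than admitting tunnelled SSH — confirm.
      name             = "SSH"
      protocol         = "tcp"
      port_range       = "22"
      source_addresses = [local.allowed_subnets.tailnet]
    },
    {
      name             = "HTTP"
      protocol         = "tcp"
      port_range       = "80"
      source_addresses = [local.allowed_subnets.internet]
    },
    {
      name             = "HTTPS"
      protocol         = "tcp"
      port_range       = "443"
      source_addresses = [local.allowed_subnets.internet]
    },
    {
      # HTTP/3 uses UDP on the same port as HTTPS.
      name             = "QUIC"
      protocol         = "udp"
      port_range       = "443"
      source_addresses = [local.allowed_subnets.internet]
    },
    {
      # Tailscale's WireGuard listener; open so peers can connect directly
      # instead of relaying.
      name             = "Tailscale"
      protocol         = "udp"
      port_range       = "41641"
      source_addresses = [local.allowed_subnets.internet]
    },
  ]

  # Outbound rules: unrestricted egress to any IPv4 destination over TCP and
  # UDP. The key is `destination_addresses` because that is what an outbound
  # rule filters on (the inbound entries filter on `source_addresses`). No ICMP
  # rule is listed in either direction, so ping/traceroute are not allowed.
  allowed_outbounds = [
    {
      name                  = "All TCP"
      protocol              = "tcp"
      port_range            = "1-65535"
      destination_addresses = [local.allowed_subnets.internet]
    },
    {
      name                  = "All UDP"
      protocol              = "udp"
      port_range            = "1-65535"
      destination_addresses = [local.allowed_subnets.internet]
    },
  ]
}

# Cloud firewall attached to the "forem" droplet, named after it. Every rule
# comes from the locals above; add or change rules there, not here.
resource "digitalocean_firewall" "forem" {
  name        = resource.digitalocean_droplet.forem.name
  droplet_ids = [resource.digitalocean_droplet.forem.id]

  # One inbound_rule block per entry. A dynamic block's for_each accepts a list
  # directly, so no index map is needed.
  dynamic "inbound_rule" {
    for_each = local.allowed_inbounds
    content {
      protocol         = inbound_rule.value.protocol
      port_range       = inbound_rule.value.port_range
      source_addresses = inbound_rule.value.source_addresses
    }
  }

  # One outbound_rule block per entry; outbound rules filter on destination.
  dynamic "outbound_rule" {
    for_each = local.allowed_outbounds
    content {
      protocol              = outbound_rule.value.protocol
      port_range            = outbound_rule.value.port_range
      destination_addresses = outbound_rule.value.destination_addresses
    }
  }
}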