From f850066aad19b2fd11d39c28a8a86b3f1ab0b418 Mon Sep 17 00:00:00 2001 From: Noah Date: Tue, 23 Dec 2025 10:54:03 +0100 Subject: [PATCH] Refactor firewall rules and add network resources for production environment --- terraform/prod__firewall.tf | 36 +++++++- terraform/prod_network.tf | 9 ++ terraform/terraform.tfstate | 131 ++++++++++++++++++++++++++++- terraform/terraform.tfstate.backup | 65 ++++++++++++-- 4 files changed, 230 insertions(+), 11 deletions(-) create mode 100644 terraform/prod_network.tf diff --git a/terraform/prod__firewall.tf b/terraform/prod__firewall.tf index eab0813..95a359c 100644 --- a/terraform/prod__firewall.tf +++ b/terraform/prod__firewall.tf @@ -2,21 +2,49 @@ resource "hcloud_firewall" "production_fw" { name = "production-fw" rule { direction = "in" - protocol = "icmp" + protocol = "tcp" + port = "80" source_ips = [ "0.0.0.0/0", "::/0" ] } - - rule { + rule { direction = "in" protocol = "tcp" - port = "80-85" + port = "443" source_ips = [ "0.0.0.0/0", "::/0" ] } + rule { + direction = "in" + protocol = "tcp" + port = "22" + source_ips = [ + "0.0.0.0/0", + "::/0" + ] + } + rule { + direction = "out" + protocol = "tcp" + port = "any" + destination_ips = [ + "0.0.0.0/0", + "::/0" + ] + } + rule { + direction = "out" + protocol = "udp" + port = "any" + destination_ips = [ + "0.0.0.0/0", + "::/0" + ] + } + } \ No newline at end of file diff --git a/terraform/prod_network.tf b/terraform/prod_network.tf new file mode 100644 index 0000000..54839b1 --- /dev/null +++ b/terraform/prod_network.tf @@ -0,0 +1,9 @@ +resource "hcloud_network" "prodnet" { + name = "prod-network" + ip_range = "10.0.0.0/16" +} + +resource "netbox_ip_range" "prodnet" { + start_address = "10.0.0.1/16" + end_address = "10.0.255.254/16" +} \ No newline at end of file diff --git a/terraform/terraform.tfstate b/terraform/terraform.tfstate index 2c25993..0af2c10 100644 --- a/terraform/terraform.tfstate +++ b/terraform/terraform.tfstate 
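Review bot: The new inbound rule for port 22 admits SSH from `0.0.0.0/0` and `::/0`, which puts the production hosts' administrative port on the whole internet; unlike 80 and 443 this one should be limited to the bastion or admin ranges, e.g. `source_ips = var.ssh_admin_source_ips` with the CIDR list kept in a variable (variable name constructed here). Each rule block also carries a `description` field (the state file in this same patch records it as an empty string for every rule), so a one-line `description = "..."` per rule would document why each port is open. Removing the inbound `icmp` rule outright also drops ICMPv6 packet-too-big, which can break path-MTU discovery for the 443 listener — confirm this was intended rather than a side effect of the refactor. The enclosing `resource "hcloud_firewall" "production_fw"` block starts before the hunk.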
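Review bot: `netbox_ip_range.prodnet` repeats the `10.0.0.0/16` range as two hard-coded literals instead of deriving them from `hcloud_network.prodnet.ip_range`, so the NetBox record and the real network can silently drift when one is edited; `start_address = "${cidrhost(hcloud_network.prodnet.ip_range, 1)}/16"` and `end_address = "${cidrhost(hcloud_network.prodnet.ip_range, -2)}/16"` would tie the two together and also give Terraform the dependency ordering between them. The `hcloud_network` is created with its default `delete_protection` (the state in this patch shows `false`); for a production network `delete_protection = true` guards against an accidental destroy. A short comment above `netbox_ip_range.prodnet` stating that it is the IPAM mirror of the Hetzner network would help the next reader see why both exist.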
@@ -1,9 +1,136 @@
 {
 "version": 4,
 "terraform_version": "1.14.3",
- "serial": 3,
+ "serial": 10,
 "lineage": "2f42bf18-041f-78d9-24cc-d9a193bc3daf",
 "outputs": {},
- "resources": [],
+ "resources": [
+ {
+ "mode": "managed",
+ "type": "hcloud_firewall",
+ "name": "production_fw",
+ "provider": "provider[\"registry.terraform.io/hetznercloud/hcloud\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "apply_to": [],
+ "id": "10323541",
+ "labels": {},
+ "name": "production-fw",
+ "rule": [
+ {
+ "description": "",
+ "destination_ips": [
+ "0.0.0.0/0",
+ "::/0"
+ ],
+ "direction": "out",
+ "port": "any",
+ "protocol": "tcp",
+ "source_ips": []
+ },
+ {
+ "description": "",
+ "destination_ips": [
+ "0.0.0.0/0",
+ "::/0"
+ ],
+ "direction": "out",
+ "port": "any",
+ "protocol": "udp",
+ "source_ips": []
+ },
+ {
+ "description": "",
+ "destination_ips": [],
+ "direction": "in",
+ "port": "22",
+ "protocol": "tcp",
+ "source_ips": [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ },
+ {
+ "description": "",
+ "destination_ips": [],
+ "direction": "in",
+ "port": "443",
+ "protocol": "tcp",
+ "source_ips": [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ },
+ {
+ "description": "",
+ "destination_ips": [],
+ "direction": "in",
+ "port": "80",
+ "protocol": "tcp",
+ "source_ips": [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+ ]
+ },
+ "sensitive_attributes": [],
+ "identity_schema_version": 0,
+ "private": "bnVsbA=="
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "hcloud_network",
+ "name": "prodnet",
+ "provider": "provider[\"registry.terraform.io/hetznercloud/hcloud\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "delete_protection": false,
+ "expose_routes_to_vswitch": false,
+ "id": "11773043",
+ "ip_range": "10.0.0.0/16",
+ "labels": {},
+ "name": "prod-network"
+ },
+ "sensitive_attributes": [],
+ "identity_schema_version": 0,
+ "private": "bnVsbA=="
+ }
+ ]
+ },
+ {
+ "mode": "managed",
+ "type": "netbox_ip_range",
+ "name": "prodnet",
+ "provider": "provider[\"registry.terraform.io/e-breuninger/netbox\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "description": null,
+ "end_address": "10.0.255.254/16",
+ "id": "1",
+ "role_id": null,
+ "size": 65534,
+ "start_address": "10.0.0.1/16",
+ "status": "active",
+ "tags": null,
+ "tags_all": [],
+ "tenant_id": null,
+ "vrf_id": null
+ },
+ "sensitive_attributes": [],
+ "identity_schema_version": 0,
+ "private": "bnVsbA=="
+ }
+ ]
+ }
+ ],
 "check_results": null
 }
diff --git a/terraform/terraform.tfstate.backup b/terraform/terraform.tfstate.backup
index d9c5f53..863008c 100644
--- a/terraform/terraform.tfstate.backup
+++ b/terraform/terraform.tfstate.backup
@@ -1,7 +1,7 @@
 {
 "version": 4,
 "terraform_version": "1.14.3",
- "serial": 1,
+ "serial": 8,
 "lineage": "2f42bf18-041f-78d9-24cc-d9a193bc3daf",
 "outputs": {},
 "resources": [
@@ -15,16 +15,38 @@
 "schema_version": 0,
 "attributes": {
 "apply_to": [],
- "id": "10322075",
+ "id": "10323541",
 "labels": {},
 "name": "production-fw",
 "rule": [
+ {
+ "description": "",
+ "destination_ips": [
+ "0.0.0.0/0",
+ "::/0"
+ ],
+ "direction": "out",
+ "port": "any",
+ "protocol": "tcp",
+ "source_ips": []
+ },
+ {
+ "description": "",
+ "destination_ips": [
+ "0.0.0.0/0",
+ "::/0"
+ ],
+ "direction": "out",
+ "port": "any",
+ "protocol": "udp",
+ "source_ips": []
+ },
 {
 "description": "",
 "destination_ips": [],
 "direction": "in",
- "port": "",
- "protocol": "icmp",
+ "port": "22",
+ "protocol": "tcp",
 "source_ips": [
 "0.0.0.0/0",
 "::/0"
@@ -34,7 +56,18 @@
 "description": "",
 "destination_ips": [],
 "direction": "in",
- "port": "80-85",
+ "port": "443",
+ "protocol": "tcp",
+ "source_ips": [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ },
+ {
+ "description": "",
+ "destination_ips": [],
+ "direction": "in",
+ "port": "80",
 "protocol": "tcp",
 "source_ips": [
 "0.0.0.0/0",
@@ -48,6 +81,28 @@
 "private": "bnVsbA=="
 }
 ]
+ },
+ {
+ "mode": "managed",
+ "type": "hcloud_network",
+ "name": "prodnet",
+ "provider": "provider[\"registry.terraform.io/hetznercloud/hcloud\"]",
+ "instances": [
+ {
+ "schema_version": 0,
+ "attributes": {
+ "delete_protection": false,
+ "expose_routes_to_vswitch": false,
+ "id": "11773043",
+ "ip_range": "10.0.0.0/16",
+ "labels": null,
+ "name": "prod-network"
+ },
+ "sensitive_attributes": [],
+ "identity_schema_version": 0,
+ "private": "bnVsbA=="
+ }
+ ]
 }
 ],
 "check_results": null