fix: add example for database firewall

terraform-do-modules · Jun 20, 2023 · 42a4f97 · 42a4f97
1 parent 131ccc8
commit 42a4f97
Show file tree

Hide file tree

Showing 11 changed files with 173 additions and 29 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -62,4 +62,17 @@ updates:
     reviewers:
       - "approvers"
     # Allow up to 3 open pull requests for pip dependencies
+    open-pull-requests-limit: 3
+
+  - package-ecosystem: "terraform" # See documentation for possible values
+    directory: "/_examples/database_firewall" # Location of package manifests
+    schedule:
+      interval: "weekly"
+    # Add assignees
+    assignees:
+      - "clouddrove-ci"
+    # Add reviewer
+    reviewers:
+      - "approvers"
+    # Allow up to 3 open pull requests for pip dependencies
     open-pull-requests-limit: 3
diff --git a/.github/workflows/tf-checks.yml b/.github/workflows/tf-checks.yml
@@ -13,4 +13,9 @@ jobs:
   tf-basic-example:
     uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master
     with:
-      working_directory: './_examples/basic/'
+      working_directory: './_examples/basic/'
+
+  tf-database-firewall-example:
+    uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master
+    with:
+      working_directory: './_examples/database_firewall/'
diff --git a/README.yaml b/README.yaml
@@ -36,12 +36,32 @@ usage : |-
   Here is an example of how you can use this module in your inventory structure:
   ```hcl
        module "firewall" {
-       source          = "terraform-do-modules/firewall/digitalocean"
-       version         = "0.15.0"
-       name            = "app"
-       environment     = "test"
-       allowed_ip      = ["0.0.0.0/0"]
-       allowed_ports   = [22, 80]
-       droplet_ids     = module.droplet.id
+       source             = "terraform-do-modules/firewall/digitalocean"
+       version            = "0.15.0"
+       name               = "app"
+       environment        = "test"
+       allowed_ip         = ["0.0.0.0/0"]
+       allowed_ports      = [22, 80]
+       droplet_ids        = []
+       kubernetes_ids     = []
+       load_balancer_uids = []
+       }
+  ```
+
+  ### databases firewall Example
+  Here is an example of how you can use this module in your inventory structure:
+  ```hcl
+       module "firewall" {
+       source             = "terraform-do-modules/firewall/digitalocean"
+       version            = "0.15.0"
+       name                = local.name
+       environment         = local.environment
+       database_cluster_id = ""
+       rules = [
+          {
+            type  = "ip_addr"
+            value = "192.168.1.1"
+          },
+        ]
        }
   ```
diff --git a/_examples/basic/example.tf b/_examples/basic/example.tf
@@ -9,10 +9,12 @@ locals {
 ## Firewall module call
 ##------------------------------------------------
 module "firewall" {
-  source        = "./../../"
-  name          = local.name
-  environment   = local.environment
-  allowed_ip    = ["0.0.0.0/0"]
-  allowed_ports = [22, 80]
-  #  droplet_ids     = "" #### Add droplet ids
+  source             = "./../../"
+  name               = local.name
+  environment        = local.environment
+  allowed_ip         = ["0.0.0.0/0"]
+  allowed_ports      = [22, 80]
+  droplet_ids        = [] #### Add droplet ids
+  kubernetes_ids     = [] #### Add kubernetes ids
+  load_balancer_uids = [] #### Add load balancer uids
 }
diff --git a/_examples/complete/example.tf b/_examples/complete/example.tf
@@ -26,7 +26,7 @@ module "droplet" {
   environment = local.environment
   region      = local.region
   vpc_uuid    = module.vpc.id
-  ssh_key     = "ssh-rsaEl36y5Z2dDUyrcT6FdayhRGtJPfUJfc22tgu= test"
+  ssh_key     = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCbnaeXI+pAfwoMBLDl2r+fsRrBoqgRY54gcAawz0XJOiG6esHa13r28GGuEyAm5UGhDkVm6PZ8JAmLNpe8BTjJzF3BEZb+MMf0YLG+Gz6V5uyz9efuKxZqNTk2El36y5Z2dDUyrcT6FdayhRGtJPfUJc22tgucaTwA0I41SVJDb6OPeSYFalWIHk953RePWnJAjpRKyRqjnkbn6VUCqVQSNdJ+C4Qs7Zydullusm45UOMjhi20dgttdnnz6y9AOJDLws5IVmiee+Qwt1jO86RYSGyN2ikJQa6zB7Si1b8hlrVvDkBVGSxKs2mMJuLjXSx/SqdcwW17CDZLQoJ03WJgW3vs2sriyrtsFxWHCjssidl0sF83qVvUEsJKyNo7A6cXTAC++n2HlmWiDFpAns7qCrMkBJPOIT3hKDROozU+sLH8AL/mNd4yGpdTKDQGf+nDWq/5EGkHO4aq9RW9gQbGCX6H/zQTYudaDKLoVGf5LkYWtOC8+wfWmf2/dUA1KDU= devops"
   user_data   = file("user-data.sh")
   ####firewall
   inbound_rules = [

diff --git a/_examples/database_firewall/example.tf b/_examples/database_firewall/example.tf
@@ -0,0 +1,22 @@
+provider "digitalocean" {}
+
+locals {
+  name        = "app"
+  environment = "test"
+}
+
+##------------------------------------------------
+## database Firewall module call
+##------------------------------------------------
+module "firewall" {
+  source              = "./../../"
+  name                = local.name
+  environment         = local.environment
+  database_cluster_id = "" ## add database cluster id
+  rules = [
+    {
+      type  = "ip_addr"
+      value = "192.168.1.1"
+    },
+  ]
+}
diff --git a/_examples/database_firewall/outputs.tf b/_examples/database_firewall/outputs.tf
@@ -0,0 +1,4 @@
+output "uuid" {
+  value       = module.firewall[*].database_uuid
+  description = "A unique identifier for the firewall rule."
+}
diff --git a/_examples/database_firewall/versions.tf b/_examples/database_firewall/versions.tf
@@ -0,0 +1,10 @@
+# Terraform version
+terraform {
+  required_version = ">= 1.4.6"
+  required_providers {
+    digitalocean = {
+      source  = "digitalocean/digitalocean"
+      version = ">= 2.28.1"
+    }
+  }
+}
diff --git a/main.tf b/main.tf
@@ -1,7 +1,6 @@
-#Module      : Label
-#Description : This terraform module is designed to generate consistent label names and
-#              tags for resources. You can use terraform-labels to implement a strict
-#              naming convention.
+##-----------------------------------------------------------------------------
+## Labels module callled that will be used for naming and tags.
+##-----------------------------------------------------------------------------
 module "labels" {
   source      = "git::https://github.com/terraform-do-modules/terraform-digitalocean-labels.git?ref=internal-426m"
   name        = var.name
@@ -10,8 +9,9 @@ module "labels" {
   label_order = var.label_order
 }
 
-#Module      :  Firewall
+##-------------------------------------------------------------------------------------------------------------------------
 #Description :  Provides a DigitalOcean Cloud Firewall resource. This can be used to create, modify, and delete Firewalls.
+##-------------------------------------------------------------------------------------------------------------------------
 
 #tfsec:ignore:digitalocean-compute-no-public-ingress   ## because by default we use ["0.0.0.0/0"], do not use on prod env.
 #tfsec:ignore:digitalocean-compute-no-public-egress    ## The port is exposed for ingress from the internet, by default we use  ["0.0.0.0/0", "::/0"].
@@ -23,22 +23,34 @@ resource "digitalocean_firewall" "default" {
     iterator = port
     for_each = var.allowed_ports
     content {
-      port_range       = port.value
-      protocol         = var.protocol
-      source_addresses = var.allowed_ip
+      port_range                = port.value
+      protocol                  = var.protocol
+      source_addresses          = var.allowed_ip
+      source_droplet_ids        = var.droplet_ids
+      source_load_balancer_uids = var.load_balancer_uids
+      source_kubernetes_ids     = var.kubernetes_ids
+      source_tags               = var.tags
     }
   }
 
   outbound_rule {
-    protocol              = "tcp"
-    port_range            = "1-65535"
-    destination_addresses = ["0.0.0.0/0", "::/0"]
+    protocol                       = "tcp"
+    port_range                     = "1-65535"
+    destination_addresses          = ["0.0.0.0/0", "::/0"]
+    destination_droplet_ids        = var.droplet_ids
+    destination_kubernetes_ids     = var.kubernetes_ids
+    destination_load_balancer_uids = var.load_balancer_uids
+    destination_tags               = var.tags
   }
 
   outbound_rule {
-    protocol              = "udp"
-    port_range            = "1-65535"
-    destination_addresses = ["0.0.0.0/0", "::/0"]
+    protocol                       = "udp"
+    port_range                     = "1-65535"
+    destination_addresses          = ["0.0.0.0/0", "::/0"]
+    destination_droplet_ids        = var.droplet_ids
+    destination_kubernetes_ids     = var.kubernetes_ids
+    destination_load_balancer_uids = var.load_balancer_uids
+    destination_tags               = var.tags
   }
 
   tags = [
@@ -47,3 +59,20 @@ resource "digitalocean_firewall" "default" {
     module.labels.managedby
   ]
 }
+
+##------------------------------------------------------------------------------------------------------------------------------------------
+#Description : Provides a DigitalOcean database firewall resource allowing you to restrict connections to your database to trusted sources.
+##------------------------------------------------------------------------------------------------------------------------------------------
+resource "digitalocean_database_firewall" "default" {
+  count = var.enabled == true && var.database_cluster_id != null ? 1 : 0
+
+  cluster_id = var.database_cluster_id
+
+  dynamic "rule" {
+    for_each = var.rules
+    content {
+      type  = rule.value.type
+      value = rule.value.value
+    }
+  }
+}
diff --git a/outputs.tf b/outputs.tf
@@ -24,3 +24,12 @@ output "outbound_rule" {
   value       = digitalocean_firewall.default[*].outbound_rule
   description = "The name of the Firewall."
 }
+
+output "database_uuid" {
+  value       = digitalocean_database_firewall.default[*].id
+  description = "A unique identifier for the firewall rule."
+}
+output "cluster_id" {
+  value       = digitalocean_database_firewall.default[*].cluster_id
+  description = "The ID of the target database cluster."
+}
diff --git a/variables.tf b/variables.tf
@@ -54,3 +54,33 @@ variable "droplet_ids" {
   default     = []
   description = "The ID of the VPC that the instance security group belongs to."
 }
+
+variable "load_balancer_uids" {
+  type        = list(any)
+  default     = []
+  description = "The ID of the VPC that the load_balancer security group belongs to."
+}
+
+variable "kubernetes_ids" {
+  type        = list(any)
+  default     = []
+  description = "The ID of the VPC that the kubernetes security group belongs to."
+}
+
+variable "tags" {
+  type        = list(any)
+  default     = []
+  description = "An array containing the names of Tags corresponding to groups of Droplets from which the inbound traffic will be accepted."
+}
+
+variable "database_cluster_id" {
+  type        = string
+  default     = null
+  description = "The ID of the target database cluster."
+}
+
+variable "rules" {
+  type        = any
+  default     = []
+  description = "List of objects that represent the configuration of each inbound rule."
+}