From 42a4f9768c4578820d0ce902875c424f046f0750 Mon Sep 17 00:00:00 2001 From: mahesh yadav Date: Tue, 20 Jun 2023 17:40:31 +0530 Subject: [PATCH] fix: add example for database firewall --- .github/dependabot.yml | 13 ++++++ .github/workflows/tf-checks.yml | 7 ++- README.yaml | 34 ++++++++++++--- _examples/basic/example.tf | 14 +++--- _examples/complete/example.tf | 2 +- _examples/database_firewall/example.tf | 22 ++++++++++ _examples/database_firewall/outputs.tf | 4 ++ _examples/database_firewall/versions.tf | 10 +++++ main.tf | 57 +++++++++++++++++++------ outputs.tf | 9 ++++ variables.tf | 30 +++++++++++++ 11 files changed, 173 insertions(+), 29 deletions(-) create mode 100644 _examples/database_firewall/example.tf create mode 100644 _examples/database_firewall/outputs.tf create mode 100644 _examples/database_firewall/versions.tf diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 2ed5c50..7ad4f1e 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -62,4 +62,17 @@ updates: reviewers: - "approvers" # Allow up to 3 open pull requests for pip dependencies + open-pull-requests-limit: 3 + + - package-ecosystem: "terraform" # See documentation for possible values + directory: "/_examples/database_firewall" # Location of package manifests + schedule: + interval: "weekly" + # Add assignees + assignees: + - "clouddrove-ci" + # Add reviewer + reviewers: + - "approvers" + # Allow up to 3 open pull requests for pip dependencies open-pull-requests-limit: 3 \ No newline at end of file diff --git a/.github/workflows/tf-checks.yml b/.github/workflows/tf-checks.yml index a0e9afa..dbfbb19 100644 --- a/.github/workflows/tf-checks.yml +++ b/.github/workflows/tf-checks.yml 
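Review bot: The comment carried into the new terraform entry in .github/dependabot.yml still reads `# Allow up to 3 open pull requests for pip dependencies` although the entry's ecosystem is `terraform`; `# Allow up to 3 open pull requests for terraform dependencies` matches the block. The unchanged context line above the hunk shows the same wording in the previous entry, so the file presumably carries the copied text in every entry and a single sweep would fix them together.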
@@ -13,4 +13,9 @@ jobs: tf-basic-example: uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master with: - working_directory: './_examples/basic/' \ No newline at end of file + working_directory: './_examples/basic/' + + tf-database-firewall-example: + uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master + with: + working_directory: './_examples/database_firewall/' \ No newline at end of file diff --git a/README.yaml b/README.yaml index 110eaf0..9e56f1b 100644 --- a/README.yaml +++ b/README.yaml @@ -36,12 +36,32 @@ usage : |- Here is an example of how you can use this module in your inventory structure: ```hcl module "firewall" { - source = "terraform-do-modules/firewall/digitalocean" - version = "0.15.0" - name = "app" - environment = "test" - allowed_ip = ["0.0.0.0/0"] - allowed_ports = [22, 80] - droplet_ids = module.droplet.id + source = "terraform-do-modules/firewall/digitalocean" + version = "0.15.0" + name = "app" + environment = "test" + allowed_ip = ["0.0.0.0/0"] + allowed_ports = [22, 80] + droplet_ids = [] + kubernetes_ids = [] + load_balancer_uids = [] + } + ``` + + ### databases firewall Example + Here is an example of how you can use this module in your inventory structure: + ```hcl + module "firewall" { + source = "terraform-do-modules/firewall/digitalocean" + version = "0.15.0" + name = local.name + environment = local.environment + database_cluster_id = "" + rules = [ + { + type = "ip_addr" + value = "192.168.1.1" + }, + ] } ``` \ No newline at end of file diff --git a/_examples/basic/example.tf b/_examples/basic/example.tf index 3d9b4ed..3a37bad 100644 --- a/_examples/basic/example.tf +++ b/_examples/basic/example.tf 
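Review bot: The new `tf-database-firewall-example` job in .github/workflows/tf-checks.yml references the shared workflow at `@master`, a mutable ref, so whatever is pushed to that branch later runs in this repository's CI with this repository's token; pinning to a release tag or a full commit SHA makes the check reproducible and is the usual guard for reusable workflows, e.g. `uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@<PINNED_TAG_OR_SHA>`. The existing `tf-basic-example` job has the same reference and could be pinned in the same change.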
@@ -9,10 +9,12 @@ locals { ## Firewall module call ##------------------------------------------------ module "firewall" { - source = "./../../" - name = local.name - environment = local.environment - allowed_ip = ["0.0.0.0/0"] - allowed_ports = [22, 80] - # droplet_ids = "" #### Add droplet ids + source = "./../../" + name = local.name + environment = local.environment + allowed_ip = ["0.0.0.0/0"] + allowed_ports = [22, 80] + droplet_ids = [] #### Add droplet ids + kubernetes_ids = [] #### Add kubernetes ids + load_balancer_uids = [] #### Add load balancer uids } diff --git a/_examples/complete/example.tf b/_examples/complete/example.tf index 50cb92f..b229f2a 100644 --- a/_examples/complete/example.tf +++ b/_examples/complete/example.tf @@ -26,7 +26,7 @@ module "droplet" { environment = local.environment region = local.region vpc_uuid = module.vpc.id - ssh_key = "ssh-rsaEl36y5Z2dDUyrcT6FdayhRGtJPfUJfc22tgu= test" + ssh_key = "ssh-rsa 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 devops" user_data = file("user-data.sh") ####firewall inbound_rules = [ diff --git a/_examples/database_firewall/example.tf b/_examples/database_firewall/example.tf new file mode 100644 index 0000000..fde94e5 --- /dev/null +++ b/_examples/database_firewall/example.tf @@ -0,0 +1,22 @@ +provider "digitalocean" {} + +locals { + name = "app" + environment = "test" +} + +##------------------------------------------------ +## database Firewall module call +##------------------------------------------------ +module "firewall" { + source = "./../../" + name = local.name + environment = local.environment + database_cluster_id = "" ## add database cluster id + rules = [ + { + type = "ip_addr" + value = "192.168.1.1" + }, + ] +} diff --git a/_examples/database_firewall/outputs.tf b/_examples/database_firewall/outputs.tf new file mode 100644 index 0000000..68d95e0 --- /dev/null +++ b/_examples/database_firewall/outputs.tf 
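Review bot: `database_cluster_id = ""` in the new _examples/database_firewall/example.tf does not keep `digitalocean_database_firewall.default` out of the plan, because the count expression in main.tf only compares the variable against `null`; the example therefore plans a resource with an empty cluster_id that can only fail at apply. Either omit the argument until a real id is available or make the placeholder explicit, `database_cluster_id = null ## replace with the database cluster id`. The example also passes neither `allowed_ip` nor `allowed_ports`, so `digitalocean_firewall.default` in the same module is presumably evaluated with its defaults — and the tfsec comment in main.tf says the default `allowed_ip` is `["0.0.0.0/0"]` — meaning an example meant to show a database firewall may create a cloud firewall with public ingress as a side effect; worth confirming and, if so, documenting or disabling it here.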
@@ -0,0 +1,4 @@ +output "uuid" { + value = module.firewall[*].database_uuid + description = "A unique identifier for the firewall rule." +} diff --git a/_examples/database_firewall/versions.tf b/_examples/database_firewall/versions.tf new file mode 100644 index 0000000..cb6c070 --- /dev/null +++ b/_examples/database_firewall/versions.tf @@ -0,0 +1,10 @@ +# Terraform version +terraform { + required_version = ">= 1.4.6" + required_providers { + digitalocean = { + source = "digitalocean/digitalocean" + version = ">= 2.28.1" + } + } +} \ No newline at end of file diff --git a/main.tf b/main.tf index 1502d13..823043b 100644 --- a/main.tf +++ b/main.tf @@ -1,7 +1,6 @@ -#Module : Label -#Description : This terraform module is designed to generate consistent label names and -# tags for resources. You can use terraform-labels to implement a strict -# naming convention. +##----------------------------------------------------------------------------- +## Labels module callled that will be used for naming and tags. +##----------------------------------------------------------------------------- module "labels" { source = "git::https://github.com/terraform-do-modules/terraform-digitalocean-labels.git?ref=internal-426m" name = var.name @@ -10,8 +9,9 @@ module "labels" { label_order = var.label_order } -#Module : Firewall +##------------------------------------------------------------------------------------------------------------------------- #Description : Provides a DigitalOcean Cloud Firewall resource. This can be used to create, modify, and delete Firewalls. +##------------------------------------------------------------------------------------------------------------------------- #tfsec:ignore:digitalocean-compute-no-public-ingress ## because by default we use ["0.0.0.0/0"], do not use on prod env. #tfsec:ignore:digitalocean-compute-no-public-egress ## The port is exposed for ingress from the internet, by default we use ["0.0.0.0/0", "::/0"]. 
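Review bot: `module.firewall[*].database_uuid` in the new _examples/database_firewall/outputs.tf applies a splat to a module that has no `count` or `for_each` in example.tf, and the module output `database_uuid` is already a list (`digitalocean_database_firewall.default[*].id`), so `uuid` ends up as a list nested in a list. `value = module.firewall.database_uuid` returns the list exactly as the module defines it. The description also speaks of a rule while the value is the firewall resource's id; `description = "IDs of the database firewall resources, empty when none is created."` matches the value.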
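Review bot: The new header comment at the top of main.tf has a typo, `callled`; `## Labels module called that will be used for naming and tags.` reads correctly. The removed comment also said what the module produces (consistent label names and tags), which is worth keeping in the one-line replacement.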
@@ -23,22 +23,34 @@ resource "digitalocean_firewall" "default" { iterator = port for_each = var.allowed_ports content { - port_range = port.value - protocol = var.protocol - source_addresses = var.allowed_ip + port_range = port.value + protocol = var.protocol + source_addresses = var.allowed_ip + source_droplet_ids = var.droplet_ids + source_load_balancer_uids = var.load_balancer_uids + source_kubernetes_ids = var.kubernetes_ids + source_tags = var.tags } } outbound_rule { - protocol = "tcp" - port_range = "1-65535" - destination_addresses = ["0.0.0.0/0", "::/0"] + protocol = "tcp" + port_range = "1-65535" + destination_addresses = ["0.0.0.0/0", "::/0"] + destination_droplet_ids = var.droplet_ids + destination_kubernetes_ids = var.kubernetes_ids + destination_load_balancer_uids = var.load_balancer_uids + destination_tags = var.tags } outbound_rule { - protocol = "udp" - port_range = "1-65535" - destination_addresses = ["0.0.0.0/0", "::/0"] + protocol = "udp" + port_range = "1-65535" + destination_addresses = ["0.0.0.0/0", "::/0"] + destination_droplet_ids = var.droplet_ids + destination_kubernetes_ids = var.kubernetes_ids + destination_load_balancer_uids = var.load_balancer_uids + destination_tags = var.tags } tags = [ 
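Review bot: The `destination_droplet_ids`, `destination_kubernetes_ids`, `destination_load_balancer_uids` and `destination_tags` lines added to both outbound_rule blocks in main.tf have no effect, because each rule still lists `destination_addresses = ["0.0.0.0/0", "::/0"]` and, as far as I know, the DigitalOcean API matches a rule when the destination is in any of the listed sets — every droplet, cluster or load balancer is already reachable by address. If the intent is to leave egress open, the four lines should go; if the intent is to confine egress to the module's own resources, it is the address list that has to go. On the inbound side, `source_droplet_ids = var.droplet_ids` presumably names the same droplets the firewall is attached to (the resource's `droplet_ids` argument is outside this hunk), which admits traffic from every droplet in the group on all `allowed_ports` in addition to `allowed_ip`; if that is intended it deserves a comment such as `# droplets in the group may reach each other on the allowed ports`. The resource block begins and ends outside this hunk.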
@@ -47,3 +59,20 @@ resource "digitalocean_firewall" "default" { module.labels.managedby ] } + +##------------------------------------------------------------------------------------------------------------------------------------------ +#Description : Provides a DigitalOcean database firewall resource allowing you to restrict connections to your database to trusted sources. +##------------------------------------------------------------------------------------------------------------------------------------------ +resource "digitalocean_database_firewall" "default" { + count = var.enabled == true && var.database_cluster_id != null ? 1 : 0 + + cluster_id = var.database_cluster_id + + dynamic "rule" { + for_each = var.rules + content { + type = rule.value.type + value = rule.value.value + } + } +} \ No newline at end of file diff --git a/outputs.tf b/outputs.tf index 6763c1e..fa5919c 100644 --- a/outputs.tf +++ b/outputs.tf @@ -24,3 +24,12 @@ output "outbound_rule" { value = digitalocean_firewall.default[*].outbound_rule description = "The name of the Firewall." } + +output "database_uuid" { + value = digitalocean_database_firewall.default[*].id + description = "A unique identifier for the firewall rule." +} +output "cluster_id" { + value = digitalocean_database_firewall.default[*].cluster_id + description = "The ID of the target database cluster." +} \ No newline at end of file diff --git a/variables.tf b/variables.tf index 9e8ae80..9d71668 100644 --- a/variables.tf +++ b/variables.tf 
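Review bot: The count guard on the new `digitalocean_database_firewall.default` in main.tf, `var.enabled == true && var.database_cluster_id != null ? 1 : 0`, lets an empty string through, which is exactly what the new example passes; `count = var.enabled == true && var.database_cluster_id != null && var.database_cluster_id != "" ? 1 : 0` keeps the resource out of the plan until a real id is supplied. With `var.rules` declared as `any`, a malformed entry (a missing `type`, a map instead of a list) only surfaces as an evaluation error inside the dynamic `rule` block; tightening the variable's type in variables.tf would move that check to the module boundary. A short comment above the dynamic block naming the expected shape, `# each rule: { type = <provider rule type>, value = <id, address or tag> }`, would also help readers of main.tf alone.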
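Review bot: The `database_uuid` output added to outputs.tf is described as "A unique identifier for the firewall rule." while its value is the list of `digitalocean_database_firewall` resource ids, one element or empty because of the resource's count; `description = "IDs of the database firewall resources, empty when none is created."` is accurate. The hunk also puts a blank line before `database_uuid` but none between it and `cluster_id`; separating the two outputs keeps the file consistent.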
@@ -54,3 +54,33 @@ variable "droplet_ids" { default = [] description = "The ID of the VPC that the instance security group belongs to." } + +variable "load_balancer_uids" { + type = list(any) + default = [] + description = "The ID of the VPC that the load_balancer security group belongs to." +} + +variable "kubernetes_ids" { + type = list(any) + default = [] + description = "The ID of the VPC that the kubernetes security group belongs to." +} + +variable "tags" { + type = list(any) + default = [] + description = "An array containing the names of Tags corresponding to groups of Droplets from which the inbound traffic will be accepted." +} + +variable "database_cluster_id" { + type = string + default = null + description = "The ID of the target database cluster." +} + +variable "rules" { + type = any + default = [] + description = "List of objects that represent the configuration of each inbound rule." +} \ No newline at end of file
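Review bot: The descriptions of the new `load_balancer_uids` and `kubernetes_ids` variables in variables.tf repeat the `droplet_ids` text about "the VPC that the ... security group belongs to", which describes neither; in main.tf these lists are used as firewall rule sources and destinations. `description = "Load balancer UIDs used as allowed sources and destinations in the firewall rules."` (and the equivalent for Kubernetes cluster IDs) says what the module does with them. `rules` is typed `any` with a default of `[]`; `type = list(object({ type = string, value = string }))` documents the shape main.tf reads (`rule.value.type`, `rule.value.value`) and rejects bad input at plan time, and a `validation` block could restrict `type` to the values the provider accepts (`ip_addr` is the one the examples use).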