This commit introduces the foundational Infrastructure-as-Code for provisioning a test environment on Hetzner Cloud. It defines server nodes, private networking, comprehensive firewalls, and includes documentation on resource lifecycle and safe configuration practices.
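# Swarm node firewall — public HTTP/HTTPS + private infra services
#
# Scope of this firewall (per Hetzner's Cloud Firewall FAQ — confirm against
# current docs): rules are evaluated on the server's PUBLIC interface only.
# Traffic that arrives over the hcloud private network is not filtered here.
# Consequences for the rules below:
#   * Anything not listed is dropped from the Internet (default deny for `in`).
#   * The "app subnet only" rules keep those ports closed to the Internet; they
#     do NOT restrict which hosts inside the private network can reach Redis,
#     Vault, RabbitMQ or the Swarm control plane. That requires a host firewall
#     (nftables/ufw) and/or binding those services to the private address only.
#   * No `out` rules are defined, so egress is unrestricted.
# Docker publishes ports by editing iptables directly and bypasses host-level
# ufw rules, so this cloud firewall is the control that keeps accidentally
# published container ports off the Internet — keep it attached to every node.
resource "hcloud_firewall" "swarm" {
  name = "${local.name_prefix}-firewall-swarm"

  # Fail the plan if the admin allowlist would expose SSH and the admin UIs
  # (RabbitMQ management, APISIX admin, Prometheus, Grafana) to everyone, or is
  # empty (an empty source_ips list is rejected by the API anyway).
  # `precondition` requires Terraform >= 1.2; on older versions move this to a
  # `validation` block on var.admin_allowed_cidrs instead.
  lifecycle {
    precondition {
      condition = (
        length(var.admin_allowed_cidrs) > 0
        && !contains(var.admin_allowed_cidrs, "0.0.0.0/0")
        && !contains(var.admin_allowed_cidrs, "::/0")
      )
      error_message = "Variable admin_allowed_cidrs must be non-empty and must not contain 0.0.0.0/0 or ::/0."
    }
  }

  # Public ingress — the only ports reachable from the Internet (IPv4 + IPv6).
  dynamic "rule" {
    for_each = toset(["80", "443"])
    content {
      direction  = "in"
      protocol   = "tcp"
      port       = rule.value
      source_ips = ["0.0.0.0/0", "::/0"]
    }
  }

  # Admin-only TCP ports — reachable from var.admin_allowed_cidrs only.
  dynamic "rule" {
    for_each = {
      ssh                 = "22"    # SSH
      rabbitmq_management = "15672" # RabbitMQ Management UI
      apisix_admin        = "9180"  # APISIX Admin API
      prometheus          = "9090"  # Prometheus
      grafana             = "3000"  # Grafana
    }
    content {
      direction  = "in"
      protocol   = "tcp"
      port       = rule.value
      source_ips = var.admin_allowed_cidrs
    }
  }

  # Private-subnet TCP ports — never public (see header note on what this does
  # and does not enforce).
  dynamic "rule" {
    for_each = {
      swarm_control_plane = "2377"  # Docker Swarm manager/control plane
      swarm_discovery_tcp = "7946"  # Docker Swarm node discovery (TCP)
      vault_api           = "8200"  # Vault API
      redis               = "6379"  # Redis
      rabbitmq_amqp       = "5672"  # RabbitMQ AMQP
      rabbitmq_stomp      = "61613" # RabbitMQ STOMP
      rabbitmq_web_stomp  = "15674" # RabbitMQ Web STOMP
    }
    content {
      direction  = "in"
      protocol   = "tcp"
      port       = rule.value
      source_ips = [local.app_subnet_cidr]
    }
  }

  # Private-subnet UDP ports — Swarm discovery and the VXLAN overlay data plane.
  dynamic "rule" {
    for_each = {
      swarm_discovery_udp = "7946" # Docker Swarm node discovery (UDP)
      swarm_vxlan_overlay = "4789" # Docker Swarm VXLAN overlay
    }
    content {
      direction  = "in"
      protocol   = "udp"
      port       = rule.value
      source_ips = [local.app_subnet_cidr]
    }
  }

  # Labels are used for grouping/selection in the Hetzner console and API.
  labels = {
    environment = var.environment
    role        = "swarm"
  }
}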
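# DB node firewall — SSH + DB ports from app/swarm subnet only
#
# Hetzner Cloud firewalls filter the PUBLIC interface only (per Hetzner's
# firewall FAQ — confirm against current docs). The two database rules below
# therefore keep 5432/27017 closed to the Internet; they do not limit which
# private-network hosts may connect. Restrict that with pg_hba.conf / MongoDB
# bindIp, listen only on the private address, and/or a host firewall.
# No `out` rules are defined, so egress is unrestricted.
resource "hcloud_firewall" "db" {
  name = "${local.name_prefix}-firewall-db"

  # Fail the plan if the SSH allowlist would expose port 22 to everyone, or is
  # empty (an empty source_ips list is rejected by the API anyway).
  # `precondition` requires Terraform >= 1.2; on older versions move this to a
  # `validation` block on var.admin_allowed_cidrs instead.
  lifecycle {
    precondition {
      condition = (
        length(var.admin_allowed_cidrs) > 0
        && !contains(var.admin_allowed_cidrs, "0.0.0.0/0")
        && !contains(var.admin_allowed_cidrs, "::/0")
      )
      error_message = "Variable admin_allowed_cidrs must be non-empty and must not contain 0.0.0.0/0 or ::/0."
    }
  }

  # SSH — admin CIDRs only
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "22"
    source_ips = var.admin_allowed_cidrs
  }

  # Database ports — closed to the Internet, allowed from the app/swarm subnet.
  dynamic "rule" {
    for_each = {
      postgresql = "5432"  # PostgreSQL
      mongodb    = "27017" # MongoDB
    }
    content {
      direction  = "in"
      protocol   = "tcp"
      port       = rule.value
      source_ips = [local.app_subnet_cidr]
    }
  }

  # Labels are used for grouping/selection in the Hetzner console and API.
  labels = {
    environment = var.environment
    role        = "db"
  }
}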