# Provider pin: `~> 2.20.0` accepts 2.20.x patch releases only (>= 2.20.0, < 2.21.0).
# Commit the generated .terraform.lock.hcl next to this file so the exact provider
# build and its checksum are what every `terraform init` installs.
terraform {
  required_providers {
    digitalocean = {
      source  = "digitalocean/digitalocean"
      version = "~> 2.20.0"
    }
  }
}
# This is provided by the docker-compose.yaml environment that the terraform plugin runs in.
#
# `sensitive = true` only redacts the value from plan/apply output; it is still written
# in clear to the state file, so the state backend needs the same access controls as
# the token itself. `nullable = false` requires Terraform 1.1 or newer.
variable "do_token" {
  type      = string
  sensitive = true
  nullable  = false
  # NOTE(review): the `?i=` query parameter on this URL looks account-specific — confirm
  # it is something you are happy to publish with the file.
  description = "The token retrieved from DigitalOcean to be used to interact with their API. Retrieve from here: https://cloud.digitalocean.com/account/api/tokens?i=aa3c54"
}
# Authenticate every DigitalOcean API call with the injected token; no other
# provider settings are overridden.
provider "digitalocean" {
  token = var.do_token
}
# The "Bluewing" project that is used to contain bluewing-general resources.
# Looked up by display name; the project must already exist in the account.
data "digitalocean_project" "bluewing-project" {
  name = "Bluewing"
}
# Existing `bluewing` tag, applied to the droplet below so it can be grouped
# with the other bluewing resources. The tag is read, not created, here.
data "digitalocean_tag" "bluewing-tag" {
  name = "bluewing"
}
# The `bluewing-vpn` droplet that contains our instance of OpenVPN to connect to bluewing resources.
# Looked up by name so the SSH firewall rule can be scoped to this specific droplet.
data "digitalocean_droplet" "bluewing-vpn" {
  name = "bluewing-vpn"
}
# Retrieves the VPC that the `bluewing` droplet will be assigned to.
# With only `region` given, the provider returns that region's default VPC.
data "digitalocean_vpc" "default-sfo3" {
  region = "sfo3"
}
# Retrieves the SSH key that the `bluewing` droplet will be associated with.
# `name` is the key's display name in the DigitalOcean account, not a key file.
data "digitalocean_ssh_key" "luke-ssh-key" {
  name = "lukedavia@icloud.com"
}
# The `bluewing` droplet itself: a single small Ubuntu 22.04 host in sfo3.
resource "digitalocean_droplet" "bluewing" {
  name   = "bluewing"
  region = "sfo3"
  image  = "ubuntu-22-04-x64"
  size   = "s-1vcpu-1gb"

  # Network placement: the sfo3 default VPC, plus a public IPv6 address.
  vpc_uuid = data.digitalocean_vpc.default-sfo3.id
  ipv6     = true

  # Login is by the key looked up above; first-boot provisioning comes from
  # provision.sh via user data. User data is readable through the droplet's
  # metadata service by any process on the host, so keep secrets out of it.
  ssh_keys  = [data.digitalocean_ssh_key.luke-ssh-key.fingerprint]
  user_data = file("provision.sh")

  # Operational settings: monitoring agent on, no automated backups, and the
  # disk is not grown when the plan size changes.
  monitoring  = true
  backups     = false
  resize_disk = false

  tags = [data.digitalocean_tag.bluewing-tag.name]
}
# Attach bluewing droplet to the bluewing project.
# Membership is expressed by URN; only the droplet is placed in the project here.
resource "digitalocean_project_resources" "bluewing-bluewing" {
  project   = data.digitalocean_project.bluewing-project.id
  resources = [digitalocean_droplet.bluewing.urn]
}
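# Define a firewall that prevents SSH access to resources unless the originating IP
# is the `bluewing-vpn` droplet. Allow in all other HTTP/HTTPS traffic, and allow
# TCP, DNS (UDP/53) and ICMP outbound. The `bluewing` droplet is then attached to this rule.
#
# DigitalOcean cloud firewalls are default-deny in both directions: anything not
# listed below is dropped.
resource "digitalocean_firewall" "VpnRequiredForSshTraffic" {
  name        = "VpnRequiredForSshTraffic"
  droplet_ids = [digitalocean_droplet.bluewing.id]

  # Ping from anywhere (v4 and v6).
  inbound_rule {
    protocol         = "icmp"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  # SSH only from the VPN droplet, identified by the ID resolved by the
  # `bluewing-vpn` data source rather than by a tag: a tag-based rule admits every
  # droplet that carries the tag, and no `bluewing-vpn` tag is declared or looked up
  # anywhere in this configuration.
  inbound_rule {
    protocol           = "tcp"
    port_range         = "22"
    source_droplet_ids = [data.digitalocean_droplet.bluewing-vpn.id]
  }

  # Public web traffic.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "80"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }
  inbound_rule {
    protocol         = "tcp"
    port_range       = "443"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "icmp"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
  outbound_rule {
    protocol              = "tcp"
    port_range            = "1-65535"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
  # Outbound DNS. The previous rule set allowed only TCP and ICMP out, which leaves a
  # stub resolver (and therefore anything in provision.sh that fetches packages) unable
  # to resolve names. Add a similar rule for "123" if NTP time sync is required.
  outbound_rule {
    protocol              = "udp"
    port_range            = "53"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
}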