Terraform module for DigitalOcean providing a basic firewall rules set
thojkooi/terraform-digitalocean-firewall-rules
Terraform - DigitalOcean basic firewall rule set

Terraform module that configures a basic default set of firewall rules on DigitalOcean, based on personal preferences. It creates outbound rules for HTTP, HTTPS, DNS, NTP and SSH traffic, and an inbound rule for SSH, with various configuration options to narrow each rule.

Requirements

  • Terraform >= v0.11.7
  • DigitalOcean account and an API token with write access

Usage

Basic usage example:

provider "digitalocean" {
}

resource "digitalocean_tag" "environment" {
    name = "development"
}

module "default-firewall" {
    source  = "thojkooi/firewall-rules/digitalocean"
    version = "1.0.0"

    prefix  = "dev"
    tags    = ["${digitalocean_tag.environment.id}"]
}

Disable ssh outbound connections:

provider "digitalocean" {
}

resource "digitalocean_tag" "environment" {
    name = "development"
}

module "default-firewall" {
    source  = "thojkooi/firewall-rules/digitalocean"
    version = "1.0.0"

    prefix                         = "dev"
    tags                           = ["${digitalocean_tag.environment.id}"]
    allowed_outbound_ssh_addresses = []
}

Firewall rules

The following rules will be created:

  • HTTP outbound (destination port 80)
  • HTTPS outbound (destination port 443)
  • DNS outbound (destination ports 53/tcp and 53/udp)
  • NTP outbound (destination port 123/udp)
  • SSH outbound (destination port 22)
  • SSH inbound (port 22)

By default each rule allows all addresses, i.e. ["0.0.0.0/0", "::/0"]. You can lock this down further by overriding the variables available for each rule set (for example, `allowed_outbound_ssh_addresses` above), so that a rule only covers the networks that actually need it.
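To make the "lock this down" step concrete, the following is an added example and not the module's own code. It restricts outbound SSH through the module variable shown above, and, because the page does not name the module variable for the inbound SSH sources, it writes the equivalent rule set directly as a `digitalocean_firewall` resource so the shape the module abstracts is visible. The `admin_cidrs` variable, the resource names and the CIDR values are constructed for the example; the `digitalocean_firewall` attributes (`inbound_rule`, `outbound_rule`, `protocol`, `port_range`, `source_addresses`, `destination_addresses`, `tags`) are the provider's. Syntax follows the Terraform 0.11 style used in the README.

```hcl
# Constructed example: networks that may reach SSH on the tagged droplets.
variable "admin_cidrs" {
  type    = "list"
  default = ["203.0.113.0/24"] # TEST-NET-3 documentation range, placeholder only
}

provider "digitalocean" {
}

resource "digitalocean_tag" "environment" {
  name = "development"
}

# Module usage with outbound SSH narrowed to the same admin networks
# instead of the 0.0.0.0/0 and ::/0 default.
module "default-firewall" {
  source  = "thojkooi/firewall-rules/digitalocean"
  version = "1.0.0"

  prefix                         = "dev"
  tags                           = ["${digitalocean_tag.environment.id}"]
  allowed_outbound_ssh_addresses = ["${var.admin_cidrs}"]
}

# Hand-written equivalent of the README's rule list, for comparison.
# Inbound SSH is limited to admin_cidrs; the outbound service rules keep
# the wide-open default because their destinations are public services.
resource "digitalocean_firewall" "dev_basic_rules_example" {
  name = "dev-basic-rules-example"
  tags = ["${digitalocean_tag.environment.id}"]

  # SSH inbound (port 22), restricted source networks
  inbound_rule {
    protocol         = "tcp"
    port_range       = "22"
    source_addresses = ["${var.admin_cidrs}"]
  }

  # HTTP outbound (destination port 80)
  outbound_rule {
    protocol              = "tcp"
    port_range            = "80"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  # HTTPS outbound (destination port 443)
  outbound_rule {
    protocol              = "tcp"
    port_range            = "443"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  # DNS outbound (destination ports 53/tcp and 53/udp)
  outbound_rule {
    protocol              = "tcp"
    port_range            = "53"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "udp"
    port_range            = "53"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  # NTP outbound (destination port 123/udp)
  outbound_rule {
    protocol              = "udp"
    port_range            = "123"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  # SSH outbound (destination port 22), restricted like the module call above
  outbound_rule {
    protocol              = "tcp"
    port_range            = "22"
    destination_addresses = ["${var.admin_cidrs}"]
  }
}
```

Running `terraform plan` against this shows the two sets side by side; in practice you would apply only one of them, since both attach to the same tag and DigitalOcean merges firewall rules additively, so a permissive rule in one firewall is not cancelled by a tighter rule in another.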