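locals {
  # Every YAML file (at any depth) under each configured directory. The glob
  # is restricted to *.yml / *.yaml so stray files (READMEs, editor backups,
  # lockfiles) are never parsed as rule definitions.
  firewall_file_full_paths = flatten([
    for dir in var.firewall_yaml_dirs : [
      for rel_path in fileset(dir, "**/*.{yml,yaml}") :
      format("%s/%s", dir, rel_path)
    ]
  ])

  # Decoded contents of each file. A file that is not valid YAML is a hard
  # error here: the previous try(..., {}) fallback silently dropped every
  # rule in a malformed file, which is the wrong failure mode for a firewall.
  decoded_firewall_yaml_files = flatten([
    for full_path in local.firewall_file_full_paths :
    yamldecode(file(full_path))
  ])

  # The "firewalls" map of each file: { group_name = [rule, ...] }.
  # An empty file decodes to null and is skipped; a file without a
  # "firewalls" key contributes an empty map.
  extracted_firewalls = flatten([
    for fw_doc in local.decoded_firewall_yaml_files :
    lookup(fw_doc, "firewalls", {}) if fw_doc != null
  ])

  # One entry per rule across all files, tagged with the group it belongs to.
  # The key is sha256 over notes+group+network+protocol and is kept byte-for-
  # byte identical to the original formula: it is the for_each key of every
  # vultr_firewall_rule, so changing it would re-key (destroy/recreate) all
  # rules. NOTE(review): "port" is not part of the key and the fields are
  # concatenated without a separator, so two rules that differ only by port
  # (or whose fields overlap ambiguously) collide and Terraform reports a
  # duplicate object key at plan time rather than silently merging them.
  firewall_rules = {
    for rule in flatten([
      for fw_map in local.extracted_firewalls : [
        for group_name, group_rules in fw_map : [
          for entry in group_rules :
          merge(entry, { "firewall_group" = group_name })
        ]
      ]
    ]) : sha256(format("%s%s%s%s", rule.notes, rule.firewall_group, rule.network, rule.protocol)) => rule
  }

  # Distinct group names as a map whose key equals its value, because the
  # resources need a map (not a list) for for_each. toset() de-duplicates,
  # so one group may have rules spread across several files; previously a
  # group named in two files failed with a duplicate object key.
  firewall_groups = {
    for group_name in toset(flatten([
      for fw_map in local.extracted_firewalls : keys(fw_map)
    ])) : group_name => group_name
  }
}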
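resource "vultr_firewall_group" "firewall_group" {
  # One group per distinct name found in the YAML files. No try() fallback:
  # if local.firewall_groups cannot be evaluated the plan should fail rather
  # than silently manage zero groups (which would also orphan every rule).
  for_each = local.firewall_groups

  description = each.value
}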
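resource "vultr_firewall_rule" "firewall_rule" {
  # Keyed by the sha256 computed in locals. A for-expression map is never
  # null, so the previous `!= null ? ... : {}` guard was dead code.
  for_each = local.firewall_rules

  firewall_group_id = vultr_firewall_group.firewall_group[each.value.firewall_group].id
  protocol          = each.value.protocol

  # IPv6 literals always contain ":" and IPv4 literals never do, so the
  # address family can be derived instead of hard-coding "v4" for every rule.
  ip_type = can(regex(":", each.value.network)) ? "v6" : "v4"

  # "network" must be CIDR notation ("a.b.c.d/nn"). Index access fails the
  # plan when the "/" is missing; element() would wrap around and silently
  # reuse the address itself as the prefix length.
  subnet      = split("/", each.value.network)[0]
  subnet_size = split("/", each.value.network)[1]

  # NOTE(review): a non-ICMP rule with no "port" key defaults to the full
  # 1:65535 range, so a misspelled key (e.g. "ports") opens every port on that
  # network. Consider making "port" mandatory in the YAML schema.
  port  = each.value.protocol != "icmp" ? lookup(each.value, "port", "1:65535") : ""
  notes = each.value.notes
}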