From e80bcb5a8b6bb5fc44ddd18dee433c36f334c58d Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Tue, 23 Mar 2021 22:33:10 +0000
Subject: [PATCH] Move generic vultr firewall stuff into module

Modules are pretty nice!
---
 terraform/casey_vps.tf | 53 ++++-----------------
 terraform/vultr_firewall/group.tf | 3 ++
 terraform/vultr_firewall/outputs.tf | 3 ++
 terraform/vultr_firewall/ping.tf | 15 ++++++++
 terraform/vultr_firewall/rules.tf | 21 +++++++++++
 terraform/vultr_firewall/terraform.tf | 8 ++++
 terraform/vultr_firewall/variables.tf | 2 +
 terraform/walker_vps.tf | 52 ++++----------------------
 8 files changed, 66 insertions(+), 91 deletions(-)
 create mode 100644 terraform/vultr_firewall/group.tf
 create mode 100644 terraform/vultr_firewall/outputs.tf
 create mode 100644 terraform/vultr_firewall/ping.tf
 create mode 100644 terraform/vultr_firewall/rules.tf
 create mode 100644 terraform/vultr_firewall/terraform.tf
 create mode 100644 terraform/vultr_firewall/variables.tf

diff --git a/terraform/casey_vps.tf b/terraform/casey_vps.tf
index a77dd96..701bb36 100644
--- a/terraform/casey_vps.tf
+++ b/terraform/casey_vps.tf
@@ -1,12 +1,15 @@
-locals {
- casey_open_ports = toset([
+module "casey_firewall" {
+ source = "./vultr_firewall/"
+
+ description = "casey"
+ ports = [
 "80/tcp",
 "443/tcp",
 "51820/udp",
 "4242/tcp",
 "8448/tcp",
 "6328/udp"
- ])
+ ]
 }
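Review bot: The `ports` list in the `casey_firewall` module call opens four non-HTTP ports (`51820/udp`, `4242/tcp`, `8448/tcp`, `6328/udp`) to the whole internet with no comment saying what each one serves, so a later reader cannot tell which are still needed or safe to close. Since the module exposes every listed port to any source, each entry is a deliberate exposure and deserves a short trailing comment naming the service it is for, e.g. `"51820/udp", # <service>`, filled in by whoever knows the host. This also makes it obvious in review when a port is added or dropped.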
@@ -14,47 +17,5 @@ resource "vultr_instance" "casey" {
 plan = "" # On a plan unsupported by API
 region = "lhr"
 hostname = "casey"
- firewall_group_id = vultr_firewall_group.casey.id
-}
-
-resource "vultr_firewall_group" "casey" {
- description = "casey"
-}
-
-resource "vultr_firewall_rule" "casey_ping" {
- firewall_group_id = vultr_firewall_group.casey.id
- protocol = "icmp"
- ip_type = "v4"
- subnet = "0.0.0.0"
- subnet_size = 0
-}
-
-resource "vultr_firewall_rule" "casey_pingv6" {
- firewall_group_id = vultr_firewall_group.casey.id
- protocol = "icmp"
- ip_type = "v6"
- subnet = "::"
- subnet_size = 0
-}
-
-resource "vultr_firewall_rule" "casey_v4" {
- for_each = local.casey_open_ports
-
- firewall_group_id = vultr_firewall_group.casey.id
- protocol = split("/", each.value)[1]
- port = split("/", each.value)[0]
- ip_type = "v4"
- subnet = "0.0.0.0"
- subnet_size = 0
-}
-
-resource "vultr_firewall_rule" "casey_v6" {
- for_each = local.casey_open_ports
-
- firewall_group_id = vultr_firewall_group.casey.id
- protocol = split("/", each.value)[1]
- port = split("/", each.value)[0]
- ip_type = "v6"
- subnet = "::"
- subnet_size = 0
+ firewall_group_id = module.casey_firewall.firewall_group.id
 }
diff --git a/terraform/vultr_firewall/group.tf b/terraform/vultr_firewall/group.tf
new file mode 100644
index 0000000..72800fb
--- /dev/null
+++ b/terraform/vultr_firewall/group.tf
@@ -0,0 +1,3 @@
+resource "vultr_firewall_group" "group" {
+ description = var.description
+}
diff --git a/terraform/vultr_firewall/outputs.tf b/terraform/vultr_firewall/outputs.tf
new file mode 100644
index 0000000..019116e
--- /dev/null
+++ b/terraform/vultr_firewall/outputs.tf
@@ -0,0 +1,3 @@
+output "firewall_group" {
+ value = vultr_firewall_group.group
+}
diff --git a/terraform/vultr_firewall/ping.tf b/terraform/vultr_firewall/ping.tf
new file mode 100644
index 0000000..efcb033
--- /dev/null
+++ b/terraform/vultr_firewall/ping.tf
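Review bot: Pointing `firewall_group_id` at `module.casey_firewall.firewall_group.id` while deleting the root-level `vultr_firewall_group.casey` and `vultr_firewall_rule.casey_*` changes every resource's state address, so the next apply will plan to destroy the existing group and rules and create new ones under `module.casey_firewall`, with the instance re-attached in between; depending on how the provider orders that, the host is likely to spend part of the apply with an empty or missing firewall group, and the plan may fail if the old group cannot be deleted while still attached. Migrate the state before applying, e.g. `terraform state mv vultr_firewall_group.casey module.casey_firewall.vultr_firewall_group.group`, and likewise `vultr_firewall_rule.casey_ping` / `casey_pingv6` and each `casey_v4["…"]` / `casey_v6["…"]` key to `module.casey_firewall.vultr_firewall_rule.*`. The commit message should record that this migration is required, since nothing in the diff itself hints at it.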
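Review bot: `output "firewall_group"` in outputs.tf exports the entire `vultr_firewall_group.group` resource object although both callers only read `.id`, which ties module consumers to the provider's attribute schema and turns any provider upgrade into a potential change of the module's interface. Export only what callers need, `output "firewall_group_id" { value = vultr_firewall_group.group.id }` with a one-line `description`, and reference `module.casey_firewall.firewall_group_id` from the instance resources.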
@@ -0,0 +1,15 @@
+resource "vultr_firewall_rule" "ping" {
+ firewall_group_id = vultr_firewall_group.group.id
+ protocol = "icmp"
+ ip_type = "v4"
+ subnet = "0.0.0.0"
+ subnet_size = 0
+}
+
+resource "vultr_firewall_rule" "pingv6" {
+ firewall_group_id = vultr_firewall_group.group.id
+ protocol = "icmp"
+ ip_type = "v6"
+ subnet = "::"
+ subnet_size = 0
+}
diff --git a/terraform/vultr_firewall/rules.tf b/terraform/vultr_firewall/rules.tf
new file mode 100644
index 0000000..f6363e1
--- /dev/null
+++ b/terraform/vultr_firewall/rules.tf
@@ -0,0 +1,21 @@
+resource "vultr_firewall_rule" "v4" {
+ for_each = toset(var.ports)
+
+ firewall_group_id = vultr_firewall_group.group.id
+ protocol = split("/", each.value)[1]
+ port = split("/", each.value)[0]
+ ip_type = "v4"
+ subnet = "0.0.0.0"
+ subnet_size = 0
+}
+
+resource "vultr_firewall_rule" "v6" {
+ for_each = toset(var.ports)
+
+ firewall_group_id = vultr_firewall_group.group.id
+ protocol = split("/", each.value)[1]
+ port = split("/", each.value)[0]
+ ip_type = "v6"
+ subnet = "::"
+ subnet_size = 0
+}
diff --git a/terraform/vultr_firewall/terraform.tf b/terraform/vultr_firewall/terraform.tf
new file mode 100644
index 0000000..406feae
--- /dev/null
+++ b/terraform/vultr_firewall/terraform.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ vultr = {
+ source = "vultr/vultr"
+ version = "2.1.4"
+ }
+ }
+}
diff --git a/terraform/vultr_firewall/variables.tf b/terraform/vultr_firewall/variables.tf
new file mode 100644
index 0000000..d10f9c9
--- /dev/null
+++ b/terraform/vultr_firewall/variables.tf
@@ -0,0 +1,2 @@
+variable "ports" {}
+variable "description" {}
diff --git a/terraform/walker_vps.tf b/terraform/walker_vps.tf
index 89e770c..9fa1307 100644
--- a/terraform/walker_vps.tf
+++ b/terraform/walker_vps.tf
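Review bot: The `v4` and `v6` rules in rules.tf hard-code the source as `subnet = "0.0.0.0"` / `"::"` with `subnet_size = 0`, so every entry a caller puts in `ports` is opened to the entire internet and the module offers no way to narrow it; that matches what the root configs did before, but now that it is a reusable module the any-source default is silent, and casey already feeds it several non-web ports. Consider a `source_cidrs` style variable (or a per-entry source) that defaults to the current any-address values so existing callers are unaffected, and add a header comment to rules.tf stating that rules are allow-from-anywhere unless overridden. The same applies to the two unconditional ICMP rules in ping.tf, which cannot be disabled by a caller.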
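Review bot: `version = "2.1.4"` in the module's terraform.tf pins the provider to one exact release; Terraform intersects a child module's constraint with the root's, so if the root configuration (not visible here) pins or later moves to any other version, `terraform init` fails, and every provider bump has to be made in two places. Modules conventionally declare a compatible-range constraint such as `version = "~> 2.1"` and leave the exact, hash-checked version to the root module's `.terraform.lock.hcl`, which already gives the reproducibility an exact pin is usually after.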
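Review bot: Both declarations in variables.tf are bare `variable "ports" {}` / `variable "description" {}` with no `type`, `description` or validation, so a malformed entry such as `"80"` or `"80-tcp"` only surfaces as an index error from `split("/", each.value)[1]` in rules.tf, and nothing in the module records that entries must be `port/proto` strings opened to any source. Declaring `ports` as `set(string)` with a `validation` block and `description` as `string` gives callers a clear error and documents the contract where it belongs; callers passing a list (casey) or a set (walker) both convert to `set(string)` unchanged. `alltrue` needs Terraform 0.14 or later, which the March 2021 date makes likely but I cannot confirm from the diff.
```hcl
variable "description" {
  description = "Description set on the Vultr firewall group."
  type        = string
}

variable "ports" {
  description = "Rules to open to any source, as \"port/proto\" strings, e.g. \"443/tcp\"."
  type        = set(string)

  validation {
    condition     = alltrue([for p in var.ports : can(regex("^[0-9]+/(tcp|udp)$", p))])
    error_message = "Each entry in ports must look like \"<port>/tcp\" or \"<port>/udp\"."
  }
}
```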
@@ -1,55 +1,17 @@
-locals {
- walker_open_ports = toset([
+module "walker_firewall" {
+ source = "./vultr_firewall/"
+
+ description = "walker"
+ ports = toset([
 "80/tcp",
 "443/tcp",
 ])
 }
+
 resource "vultr_instance" "walker" {
 plan = "vhf-1c-1gb"
 region = "lhr"
 hostname = "walker"
- firewall_group_id = vultr_firewall_group.walker.id
-}
-
-resource "vultr_firewall_group" "walker" {
- description = "walker"
-}
-
-resource "vultr_firewall_rule" "walker_ping" {
- firewall_group_id = vultr_firewall_group.walker.id
- protocol = "icmp"
- ip_type = "v4"
- subnet = "0.0.0.0"
- subnet_size = 0
-}
-
-resource "vultr_firewall_rule" "walker_pingv6" {
- firewall_group_id = vultr_firewall_group.walker.id
- protocol = "icmp"
- ip_type = "v6"
- subnet = "::"
- subnet_size = 0
-}
-
-resource "vultr_firewall_rule" "walker_v4" {
- for_each = local.walker_open_ports
-
- firewall_group_id = vultr_firewall_group.walker.id
- protocol = split("/", each.value)[1]
- port = split("/", each.value)[0]
- ip_type = "v4"
- subnet = "0.0.0.0"
- subnet_size = 0
-}
-
-resource "vultr_firewall_rule" "walker_v6" {
- for_each = local.walker_open_ports
-
- firewall_group_id = vultr_firewall_group.walker.id
- protocol = split("/", each.value)[1]
- port = split("/", each.value)[0]
- ip_type = "v6"
- subnet = "::"
- subnet_size = 0
+ firewall_group_id = module.walker_firewall.firewall_group.id
 }
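Review bot: `ports = toset([ "80/tcp", "443/tcp", ])` in the walker module call wraps the list in `toset`, while the casey call passes a plain list and the module already applies `toset(var.ports)` in rules.tf, so the conversion here is redundant and the two call sites now differ for no reason. Pass `ports = ["80/tcp", "443/tcp"]` as casey does. As with casey, replacing the root-level `vultr_firewall_group.walker` and `vultr_firewall_rule.walker_*` with `module.walker_firewall.*` changes the state addresses, so these resources will be planned as destroy-and-recreate, briefly detaching the instance's firewall, unless they are moved with `terraform state mv` before the apply.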