Move generic vultr firewall stuff into module

Modules are pretty nice!

terraform/casey_vps.tf

@@ -1,12 +1,15 @@
-locals {
+module "casey_firewall" {
-  casey_open_ports = toset([
+  source = "./vultr_firewall/"
+
+  description = "casey"
+  ports = [
     "80/tcp",
     "443/tcp",
     "51820/udp",
     "4242/tcp",
     "8448/tcp",
     "6328/udp"
-  ])
+  ]
 }
 
 
@@ -14,47 +17,5 @@ resource "vultr_instance" "casey" {
   plan              = "" # On a plan unsupported by API
   region            = "lhr"
   hostname          = "casey"
-  firewall_group_id = vultr_firewall_group.casey.id
+  firewall_group_id = module.casey_firewall.firewall_group.id
-}
-
-resource "vultr_firewall_group" "casey" {
-  description = "casey"
-}
-
-resource "vultr_firewall_rule" "casey_ping" {
-  firewall_group_id = vultr_firewall_group.casey.id
-  protocol          = "icmp"
-  ip_type           = "v4"
-  subnet            = "0.0.0.0"
-  subnet_size       = 0
-}
-
-resource "vultr_firewall_rule" "casey_pingv6" {
-  firewall_group_id = vultr_firewall_group.casey.id
-  protocol          = "icmp"
-  ip_type           = "v6"
-  subnet            = "::"
-  subnet_size       = 0
-}
-
-resource "vultr_firewall_rule" "casey_v4" {
-  for_each = local.casey_open_ports
-
-  firewall_group_id = vultr_firewall_group.casey.id
-  protocol          = split("/", each.value)[1]
-  port              = split("/", each.value)[0]
-  ip_type           = "v4"
-  subnet            = "0.0.0.0"
-  subnet_size       = 0
-}
-
-resource "vultr_firewall_rule" "casey_v6" {
-  for_each = local.casey_open_ports
-
-  firewall_group_id = vultr_firewall_group.casey.id
-  protocol          = split("/", each.value)[1]
-  port              = split("/", each.value)[0]
-  ip_type           = "v6"
-  subnet            = "::"
-  subnet_size       = 0
 }

terraform/vultr_firewall/group.tf

@@ -0,0 +1,3 @@
+resource "vultr_firewall_group" "group" {
+  description = var.description
+}

terraform/vultr_firewall/outputs.tf

@@ -0,0 +1,3 @@
+output "firewall_group" {
+  value = vultr_firewall_group.group
+}

terraform/vultr_firewall/ping.tf

@@ -0,0 +1,15 @@
+resource "vultr_firewall_rule" "ping" {
+  firewall_group_id = vultr_firewall_group.group.id
+  protocol          = "icmp"
+  ip_type           = "v4"
+  subnet            = "0.0.0.0"
+  subnet_size       = 0
+}
+
+resource "vultr_firewall_rule" "pingv6" {
+  firewall_group_id = vultr_firewall_group.group.id
+  protocol          = "icmp"
+  ip_type           = "v6"
+  subnet            = "::"
+  subnet_size       = 0
+}

terraform/vultr_firewall/rules.tf

@@ -0,0 +1,21 @@
+resource "vultr_firewall_rule" "v4" {
+  for_each = toset(var.ports)
+
+  firewall_group_id = vultr_firewall_group.group.id
+  protocol          = split("/", each.value)[1]
+  port              = split("/", each.value)[0]
+  ip_type           = "v4"
+  subnet            = "0.0.0.0"
+  subnet_size       = 0
+}
+
+resource "vultr_firewall_rule" "v6" {
+  for_each = toset(var.ports)
+
+  firewall_group_id = vultr_firewall_group.group.id
+  protocol          = split("/", each.value)[1]
+  port              = split("/", each.value)[0]
+  ip_type           = "v6"
+  subnet            = "::"
+  subnet_size       = 0
+}

terraform/vultr_firewall/terraform.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    vultr = {
+      source  = "vultr/vultr"
+      version = "2.1.4"
+    }
+  }
+}

terraform/vultr_firewall/variables.tf

@@ -0,0 +1,2 @@
+variable "ports" {}
+variable "description" {}

terraform/walker_vps.tf

@@ -1,55 +1,17 @@
-locals {
+module "walker_firewall" {
-  walker_open_ports = toset([
+  source = "./vultr_firewall/"
+
+  description = "walker"
+  ports = toset([
     "80/tcp",
     "443/tcp",
   ])
 }
 
+
 resource "vultr_instance" "walker" {
   plan              = "vhf-1c-1gb"
   region            = "lhr"
   hostname          = "walker"
-  firewall_group_id = vultr_firewall_group.walker.id
+  firewall_group_id = module.walker_firewall.firewall_group.id
-}
-
-resource "vultr_firewall_group" "walker" {
-  description = "walker"
-}
-
-resource "vultr_firewall_rule" "walker_ping" {
-  firewall_group_id = vultr_firewall_group.walker.id
-  protocol          = "icmp"
-  ip_type           = "v4"
-  subnet            = "0.0.0.0"
-  subnet_size       = 0
-}
-
-resource "vultr_firewall_rule" "walker_pingv6" {
-  firewall_group_id = vultr_firewall_group.walker.id
-  protocol          = "icmp"
-  ip_type           = "v6"
-  subnet            = "::"
-  subnet_size       = 0
-}
-
-resource "vultr_firewall_rule" "walker_v4" {
-  for_each = local.walker_open_ports
-
-  firewall_group_id = vultr_firewall_group.walker.id
-  protocol          = split("/", each.value)[1]
-  port              = split("/", each.value)[0]
-  ip_type           = "v4"
-  subnet            = "0.0.0.0"
-  subnet_size       = 0
-}
-
-resource "vultr_firewall_rule" "walker_v6" {
-  for_each = local.walker_open_ports
-
-  firewall_group_id = vultr_firewall_group.walker.id
-  protocol          = split("/", each.value)[1]
-  port              = split("/", each.value)[0]
-  ip_type           = "v6"
-  subnet            = "::"
-  subnet_size       = 0
 }