diff --git a/config b/config
index d07bf63..bbb8123 160000
--- a/config
+++ b/config
@@ -1 +1 @@
-Subproject commit d07bf63dad2132cb3d6f16641ed7f917a2b29282
+Subproject commit bbb8123ffb9781d818da1bff92d92dd8a0bbe009
diff --git a/config.go b/config.go
index badaffd..4899abd 100644
--- a/config.go
+++ b/config.go
@@ -32,15 +32,21 @@ type domainRecord struct {
 }
 
 type firewallConfig struct {
- Label string `json:"label"`
+ Label string `json:"label"`
+ Inbound firewallRuleSet `json:"inbound"`
+}
+
+type firewallRuleSet struct {
 Allow []firewallRule `json:"allow"`
 Deny []firewallRule `json:"deny"`
 }
 
 type firewallRule struct {
- Label string `json:"label"`
- Protocol string `json:"protocol"`
- Ports string `json:"ports"`
+ Label string `json:"label"`
+ Protocol string `json:"protocol"`
+ Ports string `json:"ports"`
+ SourceIpv4s []string `json:"sourceIpv4s"`
+ SourceIpv6s []string `json:"sourceIpv6s"`
 }
 
 type instanceConfig struct {
diff --git a/infra.go.bck b/infra.go.bck
index 2cfe464..993c616 100644
--- a/infra.go.bck
+++ b/infra.go.bck
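Review bot: The new `firewallRuleSet` type and the `SourceIpv4s`/`SourceIpv6s` fields on `firewallRule` carry no doc comments, and nothing in the hunk states what format the source lists take or that they are the only thing narrowing who can reach a port the rule opens. The removed infra.go.bck example fed `0.0.0.0/0` and `::/0` to the same Linode `Ipv4s`/`Ipv6s` inputs, so presumably these are CIDR ranges. I would add `// firewallRuleSet holds the inbound rules grouped by the action applied to matching traffic.` above the type and `// SourceIpv4s and SourceIpv6s list the source ranges (presumably CIDR notation) the rule applies to; an entry such as 0.0.0.0/0 opens the port to everyone.` above the two fields, matching the bare-struct style of the rest of config.go.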
@@ -72,70 +72,3 @@ import (
 //
 // return nil
 //}
-
-//func firewall(ctx *pulumi.Context, instanceID pulumi.IntOutput) error {
-// allowHttp := linode.FirewallInboundArgs{
-// Label: pulumi.String("accept-inbound-tcp-80"),
-// Action: pulumi.String("ACCEPT"),
-// Protocol: pulumi.String("TCP"),
-// Ports: pulumi.String("80"),
-// Ipv4s: pulumi.StringArray{
-// pulumi.String("0.0.0.0/0"),
-// },
-// Ipv6s: pulumi.StringArray{
-// pulumi.String("::/0"),
-// },
-// }
-//
-// allowHttps := linode.FirewallInboundArgs{
-// Label: pulumi.String("accept-inbound-tcp-443"),
-// Action: pulumi.String("ACCEPT"),
-// Protocol: pulumi.String("TCP"),
-// Ports: pulumi.String("443"),
-// Ipv4s: pulumi.StringArray{
-// pulumi.String("0.0.0.0/0"),
-// },
-// Ipv6s: pulumi.StringArray{
-// pulumi.String("::/0"),
-// },
-// }
-//
-// tags := []string{"flow"}
-//
-// label := "fireflow"
-//
-// firewallArgs := linode.FirewallArgs{
-// Label: pulumi.String(label),
-// Tags: pulumi.ToStringArray(tags),
-// InboundPolicy: pulumi.String("DROP"),
-// Inbounds: linode.FirewallInboundArray{
-// &allowHttp,
-// &allowHttps,
-// },
-// OutboundPolicy: pulumi.String("ACCEPT"),
-// Linodes: pulumi.IntArray{
-// instanceID,
-// },
-// }
-//
-// _, err := linode.NewFirewall(ctx, label, &firewallArgs)
-// if err != nil {
-// return fmt.Errorf("unable to update the firewall; %w", err)
-// }
-//
-// return nil
-//}
-
-//func main() {
-// pulumi.Run(func(ctx *pulumi.Context) error {
-// _, err := linode.NewDomainRecord(ctx, "root", &linode.DomainRecordArgs{
-// DomainId: pulumi.Int(1297393),
-// RecordType: pulumi.String("A"),
-// Target: pulumi.String("213.52.130.52"),
-// }, pulumi.Protect(true))
-// if err != nil {
-// return err
-// }
-// return nil
-// })
-//}
diff --git a/main.go b/main.go
index bb078c5..5c2784e 100644
--- a/main.go
+++ b/main.go
@@ -4,9 +4,9 @@ import (
 "fmt"
 "strconv"
 
+ "github.com/pulumi/pulumi-linode/sdk/v3/go/linode"
 "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 "github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
- "github.com/pulumi/pulumi-linode/sdk/v3/go/linode"
 )
 
 func main() {
@@ -23,6 +23,11 @@ func infra(ctx *pulumi.Context) error {
 return fmt.Errorf("unable to load the platform configuration; %w", err)
 }
 
+ instance, err := getInstance(ctx, p)
+ if err != nil {
+ return err
+ }
+
 if err := domain(ctx, p); err != nil {
 return fmt.Errorf("unable to manage the domain; %w", err)
 }
@@ -31,19 +36,39 @@ func infra(ctx *pulumi.Context) error {
 return fmt.Errorf("unable to manage the domain records; %w", err)
 }
 
+ if err := firewall(ctx, p, instance.Instances[0].Id); err != nil {
+ return fmt.Errorf("unable to manage the firewall; %w", err)
+ }
+
 return nil
 }
 
+func getInstance(ctx *pulumi.Context, cfg *platform) (*linode.GetInstancesResult, error) {
+ args := linode.GetInstancesArgs{
+ Filters: []linode.GetInstancesFilter{
+ {
+ Name: "label",
+ Values: []string{cfg.Instance.Label},
+ },
+ },
+ }
+
+ instance, err := linode.GetInstances(ctx, &args)
+ if err != nil {
+ return nil, fmt.Errorf("unable to get instance details; %w", err)
+ }
+
+ return instance, nil
+}
+
 func domain(ctx *pulumi.Context, cfg *platform) error {
 domainArgs := linode.DomainArgs{
 Description: pulumi.String(cfg.Domain.Description),
 Domain: pulumi.String(cfg.Domain.Name),
 SoaEmail: pulumi.String(cfg.Domain.Email),
 Status: pulumi.String("active"),
- Tags: pulumi.StringArray{
- pulumi.String("flow"),
- },
- Type: pulumi.String(cfg.Domain.Type),
+ Tags: pulumi.ToStringArray(cfg.Tags),
+ Type: pulumi.String(cfg.Domain.Type),
 }
 
 _, err := linode.NewDomain(ctx, cfg.Domain.Name, &domainArgs, pulumi.Protect(true))
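Review bot: `instance.Instances[0].Id` in the new `firewall` call indexes the lookup result without checking its length, so a label that matches no instance panics the Pulumi program instead of returning an error, and a label that matches several instances silently attaches the firewall to whichever comes first. `getInstance` is the natural place to enforce the expectation, before `return instance, nil`: `if n := len(instance.Instances); n != 1 { return nil, fmt.Errorf("expected exactly one instance with label %q, got %d", cfg.Instance.Label, n) }`. Since the caller only needs the ID, `getInstance` could return that `int` directly and keep the indexing in one place. The `domain` function continues past the end of this hunk.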
@@ -88,3 +113,38 @@ func records(ctx *pulumi.Context, cfg *platform) error {
 
 return nil
 }
+
+func firewall(ctx *pulumi.Context, cfg *platform, instanceID int) error {
+ inbounds := linode.FirewallInboundArray{}
+
+ for _, a := range cfg.Firewall.Inbound.Allow {
+ allow := linode.FirewallInboundArgs{
+ Label: pulumi.String(a.Label),
+ Action: pulumi.String("ACCEPT"),
+ Protocol: pulumi.String(a.Protocol),
+ Ports: pulumi.String(a.Ports),
+ Ipv4s: pulumi.ToStringArray(a.SourceIpv4s),
+ Ipv6s: pulumi.ToStringArray(a.SourceIpv6s),
+ }
+
+ inbounds = append(inbounds, allow)
+ }
+
+ firewallArgs := linode.FirewallArgs{
+ Label: pulumi.String(cfg.Firewall.Label),
+ Tags: pulumi.ToStringArray(cfg.Tags),
+ InboundPolicy: pulumi.String("DROP"),
+ Inbounds: inbounds,
+ OutboundPolicy: pulumi.String("ACCEPT"),
+ Linodes: pulumi.IntArray{
+ pulumi.Int(instanceID),
+ },
+ }
+
+ _, err := linode.NewFirewall(ctx, cfg.Firewall.Label, &firewallArgs)
+ if err != nil {
+ return fmt.Errorf("unable to update the firewall; %w", err)
+ }
+
+ return nil
+}
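Review bot: `firewall` ranges only over `cfg.Firewall.Inbound.Allow`, so the `Deny` rules that config.go now lets an operator declare are parsed and then dropped without any error, which leaves the firewall wider open than the config claims whenever a deny was meant to carve an exception out of an allow. Either reject a non-empty `Deny` until it is supported or emit it as `DROP` rules; if the provider evaluates inbounds in list order with first match winning, the deny rules must precede the accepts. A small helper removes the duplication between the two actions, and presizing the slice replaces the `linode.FirewallInboundArray{}` literal. The `firewallArgs` construction and the `NewFirewall` call are unchanged.
```go
func firewall(ctx *pulumi.Context, cfg *platform, instanceID int) error {
	// Deny rules are listed first; assumes the provider evaluates inbounds in order.
	inbounds := make(linode.FirewallInboundArray, 0, len(cfg.Firewall.Inbound.Deny)+len(cfg.Firewall.Inbound.Allow))
	inbounds = appendInbounds(inbounds, cfg.Firewall.Inbound.Deny, "DROP")
	inbounds = appendInbounds(inbounds, cfg.Firewall.Inbound.Allow, "ACCEPT")

	// … unchanged: firewallArgs construction and NewFirewall call …
}

// appendInbounds converts config rules into Linode inbound rules that all
// carry the given action, preserving the order the config lists them in.
func appendInbounds(dst linode.FirewallInboundArray, rules []firewallRule, action string) linode.FirewallInboundArray {
	for _, r := range rules {
		dst = append(dst, linode.FirewallInboundArgs{
			Label:    pulumi.String(r.Label),
			Action:   pulumi.String(action),
			Protocol: pulumi.String(r.Protocol),
			Ports:    pulumi.String(r.Ports),
			Ipv4s:    pulumi.ToStringArray(r.SourceIpv4s),
			Ipv6s:    pulumi.ToStringArray(r.SourceIpv6s),
		})
	}
	return dst
}
```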