feat: add fireflow to the Pulumi stack

config

@@ -1 +1 @@
-Subproject commit d07bf63dad2132cb3d6f16641ed7f917a2b29282
+Subproject commit bbb8123ffb9781d818da1bff92d92dd8a0bbe009

config.go

@@ -32,15 +32,21 @@ type domainRecord struct {
 }
 
 type firewallConfig struct {
-	Label string         `json:"label"`
+	Label   string          `json:"label"`
+	Inbound firewallRuleSet `json:"inbound"`
+}
+
+type firewallRuleSet struct {
 	Allow []firewallRule `json:"allow"`
 	Deny  []firewallRule `json:"deny"`
 }
 
 type firewallRule struct {
-	Label    string `json:"label"`
+	Label       string   `json:"label"`
-	Protocol string `json:"protocol"`
+	Protocol    string   `json:"protocol"`
-	Ports    string `json:"ports"`
+	Ports       string   `json:"ports"`
+	SourceIpv4s []string `json:"sourceIpv4s"`
+	SourceIpv6s []string `json:"sourceIpv6s"`
 }
 
 type instanceConfig struct {

infra.go.bck

@@ -72,70 +72,3 @@ import (
 //
 //	return nil
 //}
-
-//func firewall(ctx *pulumi.Context, instanceID pulumi.IntOutput) error {
-//	allowHttp := linode.FirewallInboundArgs{
-//		Label:    pulumi.String("accept-inbound-tcp-80"),
-//		Action:   pulumi.String("ACCEPT"),
-//		Protocol: pulumi.String("TCP"),
-//		Ports:    pulumi.String("80"),
-//		Ipv4s: pulumi.StringArray{
-//			pulumi.String("0.0.0.0/0"),
-//		},
-//		Ipv6s: pulumi.StringArray{
-//			pulumi.String("::/0"),
-//		},
-//	}
-//
-//	allowHttps := linode.FirewallInboundArgs{
-//		Label:    pulumi.String("accept-inbound-tcp-443"),
-//		Action:   pulumi.String("ACCEPT"),
-//		Protocol: pulumi.String("TCP"),
-//		Ports:    pulumi.String("443"),
-//		Ipv4s: pulumi.StringArray{
-//			pulumi.String("0.0.0.0/0"),
-//		},
-//		Ipv6s: pulumi.StringArray{
-//			pulumi.String("::/0"),
-//		},
-//	}
-//
-//	tags := []string{"flow"}
-//
-//	label := "fireflow"
-//
-//	firewallArgs := linode.FirewallArgs{
-//		Label:         pulumi.String(label),
-//		Tags:          pulumi.ToStringArray(tags),
-//		InboundPolicy: pulumi.String("DROP"),
-//		Inbounds: linode.FirewallInboundArray{
-//			&allowHttp,
-//			&allowHttps,
-//		},
-//		OutboundPolicy: pulumi.String("ACCEPT"),
-//		Linodes: pulumi.IntArray{
-//			instanceID,
-//		},
-//	}
-//
-//	_, err := linode.NewFirewall(ctx, label, &firewallArgs)
-//	if err != nil {
-//		return fmt.Errorf("unable to update the firewall; %w", err)
-//	}
-//
-//	return nil
-//}
-
-//func main() {
-//        pulumi.Run(func(ctx *pulumi.Context) error {
-//                _, err := linode.NewDomainRecord(ctx, "root", &linode.DomainRecordArgs{
-//                        DomainId:   pulumi.Int(1297393),
-//                        RecordType: pulumi.String("A"),
-//                        Target:     pulumi.String("213.52.130.52"),
-//                }, pulumi.Protect(true))
-//                if err != nil {
-//                        return err
-//                }
-//                return nil
-//        })
-//}

main.go

@@ -4,9 +4,9 @@ import (
 	"fmt"
 	"strconv"
 
+	"github.com/pulumi/pulumi-linode/sdk/v3/go/linode"
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
-	"github.com/pulumi/pulumi-linode/sdk/v3/go/linode"
 )
 
 func main() {
@@ -23,6 +23,11 @@ func infra(ctx *pulumi.Context) error {
 		return fmt.Errorf("unable to load the platform configuration; %w", err)
 	}
 
+	instance, err := getInstance(ctx, p)
+	if err != nil {
+		return err
+	}
+
 	if err := domain(ctx, p); err != nil {
 		return fmt.Errorf("unable to manage the domain; %w", err)
 	}
@@ -31,19 +36,39 @@ func infra(ctx *pulumi.Context) error {
 		return fmt.Errorf("unable to manage the domain records; %w", err)
 	}
 
+	if err := firewall(ctx, p, instance.Instances[0].Id); err != nil {
+		return fmt.Errorf("unable to manage the firewall; %w", err)
+	}
+
 	return nil
 }
 
+func getInstance(ctx *pulumi.Context, cfg *platform) (*linode.GetInstancesResult, error) {
+	args := linode.GetInstancesArgs{
+		Filters: []linode.GetInstancesFilter{
+			{
+				Name:   "label",
+				Values: []string{cfg.Instance.Label},
+			},
+		},
+	}
+
+	instance, err := linode.GetInstances(ctx, &args)
+	if err != nil {
+		return nil, fmt.Errorf("unable to get instance details; %w", err)
+	}
+
+	return instance, nil
+}
+
 func domain(ctx *pulumi.Context, cfg *platform) error {
 	domainArgs := linode.DomainArgs{
 		Description: pulumi.String(cfg.Domain.Description),
 		Domain:      pulumi.String(cfg.Domain.Name),
 		SoaEmail:    pulumi.String(cfg.Domain.Email),
 		Status:      pulumi.String("active"),
-		Tags: pulumi.StringArray{
+		Tags:        pulumi.ToStringArray(cfg.Tags),
-			pulumi.String("flow"),
+		Type:        pulumi.String(cfg.Domain.Type),
-		},
-		Type: pulumi.String(cfg.Domain.Type),
 	}
 
 	_, err := linode.NewDomain(ctx, cfg.Domain.Name, &domainArgs, pulumi.Protect(true))
@@ -88,3 +113,38 @@ func records(ctx *pulumi.Context, cfg *platform) error {
 
 	return nil
 }
+
+func firewall(ctx *pulumi.Context, cfg *platform, instanceID int) error {
+	inbounds := linode.FirewallInboundArray{}
+
+	for _, a := range cfg.Firewall.Inbound.Allow {
+		allow := linode.FirewallInboundArgs{
+			Label:    pulumi.String(a.Label),
+			Action:   pulumi.String("ACCEPT"),
+			Protocol: pulumi.String(a.Protocol),
+			Ports:    pulumi.String(a.Ports),
+			Ipv4s:    pulumi.ToStringArray(a.SourceIpv4s),
+			Ipv6s:    pulumi.ToStringArray(a.SourceIpv6s),
+		}
+
+		inbounds = append(inbounds, allow)
+	}
+
+	firewallArgs := linode.FirewallArgs{
+		Label:          pulumi.String(cfg.Firewall.Label),
+		Tags:           pulumi.ToStringArray(cfg.Tags),
+		InboundPolicy:  pulumi.String("DROP"),
+		Inbounds:       inbounds,
+		OutboundPolicy: pulumi.String("ACCEPT"),
+		Linodes: pulumi.IntArray{
+			pulumi.Int(instanceID),
+		},
+	}
+
+	_, err := linode.NewFirewall(ctx, cfg.Firewall.Label, &firewallArgs)
+	if err != nil {
+		return fmt.Errorf("unable to update the firewall; %w", err)
+	}
+
+	return nil
+}