# =============================================================================
# Firewalls Module
# Defense in depth with DigitalOcean Cloud Firewalls
#
# DigitalOcean Cloud Firewalls are stateful: replies to a connection that an
# inbound_rule / outbound_rule permitted are allowed automatically, so each
# rule below only describes the initiating direction. Traffic that matches no
# rule is dropped at the platform edge, before it reaches the droplet, which
# is what makes these rules a second layer on top of any host firewall.
# =============================================================================

# -----------------------------------------------------------------------------
# Jump Host Firewall
# Public exposure is limited to SSH on a non-standard port; every other
# inbound flow has to originate inside the VPC.
#
# Review notes:
#   - A non-standard port is obscurity, not a control. The real controls
#     (key-only auth, no root login, rate limiting) live in the droplet's sshd
#     configuration, which this module does not manage.
#   - source_addresses on the SSH rule is the entire Internet. If the set of
#     administrator networks is known, narrowing that list to those CIDRs is
#     the largest reduction of attack surface available in this file.
#   - The "all VPC traffic" rules let any VPC droplet reach every port on the
#     jump host, so a compromised internal host can pivot here. Limiting that
#     to the ports actually needed is worth considering once the internal
#     dependencies are known -- TODO confirm with the service owners.
# -----------------------------------------------------------------------------
resource "digitalocean_firewall" "jump_host" {
  name        = "${var.project_name}-${var.environment}-jump-fw"
  droplet_ids = [var.jump_host_droplet_id]

  # Inbound: SSH on the non-standard port, reachable from any IPv4/IPv6 source.
  inbound_rule {
    protocol         = "tcp"
    port_range       = var.jump_host_ssh_port
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  # Inbound: every TCP and UDP port, plus ICMP, from the VPC range only.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "1-65535"
    source_addresses = [var.vpc_ip_range]
  }

  inbound_rule {
    protocol         = "udp"
    port_range       = "1-65535"
    source_addresses = [var.vpc_ip_range]
  }

  inbound_rule {
    protocol         = "icmp"
    source_addresses = [var.vpc_ip_range]
  }

  # Outbound: only the traffic a maintained host needs (security hardening).
  # Keeping egress narrow limits what a compromised jump host can be used for
  # (exfiltration, C2, scanning), which is the point of a jump host in the
  # first place.
  outbound_rule {
    protocol              = "tcp"
    port_range            = "53"
    destination_addresses = ["0.0.0.0/0", "::/0"] # DNS (TCP, for large replies)
  }

  outbound_rule {
    protocol              = "udp"
    port_range            = "53"
    destination_addresses = ["0.0.0.0/0", "::/0"] # DNS
  }

  outbound_rule {
    protocol              = "tcp"
    port_range            = "80"
    destination_addresses = ["0.0.0.0/0", "::/0"] # HTTP (apt). Packages are signed, but prefer HTTPS mirrors where available.
  }

  outbound_rule {
    protocol              = "tcp"
    port_range            = "443"
    destination_addresses = ["0.0.0.0/0", "::/0"] # HTTPS
  }

  outbound_rule {
    protocol              = "udp"
    port_range            = "123"
    destination_addresses = ["0.0.0.0/0", "::/0"] # NTP
  }

  # ICMP to anywhere; this superset also covers the VPC, so no separate
  # VPC-scoped ICMP egress rule is needed.
  outbound_rule {
    protocol              = "icmp"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  # VPC outbound (all ports for internal communication). This is the hop from
  # the jump host into the private network, e.g. SSH to internal droplets.
  outbound_rule {
    protocol              = "tcp"
    port_range            = "1-65535"
    destination_addresses = [var.vpc_ip_range]
  }

  outbound_rule {
    protocol              = "udp"
    port_range            = "1-65535"
    destination_addresses = [var.vpc_ip_range]
  }
}
# -----------------------------------------------------------------------------
# Forgejo Firewall
# Allows HTTP, HTTPS, and Git SSH from anywhere.
# System SSH only from VPC (handled by the VPC rule below).
#
# Review notes:
#   - The "system SSH only from VPC" intent assumes var.forgejo_git_ssh_port
#     is a different listener from the system sshd (Forgejo's built-in SSH
#     server or a dedicated port). If both are the same daemon/port, the Git
#     rule exposes system SSH to the Internet -- TODO confirm.
#   - Port 80 is open to the world; presumably for ACME HTTP-01 and/or an
#     HTTPS redirect (verify against the web server config). If neither is
#     used, it can be dropped.
#   - Outbound 80/443 to 0.0.0.0/0 exists for webhooks, i.e. Forgejo opens
#     connections to user-supplied URLs. Because the VPC egress rules also
#     allow every port, a webhook pointed at an internal address can reach
#     private HTTP services (SSRF). The firewall cannot distinguish those
#     flows; restrict webhook targets in Forgejo itself (the
#     [webhook] ALLOWED_HOST_LIST setting) rather than relying on these rules.
# -----------------------------------------------------------------------------
resource "digitalocean_firewall" "forgejo" {
  name        = "${var.project_name}-${var.environment}-forgejo-fw"
  droplet_ids = [var.forgejo_droplet_id]

  # Inbound: HTTP from any IPv4/IPv6 source.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "80"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  # Inbound: HTTPS from any IPv4/IPv6 source.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "443"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  # Inbound: Git over SSH from any IPv4/IPv6 source.
  inbound_rule {
    protocol         = "tcp"
    port_range       = var.forgejo_git_ssh_port
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  # Inbound: every TCP and UDP port, plus ICMP, from the VPC range. This is
  # the only path to the system sshd on its non-standard port (via the jump
  # host), so it is also the rule that any VPC host can use to reach every
  # other service on this droplet.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "1-65535"
    source_addresses = [var.vpc_ip_range]
  }

  inbound_rule {
    protocol         = "udp"
    port_range       = "1-65535"
    source_addresses = [var.vpc_ip_range]
  }

  inbound_rule {
    protocol         = "icmp"
    source_addresses = [var.vpc_ip_range]
  }

  # Outbound: only the traffic the service needs (security hardening).
  outbound_rule {
    protocol              = "tcp"
    port_range            = "53"
    destination_addresses = ["0.0.0.0/0", "::/0"] # DNS (TCP, for large replies)
  }

  outbound_rule {
    protocol              = "udp"
    port_range            = "53"
    destination_addresses = ["0.0.0.0/0", "::/0"] # DNS
  }

  outbound_rule {
    protocol              = "tcp"
    port_range            = "80"
    destination_addresses = ["0.0.0.0/0", "::/0"] # HTTP (apt, Let's Encrypt)
  }

  outbound_rule {
    protocol              = "tcp"
    port_range            = "443"
    destination_addresses = ["0.0.0.0/0", "::/0"] # HTTPS (Docker, webhooks)
  }

  outbound_rule {
    protocol              = "udp"
    port_range            = "123"
    destination_addresses = ["0.0.0.0/0", "::/0"] # NTP
  }

  # ICMP to anywhere; this superset also covers the VPC, so no separate
  # VPC-scoped ICMP egress rule is needed.
  outbound_rule {
    protocol              = "icmp"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  # VPC outbound (all ports for internal communication).
  outbound_rule {
    protocol              = "tcp"
    port_range            = "1-65535"
    destination_addresses = [var.vpc_ip_range]
  }

  outbound_rule {
    protocol              = "udp"
    port_range            = "1-65535"
    destination_addresses = [var.vpc_ip_range]
  }
}