beeta/devops/terraform/modules/firewalls/main.tf

# =============================================================================
# Firewalls Module
# Defense in depth with DigitalOcean Cloud Firewalls
# =============================================================================
# -----------------------------------------------------------------------------
# Jump Host Firewall
# Exposes only SSH (on a non-standard port) to the Internet; every other inbound rule is limited to the VPC range
# -----------------------------------------------------------------------------
resource "digitalocean_firewall" "jump_host" {
  name        = "${var.project_name}-${var.environment}-jump-fw"
  droplet_ids = [var.jump_host_droplet_id]

  # --- Inbound ---------------------------------------------------------------
  # The only Internet-reachable service is SSH on the non-standard port.
  inbound_rule {
    protocol         = "tcp"
    port_range       = var.jump_host_ssh_port
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  # Everything else must originate inside the VPC: TCP and UDP on every port
  # (one generated rule per protocol) plus ICMP.
  # NOTE(review): any droplet in the VPC can therefore reach any listener on
  # the jump host; if the host runs nothing but sshd, consider narrowing this
  # to the ports actually needed so a compromised internal host cannot pivot
  # onto the bastion.
  dynamic "inbound_rule" {
    for_each = ["tcp", "udp"]
    content {
      protocol         = inbound_rule.value
      port_range       = "1-65535"
      source_addresses = [var.vpc_ip_range]
    }
  }

  inbound_rule {
    protocol         = "icmp"
    source_addresses = [var.vpc_ip_range]
  }

  # --- Outbound --------------------------------------------------------------
  # Internet egress is limited to the services the host needs (hardening).
  # Map keys only name the rules; iteration is in key order (dns_tcp, dns_udp,
  # http, https, ntp), matching the original hand-written sequence.
  dynamic "outbound_rule" {
    for_each = {
      dns_tcp = { protocol = "tcp", port_range = "53" }  # DNS
      dns_udp = { protocol = "udp", port_range = "53" }  # DNS
      http    = { protocol = "tcp", port_range = "80" }  # HTTP (apt)
      https   = { protocol = "tcp", port_range = "443" } # HTTPS
      ntp     = { protocol = "udp", port_range = "123" } # NTP
    }
    content {
      protocol              = outbound_rule.value.protocol
      port_range            = outbound_rule.value.port_range
      destination_addresses = ["0.0.0.0/0", "::/0"]
    }
  }

  # ICMP egress to anywhere (covers the VPC range as well).
  outbound_rule {
    protocol              = "icmp"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  # Unrestricted TCP/UDP egress inside the VPC (internal communication).
  dynamic "outbound_rule" {
    for_each = ["tcp", "udp"]
    content {
      protocol              = outbound_rule.value
      port_range            = "1-65535"
      destination_addresses = [var.vpc_ip_range]
    }
  }
}
# -----------------------------------------------------------------------------
# Forgejo Firewall
# Allows HTTP, HTTPS, and Git SSH from anywhere
# System SSH only from VPC (handled by VPC rule)
# -----------------------------------------------------------------------------
resource "digitalocean_firewall" "forgejo" {
  name        = "${var.project_name}-${var.environment}-forgejo-fw"
  droplet_ids = [var.forgejo_droplet_id]

  # --- Inbound ---------------------------------------------------------------
  # Public services: HTTP, HTTPS and Git-over-SSH are reachable from anywhere.
  # HTTP (80) stays open inbound so ACME HTTP-01 challenges can be answered.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "80"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  inbound_rule {
    protocol         = "tcp"
    port_range       = "443"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  # Git SSH is the Forgejo service port, not the system sshd; the system sshd
  # (non-standard port) is only reachable through the VPC rules below.
  inbound_rule {
    protocol         = "tcp"
    port_range       = var.forgejo_git_ssh_port
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  # Anything else must come from inside the VPC: TCP and UDP on every port
  # (one generated rule per protocol) plus ICMP.
  dynamic "inbound_rule" {
    for_each = ["tcp", "udp"]
    content {
      protocol         = inbound_rule.value
      port_range       = "1-65535"
      source_addresses = [var.vpc_ip_range]
    }
  }

  inbound_rule {
    protocol         = "icmp"
    source_addresses = [var.vpc_ip_range]
  }

  # --- Outbound --------------------------------------------------------------
  # Internet egress is limited to the services the host needs (hardening).
  # Map keys only name the rules; iteration is in key order (dns_tcp, dns_udp,
  # http, https, ntp), matching the original hand-written sequence.
  # NOTE(review): the ACME API itself is served over 443; outbound 80 is kept
  # per the original intent (apt mirrors, Let's Encrypt) — confirm what still
  # needs plain HTTP before tightening.
  dynamic "outbound_rule" {
    for_each = {
      dns_tcp = { protocol = "tcp", port_range = "53" }  # DNS
      dns_udp = { protocol = "udp", port_range = "53" }  # DNS
      http    = { protocol = "tcp", port_range = "80" }  # HTTP (apt, Let's Encrypt)
      https   = { protocol = "tcp", port_range = "443" } # HTTPS (Docker, webhooks)
      ntp     = { protocol = "udp", port_range = "123" } # NTP
    }
    content {
      protocol              = outbound_rule.value.protocol
      port_range            = outbound_rule.value.port_range
      destination_addresses = ["0.0.0.0/0", "::/0"]
    }
  }

  # ICMP egress to anywhere (covers the VPC range as well).
  outbound_rule {
    protocol              = "icmp"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  # Unrestricted TCP/UDP egress inside the VPC (internal communication).
  dynamic "outbound_rule" {
    for_each = ["tcp", "udp"]
    content {
      protocol              = outbound_rule.value
      port_range            = "1-65535"
      destination_addresses = [var.vpc_ip_range]
    }
  }
}