reorganize firewall rules to make it more obvious what has changed

main.tf

@@ -31,8 +31,6 @@ data "external" "my_ip" {
 module "k8s" {
   source = "./modules/hetzner/kubernetes"
 
-  development_ips = [ for ip in data.external.my_ip.result : ip ]
-
   name     = "cluster1"
   ssh_keys = [for o in hcloud_ssh_key.this : o.id]
   # Only odd numbers of servers make any sense
@@ -47,6 +45,11 @@ module "k8s" {
     location = "fsn1"
     count    = 1
   }]
+  kubernetes_exposed_ips = values(data.external.my_ip.result)
+  ssh_exposed_ips        = values(data.external.my_ip.result)
+  public_tcp_services = {
+    http = ["80", "443"]
+  }
 }
 
 locals {

modules/hetzner/kubernetes/main.tf

@@ -18,6 +18,17 @@ locals {
       )
     }
   ]...)
+  all_ips           = ["0.0.0.0/0", "::/0"]
+  ping_firewall     = var.ping_enabled ? { "ping" : [{ protocol = "icmp", port = null }] } : {}
+  k8s_firewall      = { "kubernetes" : [{ port = "6443", source_ips = concat([local.network], var.kubernetes_exposed_ips) }] }
+  ssh_firewall      = length(var.ssh_exposed_ips) > 0 ? { "ssh" : [{ port = 1022, source_ips = var.ssh_exposed_ips }] } : {}
+  service_firewalls = { for service, ports in var.public_tcp_services : service => [for port in ports : { port = port }] }
+  firewalls = merge(
+    local.ping_firewall,
+    local.k8s_firewall,
+    local.ssh_firewall,
+    local.service_firewalls
+  )
 }
 
 resource "hcloud_network" "this" {
@@ -44,43 +55,16 @@ resource "random_string" "k3s_token" {
 }
 
 resource "hcloud_firewall" "this" {
-  name = var.name
+  for_each = local.firewalls
-  rule {
+
-    direction = "in"
+  name = each.key
-    protocol = "icmp"
-    source_ips = ["0.0.0.0/0", "::/0"]
-  }
-  rule {
-    direction = "in"
-    protocol = "tcp"
-    port = "22"
-    source_ips = ["0.0.0.0/0", "::/0"]
-  }
-  rule {
-    direction = "in"
-    protocol = "tcp"
-    port = "80"
-    source_ips = ["0.0.0.0/0", "::/0"]
-  }
-  rule {
-    direction = "in"
-    protocol = "tcp"
-    port = "443"
-    source_ips = ["0.0.0.0/0", "::/0"]
-  }
-  rule {
-    direction = "in"
-    protocol = "tcp"
-    port = "6443"
-    source_ips = concat([local.network], var.development_ips)
-  }
   dynamic "rule" {
-    for_each = length(var.development_ips) == 0 ? {} : { ips = 1 }
+    for_each = each.value
     content {
-      direction = "in"
+      direction  = lookup(rule.value, "direction", "in")
-      protocol = "tcp"
+      protocol   = lookup(rule.value, "protocol", "tcp")
-      port = "1022"
+      source_ips = lookup(rule.value, "source_ips", local.all_ips)
-      source_ips = var.development_ips
+      port       = lookup(rule.value, "port")
     }
   }
 }
@@ -109,7 +93,7 @@ resource "hcloud_server" "server" {
       first_ip         = each.value.first_ip
     }
   )
-  firewall_ids = [hcloud_firewall.this.id]
+  firewall_ids = [for firewall in hcloud_firewall.this : firewall.id]
 }
 
 resource "hcloud_server" "agent" {

modules/hetzner/kubernetes/variables.tf

@@ -23,7 +23,22 @@ variable "agents" {
   }))
 }
 
-variable "development_ips" {
+variable "ping_enabled" {
+  type = bool
+  default = true
+}
+
+variable "public_tcp_services" {
+  type = map(list(string))
+  default = {}
+}
+
+variable "kubernetes_exposed_ips" {
+  type = list(string)
+  default = []
+}
+
+variable "ssh_exposed_ips" {
   type = list(string)
   default = []
 }