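# Private network carrying the proxy and the servers it fronts; the CIDRs come
# from locals that are defined outside this file.
resource "hcloud_network" "network" {
  name     = "proxy-network"
  ip_range = local.network_cidr
}

# Single cloud subnet inside the network. The zone is hard-coded while the
# datacenter is a local; the two must agree (eu-central covers the fsn1/nbg1/hel1
# datacenters) or the subnet will be unusable from the server.
resource "hcloud_network_subnet" "subnet" {
  type         = "cloud"
  network_id   = hcloud_network.network.id
  network_zone = "eu-central"
  ip_range     = local.subnet_cidr
}

# Default route for the private network: every other server in the network sends
# its internet-bound traffic through the proxy at local.proxy_ip, so the proxy
# host is the egress point for the whole network.
resource "hcloud_network_route" "privNet" {
  network_id  = hcloud_network.network.id
  destination = "0.0.0.0/0"
  gateway     = local.proxy_ip
}

/* -------------------------------------------------------------------------- */

# Stable public IPv4 for the proxy. auto_delete = false keeps the address (and
# any DNS pointing at it) when the server is destroyed and recreated.
resource "hcloud_primary_ip" "public_ip" {
  name          = "proxy-public-ip"
  datacenter    = local.datacenter
  type          = "ipv4"
  assignee_type = "server"
  auto_delete   = false
}

# SSH public key read from the operator's workstation at plan time; only the
# public half is uploaded.
resource "hcloud_ssh_key" "ssh_key" {
  name       = "proxy-ssh-key"
  public_key = file(var.public_ssh_key_path)
}

# The proxy host: one public IPv4 (IPv6 disabled) plus a fixed private address
# that matches the gateway of the default route above.
resource "hcloud_server" "server_instance" {
  name        = "proxy-server"
  image       = local.server_image
  server_type = local.server_type
  datacenter  = local.datacenter
  ssh_keys    = [hcloud_ssh_key.ssh_key.id]

  public_net {
    ipv4_enabled = true
    ipv4         = hcloud_primary_ip.public_ip.id
    ipv6_enabled = false
  }

  network {
    network_id = hcloud_network.network.id
    ip         = local.proxy_ip
    alias_ips  = []
  }

  # The subnet is not referenced by an attribute, so the explicit dependency
  # is needed to make sure it exists before the server joins the network.
  depends_on = [
    hcloud_network_subnet.subnet,
    hcloud_primary_ip.public_ip,
  ]
}

# Firewall applied to the proxy. Hetzner Cloud firewalls deny inbound traffic
# that matches no rule, so everything not listed below is dropped.
resource "hcloud_firewall" "server_firewall" {
  name = "proxy-server-firewall"

  # Allow ICMP from anywhere (ping / path MTU discovery).
  rule {
    direction  = "in"
    protocol   = "icmp"
    source_ips = ["0.0.0.0/0", "::/0"]
  }

  # Allow all TCP out.
  # NOTE(review): this rule only covers TCP. If the provider drops outbound
  # traffic that matches no outbound rule once any outbound rule exists, UDP
  # egress (DNS, NTP) from the proxy is blocked by this rule — confirm, and add
  # a matching "udp" rule if that is the case.
  rule {
    direction       = "out"
    protocol        = "tcp"
    port            = "any"
    destination_ips = ["0.0.0.0/0", "::/0"]
  }

  # Allow all TCP ingress from inside the private network.
  # Fix: the provider requires `port` for tcp/udp rules; the original rule had
  # none and could not be applied. "any" matches the intent of the comment.
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "any"
    source_ips = [local.network_cidr]
  }

  # Poke holes for applications, and SSH.
  # Every port in this list is reachable from the whole internet. 80/443 are
  # the public services; 22 (SSH) and 81 are management ports and should be
  # limited to trusted source CIDRs (or moved behind a bastion/VPN) rather than
  # exposed to 0.0.0.0/0 and ::/0.
  dynamic "rule" {
    for_each = ["80", "443", "22", "81"]
    content {
      direction  = "in"
      protocol   = "tcp"
      port       = rule.value
      source_ips = ["0.0.0.0/0", "::/0"]
    }
  }
}

# Bind the firewall to the proxy server.
resource "hcloud_firewall_attachment" "server_fw_attachment" {
  firewall_id = hcloud_firewall.server_firewall.id
  server_ids  = [hcloud_server.server_instance.id]
}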