# Hetzner Cloud Firewall
#
# Hetzner Cloud firewalls are allow-lists: once a firewall is attached to a
# server, inbound traffic matching none of its rules is dropped (outbound is
# left alone as long as no "out" rules are declared). When several firewalls
# are attached to one server their rules are combined, so a port is open if
# any of them allows it. Only the public interface is filtered; traffic on
# private networks is not covered by these rules.
#
# NOTE(review): the hcloud API expects CIDR notation in source_ips — confirm
# that var.bastion_host.ipv4 / .ipv6 carry a /32 and /128 suffix.

locals {
  # "Reachable from the whole internet", IPv4 and IPv6.
  fw_anywhere = ["0.0.0.0/0", "::/0"]

  # Only the bastion host may reach management and telemetry ports.
  fw_bastion = [var.bastion_host.ipv4, var.bastion_host.ipv6]

  # Public web ports (list order matches the original rule order).
  fw_web_ports = [
    { port = "80", description = "HTTP" },
    { port = "443", description = "HTTPS" },
  ]

  # Exporter / telemetry endpoints, never exposed beyond the bastion.
  fw_monitoring_ports = [
    { port = "9100", description = "node-exporter" },
    { port = "9558", description = "systemd-exporter" },
    { port = "9187", description = "postgres-exporter" },
    { port = "9113", description = "nginx-exporter" },
    { port = "9253", description = "php-exporter" },
    { port = "9205", description = "nextcloud" },
    { port = "9206", description = "nextcloud_push" },
    { port = "5572", description = "rclone" },
  ]
}

# Plain ICMP (ping, path-MTU discovery) from anywhere, for every server
# labelled env=prod. Attaching by label means a future server with that label
# is covered automatically — and a server that loses the label silently is not.
resource "hcloud_firewall" "icmp" {
  name = "ICMP"

  rule {
    direction  = "in"
    protocol   = "icmp"
    source_ips = local.fw_anywhere
  }

  apply_to {
    label_selector = "env=prod"
  }
}

# SSH is reachable only through the bastion host, again for every env=prod
# server.
resource "hcloud_firewall" "ssh" {
  name = "SSH"

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "22"
    source_ips = local.fw_bastion
  }

  apply_to {
    label_selector = "env=prod"
  }
}

# Public HTTP/HTTPS. Unlike the two firewalls above this one is attached to a
# single server by id rather than by label.
resource "hcloud_firewall" "web" {
  name = "Webserver"

  dynamic "rule" {
    for_each = local.fw_web_ports
    content {
      direction   = "in"
      protocol    = "tcp"
      port        = rule.value.port
      description = rule.value.description
      source_ips  = local.fw_anywhere
    }
  }

  apply_to {
    server = hcloud_server.web.id
  }
}

# Telemetry ports, bastion-only.
#
# NOTE(review): this firewall has no apply_to, so none of its rules is in
# effect anywhere. If the exporters run on the web server (the commented-out
# attachment below points there), they stay unreachable from the bastion
# because the "Webserver" firewall only admits 80/443. Restore the block or
# attach by label_selector once that is the intended state.
resource "hcloud_firewall" "monitoring" {
  name = "Monitoring"

  dynamic "rule" {
    for_each = local.fw_monitoring_ports
    content {
      direction   = "in"
      protocol    = "tcp"
      port        = rule.value.port
      description = rule.value.description
      source_ips  = local.fw_bastion
    }
  }

  # apply_to {
  #   server = hcloud_server.web.id
  # }
}