terraform-digitalocean-firewall-cloudflare

public
23 stars
9 forks
0 issues

Commits

List of commits on branch main.
Unverified
19afecc6e5c4a7b98ee46da62ecccd1958745f32

Add .terraform.lock.hcl to .gitignore

andrewsomething committed 3 years ago
Unverified
3ff0c5802d8bccf996bc925f9f83eb114a7f4552

example: Update to include required_providers

andrewsomething committed 3 years ago
Verified
6898077cdae706d3c390203310e7a1fcc12e21b4

Merge pull request #5 from fr3fou/patch-1

andrewsomething committed 3 years ago
Verified
7555ab9476f8f06043bbc2ea88e7c48fd836e491

fix: update main.tf for Terraform >= 0.13

fr3fou committed 3 years ago
Unverified
979e45eeb2896d8c4b7e6ded8e2831289c0fb879

Update examples for changes in Cloudflare provider.

andrewsomething committed 5 years ago
Verified
ccd8181af000e7c4b644ffda176d32a1e9e27b96

Merge pull request #3 from AdrianLThomas/master

andrewsomething committed 5 years ago

README

The README file for this repository.

Terraform Module for DigitalOcean Firewall + Cloudflare

This module allows you to create a DigitalOcean Firewall that only accepts inbound connections from Cloudflare's published list of IP addresses.

Why would I use this?

Cloudflare provides DDoS protection for domains that use its DNS. If an attacker learns the IP address of your origin server, that protection can easily be bypassed by connecting to the origin directly. The approach in this module blocks incoming connections to the server from all non-Cloudflare IPs.

This could be done at the server level using iptables or other firewall software, but a misconfigured host firewall could lock you out of your own server. With a DigitalOcean Firewall, you can open or close additional ports as needed without touching the server itself.

This can also be achieved at the web server level using the DenyAllButCloudFlare rule from Cloudflare's Mod_Cloudflare Apache extension or similar tools for Nginx, but this still consumes bandwidth and system resources on the origin server, since each request has to reach the web server before it is rejected. Using a DigitalOcean Firewall means the unwanted traffic is blocked before it ever reaches the Droplet.

Cloudflare IP addresses may also change. Tracking those changes and applying them by hand in the DigitalOcean control panel can be tedious. Using this module, re-running terraform apply will pick up those changes and reconfigure your Firewall.
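The following is an added example (not this module's own main.tf) that reproduces the approach the README describes in plain Terraform, so you can see why re-running terraform apply keeps the Firewall current: the inbound rules are built from the Cloudflare provider's cloudflare_ip_ranges data source, which is re-read on every plan. The firewall name and tag are assumed values chosen for the example.

```hcl
terraform {
  required_providers {
    digitalocean = {
      source = "digitalocean/digitalocean"
    }
    cloudflare = {
      source = "cloudflare/cloudflare"
    }
  }
}

# Cloudflare publishes its edge IP ranges. This data source reads the current
# list during every plan/apply, so a changed range shows up as a planned
# update to the firewall rules instead of having to be tracked by hand.
data "cloudflare_ip_ranges" "cloudflare" {}

resource "digitalocean_firewall" "inbound_cloudflare" {
  name = "inbound-cloudflare"          # assumed name for this example
  tags = ["allow_inbound_cloudflare"]  # assumed tag; Droplets carrying it get these rules

  # One inbound rule per web port, each restricted to Cloudflare's
  # IPv4 and IPv6 ranges. Everything else inbound is dropped.
  dynamic "inbound_rule" {
    for_each = ["80", "443"]
    content {
      protocol         = "tcp"
      port_range       = inbound_rule.value
      source_addresses = data.cloudflare_ip_ranges.cloudflare.cidr_blocks
    }
  }

  # No outbound_rule blocks here on purpose: this Firewall only covers the
  # "inbound from Cloudflare" concern. Outbound access (DNS, updates) belongs
  # in a separate, composable Firewall.
}

# Expose the resolved ranges so a reviewer can compare them against
# Cloudflare's published list after an apply.
output "cloudflare_cidr_blocks" {
  value = data.cloudflare_ip_ranges.cloudflare.cidr_blocks
}
```

A useful check after an apply is to diff the cloudflare_cidr_blocks output against the list Cloudflare publishes; any mismatch means the provider data source and the published list have drifted. Depending on the Cloudflare provider version you may need to configure credentials even though the IP list itself is public.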

Module input variables

  • name - The name of the firewall to be created.
  • droplet_ids - A list of the IDs of the Droplets assigned to the Firewall.
  • tags - A list of tag names assigned to the Firewall.

Example

This example creates a Firewall and a tag named allow_inbound_cloudflare. Any Droplet with this tag applied to it will only allow inbound connections to ports 80 and 443 from Cloudflare IPs.

module "firewall_inbound_cloudflare" {
  source = "andrewsomething/firewall-cloudflare/digitalocean"

  name   = "inbound-cloudflare"
  tags   = ["allow_inbound_cloudflare"]
}

resource "digitalocean_tag" "allow_inbound_cloudflare" {
  name = "allow_inbound_cloudflare"
}

Note: DigitalOcean Firewalls are composable. Creating separate Firewalls for separate concerns is considered a best practice. When using the above example, additional Firewalls should be applied to the Droplets to allow, for example, inbound SSH access and outbound DNS lookups.
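As an added example (not part of this module), here are two companion Firewalls that cover the concerns the note above mentions, attached to the same allow_inbound_cloudflare tag used in the README example. The admin_cidrs variable and its default are placeholders for this example; the default uses an RFC 5737 documentation range and must be replaced with your own management addresses.

```hcl
# Addresses allowed to reach SSH. Placeholder default: replace with the
# networks your administrators actually connect from.
variable "admin_cidrs" {
  description = "Source CIDRs permitted to open SSH to the tagged Droplets."
  type        = list(string)
  default     = ["203.0.113.0/24"] # RFC 5737 documentation range, placeholder only
}

# Concern 1: inbound SSH, limited to the admin networks rather than 0.0.0.0/0.
resource "digitalocean_firewall" "inbound_ssh_admin" {
  name = "inbound-ssh-admin"
  tags = ["allow_inbound_cloudflare"] # same tag as the README example

  inbound_rule {
    protocol         = "tcp"
    port_range       = "22"
    source_addresses = var.admin_cidrs
  }
}

# Concern 2: the outbound traffic a typical web Droplet needs. A Droplet with
# only the inbound Firewall attached cannot resolve names or fetch updates,
# because DigitalOcean Firewalls default to deny in both directions.
resource "digitalocean_firewall" "outbound_basics" {
  name = "outbound-basics"
  tags = ["allow_inbound_cloudflare"]

  # DNS lookups (UDP and TCP)
  outbound_rule {
    protocol              = "udp"
    port_range            = "53"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
  outbound_rule {
    protocol              = "tcp"
    port_range            = "53"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  # NTP time synchronisation
  outbound_rule {
    protocol              = "udp"
    port_range            = "123"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  # Package repositories and other outbound HTTP/HTTPS calls
  outbound_rule {
    protocol              = "tcp"
    port_range            = "80"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
  outbound_rule {
    protocol              = "tcp"
    port_range            = "443"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  # ICMP for path MTU discovery and basic diagnostics (no port_range for icmp)
  outbound_rule {
    protocol              = "icmp"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
}
```

Because DigitalOcean Firewalls are allow-lists whose rules are unioned per Droplet, these two resources add SSH and outbound access without loosening the web rules: ports 80 and 443 inbound remain reachable only from Cloudflare's ranges, since no Firewall grants them to anyone else. Keeping each concern in its own resource also means a change to the SSH allow-list shows up as an isolated plan diff rather than a rewrite of the Cloudflare rules.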

License

MIT licensed. See LICENSE for full details.