---
# Hetzner Cloud firewall definitions for one deployment stage.
#
# Each top-level list here describes one or more firewalls (name, rules,
# apply_to selectors). They are presumably fed to the hetzner.hcloud firewall
# module by a task elsewhere in the role — confirm the consuming task.
#
# Security model to keep in mind when editing:
# - Hetzner Cloud firewalls are allow-lists: inbound traffic not matched by any
#   rule of any firewall attached to a server is dropped. Several of these
#   firewalls can be attached to the same server (e.g. the '-default' one via
#   'stage=<stage>' plus a per-service one), in which case the effective rule
#   set is the UNION of all of them.
# - No 'out' rules are defined anywhere in this file. With Hetzner Cloud, a
#   firewall with no outbound rules permits all outbound traffic; add outbound
#   rules deliberately if egress filtering is ever wanted.
# - 'destination_ips' is only meaningful for outbound rules and is therefore
#   kept empty on every inbound rule below.
# - All source lists come from inventory variables (ip_whitelist,
#   ip_whitelist_admins, awx_source_ips, shared_service_network,
#   offsite_storage_server_ip, *_https_whitelisted_ips). They must be lists of
#   CIDR strings; the firewall is only as tight as those variables.
hcloud_firewall_objects:
  # Baseline firewall attached to EVERY server labelled 'stage=<stage>',
  # regardless of service. Anything allowed here is reachable on every host
  # of the stage, including gitea/keycloak/kibana/backup servers.
  - name: "{{ stage }}-default"
    state: present
    rules:
      - direction: in
        protocol: icmp
        port: ''
        source_ips: '{{ ip_whitelist }}'
        destination_ips: []
        description: ICMP allowed
      - direction: in
        protocol: tcp
        port: '22'
        source_ips: '{{ ip_whitelist }}'
        destination_ips: []
        description: SSH allowed
      # Plain HTTP is opened to the whitelist; presumably only for an
      # HTTP->HTTPS redirect — verify nothing serves content on :80.
      - direction: in
        protocol: tcp
        port: '80'
        source_ips: '{{ ip_whitelist }}'
        destination_ips: []
        description: HTTP allowed
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: '{{ ip_whitelist }}'
        destination_ips: []
        description: HTTPS allowed
      # NOTE(review): the two 'any'-port rules below expose EVERY listening
      # TCP/UDP service on EVERY server of the stage to ip_whitelist_admins,
      # bypassing the per-port rules above and the per-service firewalls
      # further down. If those addresses are residential/dynamic IPs (the
      # description suggests home connections), the list will drift and a
      # stale entry grants full network access to whoever inherits the
      # address. Prefer VPN access, or at minimum keep ip_whitelist_admins
      # to a few static /32s and review it regularly.
      - direction: in
        protocol: tcp
        port: 'any'
        source_ips: '{{ ip_whitelist_admins }}'
        destination_ips: []
        description: TCP - allow work from home without VPN
      - direction: in
        protocol: udp
        port: 'any'
        source_ips: '{{ ip_whitelist_admins }}'
        destination_ips: []
        description: UDP - allow work from home without VPN
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'stage={{ stage }}'

  # Monitoring / admin tooling, also attached to every server of the stage.
  - name: "{{ stage }}-monitoring"
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '9080-9085'
        source_ips: '{{ ip_whitelist }}'
        destination_ips: []
        description: 'Server/Service Monitoring'
      # PgAdmin is a database administration UI. Whether this port speaks
      # TLS and enforces authentication is not visible here — confirm, since
      # the firewall alone is the only control shown for it.
      - direction: in
        protocol: tcp
        port: '9001'
        source_ips: '{{ ip_whitelist }}'
        destination_ips: []
        description: 'PgAdmin'
      # Prometheus postgres exporter; exposes DB statistics (no credentials,
      # but useful reconnaissance) to the whitelist.
      - direction: in
        protocol: tcp
        port: '9187'
        source_ips: '{{ ip_whitelist }}'
        destination_ips: []
        description: 'Postgres-Exporter'
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'stage={{ stage }}'

  # HTTPS access for the external blackbox prober, limited to the 'connect'
  # and 'keycloak' services.
  - name: "{{ stage }}-monitoring-extern-https"
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '443'
        # NOTE(review): the allowed source is resolved from DNS at playbook
        # run time, so the firewall rule trusts whatever the resolver returns
        # on the control node. Caveats to be aware of:
        #  - if the name does not resolve, the dig lookup returns the string
        #    'NXDOMAIN' unless configured to fail, producing an invalid
        #    'NXDOMAIN/32' entry instead of aborting the run — consider
        #    fail_on_error (community.general >= 5.4.0) or a pre-check;
        #  - the '/32' suffix assumes exactly one IPv4 A record; several
        #    records would be joined into one invalid CIDR;
        #  - a changed or spoofed DNS answer changes who may reach :443 here.
        # Pinning the prober's address in inventory would remove the DNS
        # dependency. The hostname is hard-coded to the 'dev' prober for all
        # stages — presumably intentional (one prober for everything).
        source_ips:
          - "{{ lookup('community.general.dig', 'dev-blackbox-01.smardigo.digital' ) }}/32"
        destination_ips: []
        description: null
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'service=connect'
      - type: label_selector
        label_selector:
          selector: 'service=keycloak'

# SSH for the automation controller (AWX) to every server of the stage.
# awx_source_ips must be a list of CIDRs; it is reused for the per-service
# HTTPS rules below.
hcloud_firewall_objects_awx:
  - name: "{{ stage }}-awx-ssh-access-for-k8s-nodes"
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '22'
        source_ips: "{{ awx_source_ips }}"
        destination_ips: []
        description: null
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'stage={{ stage }}'

# SSH from the off-site storage host into the backup server(s) only.
# offsite_storage_server_ip is used as-is, so it must already carry its
# CIDR suffix (e.g. '/32') if the API requires one.
hcloud_firewall_objects_backup:
  - name: "{{ stage }}-backup-ssh-access"
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '22'
        source_ips:
          - "{{ offsite_storage_server_ip }}"
        destination_ips: []
        description: null
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'service=backup'

# The four per-service firewalls below share one pattern: HTTPS from
#  1. the general whitelist,
#  2. the shared service network plus the AWX addresses,
#  3. the shared service network plus an optional service-specific list
#     (<service>_https_whitelisted_ips, defaulting to empty).
# shared_service_network is included in both rule 2 and rule 3, so rule 3
# is never empty even when no custom IPs are set; this is redundant but
# harmless. Remember that the '-default' firewall above is attached to the
# same servers, so SSH/ICMP/80/443 from ip_whitelist and any-port access from
# ip_whitelist_admins apply to these hosts as well.
hcloud_firewall_objects_gitea:
  - name: "{{ stage }}-access-to-gitea"
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ ip_whitelist }}"
        destination_ips: []
        description: "Allow access for whitelisted ips"
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + awx_source_ips }}"
        destination_ips: []
        description: "Allow access for kubernetes worker nodes"
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + (gitea_https_whitelisted_ips | default([])) }}"
        destination_ips: []
        description: "Allow access for custom whitelisted ips"
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'service=gitea'

hcloud_firewall_objects_keycloak:
  - name: "{{ stage }}-access-to-keycloak"
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ ip_whitelist }}"
        destination_ips: []
        description: "Allow access for whitelisted ips"
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + awx_source_ips }}"
        destination_ips: []
        description: "Allow access for kubernetes worker nodes"
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + (keycloak_https_whitelisted_ips | default([])) }}"
        destination_ips: []
        description: "Allow access for custom whitelisted ips"
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'service=keycloak'

hcloud_firewall_objects_kibana:
  - name: "{{ stage }}-access-to-kibana"
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ ip_whitelist }}"
        destination_ips: []
        description: "Allow access for whitelisted ips"
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + awx_source_ips }}"
        destination_ips: []
        description: "Allow access for kubernetes worker nodes"
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + (kibana_https_whitelisted_ips | default([])) }}"
        destination_ips: []
        description: "Allow access for custom whitelisted ips"
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'service=kibana'

# Management tenant of the 'connect' service. The selector requires BOTH
# labels, so ordinary 'service=connect' tenants are not matched here.
hcloud_firewall_objects_management:
  - name: "{{ stage }}-access-to-management"
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ ip_whitelist }}"
        destination_ips: []
        description: "Allow access for whitelisted ips"
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + awx_source_ips }}"
        destination_ips: []
        description: "Allow access for kubernetes worker nodes"
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + (management_https_whitelisted_ips | default([])) }}"
        destination_ips: []
        description: "Allow access for custom whitelisted ips"
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'service=connect,tenant=management'