-
Notifications
You must be signed in to change notification settings - Fork 75
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feature]: add hcloud_firewall_rule resource #1010
Comments
Hey, |
thank you for your fast response! while it is true that the current hcloud provider allows for adding rules during firewall creation, the feature i am requesting would help streamline our workflow and enhance flexibility when dealing with large-scale infrastructure.
applying this same logic to firewall rules would be a natural fit. by introducing a hcloud_firewall_rule resource that could be added independently, we would maintain consistency across the provider and keep the code cleaner. it follows the same principle as adding firewalls to servers using hcloud_firewall_attachment, which allows us to manage resources flexibly and modularly.
to summarize, while the current provider can handle firewalls well in a monolithic setup, this feature would help improve modularity, separation of responsibilities, and scalability in environments using tools like terragrunt. it would allow us to manage infrastructure in a more decentralized, maintainable way while keeping consistent with other hcloud resources. |
Have you considered adding multiple firewalls to your servers? Reading your use case, I understand that you try to pack everything in a single firewall, which indeed, might not scale well, is that correct? |
we don't pack everything in one firewall but we want to keep the firewall count as low as possible to have good oversight over the security. we tried to use more firewalls but ended up having firewalls which are basically rules. of course it works but it is still "wrong"(tm). rules are something dynamic (we come from useing shorewall with ipsets), with the current interface of the cloud firewall they are quite static. if the api and the provider have a rule interface it would even be possible to create an interface for fail2ban. with the current interface it is only possible to:
instead of
|
I have the same perception. Having firewall rule as a separate resource would bring extra flexibility. As a reference, without the intention of comparing Hetzner with other CSP, but just to have an alternative implementation as a reference, I would mention AWS terraform provider:
[1] https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group |
Thanks for both your inputs! I agree that some improvement can be made. Our focus is currently on other topics, so I'll leave this open until we find some time to pick it up. |
What whould you like to see?
adding firewall rules to an existing firewall would be really awesome. it would help splitting respnsibilities. we create firewalls with terragrunt where the rules are read from a yaml file. the terragrunt config resides in a firewall subfolder. if i create a new server i would need to export all server_ips and roles as output and depend on it in the firewall module and add some logic to add the server ips based on their roles to the firewall.
i would love to see the i can go the other way round and create a simple firewall and then in the server module i simply add the a new rule to a given firewall.
The text was updated successfully, but these errors were encountered: