From f04411377f377da7020710cc75c277175a23b8e9 Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Sat, 12 Aug 2017 17:03:01 -0700
Subject: [PATCH] digital-ocean: Add cluster firewall rules

* Requires Terraform v0.10.0+
---
 .../container-linux/kubernetes/controllers.tf | 2 +-
 .../container-linux/kubernetes/network.tf | 53 +++++++++++++++++++
 .../container-linux/kubernetes/workers.tf | 2 +-
 3 files changed, 55 insertions(+), 2 deletions(-)
 create mode 100644 digital-ocean/container-linux/kubernetes/network.tf

diff --git a/digital-ocean/container-linux/kubernetes/controllers.tf b/digital-ocean/container-linux/kubernetes/controllers.tf
index bbd06b61..bd04c9d7 100644
--- a/digital-ocean/container-linux/kubernetes/controllers.tf
+++ b/digital-ocean/container-linux/kubernetes/controllers.tf
@@ -33,7 +33,7 @@ resource "digitalocean_droplet" "controllers" {
   ]
 }
 
-// Tag to label controllers
+# Tag to label controllers
 resource "digitalocean_tag" "controllers" {
   name = "${var.cluster_name}-controller"
 }
diff --git a/digital-ocean/container-linux/kubernetes/network.tf b/digital-ocean/container-linux/kubernetes/network.tf
new file mode 100644
index 00000000..d0a6479a
--- /dev/null
+++ b/digital-ocean/container-linux/kubernetes/network.tf
@@ -0,0 +1,53 @@
+resource "digitalocean_firewall" "rules" {
+  name = "${var.cluster_name}"
+
+  tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
+
+  # allow ssh, http/https ingress, and peer-to-peer traffic
+  inbound_rule = [
+    {
+      protocol = "tcp"
+      port_range = "22"
+      source_addresses = ["0.0.0.0/0", "::/0"]
+    },
+    {
+      protocol = "tcp"
+      port_range = "80"
+      source_addresses = ["0.0.0.0/0", "::/0"]
+    },
+    {
+      protocol = "tcp"
+      port_range = "443"
+      source_addresses = ["0.0.0.0/0", "::/0"]
+    },
+    {
+      protocol = "udp"
+      port_range = "all"
+      source_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
+    },
+    {
+      protocol = "tcp"
+      port_range = "all"
+      source_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
+    },
+  ]
+
+  # allow all outbound traffic
+  outbound_rule = [
+    {
+      protocol = "icmp"
+      destination_addresses = ["0.0.0.0/0", "::/0"]
+    },
+    {
+      protocol = "udp"
+      port_range = "all"
+      destination_addresses = ["0.0.0.0/0", "::/0"]
+    },
+    {
+      protocol = "tcp"
+      port_range = "all"
+      destination_addresses = ["0.0.0.0/0", "::/0"]
+    },
+  ]
+}
+
diff --git a/digital-ocean/container-linux/kubernetes/workers.tf b/digital-ocean/container-linux/kubernetes/workers.tf
index e34e5f95..95461e5a 100644
--- a/digital-ocean/container-linux/kubernetes/workers.tf
+++ b/digital-ocean/container-linux/kubernetes/workers.tf
@@ -33,7 +33,7 @@ resource "digitalocean_droplet" "workers" {
   ]
 }
 
-// Tag to label workers
+# Tag to label workers
 resource "digitalocean_tag" "workers" {
   name = "${var.cluster_name}-worker"
 }
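Review bot: The first inbound_rule entry in network.tf opens TCP 22 from `0.0.0.0/0` and `::/0`, and because `tags` attaches this one firewall to both the controller and worker tags, every droplet in the cluster accepts SSH from any source; consider taking the allowed sources from a list variable whose default keeps today's value so operators can narrow it without editing the module, e.g. `source_addresses = ["${var.ssh_source_cidrs}"]` with a new `ssh_source_cidrs` list variable defaulting to `["0.0.0.0/0", "::/0"]`. The 80/443 rules are likewise applied to controllers as well as workers; if only workers are meant to serve ingress, a per-tag firewall (or a per-tag `tags` list on separate resources) would make what is exposed on controllers explicit — I cannot tell from this hunk which services listen on those ports. Minor: the new file ends with an extra blank added line (the 53rd `+` line), which can be dropped.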