mirror of https://github.com/bpg/terraform-provider-proxmox.git synced 2025-07-06 05:53:58 +00:00
terraform-provider-proxmox/docs/resources/virtual_environment_firewall_rules.md
Pavel Boldyrev 98e1cff7fe
feat: Add firewall resources (#246)
* refactoring existing cluster / firewall API for better composition

* add basic security groups API
fix linter errors

* add rules API

* fix after renaming resourceVirtualEnvironmentClusterIPSet

* fix linter errors

* make linter happy

* even more refactoring

* tidy up datasources

* in refactoring spree

* update examples

* fix firewall resource/datasource & client error handling

* add ipset(s) datasource

* update docs

* add security group resource with rules

* docs

* fix security group update, TODO: rule update

* fix after rebase

* add rule update, extract common rule schema, refactor group

* fix linter errors

* bump linter for ci

* make alias and ipset reusable

* make security group reusable

* refactor datasources

* add security group datasources

* fix linter errors

* update docs

TODO: documentation for group datasources

* add sg docs, update doc index

* minor cleanup

* fix examples & tests

* stub for firewall-level options and rules

* extract firewall interface

* add firewall options and rules on the cluster level

TODO: issues with rule list management

* refactor all resources format AGAIN, now more flat, without complex subresources

* sort out hierarchy of APIs and remove duplication in API wrappers

* bring back security group

* finally, working rules

* restore cluster firewall option

* add containers support

* add options

* move rules back under security group, update docs

* fix vm_id / container_id attrs

* add examples

* cleanup

* more cleanup


Release-As: 0.17.0-rc1
2023-04-02 18:01:10 -04:00


---
layout: page
title: proxmox_virtual_environment_firewall_rules
permalink: /resources/virtual_environment_firewall_rules
nav_order: 10
parent: Resources
subcategory: Virtual Environment
---

# Resource: proxmox_virtual_environment_firewall_rules

Manages a set of firewall rules. Rules can be defined at the cluster (datacenter) level by leaving `node_name`, `vm_id` and `container_id` unset, or for a single VM or container by setting `node_name` together with `vm_id` or `container_id`. A security group is a collection of rules, defined at cluster level, which can be reused in all VMs' rules; for example, you can define a group named "webserver" with rules to open the HTTP and HTTPS ports.

Rules are evaluated in order and only take effect where the Proxmox firewall is actually enabled: at the datacenter level and, for guest-level rules, on the guest itself and on the network device the traffic arrives on (`firewall=1` on the `net` entry).

## Example Usage

```hcl
resource "proxmox_virtual_environment_firewall_rules" "inbound" {
  # Make sure the VM exists before its rule set is created.
  depends_on = [proxmox_virtual_environment_vm.example]

  # VM-level rule set: node_name plus vm_id.
  node_name = proxmox_virtual_environment_vm.example.node_name
  vm_id     = proxmox_virtual_environment_vm.example.vm_id

  rule {
    type    = "in"
    action  = "ACCEPT"
    comment = "Allow HTTP"
    dest    = "192.168.1.5"
    dport   = "80"
    proto   = "tcp"
    log     = "info"
  }

  rule {
    type    = "in"
    action  = "ACCEPT"
    comment = "Allow HTTPS"
    dest    = "192.168.1.5"
    dport   = "443"
    proto   = "tcp"
    log     = "info"
  }
}
```

## Argument Reference

  • node_name - (Optional) Node name. Required when vm_id or container_id is set. Leave empty for cluster level rules.
  • vm_id - (Optional) VM ID. Leave empty for cluster level rules.
  • container_id - (Optional) Container ID. Leave empty for cluster level rules.
  • rule - (Optional) Firewall rule block (multiple blocks supported). Rules are applied in the order the blocks appear; the first matching rule decides the action.
    • action - (Required) Rule action (ACCEPT, DROP, REJECT).
    • type - (Required) Rule type (in, out).
    • comment - (Optional) Rule comment.
    • dest - (Optional) Restrict packet destination address. This can refer to a single IP address, an IP set ('+ipsetname') or an IP alias definition. You can also specify an address range like 20.34.101.207-201.3.9.99, or a list of IP addresses and networks (entries are separated by comma). Please do not mix IPv4 and IPv6 addresses inside such lists.
    • dport - (Optional) Restrict TCP/UDP destination port. You can use service names or simple numbers (0-65535), as defined in '/etc/services'. Port ranges can be specified with '\d+:\d+', for example 80:85, and you can use comma separated list to match several ports or ranges.
    • enable - (Optional) Enable this rule. Defaults to true.
    • iface - (Optional) Network interface name. You have to use network configuration key names for VMs and containers ('net\d+'). Host related rules can use arbitrary strings.
    • log - (Optional) Log level for this rule (emerg, alert, crit, err, warning, notice, info, debug, nolog).
    • macro - (Optional) Macro name. Use a predefined standard macro (for example HTTP, HTTPS or SSH) instead of specifying proto and dport by hand.
    • proto - (Optional) Restrict packet protocol. You can use protocol names or simple numbers (0-255), as defined in '/etc/protocols'.
    • source - (Optional) Restrict packet source address. This can refer to a single IP address, an IP set ('+ipsetname') or an IP alias definition. You can also specify an address range like 20.34.101.207-201.3.9.99, or a list of IP addresses and networks (entries are separated by comma). Please do not mix IPv4 and IPv6 addresses inside such lists.
    • sport - (Optional) Restrict TCP/UDP source port. You can use service names or simple numbers (0-65535), as defined in '/etc/services'. Port ranges can be specified with '\d+:\d+', for example 80:85, and you can use comma separated list to match several ports or ranges.

## Attribute Reference

  • rule
    • pos - Position of the rule in the list, as assigned by Proxmox (0 is evaluated first).
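
The following is an added example, not part of the provider's own documentation, that exercises the argument forms listed above: a cluster-level rule set (no node_name, vm_id or container_id) and a container-level rule set (node_name plus container_id), using an IP set reference, an alias, port ranges and lists, a macro, a disabled rule and an outbound DROP. The IP set `trusted_admins`, the alias `monitoring`, the node name `pve1` and the container ID 200 are placeholders assumed for this example and must exist in your environment.

```hcl
# Added example (not from the provider's docs). The IP set "+trusted_admins",
# the alias "monitoring", node "pve1" and container 200 are assumed placeholders.

# Cluster-level rules: node_name, vm_id and container_id are all left unset.
# These rules are evaluated before any guest-level rules.
resource "proxmox_virtual_environment_firewall_rules" "cluster" {
  # Allow SSH only from the "trusted_admins" IP set, and log each accepted packet.
  rule {
    type    = "in"
    action  = "ACCEPT"
    comment = "SSH from admin IP set"
    source  = "+trusted_admins" # IP set reference uses the '+' prefix
    dport   = "22"
    proto   = "tcp"
    log     = "info"
  }

  # Allow an exporter port range plus one extra port from the "monitoring" alias.
  rule {
    type    = "in"
    action  = "ACCEPT"
    comment = "Prometheus exporters"
    source  = "monitoring"     # alias name, no prefix
    dport   = "9100:9110,9256" # range 'low:high' and a comma-separated extra port
    proto   = "tcp"
  }

  # Reject (rather than silently drop) other access to the Proxmox web UI and log it.
  rule {
    type    = "in"
    action  = "REJECT"
    comment = "Reject other Proxmox web UI access"
    dport   = "8006"
    proto   = "tcp"
    log     = "warning"
  }
}

# Container-level rules: node_name plus container_id (instead of vm_id).
resource "proxmox_virtual_environment_firewall_rules" "lxc_web" {
  node_name    = "pve1"
  container_id = 200

  # A predefined macro replaces proto/dport; restrict it to the guest's net0.
  rule {
    type    = "in"
    action  = "ACCEPT"
    comment = "HTTP via macro"
    macro   = "HTTP"
    iface   = "net0" # network configuration key of the guest
  }

  rule {
    type    = "in"
    action  = "ACCEPT"
    comment = "HTTPS via macro"
    macro   = "HTTPS"
    iface   = "net0"
  }

  # Kept in the configuration but disabled until the service is ready.
  rule {
    type    = "in"
    action  = "ACCEPT"
    comment = "Staging SSH, currently disabled"
    dport   = "2222"
    proto   = "tcp"
    enable  = false
  }

  # Block all outbound SMTP from the container, whatever the destination.
  rule {
    type    = "out"
    action  = "DROP"
    comment = "No direct outbound mail"
    dport   = "25,465,587"
    proto   = "tcp"
    log     = "notice"
  }
}
```

Keep the most specific ACCEPT rules first and the catch-all REJECT/DROP rules last, since the first matching rule wins and the exported `pos` reflects block order. Logging at `info` on an ACCEPT rule records every accepted packet, which is useful while validating a rule set but noisy in steady state; `warning` or `notice` on the deny rules is usually what you want to keep long term.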