hetzner.hcloud
Support Firewall resource selectors
SUMMARY
Support apply_to parameter in firewalls to configure firewall resource selectors.
ISSUE TYPE
- Feature Idea
COMPONENT NAME
hetzner.hcloud.hcloud_firewall
ADDITIONAL INFORMATION
Right now firewalls cannot be specified using apply_to. This makes them more or less unsuitable if utilizing labels. Specifying each server manually through hcloud_server_module seems counterintuitive, especially for more complex setups. Note the official API does not support lookup by server names and has a different apply_to syntax. However I think this is more likely to be idiomatic in Ansible. Implementations therefore need to resolve the id of the servers automatically.
Otherwise the implementation should be more or less straightforward by calling https://api.hetzner.cloud/v1/firewalls, https://api.hetzner.cloud/v1/firewalls/{id}/actions/apply_to_resources and https://api.hetzner.cloud/v1/firewalls/{id}/actions/remove_from_resources respectively to create or update or delete unused resources.
```yaml
- name: Create main firewall
  hetzner.hcloud.hcloud_firewall:
    name: main_fw
    apply_to:
      label_selectors:
        - k
      servers:
        - my-server-name
    rules:
      - direction: in
        protocol: tcp
        port: 22
        source_ips:
          - 0.0.0.0/0
          - ::/0
        description: Allows SSH access
    state: present
```
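As an added example that is not part of the issue or of the collection's code, the reconciliation the proposal describes could look like this: resolve server names to ids, diff the firewall's current `applied_to` against the desired selectors, and call the two action endpoints only for the difference. The `GET /servers?name=` lookup and the resource object shapes are assumed from the Hetzner Cloud API (the issue only names the endpoint URLs), and the HTTP client is a constructed stub so the code runs offline.

```python
# Added example, not the collection's code: reconcile firewall selectors as the issue proposes.
API = "https://api.hetzner.cloud/v1"

def _res(kind, value):  # resource object shape assumed from the Hetzner Cloud API
    if kind == "server":
        return {"type": "server", "server": {"id": value}}
    return {"type": "label_selector", "label_selector": {"selector": value}}

def _key(r):  # hashable identity of a resource object, for set-style diffing
    return (r["type"], r["server"]["id"] if r["type"] == "server" else r["label_selector"]["selector"])

def resolve_server_ids(api, names):
    """Names -> ids via GET /servers?name=..., refusing missing or ambiguous names."""
    ids = []
    for name in names:
        hits = api.get(f"{API}/servers", {"name": name})["servers"]
        if len(hits) != 1:
            raise ValueError(f"server {name!r}: expected exactly one match, got {len(hits)}")
        ids.append(hits[0]["id"])
    return ids

def plan_apply_to(current, label_selectors, server_ids):
    """Diff the firewall's current applied_to against the desired set -> (to_apply, to_remove)."""
    want = {_key(r): r for r in [_res("label_selector", s) for s in label_selectors]
            + [_res("server", i) for i in server_ids]}
    have = {_key(r): r for r in current}
    return ([r for k, r in want.items() if k not in have],
            [r for k, r in have.items() if k not in want])

def reconcile(api, fw_id, label_selectors, server_names):
    """Fetch, plan, then call the two action endpoints only when something must change."""
    fw = api.get(f"{API}/firewalls/{fw_id}", {})["firewall"]
    to_apply, to_remove = plan_apply_to(fw["applied_to"], label_selectors,
                                        resolve_server_ids(api, server_names))
    if to_apply:
        api.post(f"{API}/firewalls/{fw_id}/actions/apply_to_resources", {"apply_to": to_apply})
    if to_remove:
        api.post(f"{API}/firewalls/{fw_id}/actions/remove_from_resources", {"remove_from": to_remove})
    return to_apply, to_remove

class StubAPI:
    """Constructed offline stand-in for the HTTP client; records the POSTed actions."""
    def __init__(self):
        self.posts = []
    def get(self, url, params):
        if url.endswith("/servers"):  # only my-server-name (id 7) exists in this stub
            return {"servers": [{"id": 7}] if params["name"] == "my-server-name" else []}
        return {"firewall": {"applied_to": [_res("server", 3), _res("label_selector", "k")]}}
    def post(self, url, body):
        self.posts.append((url.rsplit("/", 1)[1], body))
```

With the stub, `reconcile(StubAPI(), 1, ["k"], ["my-server-name"])` applies server 7 and removes server 3 while leaving the already-applied selector `k` untouched, which is the idempotent behaviour an Ansible module needs.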
I would love that feature. It was obvious to me that it was already implemented (as there is a similar feature in hetzner.hcloud.hcloud_load_balancer_target)
+1 on this. Was happy that the load balancers can do this, but it would be great if we wouldn't have to "resort" to custom scripting for this.
The documentation is a bit misleading and I think the situation is even simpler. The server module does not take a list of firewalls, but instead takes a list of firewall names when creating the servers. This works:
```yaml
- name: create worker servers
  hcloud_server:
    api_token: "{{ hcloud_token }}"
    name: "worker-{{ item }}"
    server_type: "{{ swarmsible_hetzner_worker_server_type }}"
    image: "{{ swarmsible_hetzner_server_image }}"
    location: "{{ swarmsible_hetzner_server_location }}"
    ssh_keys:
      - "{{ swarmsible_swarmsible_hetzner_ansible_root_ssh_key_name }}"
    labels:
      swarm_role: "worker"
    firewalls:
      - "swarm-servers"
    state: present
  register: worker_servers
  # hack. condition on block against this though
  with_sequence: start=1 end={{ swarmsible_hetzner_worker_count if swarmsible_hetzner_worker_count | int > 0 else 1 }}
```
So for automation purposes this is fine; the documentation is actually misleading here: https://docs.ansible.com/ansible/latest/collections/hetzner/hcloud/hcloud_server_module.html#parameter-firewalls
Support for apply_to via labels would be neat though.
To be able to support firewall for servers created by a kubernetes cluster via cluster autoscaling, this would be neat! +1
This would be extremely beneficial to attach new firewalls to servers that have already been created +1
This issue has been marked as stale because it has not had recent activity. The bot will close the issue if no further action occurs.
Please don't close this issue. This feature would still be nice.
@fabrykowski Have a look at the draft PR that jooola is working on: https://github.com/ansible-collections/hetzner.hcloud/pull/324
I'd also need this for a client, we currently have to work around the issue by directly utilizing the API.
@jooola I've looked through the PR and it seems to be finished? What is missing on your part?
I am not happy with my current implementation, I have a reworked implementation locally that needs some testing. I'll try to work on this today.
The PR https://github.com/ansible-collections/hetzner.hcloud/pull/324 is almost complete, feel free to try it out! Any feedback is really appreciated!