From 7ebeac3093408e7de7f9fafca74bad99a748c0d2 Mon Sep 17 00:00:00 2001 From: B Pearson Date: Thu, 19 Oct 2023 00:04:28 -0400 Subject: [PATCH 01/12] testing more module --- cloudflare/firewall/main.tf | 68 ++++++++++++++++++++++++ cloudflare/firewall/provider.tf | 14 +++++ cloudflare/firewall/variables.tf | 20 +++++++ cloudflare/mail_server/main.tf | 51 +----------------- cloudflare/mail_server_secondary/main.tf | 2 + 5 files changed, 106 insertions(+), 49 deletions(-) create mode 100644 cloudflare/firewall/main.tf create mode 100644 cloudflare/firewall/provider.tf create mode 100644 cloudflare/firewall/variables.tf diff --git a/cloudflare/firewall/main.tf b/cloudflare/firewall/main.tf new file mode 100644 index 0000000..7cd0edc --- /dev/null +++ b/cloudflare/firewall/main.tf 
@@ -0,0 +1,68 @@
+#
+## Email
+#
+resource "cloudflare_email_routing_catch_all" "example" {
+ zone_id = var.zone_id
+ name = "email catch all"
+ enabled = true
+
+ matcher {
+ type = "all"
+ }
+
+ action {
+ type = "forward"
+ value = ["bwp.pearson@gmail.com"]
+ }
+}
+
+#
+## Block non US CA AU countries
+#
+
+resource "cloudflare_filter" "countries" {
+ zone_id = var.zone_id
+ description = "Expression to block all countries except US, CA and AU"
+ expression = "(ip.geoip.country ne \"US\" and ip.geoip.country ne \"CA\" and ip.geoip.country ne \"AU\")"
+}
+
+resource "cloudflare_firewall_rule" "countries" {
+ zone_id = var.zone_id
+ description = "Firewall rule to block all countries except US, CA and AU"
+ filter_id = cloudflare_filter.countries.id
+ action = "block"
+}
+
+#
+## Bots
+#
+
+resource "cloudflare_filter" "bots" {
+ zone_id = var.zone_id
+ description = "Expression to block bots determined by CF"
+ expression = "(cf.client.bot)"
+}
+
+resource "cloudflare_firewall_rule" "bots" {
+ zone_id = var.zone_id
+ description = "Firewall rule to block bots determined by CF"
+ filter_id = cloudflare_filter.bots.id
+ action = "block"
+}
+
+#
+## Block threats greater than Medium
+#
+
+resource "cloudflare_filter" "threats" {
+ zone_id = var.zone_id
+ description = "Expression to block medium threats"
+ expression = "(cf.threat_score gt 14)"
+}
+
+resource "cloudflare_firewall_rule" "threats" {
+ zone_id = var.zone_id
+ description = "Firewall rule to block medium threats"
+ filter_id = cloudflare_filter.threats.id
+ action = "block"
+}
diff --git a/cloudflare/firewall/provider.tf b/cloudflare/firewall/provider.tf
new file mode 100644
index 0000000..bf769f2
--- /dev/null
+++ b/cloudflare/firewall/provider.tf
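Review bot: The catch-all forward target `value = ["bwp.pearson@gmail.com"]` is hard-coded inside a module that is meant to be reused by several zones, so the personal address ships with every caller and cannot differ per zone; declare it as an input (`variable "catch_all_forward_to" { type = list(string) }`) and pass it from the root module. The `bots` filter's expression `(cf.client.bot)` matches Cloudflare's known-good-bot flag, so with `action = "block"` it also blocks search-engine and uptime-monitoring crawlers; if that is intended, a comment above the resource saying so (`# deliberately blocks verified bots as well`) would stop the next reader from "fixing" it. `cloudflare_filter` and `cloudflare_firewall_rule` are, as far as I recall, marked deprecated in the 4.x provider in favour of `cloudflare_ruleset`; worth checking the docs for the pinned 4.11.0 before building a new module on them.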
@@ -0,0 +1,14 @@
+# Configure the Cloudflare provider.
+# You may optionally use version directive to prevent breaking changes occurring unannounced.
+terraform {
+ required_providers {
+ cloudflare = {
+ source = "cloudflare/cloudflare"
+ version = "4.11.0"
+ }
+ namecheap = {
+ source = "namecheap/namecheap"
+ version = ">= 2.0.0"
+ }
+ }
+}
diff --git a/cloudflare/firewall/variables.tf b/cloudflare/firewall/variables.tf
new file mode 100644
index 0000000..db41434
--- /dev/null
+++ b/cloudflare/firewall/variables.tf
@@ -0,0 +1,20 @@
+variable "zone_id" {
+ type = string
+ default = null
+}
+
+variable "account_id" {
+ type = string
+ default = null
+}
+
+variable "name" {
+ type = string
+ default = null
+
+}
+
+variable "tld" {
+ type = string
+ default = ".com"
+}
diff --git a/cloudflare/mail_server/main.tf b/cloudflare/mail_server/main.tf
index 95913b0..9c4ab86 100644
--- a/cloudflare/mail_server/main.tf
+++ b/cloudflare/mail_server/main.tf
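Review bot: `required_providers` in the new module declares a `namecheap` provider although nothing in `cloudflare/firewall/main.tf` uses it, so every caller must be able to resolve `namecheap/namecheap` just to use the firewall module; drop the `namecheap` block and keep only `cloudflare`. The two constraints are also inconsistent: `cloudflare` is pinned exactly to `4.11.0` while `namecheap` accepts anything `>= 2.0.0` with no upper bound, which lets a future major release change behaviour without any edit to this repository; a bounded constraint such as `version = "~> 4.11"` plus the dependency lock file is the usual middle ground. A child module normally declares only the providers it uses and leaves the version pins to the root module.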
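Review bot: `variable "zone_id"` defaults to `null`, which makes the only input the module actually uses optional: a caller that omits it (as `module "firewall"` in `cloudflare/mail_server/main.tf` does in this same patch) gets the error on each resource inside the module rather than at the call site. Remove the default so Terraform rejects the omission where the module is called, and give it a `description`. `account_id`, `name` and `tld` are declared but not referenced anywhere in the module's `main.tf` in this patch; unused inputs look like a copy from another module and should be deleted until something reads them.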
@@ -51,53 +51,6 @@ resource "cloudflare_record" "txt" { value = "v=spf1 include:_spf.mx.cloudflare.net ~all" } -# -## Block non US CA AU countries -# - -resource "cloudflare_filter" "countries" { - zone_id = var.zone_id - description = "Expression to block all countries except US, CA and AU" - expression = "(ip.geoip.country ne \"US\" and ip.geoip.country ne \"CA\" and ip.geoip.country ne \"AU\")" -} - -resource "cloudflare_firewall_rule" "countries" { - zone_id = var.zone_id - description = "Firewall rule to block all countries except US, CA and AU" - filter_id = cloudflare_filter.countries.id - action = "block" -} - -# -## Bots -# - -resource "cloudflare_filter" "bots" { - zone_id = var.zone_id - description = "Expression to block bots determined by CF" - expression = "(cf.client.bot)" -} - -resource "cloudflare_firewall_rule" "bots" { - zone_id = var.zone_id - description = "Firewall rule to block bots determined by CF" - filter_id = cloudflare_filter.bots.id - action = "block" -} - -# -## Block threats greater than Medium -# - -resource "cloudflare_filter" "threats" { - zone_id = var.zone_id - description = "Expression to block medium threats" - expression = "(cf.threat_score gt 14)" -} - -resource "cloudflare_firewall_rule" "threats" { - zone_id = var.zone_id - description = "Firewall rule to block medium threats" - filter_id = cloudflare_filter.threats.id - action = "block" +module "firewall" { + source = "./firewall" } diff --git a/cloudflare/mail_server_secondary/main.tf b/cloudflare/mail_server_secondary/main.tf index afba1f3..b216163 100644 --- a/cloudflare/mail_server_secondary/main.tf +++ b/cloudflare/mail_server_secondary/main.tf @@ -43,6 +43,8 @@ resource "cloudflare_record" "mx85" { priority = "85" } +module "" + resource "cloudflare_record" "txt" { allow_overwrite = true zone_id = var.zone_id From 782836053d16b948a1a40d0577481062ca1adb42 Mon Sep 17 00:00:00 2001 
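Review bot: Moving the three filter/rule pairs out of this root into `module "firewall"` changes their state addresses (`cloudflare_firewall_rule.countries` becomes `module.firewall.cloudflare_firewall_rule.countries`), so the next apply destroys the zone's blocking rules and creates new ones rather than keeping them, which may leave a window with no country, bot or threat-score blocking on the zone; add a `moved` block per filter and per rule (`from` the old address, `to` the module address) so Terraform re-addresses them in state instead. The new call passes no `zone_id`, so the module's `var.zone_id` stays at its `null` default, and `source = "./firewall"` resolves relative to this directory, where no `firewall/` exists (patches 05 and 07 correct both). The same state-move concern applies to the `cloudflare/mail_server_secondary/main.tf` hunk in patch 06.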
From: B Pearson Date: Thu, 19 Oct 2023 00:08:00 -0400 Subject: [PATCH 02/12] always yag --- .github/workflows/tags.yaml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/tags.yaml b/.github/workflows/tags.yaml index a192d76..67165e1 100644 --- a/.github/workflows/tags.yaml +++ b/.github/workflows/tags.yaml @@ -3,7 +3,7 @@ name: Create New Tag on: push: branches: - - 'main' + - '*' jobs: create-tag: @@ -15,7 +15,12 @@ jobs: - name: Set tag version id: set_version - run: echo "::set-output name=tag::v$(date +'%Y%m%d%H%M%S')" + run: | + if [ "${GITHUB_REF##*/}" == "main" ]; then + echo "::set-output name=tag::$(date +'%Y%m%d%H%M%S')" + else + echo "::set-output name=tag::rc:$(date +'%Y%m%d%H%M%S')" + fi - name: Create Git Tag run: git tag ${{ steps.set_version.outputs.tag }} From c39828dc89fc5f2776fdb1b51b76210d3a6d05a0 Mon Sep 17 00:00:00 2001 From: B Pearson Date: Thu, 19 Oct 2023 00:11:10 -0400 Subject: [PATCH 03/12] cleanup --- .github/workflows/tags.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tags.yaml b/.github/workflows/tags.yaml index 67165e1..cc0db93 100644 --- a/.github/workflows/tags.yaml +++ b/.github/workflows/tags.yaml @@ -19,7 +19,7 @@ jobs: if [ "${GITHUB_REF##*/}" == "main" ]; then echo "::set-output name=tag::$(date +'%Y%m%d%H%M%S')" else - echo "::set-output name=tag::rc:$(date +'%Y%m%d%H%M%S')" + echo "::set-output name=tag::rc$(date +'%Y%m%d%H%M%S')" fi - name: Create Git Tag From b5a5584373b0d156c11e18a845d2b2498353109d Mon Sep 17 00:00:00 2001 From: B Pearson Date: Thu, 19 Oct 2023 00:12:44 -0400 Subject: [PATCH 04/12] more cleanu --- cloudflare/mail_server_secondary/main.tf | 2 -- 1 file changed, 2 deletions(-) diff --git a/cloudflare/mail_server_secondary/main.tf b/cloudflare/mail_server_secondary/main.tf index b216163..afba1f3 100644 --- a/cloudflare/mail_server_secondary/main.tf +++ b/cloudflare/mail_server_secondary/main.tf 
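Review bot: Changing the trigger to `branches: - '*'` makes every push on every branch run a job that creates a git tag, so any contributor branch (and, after patch 08, every Renovate branch) mints a tag in the shared ref namespace that consumers may pin to; keep tag creation restricted to `main` (or a protected release flow) and let other branches at most compute a version without tagging. Note also that `'*'` does not match branch names containing `/` in GitHub's filter syntax (`'**'` does), so the wildcard is narrower than it looks.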
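Review bot: `${GITHUB_REF##*/}` keeps only the text after the last `/`, so a branch named `release/main` or `foo/main` is treated as `main` and receives a non-rc tag; compare the full ref instead, `if [ "$GITHUB_REF" = "refs/heads/main" ]; then`, or use `$GITHUB_REF_NAME`. The rc branch writes `rc:<timestamp>`, and `:` is not a legal character in a git ref name, so `git tag` in the next step fails for every non-main push (patch 03 drops the colon). `::set-output` has been deprecated by GitHub in favour of appending `tag=…` to `$GITHUB_OUTPUT`; since the step is being rewritten anyway, switching now avoids a second edit later.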
@@ -43,8 +43,6 @@ resource "cloudflare_record" "mx85" { priority = "85" } -module "" - resource "cloudflare_record" "txt" { allow_overwrite = true zone_id = var.zone_id From e85b31de22e916beae546a40667ee1a4c0ddd332 Mon Sep 17 00:00:00 2001 From: B Pearson Date: Thu, 19 Oct 2023 00:23:53 -0400 Subject: [PATCH 05/12] update --- cloudflare/mail_server/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloudflare/mail_server/main.tf b/cloudflare/mail_server/main.tf index 9c4ab86..1a2f50e 100644 --- a/cloudflare/mail_server/main.tf +++ b/cloudflare/mail_server/main.tf @@ -52,5 +52,5 @@ resource "cloudflare_record" "txt" { } module "firewall" { - source = "./firewall" + source = "../firewall" } From fcfd2697239b0483a4a8707dcc7f547ab438b04d Mon Sep 17 00:00:00 2001 From: B Pearson Date: Thu, 19 Oct 2023 00:38:45 -0400 Subject: [PATCH 06/12] couple adjustments --- cloudflare/firewall/main.tf | 2 +- cloudflare/mail_server_secondary/main.tf | 75 +----------------------- 2 files changed, 3 insertions(+), 74 deletions(-) diff --git a/cloudflare/firewall/main.tf b/cloudflare/firewall/main.tf index 7cd0edc..2fabf21 100644 --- a/cloudflare/firewall/main.tf +++ b/cloudflare/firewall/main.tf @@ -1,7 +1,7 @@ # ## Email # -resource "cloudflare_email_routing_catch_all" "example" { +resource "cloudflare_email_routing_catch_all" "forward" { zone_id = var.zone_id name = "email catch all" enabled = true diff --git a/cloudflare/mail_server_secondary/main.tf b/cloudflare/mail_server_secondary/main.tf index afba1f3..45d06ae 100644 --- a/cloudflare/mail_server_secondary/main.tf +++ b/cloudflare/mail_server_secondary/main.tf @@ -1,21 +1,6 @@ # ## Email # -resource "cloudflare_email_routing_catch_all" "catch_all" { - zone_id = var.zone_id - name = "email catch all" - enabled = true - - matcher { - type = "all" - } - - action { - type = "forward" - value = ["bwp.pearson@gmail.com"] - } -} - resource "cloudflare_record" "mx77" { allow_overwrite = true zone_id = var.zone_id 
@@ -42,62 +27,6 @@ resource "cloudflare_record" "mx85" { value = "route3.mx.cloudflare.net" priority = "85" } - -resource "cloudflare_record" "txt" { - allow_overwrite = true - zone_id = var.zone_id - name = "@" - type = "TXT" - value = "v=spf1 include:_spf.mx.cloudflare.net ~all" -} - -# -## Block non US CA AU countries -# - -resource "cloudflare_filter" "countries" { - zone_id = var.zone_id - description = "Expression to block all countries except US, CA and AU" - expression = "(ip.geoip.country ne \"US\" and ip.geoip.country ne \"CA\" and ip.geoip.country ne \"AU\")" -} - -resource "cloudflare_firewall_rule" "countries" { - zone_id = var.zone_id - description = "Firewall rule to block all countries except US, CA and AU" - filter_id = cloudflare_filter.countries.id - action = "block" -} - -# -## Bots -# - -resource "cloudflare_filter" "bots" { - zone_id = var.zone_id - description = "Expression to block bots determined by CF" - expression = "(cf.client.bot)" -} - -resource "cloudflare_firewall_rule" "bots" { - zone_id = var.zone_id - description = "Firewall rule to block bots determined by CF" - filter_id = cloudflare_filter.bots.id - action = "block" -} - -# -## Block threats greater than Medium -# - -resource "cloudflare_filter" "threats" { - zone_id = var.zone_id - description = "Expression to block medium threats" - expression = "(cf.threat_score gt 14)" -} - -resource "cloudflare_firewall_rule" "threats" { - zone_id = var.zone_id - description = "Firewall rule to block medium threats" - filter_id = cloudflare_filter.threats.id - action = "block" +module "firewall" { + source = "../firewall" } From 47772e8438994b1ea152cdfc4a2d47a57801c374 Mon Sep 17 00:00:00 2001 From: B Pearson Date: Thu, 19 Oct 2023 15:38:26 -0400 Subject: [PATCH 07/12] another update and test --- cloudflare/mail_server/main.tf | 18 ++---------------- cloudflare/mail_server_secondary/main.tf | 3 ++- 2 files changed, 4 insertions(+), 17 deletions(-) 
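Review bot: The deleted range includes `resource "cloudflare_record" "txt"` carrying the zone's SPF policy (`v=spf1 include:_spf.mx.cloudflare.net ~all`), but the `firewall` module this hunk switches to (its `main.tf` is in patch 01) only contains the email catch-all and the filter/rule pairs, so after apply the secondary zone publishes no SPF record and receivers lose the ability to reject mail forged from that domain. Keep the TXT record in this root, as the `cloudflare/mail_server/main.tf` hunk in patch 01 does for the primary zone, or move SPF into the module if it is meant to be shared.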
diff --git a/cloudflare/mail_server/main.tf b/cloudflare/mail_server/main.tf index 1a2f50e..575d0ec 100644 --- a/cloudflare/mail_server/main.tf +++ b/cloudflare/mail_server/main.tf @@ -1,21 +1,6 @@ # ## Email # -resource "cloudflare_email_routing_catch_all" "example" { - zone_id = var.zone_id - name = "email catch all" - enabled = true - - matcher { - type = "all" - } - - action { - type = "forward" - value = ["bwp.pearson@gmail.com"] - } -} - resource "cloudflare_record" "mx0" { allow_overwrite = true zone_id = var.zone_id @@ -52,5 +37,6 @@ resource "cloudflare_record" "txt" { } module "firewall" { - source = "../firewall" + source = "../firewall" + zone_id = var.zone_id } diff --git a/cloudflare/mail_server_secondary/main.tf b/cloudflare/mail_server_secondary/main.tf index 45d06ae..0b60a42 100644 --- a/cloudflare/mail_server_secondary/main.tf +++ b/cloudflare/mail_server_secondary/main.tf @@ -28,5 +28,6 @@ resource "cloudflare_record" "mx85" { priority = "85" } module "firewall" { - source = "../firewall" + source = "../firewall" + zone_id = var.zone_id } From 4c91c6a0dff773848bd4629e492398fc55259444 Mon Sep 17 00:00:00 2001 From: B Pearson Date: Fri, 27 Oct 2023 16:55:01 -0400 Subject: [PATCH 08/12] update --- renovate.json | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/renovate.json b/renovate.json index f45d8f1..8c0f687 100644 --- a/renovate.json +++ b/renovate.json @@ -1,5 +1,9 @@ { - "extends": [ - "config:base" + "packageRules": [ + { + "matchUpdateTypes": ["minor", "patch"], + "matchCurrentVersion": "!/^0/", + "automerge": true + } ] } From ed8ae9c3ed5e38a5b513872d1955bfd4a8f17e7b Mon Sep 17 00:00:00 2001 From: B Pearson Date: Fri, 27 Oct 2023 16:59:34 -0400 Subject: [PATCH 09/12] bump --- .github/workflows/tags.yaml | 7 +++++-- VERSION.txt | 1 + 2 files changed, 6 insertions(+), 2 deletions(-) create mode 100644 VERSION.txt diff --git a/.github/workflows/tags.yaml b/.github/workflows/tags.yaml index cc0db93..c70fc55 100644 
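Review bot: `automerge: true` for minor and patch updates is added while `extends: ["config:base"]` is removed, so Renovate now merges provider and action bumps into the branch the tag workflow watches with none of the preset's defaults and, as far as this repository shows, no validation step (`tags.yaml` only creates a tag; there is no `terraform validate` or `plan` job), which makes an automatic `cloudflare/cloudflare` bump a direct, unreviewed path into the zone configuration. Keep an `extends` entry (`config:recommended` is the current name of the preset), gate automerge on required status checks backed by at least a `terraform validate` job, and scope it with `matchManagers`/`matchPackageNames` to dependencies where a silent bump is acceptable.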
--- a/.github/workflows/tags.yaml +++ b/.github/workflows/tags.yaml @@ -17,9 +17,12 @@ jobs: id: set_version run: | if [ "${GITHUB_REF##*/}" == "main" ]; then - echo "::set-output name=tag::$(date +'%Y%m%d%H%M%S')" + #echo "::set-output name=tag::$(date +'%Y%m%d%H%M%S')" + echo "::set-output name=tag::$(cat VERION.txt')" + else - echo "::set-output name=tag::rc$(date +'%Y%m%d%H%M%S')" + # echo "::set-output name=tag::rc$(date +'%Y%m%d%H%M%S')" + echo "::set-output name=tag::rc$(cat VERION.txt')$short_sha" fi - name: Create Git Tag diff --git a/VERSION.txt b/VERSION.txt new file mode 100644 index 0000000..3eefcb9 --- /dev/null +++ b/VERSION.txt @@ -0,0 +1 @@ +1.0.0 From fb6169f3dac2a4789612ff35f180fda7a0b1952d Mon Sep 17 00:00:00 2001 From: B Pearson Date: Fri, 27 Oct 2023 17:01:15 -0400 Subject: [PATCH 10/12] bump --- .github/workflows/tags.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tags.yaml b/.github/workflows/tags.yaml index c70fc55..69bd052 100644 --- a/.github/workflows/tags.yaml +++ b/.github/workflows/tags.yaml @@ -22,7 +22,7 @@ jobs: else # echo "::set-output name=tag::rc$(date +'%Y%m%d%H%M%S')" - echo "::set-output name=tag::rc$(cat VERION.txt')$short_sha" + echo "::set-output name=tag::rc$(cat VERION.txt')${SHORT_SHA}" fi - name: Create Git Tag From 00ace6f4dfcbbd7d91a307da5c2d9f12d968c25f Mon Sep 17 00:00:00 2001 From: B Pearson Date: Fri, 27 Oct 2023 17:08:47 -0400 Subject: [PATCH 11/12] bump --- .github/workflows/tags.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/tags.yaml b/.github/workflows/tags.yaml index 69bd052..b9f2d65 100644 --- a/.github/workflows/tags.yaml +++ b/.github/workflows/tags.yaml 
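Review bot: Both new `echo` lines contain `$(cat VERION.txt')`, where the `'` opens a single-quoted string inside the command substitution that is never closed, so bash rejects the whole `run` script as unterminated and the step produces no tag at all; the intended text is `$(cat VERSION.txt)` (the file name is misspelled too, corrected in patch 11, while the stray quote survives through patch 12, which only moves it). `$short_sha` (`${SHORT_SHA}` after patch 10) is not set by anything visible in the workflow, so the rc tag would be just `rc1.0.0` unless an earlier step exports it; the `set_version` step begins before this hunk, so that is where it would have to come from. Once the version comes from `VERSION.txt`, every push to `main` tries to create the same tag `1.0.0`, and `git tag` refuses to overwrite an existing tag, so the job fails on the second push; failing is the safer outcome than moving a tag, but make it explicit by skipping creation when the tag already exists.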
@@ -18,11 +18,10 @@ jobs: run: | if [ "${GITHUB_REF##*/}" == "main" ]; then #echo "::set-output name=tag::$(date +'%Y%m%d%H%M%S')" - echo "::set-output name=tag::$(cat VERION.txt')" - + echo "::set-output name=tag::$(cat VERSION.txt')" else # echo "::set-output name=tag::rc$(date +'%Y%m%d%H%M%S')" - echo "::set-output name=tag::rc$(cat VERION.txt')${SHORT_SHA}" + echo "::set-output name=tag::rc$(cat VERSION.txt')${SHORT_SHA}" fi - name: Create Git Tag From b99600407521e3ca9d39bb9510c6a6e2596e821f Mon Sep 17 00:00:00 2001 From: B Pearson Date: Fri, 27 Oct 2023 20:50:09 -0400 Subject: [PATCH 12/12] test --- .github/workflows/tags.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tags.yaml b/.github/workflows/tags.yaml index b9f2d65..e3bedb4 100644 --- a/.github/workflows/tags.yaml +++ b/.github/workflows/tags.yaml @@ -21,7 +21,7 @@ jobs: echo "::set-output name=tag::$(cat VERSION.txt')" else # echo "::set-output name=tag::rc$(date +'%Y%m%d%H%M%S')" - echo "::set-output name=tag::rc$(cat VERSION.txt')${SHORT_SHA}" + echo "::set-output name=tag::rc$(cat VERSION.txt${SHORT_SHA})'" fi - name: Create Git Tag