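import * as pulumi from "@pulumi/pulumi";

// NOTE(review): the generic type arguments on `pulumi.Input` / `pulumi.Output`
// were missing in this listing (e.g. `pulumi.Input[]>`), which does not parse.
// They are restored below from the property descriptions (numeric IDs, string
// label selectors) -- confirm against the published SDK typings.

/**
 * Attaches resources to a Hetzner Cloud Firewall.
 *
 * _Note_: only one `hcloud.FirewallAttachment` per Firewall is allowed.
 * Any resources that should be attached to that Firewall need to be
 * specified in that `hcloud.FirewallAttachment`.
 *
 * ## Example Usage
 *
 * ### Attach Servers
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as hcloud from "@pulumi/hcloud";
 *
 * const testServer = new hcloud.Server("test_server", {
 *     name: "test-server",
 *     serverType: "cx23",
 *     image: "ubuntu-24.04",
 * });
 * const basicFirewall = new hcloud.Firewall("basic_firewall", {name: "basic_firewall"});
 * const fwRef = new hcloud.FirewallAttachment("fw_ref", {
 *     firewallId: basicFirewall.id,
 *     serverIds: [testServer.id],
 * });
 * ```
 *
 * ### Attach Label Selectors
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as hcloud from "@pulumi/hcloud";
 *
 * const testServer = new hcloud.Server("test_server", {
 *     name: "test-server",
 *     serverType: "cx23",
 *     image: "ubuntu-24.04",
 *     labels: {
 *         "firewall-attachment": "test-server",
 *     },
 * });
 * const basicFirewall = new hcloud.Firewall("basic_firewall", {name: "basic_firewall"});
 * const fwRef = new hcloud.FirewallAttachment("fw_ref", {
 *     firewallId: basicFirewall.id,
 *     labelSelectors: ["firewall-attachment=test-server"],
 * });
 * ```
 *
 * ### Ensure a server is attached to a Firewall on first boot
 *
 * The `firewallIds` property of the `hcloud.Server` resource ensures that
 * a server is attached to the specified Firewalls before its first boot.
 * This is **not** the case when using the `hcloud.FirewallAttachment`
 * resource to attach servers to a Firewall: the attachment references the
 * server's ID, so the server is created first and attached afterwards, and
 * it can boot without the Firewall applied. In some scenarios this may
 * pose a security risk, for example when the image starts network services
 * on first boot.
 *
 * The following workaround ensures that a server is attached to a Firewall
 * _before_ it first boots. However, the workaround requires two Firewalls.
 * Additionally the server resource definition needs to ignore any remote
 * changes to the `hcloud_server.firewall_ids` property. This is done using
 * the `ignoreRemoteFirewallIds` property of `hcloud.Server`.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as hcloud from "@pulumi/hcloud";
 * import * as std from "@pulumi/std";
 *
 * const denyAll = new hcloud.Firewall("deny_all", {name: "deny_all"});
 * const testServer = new hcloud.Server("test_server", {
 *     name: "test-server",
 *     serverType: "cx23",
 *     image: "ubuntu-24.04",
 *     ignoreRemoteFirewallIds: true,
 *     firewallIds: [denyAll.id],
 * });
 * const allowRules = new hcloud.Firewall("allow_rules", {
 *     name: "allow_rules",
 *     rules: [{
 *         direction: "in",
 *         protocol: "tcp",
 *         port: "22",
 *         sourceIps: [
 *             "0.0.0.0/0",
 *             "::/0",
 *         ],
 *         destinationIps: [std.format({
 *             input: "%s/32",
 *             args: [testServer.ipv4Address],
 *         }).then(invoke => invoke.result)],
 *     }],
 * });
 * const denyAllAtt = new hcloud.FirewallAttachment("deny_all_att", {
 *     firewallId: denyAll.id,
 *     serverIds: [testServer.id],
 * });
 * const allowRulesAtt = new hcloud.FirewallAttachment("allow_rules_att", {
 *     firewallId: allowRules.id,
 *     serverIds: [testServer.id],
 * });
 * ```
 *
 * The `allow_rules` Firewall above accepts SSH (TCP port 22) from every IPv4
 * and IPv6 address (`0.0.0.0/0`, `::/0`). Narrow `sourceIps` to the networks
 * that actually need access before using it outside a test setup.
 *
 * ## Import
 *
 * Firewall Attachments can be imported using the `id` of the firewall:
 *
 * ```sh
 * $ pulumi import hcloud:index/firewallAttachment:FirewallAttachment example "$FIREWALL_ID"
 * ```
 */
export declare class FirewallAttachment extends pulumi.CustomResource {
    /**
     * Get an existing FirewallAttachment resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: FirewallAttachmentState, opts?: pulumi.CustomResourceOptions): FirewallAttachment;
    /**
     * Returns true if the given object is an instance of FirewallAttachment. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is FirewallAttachment;
    /**
     * ID of the firewall the resources
     * should be attached to.
     */
    readonly firewallId: pulumi.Output<number>;
    /**
     * List of label selectors used to
     * select resources to attach to the firewall.
     */
    readonly labelSelectors: pulumi.Output<string[] | undefined>;
    /**
     * List of Server IDs to attach to the
     * firewall.
     */
    readonly serverIds: pulumi.Output<number[] | undefined>;
    /**
     * Create a FirewallAttachment resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: FirewallAttachmentArgs, opts?: pulumi.CustomResourceOptions);
}

/**
 * Input properties used for looking up and filtering FirewallAttachment resources.
 */
export interface FirewallAttachmentState {
    /**
     * ID of the firewall the resources
     * should be attached to.
     */
    firewallId?: pulumi.Input<number>;
    /**
     * List of label selectors used to
     * select resources to attach to the firewall.
     */
    labelSelectors?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * List of Server IDs to attach to the
     * firewall.
     */
    serverIds?: pulumi.Input<pulumi.Input<number>[]>;
}

/**
 * The set of arguments for constructing a FirewallAttachment resource.
 */
export interface FirewallAttachmentArgs {
    /**
     * ID of the firewall the resources
     * should be attached to.
     */
    firewallId: pulumi.Input<number>;
    /**
     * List of label selectors used to
     * select resources to attach to the firewall.
     */
    labelSelectors?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * List of Server IDs to attach to the
     * firewall.
     */
    serverIds?: pulumi.Input<pulumi.Input<number>[]>;
}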