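# DigitalOcean Provider Resources
# Conditionally created when var.cloud_provider == "digitalocean"
#
# Resource layout (all gated on local.is_digitalocean):
#   digitalocean_firewall.agent - the only firewall; carries the SSH inbound
#                                 rule, the outbound rules AND the droplet
#                                 attachment (droplet_ids).
#   digitalocean_droplet.agent  - the server.
#
# Why a single firewall: DigitalOcean Cloud Firewalls drop any traffic that no
# rule explicitly allows, and a firewall only applies to droplets listed in its
# droplet_ids. Splitting "rules" and "attachment" into two firewalls with the
# same name left the droplet attached to a rule-less firewall (all inbound,
# including SSH, blocked) while the rule-bearing firewall protected nothing.
# The former digitalocean_firewall.agent_attachment resource is therefore folded
# into digitalocean_firewall.agent; anything that referenced
# digitalocean_firewall.agent_attachment[0] should reference
# digitalocean_firewall.agent[0] instead.

# =============================================================================
# FIREWALL (DigitalOcean calls this "Firewall")
# =============================================================================
resource "digitalocean_firewall" "agent" {
  count = local.is_digitalocean ? 1 : 0
  name  = "${var.server_name}-firewall"

  # Attach the droplet here so the rules and the attachment are one object.
  # NOTE(review): the droplet necessarily exists before this firewall is
  # created, so there is likely a brief unfiltered window at first boot -
  # nothing in this file shortens it.
  droplet_ids = [digitalocean_droplet.agent[0].id]

  # Inbound: SSH only. Anything not listed below is dropped.
  # NOTE(review): actual exposure depends on var.ssh_allowed_ips; a default of
  # ["0.0.0.0/0", "::/0"] would open SSH to the internet - confirm the
  # variable's default and validation where it is declared.
  inbound_rule {
    protocol         = "tcp"
    port_range       = tostring(var.ssh_port)
    source_addresses = var.ssh_allowed_ips
  }

  # Outbound: allow all (tcp/udp on every port, plus icmp). Deliberately
  # permissive; narrow destination_addresses if egress control is required.
  outbound_rule {
    protocol              = "tcp"
    port_range            = "1-65535"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "udp"
    port_range            = "1-65535"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }

  outbound_rule {
    protocol              = "icmp"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
}

# =============================================================================
# DROPLET (Server)
# =============================================================================
resource "digitalocean_droplet" "agent" {
  count  = local.is_digitalocean ? 1 : 0
  name   = var.server_name
  image  = "ubuntu-24-04-x64"
  size   = var.droplet_size_digitalocean
  region = var.region_digitalocean

  # SSH keys specified by fingerprint - DigitalOcean accepts fingerprints directly
  ssh_keys = var.ssh_key_fingerprints

  # Tags for organization
  tags = [
    var.project_name,
    var.environment,
    var.agent_framework
  ]

  # Cloud-init user data (local.userdata is defined elsewhere - not visible
  # here). NOTE(review): user data is readable from inside the droplet via the
  # instance metadata service and is persisted in Terraform state, so keep
  # secrets out of it.
  user_data = local.userdata
}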