diff --git a/contrib/terraform/gcp/README.md b/contrib/terraform/gcp/README.md
index c3e6eecd1..01e5299db 100644
--- a/contrib/terraform/gcp/README.md
+++ b/contrib/terraform/gcp/README.md
@@ -75,6 +75,11 @@ ansible-playbook -i contrib/terraform/gcs/inventory.ini cluster.yml -b -v
 * `api_server_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the API server
 * `nodeport_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the kubernetes nodes on port 30000-32767 (kubernetes nodeports)
 * `ingress_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to ingress on ports 80 and 443
+* `extra_ingress_firewalls`: Additional ingress firewall rules. Key will be used as the name of the rule
+ * `source_ranges`: List of IP ranges (CIDR). Example: `["8.8.8.8"]`
+ * `protocol`: Protocol. Example `"tcp"`
+ * `ports`: List of ports, as string. Example `["53"]`
+ * `target_tags`: List of target tag (either the machine name or `control-plane` or `worker`). Example: `["control-plane", "worker-0"]`
 
 ### Optional
 
diff --git a/contrib/terraform/gcp/main.tf b/contrib/terraform/gcp/main.tf
index a9083775b..b0b91f57b 100644
--- a/contrib/terraform/gcp/main.tf
+++ b/contrib/terraform/gcp/main.tf
@@ -34,4 +34,6 @@ module "kubernetes" {
 api_server_whitelist = var.api_server_whitelist
 nodeport_whitelist = var.nodeport_whitelist
 ingress_whitelist = var.ingress_whitelist
+
+ extra_ingress_firewalls = var.extra_ingress_firewalls
 }
diff --git a/contrib/terraform/gcp/modules/kubernetes-cluster/main.tf b/contrib/terraform/gcp/modules/kubernetes-cluster/main.tf
index 3ad64ca7e..a83b73bb2 100644
--- a/contrib/terraform/gcp/modules/kubernetes-cluster/main.tf
+++ b/contrib/terraform/gcp/modules/kubernetes-cluster/main.tf
@@ -219,7 +219,7 @@ resource "google_compute_instance" "master" {
 machine_type = each.value.size
 zone = each.value.zone
 
- tags = ["master"]
+ tags = ["control-plane", "master", each.key]
 
 boot_disk {
 initialize_params {
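Review bot: `+ tags = ["control-plane", "master", each.key]` makes every key of var.machines a GCE network tag, and GCE only accepts tags of 1–63 characters matching `[a-z]([-a-z0-9]*[a-z0-9])?`, so a machine key containing uppercase letters, underscores or dots will be rejected at apply time rather than at plan time; the worker hunk at @@ -325 has the same issue. Because tags are the selector firewall rules act on (the new extra_ingress_firewall resource targets them through target_tags, and the README now tells users the machine name is a valid target), the constraint is worth stating on the line: `# each.key becomes a GCE network tag (firewall target): keys of var.machines must be valid tag names`. A validation block on var.machines would enforce it at plan time. The google_compute_instance body continues outside the hunk.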
@@ -325,7 +325,7 @@ resource "google_compute_instance" "worker" {
 machine_type = each.value.size
 zone = each.value.zone
 
- tags = ["worker"]
+ tags = ["worker", each.key]
 
 boot_disk {
 initialize_params {
@@ -398,3 +398,24 @@ resource "google_compute_target_pool" "worker_lb" {
 name = "${var.prefix}-worker-lb-pool"
 instances = local.worker_target_list
 }
+
+resource "google_compute_firewall" "extra_ingress_firewall" {
+ for_each = {
+ for name, firewall in var.extra_ingress_firewalls :
+ name => firewall
+ }
+
+ name = "${var.prefix}-${each.key}-ingress"
+ network = google_compute_network.main.name
+
+ priority = 100
+
+ source_ranges = each.value.source_ranges
+
+ target_tags = each.value.target_tags
+
+ allow {
+ protocol = each.value.protocol
+ ports = each.value.ports
+ }
+}
diff --git a/contrib/terraform/gcp/modules/kubernetes-cluster/variables.tf b/contrib/terraform/gcp/modules/kubernetes-cluster/variables.tf
index 16e616ae9..bb8d23be0 100644
--- a/contrib/terraform/gcp/modules/kubernetes-cluster/variables.tf
+++ b/contrib/terraform/gcp/modules/kubernetes-cluster/variables.tf
@@ -14,7 +14,7 @@ variable "machines" {
 }))
 boot_disk = object({
 image_name = string
- size = number
+ size = number
 })
 }))
 }
@@ -73,3 +73,14 @@ variable "ingress_whitelist" {
 variable "private_network_cidr" {
 default = "10.0.10.0/24"
 }
+
+variable "extra_ingress_firewalls" {
+ type = map(object({
+ source_ranges = set(string)
+ protocol = string
+ ports = list(string)
+ target_tags = set(string)
+ }))
+
+ default = {}
+}
diff --git a/contrib/terraform/gcp/variables.tf b/contrib/terraform/gcp/variables.tf
index 3b7bd0069..3e960232a 100644
--- a/contrib/terraform/gcp/variables.tf
+++ b/contrib/terraform/gcp/variables.tf
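Review bot: `+ priority = 100` in the new extra_ingress_firewall resource hard-codes these user-supplied allow rules above GCE's default priority of 1000, so each of them outranks every rule in the network left at the default, including any deny rule the module or an operator may have added (none is visible in this diff). Either make the precedence a choice of the caller, e.g. an `optional(number, 1000)` attribute on the object type (Terraform 1.3+), or explain the decision on the line: `# 100 outranks the default priority of 1000, so extra rules win over any rule left at the default`. The `for_each` comprehension is an identity map over var.extra_ingress_firewalls and can simply be `for_each = var.extra_ingress_firewalls`. Setting `direction = "INGRESS"` explicitly would make the rule's scope match its name instead of relying on the provider default.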
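Review bot: The new `variable "extra_ingress_firewalls"` at @@ -73 has no `description` and no `validation`, although its keys are interpolated into a GCE resource name (`"${var.prefix}-${each.key}-ingress"` in the module's main.tf hunk above), and GCE resource names must match `[a-z]([-a-z0-9]*[a-z0-9])?` and stay within 63 characters; a bad key therefore only fails at apply time. The same applies to the duplicate declaration at @@ -95 in contrib/terraform/gcp/variables.tf. A description stating that the key becomes part of the firewall resource name, plus a validation block rejecting non-conforming keys, would move that failure to plan time; validation blocks presumably need Terraform 0.13 or later, which this module's use of for_each and object types suggests is already assumed.
```hcl
variable "extra_ingress_firewalls" {
  type = map(object({
    # … unchanged: source_ranges, protocol, ports, target_tags …
  }))

  description = "Extra ingress firewall rules keyed by a short name; the key becomes part of the google_compute_firewall resource name (<prefix>-<key>-ingress)."

  # Keys end up in a GCE resource name, which only allows [a-z]([-a-z0-9]*[a-z0-9])?; reject anything else at plan time.
  validation {
    condition     = length([for k in keys(var.extra_ingress_firewalls) : k if !can(regex("^[a-z]([-a-z0-9]*[a-z0-9])?$", k))]) == 0
    error_message = "Keys of extra_ingress_firewalls must consist of lowercase letters, digits and hyphens and start with a letter."
  }

  default = {}
}
```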
@@ -95,3 +95,14 @@ variable "ingress_whitelist" {
 type = list(string)
 default = ["0.0.0.0/0"]
 }
+
+variable "extra_ingress_firewalls" {
+ type = map(object({
+ source_ranges = set(string)
+ protocol = string
+ ports = list(string)
+ target_tags = set(string)
+ }))
+
+ default = {}
+}