contrib/terraform/gcp: allow extra ingress firewalls (#9658)

Signed-off-by: Mathieu Parent <math.parent@gmail.com>

Signed-off-by: Mathieu Parent <math.parent@gmail.com>
pull/9674/head
Mathieu Parent 2023-01-17 08:46:32 +01:00 committed by GitHub
parent 8a03bb1bb4
commit c80bb0007a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 53 additions and 3 deletions

View File

@ -75,6 +75,11 @@ ansible-playbook -i contrib/terraform/gcs/inventory.ini cluster.yml -b -v
* `api_server_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the API server * `api_server_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the API server
* `nodeport_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the kubernetes nodes on port 30000-32767 (kubernetes nodeports) * `nodeport_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the kubernetes nodes on port 30000-32767 (kubernetes nodeports)
* `ingress_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to ingress on ports 80 and 443 * `ingress_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to ingress on ports 80 and 443
* `extra_ingress_firewalls`: Additional ingress firewall rules. Key will be used as the name of the rule
* `source_ranges`: List of IP ranges (CIDR). Example: `["8.8.8.8"]`
* `protocol`: Protocol. Example `"tcp"`
* `ports`: List of ports, as string. Example `["53"]`
* `target_tags`: List of target tag (either the machine name or `control-plane` or `worker`). Example: `["control-plane", "worker-0"]`
### Optional ### Optional

View File

@ -34,4 +34,6 @@ module "kubernetes" {
api_server_whitelist = var.api_server_whitelist api_server_whitelist = var.api_server_whitelist
nodeport_whitelist = var.nodeport_whitelist nodeport_whitelist = var.nodeport_whitelist
ingress_whitelist = var.ingress_whitelist ingress_whitelist = var.ingress_whitelist
extra_ingress_firewalls = var.extra_ingress_firewalls
} }

View File

@ -219,7 +219,7 @@ resource "google_compute_instance" "master" {
machine_type = each.value.size machine_type = each.value.size
zone = each.value.zone zone = each.value.zone
tags = ["master"] tags = ["control-plane", "master", each.key]
boot_disk { boot_disk {
initialize_params { initialize_params {
@ -325,7 +325,7 @@ resource "google_compute_instance" "worker" {
machine_type = each.value.size machine_type = each.value.size
zone = each.value.zone zone = each.value.zone
tags = ["worker"] tags = ["worker", each.key]
boot_disk { boot_disk {
initialize_params { initialize_params {
@ -398,3 +398,24 @@ resource "google_compute_target_pool" "worker_lb" {
name = "${var.prefix}-worker-lb-pool" name = "${var.prefix}-worker-lb-pool"
instances = local.worker_target_list instances = local.worker_target_list
} }
resource "google_compute_firewall" "extra_ingress_firewall" {
for_each = {
for name, firewall in var.extra_ingress_firewalls :
name => firewall
}
name = "${var.prefix}-${each.key}-ingress"
network = google_compute_network.main.name
priority = 100
source_ranges = each.value.source_ranges
target_tags = each.value.target_tags
allow {
protocol = each.value.protocol
ports = each.value.ports
}
}

View File

@ -14,7 +14,7 @@ variable "machines" {
})) }))
boot_disk = object({ boot_disk = object({
image_name = string image_name = string
size = number size = number
}) })
})) }))
} }
@ -73,3 +73,14 @@ variable "ingress_whitelist" {
variable "private_network_cidr" { variable "private_network_cidr" {
default = "10.0.10.0/24" default = "10.0.10.0/24"
} }
variable "extra_ingress_firewalls" {
type = map(object({
source_ranges = set(string)
protocol = string
ports = list(string)
target_tags = set(string)
}))
default = {}
}

View File

@ -95,3 +95,14 @@ variable "ingress_whitelist" {
type = list(string) type = list(string)
default = ["0.0.0.0/0"] default = ["0.0.0.0/0"]
} }
variable "extra_ingress_firewalls" {
type = map(object({
source_ranges = set(string)
protocol = string
ports = list(string)
target_tags = set(string)
}))
default = {}
}