[upcloud] Fixed issue where DNS would be blocked while using allowlist (#9510)

* [upcloud] Fixed issue where DNS would be blocked while using allowlist * Missed one NTP rule

[upcloud] Fixed issue where DNS would be blocked while using allowlist (#9510)
07ad5ecf · Fredrik Liv · GitHub · 4db5e663 · 07ad5ecf
Unverified Commit 07ad5ecf authored 2 years ago by Fredrik Liv Committed by GitHub 2 years ago
--- a/contrib/terraform/upcloud/modules/kubernetes-cluster/main.tf
+++ b/contrib/terraform/upcloud/modules/kubernetes-cluster/main.tf
@@ -251,8 +251,8 @@ resource "upcloud_firewall_rules" "master" {
    content {
      action                 = "accept"
      comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
      direction              = "in"
      family                 = "IPv4"
      protocol               = firewall_rule.value
@@ -267,8 +267,8 @@ resource "upcloud_firewall_rules" "master" {
    content {
      action                 = "accept"
      comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
      direction              = "in"
      family                 = "IPv4"
      protocol               = firewall_rule.value
@@ -283,8 +283,8 @@ resource "upcloud_firewall_rules" "master" {
    content {
      action                 = "accept"
      comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
      direction              = "in"
      family                 = "IPv6"
      protocol               = firewall_rule.value
@@ -299,8 +299,8 @@ resource "upcloud_firewall_rules" "master" {
    content {
      action                 = "accept"
      comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
      direction              = "in"
      family                 = "IPv6"
      protocol               = firewall_rule.value
@@ -315,8 +315,8 @@ resource "upcloud_firewall_rules" "master" {
    content {
      action                 = "accept"
      comment                = "NTP Port"
-      destination_port_end   = "123"
-      destination_port_start = "123"
+      source_port_end        = "123"
+      source_port_start      = "123"
      direction              = "in"
      family                 = "IPv4"
      protocol               = firewall_rule.value
@@ -325,6 +325,20 @@ resource "upcloud_firewall_rules" "master" {
    }
  }

+  dynamic firewall_rule {
+    for_each = var.firewall_default_deny_in ? ["udp"] : []
+
+    content {
+      action                 = "accept"
+      comment                = "NTP Port"
+      source_port_end        = "123"
+      source_port_start      = "123"
+      direction              = "in"
+      family                 = "IPv6"
+      protocol               = firewall_rule.value
+    }
+  }
+
  firewall_rule {
    action    = var.firewall_default_deny_in ? "drop" : "accept"
    direction = "in"
@@ -394,8 +408,8 @@ resource "upcloud_firewall_rules" "k8s" {
    content {
      action                 = "accept"
      comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
      direction              = "in"
      family                 = "IPv4"
      protocol               = firewall_rule.value
@@ -410,8 +424,8 @@ resource "upcloud_firewall_rules" "k8s" {
    content {
      action                 = "accept"
      comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
      direction              = "in"
      family                 = "IPv4"
      protocol               = firewall_rule.value
@@ -426,8 +440,8 @@ resource "upcloud_firewall_rules" "k8s" {
    content {
      action                 = "accept"
      comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
      direction              = "in"
      family                 = "IPv6"
      protocol               = firewall_rule.value
@@ -442,8 +456,8 @@ resource "upcloud_firewall_rules" "k8s" {
    content {
      action                 = "accept"
      comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
      direction              = "in"
      family                 = "IPv6"
      protocol               = firewall_rule.value
@@ -458,8 +472,8 @@ resource "upcloud_firewall_rules" "k8s" {
    content {
      action                 = "accept"
      comment                = "NTP Port"
-      destination_port_end   = "123"
-      destination_port_start = "123"
+      source_port_end        = "123"
+      source_port_start      = "123"
      direction              = "in"
      family                 = "IPv4"
      protocol               = firewall_rule.value
@@ -468,6 +482,20 @@ resource "upcloud_firewall_rules" "k8s" {
    }
  }

+  dynamic firewall_rule {
+    for_each = var.firewall_default_deny_in ? ["udp"] : []
+
+    content {
+      action                 = "accept"
+      comment                = "NTP Port"
+      source_port_end        = "123"
+      source_port_start      = "123"
+      direction              = "in"
+      family                 = "IPv6"
+      protocol               = firewall_rule.value
+    }
+  }
+
  firewall_rule {
    action    = var.firewall_default_deny_in ? "drop" : "accept"
    direction = "in"