From 299a9ae7bae08c6c8bbb687e61fa0b6e9a6cedb2 Mon Sep 17 00:00:00 2001
From: Mathieu Parent <math.parent@gmail.com>
Date: Thu, 3 Mar 2022 01:52:46 +0100
Subject: [PATCH] terraform/gcp: Add ingress_whitelist (#8590)

Also, do not create unneeded resources (target pools are charged and should
only be created when needed).
---
 contrib/terraform/gcp/README.md               |  1 +
 contrib/terraform/gcp/main.tf                 |  1 +
 .../gcp/modules/kubernetes-cluster/main.tf    | 36 +++++++++++++++----
 .../gcp/modules/kubernetes-cluster/output.tf  |  4 +--
 .../modules/kubernetes-cluster/variables.tf   |  5 +++
 contrib/terraform/gcp/tfvars.json             |  3 ++
 contrib/terraform/gcp/variables.tf            |  5 +++
 7 files changed, 46 insertions(+), 9 deletions(-)

diff --git a/contrib/terraform/gcp/README.md b/contrib/terraform/gcp/README.md
index 3bf120e5a..c3e6eecd1 100644
--- a/contrib/terraform/gcp/README.md
+++ b/contrib/terraform/gcp/README.md
@@ -74,6 +74,7 @@ ansible-playbook -i contrib/terraform/gcs/inventory.ini cluster.yml -b -v
 * `ssh_whitelist`: List of IP ranges (CIDR) that will be allowed to ssh to the nodes
 * `api_server_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the API server
 * `nodeport_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the kubernetes nodes on port 30000-32767 (kubernetes nodeports)
+* `ingress_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to ingress on ports 80 and 443
 
 ### Optional
 
diff --git a/contrib/terraform/gcp/main.tf b/contrib/terraform/gcp/main.tf
index 94333e74c..a9083775b 100644
--- a/contrib/terraform/gcp/main.tf
+++ b/contrib/terraform/gcp/main.tf
@@ -33,4 +33,5 @@ module "kubernetes" {
   ssh_whitelist        = var.ssh_whitelist
   api_server_whitelist = var.api_server_whitelist
   nodeport_whitelist   = var.nodeport_whitelist
+  ingress_whitelist    = var.ingress_whitelist
 }
diff --git a/contrib/terraform/gcp/modules/kubernetes-cluster/main.tf b/contrib/terraform/gcp/modules/kubernetes-cluster/main.tf
index 1cea6eebf..3ad64ca7e 100644
--- a/contrib/terraform/gcp/modules/kubernetes-cluster/main.tf
+++ b/contrib/terraform/gcp/modules/kubernetes-cluster/main.tf
@@ -43,6 +43,8 @@ resource "google_compute_firewall" "allow_internal" {
 }
 
 resource "google_compute_firewall" "ssh" {
+  count = length(var.ssh_whitelist) > 0 ? 1 : 0
+
   name    = "${var.prefix}-ssh-firewall"
   network = google_compute_network.main.name
 
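Review bot: The gating expression `length(var.ssh_whitelist) > 0 ? 1 : 0` is repeated verbatim for every whitelist across this hunk and the api_server, nodeport, ingress_http, ingress_https, master_lb and worker_lb hunks below, and output.tf re-derives the same `length(...) > 0` test, so the rule "empty whitelist means the port is not exposed" is encoded in more than ten places that can drift apart. A `locals` block with one flag per whitelist, e.g. `ingress_enabled = length(var.ingress_whitelist) > 0`, and `count = local.ingress_enabled ? 1 : 0` on each resource would name the intent once and keep the firewall rule, the load balancer and the output condition in step. A comment above the first gated resource, such as `# An empty whitelist disables the exposure: no firewall rule (and, for the API server and ingress, no load balancer) is created.`, would help readers who only see one resource. The ssh resource body continues past the end of the hunk, so whether its `source_ranges` is also taken from `var.ssh_whitelist` is not visible here.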
@@ -57,6 +59,8 @@ resource "google_compute_firewall" "ssh" {
 }
 
 resource "google_compute_firewall" "api_server" {
+  count = length(var.api_server_whitelist) > 0 ? 1 : 0
+
   name    = "${var.prefix}-api-server-firewall"
   network = google_compute_network.main.name
 
@@ -71,6 +75,8 @@ resource "google_compute_firewall" "api_server" {
 }
 
 resource "google_compute_firewall" "nodeport" {
+  count = length(var.nodeport_whitelist) > 0 ? 1 : 0
+
   name    = "${var.prefix}-nodeport-firewall"
   network = google_compute_network.main.name
 
@@ -85,12 +91,14 @@ resource "google_compute_firewall" "nodeport" {
 }
 
 resource "google_compute_firewall" "ingress_http" {
+  count = length(var.ingress_whitelist) > 0 ? 1 : 0
+
   name    = "${var.prefix}-http-ingress-firewall"
   network = google_compute_network.main.name
 
   priority = 100
 
-  source_ranges = ["0.0.0.0/0"]
+  source_ranges = var.ingress_whitelist
 
   allow {
     protocol = "tcp"
@@ -99,12 +107,14 @@ resource "google_compute_firewall" "ingress_http" {
 }
 
 resource "google_compute_firewall" "ingress_https" {
+  count = length(var.ingress_whitelist) > 0 ? 1 : 0
+
   name    = "${var.prefix}-https-ingress-firewall"
   network = google_compute_network.main.name
 
   priority = 100
 
-  source_ranges = ["0.0.0.0/0"]
+  source_ranges = var.ingress_whitelist
 
   allow {
     protocol = "tcp"
@@ -247,14 +257,18 @@ resource "google_compute_instance" "master" {
 }
 
 resource "google_compute_forwarding_rule" "master_lb" {
+  count = length(var.api_server_whitelist) > 0 ? 1 : 0
+
   name = "${var.prefix}-master-lb-forward-rule"
 
   port_range = "6443"
 
-  target = google_compute_target_pool.master_lb.id
+  target = google_compute_target_pool.master_lb[count.index].id
 }
 
 resource "google_compute_target_pool" "master_lb" {
+  count = length(var.api_server_whitelist) > 0 ? 1 : 0
+
   name      = "${var.prefix}-master-lb-pool"
   instances = local.master_target_list
 }
@@ -349,30 +363,38 @@ resource "google_compute_instance" "worker" {
 }
 
 resource "google_compute_address" "worker_lb" {
+  count = length(var.ingress_whitelist) > 0 ? 1 : 0
+
   name         = "${var.prefix}-worker-lb-address"
   address_type = "EXTERNAL"
   region       = var.region
 }
 
 resource "google_compute_forwarding_rule" "worker_http_lb" {
+  count = length(var.ingress_whitelist) > 0 ? 1 : 0
+
   name = "${var.prefix}-worker-http-lb-forward-rule"
 
-  ip_address = google_compute_address.worker_lb.address
+  ip_address = google_compute_address.worker_lb[count.index].address
   port_range = "80"
 
-  target = google_compute_target_pool.worker_lb.id
+  target = google_compute_target_pool.worker_lb[count.index].id
 }
 
 resource "google_compute_forwarding_rule" "worker_https_lb" {
+  count = length(var.ingress_whitelist) > 0 ? 1 : 0
+
   name = "${var.prefix}-worker-https-lb-forward-rule"
 
-  ip_address = google_compute_address.worker_lb.address
+  ip_address = google_compute_address.worker_lb[count.index].address
   port_range = "443"
 
-  target = google_compute_target_pool.worker_lb.id
+  target = google_compute_target_pool.worker_lb[count.index].id
 }
 
 resource "google_compute_target_pool" "worker_lb" {
+  count = length(var.ingress_whitelist) > 0 ? 1 : 0
+
   name      = "${var.prefix}-worker-lb-pool"
   instances = local.worker_target_list
 }
diff --git a/contrib/terraform/gcp/modules/kubernetes-cluster/output.tf b/contrib/terraform/gcp/modules/kubernetes-cluster/output.tf
index 8e5b08016..d0ffaa93e 100644
--- a/contrib/terraform/gcp/modules/kubernetes-cluster/output.tf
+++ b/contrib/terraform/gcp/modules/kubernetes-cluster/output.tf
@@ -19,9 +19,9 @@ output "worker_ip_addresses" {
 }
 
 output "ingress_controller_lb_ip_address" {
-  value = google_compute_address.worker_lb.address
+  value = length(var.ingress_whitelist) > 0 ? google_compute_address.worker_lb.0.address : ""
 }
 
 output "control_plane_lb_ip_address" {
-  value = google_compute_forwarding_rule.master_lb.ip_address
+  value = length(var.api_server_whitelist) > 0 ? google_compute_forwarding_rule.master_lb.0.ip_address : ""
 }
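Review bot: `google_compute_address.worker_lb.0.address` and `google_compute_forwarding_rule.master_lb.0.ip_address` use the legacy dotted index form while the new main.tf code indexes the same resources with `[count.index]`; for consistency write `google_compute_address.worker_lb[0].address` and `google_compute_forwarding_rule.master_lb[0].ip_address`. The conditions also restate `length(var.ingress_whitelist) > 0` and `length(var.api_server_whitelist) > 0` instead of following the resources' own count, so an edit to one side can leave the output reading an instance that no longer exists. If the module's required Terraform version provides `one()`, `one(google_compute_address.worker_lb[*].address)` tracks the resource count directly and yields `null` rather than `""` when nothing was created, which callers can test more reliably than an empty string; that version constraint is not visible here.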
diff --git a/contrib/terraform/gcp/modules/kubernetes-cluster/variables.tf b/contrib/terraform/gcp/modules/kubernetes-cluster/variables.tf
index 2724f2b23..16e616ae9 100644
--- a/contrib/terraform/gcp/modules/kubernetes-cluster/variables.tf
+++ b/contrib/terraform/gcp/modules/kubernetes-cluster/variables.tf
@@ -65,6 +65,11 @@ variable "nodeport_whitelist" {
   type = list(string)
 }
 
+variable "ingress_whitelist" {
+  type = list(string)
+  default = ["0.0.0.0/0"]
+}
+
 variable "private_network_cidr" {
   default = "10.0.10.0/24"
 }
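Review bot: `ingress_whitelist` is the only whitelist that gets a default, and that default is `["0.0.0.0/0"]`, so a user who sets the ssh, API-server and nodeport lists but overlooks this one keeps ports 80 and 443 reachable from any address without any signal; the sibling `nodeport_whitelist` just above has no default and must be set explicitly, and the top-level variables.tf hunk repeats the same default. The default does preserve the previous hard-coded `source_ranges = ["0.0.0.0/0"]`, so it may be a deliberate compatibility choice, but then it should be visible: a comment on the variable such as `# Defaults to the whole Internet to keep the previous behaviour; narrow this for production clusters.`, and a README entry that states the default under the optional variables rather than in the list preceding `### Optional` where the hunk currently adds it. The sample tfvars.json also sets `0.0.0.0/0` where the other whitelists use `1.2.3.4/32`, and sample files tend to be copied unchanged.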
diff --git a/contrib/terraform/gcp/tfvars.json b/contrib/terraform/gcp/tfvars.json
index 06249d6d8..056b8fe80 100644
--- a/contrib/terraform/gcp/tfvars.json
+++ b/contrib/terraform/gcp/tfvars.json
@@ -16,6 +16,9 @@
   "nodeport_whitelist": [
     "1.2.3.4/32"
   ],
+  "ingress_whitelist": [
+    "0.0.0.0/0"
+  ],
 
   "machines": {
     "master-0": {
diff --git a/contrib/terraform/gcp/variables.tf b/contrib/terraform/gcp/variables.tf
index c2593d33b..3b7bd0069 100644
--- a/contrib/terraform/gcp/variables.tf
+++ b/contrib/terraform/gcp/variables.tf
@@ -90,3 +90,8 @@ variable api_server_whitelist {
 variable nodeport_whitelist {
   type = list(string)
 }
+
+variable "ingress_whitelist" {
+  type = list(string)
+  default = ["0.0.0.0/0"]
+}
-- 
GitLab