terraform-hcloud-kube-hetzner/main.tf

187 lines
3.4 KiB
Terraform
Raw Normal View History

2021-11-30 23:09:34 +01:00
resource "random_password" "k3s_token" {
2021-07-30 10:12:37 +02:00
length = 48
special = false
}
2022-02-05 00:02:25 +01:00
resource "hcloud_ssh_key" "k3s" {
name = "k3s"
2021-11-30 23:09:34 +01:00
public_key = local.ssh_public_key
2021-07-30 10:12:37 +02:00
}
resource "hcloud_network" "k3s" {
2022-02-05 00:02:25 +01:00
name = "k3s"
2021-07-30 10:12:37 +02:00
ip_range = "10.0.0.0/8"
}
resource "hcloud_network_subnet" "k3s" {
network_id = hcloud_network.k3s.id
type = "cloud"
network_zone = var.network_region
2021-07-30 10:12:37 +02:00
ip_range = "10.0.0.0/16"
}
resource "hcloud_firewall" "k3s" {
2022-02-05 00:02:25 +01:00
name = "k3s"
2021-12-10 00:48:45 +01:00
# Allowing internal cluster traffic and Hetzner metadata service and cloud API IPs
rule {
direction = "in"
protocol = "tcp"
port = "any"
source_ips = [
"127.0.0.1/32",
"10.0.0.0/8",
"169.254.169.254/32",
"213.239.246.1/32"
]
}
rule {
direction = "in"
protocol = "udp"
port = "any"
source_ips = [
"127.0.0.1/32",
"10.0.0.0/8",
"169.254.169.254/32",
"213.239.246.1/32"
]
}
rule {
direction = "in"
protocol = "icmp"
source_ips = [
"127.0.0.1/32",
"10.0.0.0/8",
"169.254.169.254/32",
"213.239.246.1/32"
]
}
# Allow all traffic to the kube api server
rule {
direction = "in"
protocol = "tcp"
port = "6443"
source_ips = [
"0.0.0.0/0"
]
}
# Allow all traffic to the ssh port
rule {
direction = "in"
protocol = "tcp"
port = "22"
source_ips = [
"0.0.0.0/0"
]
}
2021-07-30 10:12:37 +02:00
2021-11-30 23:09:34 +01:00
# Allow ping on ipv4
rule {
direction = "in"
protocol = "icmp"
source_ips = [
"0.0.0.0/0"
]
2021-07-30 10:12:37 +02:00
}
2022-01-05 15:04:22 +01:00
# Allow basic out traffic
# ICMP to ping outside services
rule {
direction = "out"
protocol = "icmp"
destination_ips = [
"0.0.0.0/0"
]
}
# DNS
rule {
direction = "out"
protocol = "tcp"
port = "53"
destination_ips = [
"0.0.0.0/0"
]
}
rule {
direction = "out"
protocol = "udp"
port = "53"
destination_ips = [
"0.0.0.0/0"
]
}
# HTTP(s)
rule {
direction = "out"
protocol = "tcp"
port = "80"
destination_ips = [
"0.0.0.0/0"
]
}
rule {
direction = "out"
protocol = "tcp"
port = "443"
destination_ips = [
"0.0.0.0/0"
]
}
#NTP
rule {
direction = "out"
protocol = "udp"
port = "123"
destination_ips = [
"0.0.0.0/0"
]
}
2021-07-30 10:12:37 +02:00
}
2022-02-10 03:01:40 +01:00
resource "hcloud_placement_group" "k3s" {
name = "k3s"
type = "spread"
labels = {
"provisioner" = "terraform",
"engine" = "k3s"
}
}
2022-02-14 00:24:08 +01:00
data "hcloud_load_balancer" "traefik" {
name = "traefik"
depends_on = [null_resource.kustomization]
2022-02-14 00:24:08 +01:00
}
2022-02-24 01:44:56 +01:00
2022-02-25 00:21:28 +01:00
resource "null_resource" "destroy_traefik_loadbalancer" {
# this only gets triggered before total destruction of the cluster, but when the necessary elements to run the commands are still available
2022-02-24 01:44:56 +01:00
triggers = {
2022-02-25 00:21:28 +01:00
kustomization_id = null_resource.kustomization.id
2022-02-24 01:44:56 +01:00
}
# Important when issuing terraform destroy, otherwise the LB will not let the network get deleted
provisioner "local-exec" {
2022-02-25 00:21:28 +01:00
when = destroy
command = <<-EOT
kubectl -n kube-system delete service traefik --kubeconfig ${path.module}/kubeconfig.yaml
2022-02-24 01:44:56 +01:00
EOT
on_failure = continue
}
2022-02-25 00:21:28 +01:00
depends_on = [
local_file.kubeconfig,
null_resource.control_planes[0],
hcloud_network_subnet.k3s,
hcloud_network.k3s,
hcloud_firewall.k3s,
hcloud_placement_group.k3s,
hcloud_ssh_key.k3s
]
2022-02-24 01:44:56 +01:00
}