added dynamic rule and var extra_firewall_rules

This commit is contained in:
Karim Naufal 2022-02-27 23:15:46 +01:00
parent adca2a0e0b
commit 4fe79625b1
4 changed files with 150 additions and 118 deletions

121
locals.tf
View File

@ -17,6 +17,127 @@ locals {
csi_version = var.hetzner_csi_version != null ? var.hetzner_csi_version : data.github_release.hetzner_csi.release_tag csi_version = var.hetzner_csi_version != null ? var.hetzner_csi_version : data.github_release.hetzner_csi.release_tag
kured_version = data.github_release.kured.release_tag kured_version = data.github_release.kured.release_tag
base_firewall_rules = [
# Allowing internal cluster traffic and Hetzner metadata service and cloud API IPs
{
direction = "in"
protocol = "tcp"
port = "any"
source_ips = [
var.network_ipv4_range,
"127.0.0.1/32",
"169.254.169.254/32",
"213.239.246.1/32"
]
},
{
direction = "in"
protocol = "udp"
port = "any"
source_ips = [
var.network_ipv4_range,
"127.0.0.1/32",
"169.254.169.254/32",
"213.239.246.1/32"
]
},
{
direction = "in"
protocol = "icmp"
source_ips = [
var.network_ipv4_range,
"127.0.0.1/32",
"169.254.169.254/32",
"213.239.246.1/32"
]
},
# Allow all traffic to the kube api server
{
direction = "in"
protocol = "tcp"
port = "6443"
source_ips = [
"0.0.0.0/0"
]
},
# Allow all traffic to the ssh port
{
direction = "in"
protocol = "tcp"
port = "22"
source_ips = [
"0.0.0.0/0"
]
},
# Allow ping on ipv4
{
direction = "in"
protocol = "icmp"
source_ips = [
"0.0.0.0/0"
]
},
# Allow basic out traffic
# ICMP to ping outside services
{
direction = "out"
protocol = "icmp"
destination_ips = [
"0.0.0.0/0"
]
},
# DNS
{
direction = "out"
protocol = "tcp"
port = "53"
destination_ips = [
"0.0.0.0/0"
]
},
{
direction = "out"
protocol = "udp"
port = "53"
destination_ips = [
"0.0.0.0/0"
]
},
# HTTP(s)
{
direction = "out"
protocol = "tcp"
port = "80"
destination_ips = [
"0.0.0.0/0"
]
},
{
direction = "out"
protocol = "tcp"
port = "443"
destination_ips = [
"0.0.0.0/0"
]
},
#NTP
{
direction = "out"
protocol = "udp"
port = "123"
destination_ips = [
"0.0.0.0/0"
]
}
]
common_commands_install_k3s = [ common_commands_install_k3s = [
"set -ex", "set -ex",
# prepare the k3s config directory # prepare the k3s config directory

127
main.tf
View File

@ -24,125 +24,16 @@ resource "hcloud_network_subnet" "subnet" {
resource "hcloud_firewall" "k3s" { resource "hcloud_firewall" "k3s" {
name = "k3s" name = "k3s"
# Allowing internal cluster traffic and Hetzner metadata service and cloud API IPs dynamic "rule" {
rule { for_each = concat(local.base_firewall_rules, var.extra_firewall_rules)
direction = "in" content {
protocol = "tcp" direction = rule.value.direction
port = "any" protocol = rule.value.protocol
source_ips = [ port = lookup(rule.value, "port", null)
var.network_ipv4_range, destination_ips = lookup(rule.value, "destination_ips", null)
"127.0.0.1/32", source_ips = lookup(rule.value, "source_ips", null)
"169.254.169.254/32", }
"213.239.246.1/32"
]
} }
rule {
direction = "in"
protocol = "udp"
port = "any"
source_ips = [
var.network_ipv4_range,
"127.0.0.1/32",
"169.254.169.254/32",
"213.239.246.1/32"
]
}
rule {
direction = "in"
protocol = "icmp"
source_ips = [
var.network_ipv4_range,
"127.0.0.1/32",
"169.254.169.254/32",
"213.239.246.1/32"
]
}
# Allow all traffic to the kube api server
rule {
direction = "in"
protocol = "tcp"
port = "6443"
source_ips = [
"0.0.0.0/0"
]
}
# Allow all traffic to the ssh port
rule {
direction = "in"
protocol = "tcp"
port = "22"
source_ips = [
"0.0.0.0/0"
]
}
# Allow ping on ipv4
rule {
direction = "in"
protocol = "icmp"
source_ips = [
"0.0.0.0/0"
]
}
# Allow basic out traffic
# ICMP to ping outside services
rule {
direction = "out"
protocol = "icmp"
destination_ips = [
"0.0.0.0/0"
]
}
# DNS
rule {
direction = "out"
protocol = "tcp"
port = "53"
destination_ips = [
"0.0.0.0/0"
]
}
rule {
direction = "out"
protocol = "udp"
port = "53"
destination_ips = [
"0.0.0.0/0"
]
}
# HTTP(s)
rule {
direction = "out"
protocol = "tcp"
port = "80"
destination_ips = [
"0.0.0.0/0"
]
}
rule {
direction = "out"
protocol = "tcp"
port = "443"
destination_ips = [
"0.0.0.0/0"
]
}
#NTP
rule {
direction = "out"
protocol = "udp"
port = "123"
destination_ips = [
"0.0.0.0/0"
]
}
} }
resource "hcloud_placement_group" "k3s" { resource "hcloud_placement_group" "k3s" {

View File

@ -50,3 +50,17 @@ agent_nodepools = {
# Allows you to specify either stable, latest, or testing (defaults to stable), see https://rancher.com/docs/k3s/latest/en/upgrades/basic/ # Allows you to specify either stable, latest, or testing (defaults to stable), see https://rancher.com/docs/k3s/latest/en/upgrades/basic/
# initial_k3s_channel = "latest" # initial_k3s_channel = "latest"
# Adding extra firewall rules, like opening a port
# In this example with allow port TCP 5432 for a Postgres service we will open via a nodeport
# More info on the format here https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs/resources/firewall
extra_firewall_rules = [
{
direction = "in"
protocol = "tcp"
port = "5432"
source_ips = [
"0.0.0.0/0"
]
},
]

View File

@ -113,3 +113,9 @@ variable "automatically_upgrade_k3s" {
default = true default = true
description = "Whether to automatically upgrade k3s based on the selected channel" description = "Whether to automatically upgrade k3s based on the selected channel"
} }
variable "extra_firewall_rules" {
type = list(any)
default = []
description = "Additional firewall rules to apply to the cluster"
}