diff --git a/contrib/terraform/gcp/README.md b/contrib/terraform/gcp/README.md
index 3bf120e5a..c3e6eecd1 100644
--- a/contrib/terraform/gcp/README.md
+++ b/contrib/terraform/gcp/README.md
@@ -74,6 +74,7 @@ ansible-playbook -i contrib/terraform/gcs/inventory.ini cluster.yml -b -v
 * `ssh_whitelist`: List of IP ranges (CIDR) that will be allowed to ssh to the nodes
 * `api_server_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the API server
 * `nodeport_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the kubernetes nodes on port 30000-32767 (kubernetes nodeports)
+* `ingress_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to ingress on ports 80 and 443
 ### Optional
diff --git a/contrib/terraform/gcp/main.tf b/contrib/terraform/gcp/main.tf
index 94333e74c..a9083775b 100644
--- a/contrib/terraform/gcp/main.tf
+++ b/contrib/terraform/gcp/main.tf
@@ -33,4 +33,5 @@ module "kubernetes" {
 ssh_whitelist = var.ssh_whitelist
 api_server_whitelist = var.api_server_whitelist
 nodeport_whitelist = var.nodeport_whitelist
+ ingress_whitelist = var.ingress_whitelist
 }
diff --git a/contrib/terraform/gcp/modules/kubernetes-cluster/main.tf b/contrib/terraform/gcp/modules/kubernetes-cluster/main.tf
index 1cea6eebf..3ad64ca7e 100644
--- a/contrib/terraform/gcp/modules/kubernetes-cluster/main.tf
+++ b/contrib/terraform/gcp/modules/kubernetes-cluster/main.tf
@@ -43,6 +43,8 @@ resource "google_compute_firewall" "allow_internal" {
 }
 resource "google_compute_firewall" "ssh" {
+ count = length(var.ssh_whitelist) > 0 ? 1 : 0
+
 name = "${var.prefix}-ssh-firewall"
 network = google_compute_network.main.name
@@ -57,6 +59,8 @@ resource "google_compute_firewall" "ssh" {
 }
 resource "google_compute_firewall" "api_server" {
+ count = length(var.api_server_whitelist) > 0 ? 1 : 0
+
 name = "${var.prefix}-api-server-firewall"
 network = google_compute_network.main.name
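Review bot: Adding `count` to `google_compute_firewall.ssh` moves it from state address `google_compute_firewall.ssh` to `google_compute_firewall.ssh[0]`, so on an already-deployed cluster `terraform apply` will destroy the existing rule and create a replacement instead of keeping it, and the same happens for every resource this commit gates the same way. For a firewall rule that is a short window in which SSH is closed (or, if the apply fails midway, a rule that has to be reconciled by hand); for the load-balancer resources further down the file it also means new public addresses. The change should ship with a migration note, e.g. `terraform state mv 'google_compute_firewall.ssh' 'google_compute_firewall.ssh[0]'` for each gated resource (or a `moved` block, if the Terraform version this contrib targets supports them), and the README should mention it. The body of the `ssh` resource continues outside the hunk.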
@@ -71,6 +75,8 @@ resource "google_compute_firewall" "api_server" {
 }
 resource "google_compute_firewall" "nodeport" {
+ count = length(var.nodeport_whitelist) > 0 ? 1 : 0
+
 name = "${var.prefix}-nodeport-firewall"
 network = google_compute_network.main.name
@@ -85,12 +91,14 @@ resource "google_compute_firewall" "nodeport" {
 }
 resource "google_compute_firewall" "ingress_http" {
+ count = length(var.ingress_whitelist) > 0 ? 1 : 0
+
 name = "${var.prefix}-http-ingress-firewall"
 network = google_compute_network.main.name
 priority = 100
- source_ranges = ["0.0.0.0/0"]
+ source_ranges = var.ingress_whitelist
 allow {
 protocol = "tcp"
@@ -99,12 +107,14 @@ resource "google_compute_firewall" "ingress_http" {
 }
 resource "google_compute_firewall" "ingress_https" {
+ count = length(var.ingress_whitelist) > 0 ? 1 : 0
+
 name = "${var.prefix}-https-ingress-firewall"
 network = google_compute_network.main.name
 priority = 100
- source_ranges = ["0.0.0.0/0"]
+ source_ranges = var.ingress_whitelist
 allow {
 protocol = "tcp"
@@ -247,14 +257,18 @@ resource "google_compute_instance" "master" {
 }
 resource "google_compute_forwarding_rule" "master_lb" {
+ count = length(var.api_server_whitelist) > 0 ? 1 : 0
+
 name = "${var.prefix}-master-lb-forward-rule"
 port_range = "6443"
- target = google_compute_target_pool.master_lb.id
+ target = google_compute_target_pool.master_lb[count.index].id
 }
 resource "google_compute_target_pool" "master_lb" {
+ count = length(var.api_server_whitelist) > 0 ? 1 : 0
+
 name = "${var.prefix}-master-lb-pool"
 instances = local.master_target_list
 }
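Review bot: `google_compute_forwarding_rule.master_lb` gains a `count`, so its state address becomes `master_lb[0]` and Terraform will replace the rule on existing clusters; the visible lines set no `ip_address`, so the replacement is assigned a fresh ephemeral external IP and every kubeconfig pointing at the old control-plane address stops working, and depending on how the generated inventory feeds `control_plane_lb_ip_address` into kubespray the API server certificate SANs may no longer match either. Two things would close this: a documented `terraform state mv` for the forwarding rule and its target pool before the first apply, and reserving the control-plane address with a `google_compute_address` the way the `worker_lb` resources already do, so the IP survives any future replacement. The reservation is a new resource plus one line in the forwarding rule, sketched below; the surrounding `google_compute_instance.master` resource ends just before this hunk.
```hcl
resource "google_compute_address" "master_lb" {
  count = length(var.api_server_whitelist) > 0 ? 1 : 0

  name         = "${var.prefix}-master-lb-address"
  address_type = "EXTERNAL"
  region       = var.region
}

resource "google_compute_forwarding_rule" "master_lb" {
  count = length(var.api_server_whitelist) > 0 ? 1 : 0

  name       = "${var.prefix}-master-lb-forward-rule"
  ip_address = google_compute_address.master_lb[count.index].address
  # … unchanged: port_range, target …
}
```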
@@ -349,30 +363,38 @@ resource "google_compute_instance" "worker" {
 }
 resource "google_compute_address" "worker_lb" {
+ count = length(var.ingress_whitelist) > 0 ? 1 : 0
+
 name = "${var.prefix}-worker-lb-address"
 address_type = "EXTERNAL"
 region = var.region
 }
 resource "google_compute_forwarding_rule" "worker_http_lb" {
+ count = length(var.ingress_whitelist) > 0 ? 1 : 0
+
 name = "${var.prefix}-worker-http-lb-forward-rule"
- ip_address = google_compute_address.worker_lb.address
+ ip_address = google_compute_address.worker_lb[count.index].address
 port_range = "80"
- target = google_compute_target_pool.worker_lb.id
+ target = google_compute_target_pool.worker_lb[count.index].id
 }
 resource "google_compute_forwarding_rule" "worker_https_lb" {
+ count = length(var.ingress_whitelist) > 0 ? 1 : 0
+
 name = "${var.prefix}-worker-https-lb-forward-rule"
- ip_address = google_compute_address.worker_lb.address
+ ip_address = google_compute_address.worker_lb[count.index].address
 port_range = "443"
- target = google_compute_target_pool.worker_lb.id
+ target = google_compute_target_pool.worker_lb[count.index].id
 }
 resource "google_compute_target_pool" "worker_lb" {
+ count = length(var.ingress_whitelist) > 0 ? 1 : 0
+
 name = "${var.prefix}-worker-lb-pool"
 instances = local.worker_target_list
 }
diff --git a/contrib/terraform/gcp/modules/kubernetes-cluster/output.tf b/contrib/terraform/gcp/modules/kubernetes-cluster/output.tf
index 8e5b08016..d0ffaa93e 100644
--- a/contrib/terraform/gcp/modules/kubernetes-cluster/output.tf
+++ b/contrib/terraform/gcp/modules/kubernetes-cluster/output.tf
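Review bot: The expression `length(var.ingress_whitelist) > 0 ? 1 : 0` is now spelled out six times in this file (four of them in this hunk, plus the two ingress firewall rules), and `length(var.api_server_whitelist) > 0 ? 1 : 0` three times; a `locals` entry per whitelist would keep the copies from drifting and would state the "empty list means no public endpoint" rule in one place where a reader will find it. Within a resource whose `count` is at most 1, `[count.index]` and `[0]` are equivalent, so the choice here is fine, but `output.tf` in the same commit uses the `.0.` attribute form; one style should be picked for the module. All four resources in this hunk are complete within it.
```hcl
locals {
  # An empty whitelist means "no public endpoint": the firewall rules, the
  # reserved address, the forwarding rules and the target pool are all skipped.
  ingress_lb_count    = length(var.ingress_whitelist) > 0 ? 1 : 0
  api_server_lb_count = length(var.api_server_whitelist) > 0 ? 1 : 0
}

resource "google_compute_address" "worker_lb" {
  count = local.ingress_lb_count
  # … unchanged: name, address_type, region …
}
```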
@@ -19,9 +19,9 @@ output "worker_ip_addresses" {
 }
 output "ingress_controller_lb_ip_address" {
- value = google_compute_address.worker_lb.address
+ value = length(var.ingress_whitelist) > 0 ? google_compute_address.worker_lb.0.address : ""
 }
 output "control_plane_lb_ip_address" {
- value = google_compute_forwarding_rule.master_lb.ip_address
+ value = length(var.api_server_whitelist) > 0 ? google_compute_forwarding_rule.master_lb.0.ip_address : ""
 }
diff --git a/contrib/terraform/gcp/modules/kubernetes-cluster/variables.tf b/contrib/terraform/gcp/modules/kubernetes-cluster/variables.tf
index 2724f2b23..16e616ae9 100644
--- a/contrib/terraform/gcp/modules/kubernetes-cluster/variables.tf
+++ b/contrib/terraform/gcp/modules/kubernetes-cluster/variables.tf
@@ -65,6 +65,11 @@ variable "nodeport_whitelist" {
 type = list(string)
 }
+variable "ingress_whitelist" {
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
 variable "private_network_cidr" {
 default = "10.0.10.0/24"
 }
diff --git a/contrib/terraform/gcp/tfvars.json b/contrib/terraform/gcp/tfvars.json
index 06249d6d8..056b8fe80 100644
--- a/contrib/terraform/gcp/tfvars.json
+++ b/contrib/terraform/gcp/tfvars.json
@@ -16,6 +16,9 @@ "nodeport_whitelist": [
 "1.2.3.4/32"
 ],
+ "ingress_whitelist": [
+ "0.0.0.0/0"
+ ],
 "machines": {
 "master-0": {
diff --git a/contrib/terraform/gcp/variables.tf b/contrib/terraform/gcp/variables.tf
index c2593d33b..3b7bd0069 100644
--- a/contrib/terraform/gcp/variables.tf
+++ b/contrib/terraform/gcp/variables.tf
@@ -90,3 +90,8 @@ variable api_server_whitelist {
 variable nodeport_whitelist {
 type = list(string)
 }
+
+variable "ingress_whitelist" {
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
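Review bot: Both outputs index the gated resources with the legacy `.0.` attribute syntax (`google_compute_address.worker_lb.0.address`) while `main.tf` in the same commit uses `[count.index]`; `[0]` is the current form and reads the same, e.g. `value = length(var.ingress_whitelist) > 0 ? google_compute_address.worker_lb[0].address : ""`. If the Terraform version this contrib targets is 0.15 or newer, `one(google_compute_address.worker_lb[*].address)` expresses the same thing without repeating the `length(...) > 0` condition, at the cost of yielding `null` rather than `""` when the endpoint is disabled. Which sentinel is right depends on the inventory templating that consumes these outputs, which is outside this diff, so whichever is kept should be documented next to `ingress_whitelist` in the README so operators know an empty string means "no public endpoint" rather than an error. Both output blocks are complete within the hunk.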
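Review bot: `ingress_whitelist` defaults to `["0.0.0.0/0"]` while the neighbouring `nodeport_whitelist` (and, per the root `variables.tf` hunk, `ssh_whitelist` and `api_server_whitelist`) has no default, so this is the only exposure an operator gets without asking for it; that preserves the pre-change behaviour of the hard-coded `["0.0.0.0/0"]` in the firewall rules, but neither declaration carries a `description` explaining the open default or that an empty list removes the public ingress load balancer and its address entirely. I would add `description = "CIDR ranges allowed to reach the ingress load balancer on ports 80 and 443. Defaults to the whole Internet; set to [] to create no public ingress endpoint."` to both the module and root variables, and consider dropping the root-level default so that upgraders make the choice explicitly, as they already must for the other three whitelists. Both variable blocks are complete within their hunks.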