terraform/gcp: Add ingress_whitelist (#8590)

Also, do not create unneeded resources (target pools are charged and should
only be created when needed).
This commit is contained in:
Mathieu Parent 2022-03-03 01:52:46 +01:00 committed by GitHub
parent bf7a506f79
commit 299a9ae7ba
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 46 additions and 9 deletions

View file

@ -74,6 +74,7 @@ ansible-playbook -i contrib/terraform/gcs/inventory.ini cluster.yml -b -v
* `ssh_whitelist`: List of IP ranges (CIDR) that will be allowed to ssh to the nodes * `ssh_whitelist`: List of IP ranges (CIDR) that will be allowed to ssh to the nodes
* `api_server_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the API server * `api_server_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the API server
* `nodeport_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the kubernetes nodes on port 30000-32767 (kubernetes nodeports) * `nodeport_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the kubernetes nodes on port 30000-32767 (kubernetes nodeports)
* `ingress_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to ingress on ports 80 and 443
### Optional ### Optional

View file

@ -33,4 +33,5 @@ module "kubernetes" {
ssh_whitelist = var.ssh_whitelist ssh_whitelist = var.ssh_whitelist
api_server_whitelist = var.api_server_whitelist api_server_whitelist = var.api_server_whitelist
nodeport_whitelist = var.nodeport_whitelist nodeport_whitelist = var.nodeport_whitelist
ingress_whitelist = var.ingress_whitelist
} }

View file

@ -43,6 +43,8 @@ resource "google_compute_firewall" "allow_internal" {
} }
resource "google_compute_firewall" "ssh" { resource "google_compute_firewall" "ssh" {
count = length(var.ssh_whitelist) > 0 ? 1 : 0
name = "${var.prefix}-ssh-firewall" name = "${var.prefix}-ssh-firewall"
network = google_compute_network.main.name network = google_compute_network.main.name
@ -57,6 +59,8 @@ resource "google_compute_firewall" "ssh" {
} }
resource "google_compute_firewall" "api_server" { resource "google_compute_firewall" "api_server" {
count = length(var.api_server_whitelist) > 0 ? 1 : 0
name = "${var.prefix}-api-server-firewall" name = "${var.prefix}-api-server-firewall"
network = google_compute_network.main.name network = google_compute_network.main.name
@ -71,6 +75,8 @@ resource "google_compute_firewall" "api_server" {
} }
resource "google_compute_firewall" "nodeport" { resource "google_compute_firewall" "nodeport" {
count = length(var.nodeport_whitelist) > 0 ? 1 : 0
name = "${var.prefix}-nodeport-firewall" name = "${var.prefix}-nodeport-firewall"
network = google_compute_network.main.name network = google_compute_network.main.name
@ -85,12 +91,14 @@ resource "google_compute_firewall" "nodeport" {
} }
resource "google_compute_firewall" "ingress_http" { resource "google_compute_firewall" "ingress_http" {
count = length(var.ingress_whitelist) > 0 ? 1 : 0
name = "${var.prefix}-http-ingress-firewall" name = "${var.prefix}-http-ingress-firewall"
network = google_compute_network.main.name network = google_compute_network.main.name
priority = 100 priority = 100
source_ranges = ["0.0.0.0/0"] source_ranges = var.ingress_whitelist
allow { allow {
protocol = "tcp" protocol = "tcp"
@ -99,12 +107,14 @@ resource "google_compute_firewall" "ingress_http" {
} }
resource "google_compute_firewall" "ingress_https" { resource "google_compute_firewall" "ingress_https" {
count = length(var.ingress_whitelist) > 0 ? 1 : 0
name = "${var.prefix}-https-ingress-firewall" name = "${var.prefix}-https-ingress-firewall"
network = google_compute_network.main.name network = google_compute_network.main.name
priority = 100 priority = 100
source_ranges = ["0.0.0.0/0"] source_ranges = var.ingress_whitelist
allow { allow {
protocol = "tcp" protocol = "tcp"
@ -247,14 +257,18 @@ resource "google_compute_instance" "master" {
} }
resource "google_compute_forwarding_rule" "master_lb" { resource "google_compute_forwarding_rule" "master_lb" {
count = length(var.api_server_whitelist) > 0 ? 1 : 0
name = "${var.prefix}-master-lb-forward-rule" name = "${var.prefix}-master-lb-forward-rule"
port_range = "6443" port_range = "6443"
target = google_compute_target_pool.master_lb.id target = google_compute_target_pool.master_lb[count.index].id
} }
resource "google_compute_target_pool" "master_lb" { resource "google_compute_target_pool" "master_lb" {
count = length(var.api_server_whitelist) > 0 ? 1 : 0
name = "${var.prefix}-master-lb-pool" name = "${var.prefix}-master-lb-pool"
instances = local.master_target_list instances = local.master_target_list
} }
@ -349,30 +363,38 @@ resource "google_compute_instance" "worker" {
} }
resource "google_compute_address" "worker_lb" { resource "google_compute_address" "worker_lb" {
count = length(var.ingress_whitelist) > 0 ? 1 : 0
name = "${var.prefix}-worker-lb-address" name = "${var.prefix}-worker-lb-address"
address_type = "EXTERNAL" address_type = "EXTERNAL"
region = var.region region = var.region
} }
resource "google_compute_forwarding_rule" "worker_http_lb" { resource "google_compute_forwarding_rule" "worker_http_lb" {
count = length(var.ingress_whitelist) > 0 ? 1 : 0
name = "${var.prefix}-worker-http-lb-forward-rule" name = "${var.prefix}-worker-http-lb-forward-rule"
ip_address = google_compute_address.worker_lb.address ip_address = google_compute_address.worker_lb[count.index].address
port_range = "80" port_range = "80"
target = google_compute_target_pool.worker_lb.id target = google_compute_target_pool.worker_lb[count.index].id
} }
resource "google_compute_forwarding_rule" "worker_https_lb" { resource "google_compute_forwarding_rule" "worker_https_lb" {
count = length(var.ingress_whitelist) > 0 ? 1 : 0
name = "${var.prefix}-worker-https-lb-forward-rule" name = "${var.prefix}-worker-https-lb-forward-rule"
ip_address = google_compute_address.worker_lb.address ip_address = google_compute_address.worker_lb[count.index].address
port_range = "443" port_range = "443"
target = google_compute_target_pool.worker_lb.id target = google_compute_target_pool.worker_lb[count.index].id
} }
resource "google_compute_target_pool" "worker_lb" { resource "google_compute_target_pool" "worker_lb" {
count = length(var.ingress_whitelist) > 0 ? 1 : 0
name = "${var.prefix}-worker-lb-pool" name = "${var.prefix}-worker-lb-pool"
instances = local.worker_target_list instances = local.worker_target_list
} }

View file

@ -19,9 +19,9 @@ output "worker_ip_addresses" {
} }
output "ingress_controller_lb_ip_address" { output "ingress_controller_lb_ip_address" {
value = google_compute_address.worker_lb.address value = length(var.ingress_whitelist) > 0 ? google_compute_address.worker_lb.0.address : ""
} }
output "control_plane_lb_ip_address" { output "control_plane_lb_ip_address" {
value = google_compute_forwarding_rule.master_lb.ip_address value = length(var.api_server_whitelist) > 0 ? google_compute_forwarding_rule.master_lb.0.ip_address : ""
} }

View file

@ -65,6 +65,11 @@ variable "nodeport_whitelist" {
type = list(string) type = list(string)
} }
variable "ingress_whitelist" {
type = list(string)
default = ["0.0.0.0/0"]
}
variable "private_network_cidr" { variable "private_network_cidr" {
default = "10.0.10.0/24" default = "10.0.10.0/24"
} }

View file

@ -16,6 +16,9 @@
"nodeport_whitelist": [ "nodeport_whitelist": [
"1.2.3.4/32" "1.2.3.4/32"
], ],
"ingress_whitelist": [
"0.0.0.0/0"
],
"machines": { "machines": {
"master-0": { "master-0": {

View file

@ -90,3 +90,8 @@ variable api_server_whitelist {
variable nodeport_whitelist { variable nodeport_whitelist {
type = list(string) type = list(string)
} }
variable "ingress_whitelist" {
type = list(string)
default = ["0.0.0.0/0"]
}