[upcloud] Fixed issue where DNS would be blocked while using allowlist (#9510)

* [upcloud] Fixed issue where DNS would be blocked while using allowlist * Missed one NTP rule
1 year ago · 07ad5ecfce
1 changed files with 48 additions and 20 deletions
--- a/contrib/terraform/upcloud/modules/kubernetes-cluster/main.tf
+++ b/contrib/terraform/upcloud/modules/kubernetes-cluster/main.tf
@ -251,8 +251,8 @@ resource "upcloud_firewall_rules" "master" {
    content {
      action                 = "accept"
      comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
      direction              = "in"
      family                 = "IPv4"
      protocol               = firewall_rule.value
@ -267,8 +267,8 @@ resource "upcloud_firewall_rules" "master" {
    content {
      action                 = "accept"
      comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
      direction              = "in"
      family                 = "IPv4"
      protocol               = firewall_rule.value
@ -283,8 +283,8 @@ resource "upcloud_firewall_rules" "master" {
    content {
      action                 = "accept"
      comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
      direction              = "in"
      family                 = "IPv6"
      protocol               = firewall_rule.value
@ -299,8 +299,8 @@ resource "upcloud_firewall_rules" "master" {
    content {
      action                 = "accept"
      comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
      direction              = "in"
      family                 = "IPv6"
      protocol               = firewall_rule.value
@ -315,8 +315,8 @@ resource "upcloud_firewall_rules" "master" {
    content {
      action                 = "accept"
      comment                = "NTP Port"
-      destination_port_end   = "123"
-      destination_port_start = "123"
+      source_port_end        = "123"
+      source_port_start      = "123"
      direction              = "in"
      family                 = "IPv4"
      protocol               = firewall_rule.value
@ -325,6 +325,20 @@ resource "upcloud_firewall_rules" "master" {
    }
  }

+  dynamic firewall_rule {
+    for_each = var.firewall_default_deny_in ? ["udp"] : []
+
+    content {
+      action                 = "accept"
+      comment                = "NTP Port"
+      source_port_end        = "123"
+      source_port_start      = "123"
+      direction              = "in"
+      family                 = "IPv6"
+      protocol               = firewall_rule.value
+    }
+  }
+
  firewall_rule {
    action    = var.firewall_default_deny_in ? "drop" : "accept"
    direction = "in"
@ -394,8 +408,8 @@ resource "upcloud_firewall_rules" "k8s" {
    content {
      action                 = "accept"
      comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
      direction              = "in"
      family                 = "IPv4"
      protocol               = firewall_rule.value
@ -410,8 +424,8 @@ resource "upcloud_firewall_rules" "k8s" {
    content {
      action                 = "accept"
      comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
      direction              = "in"
      family                 = "IPv4"
      protocol               = firewall_rule.value
@ -426,8 +440,8 @@ resource "upcloud_firewall_rules" "k8s" {
    content {
      action                 = "accept"
      comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
      direction              = "in"
      family                 = "IPv6"
      protocol               = firewall_rule.value
@ -442,8 +456,8 @@ resource "upcloud_firewall_rules" "k8s" {
    content {
      action                 = "accept"
      comment                = "UpCloud DNS"
-      destination_port_end   = "53"
-      destination_port_start = "53"
+      source_port_end        = "53"
+      source_port_start      = "53"
      direction              = "in"
      family                 = "IPv6"
      protocol               = firewall_rule.value
@ -458,8 +472,8 @@ resource "upcloud_firewall_rules" "k8s" {
    content {
      action                 = "accept"
      comment                = "NTP Port"
-      destination_port_end   = "123"
-      destination_port_start = "123"
+      source_port_end        = "123"
+      source_port_start      = "123"
      direction              = "in"
      family                 = "IPv4"
      protocol               = firewall_rule.value
@ -468,6 +482,20 @@ resource "upcloud_firewall_rules" "k8s" {
    }
  }

+  dynamic firewall_rule {
+    for_each = var.firewall_default_deny_in ? ["udp"] : []
+
+    content {
+      action                 = "accept"
+      comment                = "NTP Port"
+      source_port_end        = "123"
+      source_port_start      = "123"
+      direction              = "in"
+      family                 = "IPv6"
+      protocol               = firewall_rule.value
+    }
+  }
+
  firewall_rule {
    action    = var.firewall_default_deny_in ? "drop" : "accept"
    direction = "in"