contrib/terraform/gcp: allow extra ingress firewalls (#9658)

Signed-off-by: Mathieu Parent <math.parent@gmail.com> Signed-off-by: Mathieu Parent <math.parent@gmail.com>
2 years ago · c80bb0007a
5 changed files with 53 additions and 3 deletions
--- a/contrib/terraform/gcp/README.md
+++ b/contrib/terraform/gcp/README.md
@ -75,6 +75,11 @@ ansible-playbook -i contrib/terraform/gcs/inventory.ini cluster.yml -b -v
 * `api_server_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the API server
 * `nodeport_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the kubernetes nodes on port 30000-32767 (kubernetes nodeports)
 * `ingress_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to ingress on ports 80 and 443
+* `extra_ingress_firewalls`: Additional ingress firewall rules. Key will be used as the name of the rule
+  * `source_ranges`: List of IP ranges (CIDR). Example: `["8.8.8.8"]`
+  * `protocol`: Protocol. Example `"tcp"`
+  * `ports`: List of ports, as string. Example `["53"]`
+  * `target_tags`: List of target tag (either the machine name or `control-plane` or `worker`). Example: `["control-plane", "worker-0"]`

 ### Optional

--- a/contrib/terraform/gcp/main.tf
+++ b/contrib/terraform/gcp/main.tf
@ -34,4 +34,6 @@ module "kubernetes" {
  api_server_whitelist = var.api_server_whitelist
  nodeport_whitelist   = var.nodeport_whitelist
  ingress_whitelist    = var.ingress_whitelist
+
+  extra_ingress_firewalls = var.extra_ingress_firewalls
 }
--- a/contrib/terraform/gcp/modules/kubernetes-cluster/main.tf
+++ b/contrib/terraform/gcp/modules/kubernetes-cluster/main.tf
@ -219,7 +219,7 @@ resource "google_compute_instance" "master" {
  machine_type = each.value.size
  zone         = each.value.zone

-  tags = ["master"]
+  tags = ["control-plane", "master", each.key]

  boot_disk {
    initialize_params {
@ -325,7 +325,7 @@ resource "google_compute_instance" "worker" {
  machine_type = each.value.size
  zone         = each.value.zone

-  tags = ["worker"]
+  tags = ["worker", each.key]

  boot_disk {
    initialize_params {
@ -398,3 +398,24 @@ resource "google_compute_target_pool" "worker_lb" {
  name      = "${var.prefix}-worker-lb-pool"
  instances = local.worker_target_list
 }
+
+resource "google_compute_firewall" "extra_ingress_firewall" {
+  for_each = {
+    for name, firewall in var.extra_ingress_firewalls :
+    name => firewall
+  }
+
+  name    = "${var.prefix}-${each.key}-ingress"
+  network = google_compute_network.main.name
+
+  priority = 100
+
+  source_ranges = each.value.source_ranges
+
+  target_tags = each.value.target_tags
+
+  allow {
+    protocol = each.value.protocol
+    ports    = each.value.ports
+  }
+}
--- a/contrib/terraform/gcp/modules/kubernetes-cluster/variables.tf
+++ b/contrib/terraform/gcp/modules/kubernetes-cluster/variables.tf
@ -14,7 +14,7 @@ variable "machines" {
    }))
    boot_disk = object({
      image_name = string
-      size = number
+      size       = number
    })
  }))
 }
@ -73,3 +73,14 @@ variable "ingress_whitelist" {
 variable "private_network_cidr" {
  default = "10.0.10.0/24"
 }
+
+variable "extra_ingress_firewalls" {
+  type = map(object({
+    source_ranges = set(string)
+    protocol      = string
+    ports         = list(string)
+    target_tags   = set(string)
+  }))
+
+  default = {}
+}
--- a/contrib/terraform/gcp/variables.tf
+++ b/contrib/terraform/gcp/variables.tf
@ -95,3 +95,14 @@ variable "ingress_whitelist" {
  type = list(string)
  default = ["0.0.0.0/0"]
 }
+
+variable "extra_ingress_firewalls" {
+  type = map(object({
+    source_ranges = set(string)
+    protocol      = string
+    ports         = list(string)
+    target_tags   = set(string)
+  }))
+
+  default = {}
+}