contrib/terraform/gcp: allow extra ingress firewalls (#9658)

Signed-off-by: Mathieu Parent <math.parent@gmail.com>

Signed-off-by: Mathieu Parent <math.parent@gmail.com>

contrib/terraform/gcp/README.md

@@ -75,6 +75,11 @@ ansible-playbook -i contrib/terraform/gcs/inventory.ini cluster.yml -b -v
 * `api_server_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the API server
 * `nodeport_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to the kubernetes nodes on port 30000-32767 (kubernetes nodeports)
 * `ingress_whitelist`: List of IP ranges (CIDR) that will be allowed to connect to ingress on ports 80 and 443
+* `extra_ingress_firewalls`: Additional ingress firewall rules. Key will be used as the name of the rule
+  * `source_ranges`: List of IP ranges (CIDR). Example: `["8.8.8.8"]`
+  * `protocol`: Protocol. Example `"tcp"`
+  * `ports`: List of ports, as string. Example `["53"]`
+  * `target_tags`: List of target tag (either the machine name or `control-plane` or `worker`). Example: `["control-plane", "worker-0"]`
 
 ### Optional
 

contrib/terraform/gcp/main.tf

@@ -34,4 +34,6 @@ module "kubernetes" {
   api_server_whitelist = var.api_server_whitelist
   nodeport_whitelist   = var.nodeport_whitelist
   ingress_whitelist    = var.ingress_whitelist
+
+  extra_ingress_firewalls = var.extra_ingress_firewalls
 }

contrib/terraform/gcp/modules/kubernetes-cluster/main.tf

@@ -219,7 +219,7 @@ resource "google_compute_instance" "master" {
   machine_type = each.value.size
   zone         = each.value.zone
 
-  tags = ["master"]
+  tags = ["control-plane", "master", each.key]
 
   boot_disk {
     initialize_params {
@@ -325,7 +325,7 @@ resource "google_compute_instance" "worker" {
   machine_type = each.value.size
   zone         = each.value.zone
 
-  tags = ["worker"]
+  tags = ["worker", each.key]
 
   boot_disk {
     initialize_params {
@@ -398,3 +398,24 @@ resource "google_compute_target_pool" "worker_lb" {
   name      = "${var.prefix}-worker-lb-pool"
   instances = local.worker_target_list
 }
+
+resource "google_compute_firewall" "extra_ingress_firewall" {
+  for_each = {
+    for name, firewall in var.extra_ingress_firewalls :
+    name => firewall
+  }
+
+  name    = "${var.prefix}-${each.key}-ingress"
+  network = google_compute_network.main.name
+
+  priority = 100
+
+  source_ranges = each.value.source_ranges
+
+  target_tags = each.value.target_tags
+
+  allow {
+    protocol = each.value.protocol
+    ports    = each.value.ports
+  }
+}

contrib/terraform/gcp/modules/kubernetes-cluster/variables.tf

@@ -14,7 +14,7 @@ variable "machines" {
     }))
     boot_disk = object({
       image_name = string
-      size = number
+      size       = number
     })
   }))
 }
@@ -73,3 +73,14 @@ variable "ingress_whitelist" {
 variable "private_network_cidr" {
   default = "10.0.10.0/24"
 }
+
+variable "extra_ingress_firewalls" {
+  type = map(object({
+    source_ranges = set(string)
+    protocol      = string
+    ports         = list(string)
+    target_tags   = set(string)
+  }))
+
+  default = {}
+}

contrib/terraform/gcp/variables.tf

@@ -95,3 +95,14 @@ variable "ingress_whitelist" {
   type = list(string)
   default = ["0.0.0.0/0"]
 }
+
+variable "extra_ingress_firewalls" {
+  type = map(object({
+    source_ranges = set(string)
+    protocol      = string
+    ports         = list(string)
+    target_tags   = set(string)
+  }))
+
+  default = {}
+}