From 3d283b7891fca0b16e4574de73e57f1ee8bc9369 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sun, 10 Oct 2021 16:27:59 +0200
Subject: [PATCH] terrafrom: Add missing SSH firewall rules

This patch adds the required firewall rules to automatically allow ssh access from the local machine (but only from this machine) to all Kubernetes notes.
---
 terraform/.terraform.lock.hcl | 19 +++++++++++++++++
 terraform/firewall.tf | 1 -
 terraform/ssh.tf | 40 +++++++++++++++++++++++++++++++++++
 terraform/ssh_keys.tf | 2 --
 terraform/versions.tf | 4 ++++
 5 files changed, 63 insertions(+), 3 deletions(-)
 create mode 100644 terraform/ssh.tf
 delete mode 100644 terraform/ssh_keys.tf

diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
index 8fcfc0578..6f546a0a2 100644
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
@@ -23,6 +23,25 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
 ]
 }
+provider "registry.terraform.io/hashicorp/http" {
+ version = "2.1.0"
+ constraints = "2.1.0"
+ hashes = [
+ "h1:HmUcHqc59VeHReHD2SEhnLVQPUKHKTipJ8Jxq67GiDU=",
+ "zh:03d82dc0887d755b8406697b1d27506bc9f86f93b3e9b4d26e0679d96b802826",
+ "zh:0704d02926393ddc0cfad0b87c3d51eafeeae5f9e27cc71e193c141079244a22",
+ "zh:095ea350ea94973e043dad2394f10bca4a4bf41be775ba59d19961d39141d150",
+ "zh:0b71ac44e87d6964ace82979fc3cbb09eb876ed8f954449481bcaa969ba29cb7",
+ "zh:0e255a170db598bd1142c396cefc59712ad6d4e1b0e08a840356a371e7b73bc4",
+ "zh:67c8091cfad226218c472c04881edf236db8f2dc149dc5ada878a1cd3c1de171",
+ "zh:75df05e25d14b5101d4bc6624ac4a01bb17af0263c9e8a740e739f8938b86ee3",
+ "zh:b4e36b2c4f33fdc44bf55fa1c9bb6864b5b77822f444bd56f0be7e9476674d0e",
+ "zh:b9b36b01d2ec4771838743517bc5f24ea27976634987c6d5529ac4223e44365d",
+ "zh:ca264a916e42e221fddb98d640148b12e42116046454b39ede99a77fc52f59f4",
+ "zh:fe373b2fb2cc94777a91ecd7ac5372e699748c455f44f6ea27e494de9e5e6f92",
+ ]
+}
+
 provider "registry.terraform.io/hashicorp/local" {
 version = "1.4.0"
 constraints = "1.4.0"
diff --git a/terraform/firewall.tf b/terraform/firewall.tf
index d156b903a..c19819f45 100644
--- a/terraform/firewall.tf
+++ b/terraform/firewall.tf
@@ -1,4 +1,3 @@
-# https://docs.k8s.io/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-network-connectivity-user-infra_installing-platform-agnostic
 resource "hcloud_firewall" "k8s-node" {
 name = "k8s-node"
 apply_to {
diff --git a/terraform/ssh.tf b/terraform/ssh.tf
new file mode 100644
index 000000000..e99707ebb
--- /dev/null
+++ b/terraform/ssh.tf
@@ -0,0 +1,40 @@
+data "hcloud_ssh_keys" "all_keys" {
+}
+
+# Get current public IPs to configure SSH firewall
+data "http" "myipv4" {
+ url = "https://api4.ipify.org"
+}
+data "http" "myipv6" {
+ url = "https://api6.ipify.org"
+}
+
+resource "hcloud_firewall" "k8s-ssh" {
+ name = "k8s-ssh"
+ apply_to {
+ label_selector = "k8s.io/node"
+ }
+
+ # ICMP is always a good idea
+ #
+ # Network reachability tests
+ rule {
+ description = "ICMP"
+ direction = "in"
+ protocol = "icmp"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+ rule {
+ description = "SSH access"
+ direction = "in"
+ protocol = "tcp"
+ port = "22"
+ source_ips = [
+ "${chomp(data.http.myipv4.body)}/32",
+ "${replace(chomp(data.http.myipv6.body), "/^([0-9a-f]+:[0-9a-f]+:[0-9a-f]+:[0-9a-f]+):.*/", "$1")}::/64",
+ ]
+ }
+}
diff --git a/terraform/ssh_keys.tf b/terraform/ssh_keys.tf
deleted file mode 100644
index db794f29d..000000000
--- a/terraform/ssh_keys.tf
+++ /dev/null
@@ -1,2 +0,0 @@
-data "hcloud_ssh_keys" "all_keys" {
-}
diff --git a/terraform/versions.tf b/terraform/versions.tf
index 4922ac71a..98407af46 100644
--- a/terraform/versions.tf
+++ b/terraform/versions.tf
@@ -16,6 +16,10 @@ terraform {
 source = "hashicorp/local"
 version = "1.4.0"
 }
+ http = {
+ source = "hashicorp/http"
+ version = "2.1.0"
+ }
 }
 required_version = ">= 0.14"
 }
-- 
GitLab
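Review bot: The IPv6 entry in the "SSH access" rule only works when the first four hextets of the ipify response are written out in full: the regex `^([0-9a-f]+:[0-9a-f]+:[0-9a-f]+:[0-9a-f]+):.*` does not match an address whose `::` falls inside the first 64 bits (nor uppercase hex), `replace` then returns the whole address unchanged, and the rule gets an invalid `<full address>::/64` source that the apply would presumably reject. Letting Terraform mask the host bits avoids the hand-written parser: `"${cidrsubnet("${chomp(data.http.myipv6.body)}/64", 0, 0)}",`. Note also that this allows the operator's entire /64 rather than "only this machine" as the commit message says, and both source_ips are recomputed from whichever network runs `terraform apply`, so a run from another host or from CI silently replaces the previous allow-list; a comment above the rule such as `# Source IPs track the machine running apply (IPv4 host, IPv6 whole /64); applying from another network rewrites this rule` would make that explicit.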