terrafrom: Add missing SSH firewall rules

This patch adds the required firewall rules to automatically allow ssh access from the local machine (but only from this machine) to all Kubernetes notes.

terrafrom: Add missing SSH firewall rules
3d283b78 · Sheogorath · 1a0ab912 · 3d283b78 · 3d283b78 · 3d283b78
Verified Commit 3d283b78 authored 3 years ago by Sheogorath
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
@@ -23,6 +23,25 @@ provider "registry.terraform.io/cloudflare/cloudflare" {
  ]
 }
+provider "registry.terraform.io/hashicorp/http" {
+  version     = "2.1.0"
+  constraints = "2.1.0"
+  hashes = [
+    "h1:HmUcHqc59VeHReHD2SEhnLVQPUKHKTipJ8Jxq67GiDU=",
+    "zh:03d82dc0887d755b8406697b1d27506bc9f86f93b3e9b4d26e0679d96b802826",
+    "zh:0704d02926393ddc0cfad0b87c3d51eafeeae5f9e27cc71e193c141079244a22",
+    "zh:095ea350ea94973e043dad2394f10bca4a4bf41be775ba59d19961d39141d150",
+    "zh:0b71ac44e87d6964ace82979fc3cbb09eb876ed8f954449481bcaa969ba29cb7",
+    "zh:0e255a170db598bd1142c396cefc59712ad6d4e1b0e08a840356a371e7b73bc4",
+    "zh:67c8091cfad226218c472c04881edf236db8f2dc149dc5ada878a1cd3c1de171",
+    "zh:75df05e25d14b5101d4bc6624ac4a01bb17af0263c9e8a740e739f8938b86ee3",
+    "zh:b4e36b2c4f33fdc44bf55fa1c9bb6864b5b77822f444bd56f0be7e9476674d0e",
+    "zh:b9b36b01d2ec4771838743517bc5f24ea27976634987c6d5529ac4223e44365d",
+    "zh:ca264a916e42e221fddb98d640148b12e42116046454b39ede99a77fc52f59f4",
+    "zh:fe373b2fb2cc94777a91ecd7ac5372e699748c455f44f6ea27e494de9e5e6f92",
+  ]
+}
 provider "registry.terraform.io/hashicorp/local" {
  version     = "1.4.0"
  constraints = "1.4.0"

--- a/terraform/firewall.tf
+++ b/terraform/firewall.tf
-# https://docs.k8s.io/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-network-connectivity-user-infra_installing-platform-agnostic
 resource "hcloud_firewall" "k8s-node" {
  name = "k8s-node"
  apply_to {

--- a/terraform/ssh.tf
+++ b/terraform/ssh.tf
+data "hcloud_ssh_keys" "all_keys" {
+}
+# Get current public IPs to configure SSH firewall
+data "http" "myipv4" {
+  url = "https://api4.ipify.org"
+}
+data "http" "myipv6" {
+  url = "https://api6.ipify.org"
+}
+resource "hcloud_firewall" "k8s-ssh" {
+  name = "k8s-ssh"
+  apply_to {
+    label_selector = "k8s.io/node"
+  }
+  # ICMP is always a good idea
+  #
+  # Network reachability tests
+  rule {
+      description     = "ICMP"
+      direction       = "in"
+      protocol        = "icmp"
+      source_ips      = [
+        "0.0.0.0/0",
+        "::/0"
+      ]
+  }
+  rule {
+      description     = "SSH access"
+      direction       = "in"
+      protocol        = "tcp"
+      port            = "22"
+      source_ips      = [
+        "${chomp(data.http.myipv4.body)}/32",
+        "${replace(chomp(data.http.myipv6.body), "/^([0-9a-f]+:[0-9a-f]+:[0-9a-f]+:[0-9a-f]+):.*/", "$1")}::/64",
+      ]
+  }
+}
--- a/terraform/ssh_keys.tf
+++ b/terraform/ssh_keys.tf
-data "hcloud_ssh_keys" "all_keys" {
-}
--- a/terraform/versions.tf
+++ b/terraform/versions.tf
@@ -16,6 +16,10 @@ terraform {
      source  = "hashicorp/local"
      version = "1.4.0"
    }
+    http = {
+      source  = "hashicorp/http"
+      version = "2.1.0"
+    }
  }
  required_version = ">= 0.14"
 }