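# Firewall inputs and the derived rule set for the cluster firewall.
#
# Source precedence for the two API endpoints: a per-API override
# (var.firewall_kube_api_source / var.firewall_talos_api_source) wins over the
# shared var.firewall_api_source. When neither is set and the cluster is
# publicly reachable, the public address the Terraform runner is currently
# using is looked up (data.http.current_ipv4 / current_ipv6) and becomes the
# only allowed source for both APIs.
locals {
  # Per-API source list, falling back to the shared API source list.
  firewall_kube_api_source = (
    var.firewall_kube_api_source != null ?
    var.firewall_kube_api_source :
    var.firewall_api_source
  )
  firewall_talos_api_source = (
    var.firewall_talos_api_source != null ?
    var.firewall_talos_api_source :
    var.firewall_api_source
  )

  # Look up the runner's current address only when the matching public address
  # family is enabled. If var.firewall_use_current_ipv{4,6} is left null, the
  # default is to do so exactly when the cluster is public and no explicit API
  # source is configured (otherwise nothing would be allowed in at all).
  firewall_use_current_ipv4 = local.network_public_ipv4_enabled && coalesce(
    var.firewall_use_current_ipv4,
    var.cluster_access == "public" && local.firewall_kube_api_source == null && local.firewall_talos_api_source == null
  )
  firewall_use_current_ipv6 = local.network_public_ipv6_enabled && coalesce(
    var.firewall_use_current_ipv6,
    var.cluster_access == "public" && local.firewall_kube_api_source == null && local.firewall_talos_api_source == null
  )

  # Source list built from the runner's current public address(es).
  # IPv4 is allowed as a single host (/32). For IPv6 the address's whole /64
  # network is allowed (cidrsubnet with 0 extra bits keeps the /64 and drops the
  # host part), not just the single address — presumably because hosts rotate
  # addresses within their prefix; every other host in that /64 is admitted too.
  # The IPv6 lookup may answer with an IPv4 address when the runner has no IPv6
  # connectivity (see data.http.current_ipv6), so its body is only used when it
  # contains ":".
  current_ip = concat(
    local.firewall_use_current_ipv4 ? ["${chomp(data.http.current_ipv4[0].response_body)}/32"] : [],
    local.firewall_use_current_ipv6 ? (
      strcontains(data.http.current_ipv6[0].response_body, ":") ?
      [cidrsubnet("${chomp(data.http.current_ipv6[0].response_body)}/64", 0, 0)] :
      []
    ) : []
  )

  # Built-in rules: one per API, emitted only when there is at least one source
  # to allow. An explicit source list takes precedence over the current-address
  # list.
  # NOTE(review): an explicitly empty list (not null) passes the `!= null` guard
  # and coalesce(), producing a rule with empty source_ips — confirm that is
  # intended and how the provider treats such a rule.
  firewall_default_rules = concat(
    local.firewall_kube_api_source != null || length(local.current_ip) > 0 ? [
      {
        description = "Allow Incoming Requests to Kube API"
        direction   = "in"
        source_ips  = coalesce(local.firewall_kube_api_source, local.current_ip)
        protocol    = "tcp"
        port        = local.kube_api_port
      }
    ] : [],
    local.firewall_talos_api_source != null || length(local.current_ip) > 0 ? [
      {
        description = "Allow Incoming Requests to Talos API"
        direction   = "in"
        source_ips  = coalesce(local.firewall_talos_api_source, local.current_ip)
        protocol    = "tcp"
        port        = local.talos_api_port
      }
    ] : [],
  )

  # Both rule maps are keyed "<direction>-<protocol>-<port>" so that a default
  # rule and an extra rule for the same tuple collapse to a single entry. The
  # literal "null" stands in for a missing or null port (e.g. icmp rules) —
  # presumably because format() does not accept a null argument. The same
  # coalesce() guard is applied to both maps so the key derivation stays
  # identical for default and extra rules.
  firewall_rules = {
    for rule in local.firewall_default_rules :
    format("%s-%s-%s",
      lookup(rule, "direction", "null"),
      lookup(rule, "protocol", "null"),
      coalesce(lookup(rule, "port", "null"), "null")
    ) => rule
  }
  firewall_extra_rules = {
    for rule in var.firewall_extra_rules :
    format("%s-%s-%s",
      lookup(rule, "direction", "null"),
      lookup(rule, "protocol", "null"),
      coalesce(lookup(rule, "port", "null"), "null")
    ) => rule
  }

  # Final list handed to hcloud_firewall. merge() lets the later argument win,
  # so a default rule overrides an extra rule with the same key: extra rules
  # cannot replace the built-in Kube/Talos API rules. values() yields the rules
  # in lexical key order.
  firewall_rules_list = values(
    merge(local.firewall_extra_rules, local.firewall_rules)
  )
}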
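# Public IPv4 address of the host running Terraform, as reported by a
# third-party echo service. Only queried when the current-address rule is in
# use. The response body ends up in firewall source lists, so it is checked to
# be a single IPv4 address rather than trusted as-is; the consumer strips the
# trailing newline with chomp().
data "http" "current_ipv4" {
  count = local.firewall_use_current_ipv4 ? 1 : 0
  url   = "https://ipv4.icanhazip.com"

  # Up to 10 attempts with a fixed 1 s delay, for transient failures.
  retry {
    attempts     = 10
    min_delay_ms = 1000
    max_delay_ms = 1000
  }

  lifecycle {
    postcondition {
      condition     = contains([200], self.status_code)
      error_message = "HTTP status code invalid"
    }
    # Fail here, with a clear message, instead of producing a bogus firewall
    # rule from a malformed or unexpected body (error page, IPv6 answer, empty).
    postcondition {
      condition = (
        can(cidrhost("${chomp(self.response_body)}/32", 0)) &&
        !strcontains(self.response_body, ":")
      )
      error_message = "Response body is not a single IPv4 address"
    }
  }
}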
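# Public IPv6 address of the host running Terraform, as reported by a
# third-party echo service. Only queried when the current-address rule is in
# use. When var.firewall_use_current_ipv6 is explicitly true the IPv6-only
# endpoint is used, so the lookup fails if the runner has no IPv6; when the
# default was derived (variable left null) the dual-stack endpoint is used and
# may answer with an IPv4 address, which the consumer (locals.current_ip)
# discards by checking for ":". The body is checked to be an IP address of
# either family before it can reach a firewall rule.
data "http" "current_ipv6" {
  count = local.firewall_use_current_ipv6 ? 1 : 0
  url   = "https://${var.firewall_use_current_ipv6 == true ? "ipv6." : ""}icanhazip.com"

  # Up to 10 attempts with a fixed 1 s delay, for transient failures.
  retry {
    attempts     = 10
    min_delay_ms = 1000
    max_delay_ms = 1000
  }

  lifecycle {
    postcondition {
      condition     = contains([200], self.status_code)
      error_message = "HTTP status code invalid"
    }
    # /32 parses for both address families; anything that is not an IP address
    # (error page, empty body) fails here with a clear message.
    postcondition {
      condition     = can(cidrhost("${chomp(self.response_body)}/32", 0))
      error_message = "Response body is not an IP address"
    }
  }
}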
# The cluster firewall, named after the cluster and carrying one rule per entry
# of local.firewall_rules_list (default API rules merged with extra rules).
resource "hcloud_firewall" "this" {
  name = var.cluster_name

  labels = {
    cluster = var.cluster_name
  }

  # Optional attributes (source_ips, destination_ips, port) may be absent from
  # an extra rule; they default to an empty list / null respectively.
  dynamic "rule" {
    for_each = local.firewall_rules_list

    //noinspection HILUnresolvedReference
    content {
      description     = rule.value.description
      direction       = rule.value.direction
      protocol        = rule.value.protocol
      port            = lookup(rule.value, "port", null)
      source_ips      = lookup(rule.value, "source_ips", [])
      destination_ips = lookup(rule.value, "destination_ips", [])
    }
  }
}