Improve Cluster Authorized IP Management (#69)

* Improving allow IP management for the cluster. * Updating var type. * Testing multiple ips * Removing test ip.
astronomer · Nov 4, 2022 · cc5178a · cc5178a
1 parent 170dd43
commit cc5178a
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 11 deletions.
diff --git a/examples/from_scratch/main.tf b/examples/from_scratch/main.tf
@@ -8,13 +8,18 @@ variable "spotinist_token" {
   default = "12345"
 }
 
+data "http" "local_ip" {
+  url = "https://api.ipify.org/"
+}
+
 module "astronomer_gcp" {
   source                     = "../.."
   deployment_id              = var.deployment_id
   dns_managed_zone           = "astrodev"
   email                      = "[email protected]"
   zonal_cluster              = var.zonal
   management_endpoint        = "public"
+  kube_api_whitelist_cidr    = ["${trimspace(data.http.local_ip.response_body)}/32"]
   enable_gke_metered_billing = true
   db_max_connections         = 1000
   db_version                 = "POSTGRES_14"

diff --git a/main.tf b/main.tf
@@ -3,10 +3,6 @@ resource "random_string" "password" {
   special = true
 }
 
-data "http" "local_ip" {
-  url = "https://api.ipify.org/"
-}
-
 # data "google_container_engine_versions" "versions" {
 #   location       = var.zonal_cluster ? local.zone : local.region
 #   version_prefix = "1.14."
@@ -96,12 +92,14 @@ resource "google_container_cluster" "primary" {
   }
 
   master_authorized_networks_config {
-    cidr_blocks {
-      # display_name = google_compute_subnetwork.bastion.name
-      # either whitelist the caller's IP or only allow access from bastion
-      cidr_block = var.management_endpoint == "public" ? var.kube_api_whitelist_cidr == "" ? "${trimspace(data.http.local_ip.response_body)}/32" : var.kube_api_whitelist_cidr : google_compute_subnetwork.bastion[0].ip_cidr_range
+    dynamic "cidr_blocks" {
+      for_each = var.management_endpoint == "public" ? var.kube_api_whitelist_cidr : toset([google_compute_subnetwork.bastion[0].ip_cidr_range])
+      content {
+        # display_name = google_compute_subnetwork.bastion.name
+        # either whitelist the caller's IP or only allow access from bastion
+        cidr_block = cidr_blocks.key
+      }
     }
-
   }
 
   pod_security_policy_config {

diff --git a/variables.tf b/variables.tf
@@ -507,8 +507,8 @@ variable "maintenance_exclusion" {
 ## Extra stuff
 
 variable "kube_api_whitelist_cidr" {
-  default     = ""
-  type        = string
+  default     = []
+  type        = set(string)
   description = "If not provided, will whitelist only the calling IP, otherwise provide this CIDR block. This is ignore if var.management_endpoint is not set to 'public'"
 }