From cc5178a697311d2aa261efb5a87248e8ec016908 Mon Sep 17 00:00:00 2001
From: Mishal Shah <100714644+mishah334@users.noreply.github.com>
Date: Fri, 4 Nov 2022 09:35:30 +0530
Subject: [PATCH] Improve Cluster Authorized IP Management (#69)

* Improving allow IP management for the cluster.
* Updating var type.
* Testing multiple ips
* Removing test ip.
---
 examples/from_scratch/main.tf | 5 +++++
 main.tf | 16 +++++++---------
 variables.tf | 4 ++--
 3 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/examples/from_scratch/main.tf b/examples/from_scratch/main.tf
index 54ee8c9..ff8069b 100644
--- a/examples/from_scratch/main.tf
+++ b/examples/from_scratch/main.tf
@@ -8,6 +8,10 @@ variable "spotinist_token" {
 default = "12345"
 }
 
+data "http" "local_ip" {
+ url = "https://api.ipify.org/"
+}
+
 module "astronomer_gcp" {
 source = "../.."
 deployment_id = var.deployment_id
@@ -15,6 +19,7 @@ module "astronomer_gcp" {
 email = "infrastructure@astronomer.io"
 zonal_cluster = var.zonal
 management_endpoint = "public"
+ kube_api_whitelist_cidr = ["${trimspace(data.http.local_ip.response_body)}/32"]
 enable_gke_metered_billing = true
 db_max_connections = 1000
 db_version = "POSTGRES_14"
diff --git a/main.tf b/main.tf
index cef53c4..4860837 100644
--- a/main.tf
+++ b/main.tf
@@ -3,10 +3,6 @@ resource "random_string" "password" {
 special = true
 }
 
-data "http" "local_ip" {
- url = "https://api.ipify.org/"
-}
-
 # data "google_container_engine_versions" "versions" {
 # location = var.zonal_cluster ? local.zone : local.region
 # version_prefix = "1.14."
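Review bot: The example passes `data.http.local_ip.response_body` straight into `kube_api_whitelist_cidr` as `<body>/32` without checking that the body is an IPv4 address, so the set of networks allowed to reach the GKE control plane is decided entirely by what `https://api.ipify.org/` returns over the network at plan time (the `data "http"` block in the first hunk and the module argument in the second). A non-address or IPv6 body is only caught by the provider at apply, and a response carrying some other address would be authorized silently. Consider a postcondition on the data source, `lifecycle { postcondition { condition = can(cidrnetmask("${trimspace(self.response_body)}/32")); error_message = "ipify did not return an IPv4 address" } }`, and a comment such as `# Example only: resolves the caller's public IP via a third-party service; real deployments should pass a known CIDR list.`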
@@ -96,12 +92,14 @@ resource "google_container_cluster" "primary" {
 }
 
 master_authorized_networks_config {
- cidr_blocks {
- # display_name = google_compute_subnetwork.bastion.name
- # either whitelist the caller's IP or only allow access from bastion
- cidr_block = var.management_endpoint == "public" ? var.kube_api_whitelist_cidr == "" ? "${trimspace(data.http.local_ip.response_body)}/32" : var.kube_api_whitelist_cidr : google_compute_subnetwork.bastion[0].ip_cidr_range
+ dynamic "cidr_blocks" {
+ for_each = var.management_endpoint == "public" ? var.kube_api_whitelist_cidr : toset([google_compute_subnetwork.bastion[0].ip_cidr_range])
+ content {
+ # display_name = google_compute_subnetwork.bastion.name
+ # either whitelist the caller's IP or only allow access from bastion
+ cidr_block = cidr_blocks.key
+ }
 }
- }
 
 pod_security_policy_config {
diff --git a/variables.tf b/variables.tf
index edf3271..074984c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -507,8 +507,8 @@ variable "maintenance_exclusion" {
 ## Extra stuff
 
 variable "kube_api_whitelist_cidr" {
- default = ""
- type = string
+ default = []
+ type = set(string)
 description = "If not provided, will whitelist only the calling IP, otherwise provide this CIDR block. This is ignore if var.management_endpoint is not set to 'public'"
 }
 
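Review bot: With `management_endpoint == "public"` and the new default `kube_api_whitelist_cidr = []`, the `for_each` in the `dynamic "cidr_blocks"` block yields no entries, so the cluster is created with `master_authorized_networks_config` present but an empty list — the old fallback to the caller's IP is gone, and a user who relied on the old default loses control-plane access with no plan-time signal. Nothing rejects an over-broad entry either, so a value like `0.0.0.0/0` would expose the public endpoint to every address. A precondition on the resource, or a `validation` block on the variable, e.g. `condition = alltrue([for c in var.kube_api_whitelist_cidr : can(cidrnetmask(c)) && c != "0.0.0.0/0"])`, makes both cases explicit; `resource "google_container_cluster" "primary"` starts and ends outside the hunk. As rendered here the new side also seems to leave `master_authorized_networks_config` unclosed after the removed `}`, although the hunk header counts suggest one line is missing from this rendering, so confirm against the file.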
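Review bot: The `description` still says "If not provided, will whitelist only the calling IP", but after this commit an empty set produces no `cidr_blocks` in main.tf and the caller-IP lookup lives only in the example, so the text documents behaviour the module no longer has. Suggest `description = "CIDR blocks allowed to reach the Kubernetes API when var.management_endpoint is 'public'. An empty set leaves the authorized-network list empty. Ignored when var.management_endpoint is not 'public'."`, which also fixes `This is ignore`.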