Merge pull request #16 from cruxstack/dev

sgtoj · web-flow · commit 4a57e9697753 · 2025-07-24T12:14:54.000-04:00
feat: support user-defined cirds
diff --git a/main.tf b/main.tf
@@ -76,16 +76,17 @@ module "auth_servers" {
 
   experimental = local.teleport_experimental_mode
 
-  dns_parent_zone_id     = var.dns_parent_zone_id
-  dns_parent_zone_name   = var.dns_parent_zone_name
-  artifacts_bucket_name  = local.artifacts_bucket_name
-  logs_bucket_name       = local.logs_bucket_name
-  vpc_id                 = var.vpc_id
-  vpc_private_subnet_ids = var.vpc_private_subnet_ids
-  vpc_public_subnet_ids  = var.vpc_public_subnet_ids
-  aws_account_id         = local.aws_account_id
-  aws_kv_namespace       = local.aws_kv_namespace
-  aws_region_name        = local.aws_region_name
+  dns_parent_zone_id               = var.dns_parent_zone_id
+  dns_parent_zone_name             = var.dns_parent_zone_name
+  artifacts_bucket_name            = local.artifacts_bucket_name
+  logs_bucket_name                 = local.logs_bucket_name
+  vpc_id                           = var.vpc_id
+  vpc_private_subnet_ids           = var.vpc_private_subnet_ids
+  vpc_public_subnet_ids            = var.vpc_public_subnet_ids
+  vpc_security_group_allowed_cirds = local.instance_config.auth.allowed_cirds
+  aws_account_id                   = local.aws_account_id
+  aws_kv_namespace                 = local.aws_kv_namespace
+  aws_region_name                  = local.aws_region_name
 
   context = module.teleport_cluster_label.context
 }
@@ -111,16 +112,17 @@ module "proxy_servers" {
 
   experimental = local.teleport_experimental_mode
 
-  dns_parent_zone_id     = var.dns_parent_zone_id
-  dns_parent_zone_name   = var.dns_parent_zone_name
-  artifacts_bucket_name  = local.artifacts_bucket_name # todo - create bucket with module
-  logs_bucket_name       = local.logs_bucket_name
-  vpc_id                 = var.vpc_id
-  vpc_private_subnet_ids = var.vpc_private_subnet_ids
-  vpc_public_subnet_ids  = var.vpc_public_subnet_ids
-  aws_account_id         = local.aws_account_id
-  aws_kv_namespace       = local.aws_kv_namespace
-  aws_region_name        = local.aws_region_name
+  dns_parent_zone_id               = var.dns_parent_zone_id
+  dns_parent_zone_name             = var.dns_parent_zone_name
+  artifacts_bucket_name            = local.artifacts_bucket_name # todo - create bucket with module
+  logs_bucket_name                 = local.logs_bucket_name
+  vpc_id                           = var.vpc_id
+  vpc_private_subnet_ids           = var.vpc_private_subnet_ids
+  vpc_public_subnet_ids            = var.vpc_public_subnet_ids
+  vpc_security_group_allowed_cirds = local.instance_config.proxy.allowed_cirds
+  aws_account_id                   = local.aws_account_id
+  aws_kv_namespace                 = local.aws_kv_namespace
+  aws_region_name                  = local.aws_region_name
 
   context = module.teleport_cluster_label.context
 }
@@ -146,16 +148,17 @@ module "node_servers" {
 
   experimental = local.teleport_experimental_mode
 
-  dns_parent_zone_id     = var.dns_parent_zone_id
-  dns_parent_zone_name   = var.dns_parent_zone_name
-  artifacts_bucket_name  = local.artifacts_bucket_name # todo - create bucket with module
-  logs_bucket_name       = local.logs_bucket_name
-  vpc_id                 = var.vpc_id
-  vpc_private_subnet_ids = var.vpc_private_subnet_ids
-  vpc_public_subnet_ids  = var.vpc_public_subnet_ids
-  aws_account_id         = local.aws_account_id
-  aws_kv_namespace       = local.aws_kv_namespace
-  aws_region_name        = local.aws_region_name
+  dns_parent_zone_id               = var.dns_parent_zone_id
+  dns_parent_zone_name             = var.dns_parent_zone_name
+  artifacts_bucket_name            = local.artifacts_bucket_name # todo - create bucket with module
+  logs_bucket_name                 = local.logs_bucket_name
+  vpc_id                           = var.vpc_id
+  vpc_private_subnet_ids           = var.vpc_private_subnet_ids
+  vpc_public_subnet_ids            = var.vpc_public_subnet_ids
+  vpc_security_group_allowed_cirds = local.instance_config.node.allowed_cirds
+  aws_account_id                   = local.aws_account_id
+  aws_kv_namespace                 = local.aws_kv_namespace
+  aws_region_name                  = local.aws_region_name
 
   context = module.teleport_cluster_label.context
 }
diff --git a/modules/teleport-node/main.tf b/modules/teleport-node/main.tf
@@ -411,7 +411,7 @@ module "security_group" {
   preserve_security_group_id = true
   allow_all_egress           = true
 
-  rules = [{
+  rules = compact([{
     key                      = "group"
     type                     = "ingress"
     from_port                = 0
@@ -422,84 +422,92 @@ module "security_group" {
     ipv6_cidr_blocks         = []
     source_security_group_id = null
     self                     = true
-    }, {
-    key                      = "auth"
-    type                     = "ingress"
-    from_port                = 3025
-    to_port                  = 3025
-    protocol                 = "tcp"
-    description              = "allow auth traffic"
-    cidr_blocks              = ["0.0.0.0/0"]
-    ipv6_cidr_blocks         = []
-    source_security_group_id = null
-    self                     = null
-    }, {
-    key                      = "node-ssh"
-    type                     = "ingress"
-    from_port                = 3022
-    to_port                  = 3022
-    protocol                 = "tcp"
-    description              = "allow teleport node ssh"
-    cidr_blocks              = ["0.0.0.0/0"]
-    ipv6_cidr_blocks         = []
-    source_security_group_id = null
-    self                     = null
-    }, {
-    key                      = "proxy-ssh"
-    type                     = "ingress"
-    from_port                = 3023
-    to_port                  = 3023
-    protocol                 = "tcp"
-    description              = "allow teleport proxy ssh"
-    cidr_blocks              = ["0.0.0.0/0"]
-    ipv6_cidr_blocks         = []
-    source_security_group_id = null
-    self                     = null
-    }, {
-    key                      = "proxy-reverse-ssh"
-    type                     = "ingress"
-    from_port                = 3024
-    to_port                  = 3024
-    protocol                 = "tcp"
-    description              = "allow teleport proxy reverse-ssh"
-    cidr_blocks              = ["0.0.0.0/0"]
-    ipv6_cidr_blocks         = []
-    source_security_group_id = null
-    self                     = null
-    }, {
-    key                      = "proxy-https"
-    type                     = "ingress"
-    from_port                = 443
-    to_port                  = 443
-    protocol                 = "tcp"
-    description              = "allow teleport proxy https"
-    cidr_blocks              = ["0.0.0.0/0"]
-    ipv6_cidr_blocks         = []
-    source_security_group_id = null
-    self                     = null
-    }, {
-    key                      = "proxy-web"
-    type                     = "ingress"
-    from_port                = 3080
-    to_port                  = 3080
-    protocol                 = "tcp"
-    description              = "allow teleport proxy https"
-    cidr_blocks              = ["0.0.0.0/0"]
-    ipv6_cidr_blocks         = []
-    source_security_group_id = null
-    self                     = null
-    }, {
-    key                      = "node-mysql"
-    type                     = "ingress"
-    from_port                = 3036
-    to_port                  = 3036
-    protocol                 = "tcp"
-    description              = "allow teleport proxy https"
-    cidr_blocks              = ["0.0.0.0/0"]
-    ipv6_cidr_blocks         = []
-    source_security_group_id = null
-    self                     = null
-  }]
+    },
+    length(var.vpc_security_group_allowed_cirds) > 0 ? {
+      key                      = "auth"
+      type                     = "ingress"
+      from_port                = 3025
+      to_port                  = 3025
+      protocol                 = "tcp"
+      description              = "allow auth traffic"
+      cidr_blocks              = var.vpc_security_group_allowed_cirds
+      ipv6_cidr_blocks         = []
+      source_security_group_id = null
+      self                     = null
+    } : null,
+    length(var.vpc_security_group_allowed_cirds) > 0 ? {
+      key                      = "node-ssh"
+      type                     = "ingress"
+      from_port                = 3022
+      to_port                  = 3022
+      protocol                 = "tcp"
+      description              = "allow teleport node ssh"
+      cidr_blocks              = var.vpc_security_group_allowed_cirds
+      ipv6_cidr_blocks         = []
+      source_security_group_id = null
+      self                     = null
+    } : null,
+    length(var.vpc_security_group_allowed_cirds) > 0 ? {
+      key                      = "proxy-ssh"
+      type                     = "ingress"
+      from_port                = 3023
+      to_port                  = 3023
+      protocol                 = "tcp"
+      description              = "allow teleport proxy ssh"
+      cidr_blocks              = var.vpc_security_group_allowed_cirds
+      ipv6_cidr_blocks         = []
+      source_security_group_id = null
+      self                     = null
+    } : null,
+    length(var.vpc_security_group_allowed_cirds) > 0 ? {
+      key                      = "proxy-reverse-ssh"
+      type                     = "ingress"
+      from_port                = 3024
+      to_port                  = 3024
+      protocol                 = "tcp"
+      description              = "allow teleport proxy reverse-ssh"
+      cidr_blocks              = var.vpc_security_group_allowed_cirds
+      ipv6_cidr_blocks         = []
+      source_security_group_id = null
+      self                     = null
+    } : null,
+    length(var.vpc_security_group_allowed_cirds) > 0 ? {
+      key                      = "proxy-https"
+      type                     = "ingress"
+      from_port                = 443
+      to_port                  = 443
+      protocol                 = "tcp"
+      description              = "allow teleport proxy https"
+      cidr_blocks              = var.vpc_security_group_allowed_cirds
+      ipv6_cidr_blocks         = []
+      source_security_group_id = null
+      self                     = null
+    } : null,
+    length(var.vpc_security_group_allowed_cirds) > 0 ? {
+      key                      = "proxy-web"
+      type                     = "ingress"
+      from_port                = 3080
+      to_port                  = 3080
+      protocol                 = "tcp"
+      description              = "allow teleport proxy (alternative) https"
+      cidr_blocks              = var.vpc_security_group_allowed_cirds
+      ipv6_cidr_blocks         = []
+      source_security_group_id = null
+      self                     = null
+    } : null,
+    length(var.vpc_security_group_allowed_cirds) > 0 ? {
+      key                      = "proxy-mysql"
+      type                     = "ingress"
+      from_port                = 3036
+      to_port                  = 3036
+      protocol                 = "tcp"
+      description              = "allow teleport proxy db connections"
+      cidr_blocks              = var.vpc_security_group_allowed_cirds
+      ipv6_cidr_blocks         = []
+      source_security_group_id = null
+      self                     = null
+    } : null,
+  ])
 
   tags    = merge(module.node_type_label.tags, { Name = module.node_type_label.id })
   context = module.node_type_label.context
diff --git a/modules/teleport-node/variables.tf b/modules/teleport-node/variables.tf
@@ -90,6 +90,11 @@ variable "vpc_id" {
   type = string
 }
 
+variable "vpc_security_group_allowed_cirds" {
+  type    = list(string)
+  default = ["0.0.0.0/0"]
+}
+
 variable "vpc_security_group_ids" {
   type    = list(string)
   default = []
diff --git a/variables.tf b/variables.tf
@@ -27,19 +27,22 @@ variable "teleport_experimental_mode" {
 variable "instance_config" {
   type = object({
     auth = optional(object({
-      count = optional(number, 1)
-      sizes = optional(list(string), ["t3.micro", "t3a.micro"])
+      count         = optional(number, 1)
+      sizes         = optional(list(string), ["t3.micro", "t3a.micro"])
+      allowed_cidrs = optional(string, ["0.0.0.0/0"])
     }), {})
     node = optional(object({
-      count = optional(number, 1)
-      sizes = optional(list(string), ["t3.micro", "t3a.micro"])
+      count         = optional(number, 1)
+      sizes         = optional(list(string), ["t3.micro", "t3a.micro"])
+      allowed_cidrs = optional(string, ["0.0.0.0/0"])
     }), {})
     proxy = optional(object({
-      count = optional(number, 1)
-      sizes = optional(list(string), ["t3.micro", "t3a.micro"])
+      count         = optional(number, 1)
+      sizes         = optional(list(string), ["t3.micro", "t3a.micro"])
+      allowed_cidrs = optional(string, ["0.0.0.0/0"])
     }), {})
   })
-  description = "Configuration for the instances. Each type (`auth`, `node`, `proxy`) contains an object with `count` and `sizes`."
+  description = "Configuration for the instances. Each type (`auth`, `node`, `proxy`) contains an object with `count`, `sizes`, and `allowed_cidrs`."
   default     = {}
 }
 
