fix: added 1 additional rule to allow control plane to be accessed by specified list of cidr blocks (#431)

hyder · web-flow · commit 2eec72ebaab9 · 2021-11-29T17:49:59.000+11:00
Signed-off-by: Ali Mukadam &lt;ali.mukadam@oracle.com&gt;
diff --git a/modules/extensions/calico.tf b/modules/extensions/calico.tf
@@ -14,7 +14,7 @@ resource "null_resource" "install_calico" {
     bastion_private_key = local.ssh_private_key
   }
 
-  depends_on = [null_resource.install_kubectl_operator, null_resource.write_kubeconfig_on_operator]
+  depends_on = [null_resource.install_kubectl_on_operator, null_resource.write_kubeconfig_on_operator]
 
   provisioner "file" {
     content     = local.install_calico_template
diff --git a/modules/extensions/k8stools.tf b/modules/extensions/k8stools.tf
@@ -1,7 +1,7 @@
 # Copyright 2017, 2021 Oracle Corporation and/or affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 
-resource "null_resource" "install_kubectl_operator" {
+resource "null_resource" "install_kubectl_on_operator" {
   connection {
     host        = var.operator_private_ip
     private_key = local.ssh_private_key
@@ -31,7 +31,7 @@ resource "null_resource" "install_kubectl_operator" {
 }
 
 # helm
-resource "null_resource" "install_helm_operator" {
+resource "null_resource" "install_helm_on_operator" {
   connection {
     host        = var.operator_private_ip
     private_key = local.ssh_private_key
@@ -44,7 +44,7 @@ resource "null_resource" "install_helm_operator" {
     bastion_private_key = local.ssh_private_key
   }
 
-  depends_on = [null_resource.install_kubectl_operator, null_resource.write_kubeconfig_on_operator]
+  depends_on = [null_resource.install_kubectl_on_operator, null_resource.write_kubeconfig_on_operator]
 
   provisioner "file" {
     content     = local.install_helm_template
diff --git a/modules/extensions/kubeconfig.tf b/modules/extensions/kubeconfig.tf
@@ -39,7 +39,7 @@ resource "null_resource" "write_kubeconfig_on_operator" {
     bastion_private_key = local.ssh_private_key
   }
 
-  depends_on = [null_resource.install_kubectl_operator]
+  depends_on = [null_resource.install_kubectl_on_operator]
 
   provisioner "file" {
     content     = local.generate_kubeconfig_template
diff --git a/modules/extensions/metricserver.tf b/modules/extensions/metricserver.tf
@@ -14,7 +14,7 @@ resource "null_resource" "enable_metric_server" {
     bastion_private_key = local.ssh_private_key
   }
 
-  depends_on = [null_resource.install_kubectl_operator, null_resource.write_kubeconfig_on_operator]
+  depends_on = [null_resource.install_kubectl_on_operator, null_resource.write_kubeconfig_on_operator]
 
   provisioner "file" {
     content     = local.metric_server_template
diff --git a/modules/extensions/serviceaccount.tf b/modules/extensions/serviceaccount.tf
@@ -14,7 +14,7 @@ resource "null_resource" "create_service_account" {
     bastion_private_key = local.ssh_private_key
   }
 
-  depends_on = [null_resource.install_kubectl_operator, null_resource.write_kubeconfig_on_operator]
+  depends_on = [null_resource.install_kubectl_on_operator, null_resource.write_kubeconfig_on_operator]
 
   provisioner "file" {
     content = local.create_service_account_template
diff --git a/modules/network/nsgs.tf b/modules/network/nsgs.tf
@@ -78,6 +78,35 @@ resource "oci_core_network_security_group_security_rule" "cp_ingress" {
   }
 }
 
+resource "oci_core_network_security_group_security_rule" "cp_ingress_additional_cidrs" {
+  network_security_group_id = oci_core_network_security_group.cp.id
+  description               = "Allow additional CIDR block access to control plane. Required for kubectl/helm."
+  direction                 = "INGRESS"
+  protocol                  = local.tcp_protocol
+  source                    = element(var.control_plane_allowed_cidrs, count.index)
+  source_type               = "CIDR_BLOCK"
+
+  stateless = false
+
+  tcp_options {
+    destination_port_range {
+      min = 6443
+      max = 6443
+    }
+  }
+
+  icmp_options {
+    type = 3
+    code = 4
+  }
+
+  count = length(var.control_plane_allowed_cidrs)
+
+  lifecycle {
+    ignore_changes = [source, source_type, direction, protocol, tcp_options]
+  }
+}
+
 # workers nsg and rules
 resource "oci_core_network_security_group" "workers" {
   compartment_id = var.compartment_id

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ resource "null_resource" "install_calico" {`
`14`	`14`	`bastion_private_key = local.ssh_private_key`
`15`	`15`	`}`
`16`	`16`
`17`		`- depends_on = [null_resource.install_kubectl_operator, null_resource.write_kubeconfig_on_operator]`
	`17`	`+ depends_on = [null_resource.install_kubectl_on_operator, null_resource.write_kubeconfig_on_operator]`
`18`	`18`
`19`	`19`	`provisioner "file" {`
`20`	`20`	`content = local.install_calico_template`
Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,7 @@ resource "null_resource" "write_kubeconfig_on_operator" {`
`39`	`39`	`bastion_private_key = local.ssh_private_key`
`40`	`40`	`}`
`41`	`41`
`42`		`- depends_on = [null_resource.install_kubectl_operator]`
	`42`	`+ depends_on = [null_resource.install_kubectl_on_operator]`
`43`	`43`
`44`	`44`	`provisioner "file" {`
`45`	`45`	`content = local.generate_kubeconfig_template`