feat: enable multiple cidr for k8s/ssh

zifeo · Oct 15, 2024 · 6b8ca67 · 6b8ca67
1 parent 4a494df
commit 6b8ca67
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 12 deletions.
diff --git a/agent.log.zip b/agent.log.zip
diff --git a/examples/single-server/main.tf b/examples/single-server/main.tf
@@ -10,8 +10,8 @@ module "rke2" {
   ssh_authorized_keys = ["~/.ssh/id_rsa.pub"]
   floating_pool       = "ext-floating1"
   # should be restricted to a secure bastion
-  rules_ssh_cidr = "0.0.0.0/0"
-  rules_k8s_cidr = "0.0.0.0/0"
+  rules_ssh_cidr = ["0.0.0.0/0"]
+  rules_k8s_cidr = ["0.0.0.0/0"]
   # auto load manifest form a folder (https://docs.rke2.io/advanced#auto-deploying-manifests)
   manifests_folder = "./manifests"
 
@@ -27,7 +27,7 @@ module "rke2" {
     system_user      = "ubuntu"
     boot_volume_size = 6
 
-    rke2_version     = "v1.28.4+rke2r1"
+    rke2_version     = "v1.30.3+rke2r1"
     rke2_volume_size = 8
     # https://docs.rke2.io/install/install_options/server_config/
     rke2_config = <<EOF
@@ -50,7 +50,7 @@ EOF
       system_user      = "ubuntu"
       boot_volume_size = 6
 
-      rke2_version     = "v1.28.4+rke2r1"
+      rke2_version     = "v1.30.3+rke2r1"
       rke2_volume_size = 8
     }
   ]

diff --git a/secgroup.tf b/secgroup.tf
@@ -35,8 +35,8 @@ resource "openstack_networking_secgroup_rule_v2" "agent_outside6" {
 resource "openstack_networking_secgroup_rule_v2" "outside_servers" {
   for_each = {
     for rule in concat(
-      var.rules_ssh_cidr != null ? [{ "port" : 22, "protocol" : "tcp", "source" : var.rules_ssh_cidr }] : [],
-      var.rules_k8s_cidr != null ? [{ "port" : 6443, "protocol" : "tcp", "source" : var.rules_k8s_cidr }] : [],
+      var.rules_ssh_cidr != null ? [for r in var.rules_ssh_cidr : { "port" : 22, "protocol" : "tcp", "source" : r }] : [],
+      var.rules_k8s_cidr != null ? [for r in var.rules_k8s_cidr : { "port" : 6443, "protocol" : "tcp", "source" : r }] : [],
     ) :
     format("%s-%s-%s", rule["source"], rule["protocol"], rule["port"]) => rule
   }

diff --git a/variables.tf b/variables.tf
@@ -13,18 +13,18 @@ variable "floating_pool" {
 }
 
 variable "rules_ssh_cidr" {
-  type = string
+  type = list(string)
   validation {
-    condition     = can(cidrnetmask(var.rules_ssh_cidr)) || var.rules_ssh_cidr == null
-    error_message = "Must be a valid IPv4 CIDR block or null (no access)"
+    condition     = var.rules_ssh_cidr == null ? true : alltrue([for r in var.rules_ssh_cidr : can(cidrnetmask(r))])
+    error_message = "Must be a valid IPv4 CIDR list or null (no access)"
   }
 }
 
 variable "rules_k8s_cidr" {
-  type = string
+  type = list(string)
   validation {
-    condition     = can(cidrnetmask(var.rules_k8s_cidr)) || var.rules_k8s_cidr == null
-    error_message = "Must be a valid IPv4 CIDR block or null (no access)"
+    condition     = var.rules_k8s_cidr == null ? true : alltrue([for r in var.rules_k8s_cidr : can(cidrnetmask(r))])
+    error_message = "Must be a valid IPv4 CIDR list or null (no access)"
   }
 }