refactor:(terraform): make bastion ssh ingress cidrs configurable

controlplaneio · Jan 8, 2024 · 882d998 · 882d998
1 parent 181b41e
commit 882d998
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 11 deletions.
diff --git a/terraform/modules/cluster/bastion.tf b/terraform/modules/cluster/bastion.tf
@@ -4,7 +4,7 @@ resource "aws_instance" "bastion" {
   key_name                    = aws_key_pair.admin.id
   subnet_id                   = var.public_subnet_id
   associate_public_ip_address = true
-  vpc_security_group_ids      = [
+  vpc_security_group_ids = [
     aws_security_group.bastion.id,
   ]
 
@@ -55,10 +55,7 @@ resource "aws_security_group_rule" "bastion_ssh_ingress" {
   protocol          = "tcp"
   from_port         = 22
   to_port           = 22
-  cidr_blocks       = [
-    format("%s/32", trim(data.http.player_ip.response_body, "\n")),
-    #    "0.0.0.0/0",
-  ]
+  cidr_blocks       = local.bastion_ssh_ingress
 }
 
 resource "aws_security_group_rule" "bastion_open_egress" {
@@ -67,11 +64,9 @@ resource "aws_security_group_rule" "bastion_open_egress" {
   protocol          = -1
   from_port         = 0
   to_port           = 0
-  cidr_blocks       = [
+  cidr_blocks = [
     "0.0.0.0/0",
   ]
 }
 
-data "http" "player_ip" {
-  url = "https://icanhazip.com/"
-}
+
diff --git a/terraform/modules/cluster/locals.tf b/terraform/modules/cluster/locals.tf
@@ -4,10 +4,19 @@ locals {
   admin_key_name    = format("%s-admin-key", var.name)
   player_key_name   = format("%s-player-key", var.name)
 
+  bastion_ssh_ingress = length(var.bastion_ssh_ingress) > 0 ? var.bastion_ssh_ingress : [
+    format("%s/32", trim(data.http.player_ip.response_body, "\n")),
+  ]
+
   instances = merge([for i in module.instances : i.instances]...)
 
   hosts_by_group = merge([
     for i, g in var.instance_groups:
     { format("%s", lower(var.instance_groups[i].name)) = keys(module.instances[i].instances) }
   ]...)
 }
+
+data "http" "player_ip" {
+  url = "https://icanhazip.com/"
+}
+
diff --git a/terraform/modules/cluster/variables.tf b/terraform/modules/cluster/variables.tf
@@ -37,6 +37,11 @@ variable "bastion_volume_size" {
   default     = "8"
 }
 
+variable "bastion_ssh_ingress" {
+  description = "List of CIDR blocks to grant ssh access to bastion."
+  type = list(string)
+}
+
 variable "instance_groups" {
   description = ""
   type        = list(object({

diff --git a/terraform/workspaces/simulator/main.tf b/terraform/workspaces/simulator/main.tf
@@ -3,6 +3,12 @@ variable "name" {
   default     = "simulator"
 }
 
+variable "bastion_ssh_ingress" {
+  description = "List of CIDR blocks to grant ssh access to bastion."
+  type        = list(string)
+  default     = []
+}
+
 variable "ansible_playbook_dir" {
   description = "The full path to the directory containing the Ansible Playbooks."
   default     = "/simulator/ansible/playbooks"
@@ -28,8 +34,6 @@ variable "player_bundle_dir" {
   default     = "/simulator/config/player"
 }
 
-# TODO: add switch to turn of ip lookup and ingress control
-
 locals {
   ssh_identity_filename    = "simulator_rsa"
   ssh_config_filename      = "simulator_config"
@@ -99,6 +103,7 @@ module "cluster" {
   availability_zone     = random_shuffle.availability_zones.result[0]
   bastion_ami_id        = local.bastion_ami_id
   bastion_instance_type = local.bastion_instance_type
+  bastion_ssh_ingress   = []
   instance_groups       = local.instance_groups
   tags                  = local.tags
 }