Merge branch 'feat_rancher_aws_sg_ingress_cidr' into fork

wombelix · Nov 8, 2024 · 87674a7 · 87674a7
2 parents dd46573 + 289682f
commit 87674a7
Show file tree

Hide file tree

Showing 5 changed files with 52 additions and 10 deletions.
diff --git a/rancher/aws/infra.tf b/rancher/aws/infra.tf
@@ -67,17 +67,21 @@ resource "aws_route_table_association" "rancher_route_table_association" {
   route_table_id = aws_route_table.rancher_route_table.id
 }
 
-# Security group to allow all traffic
-resource "aws_security_group" "rancher_sg_allowall" {
-  name        = "${var.prefix}-rancher-allowall"
-  description = "Rancher quickstart - allow all traffic"
+# Security group to allow ingress and egress traffic
+resource "aws_security_group" "rancher_security_group" {
+  # Adds unique suffix to the SG name, required by lifecycle policy
+  name_prefix = "${var.prefix}-rancher-security-group"
+  description = "Rancher quickstart - allow traffic from ${var.security_group_ingress_cidr}"
   vpc_id      = aws_vpc.rancher_vpc.id
 
   ingress {
     from_port   = "0"
     to_port     = "0"
     protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
+    cidr_blocks = [
+      var.security_group_ingress_cidr
+    ]
+    self        = true
   }
 
   egress {
@@ -90,6 +94,11 @@ resource "aws_security_group" "rancher_sg_allowall" {
   tags = {
     Creator = "rancher-quickstart"
   }
+
+  # Allows changes on existing SG without dependency violation
+  lifecycle {
+    create_before_destroy = true
+  }
 }
 
 # EIP resource for Rancher Server
@@ -108,7 +117,7 @@ resource "aws_instance" "rancher_server" {
   instance_type = var.instance_type
 
   key_name                    = aws_key_pair.quickstart_key_pair.key_name
-  vpc_security_group_ids      = [aws_security_group.rancher_sg_allowall.id]
+  vpc_security_group_ids      = [aws_security_group.rancher_security_group.id]
   subnet_id                   = aws_subnet.rancher_subnet.id
   associate_public_ip_address = true
 
@@ -143,6 +152,28 @@ resource "aws_eip_association" "rancher_server" {
   allocation_id = aws_eip.rancher_server.id
 }
 
+# Split-horizon DNS setup to make rancher reachable through private ip inside vpc
+resource "aws_route53_zone" "rancher_route53_private" {
+  name    = "sslip.io"
+  comment = "${var.prefix}-rancher-route53"
+
+  vpc {
+    vpc_id = aws_vpc.rancher_vpc.id
+  }
+
+  tags = {
+    Name    = "${var.prefix}-rancher-route53"
+    Creator = "rancher-quickstart"
+  }
+}
+resource "aws_route53_record" "rancher_sslip_private" {
+  zone_id = aws_route53_zone.rancher_route53_private.zone_id
+  name    = join(".", ["rancher", aws_instance.rancher_server.public_ip, "sslip.io"])
+  type    = "A"
+  ttl     = 300
+  records = [aws_instance.rancher_server.private_ip]
+}
+
 # Rancher resources
 module "rancher_common" {
   source = "../rancher-common"
@@ -168,13 +199,14 @@ module "rancher_common" {
 # AWS EC2 instance for creating a single node workload cluster
 resource "aws_instance" "quickstart_node" {
   depends_on = [
-    aws_route_table_association.rancher_route_table_association
+    aws_route_table_association.rancher_route_table_association,
+    aws_route53_record.rancher_sslip_private
   ]
   ami           = data.aws_ami.sles.id
   instance_type = var.instance_type
 
   key_name                    = aws_key_pair.quickstart_key_pair.key_name
-  vpc_security_group_ids      = [aws_security_group.rancher_sg_allowall.id]
+  vpc_security_group_ids      = [aws_security_group.rancher_security_group.id]
   subnet_id                   = aws_subnet.rancher_subnet.id
   associate_public_ip_address = true
 

diff --git a/rancher/aws/terraform.tfvars.example b/rancher/aws/terraform.tfvars.example
@@ -42,3 +42,6 @@ rancher_server_admin_password = ""
 #windows_instance_type = "t3a.large"
 
 #workload_kubernetes_version = "v1.30.4+rke2r1"
+
+# CIDR that is allowed to access the Rancher server and workload cluster, default: 0.0.0.0/0
+security_group_ingress_cidr = "0.0.0.0/0"
diff --git a/rancher/aws/variables.tf b/rancher/aws/variables.tf
@@ -90,6 +90,12 @@ variable "add_windows_node" {
   default     = false
 }
 
+variable "security_group_ingress_cidr" {
+  type        = string
+  description = "CIDR that is allowed to access the Rancher server and workload cluster, default: 0.0.0.0/0"
+  default     = "0.0.0.0/0"
+}
+
 # Local variables used to reduce repetition
 locals {
   node_username = "ec2-user"

diff --git a/rancher/aws/windows.tf b/rancher/aws/windows.tf
@@ -7,7 +7,7 @@ resource "aws_instance" "quickstart_node_win" {
   instance_type = var.windows_instance_type
 
   key_name                    = aws_key_pair.quickstart_key_pair.key_name
-  vpc_security_group_ids      = [aws_security_group.rancher_sg_allowall.id]
+  vpc_security_group_ids      = [aws_security_group.rancher_security_group.id]
   subnet_id                   = aws_subnet.rancher_subnet.id
   associate_public_ip_address = true
   get_password_data           = true

diff --git a/rancher/rancher-common/k3s.tf b/rancher/rancher-common/k3s.tf
@@ -2,8 +2,9 @@
 
 resource "ssh_resource" "install_k3s" {
   host = var.node_public_ip
+  # Advertise kube apiserver on internal ip (advertise-address), allow access in addition through public ip (tls-san)
   commands = [
-    "bash -c 'curl https://get.k3s.io | INSTALL_K3S_EXEC=\"server --node-external-ip ${var.node_public_ip} --node-ip ${var.node_internal_ip}\" INSTALL_K3S_VERSION=${var.rancher_kubernetes_version} sh -'"
+    "bash -c 'curl https://get.k3s.io | INSTALL_K3S_EXEC=\"server --node-external-ip ${var.node_public_ip} --node-ip ${var.node_internal_ip} --advertise-address ${var.node_internal_ip} --tls-san ${var.node_public_ip}\" INSTALL_K3S_VERSION=${var.rancher_kubernetes_version} sh -'"
   ]
   user        = var.node_username
   private_key = var.ssh_private_key_pem