From e97cc2025e7b66a92648be04d211fdffd9934ceb Mon Sep 17 00:00:00 2001
From: Anatoliy Dutchak
Date: Mon, 22 Jan 2024 15:21:58 +0200
Subject: [PATCH 1/7] feat(private-cluster): add a possibility for having unique fw names
---
 modules/private-cluster/firewall.tf | 22 +++++++++++++++-------
 modules/private-cluster/variables.tf | 6 ++++++
 2 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/modules/private-cluster/firewall.tf b/modules/private-cluster/firewall.tf
index a5d89cefe0..5c03f47d62 100644
--- a/modules/private-cluster/firewall.tf
+++ b/modules/private-cluster/firewall.tf
@@ -24,9 +24,17 @@ Required for clusters when VPCs enforce a default-deny egress rule
 *****************************************/
+ locals {
+ rule_name_base = (
+ var.make_firewall_rule_names_unique ?
+ "${substr(var.name, 0, min(31, length(var.name)))}-${random_string.google_compute_firewall_suffix.result}" :
+ substr(var.name, 0, min(36, length(var.name)))
+ )
+}
+
 resource "google_compute_firewall" "intra_egress" {
 count = var.add_cluster_firewall_rules ? 1 : 0
- name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-intra-cluster-egress"
+ name = "gke-${local.rule_name_base}-intra-cluster-egress"
 description = "Managed by terraform gke module: Allow pods to communicate with each other and the master"
 project = local.network_project_id
 network = var.network
@@ -60,7 +68,7 @@ resource "google_compute_firewall" "intra_egress" {
 *****************************************/
 resource "google_compute_firewall" "master_webhooks" {
 count = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0
- name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-webhooks"
+ name = "gke-${local.rule_name_base}-webhooks"
 description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks"
 project = local.network_project_id
 network = var.network
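Review bot: The `rule_name_base` local carries no comment explaining why the truncation limit drops from 36 to 31 characters when the suffix is enabled; a reader has to derive that 31 + `-` + the suffix (4 characters once PATCH 2/7 lands) keeps the base at the same 36-character budget the unsuffixed name already used, so no rule name grows longer than before. I would put `# 31 chars + "-" + random suffix == the 36-char budget of the unsuffixed name` above the conditional. Within this patch `random_string.google_compute_firewall_suffix` is not declared anywhere (the resource only arrives in PATCH 2/7), so this commit does not validate on its own and the series is not bisectable. The other hunks of this file, here and on the following lines, make the same one-line name substitution and need nothing further.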
@@ -87,7 +95,7 @@ resource "google_compute_firewall" "master_webhooks" {
 resource "google_compute_firewall" "shadow_allow_pods" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-all"
+ name = "gke-shadow-${local.rule_name_base}-all"
 description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication."
 project = local.network_project_id
 network = var.network
@@ -116,7 +124,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
 resource "google_compute_firewall" "shadow_allow_master" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-master"
+ name = "gke-shadow-${local.rule_name_base}-master"
 description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication."
 project = local.network_project_id
 network = var.network
@@ -142,7 +150,7 @@ resource "google_compute_firewall" "shadow_allow_master" {
 resource "google_compute_firewall" "shadow_allow_nodes" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-vms"
+ name = "gke-shadow-${local.rule_name_base}-vms"
 description = "Managed by Terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication."
 project = local.network_project_id
 network = var.network
@@ -177,7 +185,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
 resource "google_compute_firewall" "shadow_allow_inkubelet" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-inkubelet"
+ name = "gke-shadow-${local.rule_name_base}-inkubelet"
 description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet."
 project = local.network_project_id
 network = var.network
@@ -204,7 +212,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" {
 resource "google_compute_firewall" "shadow_deny_exkubelet" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-exkubelet"
+ name = "gke-shadow-${local.rule_name_base}-exkubelet"
 description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet."
 project = local.network_project_id
 network = var.network
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 2f3de8bc6d..427c3731d3 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -473,6 +473,12 @@ variable "add_master_webhook_firewall_rules" {
 default = false
 }
+variable "make_firewall_rule_names_unique" {
+ type = bool
+ description = "Create additional firewall rule unique suffix"
+ default = false
+}
+
 variable "firewall_priority" {
 type = number
 description = "Priority rule for firewall rules"
From c0bacd84d466eb40e5754eaa42dbb7835737d7dc Mon Sep 17 00:00:00 2001
From: Anatoliy Dutchak
Date: Mon, 22 Jan 2024 15:48:54 +0200
Subject: [PATCH 2/7] feat(private-cluster): add a possibility for having unique fw names
---
 modules/private-cluster/firewall.tf | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/modules/private-cluster/firewall.tf b/modules/private-cluster/firewall.tf
index 5c03f47d62..a636a607b6 100644
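Review bot: The description `Create additional firewall rule unique suffix` does not tell an operator what flipping the flag does to an already deployed cluster: every `name` in firewall.tf changes, and `name` on `google_compute_firewall` cannot be updated in place, so all of the module's rules are destroyed and recreated, which leaves a default-deny network without the intra-cluster egress and webhook allow rules for the duration of the apply unless the resources carry `create_before_destroy`. The generated suffix also lives only in Terraform state, so a state loss or a taint of the random resource yields a new suffix and another full rename. I would set `description = "Append a random suffix to the names of the firewall rules created by this module so that clusters whose names share a prefix in one network do not collide. Changing this on an existing cluster replaces all of those rules."`. The same terse wording recurs in the beta-public-cluster variables.tf in PATCH 5/7.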
--- a/modules/private-cluster/firewall.tf
+++ b/modules/private-cluster/firewall.tf
@@ -32,6 +32,13 @@
 )
 }
+resource "random_string" "google_compute_firewall_suffix" {
+ upper = false
+ lower = true
+ special = false
+ length = 4
+}
+
 resource "google_compute_firewall" "intra_egress" {
 count = var.add_cluster_firewall_rules ? 1 : 0
 name = "gke-${local.rule_name_base}-intra-cluster-egress"
From a6c41779b14bec7c6e09b14508e767100496d4ee Mon Sep 17 00:00:00 2001
From: Anatoliy Dutchak
Date: Mon, 22 Jan 2024 15:57:57 +0200
Subject: [PATCH 3/7] feat(private-cluster): add a possibility for having unique fw names
---
 modules/private-cluster/firewall.tf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/modules/private-cluster/firewall.tf b/modules/private-cluster/firewall.tf
index a636a607b6..cec2243b04 100644
--- a/modules/private-cluster/firewall.tf
+++ b/modules/private-cluster/firewall.tf
@@ -24,15 +24,16 @@ Required for clusters when VPCs enforce a default-deny egress rule
 *****************************************/
- locals {
+locals {
 rule_name_base = (
 var.make_firewall_rule_names_unique ?
- "${substr(var.name, 0, min(31, length(var.name)))}-${random_string.google_compute_firewall_suffix.result}" :
+ "${substr(var.name, 0, min(31, length(var.name)))}-${random_string.google_compute_firewall_suffix[0].result}" :
 substr(var.name, 0, min(36, length(var.name)))
 )
 }
 resource "random_string" "google_compute_firewall_suffix" {
+ count = var.make_firewall_rule_names_unique ? 1 : 0
 upper = false
 lower = true
 special = false
From 386a6450dd990be4465467954bdbf575b528c52c Mon Sep 17 00:00:00 2001
From: Anatoliy Dutchak
Date: Mon, 22 Jan 2024 16:12:30 +0200
Subject: [PATCH 4/7] feat(private-cluster): add a possibility for having unique fw names
---
 modules/private-cluster/firewall.tf | 4 ++--
 modules/private-cluster/variables.tf | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
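Review bot: The new `random_string` resource has no comment saying what it is for or why its alphabet is restricted; `upper = false`, `lower = true` and `special = false` (with `numeric` left at its provider default) confine the value to lowercase letters and digits, which is what keeps the result legal inside a GCE firewall rule name. I would add `# Suffix for unique rule names: lowercase alphanumerics only, so the value is valid in a GCE resource name. Kept in state, so it is stable across applies.` above the block. The `-intra-cluster-egress` context line shows the suffix feeding every rule name, so a fresh value (state loss, taint) renames all of them at once. The beta-public-cluster copy in PATCH 6/7 would take the same comment.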
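Review bot: The `[0]` index on `random_string.google_compute_firewall_suffix` sits in the true branch of a conditional whose false case is exactly the one where the resource now has `count = 0`, so the expression is an out-of-range index that, as far as I can tell, only passes because HCL drops the diagnostics of the branch it does not select — an evaluator detail rather than a documented contract, and one that surprises readers. `join("", random_string.google_compute_firewall_suffix[*].result)` yields the same string when the instance exists and `""` otherwise, so neither branch can error regardless of how the conditional is evaluated (`one()` is the tidier equivalent on Terraform versions that have it). PATCH 5/7 copies the same `[0]` form into the beta-public-cluster locals.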
diff --git a/modules/private-cluster/firewall.tf b/modules/private-cluster/firewall.tf
index cec2243b04..989591524b 100644
--- a/modules/private-cluster/firewall.tf
+++ b/modules/private-cluster/firewall.tf
@@ -26,14 +26,14 @@
 *****************************************/
 locals {
 rule_name_base = (
- var.make_firewall_rule_names_unique ?
+ var.add_firewall_rule_name_unique_suffix ?
 "${substr(var.name, 0, min(31, length(var.name)))}-${random_string.google_compute_firewall_suffix[0].result}" :
 substr(var.name, 0, min(36, length(var.name)))
 )
 }
 resource "random_string" "google_compute_firewall_suffix" {
- count = var.make_firewall_rule_names_unique ? 1 : 0
+ count = var.add_firewall_rule_name_unique_suffix ? 1 : 0
 upper = false
 lower = true
 special = false
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 427c3731d3..30baafecd3 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -473,7 +473,7 @@ variable "add_master_webhook_firewall_rules" {
 default = false
 }
-variable "make_firewall_rule_names_unique" {
+variable "add_firewall_rule_name_unique_suffix" {
 type = bool
 description = "Create additional firewall rule unique suffix"
 default = false
From 2fd8c159b56bff01291d25fb233db1e7c8ad31fe Mon Sep 17 00:00:00 2001
From: Anatoliy Dutchak
Date: Wed, 24 Jan 2024 11:01:15 +0200
Subject: [PATCH 5/7] feat(betaa-public-cluster): add a possibility for having unique fw names
---
 modules/beta-public-cluster/firewall.tf | 25 ++++++++++++++++--------
 modules/beta-public-cluster/variables.tf | 6 ++++++
 2 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/modules/beta-public-cluster/firewall.tf b/modules/beta-public-cluster/firewall.tf
index 1e61965ca2..6d1331ba43 100644
--- a/modules/beta-public-cluster/firewall.tf
+++ b/modules/beta-public-cluster/firewall.tf
@@ -24,9 +24,18 @@ Required for clusters when VPCs enforce a default-deny egress rule
 *****************************************/
+
+locals {
+ rule_name_base = (
+ var.add_firewall_rule_name_unique_suffix ?
+ "${substr(var.name, 0, min(31, length(var.name)))}-${random_string.google_compute_firewall_suffix[0].result}" :
+ substr(var.name, 0, min(36, length(var.name)))
+ )
+}
+
 resource "google_compute_firewall" "intra_egress" {
 count = var.add_cluster_firewall_rules ? 1 : 0
- name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-intra-cluster-egress"
+ name = "gke-$${local.rule_name_base}-intra-cluster-egress"
 description = "Managed by terraform gke module: Allow pods to communicate with each other and the master"
 project = local.network_project_id
 network = var.network
@@ -67,7 +76,7 @@ resource "google_compute_firewall" "intra_egress" {
 *****************************************/
 resource "google_compute_firewall" "tpu_egress" {
 count = var.add_cluster_firewall_rules && var.enable_tpu ? 1 : 0
- name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-tpu-egress"
+ name = "gke-$${local.rule_name_base}-tpu-egress"
 description = "Managed by terraform gke module: Allow pods to communicate with TPUs"
 project = local.network_project_id
 network = var.network
@@ -99,7 +108,7 @@ resource "google_compute_firewall" "tpu_egress" {
 *****************************************/
 resource "google_compute_firewall" "master_webhooks" {
 count = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0
- name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-webhooks"
+ name = "gke-$${local.rule_name_base}-webhooks"
 description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks"
 project = local.network_project_id
 network = var.network
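Review bot: The `$${local.rule_name_base}` written into `name` here and in the other hunks of this file on the following lines is Terraform's escape for a literal `${`, the form one writes inside a file that is itself rendered through a `${}` templating pass; that suggests these edits were authored against a generator template rather than this module, and PATCH 7/7 has to strip the extra `$` again, so this commit is not deployable on its own. If the module directories in this repository are generated from a shared template, the change belongs in that template so that every module variant gains the option consistently and the next regeneration does not overwrite these hand edits; I cannot see the template from this patch, so please confirm. The locals block also references `random_string.google_compute_firewall_suffix[0].result` before PATCH 6/7 declares the resource, the same ordering problem as in PATCH 1/7.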
@@ -129,7 +138,7 @@ resource "google_compute_firewall" "master_webhooks" {
 resource "google_compute_firewall" "shadow_allow_pods" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-all"
+ name = "gke-shadow-$${local.rule_name_base}-all"
 description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication."
 project = local.network_project_id
 network = var.network
@@ -158,7 +167,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
 resource "google_compute_firewall" "shadow_allow_master" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-master"
+ name = "gke-shadow-$${local.rule_name_base}-master"
 description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication."
 project = local.network_project_id
 network = var.network
@@ -184,7 +193,7 @@ resource "google_compute_firewall" "shadow_allow_master" {
 resource "google_compute_firewall" "shadow_allow_nodes" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-vms"
+ name = "gke-shadow-$${local.rule_name_base}-vms"
 description = "Managed by Terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication."
 project = local.network_project_id
 network = var.network
@@ -219,7 +228,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
 resource "google_compute_firewall" "shadow_allow_inkubelet" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-inkubelet"
+ name = "gke-shadow-$${local.rule_name_base}-inkubelet"
 description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet."
 project = local.network_project_id
 network = var.network
@@ -246,7 +255,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" {
 resource "google_compute_firewall" "shadow_deny_exkubelet" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-${substr(var.name, 0, min(36, length(var.name)))}-exkubelet"
+ name = "gke-shadow-$${local.rule_name_base}-exkubelet"
 description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet."
 project = local.network_project_id
 network = var.network
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index e6f3eab0e4..d068164904 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -780,3 +780,9 @@ variable "enable_gcfs" {
 description = "Enable image streaming on cluster level."
 default = false
 }
+
+variable "add_firewall_rule_name_unique_suffix" {
+ type = bool
+ description = "Create additional firewall rule unique suffix"
+ default = false
+}
From 071b2033c394dd3ea12be728d08dd160a2529067 Mon Sep 17 00:00:00 2001
From: Anatoliy Dutchak
Date: Wed, 24 Jan 2024 11:26:03 +0200
Subject: [PATCH 6/7] feat(betaa-public-cluster): add a possibility for having unique fw names
---
 modules/beta-public-cluster/firewall.tf | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/modules/beta-public-cluster/firewall.tf b/modules/beta-public-cluster/firewall.tf
index 6d1331ba43..0493f55237 100644
--- a/modules/beta-public-cluster/firewall.tf
+++ b/modules/beta-public-cluster/firewall.tf
@@ -33,6 +33,14 @@ locals {
 )
 }
+resource "random_string" "google_compute_firewall_suffix" {
+ count = var.add_firewall_rule_name_unique_suffix ? 1 : 0
+ upper = false
+ lower = true
+ special = false
+ length = 4
+}
+
 resource "google_compute_firewall" "intra_egress" {
 count = var.add_cluster_firewall_rules ? 1 : 0
 name = "gke-$${local.rule_name_base}-intra-cluster-egress"
From 3c6b17f94d6c8635703cb29f94681093690231fe Mon Sep 17 00:00:00 2001
From: Anatoliy Dutchak
Date: Wed, 24 Jan 2024 11:30:12 +0200
Subject: [PATCH 7/7] feat(betaa-public-cluster): add a possibility for having unique fw names
---
 modules/beta-public-cluster/firewall.tf | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/modules/beta-public-cluster/firewall.tf b/modules/beta-public-cluster/firewall.tf
index 0493f55237..fbf04dcd78 100644
--- a/modules/beta-public-cluster/firewall.tf
+++ b/modules/beta-public-cluster/firewall.tf
@@ -43,7 +43,7 @@ resource "random_string" "google_compute_firewall_suffix" {
 resource "google_compute_firewall" "intra_egress" {
 count = var.add_cluster_firewall_rules ? 1 : 0
- name = "gke-$${local.rule_name_base}-intra-cluster-egress"
+ name = "gke-${local.rule_name_base}-intra-cluster-egress"
 description = "Managed by terraform gke module: Allow pods to communicate with each other and the master"
 project = local.network_project_id
 network = var.network
@@ -84,7 +84,7 @@ resource "google_compute_firewall" "intra_egress" {
 *****************************************/
 resource "google_compute_firewall" "tpu_egress" {
 count = var.add_cluster_firewall_rules && var.enable_tpu ? 1 : 0
- name = "gke-$${local.rule_name_base}-tpu-egress"
+ name = "gke-${local.rule_name_base}-tpu-egress"
 description = "Managed by terraform gke module: Allow pods to communicate with TPUs"
 project = local.network_project_id
 network = var.network
@@ -116,7 +116,7 @@ resource "google_compute_firewall" "tpu_egress" {
 *****************************************/
 resource "google_compute_firewall" "master_webhooks" {
 count = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules ? 1 : 0
- name = "gke-$${local.rule_name_base}-webhooks"
+ name = "gke-${local.rule_name_base}-webhooks"
 description = "Managed by terraform gke module: Allow master to hit pods for admission controllers/webhooks"
 project = local.network_project_id
 network = var.network
@@ -146,7 +146,7 @@ resource "google_compute_firewall" "master_webhooks" {
 resource "google_compute_firewall" "shadow_allow_pods" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-$${local.rule_name_base}-all"
+ name = "gke-shadow-${local.rule_name_base}-all"
 description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication."
 project = local.network_project_id
 network = var.network
@@ -175,7 +175,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
 resource "google_compute_firewall" "shadow_allow_master" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-$${local.rule_name_base}-master"
+ name = "gke-shadow-${local.rule_name_base}-master"
 description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication."
 project = local.network_project_id
 network = var.network
@@ -201,7 +201,7 @@ resource "google_compute_firewall" "shadow_allow_master" {
 resource "google_compute_firewall" "shadow_allow_nodes" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-$${local.rule_name_base}-vms"
+ name = "gke-shadow-${local.rule_name_base}-vms"
 description = "Managed by Terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes communication."
 project = local.network_project_id
 network = var.network
@@ -236,7 +236,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
 resource "google_compute_firewall" "shadow_allow_inkubelet" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-$${local.rule_name_base}-inkubelet"
+ name = "gke-shadow-${local.rule_name_base}-inkubelet"
 description = "Managed by terraform GKE module: A shadow firewall rule to match the default rule allowing worker nodes & pods communication to kubelet."
 project = local.network_project_id
 network = var.network
@@ -263,7 +263,7 @@ resource "google_compute_firewall" "shadow_allow_inkubelet" {
 resource "google_compute_firewall" "shadow_deny_exkubelet" {
 count = var.add_shadow_firewall_rules ? 1 : 0
- name = "gke-shadow-$${local.rule_name_base}-exkubelet"
+ name = "gke-shadow-${local.rule_name_base}-exkubelet"
 description = "Managed by terraform GKE module: A shadow firewall rule to match the default deny rule to kubelet."
 project = local.network_project_id
 network = var.network