allow to set ssh access

d843f86d · Rob Kooper · 25a9d9e8 · d843f86d · d843f86d · d843f86d
Commit d843f86d authored 1 year ago by Rob Kooper
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.

 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).

+## 2.3.0 - 2023-08-25
+
+### Changed
+- allow to specify what machines you can ssh from to controlplanes
+
 ## 2.2.0 - 2023-08-07

 ### Removed

--- a/terraform/modules/rke1/security_group.tf
+++ b/terraform/modules/rke1/security_group.tf
@@ -38,12 +38,14 @@ resource "openstack_networking_secgroup_rule_v2" "ingress_icmp" {

 # Ingress IPv4  TCP 22 (SSH)  0.0.0.0/0 - - 
 resource "openstack_networking_secgroup_rule_v2" "ingress_ssh" {
-  description       = "ssh"
+  for_each          = var.openstack_security_ssh
+  description       = "ssh from ${each.key}"
  direction         = "ingress"
  ethertype         = "IPv4"
  protocol          = "tcp"
  port_range_min    = 22
  port_range_max    = 22
+  remote_ip_prefix  = each.value
  security_group_id = openstack_networking_secgroup_v2.cluster_security_group.id
  depends_on        = [openstack_networking_secgroup_v2.cluster_security_group]
 }

--- a/terraform/modules/rke1/variables.tf
+++ b/terraform/modules/rke1/variables.tf
@@ -149,6 +149,14 @@ variable "openstack_security_kubernetes" {
  }
 }

+variable "openstack_security_ssh" {
+  type        = map(any)
+  description = "IP address to allow connections to ssh, default is open to the world"
+  default = {
+    "world" : "0.0.0.0/0"
+  }
+}
+
 variable "openstack_os_image" {
  type        = map(any)
  description = "Map from short OS name to image"