feat: only allow requests from jumphost subnet

Signed-off-by: Fredrik Klingenberg <[email protected]>
fredrkl · Nov 13, 2023 · a9ef0db · a9ef0db
1 parent f5a259d
commit a9ef0db
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 8 deletions.
diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
@@ -83,6 +83,6 @@ jobs:
         terraform plan -out=tfplan -var="location=eastus" -var="name_prefix=test" -var="bastion_admin_password=${{ secrets.BASTION_ADMIN_PASSWORD }}" -var="ssh_public_key=${{ secrets.BASTION_SSH_PUBLIC_KEY }}"
         terraform-bin show -json -no-color tfplan > tfplan.json
         terraform-bin show -no-color tfplan >> $GITHUB_STEP_SUMMARY
-    - name: Terraform Apply
-      working-directory: ./terraform
-      run: terraform apply tfplan
+#    - name: Terraform Apply
+#      working-directory: ./terraform
+#      run: terraform apply tfplan
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -19,11 +19,12 @@ module "network" {
 }
 
 module "aks" {
-  source                 = "./modules/aks"
-  resource_group         = azurerm_resource_group.aks
-  subnet_id              = module.network.aks_dataplane_subnet_id
-  api_server_subnet_id   = module.network.api_server_subnet_id
-  api_server_identity_id = module.identities.aks_identity_id
+  source                         = "./modules/aks"
+  resource_group                 = azurerm_resource_group.aks
+  subnet_id                      = module.network.aks_dataplane_subnet_id
+  api_server_subnet_id           = module.network.api_server_subnet_id
+  api_server_identity_id         = module.identities.aks_identity_id
+  api_server_allowed_cidr_blocks = module.network.jumphost_subnet_cidr_blocks
 
   count = var.enable_aks ? 1 : 0
 }

diff --git a/terraform/modules/aks/main.tf b/terraform/modules/aks/main.tf
@@ -36,6 +36,7 @@ resource "azurerm_kubernetes_cluster" "example" {
   api_server_access_profile {
     vnet_integration_enabled = true
     subnet_id                = var.api_server_subnet_id
+    authorized_ip_ranges     = var.api_server_allowed_cidr_blocks
   }
 
   tags = {

diff --git a/terraform/modules/aks/variables.tf b/terraform/modules/aks/variables.tf
@@ -20,3 +20,8 @@ variable "api_server_identity_id" {
   type        = string
   description = "The ID of the identity to assign to the AKS API server."
 }
+
+variable "api_server_allowed_cidr_blocks" {
+  type        = list(string)
+  description = "The CIDR blocks allowed to access the AKS API server."
+}