

feat: restrict api server access from jumphost cidr
Signed-off-by: Fredrik Klingenberg <[email protected]>
fredrkl committed Nov 12, 2023
1 parent b6c7230 commit 36e4e99
Showing 6 changed files with 20 additions and 9 deletions.
1 change: 0 additions & 1 deletion .trivyignore
@@ -1,2 +1 @@
AVD-AZU-0040
AVD-AZU-0041
11 changes: 6 additions & 5 deletions terraform/main.tf
Expand Up @@ -19,11 +19,12 @@ module "network" {
}

module "aks" {
source = "./modules/aks"
resource_group = azurerm_resource_group.aks
subnet_id = module.network.aks_dataplane_subnet_id
api_server_subnet_id = module.network.api_server_subnet_id
api_server_identity_id = module.identities.aks_identity_id
source = "./modules/aks"
resource_group = azurerm_resource_group.aks
subnet_id = module.network.aks_dataplane_subnet_id
api_server_subnet_id = module.network.api_server_subnet_id
api_server_identity_id = module.identities.aks_identity_id
api_server_allowed_cidr_blocks = module.network.jumphost_subnet_cidr_blocks

count = var.enable_aks ? 1 : 0
}
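Review bot: The allow-list handed over on the `api_server_allowed_cidr_blocks = module.network.jumphost_subnet_cidr_blocks` line is the jumphost subnet's private prefix (`10.1.3.32/27` in terraform/modules/network/main.tf on this page), whereas AKS authorized IP ranges are matched against the source address that arrives at the API server's public endpoint, which for a VNet-hosted jumphost is normally its SNAT'd outbound public IP rather than the VNet address; the filter may therefore lock the jumphost out or, if its traffic reaches the VNet-integrated internal endpoint instead, not be evaluated on that path at all (inferred from the Azure model, not from these lines — confirm with a `kubectl` call from the jumphost after apply). The same question applies to `authorized_ip_ranges = var.api_server_allowed_cidr_blocks` in terraform/modules/aks/main.tf. If VNet-only access is the intent, a private cluster expresses that directly; if the public endpoint is meant to stay reachable from the jumphost, its egress public IP is the value this list needs. Either way a comment on the line saying which endpoint the list gates would spare the next reader the same investigation, e.g. `# authorized_ip_ranges filters the public API endpoint; a private VNet prefix only works here if jumphost traffic reaches it un-SNAT'd`.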
1 change: 1 addition & 0 deletions terraform/modules/aks/main.tf
Expand Up @@ -35,6 +35,7 @@ resource "azurerm_kubernetes_cluster" "example" {
api_server_access_profile {
vnet_integration_enabled = true
subnet_id = var.api_server_subnet_id
authorized_ip_ranges = var.api_server_allowed_cidr_blocks
}

tags = {
5 changes: 5 additions & 0 deletions terraform/modules/aks/variables.tf
Expand Up @@ -20,3 +20,8 @@ variable "api_server_identity_id" {
type = string
description = "The ID of the identity to assign to the AKS API server."
}

variable "api_server_allowed_cidr_blocks" {
type = list(string)
description = "The CIDR blocks allowed to access the AKS API server."
}
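Review bot: The new `api_server_allowed_cidr_blocks` variable accepts any `list(string)`, so a malformed entry is only rejected by the provider at apply time, and an empty list is accepted silently even though it would presumably leave `authorized_ip_ranges` unrestricted rather than closed (verify against the provider's handling of an empty list). A `validation` block that rejects an empty list and any non-CIDR entry fails fast at plan time, which matters for a value that is the cluster's only network-level access control. The description could also say what the value gates, e.g. `description = "CIDR blocks permitted to reach the AKS API server (sets api_server_access_profile.authorized_ip_ranges)."`.
```hcl
variable "api_server_allowed_cidr_blocks" {
  # … unchanged: type and description …

  validation {
    condition     = length(var.api_server_allowed_cidr_blocks) > 0 && alltrue([for c in var.api_server_allowed_cidr_blocks : can(cidrhost(c, 0))])
    error_message = "api_server_allowed_cidr_blocks must contain at least one valid CIDR block."
  }
}
```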
4 changes: 2 additions & 2 deletions terraform/modules/network/main.tf
Expand Up @@ -32,8 +32,8 @@ resource "azurerm_subnet" "api-server" {
}
}
}
resource "azurerm_subnet" "jumphost_subnet_id" {
name = "jumphost_subnet_id"
resource "azurerm_subnet" "jumphost_subnet" {
name = "jumphost_subnet"
resource_group_name = var.resource_group.name
virtual_network_name = azurerm_virtual_network.example.name
address_prefixes = ["10.1.3.32/27"]
7 changes: 6 additions & 1 deletion terraform/modules/network/outputs.tf
Expand Up @@ -15,5 +15,10 @@ output "api_server_subnet_id" {

output "jumphost_subnet_id" {
description = "The ID of the subnet"
value = azurerm_subnet.jumphost_subnet_id.id
value = azurerm_subnet.jumphost_subnet.id
}

output "jumphost_subnet_cidr_blocks" {
description = "The CIDR blocks of the subnet"
value = azurerm_subnet.jumphost_subnet.address_prefixes
}
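Review bot: The description on the new `jumphost_subnet_cidr_blocks` output, `The CIDR blocks of the subnet`, names neither the subnet nor the consumer of the value, and the sibling `jumphost_subnet_id` output has the same gap; since this output now feeds the API server allow-list in terraform/main.tf, that dependency is worth recording where the value is defined so a later change to the subnet is recognised as a change to cluster access. Suggested wording: `description = "Address prefixes (CIDR blocks) of the jumphost subnet; consumed by the aks module as api_server_allowed_cidr_blocks."`. The value is a list because `address_prefixes` is declared as one in terraform/modules/network/main.tf, so callers should not expect a single string.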
