ionos-cloud/terraform-provider-ionoscloud

Enable firewall rule on kubernetes nodepool

Opened this issue · 4 comments

Current Provider Version

tf -version
Terraform v1.7.4
on linux_amd64
+ provider registry.terraform.io/ionos-cloud/ionoscloud v6.4.13

Use-cases

I would like to enable the firewall of a Kubernetes nodepool by using Terraform. Currently, when creating a nodepool, I do not have access to the server or NIC resource that contains this flag.

Attempted Solutions

I tried to import the NIC resource, but this is a little bit tricky.

Proposal

I see two possibilities to address this topic.

  1. Allow enablement of the firewall as a nodepool property (boolean flag).
  2. Provide an attachment resource that allows performing additional configuration of a NIC resource.

This is not supported in the backend. There were discussions at some point, but there are no clear plans to allow this.

@cristiGuranIonos Does this mean it is not possible to enable the firewall with Terraform? Is there a workaround by using an API call?

As a workaround, I tried creating an additional NIC to perform the firewall enablement action, but as you already stated, it seems to be explicitly prohibited:

│ Error: error occured while creating a nic: an error occured while creating nic for dcId: 8f9e61ba-e4a3-417d-8386-1871102a4d4e, server_id: 81cef2fa-b6ee-486d-b165-cd689fc97a00, Response: (403 Forbidden {
│   "httpStatus" : 403,
│   "messages" : [ {
│     "errorCode" : "452",
│     "message" : "Access Denied: Server 81cef2fa-b6ee-486d-b165-cd689fc97a00 is managed by 'k8s'."
│   } ]
│ }
│ )

tf:

# Managed node pool; the nodes it creates are owned by the 'k8s' manager.
resource "ionoscloud_k8s_node_pool" "node_pool" {
  name        = var.ionos_k8s_nodepool_name
  k8s_version = var.ionos_k8s_nodepool_version
  maintenance_window {
    day_of_the_week = "Sunday"
    time            = "03:30:00Z"
  }
  datacenter_id     = data.ionoscloud_datacenter.dc.id
  k8s_cluster_id    = ionoscloud_k8s_cluster.cluster.id
  cpu_family        = "INTEL_SKYLAKE"
  availability_zone = "AUTO"
  storage_type      = "HDD"
  node_count        = var.ionos_nodepool_spec.node_count
  cores_count       = var.ionos_nodepool_spec.cores_count
  ram_size          = var.ionos_nodepool_spec.ram_size
  storage_size      = var.ionos_nodepool_spec.storage_size

  # Initial deploy: attach the nodes to the private LAN only.
  lans {
    id = ionoscloud_lan.private.id
  }
}

# Look up the servers the node pool created, by name, once the pool exists.
data "ionoscloud_servers" "k8s_nodes" {
  datacenter_id = data.ionoscloud_datacenter.dc.id

  filter {
    name  = "name"
    value = var.ionos_k8s_nodepool_name
  }

  depends_on = [ionoscloud_k8s_node_pool.node_pool]
}

# Attempted workaround: add one extra NIC per node on the public LAN with the
# NIC firewall enabled. The API rejects this with 403 (errorCode 452) because
# the servers are managed by 'k8s'.
resource "ionoscloud_nic" "public_nic" {
  count = var.ionos_nodepool_spec.node_count

  datacenter_id   = data.ionoscloud_datacenter.dc.id
  server_id       = data.ionoscloud_servers.k8s_nodes.servers[count.index].id
  name            = "NIC ${ionoscloud_lan.public.name}"
  lan             = ionoscloud_lan.public.id
  firewall_active = true

  depends_on = [ionoscloud_k8s_node_pool.node_pool]
}
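Since the per-NIC firewall cannot be enabled on nodepool nodes through the provider, the practical check is to audit which NICs sit on a public LAN with the firewall off, and to recognise the "managed by 'k8s'" 403 when a tool tries to touch such a server. The following is an added example (not code from the thread or the provider); its payloads are constructed to mirror the IONOS Cloud API v6 response shapes as assumed here (LAN `properties.public`, NIC `properties.lan` and `properties.firewallActive`), and the server ids `k8s-node-1`, `k8s-node-2` and `jump-host` are hypothetical:

```python
"""Offline audit of NIC firewall exposure (added example, constructed data).

Replace SAMPLE_LANS / SAMPLE_NICS with real results of
GET /datacenters/{dcId}/lans and GET /datacenters/{dcId}/servers/{serverId}/nics
(field names assumed from the IONOS Cloud API v6).
"""
from typing import Any

# Constructed sample: one private LAN (id "1") and one public LAN (id "2").
SAMPLE_LANS: dict[str, Any] = {
    "items": [
        {"id": "1", "properties": {"name": "private", "public": False}},
        {"id": "2", "properties": {"name": "public", "public": True}},
    ]
}

# Constructed sample: NIC listings keyed by a hypothetical server id.
# NIC 'lan' is an integer in the API, LAN 'id' a string; both are normalised below.
SAMPLE_NICS: dict[str, dict[str, Any]] = {
    "k8s-node-1": {"items": [
        {"id": "nic-a", "properties": {"name": "private NIC", "lan": 1, "firewallActive": False}},
    ]},
    "k8s-node-2": {"items": [
        {"id": "nic-b", "properties": {"name": "private NIC", "lan": 1, "firewallActive": False}},
        {"id": "nic-c", "properties": {"name": "public NIC", "lan": 2, "firewallActive": False}},
    ]},
    "jump-host": {"items": [
        {"id": "nic-d", "properties": {"name": "public NIC", "lan": 2, "firewallActive": True}},
    ]},
}

# Constructed sample with the same shape as the 403 body quoted in the thread.
SAMPLE_403: dict[str, Any] = {
    "httpStatus": 403,
    "messages": [{"errorCode": "452",
                  "message": "Access Denied: Server k8s-node-1 is managed by 'k8s'."}],
}


def public_lan_ids(lans: dict[str, Any]) -> set[str]:
    """Ids of LANs flagged public (internet-facing)."""
    return {str(lan["id"]) for lan in lans.get("items", [])
            if lan.get("properties", {}).get("public")}


def exposed_nics(server_id: str, nics: dict[str, Any],
                 public: set[str]) -> list[dict[str, str]]:
    """NICs on a public LAN whose per-NIC firewall is switched off."""
    findings: list[dict[str, str]] = []
    for nic in nics.get("items", []):
        props = nic.get("properties", {})
        lan = str(props.get("lan"))
        if lan in public and not props.get("firewallActive", False):
            findings.append({"server": server_id, "nic": nic["id"], "lan": lan})
    return findings


def is_k8s_managed_error(body: dict[str, Any]) -> bool:
    """True for the 403 / errorCode 452 'managed by k8s' rejection seen above."""
    if body.get("httpStatus") != 403:
        return False
    return any(m.get("errorCode") == "452" and "managed by 'k8s'" in m.get("message", "")
               for m in body.get("messages", []))


def audit(lans: dict[str, Any],
          nics_by_server: dict[str, dict[str, Any]]) -> list[dict[str, str]]:
    """Run the exposure check over every server's NIC listing."""
    public = public_lan_ids(lans)
    findings: list[dict[str, str]] = []
    for server_id, nics in nics_by_server.items():
        findings.extend(exposed_nics(server_id, nics, public))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LANS, SAMPLE_NICS):
        print(f"EXPOSED server={f['server']} nic={f['nic']} lan={f['lan']}")
    print("k8s-managed 403:", is_k8s_managed_error(SAMPLE_403))
```

On the sample data only `k8s-node-2`/`nic-c` is flagged: it is on the public LAN with `firewallActive` false, while the private-LAN NICs are not internet-facing and the jump host's public NIC has its firewall on. Feeding real listings in lets you confirm that nodepool nodes stay on private LANs only, which is the mitigation left when the flag cannot be set.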

Treating the nodepool as a normal server is not allowed as it might lead to undefined behaviour.