Enable firewall rule on kubernetes nodepool
Opened this issue · 4 comments
Current Provider Version
tf -version
Terraform v1.7.4
on linux_amd64
+ provider registry.terraform.io/ionos-cloud/ionoscloud v6.4.13
Use-cases
I would like to enable the firewall of a Kubernetes node pool using Terraform. Currently, when creating a node pool, I do not have access to the server or NIC resource that contains this flag.
Attempted Solutions
I tried to import the NIC resource, but this is a little bit tricky.
Proposal
I see two possibilities to address this topic:
- Allow enabling the firewall as a boolean property flag on the node pool.
- Provide an attachment resource that allows additional configuration of a NIC resource.
This is not supported in the backend. There were discussions at some point, but there are no clear plans to allow this.
@cristiGuranIonos Does this mean it is not possible to enable the firewall with Terraform? Is there a workaround using an API call?
As a workaround, I tried creating an additional NIC to perform the firewall enablement, but as you already stated, it seems to be explicitly prohibited:
│ Error: error occured while creating a nic: an error occured while creating nic for dcId: 8f9e61ba-e4a3-417d-8386-1871102a4d4e, server_id: 81cef2fa-b6ee-486d-b165-cd689fc97a00, Response: (403 Forbidden {
│ "httpStatus" : 403,
│ "messages" : [ {
│ "errorCode" : "452",
│ "message" : "Access Denied: Server 81cef2fa-b6ee-486d-b165-cd689fc97a00 is managed by 'k8s'."
│ } ]
│ }
│ )
tf:
resource "ionoscloud_k8s_node_pool" "node_pool" {
  name        = var.ionos_k8s_nodepool_name
  k8s_version = var.ionos_k8s_nodepool_version

  maintenance_window {
    day_of_the_week = "Sunday"
    time            = "03:30:00Z"
  }

  datacenter_id     = data.ionoscloud_datacenter.dc.id
  k8s_cluster_id    = ionoscloud_k8s_cluster.cluster.id
  cpu_family        = "INTEL_SKYLAKE"
  availability_zone = "AUTO"
  storage_type      = "HDD"
  node_count        = var.ionos_nodepool_spec.node_count
  cores_count       = var.ionos_nodepool_spec.cores_count
  ram_size          = var.ionos_nodepool_spec.ram_size
  storage_size      = var.ionos_nodepool_spec.storage_size

  # initial deploy: attach the private LAN only
  lans {
    id = ionoscloud_lan.private.id
  }
}

# Look up the node servers the node pool created, by node pool name.
data "ionoscloud_servers" "k8s_nodes" {
  datacenter_id = data.ionoscloud_datacenter.dc.id

  filter {
    name  = "name"
    value = var.ionos_k8s_nodepool_name
  }

  depends_on = [ionoscloud_k8s_node_pool.node_pool]
}

# Attempted workaround: add a public NIC with the firewall enabled to every node.
# The API rejects this with 403 because the servers are managed by 'k8s'.
resource "ionoscloud_nic" "public_nic" {
  count         = var.ionos_nodepool_spec.node_count
  datacenter_id = data.ionoscloud_datacenter.dc.id
  server_id     = data.ionoscloud_servers.k8s_nodes.servers[count.index].id
  name          = "NIC ${ionoscloud_lan.public.name}"
  lan           = ionoscloud_lan.public.id

  firewall_active = true

  depends_on = [ionoscloud_k8s_node_pool.node_pool]
}
Treating the nodepool as a normal server is not allowed as it might lead to undefined behaviour.
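The 403 response quoted in the thread has the usual IONOS Cloud API error envelope: an `httpStatus` and a `messages` list whose entries carry an `errorCode` and a `message`. Automation that drives the API directly (the "API call" workaround asked about above) should recognise this refusal and skip the server rather than retry or fail the whole run. The following is an added example, not code from the issue or from the ionoscloud provider; the error body is the one quoted above, embedded as constructed sample input, and the meaning of error code "452" is taken from that quoted response only, not from API documentation.

```python
import json
import re

# Constructed sample: the 403 body quoted in the comment above, reproduced as the
# JSON the API returned (an object with httpStatus and a messages list).
SAMPLE_ERROR_BODY = """{
  "httpStatus" : 403,
  "messages" : [ {
    "errorCode" : "452",
    "message" : "Access Denied: Server 81cef2fa-b6ee-486d-b165-cd689fc97a00 is managed by 'k8s'."
  } ]
}"""

# Assumption: "452" is the code seen in the quoted refusal; it is not documented on the page.
MANAGED_ERROR_CODE = "452"

# Pulls the server UUID and the managing service name out of the refusal message.
_MANAGED_RE = re.compile(r"Server ([0-9a-f-]{36}) is managed by '([^']+)'")


def parse_api_error(body: str) -> dict:
    """Parse an IONOS Cloud API error envelope.

    Returns {'http_status': int, 'errors': [{'code': str, 'message': str}, ...]}.
    Raises ValueError for bodies that are not JSON or lack the expected fields,
    e.g. an HTML gateway error page, so callers never treat them as a known refusal.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("error body is not JSON") from exc
    if not isinstance(data, dict) or "httpStatus" not in data or "messages" not in data:
        raise ValueError("error body is not an IONOS API error envelope")
    errors = []
    for item in data["messages"]:
        errors.append({
            "code": str(item.get("errorCode", "")),
            "message": str(item.get("message", "")),
        })
    return {"http_status": int(data["httpStatus"]), "errors": errors}


def managed_server_refusal(body: str):
    """If the error says the target server is managed by a platform service,
    return (server_id, manager), e.g. ('81cef2fa-...', 'k8s'); otherwise None.

    Keys on the error code first and only then on the message text, so a
    reworded message or an unrelated 403 does not produce a false match.
    """
    parsed = parse_api_error(body)
    if parsed["http_status"] != 403:
        return None
    for err in parsed["errors"]:
        if err["code"] != MANAGED_ERROR_CODE:
            continue
        match = _MANAGED_RE.search(err["message"])
        if match:
            return match.group(1), match.group(2)
    return None


def should_skip_server(body: str) -> bool:
    """True when the NIC operation was refused because the server is k8s-managed."""
    refusal = managed_server_refusal(body)
    return refusal is not None and refusal[1] == "k8s"


if __name__ == "__main__":
    print(parse_api_error(SAMPLE_ERROR_BODY))
    print(managed_server_refusal(SAMPLE_ERROR_BODY))
    print(should_skip_server(SAMPLE_ERROR_BODY))
```

A script that loops over the node servers returned by the servers listing can call `should_skip_server` on each failed NIC create and move on, which matches the maintainer's point that these servers are not meant to be configured as ordinary servers.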