diff --git a/terraform/bundles/gcp/master-nodes/main.tf b/terraform/bundles/gcp/master-nodes/main.tf
index c153532..d633e7c 100644
--- a/terraform/bundles/gcp/master-nodes/main.tf
+++ b/terraform/bundles/gcp/master-nodes/main.tf
@@ -33,6 +33,7 @@ module "master-nodes-firewall" {
   network_name = var.network
   target_tags = local.k3s_masters_tags
   allow_ssh = true
+  allow_dns_traffic = true
 }
 
 module "master-nodes" {
diff --git a/terraform/modules/gcp/firewall/main.tf b/terraform/modules/gcp/firewall/main.tf
index f8120d0..1e77979 100644
--- a/terraform/modules/gcp/firewall/main.tf
+++ b/terraform/modules/gcp/firewall/main.tf
@@ -19,7 +19,6 @@ locals {
       protocol = "tcp"
       ports = ["6443"]
     },
-
     {
       description = "k3s masters: flannel wireguard_native communication, source: https://docs.k3s.io/installation/requirements#networking"
       protocol = "udp"
@@ -57,6 +56,14 @@ locals {
     },
   ]
 
+  incoming_dns_traffic = [
+    {
+      description = "allows dns communication"
+      protocol = "udp"
+      ports = ["53"]
+    },
+  ]
+
   node_ports = [
     {
       description = "open node ports"
@@ -138,6 +145,14 @@ resource "google_compute_firewall" "k3s_master_nodes_public" {
     }
   }
 
+  dynamic "allow" {
+    for_each = { for k, v in local.incoming_dns_traffic : k => v if var.allow_dns_traffic }
+    content {
+      protocol = allow.value.protocol
+      ports = allow.value.ports
+    }
+  }
+
   // Target tags can be used to apply this rule to specific instances
   target_tags = var.target_tags
 
diff --git a/terraform/modules/gcp/firewall/variables.tf b/terraform/modules/gcp/firewall/variables.tf
index ebc2488..e2eccba 100644
--- a/terraform/modules/gcp/firewall/variables.tf
+++ b/terraform/modules/gcp/firewall/variables.tf
@@ -46,3 +46,9 @@ variable "allow_ssh" {
   type = bool
   description = "should allow node ports ?"
 }
+
+variable "allow_dns_traffic" {
+  type = bool
+  description = "should allow dns traffic ?"
+  default = false
+}
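Review bot: `allow_dns_traffic = true` opens inbound UDP/53 on the masters through the `k3s_master_nodes_public` rule (the `dynamic "allow"` hunk in terraform/modules/gcp/firewall/main.tf), and that rule's `source_ranges` are not in this diff; if it admits 0.0.0.0/0, every resolver bound on the masters becomes reachable from the internet. A `google_compute_firewall` built from `allow` blocks is an ingress rule unless `direction` says otherwise, and GCP permits egress by default, so the masters resolving names outbound does not need this toggle. If the intended consumer is other nodes or pods in the VPC, the port belongs in an internal rule scoped by `source_tags` or the VPC CIDR rather than the public one. At minimum record who needs it, e.g. `allow_dns_traffic = true # inbound UDP/53 to masters for <consumer>; note this lands on the public rule`.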
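Review bot: The new `incoming_dns_traffic` entry describes itself only as "allows dns communication", whereas the neighbouring entries in `locals` name the k3s component and cite the networking requirements page, so a reader cannot tell which listener on the masters this port is for. Suggest `description = "k3s masters: inbound DNS to <listener>, source: <doc link>"` in the same style. The entry is also UDP-only; DNS clients retry over TCP/53 when a response is truncated, so if the masters are genuinely meant to answer DNS this list is incomplete, and if they are not, the entry should not exist.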
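Review bot: The gate is written as a map comprehension over `local.incoming_dns_traffic` keyed by list index, which is heavier than a single boolean needs; `for_each = var.allow_dns_traffic ? local.incoming_dns_traffic : []` yields the same zero-or-one `allow` blocks, unless the sibling dynamic blocks above (cut off by the hunk) already use the comprehension form, in which case keep it for consistency. The block also carries no comment, unlike the `// Target tags` line right below it; add `// Inbound UDP/53 on the public rule, gated by var.allow_dns_traffic` above `dynamic "allow"`. The enclosing `k3s_master_nodes_public` resource starts before this hunk.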
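Review bot: `description = "should allow dns traffic ?"` does not say which direction, port or rule the flag controls, and the context above shows `allow_ssh` already carrying a copy-pasted "should allow node ports ?" text, so variable descriptions are currently the only place an operator can learn what each toggle opens. Suggest `description = "Open ingress UDP/53 to the target tags on the public firewall rule. Default false (closed)."`. Keeping `default = false` so the port stays closed unless explicitly requested is the right call.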