From 7dbf54d81c8f79ec7f1a6a5c5e063089776e7dac Mon Sep 17 00:00:00 2001
From: nxtcoder17
Date: Tue, 17 Sep 2024 01:23:11 +0530
Subject: [PATCH] feat(gcp): exposes port 53 (UDP) on master nodes to public

As we are using an internal DNS server, for resolution across envrironments, we need to expose port 53 (UDP) on master nodes
---
 terraform/bundles/gcp/master-nodes/main.tf | 1 +
 terraform/modules/gcp/firewall/main.tf | 17 ++++++++++++++++-
 terraform/modules/gcp/firewall/variables.tf | 6 ++++++
 3 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/terraform/bundles/gcp/master-nodes/main.tf b/terraform/bundles/gcp/master-nodes/main.tf
index c153532..d633e7c 100644
--- a/terraform/bundles/gcp/master-nodes/main.tf
+++ b/terraform/bundles/gcp/master-nodes/main.tf
@@ -33,6 +33,7 @@ module "master-nodes-firewall" {
   network_name = var.network
   target_tags = local.k3s_masters_tags
   allow_ssh = true
+  allow_dns_traffic = true
 }
 
 module "master-nodes" {
diff --git a/terraform/modules/gcp/firewall/main.tf b/terraform/modules/gcp/firewall/main.tf
index f8120d0..1e77979 100644
--- a/terraform/modules/gcp/firewall/main.tf
+++ b/terraform/modules/gcp/firewall/main.tf
@@ -19,7 +19,6 @@ locals {
       protocol = "tcp"
       ports = ["6443"]
     },
-
     {
       description = "k3s masters: flannel wireguard_native communication, source: https://docs.k3s.io/installation/requirements#networking"
       protocol = "udp"
@@ -57,6 +56,14 @@ locals {
     },
   ]
 
+  incoming_dns_traffic = [
+    {
+      description = "allows dns communication"
+      protocol = "udp"
+      ports = ["53"]
+    },
+  ]
+
   node_ports = [
     {
       description = "open node ports"
@@ -138,6 +145,14 @@ resource "google_compute_firewall" "k3s_master_nodes_public" {
     }
   }
 
+  dynamic "allow" {
+    for_each = { for k, v in local.incoming_dns_traffic : k => v if var.allow_dns_traffic }
+    content {
+      protocol = allow.value.protocol
+      ports = allow.value.ports
+    }
+  }
+
   // Target tags can be used to apply this rule to specific instances
   target_tags = var.target_tags
 
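Review bot: The new `incoming_dns_traffic` entry is the only list item whose description does not say what the traffic is for, while the neighbouring entries name the component and cite a source; since this description is the only place the intent is recorded in code, `description = "k3s masters: internal DNS server (UDP/53) used for cross-environment name resolution"` would carry the rationale from the commit message into the module. The `locals` block starts and ends outside the hunk.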
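Review bot: The added `dynamic "allow"` block puts UDP/53 on `k3s_master_nodes_public`, whose `source_ranges` lie outside this hunk; if that rule admits `0.0.0.0/0` (the commit title says "to public"), every master becomes an Internet-reachable resolver, which is a DNS amplification/reflection vector and discloses internal names to anyone who can query it. A UDP-only allow also means answers larger than the UDP payload limit will fall back to TCP/53, which this change leaves closed, so resolution may fail intermittently for large records. Since the traffic is only needed from the other environments, it is safer to carry DNS on its own rule whose source list is limited to those environments' egress CIDRs and which has firewall logging enabled, rather than inheriting the public rule's scope; the bundle hunk in `terraform/bundles/gcp/master-nodes/main.tf` enables the flag for the masters, so the same concern applies there. The `google_compute_firewall` resource starts and ends outside the hunk.
```hcl
// … unchanged: k3s_master_nodes_public rule, without the UDP/53 allow …

// DNS gets its own rule so its reachability is bounded by var.dns_source_ranges
// (constructed name: a list(string) of the peer environments' egress CIDRs)
// instead of the public rule's source ranges.
resource "google_compute_firewall" "k3s_master_nodes_dns" {
  count   = var.allow_dns_traffic ? 1 : 0
  name    = "<PLACEHOLDER: module naming convention>-dns"
  network = var.network_name

  allow {
    protocol = "udp"
    ports    = ["53"]
  }

  source_ranges = var.dns_source_ranges
  target_tags   = var.target_tags

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
```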
diff --git a/terraform/modules/gcp/firewall/variables.tf b/terraform/modules/gcp/firewall/variables.tf
index ebc2488..e2eccba 100644
--- a/terraform/modules/gcp/firewall/variables.tf
+++ b/terraform/modules/gcp/firewall/variables.tf
@@ -46,3 +46,9 @@ variable "allow_ssh" {
   type = bool
   description = "should allow node ports ?"
 }
+
+variable "allow_dns_traffic" {
+  type = bool
+  description = "should allow dns traffic ?"
+  default = false
+}
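Review bot: The description of the new `allow_dns_traffic` variable, `"should allow dns traffic ?"`, does not tell a caller that enabling it opens UDP/53 on the public master-node rule, which is the one fact someone flipping it needs; `description = "Open UDP/53 on the public master-node firewall rule so peer environments can reach the internal DNS server; keep false unless that rule's source ranges are restricted"` states it. The `default = false` is the right choice, since the port then stays closed for existing callers of the module. The adjacent `allow_ssh` variable (a context line here) still reads `"should allow node ports ?"`, apparently a copy-and-paste leftover worth correcting in the same pass.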