Add ability to use "myipv4" as a pseudo-address in firewall rules. The ip-address is then fetched on terraform run from opendns (google as secondary)

Author: vsalomaki

data.tf

@@ -32,3 +32,35 @@ data "hcloud_ssh_keys" "keys_by_selector" {
   count         = length(var.ssh_hcloud_key_label) > 0 ? 1 : 0
   with_selector = var.ssh_hcloud_key_label
 }
+
+data "external" "my_ip" {
+  count = local.is_ref_myipv4_used ? 1 : 0
+
+  program = [
+    "bash",
+    "-c",
+    <<-EOT
+      set -euo pipefail
+      error_exit() {
+        echo "Error: $1" >&2
+        exit 1
+      }
+
+      if ! command -v dig &> /dev/null; then
+        error_exit "'dig' command not found. Please install it (e.g., 'apt-get install dnsutils' or 'yum install bind-utils')."
+      fi
+      IPV4=$(dig +time=5 +tries=2 -4 +short myip.opendns.com @resolver1.opendns.com | head -n 1 || true)
+      if [ -z "$IPV4" ]; then
+        IPV4=$(dig +time=5 +tries=2 -4 +short TXT o-o.myaddr.l.google.com @ns1.google.com | head -n 1 | tr -d '"' || true)
+      fi
+      if [ -z "$IPV4" ]; then
+        error_exit "Failed to retrieve public IPv4 address. The command returned an empty string. Please check network connectivity."
+      fi
+      if [[ "$IPV4" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; then
+        echo "{\"ipv4\": \"$IPV4\"}"
+      else
+        error_exit "Retrieved value '$IPV4' is not a valid public IPv4 address."
+      fi
+    EOT
+  ]
+}

kube.tf.example

@@ -784,12 +784,14 @@ module "kube-hetzner" {
   # you would have to connect to any control plane node via SSH, as you can run kubectl from within these.
   # Please be advised that this setting has no effect on the load balancer when the use_control_plane_lb variable is set to true. This is
   # because firewall rules cannot be applied to load balancers yet.
+  # Note: You can use the string "myipv4" as an IP address in the array and it will be replaced with the CIDR/32 of your IP as reported by myip.opendns.com. Use of "myipv4" requires `dig` to be available.
   # firewall_kube_api_source = null
 
   # Allow SSH access from the specified networks. Default: ["0.0.0.0/0", "::/0"]
   # Allowed values: null (disable SSH rule entirely) or a list of allowed networks with CIDR notation.
   # Ideally you would set your IP there. And if it changes after cluster deploy, you can always update this variable and apply again.
-  # firewall_ssh_source = ["1.2.3.4/32"]
+  # Note: You can use the string "myipv4" as an IP address in the array and it will be replaced with the CIDR/32 of your IP as reported by myip.opendns.com. Use of "myipv4" requires `dig` to be available.
+  # firewall_ssh_source = ["myipv4", "1.2.3.4/32"]
 
   # By default, SELinux is enabled in enforcing mode on all nodes. For container-specific SELinux issues,
   # consider using the pre-installed 'udica' tool to create custom, targeted SELinux policies instead of
@@ -798,6 +800,7 @@ module "kube-hetzner" {
 
   # Adding extra firewall rules, like opening a port
   # More info on the format here https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs/resources/firewall
+  # Note: You can use the string "myipv4" as an IP address in the `source_ips` or `destination_ips` arrays and it will be replaced with the CIDR/32 of your IP as reported by myip.opendns.com. Use of "myipv4" requires `dig` to be available.
   # extra_firewall_rules = [
   #   {
   #     description = "For Postgres"

locals.tf

@@ -27,6 +27,17 @@ locals {
   dns_servers_ipv4 = [for ip in var.dns_servers : ip if provider::assert::ipv4(ip)]
   dns_servers_ipv6 = [for ip in var.dns_servers : ip if provider::assert::ipv6(ip)]
 
+  # My IPv4 related variables.
+  is_ref_myipv4_used = (
+    contains(coalesce(var.firewall_kube_api_source, []), var.myipv4_ref) ||
+    contains(coalesce(var.firewall_ssh_source, []), var.myipv4_ref) ||
+    contains(flatten([
+      for rule in var.extra_firewall_rules : concat(coalesce(rule.source_ips, []), coalesce(rule.destination_ips, []))
+    ]), var.myipv4_ref)
+  )
+  my_public_ipv4_cidr = try("${data.external.my_ip[0].result.ipv4}/32", null)
+
+
   additional_k3s_environment = join("\n",
     [
       for var_name, var_value in var.additional_k3s_environment :
@@ -509,8 +520,15 @@ locals {
   # merge the two lists
   firewall_rules_merged = merge(local.firewall_rules, local.extra_firewall_rules)
 
-  # convert the merged list back to a list
-  firewall_rules_list = values(local.firewall_rules_merged)
+  # replace "myipv4" (var.myipv4_ref) with the actual value, merge to a list
+  firewall_rules_list = [for key, rule in local.firewall_rules_merged : {
+    description     = rule.description
+    direction       = rule.direction
+    protocol        = rule.protocol
+    port            = rule.port
+    source_ips      = compact([for ip in lookup(rule, "source_ips", []) : ip == var.myipv4_ref ? local.my_public_ipv4_cidr : ip])
+    destination_ips = compact([for ip in lookup(rule, "destination_ips", []) : ip == var.myipv4_ref ? local.my_public_ipv4_cidr : ip])
+  } if rule != null]
 
   labels = {
     "provisioner" = "terraform",

variables.tf

@@ -667,9 +667,22 @@ variable "automatically_upgrade_os" {
 }
 
 variable "extra_firewall_rules" {
-  type        = list(any)
+  type = list(object({
+    description     = optional(string, "")
+    direction       = string
+    protocol        = optional(string, "tcp")
+    port            = string
+    source_ips      = optional(list(string), [])
+    destination_ips = optional(list(string), [])
+  }))
+
   default     = []
   description = "Additional firewall rules to apply to the cluster."
+
+  validation {
+    condition     = alltrue([for rule in var.extra_firewall_rules : contains(["in", "out"], rule.direction)])
+    error_message = "The direction must be either 'in' or 'out'."
+  }
 }
 
 variable "firewall_kube_api_source" {
@@ -684,6 +697,12 @@ variable "firewall_ssh_source" {
   description = "Source networks that have SSH access to the servers."
 }
 
+variable "myipv4_ref" {
+  type        = string
+  default     = "myipv4"
+  description = "Name to be used in firewall rules as a substitute for your own IPv4 address."
+}
+
 variable "use_cluster_name_in_node_name" {
   type        = bool
   default     = true

versions.tf

@@ -9,6 +9,10 @@ terraform {
       source  = "hetznercloud/hcloud"
       version = ">= 1.51.0"
     }
+    external = {
+      source  = "hashicorp/external"
+      version = "~> 2.0"
+    }
     local = {
       source  = "hashicorp/local"
       version = ">= 2.5.2"