Add "myipv4" as possible firewall setting input

vsalomaki · vsalomaki · commit d0190b879a48 · 2025-10-12T00:07:52.000+03:00
diff --git a/data.tf b/data.tf
@@ -32,3 +32,21 @@ data "hcloud_ssh_keys" "keys_by_selector" {
   count         = length(var.ssh_hcloud_key_label) > 0 ? 1 : 0
   with_selector = var.ssh_hcloud_key_label
 }
+
+data "external" "my_ipv4" {
+  count = var.fetch_myip ? 1 : 0
+
+  program = [
+    "bash",
+    "-c",
+    <<-EOT
+      IP=$(dig -4 +short myip.opendns.com @resolver1.opendns.com | head -n 1)
+      if [[ "$IP" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+        echo "{\"ip\": \"$IP\"}"
+      else
+        echo "Error: Failed to retrieve a valid public IPv4 address. Retrieved: '$IP'. Please check network connectivity and ensure 'dig' is installed." >&2
+        exit 1
+      fi
+    EOT
+  ]
+}
diff --git a/kube.tf.example b/kube.tf.example
@@ -770,18 +770,23 @@ module "kube-hetzner" {
   # If you want to allow all outbound traffic you can set this to "false". Default is "true".
   # restrict_outbound_traffic = false
 
+  # Fetch the current user IP-address using myip.opendns.com so that it can be used in firewall rules with the string "myipv4". Default: true.
+  # fetch_myip = true
+
   # Allow access to the Kube API from the specified networks. The default is ["0.0.0.0/0", "::/0"].
   # Allowed values: null (disable Kube API rule entirely) or a list of allowed networks with CIDR notation.
   # For maximum security, it's best to disable it completely by setting it to null. However, in that case, to get access to the kube api,
   # you would have to connect to any control plane node via SSH, as you can run kubectl from within these.
   # Please be advised that this setting has no effect on the load balancer when the use_control_plane_lb variable is set to true. This is
   # because firewall rules cannot be applied to load balancers yet.
+  # Note: You can use the string "myipv4" as an IP address in the array and it will be replaced with the CIDR/32 of your IP as reported by myip.opendns.com. Use of "myipv4" requires `dig` to be available and `fetch_myip = true`.
   # firewall_kube_api_source = null
 
   # Allow SSH access from the specified networks. Default: ["0.0.0.0/0", "::/0"]
   # Allowed values: null (disable SSH rule entirely) or a list of allowed networks with CIDR notation.
   # Ideally you would set your IP there. And if it changes after cluster deploy, you can always update this variable and apply again.
-  # firewall_ssh_source = ["1.2.3.4/32"]
+  # Note: You can use the string "myipv4" as an IP address in the array and it will be replaced with the CIDR/32 of your IP as reported by myip.opendns.com. Use of "myipv4" requires `dig` to be available and `fetch_myip = true`.
+  # firewall_ssh_source = ["myipv4", "1.2.3.4/32"]
 
   # By default, SELinux is enabled in enforcing mode on all nodes. For container-specific SELinux issues,
   # consider using the pre-installed 'udica' tool to create custom, targeted SELinux policies instead of
@@ -790,6 +795,7 @@ module "kube-hetzner" {
 
   # Adding extra firewall rules, like opening a port
   # More info on the format here https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs/resources/firewall
+  # Note: You can use the string "myipv4" as an IP address in the `source_ips` or `destination_ips` arrays and it will be replaced with the CIDR/32 of your IP as reported by myip.opendns.com. Use of "myipv4" requires `dig` to be available and `fetch_myip = true`.
   # extra_firewall_rules = [
   #   {
   #     description = "For Postgres"
diff --git a/locals.tf b/locals.tf
@@ -27,6 +27,8 @@ locals {
   dns_servers_ipv4 = [for ip in var.dns_servers : ip if provider::assert::ipv4(ip)]
   dns_servers_ipv6 = [for ip in var.dns_servers : ip if provider::assert::ipv6(ip)]
 
+  my_public_ipv4_cidr = var.fetch_myip ? "${data.external.my_ipv4[0].result.ip}/32" : null
+
   additional_k3s_environment = join("\n",
     [
       for var_name, var_value in var.additional_k3s_environment :
@@ -474,8 +476,19 @@ locals {
   # merge the two lists
   firewall_rules_merged = merge(local.firewall_rules, local.extra_firewall_rules)
 
-  # convert the merged list back to a list
-  firewall_rules_list = values(local.firewall_rules_merged)
+  # replace "myipv4" with the actual value, merge to a list
+  firewall_rules_list = [for key, rule in local.firewall_rules_merged : {
+    description = rule.description
+    direction   = rule.direction
+    protocol    = rule.protocol
+    port        = rule.port
+    source_ips = try([
+      for ip in rule.source_ips : ip == "myipv4" && var.fetch_myip ? local.my_public_ipv4_cidr : ip
+    ], null)
+    destination_ips = try([
+      for ip in rule.destination_ips : ip == "myipv4" && var.fetch_myip ? local.my_public_ipv4_cidr : ip
+    ], null)
+  } if rule != null]
 
   labels = {
     "provisioner" = "terraform",
diff --git a/variables.tf b/variables.tf
@@ -660,6 +660,12 @@ variable "automatically_upgrade_os" {
   description = "Whether to enable or disable automatic os updates. Defaults to true. Should be disabled for single-node clusters"
 }
 
+variable "fetch_myip" {
+  type        = bool
+  default     = true
+  description = "Whether to fetch the public ip of the current client for the use of firewall configuration."
+}
+
 variable "extra_firewall_rules" {
   type        = list(any)
   default     = []
diff --git a/versions.tf b/versions.tf
@@ -9,6 +9,10 @@ terraform {
       source  = "hetznercloud/hcloud"
       version = ">= 1.51.0"
     }
+    external = {
+      source  = "hashicorp/external"
+      version = "~> 2.0"
+    }
     local = {
       source  = "hashicorp/local"
       version = ">= 2.5.2"
