Add ability to use "myipv4" as a pseudo-address in firewall rules. The ip-address is then fetched on terraform run from opendns (google as secondary)

Author: vsalomaki

data.tf

@@ -32,3 +32,38 @@ data "hcloud_ssh_keys" "keys_by_selector" {
   count         = length(var.ssh_hcloud_key_label) > 0 ? 1 : 0
   with_selector = var.ssh_hcloud_key_label
 }
+
+data "external" "my_ip" {
+  count = local.is_ref_myipv4_used ? 1 : 0
+
+  program = [
+    "bash",
+    "-c",
+    <<-EOT
+      set -euo pipefail
+
+      error_exit() {
+        echo "Error: $1" >&2
+        exit 1
+      }
+
+      if ! command -v dig &> /dev/null; then
+        error_exit "'dig' command not found. Please install it (e.g., 'apt-get install dnsutils' or 'yum install bind-utils')."
+      fi
+      
+      IPV4_REGEX="^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"
+
+      IPV4=""
+
+      if ! [[ "$IPV4" =~ $IPV4_REGEX ]]; then
+        IPV4=$(dig +time=5 +tries=2 -4 +short TXT o-o.myaddr.l.google.com @ns1.google.com | head -n 1 | tr -d '"' || true)
+      fi
+
+      if [[ "$IPV4" =~ $IPV4_REGEX ]]; then
+        echo "{\"ipv4\": \"$IPV4\"}"
+      else
+        error_exit "Failed to retrieve a valid public IPv4 address. Last value received was: '$IPV4'"
+      fi
+    EOT
+  ]
+}

kube.tf.example

@@ -784,12 +784,14 @@ module "kube-hetzner" {
   # you would have to connect to any control plane node via SSH, as you can run kubectl from within these.
   # Please be advised that this setting has no effect on the load balancer when the use_control_plane_lb variable is set to true. This is
   # because firewall rules cannot be applied to load balancers yet.
+  # Note: You can use the string "myipv4" as an IP address in the array and it will be replaced with the CIDR/32 of your IP as reported by myip.opendns.com. Use of "myipv4" requires `dig` to be available.
   # firewall_kube_api_source = null
 
   # Allow SSH access from the specified networks. Default: ["0.0.0.0/0", "::/0"]
   # Allowed values: null (disable SSH rule entirely) or a list of allowed networks with CIDR notation.
   # Ideally you would set your IP there. And if it changes after cluster deploy, you can always update this variable and apply again.
-  # firewall_ssh_source = ["1.2.3.4/32"]
+  # Note: You can use the string "myipv4" as an IP address in the array and it will be replaced with the CIDR/32 of your IP as reported by myip.opendns.com. Use of "myipv4" requires `dig` to be available.
+  # firewall_ssh_source = ["myipv4", "1.2.3.4/32"]
 
   # By default, SELinux is enabled in enforcing mode on all nodes. For container-specific SELinux issues,
   # consider using the pre-installed 'udica' tool to create custom, targeted SELinux policies instead of
@@ -798,6 +800,7 @@ module "kube-hetzner" {
 
   # Adding extra firewall rules, like opening a port
   # More info on the format here https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs/resources/firewall
+  # Note: You can use the string "myipv4" as an IP address in the `source_ips` or `destination_ips` arrays and it will be replaced with the CIDR/32 of your IP as reported by myip.opendns.com. Use of "myipv4" requires `dig` to be available.
   # extra_firewall_rules = [
   #   {
   #     description = "For Postgres"

locals.tf

@@ -27,6 +27,17 @@ locals {
   dns_servers_ipv4 = [for ip in var.dns_servers : ip if provider::assert::ipv4(ip)]
   dns_servers_ipv6 = [for ip in var.dns_servers : ip if provider::assert::ipv6(ip)]
 
+  # My IPv4 related variables.
+  is_ref_myipv4_used = (
+    contains(coalesce(var.firewall_kube_api_source, []), var.myipv4_ref) ||
+    contains(coalesce(var.firewall_ssh_source, []), var.myipv4_ref) ||
+    contains(flatten([
+      for rule in var.extra_firewall_rules : concat(coalesce(rule.source_ips, []), coalesce(rule.destination_ips, []))
+    ]), var.myipv4_ref)
+  )
+  my_public_ipv4_cidr = try("${data.external.my_ip[0].result.ipv4}/32", null)
+
+
   additional_k3s_environment = join("\n",
     [
       for var_name, var_value in var.additional_k3s_environment :
@@ -509,8 +520,15 @@ locals {
   # merge the two lists
   firewall_rules_merged = merge(local.firewall_rules, local.extra_firewall_rules)
 
-  # convert the merged list back to a list
-  firewall_rules_list = values(local.firewall_rules_merged)
+  # replace "myipv4" (var.myipv4_ref) with the actual value, merge to a list
+  firewall_rules_list = [for key, rule in local.firewall_rules_merged : {
+    description     = rule.description
+    direction       = rule.direction
+    protocol        = rule.protocol
+    port            = rule.port
+    source_ips      = compact([for ip in lookup(rule, "source_ips", []) : ip == var.myipv4_ref ? local.my_public_ipv4_cidr : ip])
+    destination_ips = compact([for ip in lookup(rule, "destination_ips", []) : ip == var.myipv4_ref ? local.my_public_ipv4_cidr : ip])
+  } if rule != null]
 
   labels = {
     "provisioner" = "terraform",

main.tf

@@ -78,5 +78,11 @@ resource "hcloud_firewall" "k3s" {
       source_ips      = lookup(rule.value, "source_ips", [])
     }
   }
-}
 
+  lifecycle {
+    precondition {
+      condition     = !local.is_ref_myipv4_used || local.my_public_ipv4_cidr != null
+      error_message = "Failed to retrieve public IPv4 address for 'myipv4' replacement. Please check your internet connection and ensure 'dig' is installed."
+    }
+  }
+}

variables.tf

@@ -667,9 +667,29 @@ variable "automatically_upgrade_os" {
 }
 
 variable "extra_firewall_rules" {
-  type        = list(any)
+  type = list(object({
+    description     = optional(string, "")
+    direction       = string
+    protocol        = optional(string, "tcp")
+    port            = optional(string, null)
+    source_ips      = optional(list(string), [])
+    destination_ips = optional(list(string), [])
+  }))
+
   default     = []
   description = "Additional firewall rules to apply to the cluster."
+
+  validation {
+    condition = alltrue([
+      for rule in var.extra_firewall_rules : (
+        contains(["in", "out"], rule.direction) &&
+        (rule.direction == "in" ? length(rule.source_ips) > 0 : true) &&
+        (rule.direction == "out" ? length(rule.destination_ips) > 0 : true) &&
+        (contains(["tcp", "udp"], rule.protocol) ? rule.port != null && rule.port != "" : true)
+      )
+    ])
+    error_message = "Invalid firewall rule configuration: direction must be 'in' or 'out'; source_ips must be defined (non-empty) for 'in' rules; destination_ips must be defined (non-empty) for 'out' rules; for 'tcp' or 'udp' protocols, port must be defined (non-null and non-empty)."
+  }
 }
 
 variable "firewall_kube_api_source" {
@@ -684,6 +704,12 @@ variable "firewall_ssh_source" {
   description = "Source networks that have SSH access to the servers."
 }
 
+variable "myipv4_ref" {
+  type        = string
+  default     = "myipv4"
+  description = "Name to be used in firewall rules as a substitute for your own IPv4 address."
+}
+
 variable "use_cluster_name_in_node_name" {
   type        = bool
   default     = true

versions.tf

@@ -9,6 +9,10 @@ terraform {
       source  = "hetznercloud/hcloud"
       version = ">= 1.51.0"
     }
+    external = {
+      source  = "hashicorp/external"
+      version = "~> 2.0"
+    }
     local = {
       source  = "hashicorp/local"
       version = ">= 2.5.2"