Add `myipv4` as possible firewall setting input #1932

vsalomaki · 2025-10-11T20:20:35Z

Description

Add ability to use the string "myipv4" as a source_ip or destination_ip in the firewall rules. Idea is that the current external IP of the TF-user is retrieved using dig -4 +short myip.opendns.com @resolver1.opendns.com and if the "myipv4" is used in any of the firewall ip-ranges, the string is replaced with the IP-address retrieve from opendns.

Gemini

Summary of Changes

This pull request significantly enhances firewall configuration by allowing users to specify a dynamic placeholder, "myipv4", in their firewall rules. This placeholder is automatically resolved to the user's current public IPv4 address using an external dig command, eliminating the need for manual updates when their IP changes. The change integrates a robust IP detection script and refactors firewall rule processing to ensure flexible and convenient management of network access.

Highlights

Dynamic Public IPv4 Resolution: Introduced the ability to use a configurable placeholder string (default "myipv4") in firewall rules, which is dynamically resolved to the user's current public IPv4 address using the dig command.

Firewall Rule Integration: The placeholder can be used in source_ips or destination_ips arrays within firewall_kube_api_source, firewall_ssh_source, and extra_firewall_rules, and is replaced with the detected IP in CIDR/32 format.

Robust IP Detection Script: A bash script executed via the external Terraform provider fetches the IPv4, includes fallbacks (OpenDNS, Google DNS), and performs strict validation to ensure a valid IP is returned. The script is only executed if the placeholder is present in firewall rules.

New Terraform Provider Dependency: The hashicorp/external Terraform provider (~> 2.0) is now a required dependency to enable external command execution for IP detection.

Refactored Firewall Rule Processing: The locals.tf file now includes logic to iterate through merged firewall rules, replacing the placeholder with the resolved public IP and handling cases where rules are null or the placeholder is not used.

Changelog

data.tf

Added data "external" "my_ip" block to fetch the current public IPv4 address.

Implemented a bash script within the external data source that uses dig with OpenDNS and Google DNS as fallbacks to retrieve the IPv4 address.

The script includes robust validation for dig command existence, empty results, and strict IPv4 address format, exiting with an error if validation fails.

The execution of this data source is conditional, only running if var.my_ipv4_ref is found in any firewall rule definitions.

kube.tf.example

Updated comments for firewall_kube_api_source, firewall_ssh_source, and extra_firewall_rules to document the usage of the "myipv4" placeholder and its dependency on the dig command.

Added an example demonstrating the use of "myipv4" in firewall_ssh_source.

locals.tf

Introduced a new local variable my_public_ipv4_cidr which constructs the CIDR block (e.g., 1.2.3.4/32) from the fetched IP, using try for robustness.

Refactored the firewall_rules_list logic to iterate through merged firewall rules and dynamically replace var.my_ipv4_ref in source_ips and destination_ips arrays with local.my_public_ipv4_cidr.

The replacement logic uses try and compact to ensure robustness, handling cases where source_ips or destination_ips might be null or where the placeholder should be filtered out if the IP is not fetched.

variables.tf

Updated the extra_firewall_rules variable type to a more specific object structure, including description, direction, protocol, port, source_ips, and destination_ips.

Added a validation block for extra_firewall_rules to ensure the direction is either 'in' or 'out'.

Added a new string variable my_ipv4_ref with a default value of "myipv4", allowing users to customize the placeholder string for their IPv4 address in firewall rules.

versions.tf

Added the hashicorp/external Terraform provider as a required dependency with a version constraint of ~> 2.0.

gemini-code-assist · 2025-10-11T20:20:47Z

Summary of Changes

Hello @vsalomaki, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly improves the flexibility of firewall configurations by allowing users to specify 'myipv4' as a source or destination IP. This placeholder is automatically resolved to the user's current public IPv4 address, eliminating the need for manual updates when their IP changes. The change integrates an external data source to fetch the IP and updates the firewall rule processing to perform the necessary substitution.

Highlights

Dynamic IP Detection: Introduced a mechanism to automatically detect the user's public IPv4 address using the dig command and the external Terraform provider.
Firewall Rule Placeholder: Added support for a new 'myipv4' placeholder string in firewall source/destination IP arrays, which will be dynamically replaced with the detected public IPv4 address in CIDR/32 format.
Enhanced Firewall Configuration: Modified the firewall rule processing logic to identify and substitute the 'myipv4' placeholder, simplifying the configuration for allowing access from the user's current IP.
New Provider Dependency: Included the hashicorp/external Terraform provider as a required dependency to enable the execution of external commands for IP detection.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	`/gemini review`	Performs a code review for the current pull request in its current state.
Pull Request Summary	`/gemini summary`	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	`/gemini help`	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

gemini-code-assist

Code Review

This pull request introduces a convenient feature to use the string "myipv4" in firewall rules, which gets replaced by the user's public IPv4 address. The implementation uses an external data source to fetch the IP address.

My review focuses on improving the robustness of the IP fetching mechanism and simplifying some of the Terraform logic for better maintainability. Specifically, I've suggested changes to handle potential failures in retrieving the IP address to prevent Terraform errors.

A point of consideration is that this change introduces a new dependency on the dig command-line tool (from dnsutils or bind-utils), which must be installed on the machine running Terraform. It would be beneficial to document this requirement for users.

data.tf

locals.tf

vsalomaki · 2025-10-11T20:29:59Z

/gemini review

gemini-code-assist

Code Review

This pull request introduces a useful feature allowing 'myipv4' as a dynamic placeholder for the user's public IP in firewall rules. The implementation uses an external data source with dig to resolve the IP, and then substitutes it within the firewall rule definitions. The overall approach is solid. I've provided a couple of suggestions to enhance robustness and maintainability. One key suggestion is to add validation to the IP fetching script to handle non-IP responses gracefully. Another is to simplify the placeholder replacement logic in your Terraform configuration for better readability.

data.tf

locals.tf

vsalomaki · 2025-10-11T20:45:18Z

/gemini review

gemini-code-assist

Code Review

This pull request introduces a useful feature to dynamically use the current public IP in firewall rules. The implementation is generally good, but I've found a critical issue that could cause Terraform to fail, along with a couple of medium-severity issues related to robustness and documentation. My review includes suggestions to fix the critical bug, make the IP detection more robust, and clean up a comment in the example file. Overall, a great addition with these fixes applied.

locals.tf

data.tf

kube.tf.example

vsalomaki · 2025-10-11T20:56:11Z

/gemini review

gemini-code-assist

Code Review

This pull request introduces a useful feature to allow using "myipv4" in firewall rules, which is then dynamically replaced with the user's public IP address. The implementation is solid, leveraging an external data source. I've provided a couple of suggestions to enhance the robustness of the IP fetching script and to improve the readability and conciseness of the Terraform code that handles the IP replacement.

data.tf

locals.tf

vsalomaki · 2025-10-11T21:00:20Z

/gemini review

gemini-code-assist

Code Review

This pull request introduces a convenient feature to use "myipv4" in firewall rules, which gets dynamically replaced with the user's public IP address. The implementation is solid, leveraging an external data source. My review focuses on enhancing the robustness of this new feature. I've identified a potential issue with IP address validation and a scenario where a misconfiguration could lead to a Terraform error. I've provided specific code suggestions to address these points, making the feature more resilient and user-friendly.

locals.tf

data.tf

vsalomaki · 2025-10-11T21:09:02Z

/gemini summary

gemini-code-assist · 2025-10-11T21:09:24Z

Summary of Changes

This pull request significantly enhances the flexibility of firewall configurations by enabling the use of a dynamic 'myipv4' placeholder. This placeholder automatically resolves to the user's current public IPv4 address, eliminating the need for manual updates when their IP changes. The implementation integrates an external data source to fetch the IP and updates the firewall rule processing to perform the necessary substitution, making firewall management more convenient and robust.

Highlights

Dynamic Public IP Detection: Introduced a mechanism to automatically detect the user's public IPv4 address using the dig command and the external Terraform provider. This IP is then used in firewall rules.
Firewall Rule Placeholder: Added support for a new 'myipv4' placeholder string in firewall source_ips or destination_ips arrays. This placeholder is dynamically replaced with the detected public IPv4 address in CIDR/32 format.
Enhanced Firewall Configuration: Modified the firewall rule processing logic to identify and substitute the 'myipv4' placeholder, simplifying the configuration for allowing access from the user's current IP without manual updates.
New Provider Dependency: Included the hashicorp/external Terraform provider as a required dependency to enable the execution of external commands for IP detection.
Configurable IP Fetching: Added a new fetch_myip boolean variable (defaulting to true) to control whether the public IP address should be fetched and used in firewall rules.

Changelog

data.tf
- Added a new data "external" "my_ipv4" block to fetch the current public IPv4 address using a bash script that executes dig against myip.opendns.com.
- Implemented robust validation within the bash script to ensure the fetched value is a valid IPv4 address and handles potential errors gracefully.
- The execution of this data source is conditional on the new var.fetch_myip.
kube.tf.example
- Added a new commented variable fetch_myip with a default value of true.
- Updated comments for firewall_kube_api_source, firewall_ssh_source, and extra_firewall_rules to document the usage of the 'myipv4' placeholder and its dependencies (dig and fetch_myip = true).
- Included an example of using 'myipv4' in firewall_ssh_source.
locals.tf
- Introduced a new local variable my_public_ipv4_cidr which constructs the CIDR block (e.g., 1.2.3.4/32) from the fetched IP, conditional on var.fetch_myip.
- Refactored the firewall_rules_list logic to iterate through merged firewall rules and dynamically replace the 'myipv4' string in source_ips and destination_ips arrays.
- The replacement logic now uses concat and try to ensure robustness, handling cases where source_ips or destination_ips might be null or where fetch_myip is disabled (in which case 'myipv4' entries are simply removed).
variables.tf
- Added a new boolean variable fetch_myip with a default value of true and a descriptive comment.
versions.tf
- Added the hashicorp/external Terraform provider as a required dependency with a version constraint of ~> 2.0.

Activity

gemini-code-assist[bot] provided an initial summary of changes.
vsalomaki made multiple requests for /gemini review and /gemini summary.
gemini-code-assist[bot] provided several review comments, initially suggesting improvements for the robustness of the dig command's output handling (e.g., checking for empty strings, non-IP strings, multiple IPs, and using a stricter regex).
gemini-code-assist[bot] also suggested simplifying the source_ips and destination_ips logic using lookup() and try() functions.
A critical issue was identified by gemini-code-assist[bot] regarding the handling of 'myipv4' when fetch_myip is false, leading to the current robust concat and try implementation to filter out the placeholder in such cases.
A minor suggestion was made to complete an incomplete comment in kube.tf.example.

vsalomaki · 2025-10-11T22:04:34Z

/gemini review

gemini-code-assist

Code Review

This pull request introduces a convenient feature to use "myipv4" in firewall rules, which is dynamically replaced with the user's public IP. The implementation is well-structured, using a new fetch_myip variable to control the feature and an external data source to retrieve the IP address.

My review includes two suggestions for improvement:

In data.tf, I recommend adding a timeout to the dig command to make the IP fetching process more robust against network issues.
In locals.tf, I've proposed a refactoring of the logic that replaces "myipv4" to make it more concise and efficient.

Overall, this is a great enhancement to the module's flexibility.

data.tf

locals.tf

vsalomaki · 2025-10-11T22:09:26Z

/gemini review

gemini-code-assist

Code Review

This pull request introduces a convenient 'myipv4' placeholder for firewall rules, which dynamically resolves to the user's public IP address. The implementation uses a Terraform external data source to fetch the IP via a shell script. My review focuses on improving the robustness of this shell script by adding more specific error handling for cases like the 'dig' command not being available or network issues preventing IP retrieval. This will enhance the reliability and user-friendliness of the new feature.

data.tf

vsalomaki · 2025-10-11T22:19:35Z

/gemini review

gemini-code-assist

Code Review

This pull request introduces a valuable feature for dynamically configuring firewall rules using the myipv4 placeholder. The implementation is well-executed, using a Terraform external data source to fetch the user's public IP. My review focuses on enhancing the robustness of the IP detection, improving naming consistency for better clarity, and simplifying some of the new Terraform logic. Overall, these are great changes that improve the module's flexibility.

data.tf

locals.tf

variables.tf

vsalomaki · 2025-10-11T22:32:31Z

/gemini summary

gemini-code-assist

Code Review

This pull request introduces a valuable feature allowing the use of a dynamic "myipv4" placeholder in firewall rules. The implementation is well-executed, leveraging the external data source with a robust shell script for IP detection. The refactoring of firewall rule processing and the move to a strongly-typed object for extra_firewall_rules significantly improve the module's quality and maintainability. I have one suggestion to enhance the robustness of the logic that detects the usage of the placeholder.

locals.tf

vsalomaki · 2025-10-29T19:38:26Z

/gemini review

gemini-code-assist

Code Review

This pull request introduces a valuable feature by allowing the dynamic use of "myipv4" in firewall rules. The implementation is robust, using the external data source to fetch the user's public IP and intelligently replacing it in the firewall rule definitions. The refactoring of extra_firewall_rules to use a specific object type with validation is a significant improvement to the module's type safety and usability. My feedback includes a suggestion to simplify the IP-fetching script by using curl instead of dig to reduce external dependencies, and a minor simplification in the firewall rule processing logic.

data.tf

locals.tf

vsalomaki · 2025-10-29T21:28:23Z

/gemini review

gemini-code-assist

Code Review

This pull request introduces a convenient feature allowing the use of myipv4 as a dynamic placeholder for the user's public IP address in firewall rules. The implementation is well-thought-out, using the external data source to fetch the IP address via a shell script with fallbacks, and conditionally running it only when needed. The refactoring of the extra_firewall_rules variable to use a specific object type is also a significant improvement in type safety and clarity for the module's interface.

My review includes a couple of suggestions: one to enhance the robustness of the IP replacement logic to match the intent described in the pull request, and another to highlight a breaking change introduced by the stricter typing of firewall rules, which should be communicated to users. Overall, this is a valuable addition to the module.

locals.tf

variables.tf

vsalomaki · 2025-10-29T21:34:21Z

/gemini review

gemini-code-assist

Code Review

This pull request introduces a useful feature to dynamically use the runner's public IPv4 address in firewall rules by using the myipv4 placeholder. The implementation is solid, leveraging an external data source to execute a shell script that fetches the IP. The changes are well-structured, making good use of modern Terraform features like optional attributes and validation blocks for improved type safety and clarity. The documentation updates are also clear and helpful. I have one suggestion to improve the robustness of the IP-fetching shell script.

data.tf

vsalomaki · 2025-10-29T22:11:26Z

/gemini review

gemini-code-assist

Code Review

This pull request introduces a useful feature to allow myipv4 as a dynamic placeholder for the user's public IP in firewall rules. The implementation is robust, using an external data source with a bash script that includes fallbacks and error handling. The changes also improve the module's type safety by defining a specific object type for extra_firewall_rules. My review includes a couple of suggestions to further improve the API design of the new firewall rule variable and to enhance the robustness of the IP detection script.

data.tf

variables.tf

vsalomaki · 2025-10-29T22:29:58Z

/gemini review

gemini-code-assist

Code Review

This pull request introduces a valuable feature that allows using a dynamic 'myipv4' placeholder in firewall rules. The implementation is well-executed, using an external data source with a robust bash script for IP detection, including fallbacks. The changes significantly improve the module's usability and safety by introducing a strongly-typed extra_firewall_rules variable with comprehensive validation.

My main suggestion for improvement is to implement a fail-fast mechanism. If myipv4 is used but the IP address cannot be resolved, the current implementation will result in a provider-level error about an empty IP list, which might be confusing. I recommend adding a precondition block to the hcloud_firewall resource to catch this case early and provide a more specific error message to the user. For example:

resource "hcloud_firewall" "my_firewall" {
  # ... other arguments
  dynamic "rule" {
    for_each = local.firewall_rules_list
    content {
      # ... rule content
    }
  }

  lifecycle {
    precondition {
      condition     = !local.is_ref_myipv4_used || local.my_public_ipv4_cidr != null
      error_message = "Failed to retrieve public IPv4 address for 'myipv4' replacement. Please check your internet connection and ensure 'dig' is installed."
    }
  }
}

This would make the module even more user-friendly.

data.tf

vsalomaki · 2025-10-29T22:57:13Z

/gemini review

gemini-code-assist

Code Review

This pull request introduces a useful feature to dynamically use the user's public IPv4 in firewall rules. The implementation is mostly solid, leveraging the external data source and adding robust validation for firewall rule inputs. My main feedback focuses on improving the reliability of the IP address detection script by adding a fallback mechanism, which also aligns it with the documentation. I've also suggested a minor change to ensure that any failure in IP resolution fails loudly, preventing potential silent security misconfigurations. Overall, these are great additions to the module.

data.tf

locals.tf

vsalomaki · 2025-10-29T23:23:45Z

/gemini review

gemini-code-assist

Code Review

This pull request introduces a very useful feature, allowing the use of a dynamic myipv4 placeholder in firewall rules. The implementation is well thought out, using an external data source to fetch the user's public IP and a precondition lifecycle hook to ensure the apply fails safely if the IP cannot be resolved. The refactoring of extra_firewall_rules to use a specific object type with validation is also a great improvement for the module's robustness.

My main feedback is to make the IP detection script even more resilient by adding a fallback mechanism, as was mentioned in the pull request description. I've included a suggestion for this.

data.tf

…e ip-address is then fetched on terraform run from opendns (google as secondary)

vsalomaki · 2025-10-29T23:50:10Z

/gemini review

gemini-code-assist

Code Review

This pull request introduces a valuable feature by allowing the myipv4 placeholder in firewall rules, which dynamically resolves to the user's public IP address. The implementation is robust, leveraging an external data source, conditional logic, and clear user-facing validation through a precondition block. The refactoring of the extra_firewall_rules variable to use a specific object type with validation is also a significant improvement in module usability and safety.

My review identifies one high-severity issue in the shell script used for IP detection, where an incorrect DNS record type is queried, causing the primary lookup method to fail. Fixing this will make the feature work as originally intended. Overall, this is a well-executed enhancement to the module.

data.tf

vsalomaki · 2025-11-12T18:28:06Z

How to proceed, should these PRs be pointed to a different branch, other than "master"? @mysticaltech