Removed client public IP auto detection

README.md

@@ -145,31 +145,21 @@ When your brand-new cluster is up and running, the sky is your limit! 🎉
 
 You can view all kinds of details about the cluster by running `terraform output kubeconfig` or `terraform output -json kubeconfig | jq`.
 
-### Connect via SSH
+To manage your cluster with `kubectl`, you can either use SSH to connect to a control plane node or connect to the Kube API directly.
 
-Connect to one of the control plane nodes via SSH with `ssh root@<cp-ipv4-address>`. Now you can use kubectl to manage your workloads right away. By default, the firewall only allows SSH connections from your public IPv4 address unless `firewall_ssh_source` is set to a different value in your kube.tf.
+### Connect via SSH
 
-To update your current public IPv4 address to the firewall, you can run:
-```bash
-terraform apply -target=module.kube-hetzner.hcloud_firewall.k3s
-```
+You can connect to one of the control plane nodes via SSH with `ssh root@<cp-ip-address>`. Now you are able to use `kubectl` to manage your workloads right away. By default, the firewall allows SSH connections from everywhere. You can change that by configuring the `firewall_ssh_source` in your kube.tf file.
 
 ### Connect via Kube API
 
-Add an additional firewall rule to your kube.tf to access the Kube API. Be careful when exposing the Kube API. It is recommended not to expose it to the public world. If possible, only allow connections from trusted source IPs. Example configuration:
+Make sure you can connect to the Kube API from a trusted network by configuring `firewall_kube_api_source` in your kube.tf file like that:
 ```hcl
-extra_firewall_rules = [
-  {
-    description = "Allow Incoming Requests to Kube API Server"
-    direction   = "in"
-    protocol    = "tcp"
-    port        = "6443"
-    source_ips  = ["1.2.3.4/32"]
-  }
-]
-```
-
-You can immediately kubectl into it (using the `clustername_kubeconfig.yaml` saved to the project's directory after the installation). By doing `kubectl --kubeconfig clustername_kubeconfig.yaml`, but for more convenience, either create a symlink from `~/.kube/config` to `clustername_kubeconfig.yaml` or add an export statement to your `~/.bashrc` or `~/.zshrc` file, as follows (you can get the path of `clustername_kubeconfig.yaml` by running `pwd`):
+firewall_kube_api_source = ["1.2.3.4/32"]
+```
+**Info:** Opening the Kube API to the public (`["0.0.0.0/0", "::/0"]`) is not recommended!
+
+If you have access to the Kube API, you can immediately kubectl into it (using the `clustername_kubeconfig.yaml` saved to the project's directory after the installation). By doing `kubectl --kubeconfig clustername_kubeconfig.yaml`, but for more convenience, either create a symlink from `~/.kube/config` to `clustername_kubeconfig.yaml` or add an export statement to your `~/.bashrc` or `~/.zshrc` file, as follows (you can get the path of `clustername_kubeconfig.yaml` by running `pwd`):
 
 ```sh
 export KUBECONFIG=/<path-to>/clustername_kubeconfig.yaml

data.tf

@@ -39,14 +39,3 @@ data "hcloud_ssh_keys" "keys_by_selector" {
   count         = length(var.ssh_hcloud_key_label) > 0 ? 1 : 0
   with_selector = var.ssh_hcloud_key_label
 }
-
-data "http" "client_public_ipv4" {
-  url = "https://ipv4.icanhazip.com"
-
-  lifecycle {
-    postcondition {
-      condition     = self.status_code == 200
-      error_message = "Status code invalid"
-    }
-  }
-}

kube.tf.example

@@ -482,22 +482,18 @@ module "kube-hetzner" {
   # If you want to allow all outbound traffic you can set this to "false". Default is "true".
   # restrict_outbound_traffic = false
 
-  # Allow SSH access from the specified networks. By default the public IPv4 address is automatically determined and applied to the firewall.
-  # If you want to update the firewall with your current public IP, you can execute `terraform apply -target=module.kube-hetzner.hcloud_firewall.k3s`.
-  # Allowed values: null (disable ssh rule entirely), [] (automatic IPv4 detection) or a list of allowed networks with CIDR notation (detection disabled) 
-  # firewall_ssh_source = ["0.0.0.0/0", "::/0"]
+  # Allow access to the Kube API from the specified networks. Default: ["0.0.0.0/0", "::/0"]
+  # Allowed values: null (disable Kube API rule entirely) or a list of allowed networks with CIDR notation
+  firewall_kube_api_source = null
+
+  # Allow SSH access from the specified networks. Default: ["0.0.0.0/0", "::/0"]
+  # Allowed values: null (disable SSH rule entirely) or a list of allowed networks with CIDR notation
+  # firewall_ssh_source = ["1.2.3.4/32", "1234::1/128"]
 
   # Adding extra firewall rules, like opening a port
   # More info on the format here https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs/resources/firewall
   # extra_firewall_rules = [
   #   {
-  #     description = "Allow Incoming Requests to Kube API Server"
-  #     direction   = "in"
-  #     protocol    = "tcp"
-  #     port        = "6443"
-  #     source_ips  = ["1.2.3.4/32"]
-  #   },
-  #   {
   #     description = "For Postgres"
   #     direction       = "in"
   #     protocol        = "tcp"

locals.tf

@@ -144,9 +144,18 @@ locals {
         direction   = "in"
         protocol    = "tcp"
         port        = var.ssh_port
-        source_ips  = coalescelist(var.firewall_ssh_source, ["${chomp(data.http.client_public_ipv4.response_body)}/32"])
+        source_ips  = var.firewall_ssh_source
       },
     ],
+    var.firewall_kube_api_source == null ? [] : [
+      {
+        description = "Allow Incoming Requests to Kube API Server"
+        direction   = "in"
+        protocol    = "tcp"
+        port        = "6443"
+        source_ips  = var.firewall_kube_api_source
+      }
+    ],
     !var.restrict_outbound_traffic ? [] : [
       # Allow basic out traffic
       # ICMP to ping outside services

variables.tf

@@ -379,9 +379,15 @@ variable "extra_firewall_rules" {
   description = "Additional firewall rules to apply to the cluster."
 }
 
+variable "firewall_kube_api_source" {
+  type        = list(string)
+  default     = ["0.0.0.0/0", "::/0"]
+  description = "Source networks that have Kube API access to the servers."
+}
+
 variable "firewall_ssh_source" {
   type        = list(string)
-  default     = []
+  default     = ["0.0.0.0/0", "::/0"]
   description = "Source networks that have SSH access to the servers."
 }
 

versions.tf

@@ -9,10 +9,6 @@ terraform {
       source  = "hetznercloud/hcloud"
       version = ">= 1.41.0"
     }
-    http = {
-      source  = "hashicorp/http"
-      version = ">= 3.0"
-    }
     local = {
       source  = "hashicorp/local"
       version = ">= 2.0.0"