
Commit a1a5c53

Mia-Crossbene2k1Gnoale
authored
feat(k8s): add cluster ACLs (#3033)
* feat(k8s): add ACL feature
* Apply suggestions from code review

Co-authored-by: Benedikt Rollik <[email protected]>
Co-authored-by: Guillaume Noale <[email protected]>

---------

Co-authored-by: Benedikt Rollik <[email protected]>
Co-authored-by: Guillaume Noale <[email protected]>
1 parent bb312bf commit a1a5c53


5 files changed

+4633
-0
lines changed


docs/resources/k8s_acl.md

Lines changed: 108 additions & 0 deletions
@@ -0,0 +1,108 @@
1+
---
2+
subcategory: "Kubernetes"
3+
page_title: "Scaleway: scaleway_k8s_acl"
4+
---
5+
6+
# Resource: scaleway_k8s_acl
7+
8+
Creates and manages Scaleway Kubernetes Cluster authorized IPs.
9+
For more information, please refer to the [API documentation](https://www.scaleway.com/en/developers/api/kubernetes/#path-access-control-list-add-new-acls).
10+
11+
~> **Important:** When creating a Cluster, it comes with a default ACL rule allowing all ranges `0.0.0.0/0`.
12+
Defining custom ACLs with Terraform will overwrite this rule, but it will be recreated automatically when deleting the ACL resource.
13+
14+
## Example Usage
15+
16+
### Basic
17+
18+
```terraform
19+
resource "scaleway_vpc_private_network" "acl_basic" {}
20+
21+
resource "scaleway_k8s_cluster" "acl_basic" {
22+
name = "acl-basic"
23+
version = "1.32.2"
24+
cni = "cilium"
25+
delete_additional_resources = true
26+
private_network_id = scaleway_vpc_private_network.acl_basic.id
27+
}
28+
29+
resource "scaleway_k8s_acl" "acl_basic" {
30+
cluster_id = scaleway_k8s_cluster.acl_basic.id
31+
acl_rules {
32+
ip = "1.2.3.4/32"
33+
description = "Allow 1.2.3.4"
34+
}
35+
acl_rules {
36+
scaleway_ranges = true
37+
description = "Allow all Scaleway ranges"
38+
}
39+
}
40+
```
41+
42+
### Full-isolation
43+
44+
```terraform
45+
resource "scaleway_vpc_private_network" "acl_basic" {}
46+
47+
resource "scaleway_k8s_cluster" "acl_basic" {
48+
name = "acl-basic"
49+
version = "1.32.2"
50+
cni = "cilium"
51+
delete_additional_resources = true
52+
private_network_id = scaleway_vpc_private_network.acl_basic.id
53+
}
54+
55+
resource "scaleway_k8s_acl" "acl_basic" {
56+
cluster_id = scaleway_k8s_cluster.acl_basic.id
57+
no_ip_allowed = true
58+
}
59+
```
60+
61+
## Argument Reference
62+
63+
The following arguments are supported:
64+
65+
- `cluster_id` - (Required) UUID of the cluster. The ID of the cluster is also the ID of the ACL resource, as there can only be one per cluster.
66+
67+
~> **Important:** Updates to `cluster_id` will recreate the ACL.
68+
69+
- `no_ip_allowed` - (Optional) If set to true, no IP will be allowed and the cluster will be in full-isolation.
70+
71+
~> **Important:** This field cannot be set to true if the `acl_rules` block is defined.
72+
73+
- `acl_rules` - (Optional) A list of ACLs (structure is described below)
74+
75+
~> **Important:** This block cannot be defined if the `no_ip_allowed` field is set to true.
76+
77+
- `region` - (Defaults to [provider](../index.md#arguments-reference) `region`) The [region](../guides/regions_and_zones.md#regions) in which the ACL rule should be created.
78+
79+
The `acl_rules` block supports:
80+
81+
- `ip` - (Optional) The IP range to whitelist in [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation)
82+
83+
~> **Important:** If the `ip` field is set, `scaleway_ranges` cannot be set to true in the same rule.
84+
85+
- `scaleway_ranges` - (Optional) Allow access to cluster from all Scaleway ranges as defined in [Scaleway Network Information - IP ranges used by Scaleway](https://www.scaleway.com/en/docs/console/account/reference-content/scaleway-network-information/#ip-ranges-used-by-scaleway).
86+
Only one rule with this field set to true can be added.
87+
88+
~> **Important:** If the `scaleway_ranges` field is set to true, the `ip` field cannot be set on the same rule.
89+
90+
- `description` - (Optional) A text describing this rule.
91+
92+
## Attributes Reference
93+
94+
In addition to all arguments above, the following attributes are exported:
95+
96+
- `id` - The ID of the ACL resource. It is the same as the ID of the cluster.
97+
98+
~> **Important:** Kubernetes ACLs' IDs are [regional](../guides/regions_and_zones.md#resource-ids), which means they are of the form `{region}/{id}`, e.g. `fr-par/11111111-1111-1111-1111-111111111111`
99+
100+
- `acl_rules.#.id` - The ID of each individual ACL rule.
101+
102+
## Import
103+
104+
Kubernetes ACLs can be imported using the `{region}/{cluster-id}`, e.g.
105+
106+
```bash
107+
terraform import scaleway_k8s_acl.acl01 fr-par/11111111-1111-1111-1111-111111111111
108+
```
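Review bot: The `acl_rules` block reference marks both `ip` and `scaleway_ranges` as Optional but never says what a rule with neither set means; please state that exactly one of the two must be set per rule (or what the API does with an empty rule), since the two Important notes only cover the case where both are set. Three smaller points: the note "Defining custom ACLs with Terraform will overwrite this rule, but it will be recreated automatically when deleting the ACL resource." is the most security-relevant sentence in the file, because destroying the resource silently puts the cluster API back on `0.0.0.0/0`, so it deserves a one-line reminder next to the Full-isolation example rather than only at the top; the Full-isolation example reuses the `acl_basic` resource names from the Basic example, so `acl_full_isolation` would let the two be pasted side by side; and the Import sentence "Kubernetes ACLs can be imported using the `{region}/{cluster-id}`, e.g." is missing the word "format" after the placeholder.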

internal/provider/provider.go

Lines changed: 1 addition & 0 deletions
@@ -185,6 +185,7 @@ func Provider(config *Config) plugin.ProviderFunc {
185185
"scaleway_ipam_ip": ipam.ResourceIP(),
186186
"scaleway_ipam_ip_reverse_dns": ipam.ResourceIPReverseDNS(),
187187
"scaleway_job_definition": jobs.ResourceDefinition(),
188+
"scaleway_k8s_acl": k8s.ResourceACL(),
188189
"scaleway_k8s_cluster": k8s.ResourceCluster(),
189190
"scaleway_k8s_pool": k8s.ResourcePool(),
190191
"scaleway_lb": lb.ResourceLb(),
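Review bot: The new `"scaleway_k8s_acl": k8s.ResourceACL(),` entry is correctly placed in alphabetical order between `scaleway_job_definition` and `scaleway_k8s_cluster`, but the schema it registers is not part of this view; please confirm that `k8s.ResourceACL()` enforces the `no_ip_allowed` / `acl_rules` and `ip` / `scaleway_ranges` exclusivity that docs/resources/k8s_acl.md documents at plan time (for example via `ConflictsWith` in the schema) rather than only returning an API error at apply time.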
