Enable SSH to Nomad configuration for GCP (#8)

CircleCI-Public · Nov 25, 2020 · 6a6ac55 · 6a6ac55
1 parent 2d19055
commit 6a6ac55
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 22 deletions.
diff --git a/gke/.gitignore b/gke/.gitignore
@@ -0,0 +1,3 @@
+.terraform
+remote-state.tf
+terraform.tfvars
diff --git a/gke/main.tf b/gke/main.tf
@@ -51,13 +51,15 @@ module "kube_private_cluster" {
 }
 
 module "nomad" {
-  source          = "./nomad"
-  project_loc     = var.project_loc
-  project_id      = var.project_id
-  basename        = var.basename
-  service_account = var.service_account
-  nomad_count     = var.nomad_count
-  network_name    = google_compute_network.circleci_net.name
+  source                  = "./nomad"
+  project_loc             = var.project_loc
+  project_id              = var.project_id
+  basename                = var.basename
+  service_account         = var.service_account
+  nomad_count             = var.nomad_count
+  ssh_enabled             = var.nomad_ssh_enabled
+  ssh_allowed_cidr_blocks = var.allowed_cidr_blocks
+  network_name            = google_compute_network.circleci_net.name
 }
 
 resource "google_storage_bucket" "data_bucket" {

diff --git a/gke/nomad/nomad.tf b/gke/nomad/nomad.tf
@@ -96,11 +96,8 @@ resource "google_compute_instance_template" "nomad_template" {
   tags = ["ssh", "nomad"]
 
   network_interface {
-
     network = var.network_name
-
     access_config {}
-
   }
 
   lifecycle {
@@ -113,15 +110,17 @@ resource "google_compute_instance_template" "nomad_template" {
 }
 
 resource "google_compute_firewall" "nomad_ssh" {
+  count       = var.ssh_enabled ? 1 : 0
   name        = "${local.basename}-nomad-ssh"
   description = "${local.basename} firewall rule for CircleCI Server Nomand component"
 
   allow {
     protocol = "tcp"
-    ports    = ["80"]
+    ports    = ["22"]
   }
-  target_tags = ["ssh", "nomad"]
-  network     = var.network_name
+  source_ranges = var.ssh_allowed_cidr_blocks
+  target_tags   = ["ssh", "nomad"]
+  network       = var.network_name
 }
 
 resource "google_compute_instance_group_manager" "nomad_manager" {
@@ -140,4 +139,4 @@ resource "google_compute_instance_group_manager" "nomad_manager" {
 
 resource "time_sleep" "wait_120_seconds" {
   create_duration = "120s"
-}
+}
diff --git a/gke/nomad/variables.tf b/gke/nomad/variables.tf
@@ -32,8 +32,19 @@ variable "nomad_count" {
   description = "The number of nomad clients to create"
 }
 
+variable "ssh_allowed_cidr_blocks" {
+  type        = list(string)
+  default     = ["0.0.0.0/0"]
+  description = "List of allowed source IP addresses that can access Nomad clients via SSH. Has no effect if `ssh_enabled` is not true."
+}
+
+variable "ssh_enabled" {
+  type        = bool
+  default     = false
+  description = "If true, SSH access to Nomad clients is enabled. If enabled, use `gcloud compute ssh` to manage keys."
+}
+
 variable "network_name" {
   type        = string
   description = "Name of the GCP network to attach to nomad"
 }
-
diff --git a/gke/terraform.tfvars.template b/gke/terraform.tfvars.template
@@ -19,10 +19,11 @@ enable_istio                   = false
 enable_intranode_communication = false
 enable_dashboard               = false
 
-# The CIDR ranges that are allowed to access the Kubernetes cluster.
-# Developers, this is typically the public IP address of your home/office network
-# IE ["1.2.3.4/32"]
-# The default is ["0.0.0.0/0"], which implements no IP restrictions
+# The CIDR ranges that are allowed to access the Kubernetes cluster and Nomad
+# clients if `nomad_ssh_enabled` is true.  Developers, this is typically the
+# public IP address of your home/office network IE ["1.2.3.4/32"] The default
+# is ["0.0.0.0/0"], which implements no IP restrictions
 # allowed_cidr_blocks = []
 
-nomad_count = 1
+nomad_count   = 1
+nomad_ssh_enabled = false # Set to true to allow SSH access to Nomad clients. Use `gcloud compute ssh` to manage keys
diff --git a/gke/variables.tf b/gke/variables.tf
@@ -101,10 +101,16 @@ variable "enable_dashboard" {
 variable "allowed_cidr_blocks" {
   type        = list(string)
   default     = ["0.0.0.0/0"]
-  description = "List of blocks allowed to access the kubernetes cluster"
+  description = "List of blocks allowed to access the kubernetes cluster. This list also limits access to Nomad clients if `nomad_ssh_enabled` is true."
 }
 
 variable "nomad_count" {
   type    = number
   default = 1
-}
+}
+
+variable "nomad_ssh_enabled" {
+  type        = bool
+  default     = false
+  description = "Enables SSH to Nomad clients. If enabled, use `gcloud compute ssh` to manage SSH keys"
+}