digitalocean / terraform-provider-digitalocean

Terraform DigitalOcean provider
https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs
Mozilla Public License 2.0

Kubernetes Cluster creates firewall automatically #490

Open gfmio opened 4 years ago

gfmio commented 4 years ago

Hi there,

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.

Terraform Version

Run terraform -v to show the version. If you are not running the latest version of Terraform, please upgrade because your issue may have already been fixed.

Affected Resource(s)

Please list the resources as a list, for example:

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

resource "digitalocean_vpc" "vpc" {
  name     = "${var.name}-vpc"
  region   = var.region
  ip_range = var.vpc_ip_range
}

resource "digitalocean_loadbalancer" "lb_1" {
  name     = "${var.name}-lb-1"
  region   = var.region
  vpc_uuid = digitalocean_vpc.vpc.id

  forwarding_rule {
    entry_port     = 80
    entry_protocol = "http"

    target_port     = 32080
    target_protocol = "http"
  }

  forwarding_rule {
    entry_port     = 443
    entry_protocol = "https"

    target_port     = 32443
    target_protocol = "https"

    tls_passthrough = true
  }

  healthcheck {
    path     = "/healthz"
    port     = 32080
    protocol = "http"
  }

  droplet_tag = var.droplet_tag
}

resource "digitalocean_kubernetes_cluster" "cluster" {
  auto_upgrade = true
  name         = "${var.name}-k8s-cluster"
  region       = var.region
  version      = var.kubernetes_version
  vpc_uuid     = digitalocean_vpc.vpc.id

  node_pool {
    name       = "${var.name}-worker-pool"
    size       = "s-2vcpu-4gb"
    auto_scale = true
    min_nodes  = 3
    max_nodes  = 5
    tags       = [var.droplet_tag]
  }
}

# Intended to be the only firewall on the tagged nodes: inbound traffic is
# allowed from the VPC range only, so nodes are reachable just via the LB.
resource "digitalocean_firewall" "firewall" {
  name = "vpc-only"

  tags = [var.droplet_tag]

  inbound_rule {
    port_range       = "1-65535"
    protocol         = "tcp"
    source_addresses = [digitalocean_vpc.vpc.ip_range]
  }

  inbound_rule {
    port_range       = "1-65535"
    protocol         = "udp"
    source_addresses = [digitalocean_vpc.vpc.ip_range]
  }

  inbound_rule {
    protocol         = "icmp"
    source_addresses = [digitalocean_vpc.vpc.ip_range]
  }
}

Debug Output

Please provide a link to a GitHub Gist containing the complete debug output: https://www.terraform.io/docs/internals/debugging.html. Please do NOT paste the debug output in the issue; just paste a link to the Gist.

Panic Output

If Terraform produced a panic, please provide a link to a GitHub Gist containing the output of the crash.log.

Expected Behavior

What should have happened?

The VPC is created, the load balancer is created, the Kubernetes cluster with the default node pool is created and the firewall is created. Nodes are only accessible via the load balancer. When trying to use a public port of the nodes, there's no response.

Actual Behavior

What actually happened?

The resources are created, but DO always creates a default firewall for the cluster. This cannot be prevented, it seems, because it also happens when creating the resources in the UI. The DO firewalls are whitelists. Anything that is whitelisted in any of the DO firewalls is permitted. Hence, I cannot make the firewall any stricter than what the default firewall allows.

As a workaround, I can go into the UI and manually delete the auto-created firewall, but that's not ideal.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply

Important Factoids

Is there anything atypical about your accounts that we should know? For example: Running in EC2 Classic? Custom version of OpenStack? Tight ACLs?

References

Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example:
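The allow-list union semantics the report describes (traffic is permitted if any firewall applied to the droplet allows it) can be checked with a small model. This is an added example, not code from the provider or from the issue author; the VPC range 10.10.0.0/16 and the rule set of the auto-created cluster firewall are constructed assumptions (the real auto-created rules must be read from the DO control panel or API).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp" or "icmp"
    port_range: str  # "1-65535", "32080", or "" for icmp
    sources: tuple   # CIDR strings

    def matches(self, protocol, port, src_ip):
        if protocol != self.protocol:
            return False
        if self.protocol != "icmp":
            lo, _, hi = self.port_range.partition("-")
            lo, hi = int(lo), int(hi) if hi else int(lo)
            if not lo <= port <= hi:
                return False
        ip = ipaddress.ip_address(src_ip)
        # ip_network.__contains__ returns False on an IPv4/IPv6 mismatch
        return any(ip in ipaddress.ip_network(c, strict=False) for c in self.sources)


def allowed(firewalls, protocol, port, src_ip):
    """DO semantics as stated in the issue: permitted if ANY attached firewall
    has an inbound rule that matches; a stricter extra firewall adds nothing."""
    return any(r.matches(protocol, port, src_ip) for fw in firewalls for r in fw)


def public_exposure(firewalls, protocol, ports):
    """Ports reachable from an arbitrary public address despite all firewalls."""
    probe = "203.0.113.7"  # documentation range, stands in for "the internet"
    return [p for p in ports if allowed(firewalls, protocol, p, probe)]


# Constructed sample mirroring the reporter's "vpc-only" firewall.
VPC_ONLY = (
    Rule("tcp", "1-65535", ("10.10.0.0/16",)),
    Rule("udp", "1-65535", ("10.10.0.0/16",)),
    Rule("icmp", "", ("10.10.0.0/16",)),
)
# Hypothetical auto-created cluster firewall opening the default NodePort range.
AUTO_CREATED = (
    Rule("tcp", "30000-32767", ("0.0.0.0/0", "::/0")),
)

if __name__ == "__main__":
    print(public_exposure([VPC_ONLY], "tcp", [22, 32080, 32443]))                # []
    print(public_exposure([VPC_ONLY, AUTO_CREATED], "tcp", [22, 32080, 32443]))  # [32080, 32443]
```

Running the audit against the real rule sets pulled from the API is the check to run after apply: if the list is non-empty, the LB-only intent is not met regardless of how strict the Terraform-managed firewall is.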

zeppelinen commented 3 years ago

Terraform should handle the auto-created firewall the same way it does with the digitalocean_database_firewall resource.