Merge pull request #5 from dodevops/feature/te/DO-1067-tfsec

feat(DO-1067): Security improvements due to tfsec findings

Author: timdeluxe

README.md

@@ -49,6 +49,12 @@ The following resources are used by this module:
 
 The following input variables are required:
 
+### api\_server\_ip\_ranges
+
+Description: The IP ranges to allow for incoming traffic to the server nodes. To disable the limitation, set an empty list as value.
+
+Type: `list(string)`
+
 ### client\_id
 
 Description: Azure client ID to use to manage Azure resources from the cluster, like f.e. load balancers
@@ -91,6 +97,12 @@ Description: Three letter project key
 
 Type: `string`
 
+### rbac\_managed\_admin\_groups
+
+Description: The group IDs that have admin access to the cluster. Have to be specified if rbac\_enabled is true
+
+Type: `list(string)`
+
 ### resource\_group
 
 Description: Azure Resource Group to use
@@ -225,15 +237,7 @@ Description: Enables RBAC on the cluster. If true, rbac\_managed\_admin\_groups
 
 Type: `bool`
 
-Default: `false`
-
-### rbac\_managed\_admin\_groups
-
-Description: The group IDs that have admin access to the cluster. Have to be specified if rbac\_enabled is true
-
-Type: `list(string)`
-
-Default: `[]`
+Default: `true`
 
 ### sku\_tier
 

main.tf

@@ -11,14 +11,22 @@ locals {
   cluster_name = "${lower(var.project)}${lower(var.stage)}k8s"
 }
 
+# Log analytics required for OMS Agent result processing - usually other logging solutions are used. Hence the affected tfsec rule is
+# ignored here
+#
+# IP limit for API is not really ignored, since the variable requires to enter something. However one can decide to disable the limitation
+# and it would trigger the tfsec rule. Hence the affected tfsec rule is ignored here
+#
+#tfsec:ignore:azure-container-logging tfsec:ignore:azure-container-limit-authorized-ips
 resource "azurerm_kubernetes_cluster" "k8s" {
-  name                = local.cluster_name
-  location            = var.location
-  resource_group_name = var.resource_group
-  tags                = var.tags
-  dns_prefix          = var.dns_prefix == "NONE" ? local.cluster_name : var.dns_prefix
-  sku_tier            = var.sku_tier
-  kubernetes_version  = var.kubernetes_version
+  name                            = local.cluster_name
+  location                        = var.location
+  resource_group_name             = var.resource_group
+  tags                            = var.tags
+  dns_prefix                      = var.dns_prefix == "NONE" ? local.cluster_name : var.dns_prefix
+  sku_tier                        = var.sku_tier
+  kubernetes_version              = var.kubernetes_version
+  api_server_authorized_ip_ranges = var.api_server_ip_ranges
 
   default_node_pool {
     name                 = var.default_node_pool_name

vars.tf

@@ -69,13 +69,12 @@ variable "node_storage" {
 variable "rbac_enabled" {
   type        = bool
   description = "Enables RBAC on the cluster. If true, rbac_managed_admin_groups have to be specified."
-  default     = false
+  default     = true
 }
 
 variable "rbac_managed_admin_groups" {
   type        = list(string)
   description = "The group IDs that have admin access to the cluster. Have to be specified if rbac_enabled is true"
-  default     = []
 }
 
 variable "default_node_pool_name" {
@@ -172,3 +171,7 @@ variable "ssh_public_key" {
   description = "SSH public key to access the kubernetes node with"
 }
 
+variable "api_server_ip_ranges" {
+  type        = list(string)
+  description = "The IP ranges to allow for incoming traffic to the server nodes. To disable the limitation, set an empty list as value."
+}