From cb97668b630a2cc2e53a92a21ef30c573a8588ef Mon Sep 17 00:00:00 2001
From: Felix Nehrke
Date: Fri, 17 Oct 2025 01:54:32 +0200
Subject: [PATCH] Define IPs which have access to the kubernetes-API and SSH as variables

I liked the idea to have these IPs dynamically detected at runtime, though some research showed that my current provider only renews these every 180 days, nowadays. So, no need for such a hyper-dynamic solution. Instead I use a variable now, which brings some other benefits, like adding arbitrary IPs as well. This might become handy in cases of CI/CD.
---
 main.tf | 12 ++----------
 variables.tf | 11 ++++++++---
 versions.tf | 5 -----
 3 files changed, 10 insertions(+), 18 deletions(-)

diff --git a/main.tf b/main.tf
index 817f943..3234a7e 100644
--- a/main.tf
+++ b/main.tf
@@ -24,14 +24,6 @@ resource "hcloud_primary_ip" "k8s_ipv6" {
 auto_delete = !var.k8s_test_installation
 }
 
-data "external" "my_ip" {
-program = [
-"sh",
-"-c",
-"(dig TXT +short -4 o-o.myaddr.l.google.com @ns1.google.com && dig TXT +short -6 o-o.myaddr.l.google.com @ns1.google.com) | jq '{(.): .}' | jq -s add"
-]
-}
-
 module "k8s" {
 source = "./modules/hetzner/kubernetes"
 
@@ -48,8 +40,8 @@ module "k8s" {
 location = var.k8s_location
 count = var.k8s_agent_count
 }]
-kubernetes_exposed_ips = var.expose_kubernetes_and_ssh_ports ? values(data.external.my_ip.result) : []
-ssh_exposed_ips = var.expose_kubernetes_and_ssh_ports ? values(data.external.my_ip.result) : []
+kubernetes_exposed_ips = var.kubernetes_allowed_ips
+ssh_exposed_ips = var.ssh_allowed_ips
 ssh_port = 1022
 public_tcp_services = {
 git-ssh = ["22"]
diff --git a/variables.tf b/variables.tf
index 0c722e3..b73e07e 100644
--- a/variables.tf
+++ b/variables.tf
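Review bot: The `? … : []` guard on `kubernetes_exposed_ips` and `ssh_exposed_ips` is gone, so both module inputs are now always taken from the new variables, and since neither `kubernetes_allowed_ips` nor `ssh_allowed_ips` carries a `default` in the variables.tf hunk, a non-interactive run such as `terraform plan -input=false` fails until both are passed via `-var` or a `.tfvars` file, where the removed flag defaulted to `false` and therefore to an empty list. That still fails closed, which is fine, but the commit message names CI/CD as a motivation and does not say that both values now have to be supplied there. If "nothing exposed" should remain the out-of-the-box state, `default = []` on both variables restores it without reintroducing the flag. The `module "k8s"` block begins before this hunk and continues past it.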
@@ -1,6 +1,11 @@
-variable "expose_kubernetes_and_ssh_ports" {
-type = bool
-default = false
+variable "kubernetes_allowed_ips" {
+type = set(string)
+description = "A set of IPs (IPv4 and IPv6) which have access to the kubernetes API."
+}
+
+variable "ssh_allowed_ips" {
+type = set(string)
+description = "A set of IPs (IPv4 and IPv6) which can access the cluster via SSH."
 }
 
 variable "hetzner_dns_apitoken" {
diff --git a/versions.tf b/versions.tf
index c26d3ff..b107119 100644
--- a/versions.tf
+++ b/versions.tf
@@ -26,10 +26,6 @@ terraform {
 source = "hashicorp/random"
 version = "3.7.1"
 }
-external = {
-source = "hashicorp/external"
-version = "2.3.4"
-}
 }
 }
 
@@ -42,4 +38,3 @@ provider "hcloud" {
 }
 
 provider "random" {}
-provider "external" {}
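Review bot: Both new variables accept any string for their entries, and the descriptions do not say whether an entry is a bare address or a CIDR block, so a malformed entry is only noticed when the module builds its rules, if at all. The removed `my_ip` data source fed bare addresses from `dig` into the same module inputs, so bare addresses are presumably still accepted; a `validation` block that admits either form rejects typos at plan time, and the description should name the accepted forms, e.g. `description = "Addresses (bare IPv4/IPv6 or CIDR blocks) which have access to the kubernetes API."`. Such a check does not stop an intentionally broad entry like `0.0.0.0/0`, which stays an operator decision. The same validation belongs on `ssh_allowed_ips`.
```hcl
variable "kubernetes_allowed_ips" {
  type        = set(string)
  description = "Addresses (bare IPv4/IPv6 or CIDR blocks) which have access to the kubernetes API."

  validation {
    # cidrhost() parses CIDR notation only; appending /32 admits bare IPv4 and IPv6 addresses.
    condition = alltrue([
      for ip in var.kubernetes_allowed_ips :
      can(cidrhost(ip, 0)) || can(cidrhost("${ip}/32", 0))
    ])
    error_message = "Every entry must be an IPv4/IPv6 address or CIDR block (example values: 203.0.113.7, 203.0.113.0/24, 2001:db8::/64)."
  }
}
# … unchanged: ssh_allowed_ips, with the same validation over var.ssh_allowed_ips …
```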