diff --git a/terraform/main.tf b/terraform/main.tf
index f762a6b..ef5f4af 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -67,3 +67,27 @@ module "pubsub" {
 labels = local.common_labels
 }
+
+# =============================================================================
+# External API Access (optional firewall rule for LoadBalancer health checks)
+# =============================================================================
+resource "google_compute_firewall" "allow_lb_health_checks" {
+ count = var.enable_external_api && var.cloud_provider == "gke" ? 1 : 0
+ name = "${local.cluster_name}-allow-lb-health-checks"
+ network = var.gcp_network
+ project = var.gcp_project_id
+
+ allow {
+ protocol = "tcp"
+ ports = ["8000"] # HyperFleet API port
+ }
+
+ # GCP Load Balancer health check source ranges
+ # https://cloud.google.com/load-balancing/docs/health-check-concepts#ip-ranges
+ source_ranges = ["35.191.0.0/16", "130.211.0.0/22"]
+
+ # Target GKE nodes
+ target_tags = ["gke-${local.cluster_name}"]
+
+ description = "Allow GCP health checks for LoadBalancer services exposing HyperFleet API"
+}
diff --git a/terraform/modules/cluster/gke/main.tf b/terraform/modules/cluster/gke/main.tf
index 6abfd54..9c11a3e 100644
--- a/terraform/modules/cluster/gke/main.tf
+++ b/terraform/modules/cluster/gke/main.tf
@@ -37,11 +37,14 @@ resource "google_container_node_pool" "primary" {
 node_count = var.node_count
 node_config {
- machine_type = var.machine_type
- disk_size_gb = var.disk_size_gb
- spot = var.use_spot_vms
+ machine_type = var.machine_type
+ disk_size_gb = var.disk_size_gb
+ spot = var.use_spot_vms
 resource_labels = var.labels
+ # Network tags for firewall rules (e.g., LoadBalancer health checks)
+ tags = ["gke-${var.cluster_name}"]
+
 oauth_scopes = [
 "https://www.googleapis.com/auth/cloud-platform"
 ]
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
index 8cdbb8f..b63b502 100644
--- a/terraform/outputs.tf
+++ b/terraform/outputs.tf
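Review bot: The rule opens tcp/8000 on the tagged nodes, but a GKE Service of type LoadBalancer is normally health-checked on a NodePort (the Service's node port, or `healthCheckNodePort` when `externalTrafficPolicy: Local`) rather than on the container port, so unless the Service is container-native the checks this rule is meant to admit may still be blocked; the port should be confirmed against the actual Service and the `ports` comment updated to say which port is meant. GKE also creates its own health-check firewall rules for LoadBalancer Services when its service account is allowed to manage firewalls, so this explicit rule presumably only matters in Shared-VPC or restricted-IAM projects — worth stating in the header comment so nobody removes it as redundant or keeps it without reason. `target_tags` must stay in lockstep with the tag set in the gke module; a comment such as `# Must match node_config.tags in modules/cluster/gke` would make the coupling visible where it is consumed.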
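Review bot: `tags` is added to `node_config` of an existing node pool, and depending on the google provider version this attribute may force replacement of the pool rather than an in-place update, so the plan for an already-deployed cluster should be checked before merging. The tag is applied unconditionally and duplicates the literal used as `target_tags` in the root firewall rule; exposing it from the module, e.g. `output "node_network_tag" { value = "gke-${var.cluster_name}" }`, and consuming that output in the root rule would leave a single source of truth. The enclosing node_config block continues outside the hunk.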
@@ -67,3 +67,17 @@ output "helm_values_snippet" {
 description = "Snippet to add to Helm values for Workload Identity and Pub/Sub configuration"
 value = var.use_pubsub ? module.pubsub[0].helm_values_snippet : null
 }
+
+# =============================================================================
+# External API Access
+# =============================================================================
+
+output "external_api_enabled" {
+ description = "Whether external API access is enabled (LoadBalancer firewall rules)"
+ value = var.enable_external_api
+}
+
+output "external_api_note" {
+ description = "Instructions for external API access"
+ value = var.enable_external_api ? "External API access is ENABLED. Deploy with: helm install hyperfleet charts/hyperfleet-gcp --set base.hyperfleet-api.service.type=LoadBalancer -n hyperfleet-system" : "External API access is DISABLED. Set enable_external_api=true to enable."
+}
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 32921be..08fbb6c 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -162,3 +162,12 @@ variable "pubsub_topic_configs" {
 }
 }
 }
+
+# =============================================================================
+# External API Access
+# =============================================================================
+variable "enable_external_api" {
+ description = "Enable external access to HyperFleet API via LoadBalancer service"
+ type = bool
+ default = false
+}
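Review bot: `external_api_enabled` reports `var.enable_external_api`, but the firewall rule in main.tf is created only when `var.cloud_provider == "gke"` as well, so on any other provider this output (and the ENABLED branch of `external_api_note`) claims a firewall rule that does not exist. Deriving it from the resource, `value = length(google_compute_firewall.allow_lb_health_checks) > 0`, keeps the output and the rule in sync without a second copy of the condition. The helm command quoted in `external_api_note` switches the Service to LoadBalancer with no client restriction at all; if the chart exposes it, the note should also point at limiting the Service's allowed sources (`loadBalancerSourceRanges` on the Service) — confirm the chart's value path before quoting one, since the flag used here is the only chart value visible in this change.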
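Review bot: The description of `enable_external_api` does not say that the flag has an effect only when `cloud_provider` is `"gke"`, nor that what it creates is a rule admitting Google's health-check ranges to the API port — who may reach the API itself is decided by the Service, not by this variable, and "Enable external access" reads as if it were. Suggest `description = "Create the GCP firewall rule that lets Google Cloud health checks reach the HyperFleet API port on GKE nodes (only used when cloud_provider = \"gke\"). Does not itself restrict client access to the API."`.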