openshift-hyperfleet · ciaranRoche · Jan 12, 2026 · Jan 13, 2026
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -67,3 +67,27 @@ module "pubsub" {
 
   labels = local.common_labels
 }
+
+# =============================================================================
+# External API Access (optional firewall rule for LoadBalancer health checks)
+# =============================================================================
+resource "google_compute_firewall" "allow_lb_health_checks" {
+  count   = var.enable_external_api && var.cloud_provider == "gke" ? 1 : 0
+  name    = "${local.cluster_name}-allow-lb-health-checks"
+  network = var.gcp_network
+  project = var.gcp_project_id
+
+  allow {
+    protocol = "tcp"
+    ports    = ["8000"] # HyperFleet API port
+  }
+
+  # GCP Load Balancer health check source ranges
+  # https://cloud.google.com/load-balancing/docs/health-check-concepts#ip-ranges
+  source_ranges = ["35.191.0.0/16", "130.211.0.0/22"]
+
+  # Target GKE nodes
+  target_tags = ["gke-${local.cluster_name}"]
+
+  description = "Allow GCP health checks for LoadBalancer services exposing HyperFleet API"
+}
diff --git a/terraform/modules/cluster/gke/main.tf b/terraform/modules/cluster/gke/main.tf
@@ -37,11 +37,14 @@ resource "google_container_node_pool" "primary" {
   node_count = var.node_count
 
   node_config {
-    machine_type = var.machine_type
-    disk_size_gb = var.disk_size_gb
-    spot         = var.use_spot_vms
+    machine_type    = var.machine_type
+    disk_size_gb    = var.disk_size_gb
+    spot            = var.use_spot_vms
     resource_labels = var.labels
 
+    # Network tags for firewall rules (e.g., LoadBalancer health checks)
+    tags = ["gke-${var.cluster_name}"]
+
     oauth_scopes = [
       "https://www.googleapis.com/auth/cloud-platform"
     ]

diff --git a/terraform/outputs.tf b/terraform/outputs.tf
@@ -67,3 +67,17 @@ output "helm_values_snippet" {
   description = "Snippet to add to Helm values for Workload Identity and Pub/Sub configuration"
   value       = var.use_pubsub ? module.pubsub[0].helm_values_snippet : null
 }
+
+# =============================================================================
+# External API Access
+# =============================================================================
+
+output "external_api_enabled" {
+  description = "Whether external API access is enabled (LoadBalancer firewall rules)"
+  value       = var.enable_external_api
+}
+
+output "external_api_note" {
+  description = "Instructions for external API access"
+  value       = var.enable_external_api ? "External API access is ENABLED. Deploy with: helm install hyperfleet charts/hyperfleet-gcp --set base.hyperfleet-api.service.type=LoadBalancer -n hyperfleet-system" : "External API access is DISABLED. Set enable_external_api=true to enable."
+}
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -162,3 +162,12 @@ variable "pubsub_topic_configs" {
     }
   }
 }
+
+# =============================================================================
+# External API Access
+# =============================================================================
+variable "enable_external_api" {
+  description = "Enable external access to HyperFleet API via LoadBalancer service"
+  type        = bool
+  default     = false
+}