I’d like to restrict my kubernetes cluster to only allow master api access from a range of ip addresses. In our configuration, this would be either from the SRE VPN or from Terraform Cloud (via the kubernetes provider)
On this page IP Ranges - API Docs - Terraform Cloud and Terraform Enterprise - Terraform by HashiCorp - it details ip ranges for ‘api’, ‘notifications’, ‘sentinel’ and ‘vcs.’ - do any of them cover the ip ranges of outbound connections coming FROM the providers in a terraform run on Terraform Cloud? That way, I can include these cidrs on the kubernetes cluster configuration
I believe the outgoing IP for the cloud runners don’t have a defined IP range, so if you want something more defined you’d need to take at running your own hosted runners.
This is correct! The transient execution environments Terraform Cloud uses by default have highly-dynamic source IP addresses and so there is no small range to restrict to.
The intended way to meet the use-case you described is to run Terraform Cloud Agents in your private network and have them access your Kubernetes cluster via internal network, rather than over the Internet. You can then avoid exposing your cluster to the public Internet at all. (However, the agents will still need to be able to make outgoing requests to Terraform Cloud in order to access their job queues.)
Thank you all for the replies! I will definitely go with the on site runner
Yes, but the agents are supported only on Business plan, and we don’t even know how much it costs as it says “contact sales”