Initial Commit

README.md

@@ -1,2 +1,3 @@
 # terraform-kubernetes-traefik-middleware
-A simple collection of easy to use middlewares for traefik implemented in kubernetes
+
+A simple collection of easy to use middlewares for traefik implemented in terraform.

middleware.tf

@@ -0,0 +1,104 @@
+resource "kubernetes_manifest" "default-headers-middleware" {
+    manifest = {
+        apiVersion = "traefik.containo.us/v1alpha1"
+        kind       = "Middleware"
+        metadata   = {
+            name      = "default-headers"
+            namespace = var.namespace
+        }
+        spec = {
+            headers = merge({
+                frameDeny            = true
+                sslRedirect          = true
+                browserXssFilter     = true
+                contentTypeNosniff   = true
+                forceSTSHeader       = true
+                stsIncludeSubdomains = true
+                stsPreload           = true
+            }, var.default_headers)
+        }
+    }
+}
+
+resource "kubernetes_manifest" "forward-authentication-middleware" {
+    manifest = {
+        apiVersion = "traefik.containo.us/v1alpha1"
+        kind       = "Middleware"
+        metadata   = {
+            name      = "forward-authentication"
+            namespace = var.namespace
+        }
+        spec = {
+            forwardAuth = {
+                address = var.forward_auth_address
+            }
+        }
+    }
+}
+
+resource "kubernetes_manifest" "ip-whitelist-middleware" {
+    manifest = {
+        apiVersion = "traefik.containo.us/v1alpha1"
+        kind       = "Middleware"
+        metadata   = {
+            name      = "ip-whitelist"
+            namespace = var.namespace
+        }
+        spec = {
+            ipWhiteList = {
+                sourceRange = var.ip_whitelist_addresses
+            }
+        }
+    }
+}
+
+resource "kubernetes_manifest" "rate-limit-middleware" {
+    manifest = {
+        apiVersion = "traefik.containo.us/v1alpha1"
+        kind       = "Middleware"
+        metadata   = {
+            name      = "rate-limit"
+            namespace = var.namespace
+        }
+        spec = {
+            rateLimit = {
+                average = var.rate_limit_max_rps 
+                burst   = var.rate_limit_max_burst
+            }
+        }
+    }
+}
+
+resource "kubernetes_manifest" "redirect-regex-middleware" {
+    manifest = {
+        apiVersion = "traefik.containo.us/v1alpha1"
+        kind       = "Middleware"
+        metadata   = {
+            name      = "redirect-regex"
+            namespace = var.namespace
+        }
+        spec = {
+            redirectRegex = {
+                regex       = var.redirect_regex_pattern 
+                replacement = var.redirect_regex_replacement
+            }
+        }
+    }
+}
+
+resource "kubernetes_manifest" "redirect-https-middleware" {
+    manifest = {
+        apiVersion = "traefik.containo.us/v1alpha1"
+        kind       = "Middleware"
+        metadata   = {
+            name      = "redirect-https"
+            namespace = var.namespace
+        }
+        spec = {
+            redirectScheme = {
+                scheme    = "https"
+                permanent = true
+            }
+        }
+    }
+}

provider.tf

@@ -0,0 +1,6 @@
+terraform {
+  required_version = ">= 0.12"
+  required_providers {
+    kubernetes = ">= 2.10.0"
+  }
+}

variables.tf

@@ -0,0 +1,47 @@
+variable namespace {
+  type        = string
+  default     = "default"
+  description = "namespace"
+}
+
+variable default_headers {
+  type        = object
+  default     = {}
+  description = "Headers for default-headers, can be used to overwrite defaults"
+}
+
+variable forward_auth_address {
+    type        = string
+    default     = ""
+    description = "Address for forward-authentication middleware"
+}
+
+variable ip_whitelist_addresses {
+  type        = list
+  default     = []
+  description = "List of whitelisted addreses"
+}
+
+variable rate_limit_max_rps {
+  type        = number
+  default     = 500
+  description = "the maximum rate, by default in requests per second, allowed from a given source."
+}
+
+variable rate_limit_max_burst {
+  type        = number
+  default     = 100
+  description = "the maximum number of requests allowed to go through in the same arbitrarily small period of time."
+}
+
+variable redirect_regex_pattern {
+  type        = string
+  default     = "(.*)"
+  description = "regular expression to match and capture elements from the request URL."
+}
+
+variable redirect_regex_pattern {
+  type        = string
+  default     = "${1}"
+  description = "defines how to modify the URL to have the new target URL."
+}