client_cidrs for OCI

chadgeary · Nov 17, 2020 · 595c710 · 595c710
1 parent f8e2e4e
commit 595c710
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 1 deletion.
diff --git a/oci/oci-network.tf b/oci/oci-network.tf
@@ -121,4 +121,26 @@ resource "oci_core_default_security_list" "ph-security-list-directdns" {
       min                          = "53"
     }
   }
+  dynamic ingress_security_rules {
+    for_each                     = var.client_cidrs
+    content {
+      protocol                     = 6
+      source                       = ingress_security_rules.value
+      tcp_options {
+        max                          = "53"
+        min                          = "53"
+      }
+    }
+  }
+  dynamic ingress_security_rules {
+    for_each                     = var.client_cidrs
+    content {
+      protocol                     = 17
+      source                       = ingress_security_rules.value
+      udp_options {
+        max                          = "53"
+        min                          = "53"
+      }
+    }
+  }
 }
diff --git a/oci/oci.tfvars b/oci/oci.tfvars
@@ -19,9 +19,13 @@ doh_provider = "opendns"
 # either "dns" "peers" or "all"
 vpn_traffic = "dns"
 
-# a value of 1 permits mgmt_cidr access to DNS without the VPN
+# a value of 1 permits mgmt_cidr and client_cidrs access to DNS without the VPN
 dns_novpn = 1
 
+# additional client networks granted access pihole DNS without the VPN, example format:
+# client_cidrs = ["127.0.0.1/32","8.8.8.8/32"]
+client_cidrs = []
+
 ## UNCOMMON ##
 # If you're using the free-tier, see which region/ad is free-tier compatible run the following two commands and look for value: 2
 # OCI_TENANCY_OCID=$(oci iam compartment list --all --compartment-id-in-subtree true --access-level ACCESSIBLE --include-root --raw-output --query "data[?contains(\"id\",'tenancy')].id | [0]")