fix(firewall): respect enable_ipv6 when auto-detecting IPs

mrclrchtr · claude · mrclrchtr · commit 5876e0c57e36 · 2025-11-25T21:59:14.000+01:00
- Change IPv6 data source count to require both firewall_use_current_ip AND enable_ipv6 - Restructure current_ips local to conditionally include IPv6 using concat pattern - Add retry blocks to both IPv4 and IPv6 data sources for better resilience - Update firewall_use_current_ip variable description to clarify IPv6 behavior Users without IPv6 connectivity can now safely use firewall_use_current_ip = true with enable_ipv6 = false without encountering HTTP request errors. Fixes #341 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/firewall.tf b/firewall.tf
@@ -2,18 +2,35 @@
 data "http" "personal_ipv4" {
   count = var.firewall_use_current_ip ? 1 : 0
   url   = "https://ipv4.icanhazip.com"
+
+  retry {
+    attempts     = 3
+    min_delay_ms = 1000
+    max_delay_ms = 2000
+  }
 }
 
 data "http" "personal_ipv6" {
-  count = var.firewall_use_current_ip ? 1 : 0
+  count = var.firewall_use_current_ip && var.enable_ipv6 ? 1 : 0
   url   = "https://ipv6.icanhazip.com"
+
+  retry {
+    attempts     = 3
+    min_delay_ms = 1000
+    max_delay_ms = 2000
+  }
 }
 
 locals {
-  current_ips = var.firewall_use_current_ip ? [
-    "${chomp(data.http.personal_ipv4[0].response_body)}/32",
-    "${chomp(data.http.personal_ipv6[0].response_body)}/128",
-  ] : []
+  # Current IPs list - always includes IPv4, conditionally includes IPv6
+  current_ips = var.firewall_use_current_ip ? concat(
+    [
+      "${chomp(data.http.personal_ipv4[0].response_body)}/32",
+    ],
+    var.firewall_use_current_ip && var.enable_ipv6 ? [
+      "${chomp(data.http.personal_ipv6[0].response_body)}/128",
+    ] : []
+  ) : []
 
   base_firewall_rules = concat(
     var.firewall_kube_api_source == null && !var.firewall_use_current_ip ? [] : [
diff --git a/variables.tf b/variables.tf
@@ -68,7 +68,9 @@ variable "firewall_use_current_ip" {
   default     = false
   description = <<EOF
     If true, the current IP address will be used as the source for the firewall rules.
-    ATTENTION: to determine the current IP, a request to a public service (https://ipv4.icanhazip.com) is made.
+    ATTENTION: to determine the current IP, requests to public services are made:
+    - IPv4 address is always fetched from https://ipv4.icanhazip.com
+    - IPv6 address is only fetched from https://ipv6.icanhazip.com if enable_ipv6 = true
   EOF
 }
 
