From 99f8378322e03362c3c4e13084318c6bd53bdb1b Mon Sep 17 00:00:00 2001
From: Brent Barbachem
Date: Mon, 9 Jan 2023 15:44:58 -0500
Subject: [PATCH] BUG 2110982: GCP skip public loadbalancer ip addresses

** There is no need to add the public load balancer IP addresses to firewall rules when the cluster is internal.
** The internal load balancer ip addresses will be present for internal and external cluster.
---
 data/data/gcp/cluster/network/firewall.tf | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/data/data/gcp/cluster/network/firewall.tf b/data/data/gcp/cluster/network/firewall.tf
index 9fc10e6a9a3..23e7b65a03b 100644
--- a/data/data/gcp/cluster/network/firewall.tf
+++ b/data/data/gcp/cluster/network/firewall.tf
@@ -28,8 +28,10 @@ resource "google_compute_firewall" "health_checks" {
     ports = ["6080", "6443", "22624"]
   }
 
-  source_ranges = ["35.191.0.0/16", "130.211.0.0/22", "209.85.152.0/22", "209.85.204.0/22"]
-  target_tags = ["${var.cluster_id}-master"]
+  # Add the public load balancer ips when the cluster is public/external
+  source_ranges = concat(["35.191.0.0/16", "130.211.0.0/22"], var.public_endpoints ? ["209.85.152.0/22", "209.85.204.0/22"] : [])
+
+  target_tags = ["${var.cluster_id}-master"]
 }
 
 resource "google_compute_firewall" "etcd" {
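Review bot: The new comment above `source_ranges` describes all four CIDRs only as "public load balancer ips", so a later maintainer cannot tell why the first pair stays unconditional while the second pair is gated on `var.public_endpoints`, and may widen the rule again when debugging a failed health check. I would replace it with a comment that names each group and its origin, e.g. `# 35.191.0.0/16 and 130.211.0.0/22: always-required probe ranges (see GCP health-check docs); 209.85.152.0/22 and 209.85.204.0/22: only needed when public endpoints are enabled`, citing the Google documentation the values were copied from so the ingress allow-list can be audited against it. The conditional also assumes `var.public_endpoints` is declared with `type = bool`; its declaration is outside this hunk, so confirm it, since an untyped string value would be silently coerced and the narrowing intent is harder to review. The extra blank `+` line between `source_ranges` and `target_tags` looks like a stray whitespace change rather than part of the fix and could be dropped. The enclosing `health_checks` resource block starts before the hunk.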