FIX - AWS Kubernetes module - allow connections to the api from the c…

…reation host - root variable "disable_eks_public_access" added as a workaround flag to refresh the public access list - disable public access when not in use and rely on bastion hosts for long-term access since private access is always enabled
EnterpriseDB · Dec 13, 2024 · 01cbbc5 · 01cbbc5
1 parent 4631f5a
commit 01cbbc5
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 0 deletions.
diff --git a/edbterraform/data/templates/aws/kubernetes.tf.j2 b/edbterraform/data/templates/aws/kubernetes.tf.j2
@@ -11,6 +11,10 @@ module "kubernetes_{{ region_ }}" {
   name_id                 = module.spec.hex_id
   tags                    = each.value.spec.tags
 
+  runtime_service_cidrblocks = local.kubernetes_service_cidrblocks
+  config_service_cidrblocks  = each.value.spec.service_cidrblocks
+  disable_public_access      = var.disable_eks_public_access
+
   providers = {
     aws = aws.{{ region_ }}
   }

diff --git a/edbterraform/data/terraform/aws/modules/kubernetes/main.tf b/edbterraform/data/terraform/aws/modules/kubernetes/main.tf
@@ -46,6 +46,11 @@ module "eks" {
     }
   }
 
+  enable_cluster_creator_admin_permissions = true
+  cluster_endpoint_private_access = true
+  cluster_endpoint_public_access = local.public_access
+  cluster_endpoint_public_access_cidrs = local.public_access_cidrs
+
   tags = var.tags
 }
 

diff --git a/edbterraform/data/terraform/aws/modules/kubernetes/variables.tf b/edbterraform/data/terraform/aws/modules/kubernetes/variables.tf
@@ -18,6 +18,42 @@ locals {
   vpc_name = format("eks-%s", local.name)
 }
 
+variable "runtime_service_cidrblocks" {
+  description = "CIDRs to allow access to the kubernetes api from a public network. Private networking (reused vpc, peered vpc, private endpoints) access enabled by default"
+  type = list(string)
+  default = []
+  nullable = false
+}
+
+variable "config_service_cidrblocks" {
+  description = "CIDRs to allow access to the kubernetes api from a public network. Private networking (reused vpc, peered vpc, private endpoints) access enabled by default"
+  type = list(string)
+  default = []
+  nullable = false
+}
+
+variable "disable_public_access" {
+  description = "Disable public access to the kubernetes api. Required to force refresh of the public access cidrs for eks"
+  type = bool
+  default = false
+  nullable = false
+}
+
+locals {
+  # If the service_cidrblocks list is an empty list then disable public access to the kubernetes api.
+  # This ensures that the kubernetes api is not accidentally exposed to all of the internet and forces the use of a bastion host.
+  # This also works as a workaround for the bug in the aws_eks_cluster resource which does not allow for the public_access_cidrs to be updated.
+  # Error:
+  # | module.kubernetes_us_west_2["mydb2"].module.eks.aws_eks_cluster.this[0]: Modifying... [id=mydb2-2f7a3a82]
+  # | Error: updating EKS Cluster (mydb2-2f7a3a82) VPC configuration: operation error EKS: UpdateClusterConfig, https response error StatusCode: 400, RequestID: 9ec38b4f-3a0f-4b44-9e4c-a58c84dea2a8, InvalidParameterException: Cluster is already at the desired configuration with endpointPrivateAccess: true , endpointPublicAccess: true, and Public Endpoint Restrictions: [0.0.0.0/0]
+  # Workaround:
+  # - disable public access by setting an empty access list or set disable_public_access to 'true' and 'terraform apply'
+  # - re-enable public access by adding the new access list and set disable_public_access to 'false' and 'terraform apply'
+  service_cidrblocks = setunion(var.runtime_service_cidrblocks, var.config_service_cidrblocks)
+  public_access = var.disable_public_access || (local.service_cidrblocks) == 0 ? false : true
+  public_access_cidrs = local.public_access ? local.service_cidrblocks : null
+}
+
 variable "clusterVersion" {
   default = "1.24"
 }

diff --git a/edbterraform/data/terraform/aws/modules/specification/variables.tf b/edbterraform/data/terraform/aws/modules/specification/variables.tf
@@ -209,6 +209,7 @@ variable "spec" {
       node_count    = number
       instance_type = string
       tags          = optional(map(string), {})
+      service_cidrblocks = optional(list(string), [])
     })), {})
   })
 }

diff --git a/edbterraform/data/terraform/common_vars.tf b/edbterraform/data/terraform/common_vars.tf
@@ -84,6 +84,18 @@ variable "force_service_biganimal" {
   default = true
 }
 
+variable "force_service_kubernetes" {
+  description = "Force the use of service_cidrblocks for public access of the kubernetes api instead of private networking and a bastion host"
+  type = bool
+  default = true
+}
+
+variable "disable_eks_public_access" {
+  description = "Temporarily disable eks public access to allow refreshing of the public_access_cidrs"
+  type = bool
+  default = false
+}
+
 variable "dynamic_service_ip_mask" {
   type = number
   default = 32
@@ -121,4 +133,5 @@ locals {
   ] : []
   service_cidrblocks = concat(var.service_cidrblocks, local.dynamic_ip)
   biganimal_service_cidrblocks = var.force_service_biganimal ? local.service_cidrblocks : []
+  kubernetes_service_cidrblocks = var.force_service_kubernetes ? local.service_cidrblocks : []
 }