From 01cbbc57b23bf203179b8c190ead71e3449e941a Mon Sep 17 00:00:00 2001
From: Bryan Barajas
Date: Fri, 13 Dec 2024 01:44:17 +0000
Subject: [PATCH] FIX - AWS Kubernetes module - allow connections to the api from the creation host

- root variable "disable_eks_public_access" added as a workaround flag to refresh the public access list
- disable public access when not in use and rely on bastion hosts for long-term access since private access is always enabled
---
 .../data/templates/aws/kubernetes.tf.j2       |  4 +++
 .../terraform/aws/modules/kubernetes/main.tf  |  5 +++
 .../aws/modules/kubernetes/variables.tf       | 36 +++++++++++++++++++
 .../aws/modules/specification/variables.tf    |  1 +
 edbterraform/data/terraform/common_vars.tf    | 13 +++++++
 5 files changed, 59 insertions(+)

diff --git a/edbterraform/data/templates/aws/kubernetes.tf.j2 b/edbterraform/data/templates/aws/kubernetes.tf.j2
index db02a3c4..2f267be7 100644
--- a/edbterraform/data/templates/aws/kubernetes.tf.j2
+++ b/edbterraform/data/templates/aws/kubernetes.tf.j2
@@ -11,6 +11,10 @@ module "kubernetes_{{ region_ }}" {
   name_id = module.spec.hex_id
   tags = each.value.spec.tags
 
+  runtime_service_cidrblocks = local.kubernetes_service_cidrblocks
+  config_service_cidrblocks = each.value.spec.service_cidrblocks
+  disable_public_access = var.disable_eks_public_access
+
   providers = {
     aws = aws.{{ region_ }}
   }
diff --git a/edbterraform/data/terraform/aws/modules/kubernetes/main.tf b/edbterraform/data/terraform/aws/modules/kubernetes/main.tf
index 0c701f83..7361df63 100644
--- a/edbterraform/data/terraform/aws/modules/kubernetes/main.tf
+++ b/edbterraform/data/terraform/aws/modules/kubernetes/main.tf
@@ -46,6 +46,11 @@ module "eks" {
     }
   }
 
+  enable_cluster_creator_admin_permissions = true
+  cluster_endpoint_private_access = true
+  cluster_endpoint_public_access = local.public_access
+  cluster_endpoint_public_access_cidrs = local.public_access_cidrs
+
   tags = var.tags
 }
 
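Review bot: `disable_public_access = var.disable_eks_public_access` wires a single root-level flag into every `module "kubernetes_{{ region_ }}"` instance, so following the documented workaround to refresh the CIDR list of one cluster switches public endpoint access off and back on for every cluster in every region at the same time. That widens the blast radius of a routine change and can drop other operators' sessions on clusters that were not being touched. If `each.value.spec` is one cluster's spec, as the use of `each.value.spec.service_cidrblocks` suggests, a per-cluster override next to the new `service_cidrblocks` field would keep the root flag as the global switch: add `disable_public_access = optional(bool, false)` to the spec object and pass `disable_public_access = var.disable_eks_public_access || each.value.spec.disable_public_access` here.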
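Review bot: `enable_cluster_creator_admin_permissions = true` is hard-coded in main.tf rather than exposed through the module's variables, so the principal that runs terraform is granted cluster-admin on every cluster it creates with no way to opt out, whereas the network exposure in the same hunk is configurable. That is a sensible bootstrap default, but it belongs in a module variable with `default = true` for compatibility and a description that names which identity receives admin, so a deployment driven by a shared CI role can turn it off once an explicit admin identity exists. I would also add a short comment above `cluster_endpoint_public_access_cidrs = local.public_access_cidrs` noting that the value is null whenever public access is off, since a reader of main.tf alone cannot see that coupling; `module "eks"` continues outside the hunk.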
diff --git a/edbterraform/data/terraform/aws/modules/kubernetes/variables.tf b/edbterraform/data/terraform/aws/modules/kubernetes/variables.tf
index d266eafb..358b9a0b 100644
--- a/edbterraform/data/terraform/aws/modules/kubernetes/variables.tf
+++ b/edbterraform/data/terraform/aws/modules/kubernetes/variables.tf
@@ -18,6 +18,42 @@ locals {
   vpc_name = format("eks-%s", local.name)
 }
 
+variable "runtime_service_cidrblocks" {
+  description = "CIDRs to allow access to the kubernetes api from a public network. Private networking (reused vpc, peered vpc, private endpoints) access enabled by default"
+  type = list(string)
+  default = []
+  nullable = false
+}
+
+variable "config_service_cidrblocks" {
+  description = "CIDRs to allow access to the kubernetes api from a public network. Private networking (reused vpc, peered vpc, private endpoints) access enabled by default"
+  type = list(string)
+  default = []
+  nullable = false
+}
+
+variable "disable_public_access" {
+  description = "Disable public access to the kubernetes api. Required to force refresh of the public access cidrs for eks"
+  type = bool
+  default = false
+  nullable = false
+}
+
+locals {
+  # If the service_cidrblocks list is an empty list then disable public access to the kubernetes api.
+  # This ensures that the kubernetes api is not accidentally exposed to all of the internet and forces the use of a bastion host.
+  # This also works as a workaround for the bug in the aws_eks_cluster resource which does not allow for the public_access_cidrs to be updated.
+  # Error:
+  # | module.kubernetes_us_west_2["mydb2"].module.eks.aws_eks_cluster.this[0]: Modifying... [id=mydb2-2f7a3a82]
+  # | Error: updating EKS Cluster (mydb2-2f7a3a82) VPC configuration: operation error EKS: UpdateClusterConfig, https response error StatusCode: 400, RequestID: 9ec38b4f-3a0f-4b44-9e4c-a58c84dea2a8, InvalidParameterException: Cluster is already at the desired configuration with endpointPrivateAccess: true , endpointPublicAccess: true, and Public Endpoint Restrictions: [0.0.0.0/0]
+  # Workaround:
+  # - disable public access by setting an empty access list or set disable_public_access to 'true' and 'terraform apply'
+  # - re-enable public access by adding the new access list and set disable_public_access to 'false' and 'terraform apply'
+  service_cidrblocks = setunion(var.runtime_service_cidrblocks, var.config_service_cidrblocks)
+  public_access = var.disable_public_access || (local.service_cidrblocks) == 0 ? false : true
+  public_access_cidrs = local.public_access ? local.service_cidrblocks : null
+}
+
 variable "clusterVersion" {
   default = "1.24"
 }
diff --git a/edbterraform/data/terraform/aws/modules/specification/variables.tf b/edbterraform/data/terraform/aws/modules/specification/variables.tf
index dd87047e..c26d758e 100644
--- a/edbterraform/data/terraform/aws/modules/specification/variables.tf
+++ b/edbterraform/data/terraform/aws/modules/specification/variables.tf
@@ -209,6 +209,7 @@ variable "spec" {
       node_count = number
       instance_type = string
       tags = optional(map(string), {})
+      service_cidrblocks = optional(list(string), [])
     })), {})
   })
 }
diff --git a/edbterraform/data/terraform/common_vars.tf b/edbterraform/data/terraform/common_vars.tf
index 9d96530c..298929da 100644
--- a/edbterraform/data/terraform/common_vars.tf
+++ b/edbterraform/data/terraform/common_vars.tf
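Review bot: The empty-list guard in `public_access = var.disable_public_access || (local.service_cidrblocks) == 0 ? false : true` never fires: `local.service_cidrblocks` is the set produced by `setunion`, and comparing a set to the number 0 is simply false in Terraform, so the only thing that can turn public access off is the explicit flag. The fail-safe the comment above promises ("If the service_cidrblocks list is an empty list then disable public access") therefore does not exist; with no CIDRs configured the cluster is still created with public access enabled and `public_access_cidrs` set to an empty set, and what the endpoint then allows is decided by the AWS/upstream defaults rather than by this code. The intended logic is `public_access = !var.disable_public_access && length(local.service_cidrblocks) > 0`. Separately, `runtime_service_cidrblocks` and `config_service_cidrblocks` carry identical descriptions; saying that the former is the allow-list the root module computes at run time (creation host) and the latter the per-cluster list from the spec would make the union easier to reason about.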
@@ -84,6 +84,18 @@ variable "force_service_biganimal" {
   default = true
 }
 
+variable "force_service_kubernetes" {
+  description = "Force the use of service_cidrblocks for public access of the kubernetes api instead of private networking and a bastion host"
+  type = bool
+  default = true
+}
+
+variable "disable_eks_public_access" {
+  description = "Temporarily disable eks public access to allow refreshing of the public_access_cidrs"
+  type = bool
+  default = false
+}
+
 variable "dynamic_service_ip_mask" {
   type = number
   default = 32
@@ -121,4 +133,5 @@ locals {
   ] : []
   service_cidrblocks = concat(var.service_cidrblocks, local.dynamic_ip)
   biganimal_service_cidrblocks = var.force_service_biganimal ? local.service_cidrblocks : []
+  kubernetes_service_cidrblocks = var.force_service_kubernetes ? local.service_cidrblocks : []
 }
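Review bot: `force_service_kubernetes` defaults to `true`, so a deployment that sets nothing gets the kubernetes api publicly reachable from `local.service_cidrblocks` (the configured CIDRs plus the dynamic creator ip, per the second hunk), which makes public exposure opt-out even though the commit message describes bastion-host access as the long-term posture. Whether the default should flip is a product decision, but the description should state plainly what a true value does, e.g. `description = "Expose the kubernetes api publicly to service_cidrblocks (the creation host and any configured CIDRs). Set to false to rely only on private networking and a bastion host"`. The `disable_eks_public_access` description should likewise spell out the two-apply sequence (set true, apply, set false, apply) that the module's locals comment documents, since someone editing root variables will not see that comment.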