From 48bc398f48e2eecff430c5034766c7004e8658f5 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Thu, 26 Mar 2026 17:53:26 -0400
Subject: [PATCH] if in lab allow kubectl to communicate with cluster

---
 main.tf | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 47e6391..63bff73 100644
--- a/main.tf
+++ b/main.tf
@@ -5,6 +5,12 @@ locals {
 subnets = [for k, v in data.aws_subnet.subnets : v.id if length(regexall("us-east-1e", v.availability_zone)) == 0]
 vpc_cidr_block = data.aws_vpc.eks_vpc.cidr_block
 vpc_id = data.aws_vpc.eks_vpc.id
+ endpoint_access = length(regexall("lab", var.cluster_name)) > 0 ? true : false
+ disallowed_public_endpoint_cidrs = toset([
+ "10.0.0.0/16",
+ "172.16.0.0/12",
+ "192.168.0.0/16"])
+ filtered_endpoint_public_access_cidrs = distinct([for cidr in var.census_private_cidr : cidr if ! contains(local.disallowed_public_endpoint_cidrs, lower(trimspace(cidr)))])
 }
 
 resource "terraform_data" "subnet_validation" {
@@ -24,7 +30,8 @@ module "cluster" {
 access_entries = local.access_entries
 cloudwatch_log_group_retention_in_days = var.cloudwatch_retention_days
 endpoint_private_access = true
- endpoint_public_access = false
+ endpoint_public_access = local.endpoint_access
+ endpoint_public_access_cidrs = local.endpoint_access ? local.filtered_endpoint_public_access_cidrs : null
 name = var.cluster_name
 upgrade_policy = { support_type = "STANDARD" }
 kubernetes_version = var.cluster_version
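Review bot: The lab detection on the new `endpoint_access` line is a bare substring match, so any cluster name that merely contains "lab" (for example one containing "scalable" or "collab") would switch on the public API endpoint; anchor the match to the naming convention, e.g. `endpoint_access = can(regex("(^|-)lab(-|$)", var.cluster_name))`, or drive it from an explicit boolean variable (the trailing `? true : false` is also redundant, since the comparison already yields a bool). The `filtered_endpoint_public_access_cidrs` filter only drops exact string matches of three literals, not CIDRs contained in them, so `10.1.0.0/24`, the rest of `10.0.0.0/8`, or `0.0.0.0/0` would pass straight into `endpoint_public_access_cidrs` in the second hunk; at minimum reject `0.0.0.0/0` explicitly and document the limitation with a comment such as `# exact-match only; does not catch sub-ranges of the disallowed blocks`. If every entry is filtered out, the cluster receives an empty allowlist — confirm how the module and the EKS API treat `[]` rather than assuming it closes the endpoint. Both the `locals` block and the `module "cluster"` block continue outside their hunks.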