if in lab allow kubectl to communicate with cluster (#49)

SCT-Engineering · Mar 26, 2026 · 4c4b786 · 4c4b786
1 parent f42f222
commit 4c4b786
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/main.tf b/main.tf
@@ -5,6 +5,12 @@ locals {
   subnets             = [for k, v in data.aws_subnet.subnets : v.id if length(regexall("us-east-1e", v.availability_zone)) == 0]
   vpc_cidr_block      = data.aws_vpc.eks_vpc.cidr_block
   vpc_id              = data.aws_vpc.eks_vpc.id
+  endpoint_access     = length(regexall("lab", var.cluster_name)) > 0 ? true : false
+  disallowed_public_endpoint_cidrs = toset([
+    "10.0.0.0/16",
+    "172.16.0.0/12",
+  "192.168.0.0/16"])
+  filtered_endpoint_public_access_cidrs = distinct([for cidr in var.census_private_cidr : cidr if ! contains(local.disallowed_public_endpoint_cidrs, lower(trimspace(cidr)))])
 }
 
 resource "terraform_data" "subnet_validation" {
@@ -24,7 +30,8 @@ module "cluster" {
   access_entries                           = local.access_entries
   cloudwatch_log_group_retention_in_days   = var.cloudwatch_retention_days
   endpoint_private_access                  = true
-  endpoint_public_access                   = false
+  endpoint_public_access                   = local.endpoint_access
+  endpoint_public_access_cidrs             = local.endpoint_access ? local.filtered_endpoint_public_access_cidrs : null
   name                                     = var.cluster_name
   upgrade_policy                           = { support_type = "STANDARD" }
   kubernetes_version                       = var.cluster_version