🐛 fix(security_groups): Adds census private networks to sgs so kubect…

…l works with only private access

README.md

@@ -104,7 +104,7 @@ efs-csi-controller    0         5m
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.16.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.27.0 |
 | <a name="provider_null"></a> [null](#provider\_null) | 3.2.4 |
 | <a name="provider_terraform"></a> [terraform](#provider\_terraform) | n/a |
 
@@ -113,7 +113,7 @@ efs-csi-controller    0         5m
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_cloudwatch_observability_irsa_role"></a> [cloudwatch\_observability\_irsa\_role](#module\_cloudwatch\_observability\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a |
-| <a name="module_cluster"></a> [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/ | v21.6.1 |
+| <a name="module_cluster"></a> [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/ | v21.11.0 |
 | <a name="module_ebs_csi_irsa_role"></a> [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_efs_csi_irsa_role"></a> [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_vpc_cni_irsa_role"></a> [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a |
@@ -129,14 +129,14 @@ efs-csi-controller    0         5m
 | [aws_security_group_rule.allow_sidecar_injection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_vpc_security_group_egress_rule.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |
 | [aws_vpc_security_group_ingress_rule.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
-| [aws_vpc_security_group_ingress_rule.additional_ingress_rules_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [null_resource.git_version](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [terraform_data.subnet_validation](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
 | [aws_iam_roles.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_iam_roles.sso_admins](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
+| [aws_iam_roles.sso_devs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_iam_roles.sso_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_iam_session_context.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_session_context) | data source |
 | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
@@ -151,8 +151,6 @@ efs-csi-controller    0         5m
 | <a name="input_access_entries"></a> [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster | `any` | `{}` | no |
 | <a name="input_census_private_cidr"></a> [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` | <pre>[<br/>  "148.129.0.0/16",<br/>  "172.16.0.0/12",<br/>  "192.168.0.0/16",<br/>  "10.0.0.0/16"<br/>]</pre> | no |
 | <a name="input_cloudwatch_retention_days"></a> [cloudwatch\_retention\_days](#input\_cloudwatch\_retention\_days) | number of days to retain logs in cloudwatch | `string` | `"14"` | no |
-| <a name="input_cluster_endpoint_private_access"></a> [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Whether the EKS cluster API server endpoint is privately accessible | `bool` | `true` | no |
-| <a name="input_cluster_endpoint_public_access"></a> [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether the EKS cluster API server endpoint is publicly accessible | `bool` | `false` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes |
 | <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | Kubernetes version to use for the EKS cluster | `string` | n/a | yes |
 | <a name="input_eks_instance_disk_size"></a> [eks\_instance\_disk\_size](#input\_eks\_instance\_disk\_size) | Size of the EKS node disk in GB | `number` | `80` | no |

access-entries.tf

@@ -10,6 +10,11 @@ data "aws_iam_roles" "sso_admins" {
   path_prefix = "/aws-reserved/sso.amazonaws.com/"
 }
 
+data "aws_iam_roles" "sso_devs" {
+  name_regex  = "AWSReservedSSO_sc-developer"
+  path_prefix = "/aws-reserved/sso.amazonaws.com/"
+}
+
 data "aws_iam_roles" "roles" {
   name_regex = "r-inf-terraform(-eks)"
 }
@@ -38,7 +43,7 @@ locals {
     }
   }
   viewers = {
-    for arn in tolist(data.aws_iam_roles.sso_read.arns) :
+    for arn in concat(tolist(data.aws_iam_roles.sso_read.arns), tolist(data.aws_iam_roles.sso_devs.arns)) :
     arn => {
       principal_arn     = arn
       kubernetes_groups = ["eks-console-dashboard-restricted-access-group"]

additional-sg-rules.tf

@@ -17,14 +17,15 @@ locals {
       to_port                       = 9443
       type                          = "ingress"
     }
-    ingress_metrics_server = {
-      description                   = "Metrics server"
-      from_port                     = 10251
-      protocol                      = "tcp"
-      source_cluster_security_group = true
-      to_port                       = 10251
-      type                          = "ingress"
-    }
+    # no longer required as of k8s v1.34+
+    # ingress_metrics_server = {
+    #   description                   = "Metrics server"
+    #   from_port                     = 10251
+    #   protocol                      = "tcp"
+    #   source_cluster_security_group = true
+    #   to_port                       = 10251
+    #   type                          = "ingress"
+    # }
     ingress_cert_manager_webhook = {
       description                   = "cert-manager webhook"
       from_port                     = 10260
@@ -34,4 +35,34 @@ locals {
       type                          = "ingress"
     }
   }
+  cluster_security_group_additional_rules = {
+    api_internal_148_129 = {
+      cidr_blocks = ["148.129.0.0/16"]
+      from_port   = 443
+      to_port     = 443
+      ip_protocol = "tcp"
+      description = "Census Internal 148.129/16"
+    },
+    api_internal_192_168 = {
+      cidr_blocks = ["192.168.0.0/16"]
+      from_port   = 443
+      to_port     = 443
+      ip_protocol = "tcp"
+      description = "Census Internal 192.168/16"
+    },
+    api_internal_172_16 = {
+      cidr_blocks = ["172.16.0.0/12"]
+      from_port   = 443
+      to_port     = 443
+      ip_protocol = "tcp"
+      description = "Census Internal 172.16/12"
+    },
+    api_internal_10_0 = {
+      cidr_blocks = ["10.0.0.0/8"]
+      from_port   = 443
+      to_port     = 443
+      ip_protocol = "tcp"
+      description = "Census Internal 10/8"
+    }
+  }
 }

main.tf

@@ -19,12 +19,12 @@ resource "terraform_data" "subnet_validation" {
 }
 
 module "cluster" {
-  source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/?ref=v21.6.1"
+  source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/?ref=v21.11.0"
 
   access_entries                           = local.access_entries
   cloudwatch_log_group_retention_in_days   = var.cloudwatch_retention_days
-  endpoint_private_access                  = var.cluster_endpoint_private_access
-  endpoint_public_access                   = var.cluster_endpoint_public_access
+  endpoint_private_access                  = true
+  endpoint_public_access                   = false
   name                                     = var.cluster_name
   upgrade_policy                           = { support_type = "STANDARD" }
   kubernetes_version                       = var.cluster_version
@@ -90,6 +90,8 @@ module "cluster" {
 
   node_security_group_additional_rules = local.node_security_group_additional_rules
 
+  security_group_additional_rules = local.cluster_security_group_additional_rules
+
   eks_managed_node_groups = {
     karpenter_controllers = {
       name          = local.ng_name

securitygroup.ports.tf

@@ -84,21 +84,6 @@ locals {
     }
   ]
 
-  sg_additional_ports_2 = [
-    {
-      component   = "istio"
-      description = "XDS and CA services (TLS and mTLS)"
-      from_port   = 15012
-      to_port     = 15012
-    },
-    {
-      component   = "istio"
-      description = "Webhook container port, forwarded from 443"
-      from_port   = 15017
-      to_port     = 15017
-    }
-  ]
-
   sg_additional_ingress_rules = {
     for ikey, ivalue in local.sg_additional_ports :
     "${ikey}_ingress" => {
@@ -122,18 +107,6 @@ locals {
       self        = true
     }
   }
-
-  sg_additional_ingress_rules_2 = {
-    for ikey, ivalue in local.sg_additional_ports_2 :
-    "${ikey}_ingress" => {
-      description = ivalue.description
-      protocol    = "tcp"
-      from_port   = ivalue.from_port
-      to_port     = ivalue.to_port
-      type        = "ingress"
-      self        = true
-    }
-  }
 }
 
 resource "aws_vpc_security_group_ingress_rule" "additional" {
@@ -158,13 +131,13 @@ resource "aws_vpc_security_group_egress_rule" "additional" {
   referenced_security_group_id = each.value.self ? aws_security_group.additional_eks_cluster_sg.id : null
 }
 
-resource "aws_vpc_security_group_ingress_rule" "additional_ingress_rules_2" {
-  for_each          = { for k, v in local.sg_additional_ingress_rules_2 : v.from_port => v }
-  security_group_id = aws_security_group.extra_cluster_sg.id
+# resource "aws_vpc_security_group_ingress_rule" "additional_ingress_rules_2" {
+#   for_each          = { for k, v in local.sg_additional_ingress_rules_2 : v.from_port => v }
+#   security_group_id = aws_security_group.extra_cluster_sg.id
 
-  description                  = each.value.description
-  from_port                    = each.value.from_port
-  to_port                      = each.value.to_port
-  ip_protocol                  = each.value.protocol
-  referenced_security_group_id = aws_security_group.additional_eks_cluster_sg.id
-}
+#   description                  = each.value.description
+#   from_port                    = each.value.from_port
+#   to_port                      = each.value.to_port
+#   ip_protocol                  = each.value.protocol
+#   referenced_security_group_id = aws_security_group.additional_eks_cluster_sg.id
+# }

variables.tf

@@ -16,18 +16,6 @@ variable "cluster_version" {
   }
 }
 
-variable "cluster_endpoint_private_access" {
-  description = "Whether the EKS cluster API server endpoint is privately accessible"
-  type        = bool
-  default     = true
-}
-
-variable "cluster_endpoint_public_access" {
-  description = "Whether the EKS cluster API server endpoint is publicly accessible"
-  type        = bool
-  default     = false
-}
-
 variable "enable_cluster_creator_admin_permissions" {
   description = "Grant admin permissions to the cluster creator"
   type        = bool