diff --git a/README.md b/README.md
index c72b8fa..70396bf 100644
--- a/README.md
+++ b/README.md
@@ -104,7 +104,7 @@ efs-csi-controller 0 5m
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | 6.16.0 |
+| [aws](#provider\_aws) | 6.27.0 |
 | [null](#provider\_null) | 3.2.4 |
 | [terraform](#provider\_terraform) | n/a |
@@ -113,7 +113,7 @@ efs-csi-controller 0 5m
 | Name | Source | Version |
 |------|--------|---------|
 | [cloudwatch\_observability\_irsa\_role](#module\_cloudwatch\_observability\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a |
-| [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/ | v21.6.1 |
+| [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/ | v21.11.0 |
 | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a |
 | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a |
 | [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a |
@@ -129,7 +129,6 @@ efs-csi-controller 0 5m
 | [aws_security_group_rule.allow_sidecar_injection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_vpc_security_group_egress_rule.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |
 | [aws_vpc_security_group_ingress_rule.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
-| [aws_vpc_security_group_ingress_rule.additional_ingress_rules_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [null_resource.git_version](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [terraform_data.subnet_validation](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
@@ -137,6 +136,7 @@ efs-csi-controller 0 5m
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
 | [aws_iam_roles.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_iam_roles.sso_admins](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
+| [aws_iam_roles.sso_devs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_iam_roles.sso_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source |
 | [aws_iam_session_context.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_session_context) | data source |
 | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
@@ -151,8 +151,6 @@ efs-csi-controller 0 5m
 | [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster | `any` | `{}` | no |
 | [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` |
[| no |
 | [cloudwatch\_retention\_days](#input\_cloudwatch\_retention\_days) | number of days to retain logs in cloudwatch | `string` | `"14"` | no |
-| [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Whether the EKS cluster API server endpoint is privately accessible | `bool` | `true` | no |
-| [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether the EKS cluster API server endpoint is publicly accessible | `bool` | `false` | no |
 | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes |
 | [cluster\_version](#input\_cluster\_version) | Kubernetes version to use for the EKS cluster | `string` | n/a | yes |
 | [eks\_instance\_disk\_size](#input\_eks\_instance\_disk\_size) | Size of the EKS node disk in GB | `number` | `80` | no |
diff --git a/access-entries.tf b/access-entries.tf
index d206d07..5f9c6ea 100644
--- a/access-entries.tf
+++ b/access-entries.tf
@@ -10,6 +10,11 @@ data "aws_iam_roles" "sso_admins" {
 path_prefix = "/aws-reserved/sso.amazonaws.com/"
 }
+data "aws_iam_roles" "sso_devs" {
+ name_regex = "AWSReservedSSO_sc-developer"
+ path_prefix = "/aws-reserved/sso.amazonaws.com/"
+}
+
 data "aws_iam_roles" "roles" {
 name_regex = "r-inf-terraform(-eks)"
 }
@@ -38,7 +43,7 @@ locals {
 }
 }
 viewers = {
- for arn in tolist(data.aws_iam_roles.sso_read.arns) :
+ for arn in concat(tolist(data.aws_iam_roles.sso_read.arns), tolist(data.aws_iam_roles.sso_devs.arns)) :
 arn => {
 principal_arn = arn
 kubernetes_groups = ["eks-console-dashboard-restricted-access-group"]
diff --git a/additional-sg-rules.tf b/additional-sg-rules.tf
index f4f5908..f2b3c77 100644
--- a/additional-sg-rules.tf
+++ b/additional-sg-rules.tf
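Review bot: `name_regex = "AWSReservedSSO_sc-developer"` in the new `sso_devs` data source is unanchored, so it matches any SSO-reserved role whose name merely contains that string — a later permission set named, say, `sc-developer-admin` would be picked up and mapped into the viewers access entries as well. Assuming the permission set itself is named `sc-developer`, anchoring the pattern to the generated role-name format, `name_regex = "^AWSReservedSSO_sc-developer_"`, keeps the match to the intended role. The `path_prefix` filter only restricts the search to SSO-reserved roles; it does not narrow the name match.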
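Review bot: The `for arn in concat(...)` comprehension keys the `viewers` map by ARN, so any role returned by both `sso_read` and `sso_devs` would yield a duplicate key and fail the plan with a "Duplicate object key" error instead of being de-duplicated; the `sso_read` regex is outside this hunk, so the overlap cannot be ruled out from here. Wrapping the list, `for arn in distinct(concat(tolist(data.aws_iam_roles.sso_read.arns), tolist(data.aws_iam_roles.sso_devs.arns))) :`, makes any overlap harmless. The `viewers` local starts before this hunk and its body continues past it.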
@@ -17,14 +17,15 @@ locals {
 to_port = 9443
 type = "ingress"
 }
- ingress_metrics_server = {
- description = "Metrics server"
- from_port = 10251
- protocol = "tcp"
- source_cluster_security_group = true
- to_port = 10251
- type = "ingress"
- }
+ # no longer required as of k8s v1.34+
+ # ingress_metrics_server = {
+ # description = "Metrics server"
+ # from_port = 10251
+ # protocol = "tcp"
+ # source_cluster_security_group = true
+ # to_port = 10251
+ # type = "ingress"
+ # }
 ingress_cert_manager_webhook = {
 description = "cert-manager webhook"
 from_port = 10260
@@ -34,4 +35,34 @@ locals {
 type = "ingress"
 }
 }
+ cluster_security_group_additional_rules = {
+ api_internal_148_129 = {
+ cidr_blocks = ["148.129.0.0/16"]
+ from_port = 443
+ to_port = 443
+ ip_protocol = "tcp"
+ description = "Census Internal 148.129/16"
+ },
+ api_internal_192_168 = {
+ cidr_blocks = ["192.168.0.0/16"]
+ from_port = 443
+ to_port = 443
+ ip_protocol = "tcp"
+ description = "Census Internal 192.168/16"
+ },
+ api_internal_172_16 = {
+ cidr_blocks = ["172.16.0.0/12"]
+ from_port = 443
+ to_port = 443
+ ip_protocol = "tcp"
+ description = "Census Internal 172.16/12"
+ },
+ api_internal_10_0 = {
+ cidr_blocks = ["10.0.0.0/8"]
+ from_port = 443
+ to_port = 443
+ ip_protocol = "tcp"
+ description = "Census Internal 10/8"
+ }
+ }
 }
diff --git a/main.tf b/main.tf
index 414c421..9c127fc 100644
--- a/main.tf
+++ b/main.tf
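Review bot: The `ingress_metrics_server` rule is commented out rather than deleted, and the `additional_ingress_rules_2` resource in securitygroup.ports.tf gets the same treatment; git history already preserves both blocks, so removing them and keeping only the one-line note reads cleaner and avoids dead HCL that drifts from the live schema. The note `# no longer required as of k8s v1.34+` also states a version floor that nothing enforces: `kubernetes_version` is fed from `var.cluster_version` in main.tf, so a consumer still on an older release silently loses the rule. If every cluster is already at 1.34 or newer, a `validation` block on `cluster_version` would make that floor explicit; otherwise keep the rule and gate it on the version. The enclosing `locals` block begins before this hunk.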
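Review bot: The new `cluster_security_group_additional_rules` objects mix schemas — `ip_protocol` is the `aws_vpc_security_group_ingress_rule` attribute name that the v21 module's `security_group_additional_rules` uses, but that schema takes a single `cidr_ipv4` string, not a `cidr_blocks` list; unless the Census fork of terraform-aws-eks still accepts `cidr_blocks`, these rules are either rejected at plan time or created without the intended source, so check the pinned module's variables.tf before merging. The four ranges also duplicate `var.census_private_cidr`, and the README fragment of that variable's default lists `10.0.0.0/16` where this block opens `10.0.0.0/8` — a much wider source for API port 443 on the cluster security group, which may or may not be intended. Deriving the rules from the variable keeps one source of truth and makes the /8 an explicit choice in the variable's value rather than a hard-coded literal.
```hcl
  cluster_security_group_additional_rules = {
    for cidr in var.census_private_cidr :
    "api_internal_${replace(cidr, "/[./]/", "_")}" => {
      cidr_ipv4   = cidr
      from_port   = 443
      to_port     = 443
      ip_protocol = "tcp"
      description = "Census Internal ${cidr}"
    }
  }
```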
@@ -19,12 +19,12 @@ resource "terraform_data" "subnet_validation" {
 }
 module "cluster" {
- source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/?ref=v21.6.1"
+ source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/?ref=v21.11.0"
 access_entries = local.access_entries
 cloudwatch_log_group_retention_in_days = var.cloudwatch_retention_days
- endpoint_private_access = var.cluster_endpoint_private_access
- endpoint_public_access = var.cluster_endpoint_public_access
+ endpoint_private_access = true
+ endpoint_public_access = false
 name = var.cluster_name
 upgrade_policy = { support_type = "STANDARD" }
 kubernetes_version = var.cluster_version
@@ -90,6 +90,8 @@ module "cluster" {
 node_security_group_additional_rules = local.node_security_group_additional_rules
+ security_group_additional_rules = local.cluster_security_group_additional_rules
+
 eks_managed_node_groups = {
 karpenter_controllers = {
 name = local.ng_name
diff --git a/securitygroup.ports.tf b/securitygroup.ports.tf
index a366d18..288178a 100644
--- a/securitygroup.ports.tf
+++ b/securitygroup.ports.tf
@@ -84,21 +84,6 @@ locals {
 }
 ]
- sg_additional_ports_2 = [
- {
- component = "istio"
- description = "XDS and CA services (TLS and mTLS)"
- from_port = 15012
- to_port = 15012
- },
- {
- component = "istio"
- description = "Webhook container port, forwarded from 443"
- from_port = 15017
- to_port = 15017
- }
- ]
-
 sg_additional_ingress_rules = {
 for ikey, ivalue in local.sg_additional_ports :
 "${ikey}_ingress" => {
@@ -122,18 +107,6 @@ locals {
 self = true
 }
 }
-
- sg_additional_ingress_rules_2 = {
- for ikey, ivalue in local.sg_additional_ports_2 :
- "${ikey}_ingress" => {
- description = ivalue.description
- protocol = "tcp"
- from_port = ivalue.from_port
- to_port = ivalue.to_port
- type = "ingress"
- self = true
- }
- }
 }
 resource "aws_vpc_security_group_ingress_rule" "additional" {
@@ -158,13 +131,13 @@ resource "aws_vpc_security_group_egress_rule" "additional" {
 referenced_security_group_id = each.value.self ? aws_security_group.additional_eks_cluster_sg.id : null
 }
-resource "aws_vpc_security_group_ingress_rule" "additional_ingress_rules_2" {
- for_each = { for k, v in local.sg_additional_ingress_rules_2 : v.from_port => v }
- security_group_id = aws_security_group.extra_cluster_sg.id
+# resource "aws_vpc_security_group_ingress_rule" "additional_ingress_rules_2" {
+# for_each = { for k, v in local.sg_additional_ingress_rules_2 : v.from_port => v }
+# security_group_id = aws_security_group.extra_cluster_sg.id
- description = each.value.description
- from_port = each.value.from_port
- to_port = each.value.to_port
- ip_protocol = each.value.protocol
- referenced_security_group_id = aws_security_group.additional_eks_cluster_sg.id
-}
+# description = each.value.description
+# from_port = each.value.from_port
+# to_port = each.value.to_port
+# ip_protocol = each.value.protocol
+# referenced_security_group_id = aws_security_group.additional_eks_cluster_sg.id
+# }
diff --git a/variables.tf b/variables.tf
index cbb084f..be02865 100644
--- a/variables.tf
+++ b/variables.tf
@@ -16,18 +16,6 @@ variable "cluster_version" {
 }
 }
-variable "cluster_endpoint_private_access" {
- description = "Whether the EKS cluster API server endpoint is privately accessible"
- type = bool
- default = true
-}
-
-variable "cluster_endpoint_public_access" {
- description = "Whether the EKS cluster API server endpoint is publicly accessible"
- type = bool
- default = false
-}
-
 variable "enable_cluster_creator_admin_permissions" {
 description = "Grant admin permissions to the cluster creator"
 type = bool
"148.129.0.0/16",
"172.16.0.0/12",
"192.168.0.0/16",
"10.0.0.0/16"
]