align with upstream

README.md

@@ -123,6 +123,7 @@ efs-csi-controller    0         5m
 | [aws_ec2_tag.container_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
 | [aws_security_group.additional_eks_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group.all_worker_mgmt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group.extra_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group_rule.allow_sidecar_injection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [terraform_data.subnet_validation](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
@@ -142,7 +143,7 @@ efs-csi-controller    0         5m
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_access_entries"></a> [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster | `any` | `{}` | no |
-| <a name="input_census_private_cidr"></a> [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` | <pre>[<br/>  "148.129.0.0/16",<br/>  "172.16.0.0/12",<br/>  "192.168.0.0/16"<br/>]</pre> | no |
+| <a name="input_census_private_cidr"></a> [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` | <pre>[<br/>  "148.129.0.0/16",<br/>  "172.16.0.0/12",<br/>  "192.168.0.0/16",<br/>  "10.0.0.0/16"<br/>]</pre> | no |
 | <a name="input_cluster_endpoint_private_access"></a> [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Whether the EKS cluster API server endpoint is privately accessible | `bool` | `true` | no |
 | <a name="input_cluster_endpoint_public_access"></a> [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether the EKS cluster API server endpoint is publicly accessible | `bool` | `false` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes |

security_groups.tf

@@ -4,6 +4,47 @@ locals {
   additional_eks_cluster_sg_name = format("%v%v-cluster", local.prefixes["eks-security-group"], var.cluster_name)
 }
 
+resource "aws_security_group" "additional_eks_cluster_sg" {
+  name = local.additional_eks_cluster_sg_name
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    tomap({ "Name" = local.additional_eks_cluster_sg_name }),
+  )
+
+  vpc_id = data.aws_vpc.eks_vpc.id
+
+  ingress {
+    from_port = 0
+    to_port   = 0
+    protocol  = -1
+
+    security_groups = [
+      aws_security_group.all_worker_mgmt.id,
+    ]
+  }
+
+  # in-VPC access to K8s API
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"])
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  lifecycle {
+    ignore_changes = [ingress, egress]
+  }
+}
+
+
 resource "aws_security_group" "all_worker_mgmt" {
   name = local.all_worker_mgmt_name
 
@@ -28,15 +69,19 @@ resource "aws_security_group" "all_worker_mgmt" {
     protocol    = "-1"
     cidr_blocks = ["0.0.0.0/0"]
   }
+  lifecycle {
+    ignore_changes = [ingress, egress]
+  }
 }
 
-resource "aws_security_group" "additional_eks_cluster_sg" {
-  name = local.additional_eks_cluster_sg_name
+resource "aws_security_group" "extra_cluster_sg" {
+  name        = format("%v%v-extra", local._prefixes["eks-security-group"], var.cluster_name)
+  description = format("Security group for additional access for EKS cluster %v", var.cluster_name)
 
   tags = merge(
     local.base_tags,
     var.tags,
-    tomap({ "Name" = local.additional_eks_cluster_sg_name }),
+    { "Name" = format("%v%v-extra", local._prefixes["eks-security-group"], var.cluster_name) },
   )
 
   vpc_id = data.aws_vpc.eks_vpc.id
@@ -45,10 +90,7 @@ resource "aws_security_group" "additional_eks_cluster_sg" {
     from_port = 0
     to_port   = 0
     protocol  = -1
-
-    security_groups = [
-      aws_security_group.all_worker_mgmt.id,
-    ]
+    self      = true
   }
 
   ingress {
@@ -58,10 +100,21 @@ resource "aws_security_group" "additional_eks_cluster_sg" {
     cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"])
   }
 
+  # kubectl logs
+  ingress {
+    from_port   = 10250
+    to_port     = 10250
+    protocol    = "tcp"
+    cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"])
+  }
+
   egress {
     from_port   = 0
     to_port     = 0
     protocol    = "-1"
     cidr_blocks = ["0.0.0.0/0"]
   }
+  lifecycle {
+    ignore_changes = [ingress, egress]
+  }
 }

variables.tf

@@ -133,7 +133,7 @@ variable "access_entries" {
 variable "census_private_cidr" {
   description = "Census Private CIR Blocks"
   type        = list(string)
-  default     = ["148.129.0.0/16", "172.16.0.0/12", "192.168.0.0/16"]
+  default     = ["148.129.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "10.0.0.0/16"]
   validation {
     condition = alltrue([
       for cidr in var.census_private_cidr : can(cidrhost(cidr, 0))