change default public access to false, change SG to allow access to a…

…ll on-prem and cloud
terraform-modules · Aug 16, 2022 · a9019a6 · a9019a6
1 parent 4ff479e
commit a9019a6
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 6 deletions.
diff --git a/examples/efs-persistent-volumes/efs-access-points.tf b/examples/efs-persistent-volumes/efs-access-points.tf
@@ -28,7 +28,7 @@ resource "kubernetes_persistent_volume" "efs_ap" {
       storage = "1Gi"
     }
     claim_ref {
-      name      = format("%v-%v-claim", var.cluster_name, each.key)
+      name      = format("%v-%v-%v-claim", var.cluster_name, each.value.claim_namespace, each.key)
       namespace = format("%v-%v", var.cluster_name, each.value.claim_namespace)
     }
     access_modes                     = ["ReadWriteMany"]

diff --git a/examples/full-cluster/main.tf b/examples/full-cluster/main.tf
@@ -48,6 +48,10 @@ locals {
 
 }
 
+# we changed endpoint_public_access to false by default. This is so we can reach the EKS API through private IPs
+# from on-prem and from the cloud.  Otherwise, another account outside of where this is created will be unable to 
+# access teh API. This also requires a SG change in securitygroup.tf
+
 resource "aws_eks_cluster" "eks_cluster" {
   name                      = var.cluster_name
   version                   = var.cluster_version
@@ -58,7 +62,7 @@ resource "aws_eks_cluster" "eks_cluster" {
     subnet_ids              = local.subnets
     security_group_ids      = [aws_security_group.additional_eks_cluster_sg.id]
     endpoint_private_access = true
-    endpoint_public_access  = true
+    endpoint_public_access  = false
     public_access_cidrs     = var.census_public_cidr
   }
 

diff --git a/examples/full-cluster/securitygroup.tf b/examples/full-cluster/securitygroup.tf
@@ -22,11 +22,15 @@ resource "aws_security_group" "additional_eks_cluster_sg" {
     ]
   }
   # this grants in-VPC access to the K8S api
+  # updated to get all census private cidrs to get on-prem, as we are now sending the interface traffic over
+  # a private IP only (disabling public access). This is to reach a cluster api from another account and VPC
+  # so we open all the cloud accounts too
   ingress {
-    from_port   = 443
-    to_port     = 443
-    protocol    = "tcp"
-    cidr_blocks = [var.vpc_cidr_block]
+    from_port = 443
+    to_port   = 443
+    protocol  = "tcp"
+    #    cidr_blocks = [ var.vpc_cidr_block ]
+    cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"])
   }
 
   egress {