From a9019a67455fcf038bc475e83c97d9d986df1f2c Mon Sep 17 00:00:00 2001
From: badra001
Date: Tue, 16 Aug 2022 15:58:10 -0400
Subject: [PATCH] change default public access to false, change SG to allow access to all on-prem and cloud

---
 examples/efs-persistent-volumes/efs-access-points.tf | 2 +-
 examples/full-cluster/main.tf | 6 +++++-
 examples/full-cluster/securitygroup.tf | 12 ++++++++----
 3 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/examples/efs-persistent-volumes/efs-access-points.tf b/examples/efs-persistent-volumes/efs-access-points.tf
index 8d6e596..659b6d7 100644
--- a/examples/efs-persistent-volumes/efs-access-points.tf
+++ b/examples/efs-persistent-volumes/efs-access-points.tf
@@ -28,7 +28,7 @@ resource "kubernetes_persistent_volume" "efs_ap" {
       storage = "1Gi"
     }
     claim_ref {
-      name = format("%v-%v-claim", var.cluster_name, each.key)
+      name = format("%v-%v-%v-claim", var.cluster_name, each.value.claim_namespace, each.key)
       namespace = format("%v-%v", var.cluster_name, each.value.claim_namespace)
     }
     access_modes = ["ReadWriteMany"]
diff --git a/examples/full-cluster/main.tf b/examples/full-cluster/main.tf
index 2edc6a5..7489367 100644
--- a/examples/full-cluster/main.tf
+++ b/examples/full-cluster/main.tf
@@ -48,6 +48,10 @@ locals {
 }
 
 
+# we changed endpoint_public_access to false by default. This is so we can reach the EKS API through private IPs
+# from on-prem and from the cloud. Otherwise, another account outside of where this is created will be unable to
+# access teh API. This also requires a SG change in securitygroup.tf
+
 resource "aws_eks_cluster" "eks_cluster" {
   name = var.cluster_name
   version = var.cluster_version
@@ -58,7 +62,7 @@ resource "aws_eks_cluster" "eks_cluster" {
   subnet_ids = local.subnets
   security_group_ids = [aws_security_group.additional_eks_cluster_sg.id]
   endpoint_private_access = true
-  endpoint_public_access = true
+  endpoint_public_access = false
   public_access_cidrs = var.census_public_cidr
 }
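Review bot: The new `claim_ref.name` format adds `each.value.claim_namespace` between the cluster name and the key, but nothing in this patch shows the matching `PersistentVolumeClaim` being renamed the same way, and the diffstat lists no claim-side file; if the claim's `metadata.name` still uses the old two-part format the PV will never bind to it. Please confirm the claim resource (outside this diff) builds its name with the identical `format("%v-%v-%v-claim", ...)` expression, ideally by moving the expression into a single `local` that both sides reference so they cannot drift apart again. The `kubernetes_persistent_volume` block begins and ends outside the hunk.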
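Review bot: The added comment block in main.tf says the endpoint was changed to `false` "by default", but the later hunk sets it as a hard-coded literal on the resource, not a default of any input variable, so the wording overstates what is configurable; it also has a typo (`teh API`). Suggested rewording: `# endpoint_public_access is set to false so the EKS API is reached only via private IPs (on-prem and peered cloud accounts); see the matching ingress rule in securitygroup.tf.` The comment is placed above the `aws_eks_cluster` resource, whose body runs past the end of this hunk.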
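Review bot: With `endpoint_public_access = false`, the `public_access_cidrs = var.census_public_cidr` line directly below it no longer restricts anything, because that list only applies to the public endpoint; either remove it or add a comment stating it is kept deliberately for re-enabling public access later, so a reader does not assume it is still enforcing an allow-list. Since this is an example meant to be reused, consider driving the flag from an input variable with `default = false` (variable name to be chosen by the maintainers) rather than editing the resource, which would also make the earlier comment's "by default" accurate. The `aws_eks_cluster` resource begins before this hunk.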
diff --git a/examples/full-cluster/securitygroup.tf b/examples/full-cluster/securitygroup.tf
index 0a233d6..b66be01 100644
--- a/examples/full-cluster/securitygroup.tf
+++ b/examples/full-cluster/securitygroup.tf
@@ -22,11 +22,15 @@ resource "aws_security_group" "additional_eks_cluster_sg" {
     ]
   }
   # this grants in-VPC access to the K8S api
+  # updated to get all census private cidrs to get on-prem, as we are now sending the interface traffic over
+  # a private IP only (disabling public access). This is to reach a cluster api from another account and VPC
+  # so we open all the cloud accounts too
   ingress {
-    from_port = 443
-    to_port = 443
-    protocol = "tcp"
-    cidr_blocks = [var.vpc_cidr_block]
+    from_port = 443
+    to_port = 443
+    protocol = "tcp"
+    # cidr_blocks = [ var.vpc_cidr_block ]
+    cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"])
   }
 
   egress {
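Review bot: The new `cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"])` hard-codes the entire 10/8 range into the example, so every host in that range can reach the Kubernetes API on 443 — much wider than the "all the cloud accounts" the comment describes, and a literal that no caller of the example can narrow without editing the module. Move that range into `var.census_private_cidr` itself or into a dedicated list-typed input (name to be chosen) so the full allow-list is visible in one place and reviewable; the comment above `ingress` should then state which organisational ranges it represents rather than that "we open all the cloud accounts". If `var.census_private_cidr` already contains ranges inside 10.0.0.0/8 they become redundant, and an exact duplicate of `10.0.0.0/8` would most likely be rejected by the provider as a duplicate rule, so check the variable's contents. The commented-out `# cidr_blocks = [ var.vpc_cidr_block ]` line is dead code whose history git already keeps; drop it. The `additional_eks_cluster_sg` resource begins before this hunk and continues after it.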