feat!: (IAC-619) Support VPCs with private and control_plane subnets, NAT gateway is not required #238

Merged: 27 commits, Nov 2, 2023
c3bed14
feat: (IAC-619) Support VPCs with ONLY private subnets, NAT gateway i…
dhoucgitter Oct 9, 2023
bfb5cb4
change to support s3 vpc endpoint using Gateway type
dhoucgitter Oct 10, 2023
12989d5
restore create_subnets condition using count iterator, formatting
dhoucgitter Oct 12, 2023
1273ad1
update note to express when nat_id is optional
dhoucgitter Oct 12, 2023
7a091a8
Add a BYON 0 entry to the table
dhoucgitter Oct 16, 2023
a6fee66
Add input variable and document how to enable/disable VPC endpoint cr…
dhoucgitter Oct 17, 2023
9bde720
Add a direct link to referenced BYON scenarios per review comment
dhoucgitter Oct 18, 2023
23cde6e
Add nat_id back to table as optional variable for BYON scenarios 2 & 3
dhoucgitter Oct 18, 2023
de7babf
Update local var name per review comment
dhoucgitter Oct 18, 2023
739ac38
Don't create vpc endpoint SG ingress rule if IaC vpc endpoint creatio…
dhoucgitter Oct 18, 2023
7e0a4a5
any existing security group indicates byo_network_scenario 3 choice, …
dhoucgitter Oct 20, 2023
e952b30
Update ref to local var, allow existing workers SG input without clus…
dhoucgitter Oct 20, 2023
078d5c3
add missing SG description, correct private VPC SG rule description p…
dhoucgitter Oct 20, 2023
ce2cc34
Use private subnets for database when no db subnets provided
dhoucgitter Oct 20, 2023
9c520f7
Add output value Note: to end of BYO network table, required and opti…
dhoucgitter Oct 23, 2023
dd552f8
Add 2 private CIDR config vars and doc for 3 private CIDR variables
dhoucgitter Oct 25, 2023
894f96a
Update ingress rule descriptions
dhoucgitter Oct 25, 2023
1e62eae
Add private_cluster_ingress as dependency to 2 objects for a test
dhoucgitter Oct 26, 2023
6ba5a6c
Use in-line approach for private_cluster_ingress rule
dhoucgitter Oct 26, 2023
c22fdc3
Apply suggested Private Access CIDR edits, Part 1
dhoucgitter Oct 26, 2023
c6e93ca
Add to Private Access CIDR context descriptions per review comment
dhoucgitter Oct 27, 2023
d5997cb
update for review comment
dhoucgitter Oct 27, 2023
9f10b2a
test in-line approach for vpc_endpoint_private_access_cidrs ingress rule
dhoucgitter Oct 27, 2023
4c7c809
fix for previous commit
dhoucgitter Oct 28, 2023
adfae93
remove duplicate commented code
dhoucgitter Oct 30, 2023
4284772
change column header to 'Scenario'
dhoucgitter Oct 31, 2023
250998f
make references to the private, public, and database lists in the sub…
dhoucgitter Oct 31, 2023
19 changes: 17 additions & 2 deletions docs/CONFIG-VARS.md
Expand Up @@ -11,6 +11,8 @@ Supported configuration variables are listed in the tables below. All variables
- [Using Static Credentials](#using-static-credentials)
- [Using AWS Profile](#using-aws-profile)
- [Admin Access](#admin-access)
- [Public Access CIDRs](#public-access-cidrs)
- [Private Access CIDRs](#private-access-cidrs)
- [Networking](#networking)
- [Use Existing](#use-existing)
- [IAM](#iam)
Expand Down Expand Up @@ -72,14 +74,27 @@ NOTE: When deploying infrastructure into a private network (e.g. a VPN), with no

NOTE: The script will either create a new Security Group, or use an existing Security Group, if specified in the `security_group_id` variable.

### Public Access CIDRS

You can use `default_public_access_cidrs` to set a default range for all created resources. To set different ranges for other resources, define the appropriate variable. Use an empty list [] to disallow access explicitly.

| <div style="width:50px">Name</div> | <div style="width:150px">Description</div> | <div style="width:50px">Type</div> | <div style="width:75px">Default</div> | <div style="width:150px">Notes</div> |
| :--- | :--- | :--- | :--- | :--- |
| default_public_access_cidrs | IP address ranges that are allowed to access all created cloud resources | list of strings | | Set a default for all resources. |
| cluster_endpoint_public_access_cidrs | IP address ranges that are allowed to access the AKS cluster API | list of strings | | For client admin access to the cluster api (by kubectl, for example). Only used with `cluster_api_mode=public` |
| cluster_endpoint_public_access_cidrs | IP address ranges that are allowed to access the EKS cluster API | list of strings | | For client admin access to the cluster api (by kubectl, for example). Only used with `cluster_api_mode=public` |
| vm_public_access_cidrs | IP address ranges that are allowed to access the VMs | list of strings | | Opens port 22 for SSH access to the jump server and/or NFS VM by adding Ingress Rule on the Security Group. Only used with `create_jump_public_ip=true` or `create_nfs_public_ip=true`. |
| postgres_access_cidrs | IP address ranges that are allowed to access the AWS PostgreSQL server | list of strings || Opens port 5432 by adding Ingress Rule on the Security Group. Only used when creating postgres instances.|
| postgres_public_access_cidrs | IP address ranges that are allowed to access the AWS PostgreSQL server | list of strings || Opens port 5432 by adding Ingress Rule on the Security Group. Only used when creating postgres instances.|

### Private Access CIDRS

You can use `default_private_access_cidrs` to set a default range for all created private resources. To set different ranges for other resources, define the appropriate variable. Use an empty list [] to disallow access explicitly.

| <div style="width:50px">Name</div> | <div style="width:150px">Description</div> | <div style="width:50px">Type</div> | <div style="width:75px">Default</div> | <div style="width:150px">Notes</div> |
| :--- | :--- | :--- | :--- | :--- |
| default_private_access_cidrs | IP address ranges that are allowed to access all created private cloud resources | list of strings | | Set a default for all private resources. |
| cluster_endpoint_private_access_cidrs | IP address ranges that are allowed to access the EKS cluster API | list of strings | | For client admin access to the cluster api (by kubectl, for example). Only used with `cluster_api_mode=private` |
| vpc_endpoint_private_access_cidrs | IP address ranges that are allowed to access all AWS Services targeted by the VPC endpoints | list of strings | | |
| vm_private_access_cidrs | IP address ranges that are allowed to access the private IP based VMs | list of strings | | Opens port 22 for SSH access to the jump server and/or NFS VM by adding Ingress Rule on the Workers Security Group. Only used with `create_jump_public_ip=false` or `create_nfs_public_ip=false`. |

## Networking
| Name | Description | Type | Default | Notes |
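Review bot: the lead sentence of Private Access CIDRs ("Use an empty list [] to disallow access explicitly") does not hold for `cluster_endpoint_private_access_cidrs` and `vpc_endpoint_private_access_cidrs`: in locals.tf this PR always concatenates `module.vpc.public_subnet_cidrs` and `module.vpc.private_subnet_cidrs` into both locals, so the VPC's own subnets are always allowed and `[]` only suppresses additional ranges. Say so in the Notes column and fill the empty Default column for those two rows with "VPC public and private subnet CIDRs". The `vm_private_access_cidrs` row is also incomplete: per security.tf the port 22 rule is only created when `workers_security_group_id` is unset and a jump VM (`create_jump_vm=true`) or a standard NFS VM (`storage_type="standard"`) is actually deployed without a public IP, so "Only used with `create_jump_public_ip=false` or `create_nfs_public_ip=false`" understates the conditions; the BYO security group case in particular should be called out, since the operator must then add the SSH ingress themselves.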
18 changes: 13 additions & 5 deletions locals.tf
Expand Up @@ -20,11 +20,19 @@ locals {
aws_shared_credentials = local.use_aws_shared_credentials_file ? [var.aws_shared_credentials_file] : var.aws_shared_credentials_files

# CIDRs
default_public_access_cidrs = var.default_public_access_cidrs == null ? [] : var.default_public_access_cidrs
vm_public_access_cidrs = var.vm_public_access_cidrs == null ? local.default_public_access_cidrs : var.vm_public_access_cidrs
cluster_endpoint_public_access_cidrs = var.cluster_api_mode == "private" ? [] : (var.cluster_endpoint_public_access_cidrs == null ? local.default_public_access_cidrs : var.cluster_endpoint_public_access_cidrs)
cluster_endpoint_private_access_cidrs = var.cluster_endpoint_private_access_cidrs == null ? distinct(concat(module.vpc.public_subnet_cidrs, module.vpc.private_subnet_cidrs)) : var.cluster_endpoint_private_access_cidrs # tflint-ignore: terraform_unused_declarations
postgres_public_access_cidrs = var.postgres_public_access_cidrs == null ? local.default_public_access_cidrs : var.postgres_public_access_cidrs
default_public_access_cidrs = var.default_public_access_cidrs == null ? [] : var.default_public_access_cidrs
default_private_access_cidrs = var.default_private_access_cidrs == null ? [] : var.default_private_access_cidrs

vm_public_access_cidrs = var.vm_public_access_cidrs == null ? local.default_public_access_cidrs : var.vm_public_access_cidrs
vm_private_access_cidrs = var.vm_private_access_cidrs == null ? local.default_private_access_cidrs : var.vm_private_access_cidrs

cluster_endpoint_public_access_cidrs = var.cluster_api_mode == "private" ? [] : (var.cluster_endpoint_public_access_cidrs == null ? local.default_public_access_cidrs : var.cluster_endpoint_public_access_cidrs)

cluster_endpoint_private_access_cidrs = var.cluster_api_mode == "public" ? [] : var.cluster_endpoint_private_access_cidrs == null ? distinct(concat(module.vpc.public_subnet_cidrs, module.vpc.private_subnet_cidrs, local.default_private_access_cidrs)) : distinct(concat(module.vpc.public_subnet_cidrs, module.vpc.private_subnet_cidrs, local.default_private_access_cidrs, var.cluster_endpoint_private_access_cidrs)) # tflint-ignore: terraform_unused_declarations

vpc_endpoint_private_access_cidrs = var.vpc_endpoint_private_access_cidrs == null ? distinct(concat(module.vpc.public_subnet_cidrs, module.vpc.private_subnet_cidrs, local.default_private_access_cidrs)) : distinct(concat(module.vpc.public_subnet_cidrs, module.vpc.private_subnet_cidrs, local.default_private_access_cidrs, var.vpc_endpoint_private_access_cidrs))

postgres_public_access_cidrs = var.postgres_public_access_cidrs == null ? local.default_public_access_cidrs : var.postgres_public_access_cidrs

# Subnets
jump_vm_subnet = var.create_jump_public_ip ? module.vpc.public_subnets[0] : module.vpc.private_subnets[0]
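Review bot: the `# tflint-ignore: terraform_unused_declarations` on `cluster_endpoint_private_access_cidrs` is now stale, since security.tf in this PR references that local from `private_cluster_ingress`; drop it so tflint can flag a genuinely dead declaration later. The two new nested conditionals are also hard to read without parentheses, while `cluster_endpoint_public_access_cidrs` a few lines up already parenthesises its inner conditional; the duplicated `distinct(concat(...))` in both branches can go as well by folding the null check into the argument, e.g. `distinct(concat(module.vpc.public_subnet_cidrs, module.vpc.private_subnet_cidrs, local.default_private_access_cidrs, var.vpc_endpoint_private_access_cidrs == null ? [] : var.vpc_endpoint_private_access_cidrs))`. Finally, because the subnet CIDRs are always concatenated, neither local can be emptied by the operator; if that is intended, CONFIG-VARS.md should not promise that `[]` disallows access for these two variables.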
34 changes: 32 additions & 2 deletions security.tf
Expand Up @@ -24,13 +24,13 @@ resource "aws_security_group" "sg" {
}

resource "aws_security_group_rule" "private_vpc" {
count = var.vpc_private_endpoints_enabled ? length(local.cluster_endpoint_private_access_cidrs) > 0 ? 1 : 0 : 0
count = var.vpc_private_endpoints_enabled ? length(local.vpc_endpoint_private_access_cidrs) > 0 ? 1 : 0 : 0
type = "ingress"
description = "Allow tcp port 443 ingress to all AWS Services targeted by the VPC endpoints"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = local.cluster_endpoint_private_access_cidrs
cidr_blocks = local.vpc_endpoint_private_access_cidrs
security_group_id = local.security_group_id
}

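Review bot: the `length(local.vpc_endpoint_private_access_cidrs) > 0 ? 1 : 0` guard in `count` can now only reach 0 if the VPC module reports no public and no private subnets at all, because the renamed local always contains `module.vpc.public_subnet_cidrs` and `module.vpc.private_subnet_cidrs`; the nested ternary therefore obscures that the rule is effectively created whenever `vpc_private_endpoints_enabled` is true. Either simplify to `count = var.vpc_private_endpoints_enabled ? 1 : 0` and document that the VPC subnets are always allowed, or, if an empty list is meant to suppress the rule, stop unconditionally concatenating the subnet CIDRs in locals.tf. Splitting the VPC endpoint allow-list away from the cluster endpoint allow-list is the right change, since the two security groups should not share one list.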
Expand Down Expand Up @@ -121,6 +121,17 @@ resource "aws_security_group_rule" "cluster_ingress" {
security_group_id = local.cluster_security_group_id
}

resource "aws_security_group_rule" "private_cluster_ingress" {
count = local.cluster_endpoint_private_access_cidrs != null ? length(local.cluster_endpoint_private_access_cidrs) > 0 ? 1 : 0 : 0
type = "ingress"
description = "Allow tcp port 443 ingress to EKS cluster API from cluster endpoint private access cidrs"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = local.cluster_endpoint_private_access_cidrs
security_group_id = local.cluster_security_group_id
}


resource "aws_security_group" "workers_security_group" {
name = "${var.prefix}-eks_worker_sg"
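Review bot: the `!= null` test in `count` of `private_cluster_ingress` is dead: both branches of the `cluster_endpoint_private_access_cidrs` conditional in locals.tf return a list, never null, so `length(...) > 0 ? 1 : 0` is sufficient. More important, because that local always includes the VPC's public and private subnet CIDRs, this rule opens TCP 443 on the cluster security group from every subnet in the VPC whenever `cluster_api_mode` is anything other than `public`; that is probably intended for worker nodes in private subnets, but the rule description and CONFIG-VARS.md should state it, and the count would be clearer guarded on `var.cluster_api_mode == "private"` at the resource rather than relying on the local being `[]` for `public`.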
Expand Down Expand Up @@ -189,3 +200,22 @@ resource "aws_security_group_rule" "worker_cluster_api_443" {
to_port = 443
security_group_id = aws_security_group.workers_security_group[0].id
}


resource "aws_security_group_rule" "vm_private_access_22" {

count = (length(local.vm_private_access_cidrs) > 0
&& var.workers_security_group_id == null
&& ((var.create_jump_public_ip == false && var.create_jump_vm)
|| (var.create_nfs_public_ip == false && var.storage_type == "standard")
)
? 1 : 0
)
type = "ingress"
description = "Allow the client VMs to reach a private IP based Jump VM"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = local.vm_private_access_cidrs
security_group_id = aws_security_group.workers_security_group[0].id
}
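Review bot: the description "Allow the client VMs to reach a private IP based Jump VM" covers only half of what `count` admits: the rule is also created for the NFS VM case (`var.create_nfs_public_ip == false && var.storage_type == "standard"`), so say "jump VM and/or NFS VM" as the docs table does. The blank line directly after the opening brace is also inconsistent with the other resources in this file. Two behaviours worth documenting next to the variable: when `workers_security_group_id` is supplied the rule is silently skipped, so the operator must add the port 22 ingress to their own security group; and because the rule is attached to `workers_security_group`, it opens SSH from `vm_private_access_cidrs` to every instance in that security group, not only the jump/NFS VM.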
24 changes: 21 additions & 3 deletions variables.tf
Expand Up @@ -61,9 +61,15 @@ variable "iac_tooling" {
default = "terraform"
}

## Public Access
## Public & Private Access
variable "default_public_access_cidrs" {
description = "List of CIDRs to access created resources."
description = "List of CIDRs to access created resources - Public."
type = list(string)
default = null
}

variable "default_private_access_cidrs" {
description = "List of CIDRs to access created resources - Private."
type = list(string)
default = null
}
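Review bot: "List of CIDRs to access created resources - Private." tells the operator neither which resources nor that it is only a fallback; state that it is the default for `vm_private_access_cidrs`, `cluster_endpoint_private_access_cidrs` and `vpc_endpoint_private_access_cidrs` when those are unset, and that for the latter two the VPC subnet CIDRs are always added, as locals.tf does. Both variables would also benefit from a `validation` block that checks each entry with `can(cidrhost(c, 0))` (guarding the `null` default), so a malformed CIDR fails at plan time instead of at the security group rule.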
Expand All @@ -80,8 +86,20 @@ variable "cluster_endpoint_private_access_cidrs" {
default = null
}

variable "vpc_endpoint_private_access_cidrs" {
description = "List of CIDRs to access VPC endpoints - Private."
type = list(string)
default = null
}

variable "vm_public_access_cidrs" {
description = "List of CIDRs to access jump VM or NFS VM."
description = "List of CIDRs to access jump VM or NFS VM - Public."
type = list(string)
default = null
}

variable "vm_private_access_cidrs" {
description = "List of CIDRs to access jump VM or NFS VM - Private."
type = list(string)
default = null
}
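Review bot: the `vm_private_access_cidrs` description should say what the variable actually does (opens TCP 22 on the workers security group, and only when `workers_security_group_id` is unset), as CONFIG-VARS.md does, since variable descriptions are what most operators read. It is also worth a sentence that "Private" here means the rule targets the VMs' private IPs, not that the list is restricted to private address space: nothing prevents `["0.0.0.0/0"]`, which would expose SSH on every instance in the workers security group to anything routed into the VPC (peering, transit gateway, VPN). The same applies to `vpc_endpoint_private_access_cidrs`.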