Add amazon_web_services configuration option to specify EKS cluster a…

…pi server endpoint access setting (#2618)
nebari-dev · Sep 9, 2024 · aed2b92 · aed2b92
1 parent f61af76
commit aed2b92
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 3 deletions.
diff --git a/src/_nebari/stages/infrastructure/__init__.py b/src/_nebari/stages/infrastructure/__init__.py
@@ -6,7 +6,7 @@
 import re
 import sys
 import tempfile
-from typing import Annotated, Any, Dict, List, Optional, Tuple, Type, Union
+from typing import Annotated, Any, Dict, List, Literal, Optional, Tuple, Type, Union
 
 from pydantic import Field, field_validator, model_validator
 
@@ -146,6 +146,9 @@ class AWSInputVars(schema.Base):
     existing_subnet_ids: Optional[List[str]] = None
     region: str
     kubernetes_version: str
+    eks_endpoint_access: Optional[
+        Literal["private", "public", "public_and_private"]
+    ] = "public"
     node_groups: List[AWSNodeGroupInputVars]
     availability_zones: List[str]
     vpc_cidr_block: str
@@ -465,6 +468,9 @@ class AmazonWebServicesProvider(schema.Base):
     kubernetes_version: str
     availability_zones: Optional[List[str]]
     node_groups: Dict[str, AWSNodeGroup] = DEFAULT_AWS_NODE_GROUPS
+    eks_endpoint_access: Optional[
+        Literal["private", "public", "public_and_private"]
+    ] = "public"
     existing_subnet_ids: Optional[List[str]] = None
     existing_security_group_id: Optional[str] = None
     vpc_cidr_block: str = "10.10.0.0/16"
@@ -808,6 +814,7 @@ def input_vars(self, stage_outputs: Dict[str, Dict[str, Any]]):
             return AWSInputVars(
                 name=self.config.escaped_project_name,
                 environment=self.config.namespace,
+                eks_endpoint_access=self.config.amazon_web_services.eks_endpoint_access,
                 existing_subnet_ids=self.config.amazon_web_services.existing_subnet_ids,
                 existing_security_group_id=self.config.amazon_web_services.existing_security_group_id,
                 region=self.config.amazon_web_services.region,

diff --git a/src/_nebari/stages/infrastructure/template/aws/main.tf b/src/_nebari/stages/infrastructure/template/aws/main.tf
@@ -97,7 +97,8 @@ module "kubernetes" {
 
   node_groups = var.node_groups
 
-  endpoint_private_access = var.eks_endpoint_private_access
+  endpoint_public_access  = var.eks_endpoint_access == "private" ? false : true
+  endpoint_private_access = var.eks_endpoint_access == "public" ? false : true
   public_access_cidrs     = var.eks_public_access_cidrs
   permissions_boundary    = var.permissions_boundary
 }
diff --git a/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/main.tf b/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/main.tf
@@ -8,7 +8,8 @@ resource "aws_eks_cluster" "main" {
   vpc_config {
     security_group_ids = var.cluster_security_groups
     subnet_ids         = var.cluster_subnets
-
+    #trivy:ignore:AVD-AWS-0040
+    endpoint_public_access  = var.endpoint_public_access
     endpoint_private_access = var.endpoint_private_access
     public_access_cidrs     = var.public_access_cidrs
   }

diff --git a/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/variables.tf b/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/variables.tf
@@ -60,6 +60,11 @@ variable "node_group_instance_type" {
   default     = "m5.large"
 }
 
+variable "endpoint_public_access" {
+  type    = bool
+  default = true
+}
+
 variable "endpoint_private_access" {
   type    = bool
   default = false

diff --git a/src/_nebari/stages/infrastructure/template/aws/variables.tf b/src/_nebari/stages/infrastructure/template/aws/variables.tf
@@ -56,6 +56,12 @@ variable "kubeconfig_filename" {
   type        = string
 }
 
+variable "eks_endpoint_access" {
+  description = "EKS cluster api server endpoint access setting"
+  type        = string
+  default     = "public"
+}
+
 variable "eks_endpoint_private_access" {
   type    = bool
   default = false