This repository has been archived by the owner on Apr 27, 2020. It is now read-only.

Merge pull request #28 from cmdlabs/additional-sg
Additional security group support for the EKS API server
fahad-tariq authored Sep 3, 2019
2 parents 84e7336 + 92fcebb commit 4d819a1
Showing 4 changed files with 48 additions and 11 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [0.8.0] - 2019-08-31
### Added
- Specify additional security groups or IP ranges that can have access to the cluster in private EKS mode.

## [0.7.0] - 2019-07-09
### Breaking
- KIAM no longer has dedicated nodes. This is possible now that KIAM has an option to not remove the iptables rule on shutdown resulting in a fail secure design.
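Review bot: the new 0.8.0 entry scopes the feature to "private EKS mode", but the rules it describes are added to the cluster security group whenever either list is non-empty, regardless of `cluster_endpoint_private_access`; because security groups only govern traffic to the control plane ENIs inside the VPC, they have no effect on the public endpoint. Suggest saying so explicitly, e.g. "Specify additional security groups or CIDR ranges allowed to reach the API server on tcp/443 through the private endpoint (no effect on the public endpoint)", so nobody reads this as a way to restrict the public endpoint.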
24 changes: 13 additions & 11 deletions README.md
@@ -9,20 +9,22 @@ To improve the security of your clusters this module defaults to expecting KIAM
|------|-------------|:----:|:-----:|:-----:|
| autotag\_subnets | Automatically add Kubernetes tags to subnets. Requires aws-cli to be available. | string | `"false"` | no |
| autotag\_profile | Defines an optional AWS profile to use with aws-cli when auto-tagging subnets | string | `"false"` | no |
| cluster\_access\_additional\_sg | Security groups allowed access to the API server | list | `[]` | no |
| cluster\_access\_additional\_ip | CIDRs allowed access to the API server | list | `[]` | no |
| cluster\_endpoint\_private\_access | Enable Amazon EKS private API server endpoint. | string | `"false"` | no |
| cluster\_endpoint\_public\_access | Enable Amazon EKS public API server endpoint. | string | `"true"` | no |
| cluster\_name | Name of the EKS Cluster | string | n/a | yes |
| cluster\_version | EKS Cluster Version | string | n/a | yes |
| enable\_alb\_ingress | Enable required components for ALB Ingress | string | `"true"` | no |
| enable\_cert\_manager | Enable required components for Cert-Manager | string | `"true"` | no |
| enable\_container\_insights | Enable required components for Cloudwatch Container Insights | string | `"true"` | no |
| enable\_cluster\_autoscaler | Enable required components for Cluster Autoscaler | string | `"true"` | no |
| enabled\_cluster\_log\_types | A list of the desired control plane logging to enable | list | `["api", "audit", "authenticator", "controllerManager", "scheduler"] ` | no |
| enable\_ecr | Enable required components for Amazon ECR Read Only | string | `"true"` | no |
| enable\_external\_dns | Enable required components for External-DNS | string | `"true"` | no |
| enable\_kiam | Create IAM roles to be used by KIAM. Enabling this requires KIAM to be active and deployed to your cluster for IAM roles to work. | string | `"true"` | no |
| enable\_ssm | Enable required components for SSM | string | `"true"` | no |
| enable\_velero | Enable required components for Velero | string | `"true"` | no |
| enable\_container\_insights | Enable required components for Cloudwatch Container Insights | string | `"true"` | no |
| private\_subnets | Private tier subnet list | list | n/a | yes |
| public\_subnets | Public tier subnet list | list | n/a | yes |
| vpc\_id | VPC ID for EKS Cluster | string | n/a | yes |
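Review bot: the two new rows (`cluster_access_additional_sg`, `cluster_access_additional_ip`) say the inputs are "allowed access to the API server" without saying how: they become tcp/443 ingress rules on the cluster security group, so they only matter when `cluster_endpoint_private_access` is `"true"` and do nothing for the public endpoint, which is governed by `cluster_endpoint_public_access` alone. Suggest qualifying both descriptions, e.g. "Security group IDs allowed to reach the private API server endpoint on tcp/443", and noting that the first list takes security group IDs, not names. Separately, `enable_container_insights` now appears twice in this table (once in its new alphabetical position, once in its old position); this page shows only the resulting lines and not the 11 deletions, so please confirm the old row was removed rather than duplicated.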
@@ -34,26 +36,26 @@ It is possible to customise individual parameters on the the workers list.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| additional\_userdata | Userdata to append to the standard userdata | string | `""` | no |
| ami\_id | AMI ID | string | Most Recent EKS Optimized AMI | no |
| root\_volume\_size | Root EBS volume size | string | `"100"` | no |
| autoscaling\_enabled | Allows cluster-autoscaler to manage this ASG | string | `"true"` | no |
| desired\_capacity | ASG desired capacity. Ignored after creation | string | `"1"` | no |
| min\_size | ASG minimum size | string | `"1"` | no |
| max\_size | ASG maximum size | string | `"10"` | no |
| suspended\_processes | A list of processes to suspend for the worker group | list(string) | `null` | no |
| detailed\_monitoring | Enable EC2 detailed monitoring | string | `"false"` | no |
| enabled\_metrics | A list of ASG metrics to enable | list(string) | `null` | no |
| iam\_role\_name | Override the role that this module generates | string | `""` | no |
| instance\_types | Instance types used in the ASG | list(string) | `["m5.large", "m4.large"]` | no |
| kubelet\_extra\_args | Additional arguments to pass to the kubelet | string| `""` | no |
| max\_size | ASG maximum size | string | `"10"` | no |
| min\_size | ASG minimum size | string | `"1"` | no |
| on\_demand\_allocation\_strategy | Strategy to use when launching on-demand instances | string | `"prioritized"` | no |
| on\_demand\_base\_capacity | Absolute minimum amount of desired capacity that must be fulfilled by on-demand instances | string | `"0"` | no |
| on\_demand\_percentage\_above\_base_capacity | Percentage split between on-demand and spot instances above the base on-demand capacity | string | `"0"` | no |
| pre\_userdata | Userdata to prepend to the standard userdata | string | `""` | no |
| root\_volume\_size | Root EBS volume size | string | `"100"` | no |
| spot\_allocation\_strategy | How to allocate capacity across the Spot pools | string | `"lowest-price"` | no |
| spot\_instance\_pools | Number of Spot pools per availability zone to allocate capacity | string | `"10"` | no |
| spot\_max\_price | Maximum price youre willing to pay for spot instances. Defaults to the on demand price if blank | string | `""` | no |
| instance\_types | Instance types used in the ASG | list(string) | `["m5.large", "m4.large"]` | no |
| detailed\_monitoring | Enable EC2 detailed monitoring | string | `"false"` | no |
| iam\_role\_name | Override the role that this module generates | string | `""` | no |
| kubelet\_extra\_args | Additional arguments to pass to the kubelet | string| `""` | no |
| pre\_userdata | Userdata to prepend to the standard userdata | string | `""` | no |
| additional\_userdata | Userdata to append to the standard userdata | string | `""` | no |
| suspended\_processes | A list of processes to suspend for the worker group | list(string) | `null` | no |
| vpc\_subnets | A list of subnets for the ASG to place instances in | list(string) | `var.private_subnets` | no

## Outputs
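Review bot: this hunk only re-sorts the worker-group table alphabetically and is unrelated to the security group feature; keeping it in its own commit would leave the functional change easier to review. The rows that now appear twice (`root_volume_size`, `min_size`, `max_size`, `suspended_processes`, `detailed_monitoring`, `iam_role_name`, `instance_types`, `kubelet_extra_args`, `pre_userdata`, `additional_userdata`) are presumably the deleted originals that this rendered view does not show; please confirm. Style nit: the `vpc_subnets` row ends with `| no` and is missing the closing `|` that every other row has.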
19 changes: 19 additions & 0 deletions cluster.tf
@@ -71,3 +71,22 @@ resource "aws_security_group_rule" "master_to_worker" {
source_security_group_id = aws_security_group.workers.id
}

resource "aws_security_group_rule" "additional_sg_ingress" {
count = length(var.cluster_access_additional_sg)
security_group_id = aws_security_group.cluster.id
type = "ingress"
from_port = 443
to_port = 443
protocol = "tcp"
source_security_group_id = var.cluster_access_additional_sg[count.index]
}

resource "aws_security_group_rule" "additional_ip_ingress" {
count = length(var.cluster_access_additional_ip) > 0 ? 1 : 0
security_group_id = aws_security_group.cluster.id
type = "ingress"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = var.cluster_access_additional_ip
}
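Review bot: `additional_sg_ingress` is indexed with `count` over `var.cluster_access_additional_sg`, so inserting or removing an ID in the middle of the list shifts every later index and Terraform will destroy and recreate those rules on the next apply, briefly cutting API access for callers whose entry did not change. With Terraform 0.12.6 or later, key each rule by its own value instead: `for_each = toset(var.cluster_access_additional_sg)` and `source_security_group_id = each.value`. Two smaller points: neither rule sets a `description`, so the resulting rules are hard to attribute in the console next to the module's other rules, and nothing stops a caller passing `0.0.0.0/0` in `cluster_access_additional_ip`, which would open the private endpoint to anything that can route to the control plane ENIs (peered VPCs, VPN, transit gateway); Terraform 0.12 has no variable validation, so at minimum document that caveat in the README.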
12 changes: 12 additions & 0 deletions variables.tf
@@ -100,3 +100,15 @@ variable "enabled_cluster_log_types" {
type = list(string)
default = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
}

variable "cluster_access_additional_sg" {
description = "A list of additional security groups that are allowed access to the API server"
type = list(string)
default = []
}

variable "cluster_access_additional_ip" {
description = "A list of additional ip ranges that are allowed access to the API server"
type = list(string)
default = []
}
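Review bot: the two descriptions should say what form the values take and what the module does with them. `cluster_access_additional_sg` takes security group IDs that become tcp/443 ingress sources on the cluster security group, and `cluster_access_additional_ip` takes CIDR blocks (the `cidr_blocks` argument will reject anything else), not arbitrary "ip ranges"; the README row already says CIDRs, so align the wording here. Both should also state that they only take effect for the private endpoint.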

