refactor: Updated code with IAM access entries (#1906)
vchintal authored Mar 15, 2024
1 parent d5c9253 commit 1ce59fc
Showing 3 changed files with 19 additions and 65 deletions.
35 changes: 1 addition & 34 deletions patterns/privatelink-access/README.md
Expand Up @@ -15,25 +15,9 @@ terraform apply -target=module.eventbridge -target=module.nlb --auto-approve
terraform apply --auto-approve
```

Once the pattern has successfully deployed, you will be provided with multiple
output values.

Review the output value for `cluster_endpoint_private`, it should look similar
to snippet below:

```sh
aws eks update-cluster-config \
--region us-west-2 \
--name privatelink-access \
--resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true
```

Copy the command and run it in a terminal session to take cluster API
endpoint private.

## Test access to EKS Kubernetes API server endpoint

Of the other output values, the value `ssm_test` is provided to aid in quickly
Of the output values, the value `ssm_test` is provided to aid in quickly
testing the connectivity from the client EC2 instance to the private EKS cluster
via AWS PrivateLink. Copy the output value, which looks like the snippet shown
below (as an example) and paste it into your terminal to execute and check the
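Review bot: With the `cluster_endpoint_private` step removed, the README no longer tells the reader that the API endpoint is private from the first `terraform apply` rather than flipped afterwards; add one sentence under the deploy steps saying the cluster is created with private-only endpoint access (this commit sets `cluster_endpoint_public_access = false` in eks.tf), so nobody goes looking for the deleted `aws eks update-cluster-config` command. The wording change from "Of the other output values" to "Of the output values" is consistent with that removal.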
Expand Down Expand Up @@ -96,23 +80,6 @@ kube-system kube-proxy-mm2zc 1/1 Running 0 1m

## Destroy

Before we could destroy/teardown all the resources created, we need to ensure
that the cluster state is restored for the Terraform to do a complete cleanup.
This would mean that we make cluster API endpoint public again.

Review the output value for `cluster_endpoint_public`, it should look similar
to snippet below:

```sh
aws eks update-cluster-config \
--region us-west-2 \
--name privatelink-access \
--resources-vpc-config endpointPublicAccess=true,endpointPrivateAccess=true
```

Copy the command and run it in a terminal session to take cluster API
endpoint public.

{%
include-markdown "../../docs/_partials/destroy.md"
%}
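Review bot: Dropping the "make the endpoint public again before destroy" step is only safe if nothing in the teardown needs the Kubernetes API from outside the VPC; the README should state why it is no longer needed, namely that cluster access is now managed through EKS access entries (AWS API calls) instead of the `aws-auth` ConfigMap, so `terraform destroy` never has to reach the private API server. Also confirm the included `destroy.md` partial does not tell the reader to run `kubectl` against the cluster before destroying.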
27 changes: 18 additions & 9 deletions patterns/privatelink-access/eks.tf
Expand Up @@ -16,19 +16,28 @@ provider "kubernetes" {

module "eks" {
source = "terraform-aws-modules/eks/aws"
version = "~> 19.21"
version = "~> 20.0"

cluster_name = local.name
cluster_version = "1.29"

cluster_endpoint_public_access = true
manage_aws_auth_configmap = true

aws_auth_roles = [{
rolearn = module.client_ec2_instance.iam_role_arn
username = "ec2-client"
groups = ["system:masters"]
}]
cluster_endpoint_public_access = false
enable_cluster_creator_admin_permissions = true

access_entries = {
ec2-access-entry = {
principal_arn = module.client_ec2_instance.iam_role_arn
policy_associations = {
cluster-admin-policy = {
policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
access_scope = {
namespaces = []
type = "cluster"
}
}
}
}
}

cluster_addons = {
coredns = {}
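Review bot: `enable_cluster_creator_admin_permissions = true` is a new grant the v19 configuration did not have: it creates an access entry giving whichever IAM principal runs `terraform apply` cluster-admin, in addition to the EC2 client role. If only `module.client_ec2_instance.iam_role_arn` is meant to administer the cluster, set it to `false`; otherwise document the extra admin principal in the README. Two smaller points in the same hunk: the `provider "kubernetes"` block kept in context above becomes dead configuration once `manage_aws_auth_configmap` is gone, and with `cluster_endpoint_public_access = false` any resource still using it would fail from outside the VPC, so remove it if nothing references it; and `AmazonEKSClusterAdminPolicy` at `type = "cluster"` scope reproduces the old `system:masters` grant, which is more than the read-only connectivity check in `ssm_test` needs, so `AmazonEKSViewPolicy` would be the least-privilege choice for the client instance.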
22 changes: 0 additions & 22 deletions patterns/privatelink-access/outputs.tf
Expand Up @@ -23,25 +23,3 @@ output "ssm_test" {
--output text
EOT
}

output "cluster_endpoint_private" {
description = "Command to set the EKS API server endpoint access private"
value = <<-EOT
aws eks update-cluster-config \
--region ${local.region} \
--name ${module.eks.cluster_name} \
--resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true
EOT
}

output "cluster_endpoint_public" {
description = "Command to set the EKS API server endpoint access private"
value = <<-EOT
aws eks update-cluster-config \
--region ${local.region} \
--name ${module.eks.cluster_name} \
--resources-vpc-config endpointPublicAccess=true,endpointPrivateAccess=true
EOT
}

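Review bot: Removing both outputs is consistent with the endpoint now being private by configuration, but the README loses the only documented way to open the endpoint temporarily for debugging; a one-line note that public access is controlled by `cluster_endpoint_public_access` in eks.tf and changed by re-applying would replace it. The deleted `cluster_endpoint_public` description also read "private", a copy-paste slip that disappears with this change.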