Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ability to use security groups for private access rules #1275

Closed
marc-slingshot opened this issue Mar 13, 2021 · 6 comments · Fixed by #1274
Closed

Ability to use security groups for private access rules #1275

marc-slingshot opened this issue Mar 13, 2021 · 6 comments · Fixed by #1274

Comments

@marc-slingshot
Copy link
Contributor

Is your request related to a new offering from AWS?

No

Is your request related to a problem? Please describe.

Unable to use security groups for private access rules.

Describe the solution you'd like.

Add configuration option to use security groups for private access rules.

Describe alternatives you've considered.

Use CIDR rules.

Additional context

We are trying to setup a private access only EKS cluster. We have a VPN setup inside of the AWS profile and it has a security group associated with it. We would like to be able to use that security group ID to access the cluster provisioned by terraform.

Added a PR here - #1274
@marc-slingshot marc-slingshot mentioned this issue Mar 15, 2021
Merged
2 tasks
@schollii
Copy link

Do you mean that you would like to use kubectl from an ec2 inside that vpc? (or otherwise make requests to api server eg from a lambda in vpc)

@marc-slingshot
Copy link
Contributor Author

marc-slingshot commented Mar 29, 2021
edited
Loading

Do you mean that you would like to use kubectl from an ec2 inside that vpc? (or otherwise make requests to api server eg from a lambda in vpc)

Yes more or less, kubernetes API access into a private-only VPC EKS cluster.

@schollii
Copy link

schollii commented Mar 29, 2021
edited
Loading

Have you tried adding the CIDR block of the VPC? There is a parameter for it cluster_endpoint_private_access_cidrs (actually I am just about to submit a PR towards clarifying its use), that has worked for me.

Although, that's not quite as tight as a separate SG (since any instance in the VPC would be allowed ACCESS, even a bastion host; whereas for sg approach, an attacker would have to find a way to add SG to the instance they have compromised).

@marc-slingshot
Copy link
Contributor Author

yes I am currently implementing it with CIDR rules (see above issue description in the alternatives section), but would prefer to use a SG.

@iaacautomation
Copy link

I don't think that's such a bit problem. The cluster_security_group_id is in outputs you can technically just use aws_security_group_rule https://tf-registry.herokuapp.com/providers/hashicorp/aws/latest/docs/resources/security_group_rule to get your desired result.

@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 21, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: Add ability to use security groups for private access marc-slingshot/terraform-aws-eks
3 participants
@schollii @iaacautomation @marc-slingshot