feat: Add example for Private EKS cluster endpoint access thru AWS PrivateLink (#1687)

Co-authored-by: Bryant Biggs <[email protected]>

Author: vchintal

.gitignore

@@ -43,3 +43,6 @@ terraform.rc
 # local env
 *.envrc
 *kube-config.yaml
+
+# Generated files
+builds

docs/blueprints/aws-eks-privatelink.md

@@ -0,0 +1,7 @@
+---
+title: AWS EKS PrivateLink
+---
+
+{%
+   include-markdown "../../examples/aws-eks-privatelink/README.md"
+%}

examples/fully-private-cluster/main.tf

@@ -77,39 +77,22 @@ module "vpc" {
   tags = local.tags
 }
 
-module "vpc_endpoints_sg" {
-  source  = "terraform-aws-modules/security-group/aws"
-  version = "~> 5.0"
-
-  name        = "${local.name}-vpc-endpoints"
-  description = "Security group for VPC endpoint access"
-  vpc_id      = module.vpc.vpc_id
-
-  ingress_with_cidr_blocks = [
-    {
-      rule        = "https-443-tcp"
-      description = "VPC CIDR HTTPS"
-      cidr_blocks = join(",", module.vpc.private_subnets_cidr_blocks)
-    },
-  ]
-
-  egress_with_cidr_blocks = [
-    {
-      rule        = "https-443-tcp"
-      description = "All egress HTTPS"
-      cidr_blocks = "0.0.0.0/0"
-    },
-  ]
-
-  tags = local.tags
-}
-
 module "vpc_endpoints" {
   source  = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
-  version = "~> 5.0"
-
-  vpc_id             = module.vpc.vpc_id
-  security_group_ids = [module.vpc_endpoints_sg.security_group_id]
+  version = "~> 5.1"
+
+  vpc_id = module.vpc.vpc_id
+
+  # Security group
+  create_security_group      = true
+  security_group_name_prefix = "${local.name}-vpc-endpoints-"
+  security_group_description = "VPC endpoint security group"
+  security_group_rules = {
+    ingress_https = {
+      description = "HTTPS from VPC"
+      cidr_blocks = [module.vpc.vpc_cidr_block]
+    }
+  }
 
   endpoints = merge({
     s3 = {

examples/privatelink-access/README.md

@@ -0,0 +1,101 @@
+# Private EKS cluster access via AWS PrivateLink
+
+This example demonstrates how to access a private EKS cluster using AWS PrivateLink.
+
+Refer to the [documentation](https://docs.aws.amazon.com/vpc/latest/privatelink/concepts.html) for further details on  `AWS PrivateLink`.
+
+## Prerequisites:
+
+Ensure that you have the following tools installed locally:
+
+1. [aws cli](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html)
+2. [kubectl](https://Kubernetes.io/docs/tasks/tools/)
+3. [terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli)
+
+## Deploy
+
+To provision this example, first deploy the Lambda function that responds to `CreateNetworkInterface` API calls. This needs to exist before the cluster is created so that it can respond to the ENIs created by the EKS control plane:
+
+```sh
+terraform init
+terraform apply -target=module.create_eni_lambda -target=module.nlb
+```
+
+Enter `yes` at command prompt to apply
+
+Next, deploy the remaining resources:
+
+```sh
+terraform apply
+```
+
+Enter `yes` at command prompt to apply
+
+## Validate
+
+### Network Connectivity
+
+1. An output `ssm_test` has been provided to aid in quickly testing the connectivity from the client EC2 instance to the private EKS cluster via AWS Privatelink. Copy the output value and paste it into your terminal to execute and check the connectivity. If configured correctly, the value returned should be `ok`.
+
+```sh
+COMMAND_ID=$(aws ssm send-command --region us-west-2 --document-name "AWS-RunShellScript" \
+--parameters 'commands=["curl -ks https://0218D48323E3E7D404D98659F1D097DD.gr7.us-west-2.eks.amazonaws.com/readyz"]' \
+--targets "Key=instanceids,Values=i-0280cf604085f4a44" --query 'Command.CommandId' --output text)
+
+aws ssm get-command-invocation --region us-west-2 --command-id $COMMAND_ID --instance-id i-0280cf604085f4a44 --query 'StandardOutputContent' --output text
+```
+
+### Cluster Access
+
+To test access to the cluster, you will need to execute Kubernetes API calls from within the private network to access the cluster. An EC2 instance has been deployed to simulate this scenario, where the EC2 is deployed into a "client" VPC. However, since the EKS cluster was created with your local IAM identity, the `aws-auth` ConfigMap will only have your local identity that is permitted to access the cluster. Since cluster's API endpoint is private, we cannot use Terraform to reach it to additional entries to the ConfigMap; we can only access the cluster from within the private network of the cluster's VPC or from the client VPC using AWS PrivateLink access.
+
+:warning: The "client" EC2 instance provided and copying of AWS credentials to that instance are merely for demonstration purposes only. Please consider alternate methods of network access such as AWS Client VPN to provide more secure access.
+
+Perform the following steps to access the cluster with `kubectl` from the provided "client" EC2 instance.
+
+1. Execute the command below on your local machine to get temporary credentials that will be used on the "client" EC2 instance:
+
+```sh
+aws sts get-session-token --duration-seconds 3600 --output yaml
+```
+
+2. Start a new SSM session on the "client" EC2 instance using the provided `ssm_start_session` output value. Your terminal will now be connected to the "client" EC2 instance.
+
+```sh
+ssm_start_session = "aws ssm start-session --region us-west-2 --target i-0280cf604085f4a44"
+```
+
+3. Once logged in, export the following environment variables from the output of step 1. Note - the session credentials are only valid for 1 hour; you can adjust the session duration in the command provided in step 1:
+
+```sh
+export AWS_ACCESS_KEY_ID=XXXX
+export AWS_SECRET_ACCESS_KEY=YYYY
+export AWS_SESSION_TOKEN=ZZZZ
+```
+
+4. Update the local `~/.kube/config` file to enable access to the cluster:
+
+```sh
+aws eks update-kubeconfig --region us-west-2 --name privatelink-access
+```
+
+5. Test access by listing the pods running on the clsuter:
+
+```sh
+sh-4.2$ kubectl get pods -A
+
+# Output
+NAMESPACE     NAME                       READY   STATUS    RESTARTS   AGE
+kube-system   aws-node-4f8g8             1/1     Running   0          1m
+kube-system   coredns-6ff9c46cd8-59sqp   1/1     Running   0          1m
+kube-system   coredns-6ff9c46cd8-svnpb   1/1     Running   0          2m
+kube-system   kube-proxy-mm2zc           1/1     Running   0          1m
+```
+
+## Destroy
+
+Run the following command to destroy all the resources created by Terraform:
+
+```sh
+terraform destroy --auto-approve
+```

examples/privatelink-access/client.tf

@@ -0,0 +1,88 @@
+# The resources defined in this file are only used for demonstrating private connectivity
+# They are not required for the solution
+
+locals {
+  client_name = "${local.name}-client"
+}
+
+################################################################################
+# VPC
+################################################################################
+
+module "client_vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 5.0"
+
+  name = local.client_name
+  cidr = local.vpc_cidr
+
+  azs             = local.azs
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
+  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k + 10)]
+
+  enable_nat_gateway = true
+  single_nat_gateway = true
+
+  manage_default_network_acl    = true
+  default_network_acl_tags      = { Name = "${local.client_name}-default" }
+  manage_default_route_table    = true
+  default_route_table_tags      = { Name = "${local.client_name}-default" }
+  manage_default_security_group = true
+  default_security_group_tags   = { Name = "${local.client_name}-default" }
+
+  tags = local.tags
+}
+
+################################################################################
+# EC2 Instance
+################################################################################
+
+module "client_ec2_instance" {
+  source = "terraform-aws-modules/ec2-instance/aws"
+
+  name = local.client_name
+
+  create_iam_instance_profile = true
+  iam_role_policies = {
+    AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  }
+
+  vpc_security_group_ids = [module.client_security_group.security_group_id]
+  subnet_id              = element(module.client_vpc.private_subnets, 0)
+
+  user_data = <<-EOT
+    #!/bin/bash
+
+    # Install kubectl
+    curl -LO https://dl.k8s.io/release/v${module.eks.cluster_version}.0/bin/linux/amd64/kubectl
+    install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+
+    # Remove default awscli which is v1 - we want latest v2
+    yum remove awscli -y
+    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+    unzip -qq awscliv2.zip
+    ./aws/install
+  EOT
+
+  tags = local.tags
+}
+
+module "client_security_group" {
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "~> 5.0"
+
+  name        = local.client_name
+  description = "Security group for SSM access to private cluster"
+  vpc_id      = module.client_vpc.vpc_id
+
+  egress_with_cidr_blocks = [
+    {
+      from_port   = 0
+      to_port     = 0
+      protocol    = "-1"
+      cidr_blocks = "0.0.0.0/0"
+    },
+  ]
+
+  tags = local.tags
+}

examples/privatelink-access/eks.tf

@@ -0,0 +1,121 @@
+################################################################################
+# EKS Cluster
+################################################################################
+
+module "eks" {
+  source  = "terraform-aws-modules/eks/aws"
+  version = "~> 19.15"
+
+  cluster_name    = local.name
+  cluster_version = "1.27"
+
+  cluster_addons = {
+    coredns    = {}
+    kube-proxy = {}
+    vpc-cni    = {}
+  }
+
+  cluster_security_group_additional_rules = {
+    # Allow tcp/443 from the NLB IP addresses
+    for ip_addr in data.dns_a_record_set.nlb.addrs : "nlb_ingress_${replace(ip_addr, ".", "")}" => {
+      description = "Allow ingress from NLB"
+      type        = "ingress"
+      from_port   = 443
+      to_port     = 443
+      protocol    = "tcp"
+      cidr_blocks = ["${ip_addr}/32"]
+    }
+  }
+
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = module.vpc.private_subnets
+
+  eks_managed_node_groups = {
+    default = {
+      instance_types = ["c5.large"]
+
+      min_size     = 1
+      max_size     = 3
+      desired_size = 1
+    }
+  }
+
+  tags = local.tags
+}
+
+################################################################################
+# VPC
+################################################################################
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 5.0"
+
+  name = local.name
+  cidr = local.vpc_cidr
+
+  azs             = local.azs
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
+
+  # Disable NAT gateway for fully private networking
+  enable_nat_gateway = false
+
+  private_subnet_tags = {
+    "kubernetes.io/role/internal-elb" = 1
+  }
+
+  tags = local.tags
+}
+
+# Explicitly create a Internet Gateway here in the Private EKS VPC as without an
+# internet gateway, a NLB cannot be created. Config option of create_igw = true
+# (default) did not work during the VPC creation as it requires public subnets
+# and the related routes that connect them to IGW
+resource "aws_internet_gateway" "igw" {
+  vpc_id = module.vpc.vpc_id
+  tags   = local.tags
+}
+
+################################################################################
+# VPC Endpoints
+################################################################################
+
+module "vpc_endpoints" {
+  source  = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
+  version = "~> 5.1"
+
+  vpc_id = module.vpc.vpc_id
+
+  # Security group
+  create_security_group      = true
+  security_group_name_prefix = "${local.name}-vpc-endpoints-"
+  security_group_description = "VPC endpoint security group"
+  security_group_rules = {
+    ingress_https = {
+      description = "HTTPS from VPC"
+      cidr_blocks = [module.vpc.vpc_cidr_block]
+    }
+  }
+
+  endpoints = merge({
+    s3 = {
+      service         = "s3"
+      service_type    = "Gateway"
+      route_table_ids = module.vpc.private_route_table_ids
+      tags = {
+        Name = "${local.name}-s3"
+      }
+    }
+    },
+    { for service in toset(["autoscaling", "ecr.api", "ecr.dkr", "ec2", "ec2messages", "elasticloadbalancing", "sts", "kms", "logs", "ssm", "ssmmessages"]) :
+      replace(service, ".", "_") =>
+      {
+        service             = service
+        subnet_ids          = module.vpc.private_subnets
+        private_dns_enabled = true
+        tags                = { Name = "${local.name}-${service}" }
+      }
+  })
+
+  tags = local.tags
+}