PCP-4205: 🐛 fix: separate control plane logging and vpc config updates (#954)

* fix: separate control plane logging and vpc config updates

* fix: set PublicCIDRs to [] when private only EP

Author: pavansokkenagaraj

pkg/cloud/services/eks/cluster.go

@@ -353,7 +353,9 @@ func makeVpcConfig(subnets infrav1.Subnets, endpointAccess ekscontrolplanev1.End
 		SubnetIds:             subnetIDs,
 	}
 
-	if len(cidrs) > 0 {
+	isPrivateOnlyEndPoint := !aws.BoolValue(vpcConfig.EndpointPublicAccess) && aws.BoolValue(vpcConfig.EndpointPrivateAccess)
+
+	if len(cidrs) > 0 || isPrivateOnlyEndPoint {
 		vpcConfig.PublicAccessCidrs = cidrs
 	}
 	sg, ok := securityGroups[infrav1.SecurityGroupEKSNodeAdditional]

pkg/cloud/services/eks/cluster_test.go

@@ -264,6 +264,94 @@ func TestMakeVPCConfig(t *testing.T) {
 				PublicAccessCidrs: []*string{aws.String("10.0.0.0/24")},
 			},
 		},
+		{
+			name: "private only endpoint access",
+			input: input{
+				subnets: []infrav1.SubnetSpec{
+					{
+						ID:               idOne,
+						CidrBlock:        "10.0.10.0/24",
+						AvailabilityZone: "us-west-2a",
+						IsPublic:         false,
+					},
+					{
+						ID:               idTwo,
+						CidrBlock:        "10.0.10.1/24",
+						AvailabilityZone: "us-west-2b",
+						IsPublic:         false,
+					},
+				},
+				endpointAccess: ekscontrolplanev1.EndpointAccess{
+					Private:     aws.Bool(true),
+					PublicCIDRs: []*string{},
+				},
+			},
+			expect: &eks.VpcConfigRequest{
+				SubnetIds:             []*string{&idOne, &idTwo},
+				PublicAccessCidrs:     []*string{},
+				EndpointPrivateAccess: aws.Bool(true),
+			},
+		},
+		{
+			name: "public and private endpoint access",
+			input: input{
+				subnets: []infrav1.SubnetSpec{
+					{
+						ID:               idOne,
+						CidrBlock:        "10.0.10.0/24",
+						AvailabilityZone: "us-west-2a",
+						IsPublic:         false,
+					},
+					{
+						ID:               idTwo,
+						CidrBlock:        "10.0.10.1/24",
+						AvailabilityZone: "us-west-2b",
+						IsPublic:         false,
+					},
+				},
+				endpointAccess: ekscontrolplanev1.EndpointAccess{
+					Private:     aws.Bool(true),
+					Public:      aws.Bool(true),
+					PublicCIDRs: []*string{},
+				},
+			},
+			expect: &eks.VpcConfigRequest{
+				SubnetIds:             []*string{&idOne, &idTwo},
+				PublicAccessCidrs:     nil,
+				EndpointPrivateAccess: aws.Bool(true),
+				EndpointPublicAccess:  aws.Bool(true),
+			},
+		},
+		{
+			name: "public only endpoint access",
+			input: input{
+				subnets: []infrav1.SubnetSpec{
+					{
+						ID:               idOne,
+						CidrBlock:        "10.0.10.0/24",
+						AvailabilityZone: "us-west-2a",
+						IsPublic:         false,
+					},
+					{
+						ID:               idTwo,
+						CidrBlock:        "10.0.10.1/24",
+						AvailabilityZone: "us-west-2b",
+						IsPublic:         false,
+					},
+				},
+				endpointAccess: ekscontrolplanev1.EndpointAccess{
+					Private:     aws.Bool(false),
+					Public:      aws.Bool(true),
+					PublicCIDRs: []*string{},
+				},
+			},
+			expect: &eks.VpcConfigRequest{
+				SubnetIds:             []*string{&idOne, &idTwo},
+				PublicAccessCidrs:     nil,
+				EndpointPrivateAccess: aws.Bool(false),
+				EndpointPublicAccess:  aws.Bool(true),
+			},
+		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {