API Gateway Controller add-on to update cluster SG #312

Closed
allamand opened this issue Nov 14, 2023 · 5 comments
Labels
question Further information is requested stale

Comments

@allamand
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

When deploying the Gateway API controller for VPC Lattice using the eks addon, we still need to manually authorize the EKS cluster Security Group to accept traffic from the VPC Lattice managed prefix IP, if we want to enable vpc lattice to target services inside the cluster.

This is described in the documentation:

```bash
# Cluster security group attached to the EKS control plane / nodes
CLUSTER_SG=$(aws eks describe-cluster --name "$CLUSTER_NAME" --output json | jq -r '.cluster.resourcesVpcConfig.clusterSecurityGroupId')

# IPv4 VPC Lattice managed prefix list for this region
PREFIX_LIST_ID=$(aws ec2 describe-managed-prefix-lists --output json --query "PrefixLists[?PrefixListName=='com.amazonaws.$AWS_REGION.vpc-lattice'].PrefixListId" | jq -r '.[]')
aws ec2 authorize-security-group-ingress --group-id "$CLUSTER_SG" --ip-permissions "PrefixListIds=[{PrefixListId=${PREFIX_LIST_ID}}],IpProtocol=-1"

# IPv6 VPC Lattice managed prefix list for this region
PREFIX_LIST_ID_IPV6=$(aws ec2 describe-managed-prefix-lists --output json --query "PrefixLists[?PrefixListName=='com.amazonaws.$AWS_REGION.ipv6.vpc-lattice'].PrefixListId" | jq -r '.[]')
aws ec2 authorize-security-group-ingress --group-id "$CLUSTER_SG" --ip-permissions "PrefixListIds=[{PrefixListId=${PREFIX_LIST_ID_IPV6}}],IpProtocol=-1"
```

Describe the solution you would like

I would like the add-on to automatically add the rule in the EKS cluster Security Group, so that I don't need to do it manually.

Describe alternatives you have considered

Manually apply the rule with the previous command.

@allamand
Contributor Author

We can add this in Terraform using the following. I wonder if this needs to be in this module or sit outside:

```hcl
################################################################################
# Allow flow from VPC Lattice
################################################################################

# Lookup VPC Lattice prefix list IDs
data "aws_ec2_managed_prefix_list" "vpc_lattice" {
  name = "com.amazonaws.${local.region}.vpc-lattice"
}

data "aws_ec2_managed_prefix_list" "vpc_lattice_ipv6" {
  name = "com.amazonaws.${local.region}.ipv6.vpc-lattice"
}

# Authorize ingress from prefix lists to EKS cluster security group
resource "aws_security_group_rule" "vpc_lattice_ingress" {
  security_group_id = module.eks.cluster_primary_security_group_id

  prefix_list_ids = [
    data.aws_ec2_managed_prefix_list.vpc_lattice.id,
    data.aws_ec2_managed_prefix_list.vpc_lattice_ipv6.id
  ]

  type      = "ingress"
  from_port = 0
  to_port   = 0
  protocol  = "-1"
}
```

@bryantbiggs
Contributor

It's generally not recommended to modify a Terraform-controlled resource from two different locations. I think this is better suited for the user implementation - they would add these prefix list IDs into the node security group rules (i.e. here: https://github.com/terraform-aws-modules/terraform-aws-eks/blob/ec454c51cb0026254b68cafe7aa9d05f873af990/node_groups.tf#L225)

@bryantbiggs bryantbiggs added the question Further information is requested label Nov 15, 2023
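The approach the maintainer points to, written out as an added example (not code from the issue or from the module's own docs): the VPC Lattice prefix lists go into the terraform-aws-eks module's `node_security_group_additional_rules` input, so the module owns the rule end to end instead of a second resource patching the cluster SG. It assumes `module "eks"` is terraform-aws-modules/eks/aws v19, that `local.region`, `local.name` and a `module.vpc` exist, and that the workloads Lattice targets listen on TCP 8080, so the rule is scoped to that port rather than all traffic.

```hcl
# Lookup VPC Lattice managed prefix lists (IPv4 and IPv6) for the region
data "aws_ec2_managed_prefix_list" "vpc_lattice" {
  name = "com.amazonaws.${local.region}.vpc-lattice"
}

data "aws_ec2_managed_prefix_list" "vpc_lattice_ipv6" {
  name = "com.amazonaws.${local.region}.ipv6.vpc-lattice"
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 19.0"

  # Assumed inputs; replace with the values of the surrounding pattern
  cluster_name    = local.name
  cluster_version = "1.28"
  vpc_id          = module.vpc.vpc_id
  subnet_ids      = module.vpc.private_subnets

  # The module creates the node security group and its rules; adding the
  # Lattice prefix lists here keeps a single owner for the rule set.
  node_security_group_additional_rules = {
    ingress_vpc_lattice = {
      description = "VPC Lattice to cluster workloads"
      type        = "ingress"
      protocol    = "tcp"
      # Assumed service port; narrow to what the targeted pods actually listen on
      from_port   = 8080
      to_port     = 8080
      prefix_list_ids = [
        data.aws_ec2_managed_prefix_list.vpc_lattice.id,
        data.aws_ec2_managed_prefix_list.vpc_lattice_ipv6.id,
      ]
    }
  }
}
```

If the nodes in the pattern are attached to the cluster primary security group instead, the same map can be passed as `cluster_security_group_additional_rules`; either way the rule stays inside the module's state.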
@allamand
Contributor Author

Agree, will add this in the pattern for vpc lattice


This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

@github-actions github-actions bot added the stale label Dec 21, 2023

Issue closed due to inactivity.

@github-actions github-actions bot closed this as not planned Dec 31, 2023