[DOM-62849] Add S3 Private endpoint Interface (#331)
msingermann-domino authored Feb 20, 2025
1 parent fd32560 commit a831ebd
Showing 14 changed files with 71 additions and 7 deletions.
1 change: 1 addition & 0 deletions examples/tfvars/ecr_endpoint.tfvars
Expand Up @@ -16,4 +16,5 @@ default_node_groups = {

network = {
create_ecr_endpoint = true
create_s3_interface = true
}
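Review bot: the new key `create_s3_interface` does not follow the `create_<service>_endpoint` pattern of `create_ecr_endpoint` directly above it, while the EKS module side of this commit names the resulting object `s3_endpoint`; consider `create_s3_endpoint` so the tfvars key, the module attribute and the commit title agree. Since this example file is named `ecr_endpoint.tfvars`, a one-line comment stating that it now enables both interface endpoints would also help readers who pick it by name.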
3 changes: 2 additions & 1 deletion modules/eks/README.md
Expand Up @@ -53,6 +53,7 @@
| [aws_security_group_rule.eks_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.netapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.node](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.s3_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [null_resource.kubeconfig](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [terraform_data.run_k8s_pre_setup](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
| [aws_caller_identity.aws_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
Expand Down Expand Up @@ -84,7 +85,7 @@
| <a name="input_ignore_tags"></a> [ignore\_tags](#input\_ignore\_tags) | Tag keys to be ignored by the aws provider. | `list(string)` | `[]` | no |
| <a name="input_karpenter"></a> [karpenter](#input\_karpenter) | karpenter = {<br/> enabled = Toggle installation of Karpenter.<br/> namespace = Namespace to install Karpenter.<br/> version = Configure the version for Karpenter.<br/> } | <pre>object({<br/> enabled = optional(bool, false)<br/> namespace = optional(string, "karpenter")<br/> version = optional(string, "1.0.6")<br/> })</pre> | `{}` | no |
| <a name="input_kms_info"></a> [kms\_info](#input\_kms\_info) | key\_id = KMS key id.<br/> key\_arn = KMS key arn.<br/> enabled = KMS key is enabled | <pre>object({<br/> key_id = string<br/> key_arn = string<br/> enabled = bool<br/> })</pre> | n/a | yes |
| <a name="input_network_info"></a> [network\_info](#input\_network\_info) | id = VPC ID.<br/> ecr\_endpoint = {<br/> security\_group\_id = ECR Endpoint security group id.<br/> }<br/> subnets = {<br/> public = List of public Subnets.<br/> [{<br/> name = Subnet name.<br/> subnet\_id = Subnet ud<br/> az = Subnet availability\_zone<br/> az\_id = Subnet availability\_zone\_id<br/> }]<br/> private = List of private Subnets.<br/> [{<br/> name = Subnet name.<br/> subnet\_id = Subnet ud<br/> az = Subnet availability\_zone<br/> az\_id = Subnet availability\_zone\_id<br/> }]<br/> pod = List of pod Subnets.<br/> [{<br/> name = Subnet name.<br/> subnet\_id = Subnet ud<br/> az = Subnet availability\_zone<br/> az\_id = Subnet availability\_zone\_id<br/> }]<br/> } | <pre>object({<br/> vpc_id = string<br/> ecr_endpoint = optional(object({<br/> security_group_id = optional(string, null)<br/> }), null)<br/> subnets = object({<br/> public = list(object({<br/> name = string<br/> subnet_id = string<br/> az = string<br/> az_id = string<br/> }))<br/> private = list(object({<br/> name = string<br/> subnet_id = string<br/> az = string<br/> az_id = string<br/> }))<br/> pod = list(object({<br/> name = string<br/> subnet_id = string<br/> az = string<br/> az_id = string<br/> }))<br/> })<br/> vpc_cidrs = optional(string, "10.0.0.0/16")<br/> })</pre> | n/a | yes |
| <a name="input_network_info"></a> [network\_info](#input\_network\_info) | id = VPC ID.<br/> ecr\_endpoint = {<br/> security\_group\_id = ECR Endpoint security group id.<br/> }<br/> s3\_endpoint = {<br/> security\_group\_id = S3 Endpoint security group id.<br/> }<br/> subnets = {<br/> public = List of public Subnets.<br/> [{<br/> name = Subnet name.<br/> subnet\_id = Subnet ud<br/> az = Subnet availability\_zone<br/> az\_id = Subnet availability\_zone\_id<br/> }]<br/> private = List of private Subnets.<br/> [{<br/> name = Subnet name.<br/> subnet\_id = Subnet ud<br/> az = Subnet availability\_zone<br/> az\_id = Subnet availability\_zone\_id<br/> }]<br/> pod = List of pod Subnets.<br/> [{<br/> name = Subnet name.<br/> subnet\_id = Subnet ud<br/> az = Subnet availability\_zone<br/> az\_id = Subnet availability\_zone\_id<br/> }]<br/> } | <pre>object({<br/> vpc_id = string<br/> ecr_endpoint = optional(object({<br/> security_group_id = optional(string, null)<br/> }), null)<br/> s3_endpoint = optional(object({<br/> security_group_id = optional(string, null)<br/> }), null)<br/> subnets = object({<br/> public = list(object({<br/> name = string<br/> subnet_id = string<br/> az = string<br/> az_id = string<br/> }))<br/> private = list(object({<br/> name = string<br/> subnet_id = string<br/> az = string<br/> az_id = string<br/> }))<br/> pod = list(object({<br/> name = string<br/> subnet_id = string<br/> az = string<br/> az_id = string<br/> }))<br/> })<br/> vpc_cidrs = optional(string, "10.0.0.0/16")<br/> })</pre> | n/a | yes |
| <a name="input_node_iam_policies"></a> [node\_iam\_policies](#input\_node\_iam\_policies) | Additional IAM Policy Arns for Nodes | `list(string)` | n/a | yes |
| <a name="input_privatelink"></a> [privatelink](#input\_privatelink) | {<br/> enabled = Enable Private Link connections.<br/> namespace = Namespace for IAM Policy conditions.<br/> monitoring\_bucket = Bucket for NLBs monitoring.<br/> route53\_hosted\_zone\_name = Hosted zone for External DNS zone.<br/> vpc\_endpoint\_services = [{<br/> name = Name of the VPC Endpoint Service.<br/> ports = List of ports exposing the VPC Endpoint Service. i.e [8080, 8081]<br/> cert\_arn = Certificate ARN used by the NLB associated for the given VPC Endpoint Service.<br/> private\_dns = Private DNS for the VPC Endpoint Service.<br/> }]<br/> } | <pre>object({<br/> enabled = optional(bool, false)<br/> namespace = optional(string, "domino-platform")<br/> monitoring_bucket = optional(string, null)<br/> route53_hosted_zone_name = optional(string, null)<br/> vpc_endpoint_services = optional(list(object({<br/> name = optional(string)<br/> ports = optional(list(number))<br/> cert_arn = optional(string)<br/> private_dns = optional(string)<br/> })), [])<br/> })</pre> | `{}` | no |
| <a name="input_region"></a> [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes |
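Review bot: the regenerated `network_info` row still carries the pre-existing typo `subnet_id = Subnet ud` (three times) and opens with `id = VPC ID.` although the type column names the attribute `vpc_id`; since this commit already edits the description that terraform-docs renders here (see the `variables.tf` hunks below), fixing those two strings in the same `variable "network_info"` description would cost nothing extra.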
11 changes: 11 additions & 0 deletions modules/eks/node-group.tf
Expand Up @@ -95,3 +95,14 @@ resource "aws_security_group_rule" "ecr_endpoint" {
description = "ECR Endpoint access from EKS nodes."
source_security_group_id = aws_security_group.eks_nodes.id
}

resource "aws_security_group_rule" "s3_endpoint" {
count = var.network_info.s3_endpoint != null ? 1 : 0
security_group_id = var.network_info.s3_endpoint.security_group_id
protocol = "tcp"
from_port = 443
to_port = 443
type = "ingress"
description = "S3 Endpoint access from EKS nodes."
source_security_group_id = aws_security_group.eks_nodes.id
}
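Review bot: `count = var.network_info.s3_endpoint != null ? 1 : 0` guards only the outer object, but `security_group_id` inside it is declared `optional(string, null)` in `variables.tf`, so a caller who passes `s3_endpoint = {}` gets a rule whose `security_group_id` is null, which errors at plan time instead of being skipped; consider `count = try(var.network_info.s3_endpoint.security_group_id, null) != null ? 1 : 0`. The rule itself is appropriately narrow: ingress on 443/tcp only, scoped by `source_security_group_id = aws_security_group.eks_nodes.id` rather than a CIDR, mirroring the `ecr_endpoint` rule above it.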
6 changes: 6 additions & 0 deletions modules/eks/variables.tf
Expand Up @@ -24,6 +24,9 @@ variable "network_info" {
ecr_endpoint = {
security_group_id = ECR Endpoint security group id.
}
s3_endpoint = {
security_group_id = S3 Endpoint security group id.
}
subnets = {
public = List of public Subnets.
[{
Expand Down Expand Up @@ -53,6 +56,9 @@ variable "network_info" {
ecr_endpoint = optional(object({
security_group_id = optional(string, null)
}), null)
s3_endpoint = optional(object({
security_group_id = optional(string, null)
}), null)
subnets = object({
public = list(object({
name = string
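Review bot: `s3_endpoint = optional(object({ security_group_id = optional(string, null) }), null)` copies the `ecr_endpoint` shape, but making the inner attribute optional with a null default means an empty `s3_endpoint = {}` passes type checking while being useless to the module; declaring `security_group_id = string` inside the object (the outer `optional(..., null)` still lets callers omit the block entirely) would reject that input at validation time, or add a `validation` block on `network_info` asserting the id is non-null whenever the block is present.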