Add amazon_web_services configuration option to specify EKS cluster api server endpoint access setting

src/_nebari/stages/infrastructure/__init__.py

@@ -133,6 +133,7 @@ class AWSInputVars(schema.Base):
     existing_subnet_ids: Optional[List[str]] = None
     region: str
     kubernetes_version: str
+    eks_endpoint_access: str = 'public'
     node_groups: List[AWSNodeGroupInputVars]
     availability_zones: List[str]
     vpc_cidr_block: str
@@ -451,6 +452,7 @@ class AmazonWebServicesProvider(schema.Base):
     kubernetes_version: str
     availability_zones: Optional[List[str]]
     node_groups: Dict[str, AWSNodeGroup] = DEFAULT_AWS_NODE_GROUPS
+    eks_endpoint_access: str = 'public'
     existing_subnet_ids: Optional[List[str]] = None
     existing_security_group_id: Optional[str] = None
     vpc_cidr_block: str = "10.10.0.0/16"
@@ -506,6 +508,18 @@ def _check_input(cls, data: Any) -> Any:
                     raise ValueError(
                         f"Amazon Web Services instance {node_group.instance} not one of available instance types={available_instances}"
                     )
+
+        # check if eks cluster endpoint access config is valid
+        available_endpoint_options = ['private', 'public', 'public_and_private']
+        if "eks_endpoint_access" not in data:
+            data["eks_endpoint_access"] = 'public'
+        else:
+            if data["eks_endpoint_access"] is None:
+                data["eks_endpoint_access"] = 'public'
+            elif data["eks_endpoint_access"] not in available_endpoint_options:
+                raise ValueError(
+                    f"\nInvalid `eks-endpoint-access` provided: {data['eks_endpoint_access']}.\nPlease select from one of the following supported EKS cluster endpoint access options: {available_endpoint_options}"
+                )
         return data
 
 
@@ -789,6 +803,7 @@ def input_vars(self, stage_outputs: Dict[str, Dict[str, Any]]):
             return AWSInputVars(
                 name=self.config.escaped_project_name,
                 environment=self.config.namespace,
+                eks_endpoint_access=self.config.amazon_web_services.eks_endpoint_access,
                 existing_subnet_ids=self.config.amazon_web_services.existing_subnet_ids,
                 existing_security_group_id=self.config.amazon_web_services.existing_security_group_id,
                 region=self.config.amazon_web_services.region,

src/_nebari/stages/infrastructure/template/aws/main.tf

@@ -92,7 +92,8 @@ module "kubernetes" {
 
   node_groups = var.node_groups
 
-  endpoint_private_access = var.eks_endpoint_private_access
+  endpoint_public_access  = var.eks_endpoint_access == "private" ? false : true
+  endpoint_private_access = var.eks_endpoint_access == "public" ? false : true
   public_access_cidrs     = var.eks_public_access_cidrs
   permissions_boundary    = var.permissions_boundary
 }

src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/main.tf

@@ -9,6 +9,7 @@
     security_group_ids = var.cluster_security_groups
     subnet_ids         = var.cluster_subnets
 
+    endpoint_public_access  = var.endpoint_public_access
     endpoint_private_access = var.endpoint_private_access
     public_access_cidrs     = var.public_access_cidrs
   }

src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/variables.tf

@@ -60,6 +60,11 @@ variable "node_group_instance_type" {
   default     = "m5.large"
 }
 
+variable "endpoint_public_access" {
+  type    = bool
+  default = true
+}
+
 variable "endpoint_private_access" {
   type    = bool
   default = false

src/_nebari/stages/infrastructure/template/aws/variables.tf

@@ -56,6 +56,12 @@ variable "kubeconfig_filename" {
   type        = string
 }
 
+variable "eks_endpoint_access" {
+  description = "EKS cluster api server endpoint access setting"
+  type        = string
+  default     = "public"
+}
+
 variable "eks_endpoint_private_access" {
   type    = bool
   default = false