Add EKS Deny Public Resources Policy Pack #956
Conversation
This commit introduces a new policy pack for AWS EKS that enforces private endpoint access by denying clusters with public endpoint access. It includes a custom approval mechanism allowing exceptions through tagging, along with comprehensive documentation and Terraform configuration files for deployment.
Pull Request Overview
This PR introduces a new Terraform policy pack for AWS EKS that enforces private endpoint access by denying clusters with public endpoint access enabled, while providing an exception mechanism through tagging.
- Implements a custom approval policy that evaluates EKS clusters based on their public endpoint access configuration
- Provides exception handling through a specific tag (`turbot:deny-public-resources:exception = "true"`)
- Includes comprehensive documentation and deployment configuration files
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| providers.tf | Defines Terraform provider requirements for the Turbot provider |
| policies.tf | Implements the main policy logic with custom approval template for EKS cluster evaluation |
| main.tf | Creates the policy pack resource with title and description |
| README.md | Provides comprehensive documentation including usage, policy logic, and security benefits |
| resource "turbot_policy_setting" "aws_eks_cluster_approved" { | ||
| resource = turbot_policy_pack.main.id | ||
| type = "tmod:@turbot/aws-eks#/policy/types/clusterApproved" | ||
| value = "Check: Approved" |
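Review bot: the `value = "Check: Approved"` on the last line of this hunk is a hard-coded literal, so moving the pack between check and enforce modes means editing `policies.tf` directly; consider exposing the mode through a Terraform variable (for example `value = var.cluster_approved_mode` with a default of `"Check: Approved"`) so the safer check mode stays the default while enforcement is a documented, one-line operator change rather than a source edit.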
Copilot AI, Sep 10, 2025
This commented line should be removed or expanded with proper documentation explaining when to use enforcement vs check mode, as it provides incomplete guidance for users.
| value = "Check: Approved" | |
| value = "Check: Approved" | |
| # To change the policy from "Check" mode to "Enforce" mode, uncomment the line below. | |
| # | |
| # "Check" mode will only report on clusters that are not approved, without taking any action. | |
| # "Enforce" mode will automatically delete any new EKS clusters that are not approved according to the policy logic. | |
| # | |
| # Use "Enforce" mode only if you want Turbot to actively remove unapproved clusters, which may impact running workloads. | |
| # Recommended: Start with "Check" mode to review findings before enabling enforcement. |
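Review bot: the suggested comment says "uncomment the line below", but no commented-out Enforce setting follows it; the block ends on the "Recommended" line, so a reader still has to guess the enforce value. Add the actual commented-out `# value = ...` line carrying the Enforce setting directly after the explanatory comment so the instruction refers to something that exists, and double-check the two consecutive `value = "Check: Approved"` lines at the top of the suggestion: if both survive, the attribute is declared twice.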
This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.