From fa701cdc596a7c68b1187e9401f733ad14d3db8f Mon Sep 17 00:00:00 2001
From: Harshvardhan Bahukhandi
Date: Tue, 13 Jan 2026 13:25:18 +0530
Subject: [PATCH] chore: added support for nat connectivity to the eks worker node subnets for sts calls
---
 .../aws/modules/composition/vpc-network/outputs.tf | 4 ++--
 .../composition/vpc-network/route-tables.tf | 14 ++++++++------
 .../composition/vpc-network/vpc-endpoints.tf | 4 ++--
 3 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/terraform/aws/modules/composition/vpc-network/outputs.tf b/terraform/aws/modules/composition/vpc-network/outputs.tf
index aff3847..984f671 100644
--- a/terraform/aws/modules/composition/vpc-network/outputs.tf
+++ b/terraform/aws/modules/composition/vpc-network/outputs.tf
@@ -240,8 +240,8 @@ output "proxy_peering_nat_c_route_table_id" {
 }
 output "eks_worker_route_table_id" {
- description = "ID of the EKS worker route table (S3 only, no NAT)"
- value = module.eks_worker_rt.route_table_id
+ description = "ID of the EKS worker route table (NAT + S3)"
+ value = var.enable_nat_gateway ? module.eks_worker_rt[0].route_table_id : ""
 }
 output "common_local_nat_s3_route_table_id" {
diff --git a/terraform/aws/modules/composition/vpc-network/route-tables.tf b/terraform/aws/modules/composition/vpc-network/route-tables.tf
index 127cd86..8bda0b2 100644
--- a/terraform/aws/modules/composition/vpc-network/route-tables.tf
+++ b/terraform/aws/modules/composition/vpc-network/route-tables.tf
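Review bot: The new `value` yields `""` whenever `enable_nat_gateway` is false, but the description only says "(NAT + S3)", so a consumer of this output cannot tell that it may be empty; `description = "ID of the EKS worker route table (NAT + S3); empty string when enable_nat_gateway is false"`. Returning `null` rather than `""` in the disabled case would also let downstream conditionals distinguish "no table" from a real ID, though whether that is safe depends on what currently consumes this output.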
@@ -202,20 +202,22 @@ module "proxy_peering_nat_c_rt" {
 }
-# EKS Worker Route Table - Single route table for all EKS worker subnets (S3 only, no NAT)
+# EKS Worker Route Table - Single route table for all EKS worker subnets with NAT access
 module "eks_worker_rt" {
 source = "../../base/route-table"
+ count = var.enable_nat_gateway ? 1 : 0
 vpc_id = module.vpc.vpc_id
 route_table_name = "${var.vpc_name}-EKSWorker"
- create_nat_gateway_route = false
+ create_nat_gateway_route = true
+ nat_gateway_id = module.external_incoming_subnets[0].nat_gateway_id
 tags = merge(
 var.tags,
 {
 Name = "${var.vpc_name}-EKSWorker"
- Type = "eks-worker-s3-only"
+ Type = "eks-worker-nat"
 }
 )
 }
@@ -260,12 +262,12 @@ resource "aws_route_table_association" "management" {
 route_table_id = module.common_internet_s3_rt.route_table_id
 }
-# Associate EKS Worker subnets with EKSWorker route table (S3 only, no NAT)
+# Associate EKS Worker subnets with EKSWorker route table (NAT + S3)
 resource "aws_route_table_association" "eks_workers" {
- count = length(var.eks_workers_subnet_cidrs)
+ count = var.enable_nat_gateway ? length(var.eks_workers_subnet_cidrs) : 0
 subnet_id = module.eks_workers_subnets[count.index].subnet_id
- route_table_id = module.eks_worker_rt.route_table_id
+ route_table_id = module.eks_worker_rt[0].route_table_id
 }
 # Associate EKS Control Plane subnets with CommonLocalRoute
diff --git a/terraform/aws/modules/composition/vpc-network/vpc-endpoints.tf b/terraform/aws/modules/composition/vpc-network/vpc-endpoints.tf
index 0594a2e..e79edc2 100644
--- a/terraform/aws/modules/composition/vpc-network/vpc-endpoints.tf
+++ b/terraform/aws/modules/composition/vpc-network/vpc-endpoints.tf
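Review bot: With `enable_nat_gateway = false` the new `count` on `module "eks_worker_rt"` together with `count = var.enable_nat_gateway ? … : 0` on `aws_route_table_association.eks_workers` (the -260 hunk below) leaves the worker subnets with no explicit route table at all, so they fall back to the VPC main route table and, per the vpc-endpoints.tf hunk, also drop out of the S3 gateway-endpoint route list; before this patch they always had the dedicated S3-only table. Keeping the module unconditional and driving only the NAT route off the flag preserves the old behaviour when NAT is disabled (this assumes the base module's `nat_gateway_id` input has a default so `null` is accepted, which the previous call without that argument suggests), and outputs.tf and vpc-endpoints.tf could then keep referencing `module.eks_worker_rt.route_table_id` without the `[0]` index. Separately, `create_nat_gateway_route = true` presumably installs a default route, which gives every worker subnet general internet egress through a single NAT gateway in one AZ (`module.external_incoming_subnets[0]`), unlike the per-AZ `proxy_peering_nat_*` tables; if the motivation is only STS reachability as the subject line says, an STS interface endpoint in the VPC would achieve that without widening egress or adding the cross-AZ dependency, and is worth weighing before merging.
```hcl
module "eks_worker_rt" {
  source = "../../base/route-table"
  # … unchanged: vpc_id, route_table_name …
  create_nat_gateway_route = var.enable_nat_gateway
  nat_gateway_id           = var.enable_nat_gateway ? module.external_incoming_subnets[0].nat_gateway_id : null
  # … unchanged: tags …
}

resource "aws_route_table_association" "eks_workers" {
  count          = length(var.eks_workers_subnet_cidrs)
  subnet_id      = module.eks_workers_subnets[count.index].subnet_id
  route_table_id = module.eks_worker_rt.route_table_id
}
```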
@@ -132,8 +132,8 @@ locals {
 var.enable_nat_gateway && length(var.availability_zones) > 0 ? [module.proxy_peering_nat_a_rt[0].route_table_id] : [],
 var.enable_nat_gateway && length(var.availability_zones) > 1 ? [module.proxy_peering_nat_b_rt[0].route_table_id] : [],
 var.enable_nat_gateway && length(var.availability_zones) > 2 ? [module.proxy_peering_nat_c_rt[0].route_table_id] : [],
- # EKS Worker route table (S3 only, no NAT)
- [module.eks_worker_rt.route_table_id],
+ # EKS Worker route table (NAT + S3)
+ var.enable_nat_gateway ? [module.eks_worker_rt[0].route_table_id] : [],
 # Common Local NAT S3 route table (NAT + S3)
 var.enable_nat_gateway ? [module.common_local_nat_s3_rt[0].route_table_id] : [],
 var.include_database_route_tables_in_gateway_endpoints ? [module.db_route_table.route_table_id] : []