Restricting EKS API Server Access to Terraform Cloud IPs
Limiting your Amazon EKS API server endpoint to only accept requests from trusted IP ranges is a best practice, especially when you use platforms like Terraform Cloud (TFC) for automated deployment. Here’s how you can approach this:
1. Understand Terraform Cloud (TFC) IP Range Dynamics
- Dynamic IPs by Default: TFC’s standard remote execution mode does not guarantee static or published IP ranges for its runners. The underlying runner IPs, especially for workspace operations, may change over time and are not documented as a published static list[1][2].
- HCP Terraform Agent as an Alternative: For scenarios that require fixed IP addresses, use the HCP Terraform Agent execution mode. This agent runs within your own network (such as a VPC), allowing you to control its outbound IP addresses[1].
- No Public Static List for Standard Runs: If you deploy using default Terraform Cloud remote execution, there is no official static IP range you can safely whitelist on your EKS endpoint[1][2].
2. How to Restrict EKS API Server Access
Amazon EKS allows you to restrict access to its API server endpoint using one or more CIDR blocks:
Via AWS Console:
- Go to the EKS Cluster in the AWS Console.
- In the Networking section, select “Manage Endpoint Access.”
- Under “Public access CIDRs,” add allowed CIDR blocks—these should include only the IPs or ranges you trust (e.g., your corporate site and/or TFC agent IP)[3][4][5].
Via AWS CLI Example:
aws eks update-cluster-config \
  --region <region> \
  --name <cluster-name> \
  --resources-vpc-config endpointPublicAccess=true,publicAccessCidrs="1.2.3.4/32",endpointPrivateAccess=true
Replace "1.2.3.4/32" with your trusted CIDR(s), such as an agent or VPN egress IP, and fill in the <region> and <cluster-name> placeholders[4].
3. Obtaining IP Ranges for Terraform Cloud
- For Standard Remote Execution: No static IPs are provided for workspace operations. HashiCorp does not recommend using their published IP ranges for allow-listing API endpoints, as these cover only notification and connector infrastructure, not workspace run traffic[1][2].
- For HCP Terraform Agents: If you deploy an agent, you control its network placement, so you can specify a static, known outbound address or CIDR block, then allow that in EKS[1].
- [Official documentation on HCP Terraform Agent IP management][1].
4. Recommended Actions
- Migrate to HCP Terraform Agent Mode: Deploy your own agent (usually within a VPC or private subnet) and use its egress IP (or a NAT Gateway with Elastic IP) as the CIDR to allow in your EKS API endpoint[1].
- Avoid Allow-Listing Published “TFC IPs” for EKS: Do not use the published TFC IP ranges, as these do not cover orchestration/runs and may change without notice[1][2].
- Regular Monitoring: If you must rely on TFC’s published ranges (e.g., for webhooks), automate daily checks as the ranges may change[1].
- Lock Down Public Access: Only specify known agent, VPN, or jump host IPs as allowed CIDRs in your EKS endpoint, not open wildcard ranges.
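As an added example (not part of the original answer or any AWS/HashiCorp tooling), the check below audits the resourcesVpcConfig block that `aws eks describe-cluster` or boto3's `describe_cluster()` returns against the egress ranges you actually control (assumed here to be an agent NAT Gateway EIP and a VPN range, with constructed sample values), and builds the JSON-shaped config to hand to `update-cluster-config` once the list is cleaned up.

```python
import ipaddress

# Constructed sample shaped like the resourcesVpcConfig block returned by
# `aws eks describe-cluster`; the addresses are made up for this example.
SAMPLE_VPC_CONFIG = {
    "endpointPublicAccess": True,
    "endpointPrivateAccess": True,
    "publicAccessCidrs": ["0.0.0.0/0", "203.0.113.10/32", "198.51.100.0/24"],
}

# Egress you control (assumption): the NAT Gateway Elastic IP in front of an
# HCP Terraform Agent plus the corporate VPN range. Constructed values.
APPROVED_EGRESS = ["203.0.113.10/32", "192.0.2.0/24"]


def audit_public_access(vpc_config, approved_egress, max_prefix_len=24):
    """Return (cidr, reason) findings for an EKS endpoint's public CIDR list.

    A CIDR passes only if it is wholly contained in an approved egress range;
    0.0.0.0/0, ranges broader than /max_prefix_len, and unknown ranges are
    reported so they can be removed before relying on the allow-list.
    """
    findings = []
    if not vpc_config.get("endpointPublicAccess", True):
        return findings  # public endpoint disabled: nothing to allow-list
    approved = [ipaddress.ip_network(c) for c in approved_egress]
    for cidr in vpc_config.get("publicAccessCidrs", []):
        net = ipaddress.ip_network(cidr)
        same_family = [a for a in approved if a.version == net.version]
        if net.prefixlen == 0:
            findings.append((cidr, "allows the entire Internet"))
        elif net.prefixlen < max_prefix_len:
            findings.append((cidr, f"broader than /{max_prefix_len}"))
        elif not any(net.subnet_of(a) for a in same_family):
            findings.append((cidr, "not within an approved egress range"))
    return findings


def remediation_vpc_config(approved_egress):
    """Build the --resources-vpc-config value (as JSON-ready dict) that keeps
    only the approved egress ranges, normalised and de-duplicated."""
    cidrs = sorted({str(ipaddress.ip_network(c)) for c in approved_egress})
    return {
        "endpointPublicAccess": True,
        "endpointPrivateAccess": True,
        "publicAccessCidrs": cidrs,
    }
```

If the agent runs inside the cluster's VPC, it can reach the private endpoint directly and the public CIDR list can be reduced accordingly.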
References & Next Steps
- For TFC IP considerations: HashiCorp documentation explains which IPs are static and for which features[1][2].
- For EKS endpoint restrictions, use AWS documentation for official command syntax and detailed guidance[4][3][5].
- For best results and tight security, always run your deployments from a known IP boundary, such as a controlled agent or secure VPN.
Summary:
There is no static list of Terraform Cloud run IPs you can reliably add to EKS endpoint allow-lists. For secure, restrictive API server access, migrate to HCP Terraform Agent mode and allow only the agent’s outgoing IP in your EKS API endpoint[1][2][4].