feat: Override cluster and workers egress CIDRs

Add two new variables to allow the destination CIDR blocks used in egress rules to be overridden. Fixes #1236
terraform-aws-modules · Apr 20, 2021 · 9e44288 · 9e44288
1 parent 81bc7a2
commit 9e44288
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -234,6 +234,7 @@ MIT Licensed. See [LICENSE](https:/terraform-aws-modules/terraform-a
 | <a name="input_cluster_create_security_group"></a> [cluster\_create\_security\_group](#input\_cluster\_create\_security\_group) | Whether to create a security group for the cluster or attach the cluster to `cluster_security_group_id`. | `bool` | `true` | no |
 | <a name="input_cluster_create_timeout"></a> [cluster\_create\_timeout](#input\_cluster\_create\_timeout) | Timeout value when creating the EKS cluster. | `string` | `"30m"` | no |
 | <a name="input_cluster_delete_timeout"></a> [cluster\_delete\_timeout](#input\_cluster\_delete\_timeout) | Timeout value when deleting the EKS cluster. | `string` | `"15m"` | no |
+| <a name="input_cluster_egress_cidrs"></a> [cluster\_egress\_cidrs](#input\_cluster\_egress_cidrs) | List of CIDR blocks that are permitted for cluster egress traffic. | `list(string)` | <pre>[<br> "0.0.0.0/0"<br>]</pre> | no |
 | <a name="input_cluster_enabled_log_types"></a> [cluster\_enabled\_log\_types](#input\_cluster\_enabled\_log\_types) | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | `[]` | no |
 | <a name="input_cluster_encryption_config"></a> [cluster\_encryption\_config](#input\_cluster\_encryption\_config) | Configuration block with encryption configuration for the cluster. See examples/secrets\_encryption/main.tf for example format | <pre>list(object({<br> provider_key_arn = string<br> resources = list(string)<br> }))</pre> | `[]` | no |
 | <a name="input_cluster_endpoint_private_access"></a> [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled. | `bool` | `false` | no |
@@ -287,6 +288,7 @@ MIT Licensed. See [LICENSE](https:/terraform-aws-modules/terraform-a
 | <a name="input_worker_security_group_id"></a> [worker\_security\_group\_id](#input\_worker\_security\_group\_id) | If provided, all workers will be attached to this security group. If not given, a security group will be created with necessary ingress/egress to work with the EKS cluster. | `string` | `""` | no |
 | <a name="input_worker_sg_ingress_from_port"></a> [worker\_sg\_ingress\_from\_port](#input\_worker\_sg\_ingress\_from\_port) | Minimum port number from which pods will accept communication. Must be changed to a lower value if some pods in your cluster will expose a port lower than 1025 (e.g. 22, 80, or 443). | `number` | `1025` | no |
 | <a name="input_workers_additional_policies"></a> [workers\_additional\_policies](#input\_workers\_additional\_policies) | Additional policies to be added to workers | `list(string)` | `[]` | no |
+| <a name="input_workers_egress_cidrs"></a> [workers\_egress\_cidrs](#input\_workers\_egress\_cidrs) | List of CIDR blocks that are permitted for workers egress traffic. | `list(string)` | <pre>[<br> "0.0.0.0/0"<br>]</pre> | no |
 | <a name="input_workers_group_defaults"></a> [workers\_group\_defaults](#input\_workers\_group\_defaults) | Override default values for target groups. See workers\_group\_defaults\_defaults in local.tf for valid keys. | `any` | `{}` | no |
 | <a name="input_workers_role_name"></a> [workers\_role\_name](#input\_workers\_role\_name) | User defined workers role name. | `string` | `""` | no |
 | <a name="input_write_kubeconfig"></a> [write\_kubeconfig](#input\_write\_kubeconfig) | Whether to write a Kubectl config file containing the cluster configuration. Saved to `config_output_path`. | `bool` | `true` | no |

diff --git a/cluster.tf b/cluster.tf
@@ -99,7 +99,7 @@ resource "aws_security_group_rule" "cluster_egress_internet" {
  description = "Allow cluster egress access to the Internet."
  protocol = "-1"
  security_group_id = local.cluster_security_group_id
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = var.cluster_egress_cidrs
  from_port = 0
  to_port = 0
  type = "egress"

diff --git a/variables.tf b/variables.tf
@@ -375,3 +375,15 @@ variable "cluster_service_ipv4_cidr" {
  type = string
  default = null
 }
+
+variable "cluster_egress_cidrs" {
+ description = "List of CIDR blocks that are permitted for cluster egress traffic."
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "workers_egress_cidrs" {
+ description = "List of CIDR blocks that are permitted for workers egress traffic."
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
diff --git a/workers.tf b/workers.tf
@@ -360,7 +360,7 @@ resource "aws_security_group_rule" "workers_egress_internet" {
  description = "Allow nodes all egress to the Internet."
  protocol = "-1"
  security_group_id = local.worker_security_group_id
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = var.workers_egress_cidrs
  from_port = 0
  to_port = 0
  type = "egress"