add ability to use security groups for private access

terraform-aws-modules · Mar 13, 2021 · 5634bf6 · 5634bf6
1 parent a26c9fd
commit 5634bf6
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 3 deletions.
diff --git a/cluster.tf b/cluster.tf
@@ -52,8 +52,8 @@ resource "aws_eks_cluster" "this" {
   ]
 }
 
-resource "aws_security_group_rule" "cluster_private_access" {
-  count       = var.create_eks && var.cluster_create_endpoint_private_access_sg_rule && var.cluster_endpoint_private_access ? 1 : 0
+resource "aws_security_group_rule" "cluster_private_access_cidrs_source" {
+  count       = var.create_eks && var.cluster_create_endpoint_private_access_sg_rule && var.cluster_endpoint_private_access && (var.cluster_endpoint_private_access_cidrs != null) ? 1 : 0
   type        = "ingress"
   from_port   = 443
   to_port     = 443
@@ -63,13 +63,24 @@ resource "aws_security_group_rule" "cluster_private_access" {
   security_group_id = aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id
 }
 
+resource "aws_security_group_rule" "cluster_private_access_sg_source" {
+  count       = var.create_eks && var.cluster_create_endpoint_private_access_sg_rule && var.cluster_endpoint_private_access && (var.cluster_endpoint_private_access_sg != null) ? length(var.cluster_endpoint_private_access_sg) : 0
+  type        = "ingress"
+  from_port   = 443
+  to_port     = 443
+  protocol    = "tcp"
+  source_security_group_id = var.cluster_endpoint_private_access_sg[count.index]
+
+  security_group_id = aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id
+}
 
 resource "null_resource" "wait_for_cluster" {
   count = var.create_eks && var.manage_aws_auth ? 1 : 0
 
   depends_on = [
     aws_eks_cluster.this,
-    aws_security_group_rule.cluster_private_access,
+    aws_security_group_rule.cluster_private_access_cidrs_source,
+    aws_security_group_rule.cluster_private_access_sg_source
   ]
 
   provisioner "local-exec" {

diff --git a/variables.tf b/variables.tf
@@ -265,6 +265,12 @@ variable "cluster_endpoint_private_access_cidrs" {
   default     = null
 }
 
+variable "cluster_endpoint_private_access_sg" {
+  description = "List of security group IDs which can access the Amazon EKS private API server endpoint."
+  type        = list(string)
+  default     = null
+}
+
 variable "cluster_endpoint_private_access" {
   description = "Indicates whether or not the Amazon EKS private API server endpoint is enabled."
   type        = bool