From 5634bf6e3dbe2ee4a2191a58bc75793fea1af411 Mon Sep 17 00:00:00 2001
From: Marc Haase
Date: Fri, 12 Mar 2021 19:44:39 -0800
Subject: [PATCH] add ability to use security groups for private access

---
 cluster.tf | 17 ++++++++++++++---
 variables.tf | 6 ++++++
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/cluster.tf b/cluster.tf
index 53a696bdeee..46b07563f1b 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -52,8 +52,8 @@ resource "aws_eks_cluster" "this" {
 ]
 }
 
-resource "aws_security_group_rule" "cluster_private_access" {
- count = var.create_eks && var.cluster_create_endpoint_private_access_sg_rule && var.cluster_endpoint_private_access ? 1 : 0
+resource "aws_security_group_rule" "cluster_private_access_cidrs_source" {
+ count = var.create_eks && var.cluster_create_endpoint_private_access_sg_rule && var.cluster_endpoint_private_access && (var.cluster_endpoint_private_access_cidrs != null) ? 1 : 0
 type = "ingress"
 from_port = 443
 to_port = 443
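Review bot: Renaming `aws_security_group_rule.cluster_private_access` to `cluster_private_access_cidrs_source` changes the resource address, so existing deployments will plan a destroy of the old rule and a create of the new one instead of a no-op, which briefly drops the CIDR-based TCP/443 ingress to the cluster security group during apply. This is a breaking change and should be called out in the changelog/upgrade notes together with the migration step, e.g. `terraform state mv 'aws_security_group_rule.cluster_private_access[0]' 'aws_security_group_rule.cluster_private_access_cidrs_source[0]'` (or a `moved` block on Terraform versions that support it). The added `(var.cluster_endpoint_private_access_cidrs != null)` guard on `count` is a good fix, since a rule with no source at all is invalid for the provider; a one-line comment above `count` explaining that the rule is skipped when no CIDRs are supplied would make the intent explicit. The resource body continues past the hunk, so `protocol`, `cidr_blocks` and `security_group_id` were not reviewed here.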
@@ -63,13 +63,24 @@ resource "aws_security_group_rule" "cluster_private_access" {
 security_group_id = aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id
 }
 
+resource "aws_security_group_rule" "cluster_private_access_sg_source" {
+ count = var.create_eks && var.cluster_create_endpoint_private_access_sg_rule && var.cluster_endpoint_private_access && (var.cluster_endpoint_private_access_sg != null) ? length(var.cluster_endpoint_private_access_sg) : 0
+ type = "ingress"
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ source_security_group_id = var.cluster_endpoint_private_access_sg[count.index]
+
+ security_group_id = aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id
+}
 
 resource "null_resource" "wait_for_cluster" {
 count = var.create_eks && var.manage_aws_auth ? 1 : 0
 
 depends_on = [
 aws_eks_cluster.this,
- aws_security_group_rule.cluster_private_access,
+ aws_security_group_rule.cluster_private_access_cidrs_source,
+ aws_security_group_rule.cluster_private_access_sg_source
 ]
 
 provisioner "local-exec" {
diff --git a/variables.tf b/variables.tf
index e49c57ca49f..68bf5d30ec0 100644
--- a/variables.tf
+++ b/variables.tf
@@ -265,6 +265,12 @@ variable "cluster_endpoint_private_access_cidrs" {
 default = null
 }
 
+variable "cluster_endpoint_private_access_sg" {
+ description = "List of security group IDs which can access the Amazon EKS private API server endpoint."
+ type = list(string)
+ default = null
+}
+
 variable "cluster_endpoint_private_access" {
 description = "Indicates whether or not the Amazon EKS private API server endpoint is enabled."
 type = bool
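Review bot: In `cluster_private_access_sg_source`, `count = ... ? length(var.cluster_endpoint_private_access_sg) : 0` combined with `var.cluster_endpoint_private_access_sg[count.index]` ties each rule to a list position, so removing or reordering one security group ID shifts the indices of the others and Terraform will destroy and recreate those rules, momentarily revoking 443 access for security groups that did not change. Keying by ID avoids that: `for_each = var.create_eks && var.cluster_create_endpoint_private_access_sg_rule && var.cluster_endpoint_private_access && var.cluster_endpoint_private_access_sg != null ? toset(var.cluster_endpoint_private_access_sg) : toset([])` with `source_security_group_id = each.value`; the `depends_on` entry below needs no change. The trade-off is that `for_each` keys must be known at plan time, so if `count` was kept deliberately (it matches the rest of the module, and allows IDs of security groups created in the same apply), a comment above `count` saying so, and a warning in the variable description that reordering the list recreates rules, would save operators a surprise. A short comment noting that this rule and `_cidrs_source` are identical except for the source type (CIDRs vs. security groups) would also help readers.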
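Review bot: The description of `cluster_endpoint_private_access_sg` does not say what the variable grants or when the rule is actually created, so a reader may expect setting it alone to be sufficient. Suggested wording: `description = "List of security group IDs granted TCP/443 ingress to the EKS cluster security group for the private API server endpoint. Rules are created only when cluster_endpoint_private_access and cluster_create_endpoint_private_access_sg_rule are both true."` If the module's minimum Terraform version allows it, a `validation` block that checks each entry for the `sg-` prefix would catch typos at plan time rather than at apply.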