diff --git a/README.md b/README.md
index 89f016a..5613d11 100644
--- a/README.md
+++ b/README.md
@@ -163,13 +163,14 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | attach\_worker\_cni\_policy | Whether to attach the Amazon managed `AmazonEKS_CNI_Policy` IAM policy to the default worker IAM role. WARNING: If set `false` the permissions must be assigned to the `aws-node` DaemonSet pods via another method or nodes will not be able to join the cluster. | `bool` | `true` | no |
+| cluster\_create\_endpoint\_private\_access\_sg\_rule | Whether to create security group rules for the access to the Amazon EKS private API server endpoint. | `bool` | `false` | no |
 | cluster\_create\_security\_group | Whether to create a security group for the cluster or attach the cluster to `cluster_security_group_id`. | `bool` | `true` | no |
 | cluster\_create\_timeout | Timeout value when creating the EKS cluster. | `string` | `"30m"` | no |
 | cluster\_delete\_timeout | Timeout value when deleting the EKS cluster. | `string` | `"15m"` | no |
 | cluster\_enabled\_log\_types | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | `[]` | no |
 | cluster\_encryption\_config | Configuration block with encryption configuration for the cluster. See examples/secrets\_encryption/main.tf for example format |
list(object({
provider_key_arn = string
resources = list(string)
})) | `[]` | no |
| cluster\_endpoint\_private\_access | Indicates whether or not the Amazon EKS private API server endpoint is enabled. | `bool` | `false` | no |
-| cluster\_endpoint\_private\_access\_cidrs | List of CIDR blocks which can access the Amazon EKS private API server endpoint, when public access is disabled | `list(string)` | [| no |
+| cluster\_endpoint\_private\_access\_cidrs | List of CIDR blocks which can access the Amazon EKS private API server endpoint. | `list(string)` | `null` | no |
 | cluster\_endpoint\_public\_access | Indicates whether or not the Amazon EKS public API server endpoint is enabled. | `bool` | `true` | no |
 | cluster\_endpoint\_public\_access\_cidrs | List of CIDR blocks which can access the Amazon EKS public API server endpoint. | `list(string)` |
"0.0.0.0/0"
]
[| no |
 | cluster\_iam\_role\_name | IAM role name for the cluster. Only applicable if manage\_cluster\_iam\_resources is set to false. | `string` | `""` | no |
diff --git a/cluster.tf b/cluster.tf
index 1a80470..0df121f 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -48,7 +48,7 @@ resource "aws_eks_cluster" "this" {
 }
 
 resource "aws_security_group_rule" "cluster_private_access" {
- count = var.create_eks && var.cluster_endpoint_private_access && var.cluster_endpoint_public_access == false ? 1 : 0
+ count = var.create_eks && var.cluster_create_endpoint_private_access_sg_rule && var.cluster_endpoint_private_access ? 1 : 0
 type = "ingress"
 from_port = 443
 to_port = 443
diff --git a/variables.tf b/variables.tf
index 9a5e776..c14976a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -245,10 +245,16 @@ variable "iam_path" {
 default = "/"
 }
 
+variable "cluster_create_endpoint_private_access_sg_rule" {
+ description = "Whether to create security group rules for the access to the Amazon EKS private API server endpoint."
+ type = bool
+ default = false
+}
+
 variable "cluster_endpoint_private_access_cidrs" {
- description = "List of CIDR blocks which can access the Amazon EKS private API server endpoint, when public access is disabled"
+ description = "List of CIDR blocks which can access the Amazon EKS private API server endpoint."
 type = list(string)
- default = ["0.0.0.0/0"]
+ default = null
 }
 
 variable "cluster_endpoint_private_access" {
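Review bot: The new `count` on `aws_security_group_rule.cluster_private_access` can now be satisfied while `cluster_endpoint_private_access_cidrs` is left at its new default of `null` (variables.tf hunk in this same commit), and nothing in the condition rejects that combination. The rule body past `to_port = 443` is outside the hunk, but if its source is `var.cluster_endpoint_private_access_cidrs` the rule would be planned with no source at all and the misconfiguration would only surface as a provider error at plan/apply time. Consider making the guard explicit in the count, `count = var.create_eks && var.cluster_create_endpoint_private_access_sg_rule && var.cluster_endpoint_private_access && var.cluster_endpoint_private_access_cidrs != null ? 1 : 0`, so an enabled flag without an allow-list simply creates nothing and the requirement is visible in the code. The resource definition continues beyond the hunk.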
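Review bot: The description of the new `cluster_create_endpoint_private_access_sg_rule` variable does not tell operators that its `false` default changes existing behaviour: the removed cluster.tf condition created the 443 ingress rule automatically (with the old `["0.0.0.0/0"]` default) for every private-only cluster, so those clusters will have the rule destroyed on upgrade unless the flag is set. Suggest extending the description to `"Whether to create security group rules for the access to the Amazon EKS private API server endpoint. Requires cluster_endpoint_private_access = true and a non-null cluster_endpoint_private_access_cidrs. Earlier versions created this rule automatically when public access was disabled."` and adding a matching upgrade note in the changelog. Replacing the `0.0.0.0/0` default with `null` is the right direction, since it makes the allow-list for the private endpoint an explicit operator decision rather than an implicit wide-open rule.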
"0.0.0.0/0"
]