feat: Add support for specifiying NTP address to use private Amazon Time Sync Service (#2125)

2026-01-18 17:47:31 +01:00 · 2022-06-28 12:16:20 -04:00
parent 62b776f142
commit 4543ab454b
5 changed files with 22 additions and 4 deletions
--- a/README.md
+++ b/README.md
@@ -335,6 +335,8 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | <a name="input_node_security_group_description"></a> [node\_security\_group\_description](#input\_node\_security\_group\_description) | Description of the node security group created | `string` | `"EKS node shared security group"` | no |
 | <a name="input_node_security_group_id"></a> [node\_security\_group\_id](#input\_node\_security\_group\_id) | ID of an existing security group to attach to the node groups created | `string` | `""` | no |
 | <a name="input_node_security_group_name"></a> [node\_security\_group\_name](#input\_node\_security\_group\_name) | Name to use on node security group created | `string` | `null` | no |
 | <a name="input_node_security_group_ntp_ipv4_cidr_block"></a> [node\_security\_group\_ntp\_ipv4\_cidr\_block](#input\_node\_security\_group\_ntp\_ipv4\_cidr\_block) | IPv4 CIDR block to allow NTP egress. Default is public IP space, but [Amazon Time Sync Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html) can be used as well with `["169.254.169.123/32"]` | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
 | <a name="input_node_security_group_ntp_ipv6_cidr_block"></a> [node\_security\_group\_ntp\_ipv6\_cidr\_block](#input\_node\_security\_group\_ntp\_ipv6\_cidr\_block) | IPv4 CIDR block to allow NTP egress. Default is public IP space, but [Amazon Time Sync Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html) can be used as well with `["fd00:ec2::123/128"]` | `list(string)` | <pre>[<br>  "::/0"<br>]</pre> | no |
 | <a name="input_node_security_group_tags"></a> [node\_security\_group\_tags](#input\_node\_security\_group\_tags) | A map of additional tags to add to the node security group created | `map(string)` | `{}` | no |
 | <a name="input_node_security_group_use_name_prefix"></a> [node\_security\_group\_use\_name\_prefix](#input\_node\_security\_group\_use\_name\_prefix) | Determines whether node security group name (`node_security_group_name`) is used as a prefix | `string` | `true` | no |
 | <a name="input_openid_connect_audiences"></a> [openid\_connect\_audiences](#input\_openid\_connect\_audiences) | List of OpenID Connect audience client IDs to add to the IRSA provider | `list(string)` | `[]` | no |
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -77,6 +77,7 @@ module "eks" {
  }
  # Extend node-to-node security group rules
  node_security_group_ntp_ipv4_cidr_block = ["169.254.169.123/32"]
  node_security_group_additional_rules = {
    ingress_self_all = {
      description = "Node to node all ports/protocols"
--- a/examples/eks_managed_node_group/main.tf
+++ b/examples/eks_managed_node_group/main.tf
@@ -92,6 +92,7 @@ module "eks" {
  }
  # Extend node-to-node security group rules
  node_security_group_ntp_ipv4_cidr_block = ["fd00:ec2::123/128"]
  node_security_group_additional_rules = {
    ingress_self_all = {
      description = "Node to node all ports/protocols"
--- a/node_groups.tf
+++ b/node_groups.tf
@@ -130,8 +130,8 @@ locals {
      from_port        = 123
      to_port          = 123
      type             = "egress"
-      cidr_blocks      = ["0.0.0.0/0"]
+      cidr_blocks      = var.node_security_group_ntp_ipv4_cidr_block
-      ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null
+      ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? var.node_security_group_ntp_ipv6_cidr_block : null
    }
    egress_ntp_udp = {
      description      = "Egress NTP/UDP to internet"
@@ -139,8 +139,8 @@ locals {
      from_port        = 123
      to_port          = 123
      type             = "egress"
-      cidr_blocks      = ["0.0.0.0/0"]
+      cidr_blocks      = var.node_security_group_ntp_ipv4_cidr_block
-      ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null
+      ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? var.node_security_group_ntp_ipv6_cidr_block : null
    }
  }
 }
--- a/variables.tf
+++ b/variables.tf
@@ -322,6 +322,20 @@ variable "node_security_group_tags" {
  default     = {}
 }
 # TODO - at next breaking change, make 169.254.169.123/32 the default
 variable "node_security_group_ntp_ipv4_cidr_block" {
  description = "IPv4 CIDR block to allow NTP egress. Default is public IP space, but [Amazon Time Sync Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html) can be used as well with `[\"169.254.169.123/32\"]`"
  type        = list(string)
  default     = ["0.0.0.0/0"]
 }
 # TODO - at next breaking change, make fd00:ec2::123/128 the default
 variable "node_security_group_ntp_ipv6_cidr_block" {
  description = "IPv4 CIDR block to allow NTP egress. Default is public IP space, but [Amazon Time Sync Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html) can be used as well with `[\"fd00:ec2::123/128\"]`"
  type        = list(string)
  default     = ["::/0"]
 }
 ################################################################################
 # IRSA
 ################################################################################