From 82aefb20f5dc1e4d195a3d19d6c091e1ed405932 Mon Sep 17 00:00:00 2001
From: Siddarth Prakash <1428486+sidprak@users.noreply.github.com>
Date: Thu, 9 Jan 2020 18:53:33 -0500
Subject: [PATCH] Add public access endpoint CIDRs option (terraform-aws-eks#647) (#673)
* Add public access endpoint CIDRs option (terraform-aws-eks#647)
* Update required provider version to 2.44.0
* Fix formatting in docs
---
 CHANGELOG.md | 1 +
 README.md | 1 +
 cluster.tf | 1 +
 variables.tf | 6 ++++++
 versions.tf | 2 +-
 5 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 34c1538..63cf796 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ project adheres to [Semantic Versioning](http://semver.org/).
 ## [[v8.?.?](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.0.0...HEAD)] - 2019-12-11]
 - Write your awesome change here (by @you)
+- Add support for restricting access to the public API endpoint (@sidprak)
 # History
diff --git a/README.md b/README.md
index 05dbed1..b22f573 100644
--- a/README.md
+++ b/README.md
@@ -157,6 +157,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 | cluster\_enabled\_log\_types | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | list(string) | `[]` | no |
 | cluster\_endpoint\_private\_access | Indicates whether or not the Amazon EKS private API server endpoint is enabled. | bool | `"false"` | no |
 | cluster\_endpoint\_public\_access | Indicates whether or not the Amazon EKS public API server endpoint is enabled. | bool | `"true"` | no |
+| cluster\_endpoint\_public\_access\_cidrs | List of CIDR blocks which can access the Amazon EKS public API server endpoint. | list(string) | `[ "0.0.0.0/0" ]` | no |
 | cluster\_iam\_role\_name | IAM role name for the cluster. Only applicable if manage_cluster_iam_resources is set to false. | string | `""` | no |
 | cluster\_log\_kms\_key\_id | If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) | string | `""` | no |
 | cluster\_log\_retention\_in\_days | Number of days to retain log events. Default retention - 90 days. | number | `"90"` | no |
diff --git a/cluster.tf b/cluster.tf
index 764c737..877ddda 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -19,6 +19,7 @@ resource "aws_eks_cluster" "this" {
 subnet_ids = var.subnets
 endpoint_private_access = var.cluster_endpoint_private_access
 endpoint_public_access = var.cluster_endpoint_public_access
+ public_access_cidrs = var.cluster_endpoint_public_access_cidrs
 }
 timeouts {
diff --git a/variables.tf b/variables.tf
index 2b64a9a..92b906e 100644
--- a/variables.tf
+++ b/variables.tf
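Review bot: Passing `public_access_cidrs` unconditionally in `aws_eks_cluster.this` means the module now owns this attribute for every cluster, and because the variable defaults to `["0.0.0.0/0"]`, an allow-list that an operator had narrowed outside Terraform will be widened back to the whole internet on the next apply unless they also set the new variable; the README row and the changelog entry should state that explicitly. It is also worth deciding whether the list should be sent when the public endpoint is disabled, e.g. `public_access_cidrs = var.cluster_endpoint_public_access ? var.cluster_endpoint_public_access_cidrs : null`, since a CIDR list on a disabled public endpoint has no effect and I have not confirmed how the API treats that combination. The `aws_eks_cluster` resource block starts before this hunk.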
@@ -234,6 +234,12 @@ variable "cluster_endpoint_public_access" {
 default = true
 }
+variable "cluster_endpoint_public_access_cidrs" {
+ description = "List of CIDR blocks which can access the Amazon EKS public API server endpoint."
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
 variable "manage_cluster_iam_resources" {
 description = "Whether to let the module manage cluster IAM resources. If set to false, cluster_iam_role_name must be specified."
 type = bool
diff --git a/versions.tf b/versions.tf
index e95ea3e..95fb1ef 100644
--- a/versions.tf
+++ b/versions.tf
@@ -2,7 +2,7 @@ terraform {
 required_version = ">= 0.12.9"
 required_providers {
- aws = ">= 2.38.0"
+ aws = ">= 2.44.0"
 local = ">= 1.2"
 null = ">= 2.1"
 template = ">= 2.1"
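Review bot: The description of `cluster_endpoint_public_access_cidrs` does not tell the reader that the default admits every IPv4 address, nor that the list only matters while `cluster_endpoint_public_access` is true, which is exactly what someone reading the generated inputs table needs in order to decide whether to override it. Suggest `description = "List of CIDR blocks which can access the Amazon EKS public API server endpoint. Defaults to 0.0.0.0/0 (any address); narrow this to known administrative ranges when the public endpoint is enabled."` The minimum Terraform version required by this module (`>= 0.12.9`) predates variable `validation` blocks, so malformed CIDR entries cannot be rejected at plan time here and will only surface as an error from the AWS API at apply.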