Override the default ingress rule that allows communication with the EKS cluster API. If not given, will use current IP/32.

2026-03-11 21:11:32 +01:00 · 2018-06-27 13:12:14 -04:00
parent c5b637ac0f
commit 98ede7cca6
4 changed files with 8 additions and 1 deletions
--- a/README.md
+++ b/README.md
@@ -107,6 +107,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 | worker_security_group_id    | If provided, all workers will be attached to this security group. If not given, a security group will be created with necessary ingres/egress to work with the EKS cluster.                                              | string | `` | no  |
 | worker_sg_ingress_from_port | Minimum port number from which pods will accept communication. Must be changed to a lower value if some pods in your cluster will expose a port lower than 1025 (e.g. 22, 80, or 443).                                   | string |  `1025`  |    no    |
 | workers_group_defaults      | Default values for target groups as defined by the list of maps.                                                                                                                                                         |  map   | `<map>`  |    no    |
+| workstation-cidr            | Override the default ingress rule that allows communication with the EKS cluster API. If not given, will use current IP/32.                                                                                              | string |    -     |    no    |

 ## Outputs

--- a/cluster.tf
+++ b/cluster.tf
@@ -45,7 +45,7 @@ resource "aws_security_group_rule" "cluster_https_worker_ingress" {
 }

 resource "aws_security_group_rule" "cluster_https_cidr_ingress" {
-  cidr_blocks       = ["${local.workstation_external_cidr}"]
+  cidr_blocks       = ["${local.workstation_cidr}"]
  description       = "Allow kubectl communication with the EKS cluster API."
  protocol          = "tcp"
  security_group_id = "${aws_security_group.cluster.id}"
--- a/local.tf
+++ b/local.tf
@@ -3,6 +3,7 @@ locals {
  cluster_security_group_id = "${var.cluster_security_group_id == "" ? aws_security_group.cluster.id : var.cluster_security_group_id}"
  worker_security_group_id  = "${var.worker_security_group_id == "" ? aws_security_group.workers.id : var.worker_security_group_id}"
  workstation_external_cidr = "${chomp(data.http.workstation_external_ip.body)}/32"
+  workstation_cidr = "${coalesce(var.workstation_cidr, local.workstation_external_cidr)}"

  # Mapping from the node type that we selected and the max number of pods that it can run
  # Taken from https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/amazon-eks-nodegroup.yaml
--- a/variables.tf
+++ b/variables.tf
@@ -7,6 +7,11 @@ variable "cluster_security_group_id" {
  default     = ""
 }

+variable "workstation_cidr" {
+  description = "Override the default ingress rule that allows communication with the EKS cluster API. If not given, will use current IP/32.    "
+  default     = ""
+}
+
 variable "cluster_version" {
  description = "Kubernetes version to use for the EKS cluster."
  default     = "1.10"