From b455b86fbf87a686d7d349f07be837a5a63728fa Mon Sep 17 00:00:00 2001
From: Matt Dainty
Date: Thu, 11 Feb 2021 17:07:41 +0000
Subject: [PATCH] feat: Override cluster and workers egress CIDRs

Add two new variables to allow the destination CIDR blocks used in egress rules to be overridden.

Fixes #1236
---
 README.md | 2 ++
 cluster.tf | 2 +-
 variables.tf | 12 ++++++++++++
 workers.tf | 2 +-
 4 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index a5134732996..c12946d034e 100644
--- a/README.md
+++ b/README.md
@@ -173,6 +173,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 | cluster\_create\_security\_group | Whether to create a security group for the cluster or attach the cluster to `cluster_security_group_id`. | `bool` | `true` | no |
 | cluster\_create\_timeout | Timeout value when creating the EKS cluster. | `string` | `"30m"` | no |
 | cluster\_delete\_timeout | Timeout value when deleting the EKS cluster. | `string` | `"15m"` | no |
+| cluster\_egress\_cidrs | List of CIDR blocks that are permitted for cluster egress traffic. | `list(string)` |
[
"0.0.0.0/0"
]
| no |
 | cluster\_enabled\_log\_types | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | `[]` | no |
 | cluster\_encryption\_config | Configuration block with encryption configuration for the cluster. See examples/secrets\_encryption/main.tf for example format |
list(object({
provider_key_arn = string
resources = list(string)
}))
| `[]` | no |
 | cluster\_endpoint\_private\_access | Indicates whether or not the Amazon EKS private API server endpoint is enabled. | `bool` | `false` | no |
@@ -226,6 +227,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 | worker\_security\_group\_id | If provided, all workers will be attached to this security group. If not given, a security group will be created with necessary ingress/egress to work with the EKS cluster. | `string` | `""` | no |
 | worker\_sg\_ingress\_from\_port | Minimum port number from which pods will accept communication. Must be changed to a lower value if some pods in your cluster will expose a port lower than 1025 (e.g. 22, 80, or 443). | `number` | `1025` | no |
 | workers\_additional\_policies | Additional policies to be added to workers | `list(string)` | `[]` | no |
+| workers\_egress\_cidrs | List of CIDR blocks that are permitted for workers egress traffic. | `list(string)` |
[
"0.0.0.0/0"
]
| no |
 | workers\_group\_defaults | Override default values for target groups. See workers\_group\_defaults\_defaults in local.tf for valid keys. | `any` | `{}` | no |
 | workers\_role\_name | User defined workers role name. | `string` | `""` | no |
 | write\_kubeconfig | Whether to write a Kubectl config file containing the cluster configuration. Saved to `config_output_path`. | `bool` | `true` | no |
diff --git a/cluster.tf b/cluster.tf
index 53a696bdeee..ae3a71fbac1 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -99,7 +99,7 @@ resource "aws_security_group_rule" "cluster_egress_internet" {
 description = "Allow cluster egress access to the Internet."
 protocol = "-1"
 security_group_id = local.cluster_security_group_id
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = var.cluster_egress_cidrs
 from_port = 0
 to_port = 0
 type = "egress"
diff --git a/variables.tf b/variables.tf
index e49c57ca49f..38c52b43f13 100644
--- a/variables.tf
+++ b/variables.tf
@@ -375,3 +375,15 @@ variable "cluster_service_ipv4_cidr" {
 type = string
 default = null
 }
+
+variable "cluster_egress_cidrs" {
+ description = "List of CIDR blocks that are permitted for cluster egress traffic."
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
+variable "workers_egress_cidrs" {
+ description = "List of CIDR blocks that are permitted for workers egress traffic."
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
diff --git a/workers.tf b/workers.tf
index 8143e6a304d..4bc1c123828 100644
--- a/workers.tf
+++ b/workers.tf
@@ -332,7 +332,7 @@ resource "aws_security_group_rule" "workers_egress_internet" {
 description = "Allow nodes all egress to the Internet."
 protocol = "-1"
 security_group_id = local.worker_security_group_id
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = var.workers_egress_cidrs
 from_port = 0
 to_port = 0
 type = "egress"
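Review bot: The `description` on the first line of the cluster.tf hunk still reads "Allow cluster egress access to the Internet." and the resource keeps the name `cluster_egress_internet`, so once `var.cluster_egress_cidrs` is set to a private range the security group will carry a description that misstates what the rule permits; `description = "Allow cluster egress to the CIDR blocks in var.cluster_egress_cidrs."` keeps it honest either way. The rule also stays `protocol = "-1"` on ports 0-0, so narrowing the destination list is the only restriction this variable gives — a user restricting egress for compliance reasons should know ports and protocols are still wide open. An empty list passed through `cidr_blocks` leaves the rule with no destination at all, which the AWS provider presumably rejects only at apply time; a non-empty check on the variable would surface that at plan time. The `resource` block starts before this hunk (its header appears only in the `@@` context) and its closing brace follows `type = "egress"` outside the hunk.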
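Review bot: Neither new variable in the variables.tf hunk validates its input, so an empty list or a malformed/IPv6 entry is only caught when the provider fails the `aws_security_group_rule` (which takes IPv4 ranges in `cidr_blocks`); a `validation` block rejecting empty lists and anything `cidrnetmask()` cannot parse would fail the plan instead. `validation` needs Terraform 0.13+ and the module's `required_version` is not in this hunk, so confirm it is permitted before adding it. The descriptions are also worth expanding: they should say the default preserves the previous unrestricted egress, that the list is IPv4-only, and — if the rules these feed are conditional on `cluster_create_security_group`/`worker_security_group_id` as the README text suggests — that the variables have no effect when the caller supplies its own security group. Something like `description = "List of IPv4 CIDR blocks permitted as egress destinations on the cluster security group this module creates. Defaults to unrestricted egress."` covers that.
```hcl
variable "cluster_egress_cidrs" {
  # … unchanged: description / type / default …

  validation {
    condition     = length(var.cluster_egress_cidrs) > 0 && length([for c in var.cluster_egress_cidrs : c if !can(cidrnetmask(c))]) == 0
    error_message = "cluster_egress_cidrs must contain at least one valid IPv4 CIDR block."
  }
}

# … same validation block for workers_egress_cidrs …
```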
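Review bot: The `description = "Allow nodes all egress to the Internet."` on the first line of the workers.tf hunk no longer matches the rule once `var.workers_egress_cidrs` is overridden, so the security group's self-documentation will be wrong exactly when someone has deliberately locked egress down; `description = "Allow nodes egress to the CIDR blocks in var.workers_egress_cidrs."` is accurate for both cases. Worker nodes presumably still have to reach the EKS API endpoint, ECR and S3 to bootstrap, so a caller that narrows this list without VPC endpoints or a private cluster endpoint will likely break node join — that caveat belongs in the variable description or README rather than being discovered at first node launch. As with cluster.tf, the protocol/port scope of the rule is unchanged, and the enclosing `resource` block begins and ends outside the hunk.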