Skip to content

Commit

Permalink
feat: Add support for specifiying NTP address to use private Amazon T…
Browse files Browse the repository at this point in the history
…ime Sync Service (terraform-aws-modules#2125)
  • Loading branch information
bryantbiggs authored and spr-mweber3 committed Jul 11, 2022
1 parent 618699a commit 91e504a
Show file tree
Hide file tree
Showing 5 changed files with 22 additions and 4 deletions.
2 changes: 2 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -335,6 +335,8 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
| <a name="input_node_security_group_description"></a> [node\_security\_group\_description](#input\_node\_security\_group\_description) | Description of the node security group created | `string` | `"EKS node shared security group"` | no |
| <a name="input_node_security_group_id"></a> [node\_security\_group\_id](#input\_node\_security\_group\_id) | ID of an existing security group to attach to the node groups created | `string` | `""` | no |
| <a name="input_node_security_group_name"></a> [node\_security\_group\_name](#input\_node\_security\_group\_name) | Name to use on node security group created | `string` | `null` | no |
| <a name="input_node_security_group_ntp_ipv4_cidr_block"></a> [node\_security\_group\_ntp\_ipv4\_cidr\_block](#input\_node\_security\_group\_ntp\_ipv4\_cidr\_block) | IPv4 CIDR block to allow NTP egress. Default is public IP space, but [Amazon Time Sync Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html) can be used as well with `["169.254.169.123/32"]` | `list(string)` | <pre>[<br> "0.0.0.0/0"<br>]</pre> | no |
| <a name="input_node_security_group_ntp_ipv6_cidr_block"></a> [node\_security\_group\_ntp\_ipv6\_cidr\_block](#input\_node\_security\_group\_ntp\_ipv6\_cidr\_block) | IPv4 CIDR block to allow NTP egress. Default is public IP space, but [Amazon Time Sync Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html) can be used as well with `["fd00:ec2::123/128"]` | `list(string)` | <pre>[<br> "::/0"<br>]</pre> | no |
| <a name="input_node_security_group_tags"></a> [node\_security\_group\_tags](#input\_node\_security\_group\_tags) | A map of additional tags to add to the node security group created | `map(string)` | `{}` | no |
| <a name="input_node_security_group_use_name_prefix"></a> [node\_security\_group\_use\_name\_prefix](#input\_node\_security\_group\_use\_name\_prefix) | Determines whether node security group name (`node_security_group_name`) is used as a prefix | `string` | `true` | no |
| <a name="input_openid_connect_audiences"></a> [openid\_connect\_audiences](#input\_openid\_connect\_audiences) | List of OpenID Connect audience client IDs to add to the IRSA provider | `list(string)` | `[]` | no |
Expand Down
1 change: 1 addition & 0 deletions examples/complete/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,7 @@ module "eks" {
}

# Extend node-to-node security group rules
node_security_group_ntp_ipv4_cidr_block = ["169.254.169.123/32"]
node_security_group_additional_rules = {
ingress_self_all = {
description = "Node to node all ports/protocols"
Expand Down
1 change: 1 addition & 0 deletions examples/eks_managed_node_group/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,7 @@ module "eks" {
}

# Extend node-to-node security group rules
node_security_group_ntp_ipv4_cidr_block = ["fd00:ec2::123/128"]
node_security_group_additional_rules = {
ingress_self_all = {
description = "Node to node all ports/protocols"
Expand Down
8 changes: 4 additions & 4 deletions node_groups.tf
Original file line number Diff line number Diff line change
Expand Up @@ -130,17 +130,17 @@ locals {
from_port = 123
to_port = 123
type = "egress"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null
cidr_blocks = var.node_security_group_ntp_ipv4_cidr_block
ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? var.node_security_group_ntp_ipv6_cidr_block : null
}
egress_ntp_udp = {
description = "Egress NTP/UDP to internet"
protocol = "udp"
from_port = 123
to_port = 123
type = "egress"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null
cidr_blocks = var.node_security_group_ntp_ipv4_cidr_block
ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? var.node_security_group_ntp_ipv6_cidr_block : null
}
}
}
Expand Down
14 changes: 14 additions & 0 deletions variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -322,6 +322,20 @@ variable "node_security_group_tags" {
default = {}
}

# TODO - at next breaking change, make 169.254.169.123/32 the default
variable "node_security_group_ntp_ipv4_cidr_block" {
description = "IPv4 CIDR block to allow NTP egress. Default is public IP space, but [Amazon Time Sync Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html) can be used as well with `[\"169.254.169.123/32\"]`"
type = list(string)
default = ["0.0.0.0/0"]
}

# TODO - at next breaking change, make fd00:ec2::123/128 the default
variable "node_security_group_ntp_ipv6_cidr_block" {
description = "IPv4 CIDR block to allow NTP egress. Default is public IP space, but [Amazon Time Sync Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html) can be used as well with `[\"fd00:ec2::123/128\"]`"
type = list(string)
default = ["::/0"]
}

################################################################################
# IRSA
################################################################################
Expand Down

0 comments on commit 91e504a

Please sign in to comment.