diff --git a/README.md b/README.md index 5931adafd2..c7fca3e552 100644 --- a/README.md +++ b/README.md @@ -335,6 +335,8 @@ We are grateful to the community for contributing bugfixes and improvements! Ple | [node\_security\_group\_description](#input\_node\_security\_group\_description) | Description of the node security group created | `string` | `"EKS node shared security group"` | no | | [node\_security\_group\_id](#input\_node\_security\_group\_id) | ID of an existing security group to attach to the node groups created | `string` | `""` | no | | [node\_security\_group\_name](#input\_node\_security\_group\_name) | Name to use on node security group created | `string` | `null` | no | +| [node\_security\_group\_ntp\_ipv4\_cidr\_block](#input\_node\_security\_group\_ntp\_ipv4\_cidr\_block) | IPv4 CIDR block to allow NTP egress. Default is public IP space, but [Amazon Time Sync Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html) can be used as well with `["169.254.169.123/32"]` | `list(string)` |
[| no | +| [node\_security\_group\_ntp\_ipv6\_cidr\_block](#input\_node\_security\_group\_ntp\_ipv6\_cidr\_block) | IPv4 CIDR block to allow NTP egress. Default is public IP space, but [Amazon Time Sync Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html) can be used as well with `["fd00:ec2::123/128"]` | `list(string)` |
"0.0.0.0/0"
]
[| no | | [node\_security\_group\_tags](#input\_node\_security\_group\_tags) | A map of additional tags to add to the node security group created | `map(string)` | `{}` | no | | [node\_security\_group\_use\_name\_prefix](#input\_node\_security\_group\_use\_name\_prefix) | Determines whether node security group name (`node_security_group_name`) is used as a prefix | `string` | `true` | no | | [openid\_connect\_audiences](#input\_openid\_connect\_audiences) | List of OpenID Connect audience client IDs to add to the IRSA provider | `list(string)` | `[]` | no | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 91458939b5..55fc8bf38c 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -77,6 +77,7 @@ module "eks" { } # Extend node-to-node security group rules + node_security_group_ntp_ipv4_cidr_block = ["169.254.169.123/32"] node_security_group_additional_rules = { ingress_self_all = { description = "Node to node all ports/protocols" diff --git a/examples/eks_managed_node_group/main.tf b/examples/eks_managed_node_group/main.tf index 63da4c9954..b8f7fd60ab 100644 --- a/examples/eks_managed_node_group/main.tf +++ b/examples/eks_managed_node_group/main.tf @@ -92,6 +92,7 @@ module "eks" { } # Extend node-to-node security group rules + node_security_group_ntp_ipv4_cidr_block = ["fd00:ec2::123/128"] node_security_group_additional_rules = { ingress_self_all = { description = "Node to node all ports/protocols" diff --git a/node_groups.tf b/node_groups.tf index 1996befa28..8c0916ade3 100644 --- a/node_groups.tf +++ b/node_groups.tf @@ -130,8 +130,8 @@ locals { from_port = 123 to_port = 123 type = "egress" - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null + cidr_blocks = var.node_security_group_ntp_ipv4_cidr_block + ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? var.node_security_group_ntp_ipv6_cidr_block : null } egress_ntp_udp = { description = "Egress NTP/UDP to internet" @@ -139,8 +139,8 @@ locals { from_port = 123 to_port = 123 type = "egress" - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null + cidr_blocks = var.node_security_group_ntp_ipv4_cidr_block + ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? var.node_security_group_ntp_ipv6_cidr_block : null } } } diff --git a/variables.tf b/variables.tf index 0f2c2df99b..ad7777063f 100644 --- a/variables.tf +++ b/variables.tf @@ -322,6 +322,20 @@ variable "node_security_group_tags" { default = {} } +# TODO - at next breaking change, make 169.254.169.123/32 the default +variable "node_security_group_ntp_ipv4_cidr_block" { + description = "IPv4 CIDR block to allow NTP egress. Default is public IP space, but [Amazon Time Sync Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html) can be used as well with `[\"169.254.169.123/32\"]`" + type = list(string) + default = ["0.0.0.0/0"] +} + +# TODO - at next breaking change, make fd00:ec2::123/128 the default +variable "node_security_group_ntp_ipv6_cidr_block" { + description = "IPv4 CIDR block to allow NTP egress. Default is public IP space, but [Amazon Time Sync Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html) can be used as well with `[\"fd00:ec2::123/128\"]`" + type = list(string) + default = ["::/0"] +} + ################################################################################ # IRSA ################################################################################
"::/0"
]