feat: Add support for specifiying NTP address to use private Amazon Time Sync Service (terraform-aws-modules#2125)

Author: bryantbiggs

README.md

@@ -335,6 +335,8 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | <a name="input_node_security_group_description"></a> [node\_security\_group\_description](#input\_node\_security\_group\_description) | Description of the node security group created | `string` | `"EKS node shared security group"` | no |
 | <a name="input_node_security_group_id"></a> [node\_security\_group\_id](#input\_node\_security\_group\_id) | ID of an existing security group to attach to the node groups created | `string` | `""` | no |
 | <a name="input_node_security_group_name"></a> [node\_security\_group\_name](#input\_node\_security\_group\_name) | Name to use on node security group created | `string` | `null` | no |
+| <a name="input_node_security_group_ntp_ipv4_cidr_block"></a> [node\_security\_group\_ntp\_ipv4\_cidr\_block](#input\_node\_security\_group\_ntp\_ipv4\_cidr\_block) | IPv4 CIDR block to allow NTP egress. Default is public IP space, but [Amazon Time Sync Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html) can be used as well with `["169.254.169.123/32"]` | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_node_security_group_ntp_ipv6_cidr_block"></a> [node\_security\_group\_ntp\_ipv6\_cidr\_block](#input\_node\_security\_group\_ntp\_ipv6\_cidr\_block) | IPv4 CIDR block to allow NTP egress. Default is public IP space, but [Amazon Time Sync Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html) can be used as well with `["fd00:ec2::123/128"]` | `list(string)` | <pre>[<br>  "::/0"<br>]</pre> | no |
 | <a name="input_node_security_group_tags"></a> [node\_security\_group\_tags](#input\_node\_security\_group\_tags) | A map of additional tags to add to the node security group created | `map(string)` | `{}` | no |
 | <a name="input_node_security_group_use_name_prefix"></a> [node\_security\_group\_use\_name\_prefix](#input\_node\_security\_group\_use\_name\_prefix) | Determines whether node security group name (`node_security_group_name`) is used as a prefix | `string` | `true` | no |
 | <a name="input_openid_connect_audiences"></a> [openid\_connect\_audiences](#input\_openid\_connect\_audiences) | List of OpenID Connect audience client IDs to add to the IRSA provider | `list(string)` | `[]` | no |

examples/complete/main.tf

@@ -77,6 +77,7 @@ module "eks" {
   }
 
   # Extend node-to-node security group rules
+  node_security_group_ntp_ipv4_cidr_block = ["169.254.169.123/32"]
   node_security_group_additional_rules = {
     ingress_self_all = {
       description = "Node to node all ports/protocols"

examples/eks_managed_node_group/main.tf

@@ -92,6 +92,7 @@ module "eks" {
   }
 
   # Extend node-to-node security group rules
+  node_security_group_ntp_ipv4_cidr_block = ["fd00:ec2::123/128"]
   node_security_group_additional_rules = {
     ingress_self_all = {
       description = "Node to node all ports/protocols"

node_groups.tf

@@ -130,17 +130,17 @@ locals {
       from_port        = 123
       to_port          = 123
       type             = "egress"
-      cidr_blocks      = ["0.0.0.0/0"]
-      ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null
+      cidr_blocks      = var.node_security_group_ntp_ipv4_cidr_block
+      ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? var.node_security_group_ntp_ipv6_cidr_block : null
     }
     egress_ntp_udp = {
       description      = "Egress NTP/UDP to internet"
       protocol         = "udp"
       from_port        = 123
       to_port          = 123
       type             = "egress"
-      cidr_blocks      = ["0.0.0.0/0"]
-      ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null
+      cidr_blocks      = var.node_security_group_ntp_ipv4_cidr_block
+      ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? var.node_security_group_ntp_ipv6_cidr_block : null
     }
   }
 }

variables.tf

@@ -322,6 +322,20 @@ variable "node_security_group_tags" {
   default     = {}
 }
 
+# TODO - at next breaking change, make 169.254.169.123/32 the default
+variable "node_security_group_ntp_ipv4_cidr_block" {
+  description = "IPv4 CIDR block to allow NTP egress. Default is public IP space, but [Amazon Time Sync Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html) can be used as well with `[\"169.254.169.123/32\"]`"
+  type        = list(string)
+  default     = ["0.0.0.0/0"]
+}
+
+# TODO - at next breaking change, make fd00:ec2::123/128 the default
+variable "node_security_group_ntp_ipv6_cidr_block" {
+  description = "IPv4 CIDR block to allow NTP egress. Default is public IP space, but [Amazon Time Sync Service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html) can be used as well with `[\"fd00:ec2::123/128\"]`"
+  type        = list(string)
+  default     = ["::/0"]
+}
+
 ################################################################################
 # IRSA
 ################################################################################