feat: support ssh remote sg

terraform/modules/eks/eks-cluster.tf

@@ -77,7 +77,6 @@ resource "aws_cloudwatch_log_group" "eks-logs" {
 }
 
 resource "aws_eks_cluster" "eks" {
-
   depends_on = ["aws_cloudwatch_log_group.eks-logs"]
 
   name     = "${var.cluster-name}"
@@ -86,10 +85,10 @@ resource "aws_eks_cluster" "eks" {
   enabled_cluster_log_types = "${var.enabled_cluster_log_types}"
 
   vpc_config {
-    security_group_ids = ["${aws_security_group.eks-cluster.id}"]
-    subnet_ids         = ["${split(",", var.vpc["create"] ? join(",", concat(aws_subnet.eks-private.*.id, aws_subnet.eks.*.id)) : join(",", concat(split(",", var.vpc["private_subnets_id"]),split(",", var.vpc["public_subnets_id"]))))}"]
+    security_group_ids      = ["${aws_security_group.eks-cluster.id}"]
+    subnet_ids              = ["${split(",", var.vpc["create"] ? join(",", concat(aws_subnet.eks-private.*.id, aws_subnet.eks.*.id)) : join(",", concat(split(",", var.vpc["private_subnets_id"]),split(",", var.vpc["public_subnets_id"]))))}"]
     endpoint_private_access = "${var.endpoint_private_access}"
-    endpoint_public_access = "${var.endpoint_public_access}"
+    endpoint_public_access  = "${var.endpoint_public_access}"
   }
 
   version = "${var.kubernetes_version}"

terraform/modules/eks/eks-worker-nodes.tf

@@ -27,7 +27,7 @@ data "template_file" "eks-node" {
     b64_cluster_ca     = "${aws_eks_cluster.eks.certificate_authority.0.data}"
     cluster_name       = "${var.cluster-name}"
     kubelet_extra_args = "${lookup(var.node-pools[count.index],"kubelet_extra_args")}"
-    extra_user_data = "${lookup(var.node-pools[count.index],"extra_user_data")}"
+    extra_user_data    = "${lookup(var.node-pools[count.index],"extra_user_data")}"
   }
 }
 
@@ -85,11 +85,11 @@ resource "aws_autoscaling_group" "eks" {
         map("key", "eks:node-pool:name", "value", "${lookup(var.node-pools[count.index],"name")}", "propagate_at_launch", true)
       ),
       var.node-pools-tags[count.index])
-    }"
+    }",
   ]
 
   lifecycle {
     create_before_destroy = true
-    ignore_changes = ["desired_capacity"]
+    ignore_changes        = ["desired_capacity"]
   }
 }

terraform/modules/eks/eks-worker-sg.tf

@@ -19,13 +19,13 @@ resource "aws_security_group" "eks-node" {
 }
 
 resource "aws_security_group_rule" "eks-node-ingress-self" {
-  description              = "Allow node to communicate with each other"
-  from_port                = 0
-  protocol                 = "-1"
-  security_group_id        = "${aws_security_group.eks-node.id}"
-  source_security_group_id = "${aws_security_group.eks-node.id}"
-  to_port                  = 65535
-  type                     = "ingress"
+  description       = "Allow node to communicate with each other"
+  from_port         = 0
+  protocol          = "-1"
+  security_group_id = "${aws_security_group.eks-node.id}"
+  to_port           = 65535
+  type              = "ingress"
+  self              = true
 }
 
 resource "aws_security_group_rule" "eks-node-ingress-cluster" {
@@ -48,6 +48,17 @@ resource "aws_security_group_rule" "eks-node-ingress-cluster-443" {
   type                     = "ingress"
 }
 
+resource "aws_security_group_rule" "eks-node-ingress-cluster-ssh" {
+  count                    = "${var.ssh_remote_security_group_id == "" ? 0 : 1}"
+  description              = "Allow worker Kubelets and pods to receive SSH communication from a remote security group"
+  from_port                = 22
+  protocol                 = "tcp"
+  security_group_id        = "${aws_security_group.eks-node.id}"
+  source_security_group_id = "${var.var.ssh_remote_security_group_id}"
+  to_port                  = 22
+  type                     = "ingress"
+}
+
 output "eks-node-sg" {
   value = "${aws_security_group.eks-node.id}"
 }

terraform/modules/eks/variables.tf

@@ -101,7 +101,7 @@ variable "endpoint_private_access" {
 }
 
 variable "enabled_cluster_log_types" {
-  type = "list"
+  type    = "list"
   default = []
 }
 
@@ -110,10 +110,14 @@ variable "cluster_log_retention_in_days" {
 }
 
 variable "allowed_cidr_blocks" {
-  type = "list"
+  type    = "list"
   default = ["0.0.0.0/0"]
 }
 
+variable "ssh_remote_security_group_id" {
+  default = ""
+}
+
 variable "map_users" {
   type = "string"
 }