cloudera-labs · jimright · Dec 6, 2023 · Nov 29, 2023
diff --git a/modules/terraform-cdp-deploy/README.md b/modules/terraform-cdp-deploy/README.md
@@ -51,6 +51,7 @@ No resources.
 | <a name="input_aws_private_subnet_ids"></a> [aws\_private\_subnet\_ids](#input\_aws\_private\_subnet\_ids) | List of private subnet ids. Required for CDP deployment on AWS. | `list(string)` | `null` | no |
 | <a name="input_aws_public_subnet_ids"></a> [aws\_public\_subnet\_ids](#input\_aws\_public\_subnet\_ids) | List of public subnet ids. Required for CDP deployment on AWS. | `list(string)` | `null` | no |
 | <a name="input_aws_ranger_audit_role_arn"></a> [aws\_ranger\_audit\_role\_arn](#input\_aws\_ranger\_audit\_role\_arn) | Ranger Audit Role ARN. Required for CDP deployment on AWS. | `string` | `null` | no |
+| <a name="input_aws_security_access_cidr"></a> [aws\_security\_access\_cidr](#input\_aws\_security\_access\_cidr) | CIDR range for inbound traffic. With this option security groups will be automatically created. Only used for CDP deployment on AWS. Note it is recommended to specify pre-existing security groups instead of this option. | `string` | `null` | no |
 | <a name="input_aws_security_group_default_id"></a> [aws\_security\_group\_default\_id](#input\_aws\_security\_group\_default\_id) | ID of the Default Security Group for CDP environment. Required for CDP deployment on AWS. | `string` | `null` | no |
 | <a name="input_aws_security_group_knox_id"></a> [aws\_security\_group\_knox\_id](#input\_aws\_security\_group\_knox\_id) | ID of the Knox Security Group for CDP environment. Required for CDP deployment on AWS. | `string` | `null` | no |
 | <a name="input_aws_vpc_id"></a> [aws\_vpc\_id](#input\_aws\_vpc\_id) | AWS Virtual Private Network ID. Required for CDP deployment on AWS. | `string` | `null` | no |

diff --git a/modules/terraform-cdp-deploy/main.tf b/modules/terraform-cdp-deploy/main.tf
@@ -28,6 +28,7 @@ module "cdp_on_aws" {
 
   security_group_default_id = var.aws_security_group_default_id
   security_group_knox_id    = var.aws_security_group_knox_id
+  security_access_cidr      = var.aws_security_access_cidr
 
   datalake_scale         = local.datalake_scale
   datalake_version       = var.datalake_version

diff --git a/modules/terraform-cdp-deploy/modules/aws/main.tf b/modules/terraform-cdp-deploy/modules/aws/main.tf
@@ -26,6 +26,7 @@ resource "cdp_environments_aws_environment" "cdp_env" {
   region           = var.region
 
   security_access = {
+    cidr                       = var.security_access_cidr
     default_security_group_id  = var.security_group_default_id
     security_group_id_for_knox = var.security_group_knox_id
   }

diff --git a/modules/terraform-cdp-deploy/modules/aws/variables.tf b/modules/terraform-cdp-deploy/modules/aws/variables.tf
@@ -266,6 +266,13 @@ variable "subnets_for_cdp" {
 
 }
 
+
+variable "security_access_cidr" {
+  type = string
+
+  description = "CIDR range for inbound traffic. With this option security groups will be automatically created."
+}
+
 variable "security_group_default_id" {
   type = string
 

diff --git a/modules/terraform-cdp-deploy/variables.tf b/modules/terraform-cdp-deploy/variables.tf
@@ -403,6 +403,14 @@ variable "aws_security_group_knox_id" {
   default = null
 }
 
+variable "aws_security_access_cidr" {
+  type = string
+
+  description = "CIDR range for inbound traffic. With this option security groups will be automatically created. Only used for CDP deployment on AWS. Note it is recommended to specify pre-existing security groups instead of this option."
+
+  default = null
+}
+
 variable "aws_datalake_admin_role_arn" {
   type = string