juspay · itsharshvb · Jan 13, 2026
diff --git a/terraform/aws/modules/composition/vpc-network/outputs.tf b/terraform/aws/modules/composition/vpc-network/outputs.tf
@@ -240,8 +240,8 @@ output "proxy_peering_nat_c_route_table_id" {
 }
 
 output "eks_worker_route_table_id" {
-  description = "ID of the EKS worker route table (S3 only, no NAT)"
-  value       = module.eks_worker_rt.route_table_id
+  description = "ID of the EKS worker route table (NAT + S3)"
+  value       = var.enable_nat_gateway ? module.eks_worker_rt[0].route_table_id : ""
 }
 
 output "common_local_nat_s3_route_table_id" {

diff --git a/terraform/aws/modules/composition/vpc-network/route-tables.tf b/terraform/aws/modules/composition/vpc-network/route-tables.tf
@@ -202,20 +202,22 @@ module "proxy_peering_nat_c_rt" {
 }
 
 
-# EKS Worker Route Table - Single route table for all EKS worker subnets (S3 only, no NAT)
+# EKS Worker Route Table - Single route table for all EKS worker subnets with NAT access
 module "eks_worker_rt" {
   source = "../../base/route-table"
+  count  = var.enable_nat_gateway ? 1 : 0
 
   vpc_id             = module.vpc.vpc_id
   route_table_name   = "${var.vpc_name}-EKSWorker"
 
-  create_nat_gateway_route = false
+  create_nat_gateway_route = true
+  nat_gateway_id           = module.external_incoming_subnets[0].nat_gateway_id
 
   tags = merge(
     var.tags,
     {
       Name = "${var.vpc_name}-EKSWorker"
-      Type = "eks-worker-s3-only"
+      Type = "eks-worker-nat"
     }
   )
 }
@@ -260,12 +262,12 @@ resource "aws_route_table_association" "management" {
   route_table_id = module.common_internet_s3_rt.route_table_id
 }
 
-# Associate EKS Worker subnets with EKSWorker route table (S3 only, no NAT)
+# Associate EKS Worker subnets with EKSWorker route table (NAT + S3)
 resource "aws_route_table_association" "eks_workers" {
-  count = length(var.eks_workers_subnet_cidrs)
+  count = var.enable_nat_gateway ? length(var.eks_workers_subnet_cidrs) : 0
 
   subnet_id      = module.eks_workers_subnets[count.index].subnet_id
-  route_table_id = module.eks_worker_rt.route_table_id
+  route_table_id = module.eks_worker_rt[0].route_table_id
 }
 
 # Associate EKS Control Plane subnets with CommonLocalRoute

diff --git a/terraform/aws/modules/composition/vpc-network/vpc-endpoints.tf b/terraform/aws/modules/composition/vpc-network/vpc-endpoints.tf
@@ -132,8 +132,8 @@ locals {
     var.enable_nat_gateway && length(var.availability_zones) > 0 ? [module.proxy_peering_nat_a_rt[0].route_table_id] : [],
     var.enable_nat_gateway && length(var.availability_zones) > 1 ? [module.proxy_peering_nat_b_rt[0].route_table_id] : [],
     var.enable_nat_gateway && length(var.availability_zones) > 2 ? [module.proxy_peering_nat_c_rt[0].route_table_id] : [],
-    # EKS Worker route table (S3 only, no NAT)
-    [module.eks_worker_rt.route_table_id],
+    # EKS Worker route table (NAT + S3)
+    var.enable_nat_gateway ? [module.eks_worker_rt[0].route_table_id] : [],
     # Common Local NAT S3 route table (NAT + S3)
     var.enable_nat_gateway ? [module.common_local_nat_s3_rt[0].route_table_id] : [],
     var.include_database_route_tables_in_gateway_endpoints ? [module.db_route_table.route_table_id] : []