caioariede · August 12, 2025 11:22
diff --git a/find-eks-cidrs.sh b/find-eks-cidrs.sh
 #!/usr/bin/env bash
 # find_eks_cidrs.sh - Fast, comprehensive EKS CIDR discovery
 # Author: Caio Ariede <[email protected], [email protected]>
 # Usage:
 #   ./find_eks_cidrs.sh [--no-vpc-subnets] [--no-vpc] [--no-alb] [--alb-dns <dns1[,dns2,...]>] \
 #       [-r <region>] [-c <cluster>] [--test-ip <ip>] [--quiet] [--no-color]
 #
 # Outputs categorized CIDR ranges to stdout

 set -euo pipefail
 export AWS_PAGER=""

 CLUSTER="${CLUSTER:-}"
 REGION="${REGION:-}"
 INCLUDE_VPC=1
 INCLUDE_ALB=1
 INCLUDE_VPC_SUBNETS=1  # Default: include ALL VPC subnets
 ALB_DNS_RAW=""
 TEST_IP=""
 QUIET=0
 USE_COLOR=1
 PARALLEL_JOBS=8  # Number of parallel AWS API calls

 usage() {
  cat <<USAGE
 Usage: $0 [OPTIONS]

 Options:
  -c, --cluster <name>       EKS cluster name
  -r, --region <region>      AWS region
  --no-vpc-subnets           Exclude additional VPC subnets (not recommended)
  --no-vpc                   Exclude VPC CIDR blocks
  --no-alb                   Exclude ALB subnet discovery
  --alb-dns <dns1[,dns2,...]> Specific ALB DNS names to check
  --test-ip <ip>             Test if IP matches any discovered CIDR
  --quiet                    Suppress progress logs (only show results)
  --no-color                 Disable colored output
  -h, --help                 Show this help message

 Performance Tips:
  - Set CLUSTER and REGION environment variables to skip auto-detection
  - Use --no-alb if ALB subnets aren't needed (saves time)

 Examples:
  # Standard usage (discovers all VPC subnets by default)
  $0
  
  # Fast mode with known cluster/region
  CLUSTER=my-cluster REGION=us-east-1 $0
  
  # Test if a specific IP is in discovered ranges
  $0 --test-ip 172.15.122.189
  
  # Minimal discovery (EKS subnets only)
  $0 --no-vpc-subnets --no-vpc --no-alb
 USAGE
 }

 # -------- Colors & Formatting ----------
 if [[ ! -t 2 ]] || [[ ! -t 1 ]]; then USE_COLOR=0; fi
 for arg in "$@"; do [[ "$arg" == "--no-color" ]] && USE_COLOR=0; done
 if [[ $USE_COLOR -eq 1 ]]; then
  C_RESET=$'\033[0m'
  C_HEADER=$'\033[1;36m'    # bold cyan
  C_SECTION=$'\033[1;34m'   # bold blue
  C_SUCCESS=$'\033[1;32m'   # bold green
  C_INFO=$'\033[32m'        # green
  C_WARN=$'\033[1;33m'      # bold yellow
  C_ERR=$'\033[1;31m'       # bold red
  C_DIM=$'\033[90m'         # gray
  C_HIGHLIGHT=$'\033[1;35m' # bold magenta
 else
  C_RESET= C_HEADER= C_SECTION= C_SUCCESS= C_INFO= C_WARN= C_ERR= C_DIM= C_HIGHLIGHT=
 fi

 # -------- Logging Functions ----------
 # Progress logs go to stderr, results go to stdout
 _log() { [[ $QUIET -eq 0 ]] && printf "%s\n" "$1" >&2 || true; }
 header() { _log "${C_HEADER}════════════════════════════════════════════════════════${C_RESET}"; _log "${C_HEADER}  $1${C_RESET}"; _log "${C_HEADER}════════════════════════════════════════════════════════${C_RESET}"; }
 section() { _log ""; _log "${C_SECTION}▶ $1${C_RESET}"; }
 info() { _log "${C_INFO}  • $1${C_RESET}"; }
 success() { _log "${C_SUCCESS}  ✓ $1${C_RESET}"; }
 warn() { _log "${C_WARN}  ⚠ $1${C_RESET}"; }
 error() { printf "${C_ERR}  ✗ $1${C_RESET}\n" >&2; }
 debug() { [[ "${DEBUG:-0}" == "1" ]] && _log "${C_DIM}  [DEBUG] $1${C_RESET}" || true; }

 # Output functions (to stdout)
 out_section() { printf "\n${C_SECTION}%s${C_RESET}\n" "$1"; }
 out_info() { printf "${C_INFO}%s${C_RESET}\n" "$1"; }
 out_highlight() { printf "${C_HIGHLIGHT}%s${C_RESET}\n" "$1"; }
 out_warn() { printf "${C_WARN}%s${C_RESET}\n" "$1"; }

 # Progress indicator for long operations
 spinner() {
  local pid=$1 msg=$2
  local spin='⣾⣽⣻⢿⡿⣟⣯⣷'
  local i=0
  while kill -0 $pid 2>/dev/null; do
    [[ $QUIET -eq 0 ]] && printf "\r${C_INFO}  %s %s ${C_RESET}" "${spin:$i:1}" "$msg" >&2
    i=$(( (i+1) % ${#spin} ))
    sleep 0.1
  done
  [[ $QUIET -eq 0 ]] && printf "\r\033[K" >&2  # Clear line
 }

 # -------- Utility Functions ----------
 dedup_list() {
  local item seen j
  local -a out=()
  for item in "$@"; do
    seen=0
    for j in "${out[@]}"; do [[ "$item" == "$j" ]] && { seen=1; break; }; done
    [[ $seen -eq 0 && -n "$item" ]] && out+=("$item")
  done
  printf '%s\n' "${out[@]}"
 }

 # Sort CIDRs numerically
 sort_cidrs() {
  printf '%s\n' "$@" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
 }

 # -------- Parse Arguments ----------
 while [[ $# -gt 0 ]]; do
  case "$1" in
    -c|--cluster) CLUSTER="${2:-}"; shift 2 ;;
    -r|--region)  REGION="${2:-}"; shift 2 ;;
    --no-vpc)     INCLUDE_VPC=0; shift ;;
    --no-alb)     INCLUDE_ALB=0; shift ;;
    --no-vpc-subnets) INCLUDE_VPC_SUBNETS=0; shift ;;
    --alb-dns)    ALB_DNS_RAW="${2:-}"; INCLUDE_ALB=1; shift 2 ;;
    --test-ip)    TEST_IP="${2:-}"; shift 2 ;;
    --quiet)      QUIET=1; shift ;;
    --no-color)   USE_COLOR=0; shift ;;
    -h|--help)    usage; exit 0 ;;
    *) error "Unknown arg: $1"; usage; exit 1 ;;
  esac
 done

 # -------- Main Execution ----------
 header "EKS CIDR Discovery Tool"

 # -------- Auto-detect Cluster & Region ----------
 section "Configuration"

 if [[ -n "${CLUSTER}" && -n "${REGION}" ]]; then
  success "Using provided: CLUSTER=$CLUSTER, REGION=$REGION"
 else
  info "Auto-detecting cluster and region..."
  
  # Try kubectl context
  if [[ -z "${CLUSTER}" ]] && command -v kubectl >/dev/null 2>&1; then
    KUBE_CLUSTER_REF="$(kubectl config view --minify -o jsonpath='{.contexts[0].context.cluster}' 2>/dev/null || true)"
    if [[ -n "$KUBE_CLUSTER_REF" ]]; then
      if [[ "$KUBE_CLUSTER_REF" == arn:aws:eks:* ]]; then
        CLUSTER="${KUBE_CLUSTER_REF##*/}"
        REGION="${REGION:-$(cut -d: -f4 <<<"$KUBE_CLUSTER_REF")}"
      else
        CLUSTER="$KUBE_CLUSTER_REF"
      fi
    fi
    
    if [[ -z "${REGION}" ]]; then
      ENDPOINT="$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}' 2>/dev/null || true)"
      if [[ "$ENDPOINT" =~ \.([a-z0-9-]+)\.eks\.amazonaws\.com ]]; then
        REGION="${BASH_REMATCH[1]}"
      fi
    fi
  fi
  
  if [[ -n "${CLUSTER}" && -n "${REGION}" ]]; then
    success "Auto-detected: CLUSTER=$CLUSTER, REGION=$REGION"
  elif [[ -n "${CLUSTER}" && -z "${REGION}" ]]; then
    warn "Cluster found but no region. Scanning AWS regions (this may take a while)..."
    REGIONS_LIST="$(aws ec2 describe-regions --query 'Regions[].RegionName' --output text 2>/dev/null)"
    for r in $REGIONS_LIST; do
      if aws eks describe-cluster --region "$r" --name "$CLUSTER" >/dev/null 2>&1; then
        REGION="$r"
        success "Found cluster in region: $REGION"
        break
      fi
    done
  fi
 fi

 # Final validation
 if [[ -z "${CLUSTER}" ]]; then
  error "Could not determine EKS cluster. Set CLUSTER env var or use -c <cluster>"
  exit 1
 fi
 if [[ -z "${REGION}" ]]; then
  error "Could not determine AWS region. Set REGION env var or use -r <region>"
  exit 2
 fi

 # -------- Fetch EKS & VPC Info ----------
 section "EKS Cluster Information"

 # Fetch all EKS info in one call for efficiency
 info "Fetching EKS cluster details..."
 EKS_INFO=$(aws eks describe-cluster --region "${REGION}" --name "${CLUSTER}" --query 'cluster.{vpc:resourcesVpcConfig.vpcId,subnets:resourcesVpcConfig.subnetIds}' --output json 2>&1)

 if [[ -z "$EKS_INFO" ]] || [[ "$EKS_INFO" == *"error"* ]] || [[ "$EKS_INFO" == *"An error occurred"* ]]; then
  error "Failed to fetch EKS cluster information. Check cluster name and region."
  [[ -n "$EKS_INFO" ]] && debug "AWS Error: $EKS_INFO"
  exit 3
 fi

 VPC_ID=$(echo "$EKS_INFO" | grep -o '"vpc"[[:space:]]*:[[:space:]]*"[^"]*"' | cut -d'"' -f4)
 if [[ -z "$VPC_ID" ]]; then
  error "Failed to extract VPC ID from EKS cluster information"
  exit 3
 fi
 info "VPC ID: ${C_HIGHLIGHT}$VPC_ID${C_RESET}"

 # Get EKS subnet IDs using jq for better JSON parsing
 debug "EKS_INFO: $EKS_INFO"
 if command -v jq >/dev/null 2>&1; then
  # Use jq if available
  EKS_SUBNET_IDS=()
  while IFS= read -r subnet_id; do
    [[ -n "$subnet_id" ]] && EKS_SUBNET_IDS+=("$subnet_id")
  done < <(echo "$EKS_INFO" | jq -r '.subnets[]' 2>/dev/null)
 else
  # Fallback to grep-based parsing
  EKS_SUBNET_IDS=($(echo "$EKS_INFO" | grep -o '"subnet-[^"]*"' | tr -d '"'))
 fi
 info "EKS Configured Subnets: ${C_HIGHLIGHT}${#EKS_SUBNET_IDS[@]} subnets${C_RESET}"
 debug "EKS_SUBNET_IDS: ${EKS_SUBNET_IDS[@]}"

 # -------- Parallel Subnet Discovery ----------
 section "Subnet Discovery"

 # Fetch ALL subnet info in one API call (much faster!)
 info "Fetching all VPC subnets..."
 ALL_SUBNETS_JSON=$(aws ec2 describe-subnets --region "${REGION}" --filters "Name=vpc-id,Values=${VPC_ID}" --query 'Subnets[*].[SubnetId,CidrBlock,Tags[?Key==`Name`]|[0].Value]' --output json 2>/dev/null)

 if [[ -z "$ALL_SUBNETS_JSON" ]]; then
  error "Failed to fetch subnet information"
  exit 3
 fi

 # Parse subnets
 ALL_VPC_SUBNET_CIDRS=()
 EKS_SUBNET_CIDRS=()
 ADDITIONAL_SUBNET_CIDRS=()

 # Associative array to store CIDR to subnet name mappings
 declare -A CIDR_TO_NAME

 # Parse JSON array of arrays using jq if available, otherwise use grep
 if command -v jq >/dev/null 2>&1; then
  # Use jq for proper JSON parsing
  while IFS=$'\t' read -r subnet_id cidr name; do
    [[ -n "$cidr" ]] && ALL_VPC_SUBNET_CIDRS+=("$cidr")
    
    # Store the subnet name, extract the meaningful part (e.g., "workers-us-east-1a" from "develop-workers-us-east-1a-subnet")
    if [[ -n "$name" && -n "$cidr" ]]; then
      # Remove common prefix "develop-" and suffix "-subnet" for cleaner display
      clean_name="${name#develop-}"
      clean_name="${clean_name%-subnet}"
      CIDR_TO_NAME["$cidr"]="$clean_name"
    fi
    
    # Check if it's an EKS subnet
    is_eks=0
    for eks_id in "${EKS_SUBNET_IDS[@]}"; do
      [[ "$subnet_id" == "$eks_id" ]] && { is_eks=1; break; }
    done
    
    if [[ $is_eks -eq 1 ]]; then
      EKS_SUBNET_CIDRS+=("$cidr")
      debug "EKS subnet: $subnet_id => $cidr ($name)"
    else
      ADDITIONAL_SUBNET_CIDRS+=("$cidr")
      debug "Additional subnet: $subnet_id => $cidr ($name)"
    fi
  done < <(echo "$ALL_SUBNETS_JSON" | jq -r '.[] | @tsv' 2>/dev/null)
 else
  # Fallback: parse the JSON arrays manually
  while IFS= read -r line; do
    # Skip empty lines and the outer brackets
    [[ "$line" =~ ^[[:space:]]*\[?[[:space:]]*$ ]] && continue
    [[ "$line" =~ ^[[:space:]]*\]?[[:space:]]*$ ]] && continue
    
    # Extract subnet ID, CIDR, and name from lines like: ["subnet-xxx", "10.x.x.x/x", "name"]
    if [[ "$line" =~ \"(subnet-[^\"]+)\".*\"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+)\".*\"([^\"]+)\" ]]; then
      subnet_id="${BASH_REMATCH[1]}"
      cidr="${BASH_REMATCH[2]}"
      name="${BASH_REMATCH[3]}"
      
      [[ -n "$cidr" ]] && ALL_VPC_SUBNET_CIDRS+=("$cidr")
      
      # Store the subnet name
      if [[ -n "$name" && -n "$cidr" ]]; then
        clean_name="${name#develop-}"
        clean_name="${clean_name%-subnet}"
        CIDR_TO_NAME["$cidr"]="$clean_name"
      fi
      
      # Check if it's an EKS subnet
      is_eks=0
      for eks_id in "${EKS_SUBNET_IDS[@]}"; do
        [[ "$subnet_id" == "$eks_id" ]] && { is_eks=1; break; }
      done
      
      if [[ $is_eks -eq 1 ]]; then
        EKS_SUBNET_CIDRS+=("$cidr")
      else
        ADDITIONAL_SUBNET_CIDRS+=("$cidr")
      fi
    fi
  done < <(echo "$ALL_SUBNETS_JSON")
 fi

 success "Found ${#ALL_VPC_SUBNET_CIDRS[@]} total subnets in VPC"
 info "├─ EKS Configured: ${#EKS_SUBNET_CIDRS[@]} subnets"
 info "└─ Additional VPC: ${#ADDITIONAL_SUBNET_CIDRS[@]} subnets"

 # -------- VPC CIDR Blocks ----------
 VPC_CIDRS=()
 if [[ $INCLUDE_VPC -eq 1 ]]; then
  VPC_CIDRS_STR=$(aws ec2 describe-vpcs --region "${REGION}" --vpc-ids "${VPC_ID}" --query 'Vpcs[0].CidrBlockAssociationSet[?AssociationState.State==`associated`].CidrBlock' --output text 2>/dev/null)
  read -r -a VPC_CIDRS <<<"$VPC_CIDRS_STR"
  [[ ${#VPC_CIDRS[@]} -gt 0 ]] && info "VPC CIDR blocks: ${#VPC_CIDRS[@]}"
 fi

 # -------- ALB Discovery (Optimized) ----------
 ALB_SUBNET_CIDRS=()
 if [[ $INCLUDE_ALB -eq 1 ]]; then
  section "ALB Discovery"
  
  ALB_DNS=()
  if [[ -n "$ALB_DNS_RAW" ]]; then
    IFS=',' read -r -a ALB_DNS <<<"$ALB_DNS_RAW"
    info "Using provided ALB DNS names: ${#ALB_DNS[@]}"
  elif command -v kubectl >/dev/null 2>&1; then
    # Get all load balancers in one kubectl call
    ALL_LB_DNS=$(kubectl get ingress,svc -A -o json 2>/dev/null | \
      grep -o '"hostname"[[:space:]]*:[[:space:]]*"[^"]*"' | \
      cut -d'"' -f4 | sort -u)
    
    while IFS= read -r dns; do
      [[ -n "$dns" ]] && ALB_DNS+=("$dns")
    done <<<"$ALL_LB_DNS"
    
    info "Auto-discovered ${#ALB_DNS[@]} load balancer DNS names"
  fi
  
  if [[ ${#ALB_DNS[@]} -gt 0 ]]; then
    # Batch process ALBs
    info "Fetching ALB information..."
    ALL_ALBS_JSON=$(aws elbv2 describe-load-balancers --region "$REGION" --query 'LoadBalancers[?Type==`application`].[LoadBalancerArn,DNSName,AvailabilityZones[].SubnetId]' --output json 2>/dev/null)
    
    if [[ -n "$ALL_ALBS_JSON" ]]; then
      ALB_SUBNET_IDS=()
      alb_count=0
      
      if command -v jq >/dev/null 2>&1; then
        # Use jq for proper JSON parsing
        while IFS=$'\t' read -r arn dns_name subnet_ids; do
          for target_dns in "${ALB_DNS[@]}"; do
            if [[ "$dns_name" == "$target_dns" ]]; then
              ((alb_count++))
              # Parse the subnet IDs array
              while IFS= read -r sid; do
                [[ -n "$sid" ]] && ALB_SUBNET_IDS+=("$sid")
              done < <(echo "$subnet_ids" | jq -r '.[]' 2>/dev/null)
              break
            fi
          done
        done < <(echo "$ALL_ALBS_JSON" | jq -r '.[] | @tsv' 2>/dev/null)
      else
        # Fallback to grep-based parsing
        while IFS= read -r line; do
          # Skip empty lines and brackets
          [[ "$line" =~ ^[[:space:]]*\[?[[:space:]]*$ ]] && continue
          [[ "$line" =~ ^[[:space:]]*\]?[[:space:]]*$ ]] && continue
          
          # Extract DNS name from the line
          if [[ "$line" =~ \"([^\"]*\.amazonaws\.com)\" ]]; then
            dns_name="${BASH_REMATCH[1]}"
            
            for target_dns in "${ALB_DNS[@]}"; do
              if [[ "$dns_name" == "$target_dns" ]]; then
                ((alb_count++))
                # Extract all subnet IDs from the same line or following lines
                subnet_ids=$(echo "$line" | grep -o '"subnet-[^"]*"' | tr -d '"')
                for sid in $subnet_ids; do
                  ALB_SUBNET_IDS+=("$sid")
                done
                break
              fi
            done
          fi
        done < <(echo "$ALL_ALBS_JSON")
      fi
      
      if [[ ${#ALB_SUBNET_IDS[@]} -gt 0 ]]; then
        # Dedup and get CIDRs
        mapfile -t ALB_SUBNET_IDS < <(dedup_list "${ALB_SUBNET_IDS[@]}")
        
        # We already have all subnet info from earlier!
        for subnet_id in "${ALB_SUBNET_IDS[@]}"; do
          cidr=$(echo "$ALL_SUBNETS_JSON" | grep -B1 -A1 "\"$subnet_id\"" | grep -o '"10\.[^"]*\|"172\.[^"]*\|"192\.[^"]*' | tr -d '"' | head -1)
          [[ -n "$cidr" ]] && ALB_SUBNET_CIDRS+=("$cidr")
        done
        
        # Dedup ALB CIDRs
        mapfile -t ALB_SUBNET_CIDRS < <(dedup_list "${ALB_SUBNET_CIDRS[@]}")
        success "Found $alb_count ALBs using ${#ALB_SUBNET_CIDRS[@]} unique subnets"
      fi
    else
      info "No ALB information retrieved"
    fi
  fi
 fi

 # -------- Node Information ----------
 NODE_IPS=()
 if command -v kubectl >/dev/null 2>&1 && [[ $QUIET -eq 0 ]]; then
  section "Cluster Nodes"
  if command -v jq >/dev/null 2>&1; then
    # Use jq for proper JSON parsing
    while IFS= read -r ip; do
      [[ -n "$ip" ]] && NODE_IPS+=("$ip")
    done < <(kubectl get nodes -o json 2>/dev/null | jq -r '.items[].status.addresses[] | select(.type=="InternalIP") | .address' 2>/dev/null)
  else
    # Fallback to grep-based parsing
    NODE_INFO=$(kubectl get nodes -o wide --no-headers 2>/dev/null | awk '{print $6}')
    while IFS= read -r ip; do
      [[ -n "$ip" ]] && NODE_IPS+=("$ip")
    done <<<"$NODE_INFO"
  fi
  
  if [[ ${#NODE_IPS[@]} -gt 0 ]]; then
    info "Found ${#NODE_IPS[@]} nodes in cluster"
    if [[ -n "$TEST_IP" ]]; then
      for node_ip in "${NODE_IPS[@]}"; do
        if [[ "$node_ip" == "$TEST_IP" ]]; then
          success "Test IP $TEST_IP is a NODE IP!"
          break
        fi
      done
    fi
  fi
 fi

 # -------- Test IP Against All Categories ----------
 if [[ -n "$TEST_IP" ]] && command -v python3 >/dev/null 2>&1; then
  section "IP Test Results"
  info "Testing IP: ${C_HIGHLIGHT}$TEST_IP${C_RESET}"
  
  test_category() {
    local category="$1"
    shift
    local cidrs=("$@")
    
    if [[ ${#cidrs[@]} -eq 0 ]]; then
      return
    fi
    
    PY_EXPR='import ipaddress,sys
 ip=ipaddress.ip_address(sys.argv[1]); cidrs=sys.argv[2:];
 hits=[c for c in cidrs if ip in ipaddress.ip_network(c, strict=False)];
 if hits: print("MATCH|" + ",".join(hits))
 else: print("NO-MATCH|")'
    
    result=$(python3 -c "$PY_EXPR" "$TEST_IP" "${cidrs[@]}")
    match_status="${result%%|*}"
    matched_cidrs="${result#*|}"
    
    if [[ "$match_status" == "MATCH" ]]; then
      # Add subnet name if available
      match_display="$matched_cidrs"
      for matched_cidr in ${matched_cidrs//,/ }; do
        subnet_name="${CIDR_TO_NAME[$matched_cidr]}"
        if [[ -n "$subnet_name" ]]; then
          match_display="$matched_cidr - $subnet_name"
          break  # Usually only one match
        fi
      done
      success "$category: MATCH ($match_display)"
    else
      info "$category: No match"
    fi
  }
  
  test_category "EKS Subnets" "${EKS_SUBNET_CIDRS[@]}"
  [[ $INCLUDE_VPC_SUBNETS -eq 1 ]] && test_category "Additional VPC Subnets" "${ADDITIONAL_SUBNET_CIDRS[@]}"
  [[ $INCLUDE_VPC -eq 1 ]] && test_category "VPC CIDR Blocks" "${VPC_CIDRS[@]}"
  [[ $INCLUDE_ALB -eq 1 ]] && test_category "ALB Subnets" "${ALB_SUBNET_CIDRS[@]}"
  
  if [[ $INCLUDE_VPC_SUBNETS -eq 0 ]]; then
    warn "Note: Additional VPC subnets excluded. Use without --no-vpc-subnets for full coverage"
  fi
 fi

 # -------- Output Results (to stdout) ----------
 printf "\n"
 out_section "════════════════════════════════════════════════════════"
 out_section "  DISCOVERED CIDR RANGES"
 out_section "════════════════════════════════════════════════════════"

 # EKS Subnets
 if [[ ${#EKS_SUBNET_CIDRS[@]} -gt 0 ]]; then
  out_section "EKS Configured Subnets (${#EKS_SUBNET_CIDRS[@]}):"
  for cidr in $(sort_cidrs "${EKS_SUBNET_CIDRS[@]}"); do
    subnet_name="${CIDR_TO_NAME[$cidr]}"
    if [[ -n "$subnet_name" ]]; then
      out_info "  $cidr  ${C_DIM}[$subnet_name]${C_RESET}"
    else
      out_info "  $cidr"
    fi
  done
 fi

 # Additional VPC Subnets
 if [[ $INCLUDE_VPC_SUBNETS -eq 1 && ${#ADDITIONAL_SUBNET_CIDRS[@]} -gt 0 ]]; then
  out_section "Additional VPC Subnets (${#ADDITIONAL_SUBNET_CIDRS[@]}):"
  for cidr in $(sort_cidrs "${ADDITIONAL_SUBNET_CIDRS[@]}"); do
    subnet_name="${CIDR_TO_NAME[$cidr]}"
    if [[ -n "$subnet_name" ]]; then
      out_highlight "  $cidr  ${C_DIM}[$subnet_name]${C_RESET}"
    else
      out_highlight "  $cidr"
    fi
  done
 elif [[ $INCLUDE_VPC_SUBNETS -eq 0 && ${#ADDITIONAL_SUBNET_CIDRS[@]} -gt 0 ]]; then
  out_warn "Additional VPC Subnets: EXCLUDED (--no-vpc-subnets)"
  out_warn "  ${#ADDITIONAL_SUBNET_CIDRS[@]} subnets not shown"
 fi

 # VPC CIDR Blocks
 if [[ $INCLUDE_VPC -eq 1 && ${#VPC_CIDRS[@]} -gt 0 ]]; then
  out_section "VPC CIDR Blocks (${#VPC_CIDRS[@]}):"
  for cidr in $(sort_cidrs "${VPC_CIDRS[@]}"); do
    out_info "  $cidr"
  done
 elif [[ $INCLUDE_VPC -eq 0 && ${#VPC_CIDRS[@]} -gt 0 ]]; then
  out_warn "VPC CIDR Blocks: EXCLUDED (--no-vpc)"
 fi

 # ALB Subnets
 if [[ $INCLUDE_ALB -eq 1 && ${#ALB_SUBNET_CIDRS[@]} -gt 0 ]]; then
  out_section "ALB Subnets (${#ALB_SUBNET_CIDRS[@]}):"
  for cidr in $(sort_cidrs "${ALB_SUBNET_CIDRS[@]}"); do
    out_info "  $cidr"
  done
 elif [[ $INCLUDE_ALB -eq 0 ]]; then
  out_warn "ALB Subnets: EXCLUDED (--no-alb)"
 fi

 # Summary
 out_section "────────────────────────────────────────────────────────"
 total_count=$((${#EKS_SUBNET_CIDRS[@]} + ($INCLUDE_VPC_SUBNETS * ${#ADDITIONAL_SUBNET_CIDRS[@]}) + ($INCLUDE_VPC * ${#VPC_CIDRS[@]}) + ($INCLUDE_ALB * ${#ALB_SUBNET_CIDRS[@]})))
 out_section "Total CIDR ranges: $total_count"

 if [[ $INCLUDE_VPC_SUBNETS -eq 0 ]]; then
  printf "\n"
  out_warn "⚠ Additional VPC subnets excluded (--no-vpc-subnets)"
  out_warn "  For comprehensive coverage, run without --no-vpc-subnets"
 fi

 printf "\n"
	#!/usr/bin/env bash
	# find_eks_cidrs.sh - Fast, comprehensive EKS CIDR discovery
	# Author: Caio Ariede <[email protected], [email protected]>
	# Usage:
	# ./find_eks_cidrs.sh [--no-vpc-subnets] [--no-vpc] [--no-alb] [--alb-dns <dns1[,dns2,...]>] \
	# [-r <region>] [-c <cluster>] [--test-ip <ip>] [--quiet] [--no-color]
	#
	# Outputs categorized CIDR ranges to stdout

	set -euo pipefail
	export AWS_PAGER=""

	CLUSTER="${CLUSTER:-}"
	REGION="${REGION:-}"
	INCLUDE_VPC=1
	INCLUDE_ALB=1
	INCLUDE_VPC_SUBNETS=1 # Default: include ALL VPC subnets
	ALB_DNS_RAW=""
	TEST_IP=""
	QUIET=0
	USE_COLOR=1
	PARALLEL_JOBS=8 # Number of parallel AWS API calls

	usage() {
	cat <<USAGE
	Usage: $0 [OPTIONS]

	Options:
	-c, --cluster <name> EKS cluster name
	-r, --region <region> AWS region
	--no-vpc-subnets Exclude additional VPC subnets (not recommended)
	--no-vpc Exclude VPC CIDR blocks
	--no-alb Exclude ALB subnet discovery
	--alb-dns <dns1[,dns2,...]> Specific ALB DNS names to check
	--test-ip <ip> Test if IP matches any discovered CIDR
	--quiet Suppress progress logs (only show results)
	--no-color Disable colored output
	-h, --help Show this help message

	Performance Tips:
	- Set CLUSTER and REGION environment variables to skip auto-detection
	- Use --no-alb if ALB subnets aren't needed (saves time)

	Examples:
	# Standard usage (discovers all VPC subnets by default)
	$0

	# Fast mode with known cluster/region
	CLUSTER=my-cluster REGION=us-east-1 $0

	# Test if a specific IP is in discovered ranges
	$0 --test-ip 172.15.122.189

	# Minimal discovery (EKS subnets only)
	$0 --no-vpc-subnets --no-vpc --no-alb
	USAGE
	}

	# -------- Colors & Formatting ----------
	if [[ ! -t 2 ]] \|\| [[ ! -t 1 ]]; then USE_COLOR=0; fi
	for arg in "$@"; do [[ "$arg" == "--no-color" ]] && USE_COLOR=0; done
	if [[ $USE_COLOR -eq 1 ]]; then
	C_RESET=$'\033[0m'
	C_HEADER=$'\033[1;36m' # bold cyan
	C_SECTION=$'\033[1;34m' # bold blue
	C_SUCCESS=$'\033[1;32m' # bold green
	C_INFO=$'\033[32m' # green
	C_WARN=$'\033[1;33m' # bold yellow
	C_ERR=$'\033[1;31m' # bold red
	C_DIM=$'\033[90m' # gray
	C_HIGHLIGHT=$'\033[1;35m' # bold magenta
	else
	C_RESET= C_HEADER= C_SECTION= C_SUCCESS= C_INFO= C_WARN= C_ERR= C_DIM= C_HIGHLIGHT=
	fi

	# -------- Logging Functions ----------
	# Progress logs go to stderr, results go to stdout
	_log() { [[ $QUIET -eq 0 ]] && printf "%s\n" "$1" >&2 \|\| true; }
	header() { _log "${C_HEADER}════════════════════════════════════════════════════════${C_RESET}"; _log "${C_HEADER} $1${C_RESET}"; _log "${C_HEADER}════════════════════════════════════════════════════════${C_RESET}"; }
	section() { _log ""; _log "${C_SECTION}▶ $1${C_RESET}"; }
	info() { _log "${C_INFO} • $1${C_RESET}"; }
	success() { _log "${C_SUCCESS} ✓ $1${C_RESET}"; }
	warn() { _log "${C_WARN} ⚠ $1${C_RESET}"; }
	error() { printf "${C_ERR} ✗ $1${C_RESET}\n" >&2; }
	debug() { [[ "${DEBUG:-0}" == "1" ]] && _log "${C_DIM} [DEBUG] $1${C_RESET}" \|\| true; }

	# Output functions (to stdout)
	out_section() { printf "\n${C_SECTION}%s${C_RESET}\n" "$1"; }
	out_info() { printf "${C_INFO}%s${C_RESET}\n" "$1"; }
	out_highlight() { printf "${C_HIGHLIGHT}%s${C_RESET}\n" "$1"; }
	out_warn() { printf "${C_WARN}%s${C_RESET}\n" "$1"; }

	# Progress indicator for long operations
	spinner() {
	local pid=$1 msg=$2
	local spin='⣾⣽⣻⢿⡿⣟⣯⣷'
	local i=0
	while kill -0 $pid 2>/dev/null; do
	[[ $QUIET -eq 0 ]] && printf "\r${C_INFO} %s %s ${C_RESET}" "${spin:$i:1}" "$msg" >&2
	i=$(( (i+1) % ${#spin} ))
	sleep 0.1
	done
	[[ $QUIET -eq 0 ]] && printf "\r\033[K" >&2 # Clear line
	}

	# -------- Utility Functions ----------
	dedup_list() {
	local item seen j
	local -a out=()
	for item in "$@"; do
	seen=0
	for j in "${out[@]}"; do [[ "$item" == "$j" ]] && { seen=1; break; }; done
	[[ $seen -eq 0 && -n "$item" ]] && out+=("$item")
	done
	printf '%s\n' "${out[@]}"
	}

	# Sort CIDRs numerically
	sort_cidrs() {
	printf '%s\n' "$@" \| sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
	}

	# -------- Parse Arguments ----------
	while [[ $# -gt 0 ]]; do
	case "$1" in
	-c\|--cluster) CLUSTER="${2:-}"; shift 2 ;;
	-r\|--region) REGION="${2:-}"; shift 2 ;;
	--no-vpc) INCLUDE_VPC=0; shift ;;
	--no-alb) INCLUDE_ALB=0; shift ;;
	--no-vpc-subnets) INCLUDE_VPC_SUBNETS=0; shift ;;
	--alb-dns) ALB_DNS_RAW="${2:-}"; INCLUDE_ALB=1; shift 2 ;;
	--test-ip) TEST_IP="${2:-}"; shift 2 ;;
	--quiet) QUIET=1; shift ;;
	--no-color) USE_COLOR=0; shift ;;
	-h\|--help) usage; exit 0 ;;
	*) error "Unknown arg: $1"; usage; exit 1 ;;
	esac
	done

	# -------- Main Execution ----------
	header "EKS CIDR Discovery Tool"

	# -------- Auto-detect Cluster & Region ----------
	section "Configuration"

	if [[ -n "${CLUSTER}" && -n "${REGION}" ]]; then
	success "Using provided: CLUSTER=$CLUSTER, REGION=$REGION"
	else
	info "Auto-detecting cluster and region..."

	# Try kubectl context
	if [[ -z "${CLUSTER}" ]] && command -v kubectl >/dev/null 2>&1; then
	KUBE_CLUSTER_REF="$(kubectl config view --minify -o jsonpath='{.contexts[0].context.cluster}' 2>/dev/null \|\| true)"
	if [[ -n "$KUBE_CLUSTER_REF" ]]; then
	if [[ "$KUBE_CLUSTER_REF" == arn:aws:eks:* ]]; then
	CLUSTER="${KUBE_CLUSTER_REF##*/}"
	REGION="${REGION:-$(cut -d: -f4 <<<"$KUBE_CLUSTER_REF")}"
	else
	CLUSTER="$KUBE_CLUSTER_REF"
	fi
	fi

	if [[ -z "${REGION}" ]]; then
	ENDPOINT="$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}' 2>/dev/null \|\| true)"
	if [[ "$ENDPOINT" =~ \.([a-z0-9-]+)\.eks\.amazonaws\.com ]]; then
	REGION="${BASH_REMATCH[1]}"
	fi
	fi
	fi

	if [[ -n "${CLUSTER}" && -n "${REGION}" ]]; then
	success "Auto-detected: CLUSTER=$CLUSTER, REGION=$REGION"
	elif [[ -n "${CLUSTER}" && -z "${REGION}" ]]; then
	warn "Cluster found but no region. Scanning AWS regions (this may take a while)..."
	REGIONS_LIST="$(aws ec2 describe-regions --query 'Regions[].RegionName' --output text 2>/dev/null)"
	for r in $REGIONS_LIST; do
	if aws eks describe-cluster --region "$r" --name "$CLUSTER" >/dev/null 2>&1; then
	REGION="$r"
	success "Found cluster in region: $REGION"
	break
	fi
	done
	fi
	fi

	# Final validation
	if [[ -z "${CLUSTER}" ]]; then
	error "Could not determine EKS cluster. Set CLUSTER env var or use -c <cluster>"
	exit 1
	fi
	if [[ -z "${REGION}" ]]; then
	error "Could not determine AWS region. Set REGION env var or use -r <region>"
	exit 2
	fi

	# -------- Fetch EKS & VPC Info ----------
	section "EKS Cluster Information"

	# Fetch all EKS info in one call for efficiency
	info "Fetching EKS cluster details..."
	EKS_INFO=$(aws eks describe-cluster --region "${REGION}" --name "${CLUSTER}" --query 'cluster.{vpc:resourcesVpcConfig.vpcId,subnets:resourcesVpcConfig.subnetIds}' --output json 2>&1)

	if [[ -z "$EKS_INFO" ]] \|\| [[ "$EKS_INFO" == "error" ]] \|\| [[ "$EKS_INFO" == "An error occurred" ]]; then
	error "Failed to fetch EKS cluster information. Check cluster name and region."
	[[ -n "$EKS_INFO" ]] && debug "AWS Error: $EKS_INFO"
	exit 3
	fi

	VPC_ID=$(echo "$EKS_INFO" \| grep -o '"vpc"[[:space:]]:[[:space:]]"[^"]*"' \| cut -d'"' -f4)
	if [[ -z "$VPC_ID" ]]; then
	error "Failed to extract VPC ID from EKS cluster information"
	exit 3
	fi
	info "VPC ID: ${C_HIGHLIGHT}$VPC_ID${C_RESET}"

	# Get EKS subnet IDs using jq for better JSON parsing
	debug "EKS_INFO: $EKS_INFO"
	if command -v jq >/dev/null 2>&1; then
	# Use jq if available
	EKS_SUBNET_IDS=()
	while IFS= read -r subnet_id; do
	[[ -n "$subnet_id" ]] && EKS_SUBNET_IDS+=("$subnet_id")
	done < <(echo "$EKS_INFO" \| jq -r '.subnets[]' 2>/dev/null)
	else
	# Fallback to grep-based parsing
	EKS_SUBNET_IDS=($(echo "$EKS_INFO" \| grep -o '"subnet-[^"]*"' \| tr -d '"'))
	fi
	info "EKS Configured Subnets: ${C_HIGHLIGHT}${#EKS_SUBNET_IDS[@]} subnets${C_RESET}"
	debug "EKS_SUBNET_IDS: ${EKS_SUBNET_IDS[@]}"

	# -------- Parallel Subnet Discovery ----------
	section "Subnet Discovery"

	# Fetch ALL subnet info in one API call (much faster!)
	info "Fetching all VPC subnets..."
	ALL_SUBNETS_JSON=$(aws ec2 describe-subnets --region "${REGION}" --filters "Name=vpc-id,Values=${VPC_ID}" --query 'Subnets[*].[SubnetId,CidrBlock,Tags[?Key==`Name`]\|[0].Value]' --output json 2>/dev/null)

	if [[ -z "$ALL_SUBNETS_JSON" ]]; then
	error "Failed to fetch subnet information"
	exit 3
	fi

	# Parse subnets
	ALL_VPC_SUBNET_CIDRS=()
	EKS_SUBNET_CIDRS=()
	ADDITIONAL_SUBNET_CIDRS=()

	# Associative array to store CIDR to subnet name mappings
	declare -A CIDR_TO_NAME

	# Parse JSON array of arrays using jq if available, otherwise use grep
	if command -v jq >/dev/null 2>&1; then
	# Use jq for proper JSON parsing
	while IFS=$'\t' read -r subnet_id cidr name; do
	[[ -n "$cidr" ]] && ALL_VPC_SUBNET_CIDRS+=("$cidr")

	# Store the subnet name, extract the meaningful part (e.g., "workers-us-east-1a" from "develop-workers-us-east-1a-subnet")
	if [[ -n "$name" && -n "$cidr" ]]; then
	# Remove common prefix "develop-" and suffix "-subnet" for cleaner display
	clean_name="${name#develop-}"
	clean_name="${clean_name%-subnet}"
	CIDR_TO_NAME["$cidr"]="$clean_name"
	fi

	# Check if it's an EKS subnet
	is_eks=0
	for eks_id in "${EKS_SUBNET_IDS[@]}"; do
	[[ "$subnet_id" == "$eks_id" ]] && { is_eks=1; break; }
	done

	if [[ $is_eks -eq 1 ]]; then
	EKS_SUBNET_CIDRS+=("$cidr")
	debug "EKS subnet: $subnet_id => $cidr ($name)"
	else
	ADDITIONAL_SUBNET_CIDRS+=("$cidr")
	debug "Additional subnet: $subnet_id => $cidr ($name)"
	fi
	done < <(echo "$ALL_SUBNETS_JSON" \| jq -r '.[] \| @tsv' 2>/dev/null)
	else
	# Fallback: parse the JSON arrays manually
	while IFS= read -r line; do
	# Skip empty lines and the outer brackets
	[[ "$line" =~ ^[[:space:]]\[?[[:space:]]$ ]] && continue
	[[ "$line" =~ ^[[:space:]]\]?[[:space:]]$ ]] && continue

	# Extract subnet ID, CIDR, and name from lines like: ["subnet-xxx", "10.x.x.x/x", "name"]
	if [[ "$line" =~ \"(subnet-[^\"]+)\".\"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+)\".\"([^\"]+)\" ]]; then
	subnet_id="${BASH_REMATCH[1]}"
	cidr="${BASH_REMATCH[2]}"
	name="${BASH_REMATCH[3]}"

	[[ -n "$cidr" ]] && ALL_VPC_SUBNET_CIDRS+=("$cidr")

	# Store the subnet name
	if [[ -n "$name" && -n "$cidr" ]]; then
	clean_name="${name#develop-}"
	clean_name="${clean_name%-subnet}"
	CIDR_TO_NAME["$cidr"]="$clean_name"
	fi

	# Check if it's an EKS subnet
	is_eks=0
	for eks_id in "${EKS_SUBNET_IDS[@]}"; do
	[[ "$subnet_id" == "$eks_id" ]] && { is_eks=1; break; }
	done

	if [[ $is_eks -eq 1 ]]; then
	EKS_SUBNET_CIDRS+=("$cidr")
	else
	ADDITIONAL_SUBNET_CIDRS+=("$cidr")
	fi
	fi
	done < <(echo "$ALL_SUBNETS_JSON")
	fi

	success "Found ${#ALL_VPC_SUBNET_CIDRS[@]} total subnets in VPC"
	info "├─ EKS Configured: ${#EKS_SUBNET_CIDRS[@]} subnets"
	info "└─ Additional VPC: ${#ADDITIONAL_SUBNET_CIDRS[@]} subnets"

	# -------- VPC CIDR Blocks ----------
	VPC_CIDRS=()
	if [[ $INCLUDE_VPC -eq 1 ]]; then
	VPC_CIDRS_STR=$(aws ec2 describe-vpcs --region "${REGION}" --vpc-ids "${VPC_ID}" --query 'Vpcs[0].CidrBlockAssociationSet[?AssociationState.State==`associated`].CidrBlock' --output text 2>/dev/null)
	read -r -a VPC_CIDRS <<<"$VPC_CIDRS_STR"
	[[ ${#VPC_CIDRS[@]} -gt 0 ]] && info "VPC CIDR blocks: ${#VPC_CIDRS[@]}"
	fi

	# -------- ALB Discovery (Optimized) ----------
	ALB_SUBNET_CIDRS=()
	if [[ $INCLUDE_ALB -eq 1 ]]; then
	section "ALB Discovery"

	ALB_DNS=()
	if [[ -n "$ALB_DNS_RAW" ]]; then
	IFS=',' read -r -a ALB_DNS <<<"$ALB_DNS_RAW"
	info "Using provided ALB DNS names: ${#ALB_DNS[@]}"
	elif command -v kubectl >/dev/null 2>&1; then
	# Get all load balancers in one kubectl call
	ALL_LB_DNS=$(kubectl get ingress,svc -A -o json 2>/dev/null \| \
	grep -o '"hostname"[[:space:]]:[[:space:]]"[^"]*"' \| \
	cut -d'"' -f4 \| sort -u)

	while IFS= read -r dns; do
	[[ -n "$dns" ]] && ALB_DNS+=("$dns")
	done <<<"$ALL_LB_DNS"

	info "Auto-discovered ${#ALB_DNS[@]} load balancer DNS names"
	fi

	if [[ ${#ALB_DNS[@]} -gt 0 ]]; then
	# Batch process ALBs
	info "Fetching ALB information..."
	ALL_ALBS_JSON=$(aws elbv2 describe-load-balancers --region "$REGION" --query 'LoadBalancers[?Type==`application`].[LoadBalancerArn,DNSName,AvailabilityZones[].SubnetId]' --output json 2>/dev/null)

	if [[ -n "$ALL_ALBS_JSON" ]]; then
	ALB_SUBNET_IDS=()
	alb_count=0

	if command -v jq >/dev/null 2>&1; then
	# Use jq for proper JSON parsing
	while IFS=$'\t' read -r arn dns_name subnet_ids; do
	for target_dns in "${ALB_DNS[@]}"; do
	if [[ "$dns_name" == "$target_dns" ]]; then
	((alb_count++))
	# Parse the subnet IDs array
	while IFS= read -r sid; do
	[[ -n "$sid" ]] && ALB_SUBNET_IDS+=("$sid")
	done < <(echo "$subnet_ids" \| jq -r '.[]' 2>/dev/null)
	break
	fi
	done
	done < <(echo "$ALL_ALBS_JSON" \| jq -r '.[] \| @tsv' 2>/dev/null)
	else
	# Fallback to grep-based parsing
	while IFS= read -r line; do
	# Skip empty lines and brackets
	[[ "$line" =~ ^[[:space:]]\[?[[:space:]]$ ]] && continue
	[[ "$line" =~ ^[[:space:]]\]?[[:space:]]$ ]] && continue

	# Extract DNS name from the line
	if [[ "$line" =~ \"([^\"]*\.amazonaws\.com)\" ]]; then
	dns_name="${BASH_REMATCH[1]}"

	for target_dns in "${ALB_DNS[@]}"; do
	if [[ "$dns_name" == "$target_dns" ]]; then
	((alb_count++))
	# Extract all subnet IDs from the same line or following lines
	subnet_ids=$(echo "$line" \| grep -o '"subnet-[^"]*"' \| tr -d '"')
	for sid in $subnet_ids; do
	ALB_SUBNET_IDS+=("$sid")
	done
	break
	fi
	done
	fi
	done < <(echo "$ALL_ALBS_JSON")
	fi

	if [[ ${#ALB_SUBNET_IDS[@]} -gt 0 ]]; then
	# Dedup and get CIDRs
	mapfile -t ALB_SUBNET_IDS < <(dedup_list "${ALB_SUBNET_IDS[@]}")

	# We already have all subnet info from earlier!
	for subnet_id in "${ALB_SUBNET_IDS[@]}"; do
	cidr=$(echo "$ALL_SUBNETS_JSON" \| grep -B1 -A1 "\"$subnet_id\"" \| grep -o '"10\.[^"]\\|"172\.[^"]\\|"192\.[^"]*' \| tr -d '"' \| head -1)
	[[ -n "$cidr" ]] && ALB_SUBNET_CIDRS+=("$cidr")
	done

	# Dedup ALB CIDRs
	mapfile -t ALB_SUBNET_CIDRS < <(dedup_list "${ALB_SUBNET_CIDRS[@]}")
	success "Found $alb_count ALBs using ${#ALB_SUBNET_CIDRS[@]} unique subnets"
	fi
	else
	info "No ALB information retrieved"
	fi
	fi
	fi

	# -------- Node Information ----------
	NODE_IPS=()
	if command -v kubectl >/dev/null 2>&1 && [[ $QUIET -eq 0 ]]; then
	section "Cluster Nodes"
	if command -v jq >/dev/null 2>&1; then
	# Use jq for proper JSON parsing
	while IFS= read -r ip; do
	[[ -n "$ip" ]] && NODE_IPS+=("$ip")
	done < <(kubectl get nodes -o json 2>/dev/null \| jq -r '.items[].status.addresses[] \| select(.type=="InternalIP") \| .address' 2>/dev/null)
	else
	# Fallback to grep-based parsing
	NODE_INFO=$(kubectl get nodes -o wide --no-headers 2>/dev/null \| awk '{print $6}')
	while IFS= read -r ip; do
	[[ -n "$ip" ]] && NODE_IPS+=("$ip")
	done <<<"$NODE_INFO"
	fi

	if [[ ${#NODE_IPS[@]} -gt 0 ]]; then
	info "Found ${#NODE_IPS[@]} nodes in cluster"
	if [[ -n "$TEST_IP" ]]; then
	for node_ip in "${NODE_IPS[@]}"; do
	if [[ "$node_ip" == "$TEST_IP" ]]; then
	success "Test IP $TEST_IP is a NODE IP!"
	break
	fi
	done
	fi
	fi
	fi

	# -------- Test IP Against All Categories ----------
	if [[ -n "$TEST_IP" ]] && command -v python3 >/dev/null 2>&1; then
	section "IP Test Results"
	info "Testing IP: ${C_HIGHLIGHT}$TEST_IP${C_RESET}"

	test_category() {
	local category="$1"
	shift
	local cidrs=("$@")

	if [[ ${#cidrs[@]} -eq 0 ]]; then
	return
	fi

	PY_EXPR='import ipaddress,sys
	ip=ipaddress.ip_address(sys.argv[1]); cidrs=sys.argv[2:];
	hits=[c for c in cidrs if ip in ipaddress.ip_network(c, strict=False)];
	if hits: print("MATCH\|" + ",".join(hits))
	else: print("NO-MATCH\|")'

	result=$(python3 -c "$PY_EXPR" "$TEST_IP" "${cidrs[@]}")
	match_status="${result%%\|*}"
	matched_cidrs="${result#*\|}"

	if [[ "$match_status" == "MATCH" ]]; then
	# Add subnet name if available
	match_display="$matched_cidrs"
	for matched_cidr in ${matched_cidrs//,/ }; do
	subnet_name="${CIDR_TO_NAME[$matched_cidr]}"
	if [[ -n "$subnet_name" ]]; then
	match_display="$matched_cidr - $subnet_name"
	break # Usually only one match
	fi
	done
	success "$category: MATCH ($match_display)"
	else
	info "$category: No match"
	fi
	}

	test_category "EKS Subnets" "${EKS_SUBNET_CIDRS[@]}"
	[[ $INCLUDE_VPC_SUBNETS -eq 1 ]] && test_category "Additional VPC Subnets" "${ADDITIONAL_SUBNET_CIDRS[@]}"
	[[ $INCLUDE_VPC -eq 1 ]] && test_category "VPC CIDR Blocks" "${VPC_CIDRS[@]}"
	[[ $INCLUDE_ALB -eq 1 ]] && test_category "ALB Subnets" "${ALB_SUBNET_CIDRS[@]}"

	if [[ $INCLUDE_VPC_SUBNETS -eq 0 ]]; then
	warn "Note: Additional VPC subnets excluded. Use without --no-vpc-subnets for full coverage"
	fi
	fi

	# -------- Output Results (to stdout) ----------
	printf "\n"
	out_section "════════════════════════════════════════════════════════"
	out_section " DISCOVERED CIDR RANGES"
	out_section "════════════════════════════════════════════════════════"

	# EKS Subnets
	if [[ ${#EKS_SUBNET_CIDRS[@]} -gt 0 ]]; then
	out_section "EKS Configured Subnets (${#EKS_SUBNET_CIDRS[@]}):"
	for cidr in $(sort_cidrs "${EKS_SUBNET_CIDRS[@]}"); do
	subnet_name="${CIDR_TO_NAME[$cidr]}"
	if [[ -n "$subnet_name" ]]; then
	out_info " $cidr ${C_DIM}[$subnet_name]${C_RESET}"
	else
	out_info " $cidr"
	fi
	done
	fi

	# Additional VPC Subnets
	if [[ $INCLUDE_VPC_SUBNETS -eq 1 && ${#ADDITIONAL_SUBNET_CIDRS[@]} -gt 0 ]]; then
	out_section "Additional VPC Subnets (${#ADDITIONAL_SUBNET_CIDRS[@]}):"
	for cidr in $(sort_cidrs "${ADDITIONAL_SUBNET_CIDRS[@]}"); do
	subnet_name="${CIDR_TO_NAME[$cidr]}"
	if [[ -n "$subnet_name" ]]; then
	out_highlight " $cidr ${C_DIM}[$subnet_name]${C_RESET}"
	else
	out_highlight " $cidr"
	fi
	done
	elif [[ $INCLUDE_VPC_SUBNETS -eq 0 && ${#ADDITIONAL_SUBNET_CIDRS[@]} -gt 0 ]]; then
	out_warn "Additional VPC Subnets: EXCLUDED (--no-vpc-subnets)"
	out_warn " ${#ADDITIONAL_SUBNET_CIDRS[@]} subnets not shown"
	fi

	# VPC CIDR Blocks
	if [[ $INCLUDE_VPC -eq 1 && ${#VPC_CIDRS[@]} -gt 0 ]]; then
	out_section "VPC CIDR Blocks (${#VPC_CIDRS[@]}):"
	for cidr in $(sort_cidrs "${VPC_CIDRS[@]}"); do
	out_info " $cidr"
	done
	elif [[ $INCLUDE_VPC -eq 0 && ${#VPC_CIDRS[@]} -gt 0 ]]; then
	out_warn "VPC CIDR Blocks: EXCLUDED (--no-vpc)"
	fi

	# ALB Subnets
	if [[ $INCLUDE_ALB -eq 1 && ${#ALB_SUBNET_CIDRS[@]} -gt 0 ]]; then
	out_section "ALB Subnets (${#ALB_SUBNET_CIDRS[@]}):"
	for cidr in $(sort_cidrs "${ALB_SUBNET_CIDRS[@]}"); do
	out_info " $cidr"
	done
	elif [[ $INCLUDE_ALB -eq 0 ]]; then
	out_warn "ALB Subnets: EXCLUDED (--no-alb)"
	fi

	# Summary
	out_section "────────────────────────────────────────────────────────"
	total_count=$((${#EKS_SUBNET_CIDRS[@]} + ($INCLUDE_VPC_SUBNETS * ${#ADDITIONAL_SUBNET_CIDRS[@]}) + ($INCLUDE_VPC * ${#VPC_CIDRS[@]}) + ($INCLUDE_ALB * ${#ALB_SUBNET_CIDRS[@]})))
	out_section "Total CIDR ranges: $total_count"

	if [[ $INCLUDE_VPC_SUBNETS -eq 0 ]]; then
	printf "\n"
	out_warn "⚠ Additional VPC subnets excluded (--no-vpc-subnets)"
	out_warn " For comprehensive coverage, run without --no-vpc-subnets"
	fi

	printf "\n"
No results found