diff --git a/cluster_regional.tf b/cluster_regional.tf
index 7db0002ce3..e4ec412bcd 100644
--- a/cluster_regional.tf
+++ b/cluster_regional.tf
@@ -30,6 +30,8 @@ resource "google_container_cluster" "primary" {
   subnetwork         = "projects/${local.network_project_id}/regions/${var.region}/subnetworks/${var.subnetwork}"
   min_master_version = "${local.kubernetes_version}"
 
+  master_authorized_networks_config = "${var.master_authorized_networks_config}"
+
   addons_config {
     http_load_balancing {
       disabled = "${var.http_load_balancing ? 0 : 1}"
diff --git a/cluster_zonal.tf b/cluster_zonal.tf
index 8fe2df3cdc..fcf8c58889 100644
--- a/cluster_zonal.tf
+++ b/cluster_zonal.tf
@@ -30,6 +30,8 @@ resource "google_container_cluster" "zonal_primary" {
   subnetwork         = "projects/${local.network_project_id}/regions/${var.region}/subnetworks/${var.subnetwork}"
   min_master_version = "${local.kubernetes_version}"
 
+  master_authorized_networks_config = "${var.master_authorized_networks_config}"
+
   addons_config {
     http_load_balancing {
       disabled = "${var.http_load_balancing ? 0 : 1}"
diff --git a/main.tf b/main.tf
index b7cb7341bf..c6f6ee6125 100644
--- a/main.tf
+++ b/main.tf
@@ -73,6 +73,11 @@ locals {
     zonal    = "${element(concat(google_container_cluster.zonal_primary.*.min_master_version, list("")), 0)}"
   }
 
+  cluster_type_output_master_authorized_networks_config = {
+    regional = "${element(concat(google_container_cluster.primary.*.master_authorized_networks_config, list("")), 0)}"
+    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.master_authorized_networks_config, list("")), 0)}"
+  }
+
   cluster_type_output_network_policy_enabled = {
     regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.network_policy_config.0.disabled, list("")), 0)}"
     zonal    = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.network_policy_config.0.disabled, list("")), 0)}"
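Review bot: The new `master_authorized_networks_config = "${var.master_authorized_networks_config}"` line in cluster_regional.tf is fed by a variable whose default is `[]`, and with the 0.11 list-to-block pattern an empty list emits no block at all, which — if I read the provider correctly — leaves the control-plane endpoint reachable from any address rather than restricting it; the restriction only takes effect once a caller passes a non-empty list. A one-line comment above the attribute would keep that from being misread as a secure default: `# an empty list disables master authorized networks (endpoint unrestricted); pass [{cidr_blocks = [...]}] to restrict`. The same line is added identically to cluster_zonal.tf in the next hunk and the same comment applies there. The resource block continues outside both hunks.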
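Review bot: The `element(concat(google_container_cluster.primary.*.master_authorized_networks_config, list("")), 0)` expressions in the new `cluster_type_output_master_authorized_networks_config` local copy a pattern the surrounding entries use for string-valued attributes, but here the splatted attribute is a nested block (a list of maps), so `concat` is mixing a nested list with a string and `element(..., 0)` may not yield the plain value the sibling locals yield; I cannot confirm from the hunk how 0.11 resolves that. It is worth checking `terraform plan`/`apply` output with both the default `[]` and a one-entry list before this local is exposed through the output added in outputs.tf. The `locals` block begins and ends outside the hunk.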
@@ -108,16 +113,17 @@ locals {
   cluster_master_auth_map = "${local.cluster_master_auth_list_layer2[0]}"
 
   # cluster locals
-  cluster_name                = "${local.cluster_type_output_name[local.cluster_type]}"
-  cluster_location            = "${local.cluster_type_output_location[local.cluster_type]}"
-  cluster_region              = "${local.cluster_type_output_region[local.cluster_type]}"
-  cluster_zones               = "${sort(local.cluster_type_output_zones[local.cluster_type])}"
-  cluster_endpoint            = "${local.cluster_type_output_endpoint[local.cluster_type]}"
-  cluster_ca_certificate      = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}"
-  cluster_master_version      = "${local.cluster_type_output_master_version[local.cluster_type]}"
-  cluster_min_master_version  = "${local.cluster_type_output_min_master_version[local.cluster_type]}"
-  cluster_node_pools_names    = "${local.cluster_type_output_node_pools_names[local.cluster_type]}"
-  cluster_node_pools_versions = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}"
+  cluster_name                              = "${local.cluster_type_output_name[local.cluster_type]}"
+  cluster_location                          = "${local.cluster_type_output_location[local.cluster_type]}"
+  cluster_region                            = "${local.cluster_type_output_region[local.cluster_type]}"
+  cluster_zones                             = "${sort(local.cluster_type_output_zones[local.cluster_type])}"
+  cluster_endpoint                          = "${local.cluster_type_output_endpoint[local.cluster_type]}"
+  cluster_ca_certificate                    = "${lookup(local.cluster_master_auth_map, "cluster_ca_certificate")}"
+  cluster_master_version                    = "${local.cluster_type_output_master_version[local.cluster_type]}"
+  cluster_min_master_version                = "${local.cluster_type_output_min_master_version[local.cluster_type]}"
+  cluster_master_authorized_networks_config = "${local.cluster_type_output_master_authorized_networks_config[local.cluster_type]}"
+  cluster_node_pools_names                  = "${local.cluster_type_output_node_pools_names[local.cluster_type]}"
+  cluster_node_pools_versions               = "${local.cluster_type_output_node_pools_versions[local.cluster_type]}"
   cluster_network_policy_enabled      = "${local.cluster_type_output_network_policy_enabled[local.cluster_type] ? false : true}"
   cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}"
 
diff --git a/outputs.tf b/outputs.tf
index 4f5ec6435c..8a8c0c9f3d 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -50,6 +50,11 @@ output "min_master_version" {
   value       = "${local.cluster_min_master_version}"
 }
 
+output "master_authorized_networks_config" {
+  description = "Networks from which access to master is permitted"
+  value       = "${local.cluster_master_authorized_networks_config}"
+}
+
 output "master_version" {
   description = "Current master kubernetes version"
   value       = "${local.cluster_master_version}"
diff --git a/variables.tf b/variables.tf
index f6e9b1f192..9c8ffb4b30 100644
--- a/variables.tf
+++ b/variables.tf
@@ -65,6 +65,12 @@ variable "node_version" {
   default     = ""
 }
 
+variable "master_authorized_networks_config" {
+  description = "The desired configuration options for master authorized networks. Omit the nested cidr_blocks attribute to disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
+  type        = "list"
+  default     = []
+}
+
 variable "horizontal_pod_autoscaling" {
   description = "Enable horizontal pod autoscaling addon"
   default     = false
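Review bot: The description on the new `master_authorized_networks_config` output, "Networks from which access to master is permitted", invites the reading that an empty value means no network is permitted, when an empty value here reflects that no authorized-networks restriction was configured at all (the variable's default), which is the less restrictive state. Suggest `description = "Networks from which access to master is permitted (empty when master authorized networks is not configured)"` so consumers of the output do not draw the wrong conclusion about exposure. The output block is fully inside the hunk.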
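Review bot: The variable description says "Omit the nested cidr_blocks attribute to disallow external access", but the default `default = []` omits the whole block, not just `cidr_blocks`, and — as far as I can tell from the list-to-block usage in cluster_regional.tf and cluster_zonal.tf — that disables the feature and leaves the endpoint unrestricted, the opposite of what the sentence promises; disallowing access would need a single-element list with no `cidr_blocks` key, while the default is "no restriction". The description should say so explicitly and document the expected shape, e.g. ending with `"... An empty list (the default) leaves master authorized networks disabled, so the endpoint is not restricted. Shape: [{cidr_blocks = [{cidr_block = "<CIDR>", display_name = "<name>"}]}]"`. The variable block is fully inside the hunk.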