Making security group creation step optional #1717

Closed
krlydm opened this issue Feb 9, 2022 · 3 comments · Fixed by #1718
Labels: enhancement (New feature or request), good first issue (Good for newcomers), help wanted (Extra attention is needed)

Comments

krlydm (Contributor) commented Feb 9, 2022

Hi,

I'm facing an issue using this solution for our use cases at my company. My company restricts who has access to create VPCs or security groups in AWS, so implicit security group creation is not allowed due to security concerns. Removing VPC creation is easy, but I can't find any good option to do it for SGs. As a workaround to test this, I removed the security group creation, compiled my own runners.zip and passed my pre-created security group ID via runner_additional_security_group_ids.

Is it possible to solve this differently, or would this be a new feature request instead?

It would be nice if there were an option to treat security groups in the same way as VPC and subnets are handled.

npalm (Member) commented Feb 9, 2022

Sounds like a valid option to me; today, setting up the runner requires several permissions. We use permission boundaries to limit the scope of the deployment role in AWS. Just wondering, is creating IAM roles allowed?

Feel free to create a PR to optionally disable the security group creation of the runner module (default should be true). Suggestion for the variable name: enable_managed_runner_security_group

npalm added the enhancement, good first issue and help wanted labels Feb 9, 2022

krlydm (Contributor, Author) commented Feb 9, 2022

Sounds good to me, I'm open to creating a PR; what you recommended seems like a simple change.
Handling IAM roles is a bit different in my case, because we have more room to play with limiting permission boundaries to a specific role via ARN. A security group is like a firewall; they are handled org-wide to make sure we are applying approved restrictions everywhere.

krlydm (Contributor, Author) commented Feb 10, 2022

I have created the pull request for addressing this request: #1718
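
An added example, not part of the thread or of the project's code: a pre-apply check that fails when a Terraform plan (the JSON from `terraform show -json`) would create a security group or VPC, which is the restriction described above. The restricted type set, the sample plans and their resource addresses are constructed assumptions.

```python
import json
import sys

# Resource types this example treats as centrally managed (assumption,
# taken from the thread: security groups and VPCs).
RESTRICTED_TYPES = frozenset({"aws_security_group", "aws_vpc"})


def restricted_creates(plan, restricted=RESTRICTED_TYPES):
    """Return sorted addresses of restricted resources the plan would create."""
    found = []
    for rc in plan.get("resource_changes", []):
        if rc.get("mode", "managed") != "managed":
            continue  # data sources only look up existing objects
        actions = rc.get("change", {}).get("actions", [])
        # A replacement is reported as delete+create, so it is caught too.
        if rc.get("type") in restricted and "create" in actions:
            found.append(rc["address"])
    return sorted(found)


def _rc(address, rtype, actions, mode="managed"):
    """Build one constructed resource_changes entry."""
    return {"address": address, "type": rtype, "mode": mode,
            "change": {"actions": actions}}


# Constructed sample plans; the resource addresses are hypothetical.
PLAN_MANAGED_SG = {"resource_changes": [
    _rc("module.runners.aws_security_group.runner_sg[0]", "aws_security_group", ["create"]),
    _rc("module.runners.aws_launch_template.runner", "aws_launch_template", ["create"]),
]}
PLAN_PRECREATED_SG = {"resource_changes": [
    _rc("data.aws_security_group.approved", "aws_security_group", ["read"], mode="data"),
    _rc("module.runners.aws_launch_template.runner", "aws_launch_template", ["create"]),
]}

if __name__ == "__main__":
    # Usage: terraform show -json plan.out > plan.json; python check.py plan.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = PLAN_MANAGED_SG
    hits = restricted_creates(plan)
    for address in hits:
        print("restricted resource would be created:", address)
    sys.exit(1 if hits else 0)
```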
