From 7eac59fbda37135eaa6750ac9eb130f3491fd25c Mon Sep 17 00:00:00 2001
From: David Hocky
Date: Thu, 24 Feb 2022 12:06:47 -0500
Subject: [PATCH] improvement: allow eks cluster security group to be included in node group launch template

The behavior of EKS's launch template support today is that if any node security groups are specified in the launch template configuration, EKS will not automatically add the cluster security group. If no security groups are specified, the cluster security group is added by default. (ref: https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html)

For users that want to preserve similar behavior, when including additional node security groups, optionally allow the cluster security group to be added to the launch template generated by the EKS Cluster terraform module
---
 main.tf | 2 +-
 node_groups.tf | 7 +++++--
 variables.tf | 6 ++++++
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/main.tf b/main.tf
index 7aa426f06b4..e3489df5d51 100644
--- a/main.tf
+++ b/main.tf
@@ -13,7 +13,7 @@ resource "aws_eks_cluster" "this" {
   enabled_cluster_log_types = var.cluster_enabled_log_types
   vpc_config {
-    security_group_ids = distinct(concat(var.cluster_additional_security_group_ids, [local.cluster_security_group_id]))
+    security_group_ids = compact(distinct(concat(var.cluster_additional_security_group_ids, [local.cluster_security_group_id])))
     subnet_ids = var.subnet_ids
     endpoint_private_access = var.cluster_endpoint_private_access
     endpoint_public_access = var.cluster_endpoint_public_access
diff --git a/node_groups.tf b/node_groups.tf
index e59159dbbe5..826f938ab00 100644
--- a/node_groups.tf
+++ b/node_groups.tf
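Review bot: The compact() added around security_group_ids in the main.tf hunk is not covered by the commit message, which only describes the node launch-template change, so a reader of the blame will not know why the cluster's own security group list changed in this commit. If it is there because local.cluster_security_group_id can evaluate to an empty string when the module is told not to create its cluster security group (inferred from the name, not visible in this hunk), a one-line comment above the attribute would capture that, e.g. `# compact() drops the empty id present when no module-managed cluster security group exists`. Otherwise it deserves a sentence in the description, since it alters the list attached to the control-plane ENIs. The aws_eks_cluster resource body continues outside the hunk.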
@@ -223,6 +223,9 @@ module "fargate_profile" {
 # EKS Managed Node Group
 ################################################################################
+locals {
+  cluster_base_security_group_id = var.include_cluster_security_group ? aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id : null
+}
 module "eks_managed_node_group" {
   source = "./modules/eks-managed-node-group"
@@ -281,7 +284,7 @@ module "eks_managed_node_group" {
   ebs_optimized = try(each.value.ebs_optimized, var.eks_managed_node_group_defaults.ebs_optimized, null)
   key_name = try(each.value.key_name, var.eks_managed_node_group_defaults.key_name, null)
-  vpc_security_group_ids = compact(concat([local.node_security_group_id], try(each.value.vpc_security_group_ids, var.eks_managed_node_group_defaults.vpc_security_group_ids, [])))
+  vpc_security_group_ids = compact(concat([local.cluster_base_security_group_id], [local.node_security_group_id], try(each.value.vpc_security_group_ids, var.eks_managed_node_group_defaults.vpc_security_group_ids, [])))
   launch_template_default_version = try(each.value.launch_template_default_version, var.eks_managed_node_group_defaults.launch_template_default_version, null)
   update_launch_template_default_version = try(each.value.update_launch_template_default_version, var.eks_managed_node_group_defaults.update_launch_template_default_version, true)
   disable_api_termination = try(each.value.disable_api_termination, var.eks_managed_node_group_defaults.disable_api_termination, null)
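Review bot: The new local reads aws_eks_cluster.this[0] directly, so when the cluster resource's count is 0 and include_cluster_security_group is true, evaluation fails with an index error instead of degrading to null; the sibling local.cluster_security_group_id used in the self_managed_node_group hunk presumably already guards that case, and this local should mirror it. Wrapping the lookup, `cluster_base_security_group_id = var.include_cluster_security_group ? try(aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id, null) : null`, makes the disabled path and the no-cluster path both yield null. That null is then handed to compact() at -281 here and again at -405 in the self_managed_node_group hunk; whether compact() tolerates null elements depends on the Terraform version the module pins, so either verify it against required_version or have the local produce an empty list that is concat'ed instead of a single null element. A short comment on the local saying it is the EKS-created cluster security group (vpc_config.cluster_security_group_id), not the module's own cluster_security_group, would also keep it from being confused with local.cluster_security_group_id.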
@@ -405,7 +408,7 @@ module "self_managed_node_group" {
   instance_type = try(each.value.instance_type, var.self_managed_node_group_defaults.instance_type, "m6i.large")
   key_name = try(each.value.key_name, var.self_managed_node_group_defaults.key_name, null)
-  vpc_security_group_ids = compact(concat([local.node_security_group_id], try(each.value.vpc_security_group_ids, var.self_managed_node_group_defaults.vpc_security_group_ids, [])))
+  vpc_security_group_ids = compact(concat([local.cluster_base_security_group_id], [local.node_security_group_id], try(each.value.vpc_security_group_ids, var.self_managed_node_group_defaults.vpc_security_group_ids, [])))
   cluster_security_group_id = local.cluster_security_group_id
   launch_template_default_version = try(each.value.launch_template_default_version, var.self_managed_node_group_defaults.launch_template_default_version, null)
   update_launch_template_default_version = try(each.value.update_launch_template_default_version, var.self_managed_node_group_defaults.update_launch_template_default_version, true)
diff --git a/variables.tf b/variables.tf
index 2e479acd22a..6e0c77c36c8 100644
--- a/variables.tf
+++ b/variables.tf
@@ -181,6 +181,12 @@ variable "cluster_security_group_tags" {
   default = {}
 }
+variable "include_cluster_security_group" {
+  description = "Determines if cluster security group should be included in node launch templates"
+  type = bool
+  default = false
+}
+
 ################################################################################
 # EKS IPV6 CNI Policy
 ################################################################################
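Review bot: The description of include_cluster_security_group in the variables.tf hunk does not say which security group it means, and the surrounding file already has cluster_security_group_* variables for the group the module creates itself (cluster_security_group_tags is the context line right above), so "cluster security group" is ambiguous here. Attaching the EKS-created group to nodes is what makes them reachable under the rules EKS manages on that group, which as I understand it permit traffic among the group's members by default, so the description should name the group and its effect, e.g. `description = "Determines if the EKS-created cluster security group (aws_eks_cluster vpc_config.cluster_security_group_id) is added to node launch templates; set to true to keep the access EKS grants by default when no other security groups are supplied"`. It is also worth stating that the default of false preserves the module's current behavior.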