improvement: allow eks cluster security group to be included in node …
…group launch template

The behavior of EKS's launch template support today is that if any node security groups are
specified in the launch template configuration, EKS will not automatically add the cluster security group.
If no security groups are specified, the cluster security group is added by default.
(ref: https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html)

For users who want to preserve similar behavior when including additional node security groups,
this change optionally allows the cluster security group to be added to the launch template generated
by the EKS Cluster Terraform module.
davidaah committed Mar 1, 2022
1 parent 9a99689 commit c38015f
Showing 3 changed files with 12 additions and 3 deletions.
2 changes: 1 addition & 1 deletion main.tf
Expand Up @@ -13,7 +13,7 @@ resource "aws_eks_cluster" "this" {
enabled_cluster_log_types = var.cluster_enabled_log_types

vpc_config {
security_group_ids = distinct(concat(var.cluster_additional_security_group_ids, [local.cluster_security_group_id]))
security_group_ids = compact(distinct(concat(var.cluster_additional_security_group_ids, [local.cluster_security_group_id])))
subnet_ids = var.subnet_ids
endpoint_private_access = var.cluster_endpoint_private_access
endpoint_public_access = var.cluster_endpoint_public_access
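Review bot: The new compact() wrapper around `security_group_ids` is not explained in the hunk or in the commit message, which only talks about node launch templates; presumably `local.cluster_security_group_id` can resolve to an empty value when the module is configured not to create its own cluster security group, and compact() keeps that empty entry out of the API call. A one-line comment above the attribute would save the next reader the inference, e.g. `# compact() drops the empty entry left when no module-managed cluster security group exists`. The `aws_eks_cluster` resource begins before the hunk.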
7 changes: 5 additions & 2 deletions node_groups.tf
Expand Up @@ -223,6 +223,9 @@ module "fargate_profile" {
# EKS Managed Node Group
################################################################################

locals {
cluster_base_security_group_id = var.include_cluster_security_group ? aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id : null
}
module "eks_managed_node_group" {
source = "./modules/eks-managed-node-group"

Expand Down Expand Up @@ -281,7 +284,7 @@ module "eks_managed_node_group" {

ebs_optimized = try(each.value.ebs_optimized, var.eks_managed_node_group_defaults.ebs_optimized, null)
key_name = try(each.value.key_name, var.eks_managed_node_group_defaults.key_name, null)
vpc_security_group_ids = compact(concat([local.node_security_group_id], try(each.value.vpc_security_group_ids, var.eks_managed_node_group_defaults.vpc_security_group_ids, [])))
vpc_security_group_ids = compact(concat([local.cluster_base_security_group_id], [local.node_security_group_id], try(each.value.vpc_security_group_ids, var.eks_managed_node_group_defaults.vpc_security_group_ids, [])))
launch_template_default_version = try(each.value.launch_template_default_version, var.eks_managed_node_group_defaults.launch_template_default_version, null)
update_launch_template_default_version = try(each.value.update_launch_template_default_version, var.eks_managed_node_group_defaults.update_launch_template_default_version, true)
disable_api_termination = try(each.value.disable_api_termination, var.eks_managed_node_group_defaults.disable_api_termination, null)
Expand Down Expand Up @@ -405,7 +408,7 @@ module "self_managed_node_group" {
instance_type = try(each.value.instance_type, var.self_managed_node_group_defaults.instance_type, "m6i.large")
key_name = try(each.value.key_name, var.self_managed_node_group_defaults.key_name, null)

vpc_security_group_ids = compact(concat([local.node_security_group_id], try(each.value.vpc_security_group_ids, var.self_managed_node_group_defaults.vpc_security_group_ids, [])))
vpc_security_group_ids = compact(concat([local.cluster_base_security_group_id], [local.node_security_group_id], try(each.value.vpc_security_group_ids, var.self_managed_node_group_defaults.vpc_security_group_ids, [])))
cluster_security_group_id = local.cluster_security_group_id
launch_template_default_version = try(each.value.launch_template_default_version, var.self_managed_node_group_defaults.launch_template_default_version, null)
update_launch_template_default_version = try(each.value.update_launch_template_default_version, var.self_managed_node_group_defaults.update_launch_template_default_version, true)
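Review bot: `local.cluster_base_security_group_id` in the first hunk is easily confused with the existing `local.cluster_security_group_id` that the self-managed module still receives on its `cluster_security_group_id` argument in the third hunk: the new local is the security group EKS itself creates for the cluster (`aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id`), while the old one is the module-managed group, and that distinction is exactly what decides whether nodes keep control-plane connectivity once extra groups are listed. A comment on the locals block should spell it out, e.g. `# EKS-created cluster security group (distinct from the module-managed one); attached to node launch templates only when var.include_cluster_security_group is set, since EKS stops adding it automatically once any security group is listed`. The locals block also sits under the "EKS Managed Node Group" banner although `module "self_managed_node_group"` in the third hunk consumes it too, so it belongs with the shared locals or needs a note that both modules use it. Finally, when the flag is false the local is `null` and both `vpc_security_group_ids` expressions rely on compact() dropping null elements rather than only empty strings, which is worth confirming against the minimum Terraform version the module pins.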
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -175,6 +175,12 @@ variable "cluster_security_group_tags" {
default = {}
}

variable "include_cluster_security_group" {
description = "Determines if cluster security group should be included in node launch templates"
type = bool
default = false
}

################################################################################
# EKS IPV6 CNI Policy
################################################################################
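Review bot: The description on `include_cluster_security_group` says what the flag does but not when a user needs it, which is the non-obvious part the commit message explains: once a launch template lists any security group, EKS no longer adds the cluster security group on its own, so nodes that get additional groups can silently lose the default control-plane access. Suggest `description = "Determines if the EKS-created cluster security group should be included in node launch templates. Set to true when providing additional node security groups, since EKS only adds the cluster security group automatically when the launch template specifies none"`. The default of `false` preserves the previous module behavior, which is worth stating in the changelog entry for this release.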
