diff --git a/main.tf b/main.tf
index 853df4ba1e7..acd807a970c 100644
--- a/main.tf
+++ b/main.tf
@@ -13,7 +13,7 @@ resource "aws_eks_cluster" "this" {
   enabled_cluster_log_types = var.cluster_enabled_log_types
   vpc_config {
-    security_group_ids = distinct(concat(var.cluster_additional_security_group_ids, [local.cluster_security_group_id]))
+    security_group_ids = compact(distinct(concat(var.cluster_additional_security_group_ids, [local.cluster_security_group_id])))
     subnet_ids = var.subnet_ids
     endpoint_private_access = var.cluster_endpoint_private_access
     endpoint_public_access = var.cluster_endpoint_public_access
diff --git a/node_groups.tf b/node_groups.tf
index e59159dbbe5..826f938ab00 100644
--- a/node_groups.tf
+++ b/node_groups.tf
@@ -223,6 +223,9 @@ module "fargate_profile" {
 # EKS Managed Node Group
 ################################################################################
+locals {
+  cluster_base_security_group_id = var.include_cluster_security_group ? aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id : null
+}
 module "eks_managed_node_group" {
   source = "./modules/eks-managed-node-group"
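Review bot: The new `local.cluster_base_security_group_id` in the node_groups.tf locals block is easy to confuse with the existing `local.cluster_security_group_id` (still passed to the self-managed module further down), yet they are different groups, and the locals block carries no comment saying so. I would add `# Primary security group that EKS itself creates for the cluster (not the module-managed cluster SG); attached to node groups only when var.include_cluster_security_group is true` above the assignment. The expression also indexes `aws_eks_cluster.this[0]` unconditionally inside the true branch; if the cluster resource is count-gated elsewhere in the file (not visible in this hunk), enabling the variable without a cluster would presumably fail on the index, so tying the condition to the cluster's create flag as well, or wrapping the lookup in `try(..., null)`, would be safer.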
@@ -281,7 +284,7 @@ module "eks_managed_node_group" {
   ebs_optimized = try(each.value.ebs_optimized, var.eks_managed_node_group_defaults.ebs_optimized, null)
   key_name = try(each.value.key_name, var.eks_managed_node_group_defaults.key_name, null)
-  vpc_security_group_ids = compact(concat([local.node_security_group_id], try(each.value.vpc_security_group_ids, var.eks_managed_node_group_defaults.vpc_security_group_ids, [])))
+  vpc_security_group_ids = compact(concat([local.cluster_base_security_group_id], [local.node_security_group_id], try(each.value.vpc_security_group_ids, var.eks_managed_node_group_defaults.vpc_security_group_ids, [])))
   launch_template_default_version = try(each.value.launch_template_default_version, var.eks_managed_node_group_defaults.launch_template_default_version, null)
   update_launch_template_default_version = try(each.value.update_launch_template_default_version, var.eks_managed_node_group_defaults.update_launch_template_default_version, true)
   disable_api_termination = try(each.value.disable_api_termination, var.eks_managed_node_group_defaults.disable_api_termination, null)
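Review bot: The new `vpc_security_group_ids` expression drops null entries with `compact` but never de-duplicates, so a caller that already lists the cluster's primary group or the node group ID in `vpc_security_group_ids` now produces the same ID twice in the launch template, while the main.tf hunk in this same commit wraps the cluster's list in `distinct`; whether the EC2 API tolerates a repeated group ID is something I would want to confirm rather than rely on. For consistency with main.tf I would write `vpc_security_group_ids = compact(distinct(concat([local.cluster_base_security_group_id, local.node_security_group_id], try(each.value.vpc_security_group_ids, var.eks_managed_node_group_defaults.vpc_security_group_ids, []))))`, which also folds the two one-element lists into one. The identical expression in the self_managed_node_group hunk below has the same issue. The enclosing module block starts and ends outside this hunk.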
@@ -405,7 +408,7 @@ module "self_managed_node_group" {
   instance_type = try(each.value.instance_type, var.self_managed_node_group_defaults.instance_type, "m6i.large")
   key_name = try(each.value.key_name, var.self_managed_node_group_defaults.key_name, null)
-  vpc_security_group_ids = compact(concat([local.node_security_group_id], try(each.value.vpc_security_group_ids, var.self_managed_node_group_defaults.vpc_security_group_ids, [])))
+  vpc_security_group_ids = compact(concat([local.cluster_base_security_group_id], [local.node_security_group_id], try(each.value.vpc_security_group_ids, var.self_managed_node_group_defaults.vpc_security_group_ids, [])))
   cluster_security_group_id = local.cluster_security_group_id
   launch_template_default_version = try(each.value.launch_template_default_version, var.self_managed_node_group_defaults.launch_template_default_version, null)
   update_launch_template_default_version = try(each.value.update_launch_template_default_version, var.self_managed_node_group_defaults.update_launch_template_default_version, true)
diff --git a/variables.tf b/variables.tf
index 709bc270bde..69dc04e8e6e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -175,6 +175,12 @@ variable "cluster_security_group_tags" {
   default = {}
 }
+variable "include_cluster_security_group" {
+  description = "Determines if cluster security group should be included in node launch templates"
+  type = bool
+  default = false
+}
 ################################################################################
 # EKS IPV6 CNI Policy
 ################################################################################
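Review bot: The description of the new `include_cluster_security_group` variable in variables.tf says "cluster security group" without saying which one, and this module already has a separately configured cluster security group (`local.cluster_security_group_id`, visible in the self-managed hunk above), so users will likely assume it means that one rather than the EKS-created primary group the locals block actually reads. I would make the description name the group and its effect, e.g. `description = "Determines if the cluster primary security group created by EKS should be attached to the node launch templates in addition to the node security group; this widens what each node accepts, since that group's default rules permit traffic between the control plane and every member"`; the last clause reflects my recollection of the EKS defaults and is worth checking against the current docs before it lands. Also `type = bool` with `default = false` is fine for backward compatibility; just keep the default false so existing node groups do not pick up an extra group on upgrade.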