github cloudposse/terraform-aws-eks-cluster 2.8.1
v2.8.1

11 months ago

🚀 Enhancements

Update Security Group rules @aknysh (#186)

what

  • Update Security Group rules

why

  • This module can create an additional Security Group for the EKS cluster for backwards compatibility if you are updating this module to the latest version on existing clusters
  • If the cluster was created using an older version of the module, EKS did not create a managed cluster Security Group at the time, and the cluster Security Group was the additional Security Group
  • This additional Security Group is returned from the expression one(aws_eks_cluster.default[*].vpc_config[0].cluster_security_group_id)
  • When the module tries to create resource "aws_security_group_rule" "managed_ingress_cidr_blocks" to add the allowed ingress CIDR blocks, the following error is thrown:
 Error: [WARN] A duplicate Security Group rule was found on (sg-xxxxxxxxx). This may be
│ a side effect of a now-fixed Terraform issue causing two security groups with
│ identical attributes but different source_security_group_ids to overwrite each
│ other in the state. See https://github.com/hashicorp/terraform/pull/2376 for more
│ information and instructions for recovery. Error: InvalidPermission.Duplicate: the specified rule "peer: 10.222.0.0/16, ALL, ALLOW" already exists
│ 	status code: 400, request id: 7065e36d-ffca-4540-8e43-ed75d94d752e
│
│   with module.eks_cluster.aws_security_group_rule.managed_ingress_cidr_blocks[0],
│   on .terraform/modules/eks_cluster/security-group.tf line 17, in resource "aws_security_group_rule" "managed_ingress_cidr_blocks":
│   17: resource "aws_security_group_rule" "managed_ingress_cidr_blocks" {
  • This PR adds a variable managed_security_group_rules_enabled. For the very old clusters (which use the custom SG as the main cluster SG), set the variable to false to not add the SG rules to it (since the SG is the custom SG to which the module adds the same rules anyway)
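
A pre-flight check for the situation described above, as an added example that is not part of the release notes or the module's code. It assumes JSON shaped like `aws eks describe-cluster` and `aws ec2 describe-security-groups` output, that the CLI field clusterSecurityGroupId carries the same value as the Terraform attribute quoted above, and that the managed rule is all-protocol as in the error message; the sample data and function names are constructed for illustration.

```python
# Constructed sample data shaped like `aws eks describe-cluster` and
# `aws ec2 describe-security-groups` output. The SG IDs are placeholders.
LEGACY_CLUSTER = {"cluster": {"resourcesVpcConfig": {
    "securityGroupIds": ["sg-0aaaaaaaaaaaaaaa1"],
    "clusterSecurityGroupId": "sg-0aaaaaaaaaaaaaaa1",
}}}
NEWER_CLUSTER = {"cluster": {"resourcesVpcConfig": {
    "securityGroupIds": ["sg-0aaaaaaaaaaaaaaa1"],
    "clusterSecurityGroupId": "sg-0bbbbbbbbbbbbbbb2",
}}}
CLUSTER_SG = {"GroupId": "sg-0aaaaaaaaaaaaaaa1", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.222.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.10.0.0/16"}]},
]}


def cluster_sg_is_additional_sg(cluster):
    """True when the cluster SG is one of the additional (custom) SGs."""
    vpc = cluster["cluster"]["resourcesVpcConfig"]
    return vpc.get("clusterSecurityGroupId") in vpc.get("securityGroupIds", [])


def duplicate_cidrs(security_group, allowed_cidr_blocks):
    """Allowed CIDRs that already have an all-protocol ingress rule."""
    existing = {
        ip_range["CidrIp"]
        for perm in security_group.get("IpPermissions", [])
        if perm.get("IpProtocol") == "-1"  # "ALL" in the error message
        for ip_range in perm.get("IpRanges", [])
    }
    return sorted(existing & set(allowed_cidr_blocks))


def preflight(cluster, security_group, allowed_cidr_blocks):
    """Suggest managed_security_group_rules_enabled and list clashing CIDRs."""
    legacy = cluster_sg_is_additional_sg(cluster)
    return {
        "managed_security_group_rules_enabled": not legacy,
        "duplicate_cidrs": duplicate_cidrs(security_group, allowed_cidr_blocks),
    }


if __name__ == "__main__":
    print(preflight(LEGACY_CLUSTER, CLUSTER_SG, ["10.222.0.0/16"]))
    print(preflight(NEWER_CLUSTER, CLUSTER_SG, ["10.20.0.0/16"]))
```

A non-empty duplicate_cidrs list identifies the CIDR blocks for which the rule creation would fail with InvalidPermission.Duplicate.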
