
Merge pull request #1 from Apollo-Systems/additional_security_groups
Additional security groups
kwarunek committed Apr 26, 2021
2 parents 61ac930 + 414b925 commit 79debfb
Showing 4 changed files with 17 additions and 5 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -251,6 +251,7 @@ Available targets:

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| additional\_security\_group\_ids | Additional list of security groups that will be attached to the node group | `list(string)` | `[]` | no |
| additional\_tag\_map | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no |
| after\_cluster\_joining\_userdata | Additional `bash` commands to execute on each worker node after joining the EKS cluster (after executing the `bootstrap.sh` script). For more info, see https://kubedex.com/90-days-of-aws-eks-in-production | `string` | `""` | no |
| ami\_image\_id | AMI to use. Ignored of `launch_template_id` is supplied. | `string` | `null` | no |
7 changes: 5 additions & 2 deletions launch-template.tf
Expand Up @@ -38,8 +38,11 @@ locals {
launch_template_ami = length(local.configured_ami_image_id) == 0 ? (local.features_require_ami ? data.aws_ami.selected[0].image_id : "") : local.configured_ami_image_id

launch_template_vpc_security_group_ids = (
local.need_remote_access_sg ?
concat(data.aws_eks_cluster.this[0].vpc_config[*].cluster_security_group_id, aws_security_group.remote_access.*.id) : []
concat(
local.ng.additional_security_group_ids,
local.get_cluster_data ? data.aws_eks_cluster.this[0].vpc_config[*].cluster_security_group_id : [],
local.need_remote_access_sg ? aws_security_group.remote_access.*.id : []
)
)

# launch_template_key = join(":", coalescelist(local.launch_template_vpc_security_group_ids, ["closed"]))
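Review bot: The new `concat(...)` on the added lines can yield duplicate IDs when a caller lists the cluster security group or the generated remote-access group in `additional_security_group_ids`, and nothing here dedupes them; wrapping the expression as `launch_template_vpc_security_group_ids = distinct(concat(` keeps the list idempotent regardless of whether the provider's `vpc_security_group_ids` attribute tolerates repeats. The cluster security group is now attached whenever `local.get_cluster_data` is true, whereas the removed lines attached it only together with the remote-access group; that looks intended, since a launch template that names any security group must also carry the cluster group for node-to-control-plane traffic, but a one-line comment such as `# Cluster SG must be listed explicitly once any SG is set on the launch template` would make the reasoning survive the next edit. The enclosing `locals` block starts outside the hunk.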
8 changes: 5 additions & 3 deletions main.tf
Expand Up @@ -6,13 +6,13 @@ locals {
configured_ami_image_id = var.ami_image_id == null ? "" : var.ami_image_id
need_ami_id = local.enabled ? local.features_require_ami && length(local.configured_ami_image_id) == 0 : false

features_require_launch_template = local.enabled ? length(var.resources_to_tag) > 0 || local.need_userdata || local.features_require_ami : false
features_require_launch_template = local.enabled ? length(var.resources_to_tag) > 0 || local.need_userdata || local.features_require_ami || length(var.additional_security_group_ids) > 0 : false

have_ssh_key = var.ec2_ssh_key != null && var.ec2_ssh_key != ""

need_remote_access_sg = local.enabled && local.have_ssh_key && local.generate_launch_template

get_cluster_data = local.enabled ? (local.need_cluster_kubernetes_version || local.need_bootstrap || local.need_remote_access_sg) : false
get_cluster_data = local.enabled ? (local.need_cluster_kubernetes_version || local.need_bootstrap || local.need_remote_access_sg || length(var.additional_security_group_ids) > 0) : false

autoscaler_enabled = var.enable_cluster_autoscaler != null ? var.enable_cluster_autoscaler : var.cluster_autoscaler_enabled == true
#
Expand Down Expand Up @@ -86,6 +86,7 @@ locals {
ec2_ssh_key = local.have_ssh_key ? var.ec2_ssh_key : "none"
# Keep sorted so that change in order does not trigger replacement via random_pet
source_security_group_ids = local.ng_needs_remote_access ? sort(var.source_security_group_ids) : []
additional_security_group_ids = sort(var.additional_security_group_ids)
}
}

Expand Down Expand Up @@ -114,7 +115,8 @@ resource "random_pet" "cbd" {
# actually track security groups by using
# source_security_group_ids = join(",", local.ng.source_security_group_ids, aws_security_group.remote_access.*.id)
#
source_security_group_ids = local.need_remote_access_sg ? "generated for launch template" : join(",", local.ng.source_security_group_ids)
source_security_group_ids = local.need_remote_access_sg ? "generated for launch template" : join(",", local.ng.source_security_group_ids)
additional_security_group_ids = join(",", local.ng.additional_security_group_ids)

launch_template_id = local.use_launch_template ? local.launch_template_id : "none"
}
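Review bot: `length(var.additional_security_group_ids) > 0` is duplicated across the two changed lines of the first hunk (`features_require_launch_template` and `get_cluster_data`); a single local in the style of the nearby `have_ssh_key`, e.g. `have_additional_security_groups = length(var.additional_security_group_ids) > 0` (name constructed), referenced from both, keeps the two gates from drifting apart. In the third hunk, the new `additional_security_group_ids` keeper means any change to that list replaces the node group through `random_pet`, while `source_security_group_ids` deliberately collapses to the fixed string `"generated for launch template"` when the groups live in the launch template; since the additional groups also go through the launch template, confirm that replacement rather than a rolling update to a new template version is the intended effect, and say so in the comment above the keepers. The `source_security_group_ids` line in that hunk appears to differ only in alignment whitespace. Both the `locals` and `random_pet` blocks begin outside the hunks.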
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -46,6 +46,12 @@ variable "source_security_group_ids" {
description = "Set of EC2 Security Group IDs to allow SSH access (port 22) to the worker nodes. If you specify `ec2_ssh_key`, but do not specify this configuration when you create an EKS Node Group, port 22 on the worker nodes is opened to the Internet (0.0.0.0/0)"
}

variable "additional_security_group_ids" {
type = list(string)
default = []
description = "Set of additional EC2 Security Group IDs that will be associated with the EKS Node Group"
}

variable "desired_size" {
type = number
description = "Initial desired number of worker nodes (external changes ignored)"
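Review bot: The description on the added variable says "Set" while the declared type is `list(string)`, and it does not tell the caller that supplying it forces a generated launch template (the `features_require_launch_template` change in main.tf) or that the cluster security group is attached alongside. Suggest `description = "List of additional EC2 Security Group IDs to attach to the worker nodes. Supplying any forces a generated launch template; the cluster security group is attached alongside them and need not be listed."`. A `validation` block rejecting entries that do not match `^sg-` would surface typos at plan time rather than as an apply failure, if the module's required Terraform version supports variable validation.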
