diff --git a/README.md b/README.md index 1bbe6bc3..05db4da6 100644 --- a/README.md +++ b/README.md @@ -73,8 +73,8 @@ The module provisions the following resources: __NOTE:__ The module works with [Terraform Cloud](https://www.terraform.io/docs/cloud/index.html). -__NOTE:__ Release `0.45.0` contains breaking changes that will result in the destruction of your existing EKS cluster. -To preserve the original cluster, follow the instructions in the [0.44.x to 0.45.x+ migration path](./docs/migration-0.44.x-0.45.x+.md). +__NOTE:__ Release `0.45.0` contains some changes that could result in the destruction of your existing EKS cluster. +To circumvent this, follow the instructions in the [0.45.x+ migration path](./docs/migration-0.45.x+.md). __NOTE:__ Every Terraform module that provisions an EKS cluster has faced the challenge that access to the cluster is partly controlled by a resource inside the cluster, a ConfigMap called `aws-auth`. You need to be able to access @@ -265,7 +265,7 @@ Other examples: } ``` -Module usage with two worker groups: +Module usage with two unmanaged worker groups: ```hcl locals { @@ -343,7 +343,7 @@ Module usage with two worker groups: oidc_provider_enabled = false workers_role_arns = [module.eks_workers.workers_role_arn, module.eks_workers_2.workers_role_arn] - workers_security_group_ids = [module.eks_workers.security_group_id, module.eks_workers_2.security_group_id] + allowed_security_group_ids = [module.eks_workers.security_group_id, module.eks_workers_2.security_group_id] context = module.label.context } @@ -371,7 +371,7 @@ Available targets: | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.14.11 | +| [terraform](#requirement\_terraform) | >= 0.14.0 | | [aws](#requirement\_aws) | >= 3.38 | | [kubernetes](#requirement\_kubernetes) | >= 2.7.1 | | [null](#requirement\_null) | >= 2.0 | 
@@ -390,7 +390,6 @@ Available targets:
 | Name | Source | Version |
 |------|--------|---------|
-| [aws\_security\_group](#module\_aws\_security\_group) | cloudposse/security-group/aws | 0.4.3 |
 | [label](#module\_label) | cloudposse/label/null | 0.25.0 |
 | [this](#module\_this) | cloudposse/label/null | 0.25.0 |
@@ -409,6 +408,13 @@ Available targets:
 | [aws_iam_role_policy_attachment.cluster_elb_service_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_kms_alias.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_key.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.ingress_cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.ingress_workers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.managed_ingress_cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.managed_ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [kubernetes_config_map.aws_auth](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |
 | [kubernetes_config_map.aws_auth_ignore_changes](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |
 | [null_resource.wait_for_cluster](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
@@ -422,14 +428,13 @@ Available targets: | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [additional\_security\_group\_rules](#input\_additional\_security\_group\_rules) | A list of Security Group rule objects to add to the created security group, in addition to the ones
this module normally creates. (To suppress the module's rules, set `create_security_group` to false
and supply your own security group via `associated_security_group_ids`.)
The keys and values of the objects are fully compatible with the `aws_security_group_rule` resource, except
for `security_group_id` which will be ignored, and the optional "key" which, if provided, must be unique and known at "plan" time.
To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule . | `list(any)` | `[]` | no | | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | | [addons](#input\_addons) | Manages [`aws_eks_addon`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) resources. |
list(object({
addon_name = string
addon_version = string
resolve_conflicts = string
service_account_role_arn = string
}))
| `[]` | no | -| [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | A list of IPv4 CIDRs to allow access to the security group created by this module.
The length of this list must be known at "plan" time. | `list(string)` | `[]` | no | -| [allowed\_security\_group\_ids](#input\_allowed\_security\_group\_ids) | A list of IDs of Security Groups to allow access to the security group created by this module. | `list(string)` | `[]` | no | +| [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | A list of IPv4 CIDRs to allow access to the cluster.
The length of this list must be known at "plan" time. | `list(string)` | `[]` | no | +| [allowed\_security\_group\_ids](#input\_allowed\_security\_group\_ids) | A list of IDs of Security Groups to allow access to the cluster. | `list(string)` | `[]` | no | | [allowed\_security\_groups](#input\_allowed\_security\_groups) | DEPRECATED: Use `allowed_security_group_ids` instead.
Historical description: List of Security Group IDs to be allowed to connect to the EKS cluster.
Historical default: `[]` | `list(string)` | `[]` | no | | [apply\_config\_map\_aws\_auth](#input\_apply\_config\_map\_aws\_auth) | Whether to apply the ConfigMap to allow worker nodes to join the EKS cluster and allow additional users, accounts and roles to acces the cluster | `bool` | `true` | no | -| [associated\_security\_group\_ids](#input\_associated\_security\_group\_ids) | A list of IDs of Security Groups to associate the created resource with, in addition to the created security group.
These security groups will not be modified and, if `create_security_group` is `false`, must have rules providing the desired access. | `list(string)` | `[]` | no | +| [associated\_security\_group\_ids](#input\_associated\_security\_group\_ids) | A list of IDs of Security Groups to associate the cluster with.
These security groups will not be modified. | `list(string)` | `[]` | no | | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | | [aws\_auth\_yaml\_strip\_quotes](#input\_aws\_auth\_yaml\_strip\_quotes) | If true, remove double quotes from the generated aws-auth ConfigMap YAML to reduce spurious diffs in plans | `bool` | `true` | no | | [cluster\_encryption\_config\_enabled](#input\_cluster\_encryption\_config\_enabled) | Set to `true` to enable Cluster Encryption Configuration | `bool` | `true` | no | @@ -441,7 +446,7 @@ Available targets: | [cluster\_log\_retention\_period](#input\_cluster\_log\_retention\_period) | Number of days to retain cluster logs. Requires `enabled_cluster_log_types` to be set. See https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. | `number` | `0` | no | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | | [create\_eks\_service\_role](#input\_create\_eks\_service\_role) | Set `false` to use existing `eks_cluster_service_role_arn` instead of creating one | `bool` | `true` | no | -| [create\_security\_group](#input\_create\_security\_group) | Set `true` to create and configure a Security Group for the cluster. | `bool` | `true` | no | +| [create\_security\_group](#input\_create\_security\_group) | Set to `true` to create and configure an additional Security Group for the cluster.
Only for backwards compatibility, if you are updating this module to the latest version on existing clusters, not recommended for new clusters.
EKS creates a managed Security Group for the cluster automatically, places the control plane and managed nodes into the Security Group,
and you can also allow unmanaged nodes to communicate with the cluster by using the `allowed_security_group_ids` variable.
The additional Security Group is kept in the module for backwards compatibility and will be removed in future releases along with this variable.
See https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html for more details. | `bool` | `false` | no | | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | | [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | | [dummy\_kubeapi\_server](#input\_dummy\_kubeapi\_server) | URL of a dummy API server for the Kubernetes server to use when the real one is unknown.
This is a workaround to ignore connection failures that break Terraform even though the results do not matter.
You can disable it by setting it to `null`; however, as of Kubernetes provider v2.3.2, doing so \_will\_
cause Terraform to fail in several situations unless you provide a valid `kubeconfig` file
via `kubeconfig_path` and set `kubeconfig_path_enabled` to `true`. | `string` | `"https://jsonplaceholder.typicode.com"` | no | @@ -478,11 +483,6 @@ Available targets: | [public\_access\_cidrs](#input\_public\_access\_cidrs) | Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. EKS defaults this to a list with 0.0.0.0/0. | `list(string)` |
[
"0.0.0.0/0"
]
| no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | | [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [security\_group\_create\_before\_destroy](#input\_security\_group\_create\_before\_destroy) | Set `true` to enable Terraform `create_before_destroy` behavior on the created security group.
We recommend setting this `true` on new security groups, but default it to `false` because `true`
will cause existing security groups to be replaced, possibly requiring the resource to be deleted and recreated.
Note that changing this value will always cause the security group to be replaced. | `bool` | `false` | no | -| [security\_group\_create\_timeout](#input\_security\_group\_create\_timeout) | How long to wait for the security group to be created. | `string` | `"10m"` | no | -| [security\_group\_delete\_timeout](#input\_security\_group\_delete\_timeout) | How long to retry on `DependencyViolation` errors during security group deletion from
lingering ENIs left by certain AWS services such as Elastic Load Balancing. | `string` | `"15m"` | no | -| [security\_group\_description](#input\_security\_group\_description) | The description to assign to the created Security Group.
Warning: Changing the description causes the security group to be replaced. | `string` | `"Security Group for EKS cluster"` | no | -| [security\_group\_name](#input\_security\_group\_name) | The name to assign to the created security group. Must be unique within the VPC.
If not provided, will be derived from the `null-label.context` passed in.
If `create_before_destroy` is true, will be used as a name prefix. | `list(string)` | `[]` | no | | [service\_ipv4\_cidr](#input\_service\_ipv4\_cidr) | The CIDR block to assign Kubernetes service IP addresses from.
You can only specify a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created. | `string` | `null` | no | | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | | [subnet\_ids](#input\_subnet\_ids) | A list of subnet IDs to launch the cluster in | `list(string)` | n/a | yes | @@ -491,7 +491,7 @@ Available targets: | [vpc\_id](#input\_vpc\_id) | VPC ID for the EKS cluster | `string` | n/a | yes | | [wait\_for\_cluster\_command](#input\_wait\_for\_cluster\_command) | `local-exec` command to execute to determine if the EKS cluster is healthy. Cluster endpoint are available as environment variable `ENDPOINT` | `string` | `"curl --silent --fail --retry 60 --retry-delay 5 --retry-connrefused --insecure --output /dev/null $ENDPOINT/healthz"` | no | | [workers\_role\_arns](#input\_workers\_role\_arns) | List of Role ARNs of the worker nodes | `list(string)` | `[]` | no | -| [workers\_security\_group\_ids](#input\_workers\_security\_group\_ids) | Security Group IDs of the worker nodes | `list(string)` | `[]` | no | +| [workers\_security\_group\_ids](#input\_workers\_security\_group\_ids) | DEPRECATED: Use `allowed_security_group_ids` instead.
Historical description: Security Group IDs of the worker nodes.
Historical default: `[]` | `list(string)` | `[]` | no | ## Outputs @@ -511,9 +511,9 @@ Available targets: | [eks\_cluster\_role\_arn](#output\_eks\_cluster\_role\_arn) | ARN of the EKS cluster IAM role | | [eks\_cluster\_version](#output\_eks\_cluster\_version) | The Kubernetes server version of the cluster | | [kubernetes\_config\_map\_id](#output\_kubernetes\_config\_map\_id) | ID of `aws-auth` Kubernetes ConfigMap | -| [security\_group\_arn](#output\_security\_group\_arn) | ARN of the EKS cluster Security Group | -| [security\_group\_id](#output\_security\_group\_id) | ID of the EKS cluster Security Group | -| [security\_group\_name](#output\_security\_group\_name) | Name of the EKS cluster Security Group | +| [security\_group\_arn](#output\_security\_group\_arn) | ARN of the created Security Group for the EKS cluster | +| [security\_group\_id](#output\_security\_group\_id) | ID of the created Security Group for the EKS cluster | +| [security\_group\_name](#output\_security\_group\_name) | Name of the created Security Group for the EKS cluster | @@ -612,7 +612,7 @@ In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow. ## Copyright -Copyright © 2017-2021 [Cloud Posse, LLC](https://cpco.io/copyright) +Copyright © 2017-2022 [Cloud Posse, LLC](https://cpco.io/copyright) diff --git a/README.yaml b/README.yaml index 2ac8ab5d..f0667386 100644 --- a/README.yaml +++ b/README.yaml 
@@ -1,51 +1,55 @@ name: terraform-aws-eks-cluster + license: APACHE2 + github_repo: cloudposse/terraform-aws-eks-cluster + badges: -- name: Latest Release - image: https://img.shields.io/github/release/cloudposse/terraform-aws-eks-cluster.svg - url: https://github.com/cloudposse/terraform-aws-eks-cluster/releases/latest -- name: Slack Community - image: https://slack.cloudposse.com/badge.svg - url: https://slack.cloudposse.com + - name: Latest Release + image: https://img.shields.io/github/release/cloudposse/terraform-aws-eks-cluster.svg + url: https://github.com/cloudposse/terraform-aws-eks-cluster/releases/latest + - name: Slack Community + image: https://slack.cloudposse.com/badge.svg + url: https://slack.cloudposse.com + related: -- name: terraform-aws-eks-workers - description: Terraform module to provision an AWS AutoScaling Group, IAM Role, and - Security Group for EKS Workers - url: https://github.com/cloudposse/terraform-aws-eks-workers -- name: terraform-aws-ec2-autoscale-group - description: Terraform module to provision Auto Scaling Group and Launch Template - on AWS - url: https://github.com/cloudposse/terraform-aws-ec2-autoscale-group -- name: terraform-aws-ecs-container-definition - description: Terraform module to generate well-formed JSON documents (container - definitions) that are passed to the aws_ecs_task_definition Terraform resource - url: https://github.com/cloudposse/terraform-aws-ecs-container-definition -- name: terraform-aws-ecs-alb-service-task - description: Terraform module which implements an ECS service which exposes a web - service via ALB - url: https://github.com/cloudposse/terraform-aws-ecs-alb-service-task -- name: terraform-aws-ecs-web-app - description: Terraform module that implements a web app on ECS and supports autoscaling, - CI/CD, monitoring, ALB integration, and much more - url: https://github.com/cloudposse/terraform-aws-ecs-web-app -- name: terraform-aws-ecs-codepipeline - description: Terraform module for CI/CD with 
AWS Code Pipeline and Code Build for - ECS - url: https://github.com/cloudposse/terraform-aws-ecs-codepipeline -- name: terraform-aws-ecs-cloudwatch-autoscaling - description: Terraform module to autoscale ECS Service based on CloudWatch metrics - url: https://github.com/cloudposse/terraform-aws-ecs-cloudwatch-autoscaling -- name: terraform-aws-ecs-cloudwatch-sns-alarms - description: Terraform module to create CloudWatch Alarms on ECS Service level metrics - url: https://github.com/cloudposse/terraform-aws-ecs-cloudwatch-sns-alarms -- name: terraform-aws-ec2-instance - description: Terraform module for providing a general purpose EC2 instance - url: https://github.com/cloudposse/terraform-aws-ec2-instance -- name: terraform-aws-ec2-instance-group - description: Terraform module for provisioning multiple general purpose EC2 hosts - for stateful applications - url: https://github.com/cloudposse/terraform-aws-ec2-instance-group + - name: terraform-aws-eks-workers + description: Terraform module to provision an AWS AutoScaling Group, IAM Role, and + Security Group for EKS Workers + url: https://github.com/cloudposse/terraform-aws-eks-workers + - name: terraform-aws-ec2-autoscale-group + description: Terraform module to provision Auto Scaling Group and Launch Template + on AWS + url: https://github.com/cloudposse/terraform-aws-ec2-autoscale-group + - name: terraform-aws-ecs-container-definition + description: Terraform module to generate well-formed JSON documents (container + definitions) that are passed to the aws_ecs_task_definition Terraform resource + url: https://github.com/cloudposse/terraform-aws-ecs-container-definition + - name: terraform-aws-ecs-alb-service-task + description: Terraform module which implements an ECS service which exposes a web + service via ALB + url: https://github.com/cloudposse/terraform-aws-ecs-alb-service-task + - name: terraform-aws-ecs-web-app + description: Terraform module that implements a web app on ECS and supports autoscaling, 
+ CI/CD, monitoring, ALB integration, and much more + url: https://github.com/cloudposse/terraform-aws-ecs-web-app + - name: terraform-aws-ecs-codepipeline + description: Terraform module for CI/CD with AWS Code Pipeline and Code Build for + ECS + url: https://github.com/cloudposse/terraform-aws-ecs-codepipeline + - name: terraform-aws-ecs-cloudwatch-autoscaling + description: Terraform module to autoscale ECS Service based on CloudWatch metrics + url: https://github.com/cloudposse/terraform-aws-ecs-cloudwatch-autoscaling + - name: terraform-aws-ecs-cloudwatch-sns-alarms + description: Terraform module to create CloudWatch Alarms on ECS Service level metrics + url: https://github.com/cloudposse/terraform-aws-ecs-cloudwatch-sns-alarms + - name: terraform-aws-ec2-instance + description: Terraform module for providing a general purpose EC2 instance + url: https://github.com/cloudposse/terraform-aws-ec2-instance + - name: terraform-aws-ec2-instance-group + description: Terraform module for provisioning multiple general purpose EC2 hosts + for stateful applications + url: https://github.com/cloudposse/terraform-aws-ec2-instance-group description: Terraform module to provision an [EKS](https://aws.amazon.com/eks/) cluster on AWS. 
@@ -62,8 +66,8 @@ introduction: |- __NOTE:__ The module works with [Terraform Cloud](https://www.terraform.io/docs/cloud/index.html). - __NOTE:__ Release `0.45.0` contains breaking changes that will result in the destruction of your existing EKS cluster. - To preserve the original cluster, follow the instructions in the [0.44.x to 0.45.x+ migration path](./docs/migration-0.44.x-0.45.x+.md). + __NOTE:__ Release `0.45.0` contains some changes that could result in the destruction of your existing EKS cluster. + To circumvent this, follow the instructions in the [0.45.x+ migration path](./docs/migration-0.45.x+.md). __NOTE:__ Every Terraform module that provisions an EKS cluster has faced the challenge that access to the cluster is partly controlled by a resource inside the cluster, a ConfigMap called `aws-auth`. You need to be able to access @@ -173,7 +177,7 @@ usage: |2- source = "cloudposse/dynamic-subnets/aws" # Cloud Posse recommends pinning every module to a specific version # version = "x.x.x" - + availability_zones = var.availability_zones vpc_id = module.vpc.vpc_id igw_id = module.vpc.igw_id @@ -189,7 +193,7 @@ usage: |2- source = "cloudposse/eks-node-group/aws" # Cloud Posse recommends pinning every module to a specific version # version = "x.x.x" - + instance_types = [var.instance_type] subnet_ids = module.subnets.public_subnet_ids health_check_type = var.health_check_type @@ -201,7 +205,7 @@ usage: |2- cluster_autoscaler_enabled = var.autoscaling_policies_enabled context = module.label.context - + # Ensure the cluster is fully created before trying to add the node group module_depends_on = module.eks_cluster.kubernetes_config_map_id } @@ -221,7 +225,7 @@ usage: |2- } ``` - Module usage with two worker groups: + Module usage with two unmanaged worker groups: ```hcl locals { 
@@ -256,7 +260,7 @@ usage: |2- autoscaling_policies_enabled = var.autoscaling_policies_enabled cpu_utilization_high_threshold_percent = var.cpu_utilization_high_threshold_percent cpu_utilization_low_threshold_percent = var.cpu_utilization_low_threshold_percent - + context = module.label.context } 
@@ -299,29 +303,30 @@ usage: |2- oidc_provider_enabled = false workers_role_arns = [module.eks_workers.workers_role_arn, module.eks_workers_2.workers_role_arn] - workers_security_group_ids = [module.eks_workers.security_group_id, module.eks_workers_2.security_group_id] - + allowed_security_group_ids = [module.eks_workers.security_group_id, module.eks_workers_2.security_group_id] + context = module.label.context } ``` include: -- docs/targets.md -- docs/terraform.md + - docs/targets.md + - docs/terraform.md + contributors: -- name: Erik Osterman - homepage: https://github.com/osterman - avatar: https://s.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb?s=144 - github: osterman -- name: Andriy Knysh - homepage: https://github.com/aknysh/ - avatar: https://avatars0.githubusercontent.com/u/7356997?v=4&u=ed9ce1c9151d552d985bdf5546772e14ef7ab617&s=144 - github: aknysh -- name: Igor Rodionov - homepage: https://github.com/goruha/ - avatar: https://s.gravatar.com/avatar/bc70834d32ed4517568a1feb0b9be7e2?s=144 - github: goruha -- name: Oscar - homepage: https://github.com/osulli/ - avatar: https://avatars1.githubusercontent.com/u/46930728?v=4&s=144 - github: osulli + - name: Erik Osterman + homepage: https://github.com/osterman + avatar: https://s.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb?s=144 + github: osterman + - name: Andriy Knysh + homepage: https://github.com/aknysh/ + avatar: https://avatars0.githubusercontent.com/u/7356997?v=4&u=ed9ce1c9151d552d985bdf5546772e14ef7ab617&s=144 + github: aknysh + - name: Igor Rodionov + homepage: https://github.com/goruha/ + avatar: https://s.gravatar.com/avatar/bc70834d32ed4517568a1feb0b9be7e2?s=144 + github: goruha + - name: Oscar + homepage: https://github.com/osulli/ + avatar: https://avatars1.githubusercontent.com/u/46930728?v=4&s=144 + github: osulli diff --git a/docs/migration-0.44.x-0.45.x+.md b/docs/migration-0.44.x-0.45.x+.md deleted file mode 100644 index baa63c32..00000000 
--- a/docs/migration-0.44.x-0.45.x+.md
+++ /dev/null
@@ -1,25 +0,0 @@
-# Migration from 0.44.x to 0.45.x+
-
-Version `0.45.0` of this module introduces breaking changes that, without taking additional precautions, will cause the EKS cluster to be recreated.
-
-This is because version `0.45.0` relies on the [terraform-aws-security-group](https://github.com/cloudposse/terraform-aws-security-group)
-module for managing the cluster Security Group. This changes the Terraform resource address for the Security Group, which will cause Terraform to recreate the SG.
-
-To circumvent this, after bumping the module version to `0.45.0` (or above), run a plan to retrieve the resource address of the SG that Terraform would like to destroy, and the resource
-address of the SG which Terraform would like to create.
-
-First, make sure that the following variable is set:
-
-```hcl
-security_group_description = "Security Group for EKS cluster"
-```
-
-Setting `security_group_description` to its "legacy" value will keep the Security Group from being replaced, and hence the EKS cluster from being recreated.
-
-Finally, change the resource address of the existing Security Group.
-
-```bash
-$ terraform state mv "...aws_security_group.default[0]" "...module.eks_cluster.aws_security_group.default[0]"
-```
-
-This will result in a Terraform apply that will only destroy SG Rules, but not the Security Group itself or the EKS cluster.
diff --git a/docs/migration-0.45.x+.md b/docs/migration-0.45.x+.md
new file mode 100644
index 00000000..a1cd2962
--- /dev/null
+++ b/docs/migration-0.45.x+.md
@@ -0,0 +1,47 @@
+# Migration to 0.45.x+
+
+Version `0.45.0` of this module introduces potential breaking changes that, without taking additional precautions, could cause the EKS cluster to be recreated.
+
+## Background
+
+This module creates an EKS cluster, which automatically creates an EKS-managed Security Group in which all managed nodes are placed automatically by EKS, and unmanaged nodes could be placed
+by the user, to ensure the nodes and control plane can communicate.
+
+Before version `0.45.0`, this module, by default, created an additional Security Group. Prior to version `0.19.0` of this module, that additional Security Group was the only one exposed by
+this module (because EKS at the time did not create the managed Security Group for the cluster), and it was intended that all worker nodes (managed and unmanaged) be placed in this
+additional Security Group. With version `0.19.0`, this module exposed the managed Security Group created by the EKS cluster, in which all managed node groups are placed by default. We now
+recommend placing non-managed node groups in the EKS-created Security Group as well by using the `allowed_security_group_ids` variable, and not create an additional Security Group.
+
+See https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html for more details.
+
+## Migration process
+
+If you are deploying a new EKS cluster with this module, no special steps need to be taken. Just keep the variable `create_security_group` set to `false` to not create an additional Security
+Group. Don't use the deprecated variables (see `variables-deprecated.tf`).
+
+If you are updating this module to the latest version on existing (already deployed) EKS clusters, set the variable `create_security_group` to `true` to enable the additional Security Group
+and all the rules (which were enabled by default in the previous releases of this module).
+
+## Deprecated variables
+
+Some variables have been deprecated (see `variables-deprecated.tf`), don't use them when creating new EKS clusters.
+
+- Use `allowed_security_group_ids` instead of `allowed_security_groups` and `workers_security_group_ids`
+
+- When using unmanaged worker nodes (e.g. with https://github.com/cloudposse/terraform-aws-eks-workers module), provide the worker nodes Security Groups to the cluster using
+ the `allowed_security_group_ids` variable, for example:
+
+ ```hcl
+ module "eks_workers" {
+ source = "cloudposse/eks-workers/aws"
+ }
+
+ module "eks_workers_2" {
+ source = "cloudposse/eks-workers/aws"
+ }
+
+ module "eks_cluster" {
+ source = "cloudposse/eks-cluster/aws"
+ allowed_security_group_ids = [module.eks_workers.security_group_id, module.eks_workers_2.security_group_id]
+ }
+ ```
diff --git a/docs/terraform.md b/docs/terraform.md
index 16dd195c..1b64f9a2 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -3,7 +3,7 @@
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 0.14.11 |
+| [terraform](#requirement\_terraform) | >= 0.14.0 |
 | [aws](#requirement\_aws) | >= 3.38 |
 | [kubernetes](#requirement\_kubernetes) | >= 2.7.1 |
 | [null](#requirement\_null) | >= 2.0 |
@@ -22,7 +22,6 @@
 | Name | Source | Version |
 |------|--------|---------|
-| [aws\_security\_group](#module\_aws\_security\_group) | cloudposse/security-group/aws | 0.4.3 |
 | [label](#module\_label) | cloudposse/label/null | 0.25.0 |
 | [this](#module\_this) | cloudposse/label/null | 0.25.0 |
@@ -41,6 +40,13 @@
 | [aws_iam_role_policy_attachment.cluster_elb_service_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_kms_alias.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_key.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.ingress_cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.ingress_workers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.managed_ingress_cidr_blocks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_security_group_rule.managed_ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [kubernetes_config_map.aws_auth](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |
 | [kubernetes_config_map.aws_auth_ignore_changes](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |
 | [null_resource.wait_for_cluster](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
@@ -54,14 +60,13 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [additional\_security\_group\_rules](#input\_additional\_security\_group\_rules) | A list of Security Group rule objects to add to the created security group, in addition to the ones
this module normally creates. (To suppress the module's rules, set `create_security_group` to false
and supply your own security group via `associated_security_group_ids`.)
The keys and values of the objects are fully compatible with the `aws_security_group_rule` resource, except
for `security_group_id` which will be ignored, and the optional "key" which, if provided, must be unique and known at "plan" time.
To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule . | `list(any)` | `[]` | no | | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | | [addons](#input\_addons) | Manages [`aws_eks_addon`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) resources. |
list(object({
addon_name = string
addon_version = string
resolve_conflicts = string
service_account_role_arn = string
}))
| `[]` | no | -| [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | A list of IPv4 CIDRs to allow access to the security group created by this module.
The length of this list must be known at "plan" time. | `list(string)` | `[]` | no | -| [allowed\_security\_group\_ids](#input\_allowed\_security\_group\_ids) | A list of IDs of Security Groups to allow access to the security group created by this module. | `list(string)` | `[]` | no | +| [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | A list of IPv4 CIDRs to allow access to the cluster.
The length of this list must be known at "plan" time. | `list(string)` | `[]` | no | +| [allowed\_security\_group\_ids](#input\_allowed\_security\_group\_ids) | A list of IDs of Security Groups to allow access to the cluster. | `list(string)` | `[]` | no | | [allowed\_security\_groups](#input\_allowed\_security\_groups) | DEPRECATED: Use `allowed_security_group_ids` instead.
Historical description: List of Security Group IDs to be allowed to connect to the EKS cluster.
Historical default: `[]` | `list(string)` | `[]` | no | | [apply\_config\_map\_aws\_auth](#input\_apply\_config\_map\_aws\_auth) | Whether to apply the ConfigMap to allow worker nodes to join the EKS cluster and allow additional users, accounts and roles to acces the cluster | `bool` | `true` | no | -| [associated\_security\_group\_ids](#input\_associated\_security\_group\_ids) | A list of IDs of Security Groups to associate the created resource with, in addition to the created security group.
These security groups will not be modified and, if `create_security_group` is `false`, must have rules providing the desired access. | `list(string)` | `[]` | no | +| [associated\_security\_group\_ids](#input\_associated\_security\_group\_ids) | A list of IDs of Security Groups to associate the cluster with.
These security groups will not be modified. | `list(string)` | `[]` | no | | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | | [aws\_auth\_yaml\_strip\_quotes](#input\_aws\_auth\_yaml\_strip\_quotes) | If true, remove double quotes from the generated aws-auth ConfigMap YAML to reduce spurious diffs in plans | `bool` | `true` | no | | [cluster\_encryption\_config\_enabled](#input\_cluster\_encryption\_config\_enabled) | Set to `true` to enable Cluster Encryption Configuration | `bool` | `true` | no | @@ -73,7 +78,7 @@ | [cluster\_log\_retention\_period](#input\_cluster\_log\_retention\_period) | Number of days to retain cluster logs. Requires `enabled_cluster_log_types` to be set. See https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. | `number` | `0` | no | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | | [create\_eks\_service\_role](#input\_create\_eks\_service\_role) | Set `false` to use existing `eks_cluster_service_role_arn` instead of creating one | `bool` | `true` | no | -| [create\_security\_group](#input\_create\_security\_group) | Set `true` to create and configure a Security Group for the cluster. | `bool` | `true` | no | +| [create\_security\_group](#input\_create\_security\_group) | Set to `true` to create and configure an additional Security Group for the cluster.
Only for backwards compatibility, if you are updating this module to the latest version on existing clusters, not recommended for new clusters.
EKS creates a managed Security Group for the cluster automatically, places the control plane and managed nodes into the Security Group,
and you can also allow unmanaged nodes to communicate with the cluster by using the `allowed_security_group_ids` variable.
The additional Security Group is kept in the module for backwards compatibility and will be removed in future releases along with this variable.
See https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html for more details. | `bool` | `false` | no | | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | | [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | | [dummy\_kubeapi\_server](#input\_dummy\_kubeapi\_server) | URL of a dummy API server for the Kubernetes server to use when the real one is unknown.
This is a workaround to ignore connection failures that break Terraform even though the results do not matter.
You can disable it by setting it to `null`; however, as of Kubernetes provider v2.3.2, doing so \_will\_
cause Terraform to fail in several situations unless you provide a valid `kubeconfig` file
via `kubeconfig_path` and set `kubeconfig_path_enabled` to `true`. | `string` | `"https://jsonplaceholder.typicode.com"` | no | @@ -110,11 +115,6 @@ | [public\_access\_cidrs](#input\_public\_access\_cidrs) | Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. EKS defaults this to a list with 0.0.0.0/0. | `list(string)` |
[
"0.0.0.0/0"
]
| no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | | [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [security\_group\_create\_before\_destroy](#input\_security\_group\_create\_before\_destroy) | Set `true` to enable Terraform `create_before_destroy` behavior on the created security group.
We recommend setting this `true` on new security groups, but default it to `false` because `true`
will cause existing security groups to be replaced, possibly requiring the resource to be deleted and recreated.
Note that changing this value will always cause the security group to be replaced. | `bool` | `false` | no | -| [security\_group\_create\_timeout](#input\_security\_group\_create\_timeout) | How long to wait for the security group to be created. | `string` | `"10m"` | no | -| [security\_group\_delete\_timeout](#input\_security\_group\_delete\_timeout) | How long to retry on `DependencyViolation` errors during security group deletion from
lingering ENIs left by certain AWS services such as Elastic Load Balancing. | `string` | `"15m"` | no | -| [security\_group\_description](#input\_security\_group\_description) | The description to assign to the created Security Group.
Warning: Changing the description causes the security group to be replaced. | `string` | `"Security Group for EKS cluster"` | no | -| [security\_group\_name](#input\_security\_group\_name) | The name to assign to the created security group. Must be unique within the VPC.
If not provided, will be derived from the `null-label.context` passed in.
If `create_before_destroy` is true, will be used as a name prefix. | `list(string)` | `[]` | no | | [service\_ipv4\_cidr](#input\_service\_ipv4\_cidr) | The CIDR block to assign Kubernetes service IP addresses from.
You can only specify a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created. | `string` | `null` | no | | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | | [subnet\_ids](#input\_subnet\_ids) | A list of subnet IDs to launch the cluster in | `list(string)` | n/a | yes | @@ -123,7 +123,7 @@ | [vpc\_id](#input\_vpc\_id) | VPC ID for the EKS cluster | `string` | n/a | yes | | [wait\_for\_cluster\_command](#input\_wait\_for\_cluster\_command) | `local-exec` command to execute to determine if the EKS cluster is healthy. Cluster endpoint are available as environment variable `ENDPOINT` | `string` | `"curl --silent --fail --retry 60 --retry-delay 5 --retry-connrefused --insecure --output /dev/null $ENDPOINT/healthz"` | no | | [workers\_role\_arns](#input\_workers\_role\_arns) | List of Role ARNs of the worker nodes | `list(string)` | `[]` | no | -| [workers\_security\_group\_ids](#input\_workers\_security\_group\_ids) | Security Group IDs of the worker nodes | `list(string)` | `[]` | no | +| [workers\_security\_group\_ids](#input\_workers\_security\_group\_ids) | DEPRECATED: Use `allowed_security_group_ids` instead.
Historical description: Security Group IDs of the worker nodes.
Historical default: `[]` | `list(string)` | `[]` | no | ## Outputs @@ -143,7 +143,7 @@ | [eks\_cluster\_role\_arn](#output\_eks\_cluster\_role\_arn) | ARN of the EKS cluster IAM role | | [eks\_cluster\_version](#output\_eks\_cluster\_version) | The Kubernetes server version of the cluster | | [kubernetes\_config\_map\_id](#output\_kubernetes\_config\_map\_id) | ID of `aws-auth` Kubernetes ConfigMap | -| [security\_group\_arn](#output\_security\_group\_arn) | ARN of the EKS cluster Security Group | -| [security\_group\_id](#output\_security\_group\_id) | ID of the EKS cluster Security Group | -| [security\_group\_name](#output\_security\_group\_name) | Name of the EKS cluster Security Group | +| [security\_group\_arn](#output\_security\_group\_arn) | ARN of the created Security Group for the EKS cluster | +| [security\_group\_id](#output\_security\_group\_id) | ID of the created Security Group for the EKS cluster | +| [security\_group\_name](#output\_security\_group\_name) | Name of the created Security Group for the EKS cluster | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 59eb055d..69d28dd1 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -3,8 +3,9 @@ provider "aws" { } module "label" { - source = "cloudposse/label/null" - version = "0.25.0" + source = "cloudposse/label/null" + version = "0.25.0" + attributes = ["cluster"] context = module.this.context 
@@ -80,12 +81,26 @@ module "eks_cluster" { addons = var.addons + # We need to create a new Security Group only if the EKS cluster is used with unmanaged worker nodes. + # EKS creates a managed Security Group for the cluster automatically, places the control plane and managed nodes into the security group, + # and allows all communications between the control plane and the managed worker nodes + # (EKS applies it to ENIs that are attached to EKS Control Plane master nodes and to any managed workloads). + # If only Managed Node Groups are used, we don't need to create a separate Security Group; + # otherwise we place the cluster in two SGs - one that is created by EKS, the other one that the module creates. + # See https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html for more details. + create_security_group = false + + # This is to test `allowed_security_group_ids` and `allowed_cidr_blocks` + # In a real cluster, these should be some other (existing) Security Groups and CIDR blocks to allow access to the cluster + allowed_security_group_ids = [module.vpc.vpc_default_security_group_id] + allowed_cidr_blocks = [module.vpc.vpc_cidr_block] + context = module.this.context } module "eks_node_group" { source = "cloudposse/eks-node-group/aws" - version = "0.27.0" + version = "0.27.1" subnet_ids = module.subnets.private_subnet_ids cluster_name = module.eks_cluster.eks_cluster_id diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf index 1d59915e..4ba62161 100644 --- a/examples/complete/outputs.tf +++ b/examples/complete/outputs.tf 
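Review bot: The example feeds the entire VPC CIDR and the VPC default security group into `allowed_cidr_blocks` / `allowed_security_group_ids`, and with `create_security_group = false` those become all-protocol, all-port ingress rules on the EKS-managed cluster security group (the `managed_ingress_*` resources in security-group.tf), which the new comment itself says also holds the managed nodes. The existing "This is to test" comment says the values are placeholders but not how broad the resulting access is, and example code tends to be copied as-is. I'd extend it: `# NOTE: these values open every port on the EKS-managed cluster SG (control plane AND managed nodes) to the whole VPC; real clusters should list only the specific SGs/CIDRs that need API access`. The `module "eks_cluster"` block starts before the hunk.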
@@ -13,21 +13,6 @@ output "vpc_cidr" { description = "VPC ID" } -output "eks_cluster_security_group_id" { - description = "ID of the EKS cluster Security Group" - value = module.eks_cluster.security_group_id -} - -output "eks_cluster_security_group_arn" { - description = "ARN of the EKS cluster Security Group" - value = module.eks_cluster.security_group_arn -} - -output "eks_cluster_security_group_name" { - description = "Name of the EKS cluster Security Group" - value = module.eks_cluster.security_group_name -} - output "eks_cluster_id" { description = "The name of the cluster" value = module.eks_cluster.eks_cluster_id diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf index 787df507..7e07d149 100644 --- a/examples/complete/versions.tf +++ b/examples/complete/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.14.11" + required_version = ">= 0.14.0" required_providers { aws = { diff --git a/main.tf b/main.tf index e7cb921d..48ca7bb1 100644 --- a/main.tf +++ b/main.tf @@ -64,7 +64,7 @@ resource "aws_eks_cluster" "default" { } vpc_config { - security_group_ids = var.create_security_group ? concat(var.associated_security_group_ids, [module.aws_security_group.id]) : var.associated_security_group_ids + security_group_ids = var.create_security_group ? compact(concat(var.associated_security_group_ids, [join("", aws_security_group.default.*.id)])) : var.associated_security_group_ids subnet_ids = var.subnet_ids endpoint_private_access = var.endpoint_private_access endpoint_public_access = var.endpoint_public_access 
@@ -81,7 +81,11 @@ resource "aws_eks_cluster" "default" { depends_on = [ aws_iam_role_policy_attachment.amazon_eks_cluster_policy, aws_iam_role_policy_attachment.amazon_eks_service_policy, - module.aws_security_group, + aws_security_group.default, + aws_security_group_rule.egress, + aws_security_group_rule.ingress_cidr_blocks, + aws_security_group_rule.ingress_security_groups, + aws_security_group_rule.ingress_workers, aws_cloudwatch_log_group.default ] } diff --git a/outputs.tf b/outputs.tf index fb72be16..6e335f85 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,16 +1,16 @@ output "security_group_id" { - description = "ID of the EKS cluster Security Group" - value = module.aws_security_group.id + description = "ID of the created Security Group for the EKS cluster" + value = join("", aws_security_group.default.*.id) } output "security_group_arn" { - description = "ARN of the EKS cluster Security Group" - value = module.aws_security_group.arn + description = "ARN of the created Security Group for the EKS cluster" + value = join("", aws_security_group.default.*.arn) } output "security_group_name" { - description = "Name of the EKS cluster Security Group" - value = module.aws_security_group.name + description = "Name of the created Security Group for the EKS cluster" + value = join("", aws_security_group.default.*.name) } output "eks_cluster_id" { diff --git a/security-group-variables.tf b/security-group-variables.tf index 0b57e558..3cd3d7ff 100644 --- a/security-group-variables.tf +++ b/security-group-variables.tf 
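Review bot: The three `security_group_*` outputs in outputs.tf now evaluate to an empty string whenever `create_security_group` is false, which this commit makes the default, and the new descriptions do not say so, so a consumer reading `security_group_id` into another resource gets `""` with no hint why. I'd amend each description, e.g. `description = "ID of the created Security Group for the EKS cluster. Empty when create_security_group is false"`. Since the ingress rules now live on the EKS-managed cluster security group, exposing `vpc_config.0.cluster_security_group_id` as an output (if the module does not already) would give callers the ID that actually matters for extra rules.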
@@ -1,18 +1,29 @@ # security-group-inputs Version: 2 # +locals { + allowed_security_group_ids = concat(var.allowed_security_groups, var.allowed_security_group_ids, var.workers_security_group_ids) +} + variable "create_security_group" { type = bool - default = true - description = "Set `true` to create and configure a Security Group for the cluster." + default = false + description = <<-EOT + Set to `true` to create and configure an additional Security Group for the cluster. + Only for backwards compatibility, if you are updating this module to the latest version on existing clusters, not recommended for new clusters. + EKS creates a managed Security Group for the cluster automatically, places the control plane and managed nodes into the Security Group, + and you can also allow unmanaged nodes to communicate with the cluster by using the `allowed_security_group_ids` variable. + The additional Security Group is kept in the module for backwards compatibility and will be removed in future releases along with this variable. + See https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html for more details. + EOT } variable "associated_security_group_ids" { type = list(string) default = [] description = <<-EOT - A list of IDs of Security Groups to associate the created resource with, in addition to the created security group. - These security groups will not be modified and, if `create_security_group` is `false`, must have rules providing the desired access. + A list of IDs of Security Groups to associate the cluster with. + These security groups will not be modified. EOT } 
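Review bot: `local.allowed_security_group_ids` now concatenates three inputs without de-duplicating, and security-group.tf creates one `aws_security_group_rule.managed_ingress_security_groups` per element; an ID that appears in both `allowed_security_group_ids` and one of the deprecated lists (a likely state mid-migration) produces two identical rules on the EKS-managed SG, which the AWS API rejects as a duplicate permission. Wrapping the list keeps the rules unique: `allowed_security_group_ids = distinct(concat(var.allowed_security_groups, var.allowed_security_group_ids, var.workers_security_group_ids))`. Because the rules are `count`-indexed, removing an entry from the middle of the list also shifts every later rule, which is worth a one-line comment on the local so operators are not surprised by the replace/recreate in the plan.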
@@ -20,78 +31,15 @@ variable "allowed_security_group_ids" { type = list(string) default = [] description = <<-EOT - A list of IDs of Security Groups to allow access to the security group created by this module. + A list of IDs of Security Groups to allow access to the cluster. EOT } -locals { - allowed_security_group_ids = concat(var.allowed_security_groups, var.allowed_security_group_ids) -} - variable "allowed_cidr_blocks" { type = list(string) default = [] description = <<-EOT - A list of IPv4 CIDRs to allow access to the security group created by this module. + A list of IPv4 CIDRs to allow access to the cluster. The length of this list must be known at "plan" time. EOT } - -variable "security_group_name" { - type = list(string) - default = [] - description = <<-EOT - The name to assign to the created security group. Must be unique within the VPC. - If not provided, will be derived from the `null-label.context` passed in. - If `create_before_destroy` is true, will be used as a name prefix. - EOT -} - -variable "security_group_description" { - type = string - default = "Security Group for EKS cluster" - description = <<-EOT - The description to assign to the created Security Group. - Warning: Changing the description causes the security group to be replaced. - EOT -} - -variable "security_group_create_before_destroy" { - type = bool - - default = false - description = <<-EOT - Set `true` to enable Terraform `create_before_destroy` behavior on the created security group. - We recommend setting this `true` on new security groups, but default it to `false` because `true` - will cause existing security groups to be replaced, possibly requiring the resource to be deleted and recreated. - Note that changing this value will always cause the security group to be replaced. - EOT -} - -variable "security_group_create_timeout" { - type = string - default = "10m" - description = "How long to wait for the security group to be created." 
-} - -variable "security_group_delete_timeout" { - type = string - default = "15m" - description = <<-EOT - How long to retry on `DependencyViolation` errors during security group deletion from - lingering ENIs left by certain AWS services such as Elastic Load Balancing. - EOT -} - -variable "additional_security_group_rules" { - type = list(any) - default = [] - description = <<-EOT - A list of Security Group rule objects to add to the created security group, in addition to the ones - this module normally creates. (To suppress the module's rules, set `create_security_group` to false - and supply your own security group via `associated_security_group_ids`.) - The keys and values of the objects are fully compatible with the `aws_security_group_rule` resource, except - for `security_group_id` which will be ignored, and the optional "key" which, if provided, must be unique and known at "plan" time. - To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule . - EOT -} diff --git a/security-group.tf b/security-group.tf index cc35c0cf..af015d0f 100644 --- a/security-group.tf +++ b/security-group.tf 
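Review bot: `security_group_name`, `security_group_description`, `security_group_create_before_destroy`, `security_group_create_timeout`, `security_group_delete_timeout` and `additional_security_group_rules` are removed outright, whereas `workers_security_group_ids` in the same commit is moved to variables-deprecated.tf with the `DEPRECATED:` / `Historical description:` pattern; any root module still passing one of the removed names fails at plan with an unsupported-argument error, and users of `additional_security_group_rules` lose their custom rules with no replacement input. For consistency with the deprecation pattern the commit already uses (and the README's "Deprecated variables" section, which only lists the security-group-ID variables), I'd keep these in variables-deprecated.tf as no-op deprecated inputs so existing configurations keep planning, and call out the removal of `additional_security_group_rules` explicitly since that one changes effective network access rather than just naming.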
@@ -1,60 +1,92 @@ -module "aws_security_group" { - source = "cloudposse/security-group/aws" - version = "0.4.3" - - enabled = local.enabled && var.create_security_group - - security_group_name = length(var.security_group_name) > 0 ? var.security_group_name : [module.label.id] - security_group_description = var.security_group_description - - allow_all_egress = true - - rules = var.additional_security_group_rules - - rule_matrix = [ - { - key = "ingress-allowed-security-groups" - source_security_group_ids = local.allowed_security_group_ids - rules = [{ - key = "ingress-allowed-security-groups" - type = "ingress" - from_port = 0 - to_port = 65535 - protocol = "-1" - description = "Allow all inbound traffic from existing Security Groups" - }] - }, - { - key = "ingress-cidr-blocks" - cidr_blocks = var.allowed_cidr_blocks - rules = [{ - key = "ingress-cidr-blocks" - type = "ingress" - from_port = 0 - to_port = 65535 - protocol = "-1" - description = "Allow all inbound traffic from CIDR blocks" - }] - }, - { - key = "ingress-workers" - source_security_group_ids = var.workers_security_group_ids - rules = [{ - key = "ingress-workers" - type = "ingress" - from_port = 0 - to_port = 65535 - protocol = "-1" - description = "Allow all inbound traffic from EKS workers Security Group" - }] - } - ] - - vpc_id = var.vpc_id - - create_before_destroy = var.security_group_create_before_destroy - security_group_create_timeout = var.security_group_create_timeout - security_group_delete_timeout = var.security_group_delete_timeout - - context = module.label.context +# ----------------------------------------------------------------------- +# Rules for EKS-managed Security Group +# ----------------------------------------------------------------------- + +resource "aws_security_group_rule" "managed_ingress_security_groups" { + count = local.enabled ? 
length(local.allowed_security_group_ids) : 0 + + description = "Allow inbound traffic from existing Security Groups" + from_port = 0 + to_port = 65535 + protocol = "-1" + source_security_group_id = local.allowed_security_group_ids[count.index] + security_group_id = join("", aws_eks_cluster.default.*.vpc_config.0.cluster_security_group_id) + type = "ingress" +} + +resource "aws_security_group_rule" "managed_ingress_cidr_blocks" { + count = local.enabled && length(var.allowed_cidr_blocks) > 0 ? 1 : 0 + + description = "Allow inbound traffic from CIDR blocks" + from_port = 0 + to_port = 65535 + protocol = "-1" + cidr_blocks = var.allowed_cidr_blocks + security_group_id = join("", aws_eks_cluster.default.*.vpc_config.0.cluster_security_group_id) + type = "ingress" +} + +# ----------------------------------------------------------------------- +# DEPRECATED: Additional Security Group +# ----------------------------------------------------------------------- + +locals { + create_security_group = local.enabled && var.create_security_group +} + +resource "aws_security_group" "default" { + count = local.create_security_group ? 1 : 0 + + name = module.label.id + description = "Security Group for EKS cluster" + vpc_id = var.vpc_id + tags = module.label.tags +} + +resource "aws_security_group_rule" "egress" { + count = local.create_security_group ? 1 : 0 + + description = "Allow all egress traffic" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + security_group_id = join("", aws_security_group.default.*.id) + type = "egress" +} + +resource "aws_security_group_rule" "ingress_workers" { + count = local.create_security_group ? 
length(var.workers_security_group_ids) : 0 + + description = "Allow the cluster to receive communication from the worker nodes" + from_port = 0 + to_port = 65535 + protocol = "-1" + source_security_group_id = var.workers_security_group_ids[count.index] + security_group_id = join("", aws_security_group.default.*.id) + type = "ingress" +} + +resource "aws_security_group_rule" "ingress_security_groups" { + count = local.create_security_group ? length(var.allowed_security_groups) : 0 + + description = "Allow inbound traffic from existing Security Groups" + from_port = 0 + to_port = 65535 + protocol = "-1" + source_security_group_id = var.allowed_security_groups[count.index] + security_group_id = join("", aws_security_group.default.*.id) + type = "ingress" +} + +resource "aws_security_group_rule" "ingress_cidr_blocks" { + count = local.create_security_group && length(var.allowed_cidr_blocks) > 0 ? 1 : 0 + + description = "Allow inbound traffic from CIDR blocks" + from_port = 0 + to_port = 65535 + protocol = "-1" + cidr_blocks = var.allowed_cidr_blocks + security_group_id = join("", aws_security_group.default.*.id) + type = "ingress" } diff --git a/test/src/examples_complete_test.go b/test/src/examples_complete_test.go index 4bc7f91a..b813bd23 100644 --- a/test/src/examples_complete_test.go +++ b/test/src/examples_complete_test.go 
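Review bot: `managed_ingress_security_groups` and `managed_ingress_cidr_blocks` attach all-protocol, all-port (0–65535) ingress to the EKS-managed cluster security group, and per the new `create_security_group` description that SG also contains the managed nodes; before this change the same inputs only fed the module-created SG, which as far as I can tell the cluster's `vpc_config` attached to the control plane ENIs only. So `allowed_cidr_blocks` now reaches every managed node on every port rather than just the API endpoint — a real widening that the rule descriptions ("Allow inbound traffic from CIDR blocks") do not surface. If full access is intended for unmanaged worker SGs, I'd at least document it above the first resource, e.g. `# NOTE: the EKS-managed SG is also attached to managed node ENIs, so these rules expose the nodes, not only the API endpoint`, and consider a separate, port-restricted input for CIDR-based API access. Separately, with `create_security_group = true`, `ingress_security_groups` only consumes the deprecated `var.allowed_security_groups`, so IDs supplied via `allowed_security_group_ids` no longer get a rule on the module SG as they did through the old `rule_matrix`; if that is deliberate, a comment on that resource would save the next reader the comparison.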
@@ -101,11 +101,6 @@ func TestExamplesComplete(t *testing.T) { // Verify we're getting back the outputs we expect assert.Equal(t, "eg-test-eks-"+randId+"-cluster", eksClusterId) - // Run `terraform output` to get the value of an output variable - eksClusterSecurityGroupName := terraform.Output(t, terraformOptions, "eks_cluster_security_group_name") - // Verify we're getting back the outputs we expect - assert.Equal(t, "eg-test-eks-"+randId+"-cluster", eksClusterSecurityGroupName) - // Run `terraform output` to get the value of an output variable eksNodeGroupId := terraform.Output(t, terraformOptions, "eks_node_group_id") // Verify we're getting back the outputs we expect diff --git a/variables-deprecated.tf b/variables-deprecated.tf index 921eee9b..c3cb4a96 100644 --- a/variables-deprecated.tf +++ b/variables-deprecated.tf @@ -7,3 +7,13 @@ variable "allowed_security_groups" { Historical default: `[]` EOT } + +variable "workers_security_group_ids" { + type = list(string) + default = [] + description = <<-EOT + DEPRECATED: Use `allowed_security_group_ids` instead. + Historical description: Security Group IDs of the worker nodes. + Historical default: `[]` + EOT +} diff --git a/variables.tf b/variables.tf index fd0e27c3..bff5ecd1 100644 --- a/variables.tf +++ b/variables.tf @@ -13,12 +13,6 @@ variable "subnet_ids" { type = list(string) } -variable "workers_security_group_ids" { - type = list(string) - description = "Security Group IDs of the worker nodes" - default = [] -} - variable "create_eks_service_role" { type = bool default = true diff --git a/versions.tf b/versions.tf index 787df507..7e07d149 100644 --- a/versions.tf +++ b/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.14.11" + required_version = ">= 0.14.0" required_providers { aws = {