terraform-aws-eks
eks-managed-node-group module: vpc_security_group_ids is not working when use_custom_launch_template = false
Description
My tf file sample:
```hcl
module "eks_managed_node_group_work_node" {
  source = "terraform-aws-modules/eks/aws//modules/eks-managed-node-group"

  name            = "ng-${var.env}-${var.prd}-performance-test"
  use_name_prefix = false
  cluster_name    = data.aws_eks_cluster.eks-cluster.name
  cluster_version = data.aws_eks_cluster.eks-cluster.version
  subnet_ids      = data.aws_subnets.subnet-private.ids

  // The following variables are necessary if you use the module outside the parent EKS module context.
  // Without it, the security groups of the nodes are empty and thus won't join the cluster.
  cluster_primary_security_group_id = data.aws_eks_cluster.eks-cluster.vpc_config[0].cluster_security_group_id
  vpc_security_group_ids            = [data.aws_security_group.ec2-sg.id]

  min_size     = 1
  max_size     = 10
  desired_size = 1
  disk_size    = 50

  use_custom_launch_template = false

  instance_types = ["t3.xlarge"]
  capacity_type  = "ON_DEMAND"

  create_iam_role = false
  iam_role_arn    = data.aws_iam_role.eks-default-nodegroup-ec2role.arn

  labels = {
    project_name = "${var.prd}-wecom"
  }
}
```
Version info:
terraform-aws-modules/eks/aws 19.15.3
hashicorp/aws v5.3.0
hashicorp/kubernetes v2.21.1
hashicorp/cloudinit v2.3.2
The generated EC2 node only has the security group from "data.aws_eks_cluster.eks-cluster.vpc_config[0].cluster_security_group_id"; the vpc_security_group_ids security group is not included.
When I remove "use_custom_launch_template = false", vpc_security_group_ids works, but then I can't change the node volume size.
How can I make both work?
Thanks, Eason
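A plan-time check for the combination reported above, added here as an example (it is not code from the issue or from the terraform-aws-eks project). It walks the `configuration` section of `terraform show -json <planfile>` and lists standalone eks-managed-node-group module calls that set vpc_security_group_ids together with use_custom_launch_template = false; the sample plan, the second module name and the function names are constructed for illustration.

```python
import json

# Constructed sample: the "configuration" section of `terraform show -json <planfile>`
# for a module call shaped like the one in the issue. "other_node_group" is hypothetical.
SAMPLE_PLAN = json.loads("""
{"configuration": {"root_module": {"module_calls": {
  "eks_managed_node_group_work_node": {
    "source": "terraform-aws-modules/eks/aws//modules/eks-managed-node-group",
    "expressions": {
      "use_custom_launch_template": {"constant_value": false},
      "vpc_security_group_ids": {"references": ["data.aws_security_group.ec2-sg.id"]},
      "disk_size": {"constant_value": 50}}},
  "other_node_group": {
    "source": "terraform-aws-modules/eks/aws//modules/eks-managed-node-group",
    "expressions": {
      "vpc_security_group_ids": {"references": ["data.aws_security_group.ec2-sg.id"]}}}
}}}}
""")

NODE_GROUP_SOURCE = "modules/eks-managed-node-group"


def is_set(expr):
    """True when the argument is present and is not an empty or null constant."""
    if expr is None:
        return False
    if "constant_value" in expr:
        return expr["constant_value"] not in (None, [], "")
    return True  # a reference or computed expression counts as set


def find_dropped_security_groups(module, prefix=""):
    """Return addresses of node-group module calls whose vpc_security_group_ids
    is set while use_custom_launch_template is the literal false."""
    findings = []
    for name, call in module.get("module_calls", {}).items():
        address = f"{prefix}module.{name}"
        expr = call.get("expressions", {})
        # An omitted argument is treated as "launch template in use"; a non-constant
        # value cannot be judged from the plan configuration and is not flagged.
        uses_lt = expr.get("use_custom_launch_template", {}).get("constant_value", True)
        if (NODE_GROUP_SOURCE in call.get("source", "")
                and uses_lt is False
                and is_set(expr.get("vpc_security_group_ids"))):
            findings.append(address)
        # Recurse into nested module calls.
        findings += find_dropped_security_groups(call.get("module", {}), address + ".")
    return findings


if __name__ == "__main__":
    for address in find_dropped_security_groups(SAMPLE_PLAN["configuration"]["root_module"]):
        print(f"{address}: vpc_security_group_ids set with use_custom_launch_template = false")
```

Node groups declared through the parent EKS module's map inputs are not module-call arguments and are outside what this check inspects.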