
Node to Node communication SG Rule is poorly documented

Open matisiekpl opened this issue 6 months ago • 0 comments

Is your request related to a new offering from AWS?

No

Is your request related to a problem? Please describe.

When configuring ALB Controller, I've missed Node-to-Node communication SG rule, because I've assumed this module creates SG rules as described in official AWS docs: https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html#security-group-default-rules. As AWS Team reported that eksctl creates this rule by default (https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/4179#issuecomment-2885288575), I can't understand why this module does not create it automatically.

Due to that I've wasted couple of hours figuring out the bug. This is not only my case, as other users suggested they also had troubles with fixing the issue: https://github.com/terraform-aws-modules/terraform-aws-eks/issues/2562 https://github.com/terraform-aws-modules/terraform-aws-eks/issues/3121

Describe the solution you'd like.

Better documentation. There should be a visible note that this SG rule is not configured by default and maybe some suggestion in examples to configure:

node_security_group_additional_rules = {
  self_rule = {
    description = "Allow all from self"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    self        = true
    type        = "ingress"
  }
}

matisiekpl avatar May 16 '25 09:05 matisiekpl
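As an added example that is not part of this issue or of the terraform-aws-eks module: once a rule like the one above has been applied, the practical check is whether the node security group really carries a self-referencing, all-protocol ingress rule. The function below inspects JSON in the shape returned by `aws ec2 describe-security-groups --output json` and reports whether such a rule is present for a given group. The two inputs are constructed samples, not output captured from a real account, and the group IDs in them are placeholders.

```python
import json

# Constructed sample: a node SG that does carry the node-to-node rule
# (IpProtocol "-1" with a UserIdGroupPairs entry pointing at itself).
# Group IDs are placeholders, not real resources.
SAMPLE_WITH_RULE = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0123456789abcdef0",
            "GroupName": "eks-node-sg-example",
            "IpPermissions": [
                {
                    # All protocols: AWS omits FromPort/ToPort in this case.
                    "IpProtocol": "-1",
                    "IpRanges": [],
                    "UserIdGroupPairs": [
                        {"GroupId": "sg-0123456789abcdef0", "UserId": "111122223333"}
                    ],
                }
            ],
        }
    ]
})

# Constructed sample: the same node SG with only a rule from another group
# (here a placeholder cluster SG), so node-to-node traffic is not covered.
SAMPLE_WITHOUT_RULE = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0123456789abcdef0",
            "GroupName": "eks-node-sg-example",
            "IpPermissions": [
                {
                    "IpProtocol": "tcp",
                    "FromPort": 10250,
                    "ToPort": 10250,
                    "IpRanges": [],
                    "UserIdGroupPairs": [
                        {"GroupId": "sg-0fedcba9876543210", "UserId": "111122223333"}
                    ],
                }
            ],
        }
    ]
})


def has_node_to_node_rule(describe_output: str, group_id: str) -> bool:
    """Return True if `group_id` has an ingress rule allowing all traffic from itself.

    `describe_output` is the JSON text of `aws ec2 describe-security-groups`.
    Only an all-protocol ("-1") rule whose source is the group itself counts;
    per-port self rules are deliberately not accepted here, because the
    documented EKS requirement is all traffic between nodes.
    """
    data = json.loads(describe_output)
    for sg in data.get("SecurityGroups", []):
        if sg.get("GroupId") != group_id:
            continue
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") != "-1":
                continue
            sources = perm.get("UserIdGroupPairs", [])
            if any(pair.get("GroupId") == group_id for pair in sources):
                return True
    return False


def groups_missing_node_to_node_rule(describe_output: str, group_ids: list[str]) -> list[str]:
    """Return the subset of `group_ids` that lack the self-referencing all-traffic rule."""
    return [gid for gid in group_ids if not has_node_to_node_rule(describe_output, gid)]


if __name__ == "__main__":
    for label, sample in (("with rule", SAMPLE_WITH_RULE), ("without rule", SAMPLE_WITHOUT_RULE)):
        ok = has_node_to_node_rule(sample, "sg-0123456789abcdef0")
        print(f"{label}: node-to-node rule present = {ok}")
```

In practice the JSON would come from `aws ec2 describe-security-groups --group-ids <node-sg-id> --output json`, with the node security group ID taken from the module's `node_security_group_id` output; the check is read-only and fits in a post-apply smoke test.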