
Providing create_cluster_security_group=false leads to invalid node SG rules

Open visit1985 opened this issue 6 months ago • 1 comment

Description

I'm migrating existing clusters to this module which do not use a secondary cluster security group. When specifying create_cluster_security_group=false all aws_security_group_rule.node are generated with an empty source_security_group_id, which causes a timeout on apply.

  • [X] ✋ I have searched the open/closed issues and my issue is not listed.

Versions

Terraform v1.11.0
on windows_amd64
+ provider registry.terraform.io/hashicorp/archive v2.7.0
+ provider registry.terraform.io/hashicorp/aws v5.97.0
+ provider registry.terraform.io/hashicorp/cloudinit v2.3.7
+ provider registry.terraform.io/hashicorp/external v2.3.5
+ provider registry.terraform.io/hashicorp/local v2.5.2
+ provider registry.terraform.io/hashicorp/null v3.2.4
+ provider registry.terraform.io/hashicorp/time v0.13.1
+ provider registry.terraform.io/hashicorp/tls v4.1.0

Reproduction Code

Steps to reproduce the behavior:

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "20.36.0"

  cluster_name                   = "ex-eks-auto-mode"
  cluster_version                = "1.31"
  cluster_endpoint_public_access = true

  enable_cluster_creator_admin_permissions = true

  cluster_compute_config = {
    enabled    = true
    node_pools = ["general-purpose"]
  }

  # module.vpc is defined elsewhere in the reporter's configuration
  vpc_id     = module.vpc.vpc_id
  subnet_ids = module.vpc.private_subnets

  # Do not create the secondary cluster SG; rely on the EKS-managed primary SG
  create_cluster_security_group = false
}

Expected behavior

The node SG rules should fall back to the primary cluster SG aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id for their source_security_group_id.

https://github.com/terraform-aws-modules/terraform-aws-eks/blob/37e3348dffe06ea4b9adf9b54512e4efdb46f425/outputs.tf#L79-L82

Actual behavior

The module tries to create all instances of aws_security_group_rule.node with an empty string supplied for source_security_group_id, leading to a timeout.

https://github.com/terraform-aws-modules/terraform-aws-eks/blob/37e3348dffe06ea4b9adf9b54512e4efdb46f425/variables.tf#L312-L316

Terminal Output

# module.eks.aws_security_group_rule.node["ingress_cluster_443"] will be created
+ resource "aws_security_group_rule" "node" {
    + description              = "Cluster API to node groups"
    + from_port                = 443
    + id                       = (known after apply)
    + prefix_list_ids          = []
    + protocol                 = "tcp"
    + security_group_id        = "sg-016986f1ca395ace6"
    + security_group_rule_id   = (known after apply)
    + self                     = false
    + source_security_group_id = (known after apply)
    + to_port                  = 443
    + type                     = "ingress"
  }
...
module.eks.aws_security_group_rule.node["ingress_cluster_443"]: Creating...
...
module.eks.aws_security_group_rule.node["ingress_cluster_443"]: Still creating... [23m20s elapsed]
...

Additional context

The cluster aws_eks_cluster.this currently defines depends_on { aws_security_group_rule.node }, which would create a circular dependency when using aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id as a fallback source_security_group_id. But all node groups and addons, which would require the node SG to exist prior to their creation, depend on the cluster via attributes, so this dependency is unnecessary.

I proposed a possible solution for this issue in #3356

visit1985 avatar May 20 '25 08:05 visit1985
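As an added illustration (not code from the issue, from the terraform-aws-eks module, or from #3356), here is a stand-alone version of the wiring the reporter describes under Expected behavior: a node security-group rule whose source falls back to the EKS-managed primary cluster SG when no separate cluster SG is created or supplied, with the dependency pointing from the rule to the cluster rather than the reverse. The variables (cluster_name, cluster_role_arn, vpc_id, subnet_ids, cluster_security_group_id) and all resource names are assumptions for this sketch; the module's own internals differ.

```hcl
# Added example, not part of the issue or the terraform-aws-eks module.
# Shows a node SG rule that falls back to the primary cluster SG managed by EKS
# when no separate cluster SG is created or supplied. Variable and resource
# names below are assumptions for this sketch.

variable "cluster_name" { type = string }
variable "cluster_role_arn" { type = string }
variable "vpc_id" { type = string }
variable "subnet_ids" { type = list(string) }

variable "cluster_security_group_id" {
  description = "Pre-existing cluster SG to use; empty means fall back to the EKS-managed primary SG"
  type        = string
  default     = ""
}

resource "aws_security_group" "node" {
  name_prefix = "${var.cluster_name}-node-"
  vpc_id      = var.vpc_id
}

resource "aws_eks_cluster" "this" {
  name     = var.cluster_name
  role_arn = var.cluster_role_arn

  vpc_config {
    subnet_ids = var.subnet_ids
  }

  # Deliberately no `depends_on = [aws_security_group_rule.node_ingress_cluster_443]`:
  # that rule reads an attribute of this cluster, so the reverse edge would be a cycle.
  # Anything that must wait for the node SG (node groups, addons) should reference
  # the cluster's attributes and the rule resource instead.
}

locals {
  # coalesce() skips null and "" so an unset variable falls through to the
  # primary SG that EKS creates together with the cluster.
  cluster_security_group_id = coalesce(
    var.cluster_security_group_id,
    aws_eks_cluster.this.vpc_config[0].cluster_security_group_id
  )
}

resource "aws_security_group_rule" "node_ingress_cluster_443" {
  description       = "Cluster API to node groups"
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  security_group_id = aws_security_group.node.id

  # Never "" here: with an empty source and no cidr_blocks/self the provider has
  # nothing to authorize, which is the hang shown in the terminal output above.
  source_security_group_id = local.cluster_security_group_id
}
```

For a brand-new cluster, `terraform plan` shows source_security_group_id as (known after apply) because the value is derived from the cluster; for an existing cluster being imported, as in the reporter's migration, the primary SG id is already known at plan time. After apply, `terraform state show aws_security_group_rule.node_ingress_cluster_443` should list a concrete sg- id for source_security_group_id; an empty value there is the condition to guard against.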