Terraform-provider-aws: Referencing security group created by aws_eks_node_group resource

Created on 2 Jan 2020  ·  5 Comments  ·  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

terraform version -> 0.12.18
aws provider version -> 2.43.0

Affected Resource(s)

resource "aws_eks_node_group" "managed_workers" {
  cluster_name    = aws_eks_cluster.cluster.name
  node_group_name = "managed_workers"
  node_role_arn   = aws_iam_role.managed_workers.arn
  subnet_ids      = flatten(module.vpc.private_subnets)

  scaling_config {
    desired_size = 1
    max_size     = 1
    min_size     = 1
  }
}

Expected Behavior

I would expect to be able to reference the security group ID created by this resource.

Actual Behavior

Resource outputs/references don't provide the security group ID.

Steps to Reproduce

  1. terraform apply

General Issue

When using VPC endpoints, I need to create an ingress rule on port 443 for the security group created by the aws_eks_node_group resource. I have raised it as a bug or missing feature as I can't see a solution to this problem. If anyone has something to propose, please let me know.

Labels: needs-triage, service/eks

All 5 comments

@thatderek Unfortunately it is not. The block you are referring to is only available when you specify the remote_access configuration block and set source_security_group_ids: "(Optional) Set of EC2 Security Group IDs to allow SSH access (port 22) from on the worker nodes. If you specify ec2_ssh_key, but do not specify this configuration when you create an EKS Node Group, port 22 on the worker nodes is opened to the Internet (0.0.0.0/0)."

By default aws_eks_node_group creates a security group which I need to reference for vpc endpoints to work.

I suspect the remote_access_security_group_id is another security group created by the resource in question.

Hi @marcincuber 👋 The EKS DescribeNodegroup API Reference does not list any other security group related fields. Can you please point to AWS documentation that talks about the creation of this security group when working with managed node groups or confirm that you're not looking for the vpc_config.0.cluster_security_group_id attribute of the aws_eks_cluster resource? The creation of a security group with EKS Clusters (or at least exposing its ID in the API) is a fairly recent change to the EKS service. Additional information about the new EKS Cluster Security Group in 1.14 eks.3

@bflad So, the output I am seeing is as follows:

aws_eks_node_group = {
  "ami_type" = "AL2_x86_64"
  "arn" = "arn:aws:eks:eu-west-1:238957861234:nodegroup/eks-test/managed_workers/e0b7b369-3fdd-40f5-9edd-d88d466238b9"
  "cluster_name" = "eks-test"
  "disk_size" = 20
  "id" = "eks-test:managed_workers"
  "instance_types" = [
    "t3.medium",
  ]
  "labels" = {}
  "node_group_name" = "managed_workers"
  "node_role_arn" = "arn:aws:iam::238957812345:role/eks-test-managed-node-group"
  "release_version" = "1.14.7-20190927"
  "remote_access" = []
  "resources" = [
    {
      "autoscaling_groups" = [
        {
          "name" = "eks-e0b7b369-3fdd-40f5-9edd-d88d466238b9"
        },
      ]
      "remote_access_security_group_id" = ""
    },
  ]
  "scaling_config" = [
    {
      "desired_size" = 1
      "max_size" = 1
      "min_size" = 1
    },
  ]
  "status" = "ACTIVE"
  "subnet_ids" = [
    "subnet-026c7cbf911b1f601",
    "subnet-0a7fed637e80da926",
    "subnet-0fb2db2eddd663b16",
  ]
  "tags" = {
    "Environment" = "test"
    "Service" = "eks"
    "Terraform" = "true"
  }
  "version" = "1.14"
}

After testing the vpc_config.0.cluster_security_group_id attribute of the aws_eks_cluster resource: it is in fact what I need! Nice. Thanks a lot.
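The pattern the thread lands on, written out as an added example (this is not code from the issue or from the provider): the interface VPC endpoints get their own security group, and that group admits HTTPS only from the EKS cluster security group, which is the group that managed node group instances are attached to. `module.vpc`, `aws_eks_cluster.cluster` and `var.endpoint_services` are assumed names taken from the issue's own snippet or invented for illustration; the attribute `vpc_config[0].cluster_security_group_id` is the one the thread confirms exists on `aws_eks_cluster` with provider 2.43.0.

```hcl
# Added example, not part of the original issue. Assumes the module.vpc and
# aws_eks_cluster.cluster names used in the issue, and invents
# var.endpoint_services for the list of interface endpoints the nodes need.

variable "endpoint_services" {
  description = "Interface endpoint services the worker nodes must reach (assumed list)"
  type        = list(string)
  default     = ["ecr.api", "ecr.dkr", "ec2", "sts"]
}

data "aws_region" "current" {}

# Dedicated security group for the interface endpoints, so their exposure is
# controlled independently of the cluster security group.
resource "aws_security_group" "vpc_endpoints" {
  name_prefix = "eks-vpc-endpoints-"
  description = "Interface VPC endpoints used by the EKS cluster"
  vpc_id      = module.vpc.vpc_id
}

# Only the EKS cluster security group may reach the endpoints on 443.
# Referencing the group by ID rather than a CIDR means the rule follows the
# nodes as the managed node group scales, and there is no 0.0.0.0/0 ingress.
resource "aws_security_group_rule" "endpoints_https_from_cluster" {
  type                     = "ingress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  security_group_id        = aws_security_group.vpc_endpoints.id
  source_security_group_id = aws_eks_cluster.cluster.vpc_config[0].cluster_security_group_id
  description              = "HTTPS from the EKS cluster security group"
}

# One interface endpoint per service, placed in the private subnets the node
# group uses and attached to the endpoint security group above.
resource "aws_vpc_endpoint" "interface" {
  for_each            = toset(var.endpoint_services)
  vpc_id              = module.vpc.vpc_id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.${each.value}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = module.vpc.private_subnets
  security_group_ids  = [aws_security_group.vpc_endpoints.id]
  private_dns_enabled = true
}

output "eks_cluster_security_group_id" {
  description = "Security group shared by the control plane ENIs and managed node group instances"
  value       = aws_eks_cluster.cluster.vpc_config[0].cluster_security_group_id
}
```

Two things to check after `terraform apply`: the node group's own `resources` block, as the output above in this thread shows, does not list security groups at all, so confirm on an instance launched by the node group's autoscaling group that the cluster security group is attached before relying on this rule; and if you have replaced the cluster security group's default allow-all egress with explicit rules, a matching egress rule to the endpoint security group on 443 is needed as well.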

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
