feat: use security-group module instead of resource (#68)

* feat: use security-group module instead of resource

* Auto Format

Co-authored-by: cloudpossebot <[email protected]>

Author: SweetOps

README.md

@@ -129,7 +129,6 @@ usage: |2-
         oidc_provider_enabled = var.oidc_provider_enabled
 
         workers_role_arns          = [module.eks_node_group.eks_node_group_role_arn]
-        workers_security_group_ids = []
       }
 
       module "eks_node_group" {
@@ -161,3 +160,5 @@ contributors:
     github: "aknysh"
   - name: "Igor Rodionov"
     github: "goruha"
+  - name: Vladimir Syromyatnikov
+    github: SweetOps

README.yaml

@@ -33,3 +33,5 @@ kubernetes_labels = {}
 before_cluster_joining_userdata = <<-EOT
   printf "\n\n###\nExample output from before_cluster_joining_userdata\n###\n\n"
   EOT
+
+remote_access_enabled = true

docs/terraform.md

@@ -54,6 +54,16 @@ module "subnets" {
   context = module.this.context
 }
 
+module "ssh_key_pair" {
+  source  = "cloudposse/key-pair/aws"
+  version = "0.18.0"
+
+  ssh_public_key_path = "./"
+  generate_ssh_key    = "true"
+
+  context = module.this.context
+}
+
 module "eks_cluster" {
   source  = "cloudposse/eks-cluster/aws"
   version = "0.28.0"
@@ -79,23 +89,31 @@ data "null_data_source" "wait_for_cluster_and_kubernetes_configmap" {
   inputs = {
     cluster_name             = module.eks_cluster.eks_cluster_id
     kubernetes_config_map_id = module.eks_cluster.kubernetes_config_map_id
+    ec2_ssh_key              = module.ssh_key_pair.key_name
   }
 }
 
 module "eks_node_group" {
   source = "../../"
 
-  subnet_ids         = module.subnets.public_subnet_ids
-  cluster_name       = data.null_data_source.wait_for_cluster_and_kubernetes_configmap.outputs["cluster_name"]
-  instance_types     = var.instance_types
-  desired_size       = var.desired_size
-  min_size           = var.min_size
-  max_size           = var.max_size
-  kubernetes_version = var.kubernetes_version
-  kubernetes_labels  = var.kubernetes_labels
-  disk_size          = var.disk_size
-
+  subnet_ids                      = module.subnets.public_subnet_ids
+  cluster_name                    = data.null_data_source.wait_for_cluster_and_kubernetes_configmap.outputs["cluster_name"]
+  instance_types                  = var.instance_types
+  desired_size                    = var.desired_size
+  min_size                        = var.min_size
+  max_size                        = var.max_size
+  kubernetes_version              = var.kubernetes_version
+  kubernetes_labels               = var.kubernetes_labels
+  disk_size                       = var.disk_size
+  ec2_ssh_key                     = module.ssh_key_pair.key_name
+  remote_access_enabled           = var.remote_access_enabled
   before_cluster_joining_userdata = var.before_cluster_joining_userdata
 
   context = module.this.context
+
+  depends_on = [
+    module.ssh_key_pair,
+    module.eks_cluster,
+    data.null_data_source.wait_for_cluster_and_kubernetes_configmap
+  ]
 }

examples/complete/fixtures.us-east-2.tfvars

@@ -87,3 +87,18 @@ output "eks_node_group_status" {
   description = "Status of the EKS Node Group"
   value       = module.eks_node_group.eks_node_group_status
 }
+
+output "eks_node_group_security_group_id" {
+  description = "ID of the EKS cluster Security Group for remote access to EKS Node Group"
+  value       = module.eks_node_group.eks_node_group_remote_access_security_group_id
+}
+
+output "eks_node_group_security_group_arn" {
+  description = "ARN of the EKS cluster Security Group for remote access to EKS Node Group"
+  value       = module.eks_node_group.eks_node_group_remote_access_security_group_arn
+}
+
+output "eks_node_group_security_group_name" {
+  description = "Name of the EKS cluster Security Group for remote access to EKS Node Group"
+  value       = module.eks_node_group.eks_node_group_remote_access_security_group_name
+}

examples/complete/main.tf

@@ -116,3 +116,8 @@ variable "before_cluster_joining_userdata" {
   default     = ""
   description = "Additional commands to execute on each worker node before joining the EKS cluster (before executing the `bootstrap.sh` script). For more info, see https://kubedex.com/90-days-of-aws-eks-in-production"
 }
+
+variable "remote_access_enabled" {
+  type        = bool
+  description = "Whether to enable remote access to EKS node group, requires `ec2_ssh_key` to be defined."
+}

examples/complete/outputs.tf

@@ -39,7 +39,7 @@ locals {
 
   launch_template_vpc_security_group_ids = (
     local.need_remote_access_sg ?
-    concat(data.aws_eks_cluster.this[0].vpc_config[*].cluster_security_group_id, aws_security_group.remote_access.*.id) : []
+    concat(data.aws_eks_cluster.this[0].vpc_config[*].cluster_security_group_id, module.security_group.*.id, var.security_groups) : []
   )
 
   # launch_template_key = join(":", coalescelist(local.launch_template_vpc_security_group_ids, ["closed"]))
@@ -74,7 +74,7 @@ resource "aws_launch_template" "default" {
   # Never include instance type in launch template because it is limited to just one
   # https://docs.aws.amazon.com/eks/latest/APIReference/API_CreateNodegroup.html#API_CreateNodegroup_RequestSyntax
   image_id = local.launch_template_ami == "" ? null : local.launch_template_ami
-  key_name = local.have_ssh_key ? var.ec2_ssh_key : null
+  key_name = local.remote_access_enabled ? var.ec2_ssh_key : null
 
   dynamic "tag_specifications" {
     for_each = var.resources_to_tag

examples/complete/variables.tf

@@ -7,14 +7,10 @@ locals {
   need_ami_id                      = local.enabled ? local.features_require_ami && length(local.configured_ami_image_id) == 0 : false
   need_imds_settings               = var.metadata_http_endpoint != "enabled" || var.metadata_http_put_response_hop_limit != 1 || var.metadata_http_tokens != "optional"
   features_require_launch_template = local.enabled ? length(var.resources_to_tag) > 0 || local.need_userdata || local.features_require_ami || local.need_imds_settings : false
-
-  have_ssh_key = var.ec2_ssh_key != null && var.ec2_ssh_key != ""
-
-  need_remote_access_sg = local.enabled && local.have_ssh_key && local.generate_launch_template
-
-  get_cluster_data = local.enabled ? (local.need_cluster_kubernetes_version || local.need_bootstrap || local.need_remote_access_sg) : false
-
-  autoscaler_enabled = var.enable_cluster_autoscaler != null ? var.enable_cluster_autoscaler : var.cluster_autoscaler_enabled == true
+  remote_access_enabled            = local.enabled && var.remote_access_enabled
+  need_remote_access_sg            = local.generate_launch_template && local.remote_access_enabled
+  get_cluster_data                 = local.enabled ? (local.need_cluster_kubernetes_version || local.need_bootstrap || local.need_remote_access_sg) : false
+  autoscaler_enabled               = var.enable_cluster_autoscaler != null ? var.enable_cluster_autoscaler : var.cluster_autoscaler_enabled == true
   #
   # Set up tags for autoscaler and other resources
   #
@@ -37,6 +33,9 @@ locals {
     }
   )
   node_group_tags = merge(local.node_tags, local.autoscaler_enabled ? local.autoscaler_tags : {})
+
+  # hack to prevent failure when var.remote_access_enabled is false
+  vpc_id = try(data.aws_eks_cluster.this[0].vpc_config[0].vpc_id, null)
 }
 
 module "label" {
@@ -55,7 +54,7 @@ data "aws_eks_cluster" "this" {
 
 # Support keeping 2 node groups in sync by extracting common variable settings
 locals {
-  ng_needs_remote_access = local.have_ssh_key && ! local.use_launch_template
+  ng_needs_remote_access = local.remote_access_enabled && ! local.use_launch_template
   ng = {
     cluster_name  = var.cluster_name
     node_role_arn = join("", aws_iam_role.default.*.arn)
@@ -82,10 +81,9 @@ locals {
     }
 
     # Configure remote access via Launch Template if we are using one
-    need_remote_access = local.ng_needs_remote_access
-    ec2_ssh_key        = local.have_ssh_key ? var.ec2_ssh_key : "none"
-    # Keep sorted so that change in order does not trigger replacement via random_pet
-    source_security_group_ids = local.ng_needs_remote_access ? sort(var.source_security_group_ids) : []
+    need_remote_access        = local.ng_needs_remote_access
+    ec2_ssh_key               = local.remote_access_enabled ? var.ec2_ssh_key : "none"
+    source_security_group_ids = local.ng_needs_remote_access ? sort(concat(module.security_group.*.id, var.security_groups)) : []
   }
 }
 
@@ -96,15 +94,14 @@ resource "random_pet" "cbd" {
   length    = 1
 
   keepers = {
-    node_role_arn   = local.ng.node_role_arn
-    subnet_ids      = join(",", local.ng.subnet_ids)
-    disk_size       = local.ng.disk_size
-    instance_types  = join(",", local.ng.instance_types)
-    ami_type        = local.ng.ami_type
-    release_version = local.ng.release_version
-    version         = local.ng.version
-    capacity_type   = local.ng.capacity_type
-
+    node_role_arn      = local.ng.node_role_arn
+    subnet_ids         = join(",", local.ng.subnet_ids)
+    disk_size          = local.ng.disk_size
+    instance_types     = join(",", local.ng.instance_types)
+    ami_type           = local.ng.ami_type
+    release_version    = local.ng.release_version
+    version            = local.ng.version
+    capacity_type      = local.ng.capacity_type
     need_remote_access = local.ng.need_remote_access
     ec2_ssh_key        = local.ng.need_remote_access ? local.ng.ec2_ssh_key : "handled by launch template"
     # Any change in security groups requires a new node group, because you cannot delete a security group while it is in use
@@ -115,8 +112,7 @@ resource "random_pet" "cbd" {
     #       source_security_group_ids = join(",", local.ng.source_security_group_ids, aws_security_group.remote_access.*.id)
     #
     source_security_group_ids = local.need_remote_access_sg ? "generated for launch template" : join(",", local.ng.source_security_group_ids)
-
-    launch_template_id = local.use_launch_template ? local.launch_template_id : "none"
+    launch_template_id        = local.use_launch_template ? local.launch_template_id : "none"
   }
 }
 
@@ -180,7 +176,7 @@ resource "aws_eks_node_group" "default" {
     aws_iam_role_policy_attachment.amazon_eks_worker_node_autoscale_policy,
     aws_iam_role_policy_attachment.amazon_eks_cni_policy,
     aws_iam_role_policy_attachment.amazon_ec2_container_registry_read_only,
-    aws_security_group.remote_access,
+    module.security_group,
     # Also allow calling module to create an explicit dependency
     # This is useful in conjunction with terraform-aws-eks-cluster to ensure
     # the cluster is fully created and configured before creating any node groups
@@ -243,7 +239,7 @@ resource "aws_eks_node_group" "cbd" {
     aws_iam_role_policy_attachment.amazon_eks_worker_node_autoscale_policy,
     aws_iam_role_policy_attachment.amazon_eks_cni_policy,
     aws_iam_role_policy_attachment.amazon_ec2_container_registry_read_only,
-    aws_security_group.remote_access,
+    module.security_group,
     # Also allow calling module to create an explicit dependency
     # This is useful in conjunction with terraform-aws-eks-cluster to ensure
     # the cluster is fully created and configured before creating any node groups

launch-template.tf

@@ -29,6 +29,16 @@ output "eks_node_group_status" {
 }
 
 output "eks_node_group_remote_access_security_group_id" {
-  description = "The ID of the security group generated to allow SSH access to the nodes, if this module generated one"
-  value       = join("", aws_security_group.remote_access.*.id)
+  description = "ID of the EKS cluster Security Group for remote access to EKS Node Group"
+  value       = module.security_group.id
+}
+
+output "eks_node_group_remote_access_security_group_arn" {
+  description = "ARN of the EKS cluster Security Group for remote access to EKS Node Group"
+  value       = module.security_group.arn
+}
+
+output "eks_node_group_remote_access_security_group_name" {
+  description = "Name of the EKS cluster Security Group for remote access to EKS Node Group"
+  value       = module.security_group.name
 }