kubernetes-sigs
diff --git a/‎api/v1beta1/awsmachine_conversion.go‎
Lines changed: 4 additions & 0 deletions b/‎api/v1beta1/awsmachine_conversion.go‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎api/v1beta1/zz_generated.conversion.go‎
Lines changed: 2 additions & 0 deletions b/‎api/v1beta1/zz_generated.conversion.go‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎api/v1beta2/awsmachine_types.go‎
Lines changed: 10 additions & 0 deletions b/‎api/v1beta2/awsmachine_types.go‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎api/v1beta2/zz_generated.deepcopy.go‎
Lines changed: 12 additions & 0 deletions b/‎api/v1beta2/zz_generated.deepcopy.go‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachines.yaml‎
Lines changed: 37 additions & 0 deletions b/‎config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachines.yaml‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinetemplates.yaml‎
Lines changed: 40 additions & 0 deletions b/‎config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinetemplates.yaml‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎pkg/cloud/services/ec2/instances.go‎
Lines changed: 42 additions & 5 deletions b/‎pkg/cloud/services/ec2/instances.go‎
Lines changed: 42 additions & 5 deletions
@@ -39,6 +39,8 @@ func (src *AWSMachine) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.InstanceMetadataOptions = restored.Spec.InstanceMetadataOptions
 	dst.Spec.PlacementGroupName = restored.Spec.PlacementGroupName
 	dst.Spec.PrivateDNSName = restored.Spec.PrivateDNSName
+	dst.Spec.VPC = restored.Spec.VPC
+	dst.Spec.SecurityGroupOverrides = restored.Spec.SecurityGroupOverrides
 
 	return nil
 }
@@ -87,6 +89,8 @@ func (r *AWSMachineTemplate) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.Template.Spec.InstanceMetadataOptions = restored.Spec.Template.Spec.InstanceMetadataOptions
 	dst.Spec.Template.Spec.PlacementGroupName = restored.Spec.Template.Spec.PlacementGroupName
 	dst.Spec.Template.Spec.PrivateDNSName = restored.Spec.Template.Spec.PrivateDNSName
+	dst.Spec.Template.Spec.VPC = restored.Spec.Template.Spec.VPC
+	dst.Spec.Template.Spec.SecurityGroupOverrides = restored.Spec.Template.Spec.SecurityGroupOverrides
 
 	return nil
 }
 
@@ -109,11 +109,21 @@ type AWSMachineSpec struct {
 	// +optional
 	AdditionalSecurityGroups []AWSResourceReference `json:"additionalSecurityGroups,omitempty"`
 
+	// VPC is a reference to the VPC to use when picking a subnet to use for this
+	// instance. Only valid if the subnet (id or filters) is also specified.
+	// +optional
+	VPC *AWSResourceReference `json:"vpc,omitempty"`
+
 	// Subnet is a reference to the subnet to use for this instance. If not specified,
 	// the cluster subnet will be used.
 	// +optional
 	Subnet *AWSResourceReference `json:"subnet,omitempty"`
 
+	// SecurityGroupOverrides is an optional set of security groups to use for the node.
+	// This is optional - if not provided security groups from the cluster will be used.
+	// +optional
+	SecurityGroupOverrides map[SecurityGroupRole]string `json:"securityGroupOverrides,omitempty"`
+
 	// SSHKeyName is the name of the ssh key to attach to the instance. Valid values are empty string (do not use SSH keys), a valid SSH key name, or omitted (use the default SSH key name)
 	// +optional
 	SSHKeyName *string `json:"sshKeyName,omitempty"`
 
@@ -848,6 +848,13 @@ spec:
                 required:
                 - size
                 type: object
+              securityGroupOverrides:
+                additionalProperties:
+                  type: string
+                description: SecurityGroupOverrides is an optional set of security
+                  groups to use for the node. This is optional - if not provided security
+                  groups from the cluster will be used.
+                type: object
               spotMarketOptions:
                 description: SpotMarketOptions allows users to configure instances
                   to be run using AWS Spot instances.
@@ -905,6 +912,36 @@ spec:
                   built-in support for gzip-compressed user data user data stored
                   in aws secret manager is always gzip-compressed.
                 type: boolean
+              vpc:
+                description: VPC is a reference to the VPC to use when picking a subnet
+                  to use for this instance. Only valid if the subnet (id or filters)
+                  is also specified.
+                properties:
+                  filters:
+                    description: 'Filters is a set of key/value pairs used to identify
+                      a resource They are applied according to the rules defined by
+                      the AWS API: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html'
+                    items:
+                      description: Filter is a filter used to identify an AWS resource.
+                      properties:
+                        name:
+                          description: Name of the filter. Filter names are case-sensitive.
+                          type: string
+                        values:
+                          description: Values includes one or more filter values.
+                            Filter values are case-sensitive.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - name
+                      - values
+                      type: object
+                    type: array
+                  id:
+                    description: ID of resource
+                    type: string
+                type: object
             required:
             - instanceType
             type: object
 
@@ -807,6 +807,14 @@ spec:
                         required:
                         - size
                         type: object
+                      securityGroupOverrides:
+                        additionalProperties:
+                          type: string
+                        description: SecurityGroupOverrides is an optional set of
+                          security groups to use for the node. This is optional -
+                          if not provided security groups from the cluster will be
+                          used.
+                        type: object
                       spotMarketOptions:
                         description: SpotMarketOptions allows users to configure instances
                           to be run using AWS Spot instances.
@@ -868,6 +876,38 @@ spec:
                           cloud-init has built-in support for gzip-compressed user
                           data user data stored in aws secret manager is always gzip-compressed.
                         type: boolean
+                      vpc:
+                        description: VPC is a reference to the VPC to use when picking
+                          a subnet to use for this instance. Only valid if the subnet
+                          (id or filters) is also specified.
+                        properties:
+                          filters:
+                            description: 'Filters is a set of key/value pairs used
+                              to identify a resource They are applied according to
+                              the rules defined by the AWS API: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html'
+                            items:
+                              description: Filter is a filter used to identify an
+                                AWS resource.
+                              properties:
+                                name:
+                                  description: Name of the filter. Filter names are
+                                    case-sensitive.
+                                  type: string
+                                values:
+                                  description: Values includes one or more filter
+                                    values. Filter values are case-sensitive.
+                                  items:
+                                    type: string
+                                  type: array
+                              required:
+                              - name
+                              - values
+                              type: object
+                            type: array
+                          id:
+                            description: ID of resource
+                            type: string
+                        type: object
                     required:
                     - instanceType
                     type: object
 
@@ -43,9 +43,13 @@ import (
 func (s *Service) GetRunningInstanceByTags(scope *scope.MachineScope) (*infrav1.Instance, error) {
 	s.scope.Debug("Looking for existing machine instance by tags")
 
+	vpcID, err := s.getVPCID(scope)
+	if err != nil {
+		return nil, err
+	}
 	input := &ec2.DescribeInstancesInput{
 		Filters: []*ec2.Filter{
-			filter.EC2.VPC(s.scope.VPC().ID),
+			filter.EC2.VPC(vpcID),
 			filter.EC2.ClusterOwned(s.scope.Name()),
 			filter.EC2.Name(scope.Name()),
 			filter.EC2.InstanceStates(ec2.InstanceStateNamePending, ec2.InstanceStateNameRunning),
@@ -309,7 +313,11 @@ func (s *Service) findSubnet(scope *scope.MachineScope) (string, error) {
 			filter.EC2.SubnetStates(ec2.SubnetStatePending, ec2.SubnetStateAvailable),
 		}
 		if !scope.IsExternallyManaged() {
-			criteria = append(criteria, filter.EC2.VPC(s.scope.VPC().ID))
+			vpcID, err := s.getVPCID(scope)
+			if err != nil {
+				return "", fmt.Errorf("failed to lookup vpc for subnets: %w", err)
+			}
+			criteria = append(criteria, filter.EC2.VPC(vpcID))
 		}
 		if scope.AWSMachine.Spec.Subnet.ID != nil {
 			criteria = append(criteria, &ec2.Filter{Name: aws.String("subnet-id"), Values: aws.StringSlice([]string{*scope.AWSMachine.Spec.Subnet.ID})})
@@ -395,6 +403,30 @@ func (s *Service) findSubnet(scope *scope.MachineScope) (string, error) {
 	}
 }
 
+func (s *Service) getVPCID(scope *scope.MachineScope) (string, error) {
+	if scope.AWSMachine.Spec.VPC == nil {
+		return s.scope.VPC().ID, nil
+	}
+	if scope.AWSMachine.Spec.VPC.ID != nil {
+		return *scope.AWSMachine.Spec.VPC.ID, nil
+	}
+	filters := make([]*ec2.Filter, 0, len(scope.AWSMachine.Spec.VPC.Filters))
+	for _, filter := range scope.AWSMachine.Spec.VPC.Filters {
+		filters = append(filters, &ec2.Filter{
+			Name:   aws.String(filter.Name),
+			Values: aws.StringSlice(filter.Values),
+		})
+	}
+	out, err := s.EC2Client.DescribeVpcsWithContext(context.TODO(), &ec2.DescribeVpcsInput{Filters: filters})
+	if err != nil {
+		return "", err
+	}
+	if out != nil && len(out.Vpcs) == 1 {
+		return *out.Vpcs[0].VpcId, nil
+	}
+	return "", fmt.Errorf("ambigious VPC filters, only one VPC expected, got %v", out)
+}
+
 // getFilteredSubnets fetches subnets filtered based on the criteria passed.
 func (s *Service) getFilteredSubnets(criteria ...*ec2.Filter) ([]*ec2.Subnet, error) {
 	out, err := s.EC2Client.DescribeSubnetsWithContext(context.TODO(), &ec2.DescribeSubnetsInput{Filters: criteria})
@@ -440,10 +472,15 @@ func (s *Service) GetCoreSecurityGroups(scope *scope.MachineScope) ([]string, er
 	}
 	ids := make([]string, 0, len(sgRoles))
 	for _, sg := range sgRoles {
-		if _, ok := s.scope.SecurityGroups()[sg]; !ok {
-			return nil, awserrors.NewFailedDependency(fmt.Sprintf("%s security group not available", sg))
+		if _, ok := scope.AWSMachine.Spec.SecurityGroupOverrides[sg]; ok {
+			ids = append(ids, scope.AWSMachine.Spec.SecurityGroupOverrides[sg])
+			continue
 		}
-		ids = append(ids, s.scope.SecurityGroups()[sg].ID)
+		if _, ok := s.scope.SecurityGroups()[sg]; ok {
+			ids = append(ids, s.scope.SecurityGroups()[sg].ID)
+			continue
+		}
+		return nil, awserrors.NewFailedDependency(fmt.Sprintf("%s security group not available", sg))
 	}
 	return ids, nil
 }