Providing create_cluster_security_group=false leads to invalid node SG rules #3364

@visit1985

Description


I'm migrating existing clusters to this module which do not use a secondary cluster security group. When specifying create_cluster_security_group=false all aws_security_group_rule.node are generated with an empty source_security_group_id, which causes a timeout on apply.

  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

Terraform v1.11.0
on windows_amd64
+ provider registry.terraform.io/hashicorp/archive v2.7.0
+ provider registry.terraform.io/hashicorp/aws v5.97.0
+ provider registry.terraform.io/hashicorp/cloudinit v2.3.7
+ provider registry.terraform.io/hashicorp/external v2.3.5
+ provider registry.terraform.io/hashicorp/local v2.5.2
+ provider registry.terraform.io/hashicorp/null v3.2.4
+ provider registry.terraform.io/hashicorp/time v0.13.1
+ provider registry.terraform.io/hashicorp/tls v4.1.0

Reproduction Code

Steps to reproduce the behavior:

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "20.36.0"

  cluster_name                   = "ex-eks-auto-mode"
  cluster_version                = "1.31"
  cluster_endpoint_public_access = true

  enable_cluster_creator_admin_permissions = true

  cluster_compute_config = {
    enabled    = true
    node_pools = ["general-purpose"]
  }

  vpc_id     = module.vpc.vpc_id
  subnet_ids = module.vpc.private_subnets

  create_cluster_security_group = false
}

Expected behavior

The node SG rules should fallback to the primary cluster SG aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id for their source_security_group_id.

output "cluster_primary_security_group_id" {
  description = "Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication. Referred to as 'Cluster security group' in the EKS console"
  value       = try(aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id, null)
}

Actual behavior

The module tries to create all instances of aws_security_group_rule.node with an empty string supplied for source_security_group_id, leading to a timeout.

variable "cluster_security_group_id" {
  description = "Existing security group ID to be attached to the cluster"
  type        = string
  default     = ""
}

Terminal Output

# module.eks.aws_security_group_rule.node["ingress_cluster_443"] will be created
+ resource "aws_security_group_rule" "node" {
    + description              = "Cluster API to node groups"
    + from_port                = 443
    + id                       = (known after apply)
    + prefix_list_ids          = []
    + protocol                 = "tcp"
    + security_group_id        = "sg-016986f1ca395ace6"
    + security_group_rule_id   = (known after apply)
    + self                     = false
    + source_security_group_id = (known after apply)
    + to_port                  = 443
    + type                     = "ingress"
  }
...
module.eks.aws_security_group_rule.node["ingress_cluster_443"]: Creating...
...
module.eks.aws_security_group_rule.node["ingress_cluster_443"]: Still creating... [23m20s elapsed]
...

Additional context

The cluster aws_eks_cluster.this currently defines depends_on { aws_security_group_rule.node }, which would create a circular dependency when using aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id as a fallback source_security_group_id. But all node groups and addons, which would require the node SG to exist prior to their creation, depend on the cluster via attributes, so this dependency is unnecessary.

I proposed a possible solution for this issue in #3356.
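The following is an added illustration of the fallback described above, together with a plan-time check that refuses to create a rule with an empty source security group. It is not code from the terraform-aws-eks module and not the change proposed in #3356. The names var.create_cluster_security_group, aws_security_group.cluster, local.node_security_group_id and local.node_security_group_rules are assumptions modelled on the module's naming; aws_eks_cluster.this, aws_security_group_rule.node and var.cluster_security_group_id are the names quoted in the issue.

```hcl
# Added example; assumed names are marked below. Assumes that
# aws_eks_cluster.this no longer carries depends_on = [aws_security_group_rule.node],
# otherwise referencing the primary cluster SG from the node rules is a cycle.

locals {
  # Resolution order for the SG that "cluster -> node" rules reference:
  #   1. the module-managed secondary cluster SG, when the module creates it
  #   2. an existing SG passed in by the caller ("" is treated as "not set")
  #   3. the EKS-managed primary cluster SG reported by the cluster resource
  node_rule_source_sg_id = (
    var.create_cluster_security_group ? aws_security_group.cluster[0].id :      # assumed resource
    var.cluster_security_group_id != "" ? var.cluster_security_group_id :
    try(aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id, "")
  )
}

resource "aws_security_group_rule" "node" {
  for_each = local.node_security_group_rules # assumed: map of rule definitions

  security_group_id = local.node_security_group_id # assumed: the node SG id
  type              = each.value.type
  protocol          = each.value.protocol
  from_port         = each.value.from_port
  to_port           = each.value.to_port
  description       = try(each.value.description, null)

  # Only rules whose source is "the cluster" use the resolved SG; rules with
  # CIDR or self sources keep their own settings (null leaves the argument unset).
  source_security_group_id = try(each.value.source_cluster_security_group, false) ? local.node_rule_source_sg_id : null
  cidr_blocks              = try(each.value.cidr_blocks, null)
  self                     = try(each.value.self, null)

  lifecycle {
    # Fail with a message instead of letting the provider retry the create call
    # with an empty source SG until the timeout seen in the issue's output.
    precondition {
      condition     = !try(each.value.source_cluster_security_group, false) || local.node_rule_source_sg_id != ""
      error_message = "Node rule ${each.key} needs a cluster security group as its source, but none is available: set cluster_security_group_id or enable create_cluster_security_group."
    }
  }
}
```

When the cluster already exists, the primary SG id is known at plan time and the precondition is evaluated there; when the cluster is created in the same run the id is unknown until apply, so Terraform defers the check to apply, which is still a clear failure rather than a rule that sits in "Still creating..." for twenty minutes.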
