feat: Add ability to use security groups for private access

[marc-slingshot]

PR o'clock

Description

Add the ability to use security groups sources as opposed to CIDR sources for private access rules

Resolves #1275

Checklist

• CI tests are passing
• README.md has been updated after any changes to variables and outputs. See https://github.com/terraform-aws-modules/terraform-aws-eks/#doc-generation

[aidan-melen]

This is an excellent contribution. I would like to see this merged.

[aidan-melen]

I still think it would be nice for the module to support source sg's in addition to CIDR. That being said, I did find a workaround. We can get the additional security group from the module output and append it with a new security group rule with our source sg.

module "eks" {
  source          = "terraform-aws-modules/eks/aws"
  version         = "~> 14.0.0"

  cluster_name    = "my-cluster"
  cluster_version = "1.18"

  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = false
  
  ...
}

resource "aws_security_group_rule" "data-vpn" {
  description              = "Allow K8s API from my source security group."
  type                     = "ingress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = "sg-???????????"
  security_group_id        = module.eks.cluster_security_group_id
}

hope that helps.

[marc-slingshot]

The problem I am experiencing currently is I have setup the EKS cluster as only having private access and I am running terraform remotely through a VPN. This module gets stuck on the null_resource wait trying to contact the EKS cluster, which I cannot since the ACL to get to it has not been added.

I am a bit new to terraform, but if the SG resource relies on an output from the EKS module, wouldn't the EKS module need to finish first before getting that output and running that resource stanza?

[marc-slingshot]

also when adding this PR the CI linter complained about a lot of missing portions in the README that this PR did not modify. Not sure why the linter requires those now, but I added them in this PR as well.

[aidan-melen]

This will give you complete control of the security before the cluster is created and deleted after the health check (aka null resource in older versions of the module).

module "eks" {
  source          = "terraform-aws-modules/eks/aws"
  version         = "16.1.0"

  cluster_name    = "my-cluster"
  cluster_version = "1.20"

  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = false
  
  cluster_create_security_group   = false
  cluster_security_group_id       = aws_security_group.cluster.id

  ...
}

resource "aws_security_group" "cluster" {
  description = "EKS cluster security group."
  vpc_id      = var.vpc_id

  tags = { 
    "Name" = "eks_cluster_sg"
  }
}

resource "aws_security_group_rule" "data-vpn" {
  description              = "Allow K8s API from my source security group."
  type                     = "ingress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = "sg-???????????"
  security_group_id        = aws_security_group.cluster.id
}

[barryib]

@marc-slingshot Thanks for opening this and sorry for the delay. Can you please update your branch and resolve conflict ? I want to ship this (during the next couple of days) in the next release with other breaking changes.

[barryib]

Thanks @marc-slingshot for your contribution.

[aidan-melen]

wahoo! thanks @marc-slingshot and @barryib

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.