3

I am deploying an AWS EKS cluster using a Terraform script. Everything is deploying fine, but I am stuck on an issue with the security group. I have added two ports to allow ingress traffic to my application URL.

But the issue is that, after the complete deployment of the EKS cluster, there are two security groups created: one which I have created and another which is created by EKS itself.

So here I have to manually add the port in the EKS-created security group to access my application's URL in the browser.

How can I add my specific ports to the EKS-created security group?

Albus
  • 161
  • 3
  • 11

3 Answers

0

This value is accessible as an attribute of the eks_cluster resource under the vpc_config.cluster_security_group_id.

Using this value you could create a security_group_rule resource and pass in the ID you retrieve back from the above attribute.

Chris Williams
  • 32,215
  • 4
  • 30
  • 68
0

This can be solved using the following code: add a data block to import the security group created by AWS EKS, and add another resource block to define the rules which you would like to implement.

Please keep in mind that you have to create separate rules for ingress and egress, and you cannot combine these resources with inline rule definitions.


    # SG created by EKS, looked up by its ID so Terraform can attach rules to it
    data "aws_security_group" "imported_sg" {
      id = "sg-123456"
    }
    
    # SG rule which you would like to add (here: all TCP ports from one VPC range)
    resource "aws_security_group_rule" "example" {
      type              = "ingress"
      from_port         = 0
      to_port           = 65535
      protocol          = "tcp"
      cidr_blocks       = ["10.0.0.0/16"]
    
      # The group comes from a data source, so it is referenced as data.<type>.<name>
      security_group_id = data.aws_security_group.imported_sg.id
    }

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group

FN_
  • 715
  • 9
  • 27
0

Here is the appropriate answer. If you scroll down the page in the Terraform docs, it gives a list of attributes (which are exportable): https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster. You will notice that the vpc_config attribute has a member cluster_security_group_id:

vpc_config Attributes cluster_security_group_id - Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication.

To actually gain access to this property, given that vpc_config is a list, you will need to access it as so:

 aws_eks_cluster.cluster.vpc_config[0].cluster_security_group_id

If you do not specify a cluster security group, then AWS will autogenerate a cluster security group which contains the rules to allow the cluster and the cluster node group to communicate. Consequently, it is a common pattern to export this property like so:

output "cluster_security_group_id" {
    value   = aws_eks_cluster.cluster.vpc_config[0].cluster_security_group_id
}
Daniel Viglione
  • 8,014
  • 9
  • 67
  • 101
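Putting the three answers together, here is an added example (not code from the question or any of the answers) that reads the EKS-created security group ID from the cluster resource, as the last answer shows, and attaches one standalone aws_security_group_rule per application port to it, as the second answer describes. It assumes a resource named aws_eks_cluster.cluster exists in the same configuration; the port numbers and source CIDR in the variables are placeholders to replace with your own.

```hcl
# Added example, not part of the original question or answers.
# Assumes an existing resource "aws_eks_cluster" "cluster"; the variable
# defaults below are placeholder values, not values from the question.

variable "app_ports" {
  description = "TCP ports the application listens on (placeholder values)"
  type        = list(number)
  default     = [8080, 8443]
}

variable "allowed_cidrs" {
  description = "Source ranges permitted to reach the application (placeholder)"
  type        = list(string)
  default     = ["10.0.0.0/16"]
}

# vpc_config is a list, so the EKS-created security group is read from index 0.
# Reading it from the resource avoids hard-coding an sg-... ID in a data block.
locals {
  cluster_sg_id = aws_eks_cluster.cluster.vpc_config[0].cluster_security_group_id
}

# One ingress rule per port rather than a single 0-65535 rule, so only the
# application's ports are opened. Each rule is a standalone
# aws_security_group_rule: the EKS-created group is not an aws_security_group
# resource in this configuration, so inline rules cannot be used, and the
# rules EKS itself manages on the group are left untouched.
resource "aws_security_group_rule" "app_ingress" {
  for_each = toset([for p in var.app_ports : tostring(p)])

  type              = "ingress"
  description       = "Application port ${each.value} (managed by Terraform)"
  from_port         = tonumber(each.value)
  to_port           = tonumber(each.value)
  protocol          = "tcp"
  cidr_blocks       = var.allowed_cidrs
  security_group_id = local.cluster_sg_id
}

# Export the ID, as the last answer suggests, so other modules can reference it.
output "cluster_security_group_id" {
  value = local.cluster_sg_id
}
```

Because the rules are keyed by port in for_each, adding or removing a port in var.app_ports changes only that one rule on the next plan; Terraform never tries to own the EKS-managed rules on the same group, so a plan should show only your app_ingress rules being created or destroyed.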