From 9a615dbf74180c6c8f7ec547a0a82b1905e30e26 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Tue, 23 Jan 2024 14:58:52 +0900 Subject: [PATCH] Makes security group rule id to be optional in eks-node-group --- modules/eks-node-group/README.md | 2 +- modules/eks-node-group/security-group.tf | 4 ++-- modules/eks-node-group/variables.tf | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/eks-node-group/README.md b/modules/eks-node-group/README.md index 49cf2a9..da31826 100644 --- a/modules/eks-node-group/README.md +++ b/modules/eks-node-group/README.md @@ -53,7 +53,7 @@ This module creates following resources. | [bootstrap\_extra\_args](#input\_bootstrap\_extra\_args) | (Optional) Extra arguments to add to the `/etc/eks/bootstrap.sh`. | `list(string)` | `[]` | no | | [cni\_custom\_networking\_enabled](#input\_cni\_custom\_networking\_enabled) | (Optional) Whether to use EKS CNI Custom Networking. | `bool` | `false` | no | | [cni\_eni\_prefix\_mode\_enabled](#input\_cni\_eni\_prefix\_mode\_enabled) | (Optional) Whether to use ENI Prefix Mode of EKS CNI. | `bool` | `false` | no | -| [default\_security\_group](#input\_default\_security\_group) | (Optional) The configuration of the default security group for the EKS node group. `default_security_group` block as defined below.
(Optional) `enabled` - Whether to use the default security group. Defaults to `true`.
(Optional) `name` - The name of the default security group. If not provided, the node group name is used for the name of security group.
(Optional) `description` - The description of the default security group.
(Optional) `ingress_rules` - A list of ingress rules in a security group. Defaults to `[]`. Each block of `ingress_rules` as defined below.
(Required) `id` - The ID of the ingress rule. This value is only used internally within Terraform code.
(Optional) `description` - The description of the rule.
(Required) `protocol` - The protocol to match. Note that if `protocol` is set to `-1`, it translates to all protocols, all port ranges, and `from_port` and `to_port` values should not be defined.
(Required) `from_port` - The start of port range for the protocols.
(Required) `to_port` - The end of port range for the protocols.
(Optional) `ipv4_cidrs` - The IPv4 network ranges to allow, in CIDR notation.
(Optional) `ipv6_cidrs` - The IPv6 network ranges to allow, in CIDR notation.
(Optional) `prefix_lists` - The prefix list IDs to allow.
(Optional) `security_groups` - The source security group IDs to allow.
(Optional) `self` - Whether the security group itself will be added as a source to this ingress rule.
(Optional) `egress_rules` - A list of egress rules in a security group. Defaults to `[{ id = "default", protocol = -1, from_port = 1, to_port=65535, ipv4_cidrs = ["0.0.0.0/0"] }]`. Each block of `egress_rules` as defined below.
(Required) `id` - The ID of the egress rule. This value is only used internally within Terraform code.
(Optional) `description` - The description of the rule.
(Required) `protocol` - The protocol to match. Note that if `protocol` is set to `-1`, it translates to all protocols, all port ranges, and `from_port` and `to_port` values should not be defined.
(Required) `from_port` - The start of port range for the protocols.
(Required) `to_port` - The end of port range for the protocols.
(Optional) `ipv4_cidrs` - The IPv4 network ranges to allow, in CIDR notation.
(Optional) `ipv6_cidrs` - The IPv6 network ranges to allow, in CIDR notation.
(Optional) `prefix_lists` - The prefix list IDs to allow.
(Optional) `security_groups` - The source security group IDs to allow.
(Optional) `self` - Whether the security group itself will be added as a source to this ingress rule. |
object({
enabled = optional(bool, true)
name = optional(string)
description = optional(string, "Managed by Terraform.")
ingress_rules = optional(
list(object({
id = string
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(list(string), [])
ipv6_cidrs = optional(list(string), [])
prefix_lists = optional(list(string), [])
security_groups = optional(list(string), [])
self = optional(bool, false)
})),
[]
)
egress_rules = optional(
list(object({
id = string
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(list(string), [])
ipv6_cidrs = optional(list(string), [])
prefix_lists = optional(list(string), [])
security_groups = optional(list(string), [])
self = optional(bool, false)
})),
[{
id = "default"
description = "Allow all outbound traffic."
protocol = "-1"
from_port = 1
to_port = 65535
ipv4_cidrs = ["0.0.0.0/0"]
}]
)
})
| `{}` | no | +| [default\_security\_group](#input\_default\_security\_group) | (Optional) The configuration of the default security group for the EKS node group. `default_security_group` block as defined below.
(Optional) `enabled` - Whether to use the default security group. Defaults to `true`.
(Optional) `name` - The name of the default security group. If not provided, the node group name is used for the name of security group.
(Optional) `description` - The description of the default security group.
(Optional) `ingress_rules` - A list of ingress rules in a security group. Defaults to `[]`. Each block of `ingress_rules` as defined below.
(Optional) `id` - The ID of the ingress rule. This value is only used internally within Terraform code.
(Optional) `description` - The description of the rule.
(Required) `protocol` - The protocol to match. Note that if `protocol` is set to `-1`, it translates to all protocols, all port ranges, and `from_port` and `to_port` values should not be defined.
(Required) `from_port` - The start of port range for the protocols.
(Required) `to_port` - The end of port range for the protocols.
(Optional) `ipv4_cidrs` - The IPv4 network ranges to allow, in CIDR notation.
(Optional) `ipv6_cidrs` - The IPv6 network ranges to allow, in CIDR notation.
(Optional) `prefix_lists` - The prefix list IDs to allow.
(Optional) `security_groups` - The source security group IDs to allow.
(Optional) `self` - Whether the security group itself will be added as a source to this ingress rule.
(Optional) `egress_rules` - A list of egress rules in a security group. Defaults to `[{ id = "default", protocol = -1, from_port = 1, to_port=65535, ipv4_cidrs = ["0.0.0.0/0"] }]`. Each block of `egress_rules` as defined below.
(Optional) `id` - The ID of the egress rule. This value is only used internally within Terraform code.
(Optional) `description` - The description of the rule.
(Required) `protocol` - The protocol to match. Note that if `protocol` is set to `-1`, it translates to all protocols, all port ranges, and `from_port` and `to_port` values should not be defined.
(Required) `from_port` - The start of port range for the protocols.
(Required) `to_port` - The end of port range for the protocols.
(Optional) `ipv4_cidrs` - The IPv4 network ranges to allow, in CIDR notation.
(Optional) `ipv6_cidrs` - The IPv6 network ranges to allow, in CIDR notation.
(Optional) `prefix_lists` - The prefix list IDs to allow.
(Optional) `security_groups` - The source security group IDs to allow.
(Optional) `self` - Whether the security group itself will be added as a source to this ingress rule. |
object({
enabled = optional(bool, true)
name = optional(string)
description = optional(string, "Managed by Terraform.")
ingress_rules = optional(
list(object({
id = optional(string)
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(list(string), [])
ipv6_cidrs = optional(list(string), [])
prefix_lists = optional(list(string), [])
security_groups = optional(list(string), [])
self = optional(bool, false)
})),
[]
)
egress_rules = optional(
list(object({
id = string
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(list(string), [])
ipv6_cidrs = optional(list(string), [])
prefix_lists = optional(list(string), [])
security_groups = optional(list(string), [])
self = optional(bool, false)
})),
[{
id = "default"
description = "Allow all outbound traffic."
protocol = "-1"
from_port = 1
to_port = 65535
ipv4_cidrs = ["0.0.0.0/0"]
}]
)
})
| `{}` | no | | [desired\_size](#input\_desired\_size) | (Optional) The number of instances that should be running in the group. | `number` | `null` | no | | [ebs\_optimized](#input\_ebs\_optimized) | (Optional) If true, the launched EC2 instance will be EBS-optimized. | `bool` | `false` | no | | [enabled\_metrics](#input\_enabled\_metrics) | (Optional) A list of metrics to collect. The allowed values are GroupDesiredCapacity, GroupInServiceCapacity, GroupPendingCapacity, GroupMinSize, GroupMaxSize, GroupInServiceInstances, GroupPendingInstances, GroupStandbyInstances, GroupStandbyCapacity, GroupTerminatingCapacity, GroupTerminatingInstances, GroupTotalCapacity, GroupTotalInstances. | `list(string)` |
[
"GroupMinSize",
"GroupMaxSize",
"GroupDesiredCapacity",
"GroupInServiceCapacity",
"GroupInServiceInstances",
"GroupPendingCapacity",
"GroupPendingInstances",
"GroupStandbyCapacity",
"GroupStandbyInstances",
"GroupTerminatingCapacity",
"GroupTerminatingInstances",
"GroupTotalCapacity",
"GroupTotalInstances"
]
| no | diff --git a/modules/eks-node-group/security-group.tf b/modules/eks-node-group/security-group.tf index ee06889..3f5853e 100644 --- a/modules/eks-node-group/security-group.tf +++ b/modules/eks-node-group/security-group.tf @@ -28,13 +28,13 @@ module "security_group" { ingress_rules = [ for i, rule in var.default_security_group.ingress_rules : merge(rule, { - id = try(rule.id, "eks-node-group-${i}") + id = coalesce(rule.id, "eks-node-group-${i}") }) ] egress_rules = [ for i, rule in var.default_security_group.egress_rules : merge(rule, { - id = try(rule.id, "eks-node-group-${i}") + id = coalesce(rule.id, "eks-node-group-${i}") }) ] diff --git a/modules/eks-node-group/variables.tf b/modules/eks-node-group/variables.tf index 59ee11f..50fe8f5 100644 --- a/modules/eks-node-group/variables.tf +++ b/modules/eks-node-group/variables.tf @@ -157,7 +157,7 @@ variable "default_security_group" { (Optional) `name` - The name of the default security group. If not provided, the node group name is used for the name of security group. (Optional) `description` - The description of the default security group. (Optional) `ingress_rules` - A list of ingress rules in a security group. Defaults to `[]`. Each block of `ingress_rules` as defined below. - (Required) `id` - The ID of the ingress rule. This value is only used internally within Terraform code. + (Optional) `id` - The ID of the ingress rule. This value is only used internally within Terraform code. (Optional) `description` - The description of the rule. (Required) `protocol` - The protocol to match. Note that if `protocol` is set to `-1`, it translates to all protocols, all port ranges, and `from_port` and `to_port` values should not be defined. (Required) `from_port` - The start of port range for the protocols. 
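Review bot: The switch from `try()` to `coalesce()` on the two `id = ...` lines is the right call, but the reason is non-obvious and deserves a comment: with `id = optional(string)` an omitted `id` arrives as `null`, and `try(null, fallback)` returns `null` because a null value is not an error, so the old expression would have produced a null rule id. Suggested comment above each merge: `# unset optional id is null, not an error; coalesce() (unlike try()) falls back to the positional default`. Note that `coalesce()` also treats an explicit `id = ""` as absent and replaces it with `eks-node-group-${i}`, which is probably acceptable but should be stated in the variable description. The fallback is positional, so if the downstream security_group module keys rules by `id` (not visible here), inserting a rule mid-list renumbers every auto-generated id after it, and a user-supplied id could collide with a generated one; a short note on that in the description would help callers.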
@@ -168,7 +168,7 @@ variable "default_security_group" { (Optional) `security_groups` - The source security group IDs to allow. (Optional) `self` - Whether the security group itself will be added as a source to this ingress rule. (Optional) `egress_rules` - A list of egress rules in a security group. Defaults to `[{ id = "default", protocol = -1, from_port = 1, to_port=65535, ipv4_cidrs = ["0.0.0.0/0"] }]`. Each block of `egress_rules` as defined below. - (Required) `id` - The ID of the egress rule. This value is only used internally within Terraform code. + (Optional) `id` - The ID of the egress rule. This value is only used internally within Terraform code. (Optional) `description` - The description of the rule. (Required) `protocol` - The protocol to match. Note that if `protocol` is set to `-1`, it translates to all protocols, all port ranges, and `from_port` and `to_port` values should not be defined. (Required) `from_port` - The start of port range for the protocols. @@ -185,7 +185,7 @@ variable "default_security_group" { description = optional(string, "Managed by Terraform.") ingress_rules = optional( list(object({ - id = string + id = optional(string) description = optional(string, "Managed by Terraform.") protocol = string from_port = number
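Review bot: Only the ingress object type is changed to `id = optional(string)` in the hunk at `@@ -185`; the egress object type keeps `id = string`, yet the hunk at `@@ -168` now documents the egress `id` as `(Optional)`, and the new-side README in this patch shows the same mismatch (`id = string` under `egress_rules`). Terraform rejects an egress rule that omits `id` with an "attribute id is required" type error, so the documentation and the commit title promise more than the type allows. The fix is the same one-line change in the egress `list(object({ ... }))`, which lies outside this hunk: `id = optional(string)`. The `coalesce(rule.id, ...)` already applied to egress rules in security-group.tf expects exactly that. The enclosing `variable "default_security_group"` block begins before and ends after these hunks.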