fix: Add conditional variable to allow users to opt out of tagging cluster primary security group (terraform-aws-modules#2034)

Author: bryantbiggs

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.64.1
+    rev: v1.68.1
     hooks:
       - id: terraform_fmt
       - id: terraform_validate

README.md

@@ -296,6 +296,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | <a name="input_create"></a> [create](#input\_create) | Controls if EKS resources should be created (affects nearly all resources) | `bool` | `true` | no |
 | <a name="input_create_aws_auth_configmap"></a> [create\_aws\_auth\_configmap](#input\_create\_aws\_auth\_configmap) | Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use `manage_aws_auth_configmap` | `bool` | `false` | no |
 | <a name="input_create_cloudwatch_log_group"></a> [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Determines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabled | `bool` | `true` | no |
+| <a name="input_create_cluster_primary_security_group_tags"></a> [create\_cluster\_primary\_security\_group\_tags](#input\_create\_cluster\_primary\_security\_group\_tags) | Indicates whether or not to tag the cluster's primary security group. This security group is created by the EKS service, not the module, and therefore tagging is handled after cluster creation | `bool` | `true` | no |
 | <a name="input_create_cluster_security_group"></a> [create\_cluster\_security\_group](#input\_create\_cluster\_security\_group) | Determines if a security group is created for the cluster or use the existing `cluster_security_group_id` | `bool` | `true` | no |
 | <a name="input_create_cni_ipv6_iam_policy"></a> [create\_cni\_ipv6\_iam\_policy](#input\_create\_cni\_ipv6\_iam\_policy) | Determines whether to create an [`AmazonEKS_CNI_IPv6_Policy`](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-ipv6-policy) | `bool` | `false` | no |
 | <a name="input_create_iam_role"></a> [create\_iam\_role](#input\_create\_iam\_role) | Determines whether a an IAM role is created or to use an existing IAM role | `bool` | `true` | no |

examples/complete/main.tf

@@ -125,7 +125,6 @@ module "eks" {
   # EKS Managed Node Group(s)
   eks_managed_node_group_defaults = {
     ami_type       = "AL2_x86_64"
-    disk_size      = 50
     instance_types = ["m6i.large", "m5.large", "m5n.large", "m5zn.large"]
 
     attach_cluster_primary_security_group = true

examples/eks_managed_node_group/main.tf

@@ -114,7 +114,6 @@ module "eks" {
 
   eks_managed_node_group_defaults = {
     ami_type       = "AL2_x86_64"
-    disk_size      = 50
     instance_types = ["m6i.large", "m5.large", "m5n.large", "m5zn.large"]
 
     # We are using the IRSA created below for permissions
@@ -133,6 +132,8 @@ module "eks" {
       create_launch_template = false
       launch_template_name   = ""
 
+      disk_size = 50
+
       # Remote access cannot be specified with a launch template
       remote_access = {
         ec2_ssh_key               = aws_key_pair.this.key_name
@@ -254,7 +255,6 @@ module "eks" {
       EOT
 
       capacity_type        = "SPOT"
-      disk_size            = 256
       force_update_version = true
       instance_types       = ["m6i.large", "m5.large", "m5n.large", "m5zn.large"]
       labels = {

examples/self_managed_node_group/main.tf

@@ -96,7 +96,7 @@ module "eks" {
   }
 
   self_managed_node_group_defaults = {
-    disk_size = 50
+    create_security_group = false
   }
 
   self_managed_node_groups = {
@@ -216,7 +216,6 @@ module "eks" {
       echo "you are free little kubelet!"
       EOT
 
-      disk_size     = 256
       instance_type = "m6i.large"
 
       launch_template_name            = "self-managed-ex"

main.tf

@@ -63,7 +63,7 @@ resource "aws_ec2_tag" "cluster_primary_security_group" {
   # This should not affect the name of the cluster primary security group
   # Ref: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/2006
   # Ref: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/2008
-  for_each = { for k, v in merge(var.tags, var.cluster_tags) : k => v if local.create && k != "Name" }
+  for_each = { for k, v in merge(var.tags, var.cluster_tags) : k => v if local.create && k != "Name" && var.create_cluster_primary_security_group_tags }
 
   resource_id = aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id
   key         = each.key

variables.tf

@@ -101,6 +101,12 @@ variable "cluster_tags" {
   default     = {}
 }
 
+variable "create_cluster_primary_security_group_tags" {
+  description = "Indicates whether or not to tag the cluster's primary security group. This security group is created by the EKS service, not the module, and therefore tagging is handled after cluster creation"
+  type        = bool
+  default     = true
+}
+
 variable "cluster_timeouts" {
   description = "Create, update, and delete timeout configurations for the cluster"
   type        = map(string)