
Adding worker_additional_security_group_ids doesn't change existing nodes #1329

Closed
dooferlad opened this issue Apr 30, 2021 · 9 comments

@dooferlad

Description

I tried to add security groups to the workers in our cluster by setting worker_additional_security_group_ids. This resulted in a change in launch configuration but the existing worker was not replaced, so the new security groups weren't picked up. After killing that node off and letting the ASG sort itself out the new node got the correct security groups.

Versions

  • Terraform: 0.13.5
  • Provider(s):
    • provider registry.terraform.io/hashicorp/aws v3.37.0
    • provider registry.terraform.io/hashicorp/helm v2.1.2
    • provider registry.terraform.io/hashicorp/kubernetes v2.1.0
    • provider registry.terraform.io/hashicorp/local v2.1.0
    • provider registry.terraform.io/hashicorp/null v3.1.0
    • provider registry.terraform.io/hashicorp/random v3.1.0
    • provider registry.terraform.io/hashicorp/template v2.1.2
  • Module: terraform-aws-modules/eks/aws

Reproduction

Steps to reproduce the behavior:

  1. Create cluster without worker_additional_security_group_ids set
  2. add SGs to worker_additional_security_group_ids

I am using workspaces on TF Cloud

Expected behavior

When changing worker_additional_security_group_ids the existing workers are updated or replaced (respecting ASG rules) so they have the correct security groups.

Actual behavior

Additional security groups are not seen until nodes are forcibly replaced.

@kostyaplis

I think that's an expected behaviour for the worker group launch template and not related to the module.

@toytown

toytown commented Jul 28, 2021

I am experiencing the same issue with v0.17 and terraform 1.01 even when creating a new EKS cluster. Providing worker_additional_security_group_ids with an SG is not taking any effect. I wanted to use a private cluster and open a port for my CICD to access the k8 control plane.

```hcl
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "17.1.0"

  enable_irsa     = var.enable_irsa
  manage_aws_auth = var.manage_aws_auth

  write_kubeconfig       = var.write_aws_config
  kubeconfig_output_path = "~/.kube/config"

  map_users = var.map_users
  map_roles = var.map_roles

  cluster_name                         = var.cluster_name
  cluster_version                      = var.cluster_version
  subnets                              = var.private_subnets
  vpc_id                               = var.vpc_id
  cluster_enabled_log_types            = var.cluster_enabled_log_types
  worker_additional_security_group_ids = var.additional_security_groups

  tags = var.required_tags

  node_groups = {
    managed_node_grp = {
      name_prefix      = "ng-"
      desired_capacity = var.asg_desired_capacity
      max_capacity     = var.asg_max_size
      min_capacity     = var.asg_min_size

      instance_types          = []
      enable_monitoring       = true
      launch_template_id      = aws_launch_template.managed_group_lt.id
      launch_template_version = aws_launch_template.managed_group_lt.default_version

      additional_tags = {
        "k8s.io/cluster-autoscaler/${var.cluster_name}" = "owned",
        "k8s.io/cluster-autoscaler/enabled"             = "TRUE"
      }
    }
  }
}
```

@ailichev

I've faced a similar issue to @toytown's. Is there a way to assign the additional security group to node_groups?

@stale

stale bot commented Sep 14, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Sep 14, 2021
@hejkerooo

Issue still occurs.

@stale stale bot removed the stale label Sep 16, 2021
@daroga0002
Contributor

It should be solved in #1370.

I see in your config that you don't have the instance_refresh* inputs. Please check the example of how to make it:

```hcl
instance_refresh_enabled             = true
instance_refresh_instance_warmup     = 60
public_ip                            = true
metadata_http_put_response_hop_limit = 3
update_default_version               = true
instance_refresh_triggers            = ["tag"]
```

@daroga0002 daroga0002 self-assigned this Sep 16, 2021
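The behaviour dooferlad describes (the launch configuration changes but existing workers keep their old security groups until they are replaced) and the instance_refresh* inputs daroga0002 points to both come down to one question a defender wants answered: do the instances currently in the Auto Scaling group carry the security groups of the launch template's current default version? The following Python check is added here as an example; it is not code from this issue or from the terraform-aws-modules/eks module. It runs offline over constructed data shaped like the boto3 `describe_launch_template_versions`, `describe_auto_scaling_groups` and `describe_instances` responses, and every instance, launch template and security group id in it is a constructed placeholder, not real AWS output.

```python
"""Detect security-group drift between an EKS worker launch template's default
version and the instances actually running in its Auto Scaling group.

The sample dictionaries below are constructed to mirror the shape of the boto3
responses, so the check runs offline; the same functions accept the real
responses unchanged.
"""
from __future__ import annotations

# --- Constructed sample data (placeholder ids, not real AWS output) ---------
# Version 2 became the default after worker_additional_security_group_ids was
# set, so the desired set now includes the extra CI/CD security group.
LAUNCH_TEMPLATE_VERSIONS = {
    "LaunchTemplateVersions": [
        {"VersionNumber": 2, "DefaultVersion": True,
         "LaunchTemplateData": {
             "SecurityGroupIds": ["sg-0worker00000000000", "sg-0cicd000000000000"]}},
        {"VersionNumber": 1, "DefaultVersion": False,
         "LaunchTemplateData": {"SecurityGroupIds": ["sg-0worker00000000000"]}},
    ]
}

# The ASG still has one instance launched from version 1 (never replaced)
# and one launched from version 2 (e.g. after an instance refresh).
AUTO_SCALING_GROUP = {
    "AutoScalingGroups": [{
        "AutoScalingGroupName": "eks-workers",
        "Instances": [
            {"InstanceId": "i-0old0000000000000",
             "LaunchTemplate": {"LaunchTemplateId": "lt-0placeholder", "Version": "1"}},
            {"InstanceId": "i-0new0000000000000",
             "LaunchTemplate": {"LaunchTemplateId": "lt-0placeholder", "Version": "2"}},
        ],
    }]
}

# describe_instances reports the security groups attached to each instance.
INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0old0000000000000",
         "SecurityGroups": [{"GroupId": "sg-0worker00000000000", "GroupName": "workers"}]},
        {"InstanceId": "i-0new0000000000000",
         "SecurityGroups": [{"GroupId": "sg-0worker00000000000", "GroupName": "workers"},
                            {"GroupId": "sg-0cicd000000000000", "GroupName": "cicd"}]},
    ]}]
}


def desired_security_groups(lt_versions: dict) -> set[str]:
    """Security group ids in the launch template's default version.

    Groups may be set at the top level (SecurityGroupIds) or on a network
    interface block (NetworkInterfaces[].Groups); both are collected.
    """
    for version in lt_versions["LaunchTemplateVersions"]:
        if not version.get("DefaultVersion"):
            continue
        data = version["LaunchTemplateData"]
        groups = set(data.get("SecurityGroupIds", []))
        for eni in data.get("NetworkInterfaces", []):
            groups.update(eni.get("Groups", []))
        return groups
    raise ValueError("launch template has no default version")


def actual_security_groups(instances: dict) -> dict[str, set[str]]:
    """Map instance id -> security group ids currently attached to it."""
    attached: dict[str, set[str]] = {}
    for reservation in instances["Reservations"]:
        for inst in reservation["Instances"]:
            attached[inst["InstanceId"]] = {g["GroupId"] for g in inst.get("SecurityGroups", [])}
    return attached


def find_drift(lt_versions: dict, asg: dict, instances: dict) -> dict[str, dict]:
    """Return ASG members whose attached groups differ from the template's.

    Each entry records the template version the member was launched from and
    which desired groups are missing or which unexpected groups are present.
    """
    desired = desired_security_groups(lt_versions)
    attached = actual_security_groups(instances)
    drift: dict[str, dict] = {}
    for group in asg["AutoScalingGroups"]:
        for member in group["Instances"]:
            have = attached.get(member["InstanceId"], set())
            missing, extra = desired - have, have - desired
            if missing or extra:
                drift[member["InstanceId"]] = {
                    "launch_template_version": member["LaunchTemplate"]["Version"],
                    "missing": sorted(missing),
                    "extra": sorted(extra),
                }
    return drift


if __name__ == "__main__":
    for instance_id, report in find_drift(LAUNCH_TEMPLATE_VERSIONS, AUTO_SCALING_GROUP, INSTANCES).items():
        print(instance_id, report)
```

On the sample data the check flags only the instance still running from version 1, reporting the CI/CD group as missing; that is exactly the window the instance refresh inputs above close by replacing such members, and the same function run against live responses tells you when the refresh has actually finished rather than when the plan applied.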
@stale

stale bot commented Oct 17, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Oct 17, 2021
@stale

stale bot commented Oct 24, 2021

This issue has been automatically closed because it has not had recent activity since being marked as stale.

@stale stale bot closed this as completed Oct 24, 2021
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 17, 2022