
conditionally tag cluster_primary_security_group #2013

Closed
kumarpmd opened this issue Apr 12, 2022 · 3 comments · Fixed by #2034

Comments


kumarpmd commented Apr 12, 2022

Is your request related to a new offering from AWS?

Request is for the terraform-aws-eks module's aws_ec2_tag resource logic and not specifically for a provider feature.

Is your request related to a problem? Please describe.

The module successfully creates the EKS cluster and the cluster primary security group. The aws_ec2_tag resource then fails to tag the cluster_primary_security_group_id:

Error: error creating EC2 resource (sg-xxx) tag (TagName): error tagging resource (sg-xx): UnauthorizedOperation: You are not authorized to perform this operation.

Reason: our IAM policy allows tagging only at creation time, and hence fails when aws_ec2_tag is executed post creation.

Describe the solution you'd like.

Trigger the aws_ec2_tag resource on an as-needed basis?

variable "create_additional_tags_for_cluster_security_group" {
  description = "Whether to apply the additional tags to the cluster primary security group via aws_ec2_tag"
  type        = bool
  default     = true
}

resource "aws_ec2_tag" "cluster_primary_security_group" {
  # This should not affect the name of the cluster primary security group
  # Ref: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/2006
  # Ref: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/2008
  # Only create the per-tag resources when opted in; an empty map creates nothing
  for_each = var.create_additional_tags_for_cluster_security_group ? { for k, v in merge(var.tags, var.cluster_tags) : k => v if local.create && k != "Name" } : {}

  resource_id = aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id
  key         = each.key
  value       = each.value
}

Describe alternatives you've considered.

Alternative options would be expanding our security policy or removing the tags. Removing tags is not an option, and scoping security group actions will be a challenge since the cluster primary security group name suffix is dynamic.

Additional context

With the option to opt out of tagging, we can use the default 3 tags provisioned as part of cluster_security_group creation, and can start using aws_ec2_tag once we are able to specify a static cluster_primary_security_group name.

@kumarpmd (Author)

Any thoughts on this issue/enhancement? Maybe I should have opened it as a question?

In our case, we are supplying var.tags to tag the EKS cluster and cluster log group. But this seems to trigger the cluster primary security group tagging after creation.

While I understand the need for the cluster_primary_security_group to have all of the tags, is it required, and can it be optional?

@antonbabenko (Member)

This issue has been resolved in version 18.20.5 🎉

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 12, 2022