AWS EMR resource - Support for Service Access Security Group

[ddcprg]

EMR Service Access Security Group is required when a cluster is spun up on a private subnet. At the moment the EMR resource doesn't support setting this value and any attempt of spinning clusters in a private subnet will fail.

[catsby]

Thanks @ddcprg – I have a small request, can we name the field service_access_security_group_id so that it is explicit that this value is the ID?

[ddcprg]

Sure @catsby, I'll push the change shortly

[ddcprg]

Is this not going to cause confusion with the other properties? They all end with _group or _groups:

emr_managed_master_security_group
emr_managed_slave_security_group
additional_master_security_groups
additional_slave_security_groups

but they all are either IDs or array of IDs.

I could clarify in the docs if you think that'd be better.

[catsby]

Is this not going to cause confusion with the other properties?

This is a very good point; let's keep things consistent. Thanks!

[baannee]

In v0.8.8 using next code I successfully start cluster. this was just a testing. Not sure if this is the right way?

`resource "aws_emr_cluster" "hbase-cluster" {
name = "hbase-cluster"
release_label = "emr-5.3.1"
applications = ["Hadoop", "Pig", "ZooKeeper", "Hive", "HBase"]

termination_protection = false
keep_job_flow_alive_when_no_steps = true

ec2_attributes {
key_name = "${var.key_name}"
subnet_id = "${aws_subnet.private_subnet_emr.id}"
emr_managed_master_security_group = "${aws_security_group.sec_emr.id}"
emr_managed_slave_security_group = "${aws_security_group.sec_emr.id}"
instance_profile = "${aws_iam_instance_profile.emr_profile.arn}"
}
master_instance_type = "c1.medium"
core_instance_type = "c1.medium"
core_instance_count = 1

tags {
role = "HBase Cluster"
env = "dev"
}

service_role = "${aws_iam_role.iam_emr_service_role.arn}"
}`

[ddcprg]

You only need service_access_security_group_id if the EMR is going to be spun up in a private subnet. Refer to the EMR Management Guide for details

[N-CP]

serviceaccesssecuritygroup emr
I am getting error for above. My all security group are in private subnet. It is asking for service access security group. what should i need to do here??
anybody can help me in this??

[eschwartz]

Can we document how to use this? I'm guessing we need to configure a new security group, to pass in here. What rules does the SG need?

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.