From a2c7caac9f01ef167994d8b62afb5f997d0fac66 Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Thu, 6 Jan 2022 06:27:04 -0500 Subject: [PATCH] fix: Correct conditional map for cluster security group additional rules (#1738) --- README.md | 2 +- examples/eks_managed_node_group/main.tf | 11 +++++++++++ main.tf | 2 +- variables.tf | 2 +- 4 files changed, 14 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index c93a37a8d8..b519f58933 100644 --- a/README.md +++ b/README.md @@ -695,7 +695,7 @@ Full contributing [guidelines are covered here](https://github.com/terraform-aws | [cluster\_endpoint\_public\_access\_cidrs](#input\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS public API server endpoint | `list(string)` | 
[
  "0.0.0.0/0"
]
| no | | [cluster\_identity\_providers](#input\_cluster\_identity\_providers) | Map of cluster identity provider configurations to enable for the cluster. Note - this is different/separate from IRSA | `any` | `{}` | no | | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | `""` | no | -| [cluster\_security\_group\_additional\_rules](#input\_cluster\_security\_group\_additional\_rules) | List of additional security group rules to add to the cluster security group created | `map(any)` | `{}` | no | +| [cluster\_security\_group\_additional\_rules](#input\_cluster\_security\_group\_additional\_rules) | List of additional security group rules to add to the cluster security group created | `any` | `{}` | no | | [cluster\_security\_group\_description](#input\_cluster\_security\_group\_description) | Description of the cluster security group created | `string` | `"EKS cluster security group"` | no | | [cluster\_security\_group\_id](#input\_cluster\_security\_group\_id) | Existing security group ID to be attached to the cluster. Required if `create_cluster_security_group` = `false` | `string` | `""` | no | | [cluster\_security\_group\_name](#input\_cluster\_security\_group\_name) | Name to use on cluster security group created | `string` | `null` | no | diff --git a/examples/eks_managed_node_group/main.tf b/examples/eks_managed_node_group/main.tf index fb801c1eb1..68d3868a56 100644 --- a/examples/eks_managed_node_group/main.tf +++ b/examples/eks_managed_node_group/main.tf @@ -44,6 +44,17 @@ module "eks" { resources = ["secrets"] }] + cluster_security_group_additional_rules = { + admin_access = { + description = "Admin ingress to Kubernetes API" + cidr_blocks = ["10.97.0.0/30"] + protocol = "tcp" + from_port = 443 + to_port = 443 + type = "ingress" + } + } + vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets diff --git a/main.tf b/main.tf index 286e23b5a4..4817f96047 100644 --- a/main.tf +++ b/main.tf @@ -119,7 +119,7 @@ resource "aws_security_group" "cluster" { } resource "aws_security_group_rule" "cluster" { - for_each = local.create_cluster_sg ? merge(local.cluster_security_group_rules, var.cluster_security_group_additional_rules) : {} + for_each = { for k, v in merge(local.cluster_security_group_rules, var.cluster_security_group_additional_rules) : k => v if local.create_cluster_sg } # Required security_group_id = aws_security_group.cluster[0].id diff --git a/variables.tf b/variables.tf index 12ff69ee33..6c69760d52 100644 --- a/variables.tf +++ b/variables.tf @@ -153,7 +153,7 @@ variable "cluster_security_group_description" { variable "cluster_security_group_additional_rules" { description = "List of additional security group rules to add to the cluster security group created" - type = map(any) + type = any default = {} }