cloudposse · nustiueudinastea · Apr 16, 2021 · Apr 16, 2021 · Apr 16, 2021 · Apr 16, 2021
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -15,8 +15,8 @@
 
 # Cloud Posse must review any changes to standard context definition,
 # but some changes can be rubber-stamped.
-**/*.tf       @cloudposse/engineering @cloudposse/approvers
-README.yaml   @cloudposse/engineering @cloudposse/approvers
+**/*.tf       @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
+README.yaml   @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
 README.md     @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
 docs/*.md     @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
 

diff --git a/.github/auto-release.yml b/.github/auto-release.yml
@@ -46,7 +46,7 @@ template: |
 
 replacers:
 # Remove irrelevant information from Renovate bot
-- search: '/---\s+^#.*Renovate configuration(?:.|\n)*?This PR has been generated .*/gm'
+- search: '/(?<=---\s+)+^#.*(Renovate configuration|Configuration)(?:.|\n)*?This PR has been generated .*/gm'
   replace: ''
 # Remove Renovate bot banner image
 - search: '/\[!\[[^\]]*Renovate\][^\]]*\](\([^)]*\))?\s*\n+/gm'

diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
@@ -3,7 +3,9 @@ name: auto-release
 on:
   push:
     branches:
+      - main
       - master
+      - production
 
 jobs:
   publish:
@@ -14,7 +16,7 @@ jobs:
         id: get-merged-pull-request
         with:
           github_token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
-      # Drafts your next Release notes as Pull Requests are merged into "master"
+      # Drafts your next Release notes as Pull Requests are merged into "main"
       - uses: release-drafter/release-drafter@v5
         if: "!contains(steps.get-merged-pull-request.outputs.labels, 'no-release')"
         with:

diff --git a/.github/workflows/validate-codeowners.yml b/.github/workflows/validate-codeowners.yml
@@ -1,5 +1,7 @@
 name: Validate Codeowners
 on:
+  workflow_dispatch:
+
   pull_request:
 
 jobs:

diff --git a/README.md b/README.md
diff --git a/docs/terraform.md b/docs/terraform.md
diff --git a/launch-template.tf b/launch-template.tf
@@ -38,8 +38,11 @@ locals {
   launch_template_ami = length(local.configured_ami_image_id) == 0 ? (local.features_require_ami ? data.aws_ami.selected[0].image_id : "") : local.configured_ami_image_id
 
   launch_template_vpc_security_group_ids = (
-    local.need_remote_access_sg ?
-    concat(data.aws_eks_cluster.this[0].vpc_config[*].cluster_security_group_id, aws_security_group.remote_access.*.id) : []
+    concat(
+      local.ng.additional_security_group_ids,
+      local.get_cluster_data ? data.aws_eks_cluster.this[0].vpc_config[*].cluster_security_group_id : [],
+      local.need_remote_access_sg ? aws_security_group.remote_access.*.id : []
+    )
   )
 
   # launch_template_key = join(":", coalescelist(local.launch_template_vpc_security_group_ids, ["closed"]))

diff --git a/main.tf b/main.tf
@@ -6,13 +6,13 @@ locals {
   configured_ami_image_id          = var.ami_image_id == null ? "" : var.ami_image_id
   need_ami_id                      = local.enabled ? local.features_require_ami && length(local.configured_ami_image_id) == 0 : false
   need_imds_settings               = var.metadata_http_endpoint != "enabled" || var.metadata_http_put_response_hop_limit != 1 || var.metadata_http_tokens != "optional"
-  features_require_launch_template = local.enabled ? length(var.resources_to_tag) > 0 || local.need_userdata || local.features_require_ami || local.need_imds_settings : false
+  features_require_launch_template = local.enabled ? length(var.resources_to_tag) > 0 || local.need_userdata || local.features_require_ami || local.need_imds_settings || length(var.additional_security_group_ids) : false
 
   have_ssh_key = var.ec2_ssh_key != null && var.ec2_ssh_key != ""
 
   need_remote_access_sg = local.enabled && local.have_ssh_key && local.generate_launch_template
 
-  get_cluster_data = local.enabled ? (local.need_cluster_kubernetes_version || local.need_bootstrap || local.need_remote_access_sg) : false
+  get_cluster_data = local.enabled ? (local.need_cluster_kubernetes_version || local.need_bootstrap || local.need_remote_access_sg || length(var.additional_security_group_ids) > 0) : false
-  get_cluster_data = local.enabled ? (local.need_cluster_kubernetes_version || local.need_bootstrap || local.need_remote_access_sg || length(var.additional_security_group_ids) > 0) : false
+  get_cluster_data = local.enabled ? (local.need_cluster_kubernetes_version || local.need_bootstrap || local.need_remote_access_sg) : false
-  get_cluster_data = local.enabled ? (local.need_cluster_kubernetes_version || local.need_bootstrap || local.need_remote_access_sg || length(var.additional_security_group_ids) > 0) : false
+  get_cluster_data = local.enabled ? (local.need_cluster_kubernetes_version || local.need_bootstrap || local.need_remote_access_sg) : false
 
   autoscaler_enabled = var.enable_cluster_autoscaler != null ? var.enable_cluster_autoscaler : var.cluster_autoscaler_enabled == true
   #
@@ -86,6 +86,7 @@ locals {
     ec2_ssh_key        = local.have_ssh_key ? var.ec2_ssh_key : "none"
     # Keep sorted so that change in order does not trigger replacement via random_pet
     source_security_group_ids = local.ng_needs_remote_access ? sort(var.source_security_group_ids) : []
+    additional_security_group_ids = sort(var.additional_security_group_ids)
   }
 }
 
@@ -114,7 +115,8 @@ resource "random_pet" "cbd" {
     #       actually track security groups by using
     #       source_security_group_ids = join(",", local.ng.source_security_group_ids, aws_security_group.remote_access.*.id)
     #
-    source_security_group_ids = local.need_remote_access_sg ? "generated for launch template" : join(",", local.ng.source_security_group_ids)
+    source_security_group_ids     = local.need_remote_access_sg ? "generated for launch template" : join(",", local.ng.source_security_group_ids)
+    additional_security_group_ids = join(",", local.ng.additional_security_group_ids)
 
     launch_template_id = local.use_launch_template ? local.launch_template_id : "none"
   }

diff --git a/variables.tf b/variables.tf
@@ -46,6 +46,12 @@ variable "source_security_group_ids" {
   description = "Set of EC2 Security Group IDs to allow SSH access (port 22) to the worker nodes. If you specify `ec2_ssh_key`, but do not specify this configuration when you create an EKS Node Group, port 22 on the worker nodes is opened to the Internet (0.0.0.0/0)"
 }
 
+variable "additional_security_group_ids" {
-variable "additional_security_group_ids" {
+variable "associated_security_group_ids" {
-variable "additional_security_group_ids" {
+variable "associated_security_group_ids" {
+  type        = list(string)
+  default     = []
+  description = "Set of additional EC2 Security Group IDs that will be associated with the EKS Node Group"
+}
+
 variable "desired_size" {
   type        = number
   description = "Initial desired number of worker nodes (external changes ignored)"