feat: expose EKS cluster primary security group ID#236

Merged
agustincelentano merged 1 commit into
mainfrom
feature/eks-primary-sg-output
Feb 27, 2026
Conversation

@agustincelentano

Collaborator

Summary

  • Add eks_cluster_primary_security_group_id output to the EKS module wrapper
  • This exposes the EKS-managed primary SG (auto-created by EKS, attached to all nodes and pod ENIs)
  • The existing eks_cluster_security_group_id only exposes the additional SG managed by Terraform, which is NOT attached to pod ENIs

Context

When using NLBs with IP target type (Gateway API + ALB controller), traffic goes directly to pod IPs. The ENIs holding those IPs only have the primary cluster SG, not the additional one. Without this output, consumers cannot create ingress rules on the correct SG to allow NLB health checks and traffic to reach pods.

Test plan

  • Verified module.eks.cluster_primary_security_group_id is exposed by the upstream terraform-aws-eks module
  • Tested in implementation-aws - NLB targets went from unhealthy to healthy after using this output for cluster SG ingress rules
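As an added example, not code from PR #236 or from the wrapper module itself, the following shows the output the PR describes next to a consumer-side ingress rule that uses it. The output name and `module.eks.cluster_primary_security_group_id` come from the PR text; `module.eks_wrapper`, `var.nlb_subnet_cidrs` and `var.pod_target_port` are assumed names. The two halves live in different root modules (the wrapper and the stack that owns the NLB) and are shown together only for illustration:

```hcl
# Added example (not part of PR #236 or the wrapper module's code).
# Assumptions: the wrapper instantiates terraform-aws-eks as `module.eks`,
# the consumer calls the wrapper as `module.eks_wrapper`, and the pod port
# and NLB subnet CIDRs are supplied by the hypothetical variables below.

# --- In the EKS module wrapper: the output this PR adds -------------------
output "eks_cluster_primary_security_group_id" {
  description = "EKS-managed primary cluster SG (attached to nodes and pod ENIs)"
  value       = module.eks.cluster_primary_security_group_id
}

# --- In the consumer (the stack that owns the NLB) ------------------------
variable "nlb_subnet_cidrs" {
  description = "CIDRs of the subnets the NLB is deployed in (assumed input)"
  type        = list(string)
}

variable "pod_target_port" {
  description = "Container port the NLB target group forwards to (assumed input)"
  type        = number
}

# One narrowly scoped rule per NLB subnet on the *primary* SG, which is the
# SG actually present on the pod ENIs. A rule on the additional SG
# (eks_cluster_security_group_id) would never match, because that SG is not
# attached to pod ENIs. Scoping to the NLB subnets rather than 0.0.0.0/0
# covers health checks, which always originate from the NLB's ENIs in those
# subnets, without exposing the pod port to every source.
resource "aws_vpc_security_group_ingress_rule" "nlb_to_pods" {
  for_each = toset(var.nlb_subnet_cidrs)

  security_group_id = module.eks_wrapper.eks_cluster_primary_security_group_id
  description       = "NLB (IP targets) health checks and traffic to pods"
  cidr_ipv4         = each.value
  ip_protocol       = "tcp"
  from_port         = var.pod_target_port
  to_port           = var.pod_target_port
}
```

One caveat when choosing the source range: with client IP preservation enabled on the NLB target group, forwarded connections arrive at the pod with the client's IP rather than the NLB's, so the data-path rule must then admit those client ranges; health checks still come from the NLB's own ENIs either way. Because the primary SG is shared by every node and pod ENI in the cluster, each rule added to it widens reachability cluster-wide, which is why the port and source should be kept as tight as the NLB's placement allows.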

Expose the EKS primary security group ID (auto-created by EKS) which is
attached to all nodes and pod ENIs. This is needed for creating ingress
rules that allow NLB traffic to reach pods when using IP target type.
@agustincelentano agustincelentano merged commit 46412f8 into main Feb 27, 2026
41 checks passed
@agustincelentano agustincelentano deleted the feature/eks-primary-sg-output branch February 27, 2026 19:23