fix: Call to lookup() closed too early, breaks sg rule creation in cluster sg if custom source sg is defined. (#2319)

Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
2026-03-11 21:11:32 +01:00 · 2022-12-06 20:10:29 +01:00
parent 4bb83e0165
commit 7bc4a2743f
3 changed files with 30 additions and 14 deletions
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -84,6 +84,15 @@ module "eks" {
      type                       = "ingress"
      source_node_security_group = true
    }
+    # Test: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/2319
+    ingress_source_security_group_id = {
+      description              = "Ingress from another computed security group"
+      protocol                 = "tcp"
+      from_port                = 22
+      to_port                  = 22
+      type                     = "ingress"
+      source_security_group_id = aws_security_group.additional.id
+    }
  }

  # Extend node-to-node security group rules
@@ -96,6 +105,15 @@ module "eks" {
      type        = "ingress"
      self        = true
    }
+    # Test: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/2319
+    ingress_source_security_group_id = {
+      description              = "Ingress from another computed security group"
+      protocol                 = "tcp"
+      from_port                = 22
+      to_port                  = 22
+      type                     = "ingress"
+      source_security_group_id = aws_security_group.additional.id
+    }
  }

  # Self Managed Node Group(s)
--- a/main.tf
+++ b/main.tf
@@ -191,13 +191,12 @@ resource "aws_security_group_rule" "cluster" {
  type              = each.value.type

  # Optional
-  description      = lookup(each.value, "description", null)
-  cidr_blocks      = lookup(each.value, "cidr_blocks", null)
-  ipv6_cidr_blocks = lookup(each.value, "ipv6_cidr_blocks", null)
-  prefix_list_ids  = lookup(each.value, "prefix_list_ids", [])
-  self             = lookup(each.value, "self", null)
-  source_security_group_id = lookup(each.value, "source_security_group_id",
-  lookup(each.value, "source_node_security_group", false)) ? local.node_security_group_id : null
+  description              = lookup(each.value, "description", null)
+  cidr_blocks              = lookup(each.value, "cidr_blocks", null)
+  ipv6_cidr_blocks         = lookup(each.value, "ipv6_cidr_blocks", null)
+  prefix_list_ids          = lookup(each.value, "prefix_list_ids", null)
+  self                     = lookup(each.value, "self", null)
+  source_security_group_id = try(each.value.source_node_security_group, false) ? local.node_security_group_id : lookup(each.value, "source_security_group_id", null)
 }

 ################################################################################
--- a/node_groups.tf
+++ b/node_groups.tf
@@ -180,13 +180,12 @@ resource "aws_security_group_rule" "node" {
  type              = each.value.type

  # Optional
-  description      = lookup(each.value, "description", null)
-  cidr_blocks      = lookup(each.value, "cidr_blocks", null)
-  ipv6_cidr_blocks = lookup(each.value, "ipv6_cidr_blocks", null)
-  prefix_list_ids  = lookup(each.value, "prefix_list_ids", [])
-  self             = lookup(each.value, "self", null)
-  source_security_group_id = lookup(each.value, "source_security_group_id",
-  lookup(each.value, "source_cluster_security_group", false)) ? local.cluster_security_group_id : null
+  description              = lookup(each.value, "description", null)
+  cidr_blocks              = lookup(each.value, "cidr_blocks", null)
+  ipv6_cidr_blocks         = lookup(each.value, "ipv6_cidr_blocks", null)
+  prefix_list_ids          = lookup(each.value, "prefix_list_ids", [])
+  self                     = lookup(each.value, "self", null)
+  source_security_group_id = try(each.value.source_cluster_security_group, false) ? local.cluster_security_group_id : lookup(each.value, "source_security_group_id", null)
 }

 ################################################################################