fix: Call to lookup() closed too early, breaks sg rule creation in cluster sg if custom source sg is defined. (#2319)

Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>

examples/complete/main.tf

@@ -84,6 +84,15 @@ module "eks" {
       type                       = "ingress"
       source_node_security_group = true
     }
+    # Test: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/2319
+    ingress_source_security_group_id = {
+      description              = "Ingress from another computed security group"
+      protocol                 = "tcp"
+      from_port                = 22
+      to_port                  = 22
+      type                     = "ingress"
+      source_security_group_id = aws_security_group.additional.id
+    }
   }
 
   # Extend node-to-node security group rules
@@ -96,6 +105,15 @@ module "eks" {
       type        = "ingress"
       self        = true
     }
+    # Test: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/2319
+    ingress_source_security_group_id = {
+      description              = "Ingress from another computed security group"
+      protocol                 = "tcp"
+      from_port                = 22
+      to_port                  = 22
+      type                     = "ingress"
+      source_security_group_id = aws_security_group.additional.id
+    }
   }
 
   # Self Managed Node Group(s)

main.tf

@@ -191,13 +191,12 @@ resource "aws_security_group_rule" "cluster" {
   type              = each.value.type
 
   # Optional
-  description      = lookup(each.value, "description", null)
+  description              = lookup(each.value, "description", null)
-  cidr_blocks      = lookup(each.value, "cidr_blocks", null)
+  cidr_blocks              = lookup(each.value, "cidr_blocks", null)
-  ipv6_cidr_blocks = lookup(each.value, "ipv6_cidr_blocks", null)
+  ipv6_cidr_blocks         = lookup(each.value, "ipv6_cidr_blocks", null)
-  prefix_list_ids  = lookup(each.value, "prefix_list_ids", [])
+  prefix_list_ids          = lookup(each.value, "prefix_list_ids", null)
-  self             = lookup(each.value, "self", null)
+  self                     = lookup(each.value, "self", null)
-  source_security_group_id = lookup(each.value, "source_security_group_id",
+  source_security_group_id = try(each.value.source_node_security_group, false) ? local.node_security_group_id : lookup(each.value, "source_security_group_id", null)
-  lookup(each.value, "source_node_security_group", false)) ? local.node_security_group_id : null
 }
 
 ################################################################################

node_groups.tf

@@ -180,13 +180,12 @@ resource "aws_security_group_rule" "node" {
   type              = each.value.type
 
   # Optional
-  description      = lookup(each.value, "description", null)
+  description              = lookup(each.value, "description", null)
-  cidr_blocks      = lookup(each.value, "cidr_blocks", null)
+  cidr_blocks              = lookup(each.value, "cidr_blocks", null)
-  ipv6_cidr_blocks = lookup(each.value, "ipv6_cidr_blocks", null)
+  ipv6_cidr_blocks         = lookup(each.value, "ipv6_cidr_blocks", null)
-  prefix_list_ids  = lookup(each.value, "prefix_list_ids", [])
+  prefix_list_ids          = lookup(each.value, "prefix_list_ids", [])
-  self             = lookup(each.value, "self", null)
+  self                     = lookup(each.value, "self", null)
-  source_security_group_id = lookup(each.value, "source_security_group_id",
+  source_security_group_id = try(each.value.source_cluster_security_group, false) ? local.cluster_security_group_id : lookup(each.value, "source_security_group_id", null)
-  lookup(each.value, "source_cluster_security_group", false)) ? local.cluster_security_group_id : null
 }
 
 ################################################################################