From 9d6740e1167158cd5c1ae8fb3acabd9c5bc14210 Mon Sep 17 00:00:00 2001
From: rmakram-ims <43446736+rmakram-ims@users.noreply.github.com>
Date: Thu, 13 Dec 2018 11:00:48 -0500
Subject: [PATCH] Add ability to pass computed values to cluster_security_group_id and worker_security_group_id (#186)

* Add ability to pass computer values to cluster_security_group_id and worker_security_group_id
* Fix contributer name in CHANGELOG.md
* Format variables.tf file
---
 CHANGELOG.md | 1 +
 README.md | 2 ++
 cluster.tf | 6 +++---
 variables.tf | 10 ++++++++++
 workers.tf | 10 +++++-----
 5 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4a543c5..6d7bad9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,7 @@ project adheres to [Semantic Versioning](http://semver.org/).
 - `target_group_arns` to `worker_groups` input (by @zihaoyu)
 - `force_detach_policies` to `aws_iam_role` `cluster` and `workers` (by @marky-mark)
 - Added sleep while trying to apply the kubernetes configurations if failed, up to 50 seconds (by @rmakram-ims)
+- `cluster_create_security_group` and `worker_create_security_group`. This allows using computed cluster and worker security groups. (by @rmakram-ims)
 
 ### Changed
 
diff --git a/README.md b/README.md
index 9636e60..953e3df 100644
--- a/README.md
+++ b/README.md
@@ -101,6 +101,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| cluster\_create\_security\_group | Whether to create a security group for the cluster or attach the cluster to `cluster_security_group_id`. | string | `true` | no |
 | cluster\_create\_timeout | Timeout value when creating the EKS cluster. | string | `15m` | no |
 | cluster\_delete\_timeout | Timeout value when deleting the EKS cluster. | string | `15m` | no |
 | cluster\_name | Name of the EKS cluster. Also used as a prefix in names of related resources. | string | - | yes |
@@ -124,6 +125,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 | tags | A map of tags to add to all resources. | map | `` | no |
 | vpc\_id | VPC where the cluster and workers will be deployed. | string | - | yes |
 | worker\_additional\_security\_group\_ids | A list of additional security group ids to attach to worker instances | list | `` | no |
+| worker\_create\_security\_group | Whether to create a security group for the workers or attach the workers to `worker_security_group_id`. | string | `true` | no |
 | worker\_group\_count | The number of maps contained within the worker_groups list. | string | `1` | no |
 | worker\_groups | A list of maps defining worker group configurations. See workers_group_defaults for valid keys. | list | `` | no |
 | worker\_security\_group\_id | If provided, all workers will be attached to this security group. If not given, a security group will be created with necessary ingres/egress to work with the EKS cluster. | string | `` | no |
diff --git a/cluster.tf b/cluster.tf
index fa5ca28..9903882 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -24,7 +24,7 @@ resource "aws_security_group" "cluster" {
   description = "EKS cluster security group."
   vpc_id = "${var.vpc_id}"
   tags = "${merge(var.tags, map("Name", "${var.cluster_name}-eks_cluster_sg"))}"
-  count = "${var.cluster_security_group_id == "" ? 1 : 0}"
+  count = "${var.cluster_create_security_group ? 1 : 0}"
 }
 
 resource "aws_security_group_rule" "cluster_egress_internet" {
@@ -35,7 +35,7 @@ resource "aws_security_group_rule" "cluster_egress_internet" {
   from_port = 0
   to_port = 0
   type = "egress"
-  count = "${var.cluster_security_group_id == "" ? 1 : 0}"
+  count = "${var.cluster_create_security_group ? 1 : 0}"
 }
 
 resource "aws_security_group_rule" "cluster_https_worker_ingress" {
@@ -46,7 +46,7 @@ resource "aws_security_group_rule" "cluster_https_worker_ingress" {
   from_port = 443
   to_port = 443
   type = "ingress"
-  count = "${var.cluster_security_group_id == "" ? 1 : 0}"
+  count = "${var.cluster_create_security_group ? 1 : 0}"
 }
 
 resource "aws_iam_role" "cluster" {
diff --git a/variables.tf b/variables.tf
index 0f4ba2c..fbb7d6a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -158,3 +158,13 @@ variable "local_exec_interpreter" {
   type = "list"
   default = ["/bin/sh", "-c"]
 }
+
+variable "cluster_create_security_group" {
+  description = "Whether to create a security group for the cluster or attach the cluster to `cluster_security_group_id`."
+  default = true
+}
+
+variable "worker_create_security_group" {
+  description = "Whether to create a security group for the workers or attach the workers to `worker_security_group_id`."
+  default = true
+}
diff --git a/workers.tf b/workers.tf
index 73fd746..b44ed04 100644
--- a/workers.tf
+++ b/workers.tf
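Review bot: The new `count` on `aws_security_group.cluster` no longer consults `cluster_security_group_id`, so an existing caller that already passes that id and does not also set `cluster_create_security_group = false` will, after upgrading, start creating an additional cluster security group together with the `cluster_egress_internet` (all-ports egress) and `cluster_https_worker_ingress` rules guarded by the same expression in the next two hunks; the five `workers.tf` hunks switch `aws_security_group.workers` and its four rules in exactly the same way. Whether the cluster and workers then actually use the created group or the supplied id depends on how the id is resolved elsewhere in the module, which is outside these hunks. Because a variable default cannot reference another variable, the coupling between the two inputs has to be documented: the CHANGELOG entry should be listed as a behaviour change rather than a plain addition, and each description should add the sentence `Set to false when passing an existing cluster_security_group_id.` (and the worker counterpart). The `resource` blocks in each hunk begin outside the hunk.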
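Review bot: Both new `variable` blocks omit a `type`, unlike the neighbouring `local_exec_interpreter` block whose `type = "list"` is visible as context, while the README rows added in this same commit document them as type `string`. Declaring `type = "string"` on `cluster_create_security_group` and `worker_create_security_group` keeps the file consistent with the rest of `variables.tf` and makes the documented type explicit, so that a caller passing a non-boolean value is caught at the variable rather than surfacing only as a failed ternary in the `count` expressions in `cluster.tf` and `workers.tf`. The `local_exec_interpreter` block starts outside the hunk.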
@@ -55,7 +55,7 @@ resource "aws_security_group" "workers" {
   name_prefix = "${aws_eks_cluster.this.name}"
   description = "Security group for all nodes in the cluster."
   vpc_id = "${var.vpc_id}"
-  count = "${var.worker_security_group_id == "" ? 1 : 0}"
+  count = "${var.worker_create_security_group ? 1 : 0}"
   tags = "${merge(var.tags, map("Name", "${aws_eks_cluster.this.name}-eks_worker_sg", "kubernetes.io/cluster/${aws_eks_cluster.this.name}", "owned" ))}"
 }
 
@@ -68,7 +68,7 @@ resource "aws_security_group_rule" "workers_egress_internet" {
   from_port = 0
   to_port = 0
   type = "egress"
-  count = "${var.worker_security_group_id == "" ? 1 : 0}"
+  count = "${var.worker_create_security_group ? 1 : 0}"
 }
 
 resource "aws_security_group_rule" "workers_ingress_self" {
@@ -79,7 +79,7 @@ resource "aws_security_group_rule" "workers_ingress_self" {
   from_port = 0
   to_port = 65535
   type = "ingress"
-  count = "${var.worker_security_group_id == "" ? 1 : 0}"
+  count = "${var.worker_create_security_group ? 1 : 0}"
 }
 
 resource "aws_security_group_rule" "workers_ingress_cluster" {
@@ -90,7 +90,7 @@ resource "aws_security_group_rule" "workers_ingress_cluster" {
   from_port = "${var.worker_sg_ingress_from_port}"
   to_port = 65535
   type = "ingress"
-  count = "${var.worker_security_group_id == "" ? 1 : 0}"
+  count = "${var.worker_create_security_group ? 1 : 0}"
 }
 
 resource "aws_security_group_rule" "workers_ingress_cluster_https" {
@@ -101,7 +101,7 @@ resource "aws_security_group_rule" "workers_ingress_cluster_https" {
   from_port = 443
   to_port = 443
   type = "ingress"
-  count = "${var.worker_security_group_id == "" ? 1 : 0}"
+  count = "${var.worker_create_security_group ? 1 : 0}"
 }
 
 resource "aws_iam_role" "workers" {