feat: worker launch templates and configurations depend on security group rules and IAM policies (#933)

In order to ensure proper ordering when running terraform destroy. This will block Terraform from removing up security group rules before the cluster has finished its clean up chores.
2026-01-17 17:22:13 +01:00 · 2020-07-12 10:14:36 -05:00
parent 9a0e548dcc
commit db9bb0b482
3 changed files with 37 additions and 3 deletions
--- a/cluster.tf
+++ b/cluster.tf
@@ -39,6 +39,8 @@ resource "aws_eks_cluster" "this" {
  }

  depends_on = [
+    aws_security_group_rule.cluster_egress_internet,
+    aws_security_group_rule.cluster_https_worker_ingress,
    aws_iam_role_policy_attachment.cluster_AmazonEKSClusterPolicy,
    aws_iam_role_policy_attachment.cluster_AmazonEKSServicePolicy,
    aws_cloudwatch_log_group.this
--- a/workers.tf
+++ b/workers.tf
@@ -256,6 +256,22 @@ resource "aws_launch_configuration" "workers" {
  lifecycle {
    create_before_destroy = true
  }
+
+  # Prevent premature access of security group roles and policies by pods that
+  # require permissions on create/destroy that depend on workers.
+  depends_on = [
+    aws_security_group_rule.workers_egress_internet,
+    aws_security_group_rule.workers_ingress_self,
+    aws_security_group_rule.workers_ingress_cluster,
+    aws_security_group_rule.workers_ingress_cluster_kubelet,
+    aws_security_group_rule.workers_ingress_cluster_https,
+    aws_security_group_rule.workers_ingress_cluster_primary,
+    aws_security_group_rule.cluster_primary_ingress_workers,
+    aws_iam_role_policy_attachment.workers_AmazonEKSWorkerNodePolicy,
+    aws_iam_role_policy_attachment.workers_AmazonEKS_CNI_Policy,
+    aws_iam_role_policy_attachment.workers_AmazonEC2ContainerRegistryReadOnly,
+    aws_iam_role_policy_attachment.workers_additional_policies
+  ]
 }

 resource "random_pet" "workers" {
@@ -271,14 +287,14 @@ resource "random_pet" "workers" {

 resource "aws_security_group" "workers" {
  count       = var.worker_create_security_group && var.create_eks ? 1 : 0
-  name_prefix = aws_eks_cluster.this[0].name
+  name_prefix = var.cluster_name
  description = "Security group for all nodes in the cluster."
  vpc_id      = var.vpc_id
  tags = merge(
    var.tags,
    {
-      "Name"                                                  = "${aws_eks_cluster.this[0].name}-eks_worker_sg"
-      "kubernetes.io/cluster/${aws_eks_cluster.this[0].name}" = "owned"
+      "Name"                                      = "${var.cluster_name}-eks_worker_sg"
+      "kubernetes.io/cluster/${var.cluster_name}" = "owned"
    },
  )
 }
--- a/workers_launch_template.tf
+++ b/workers_launch_template.tf
@@ -423,6 +423,22 @@ resource "aws_launch_template" "workers_launch_template" {
  lifecycle {
    create_before_destroy = true
  }
+
+  # Prevent premature access of security group roles and policies by pods that
+  # require permissions on create/destroy that depend on workers.
+  depends_on = [
+    aws_security_group_rule.workers_egress_internet,
+    aws_security_group_rule.workers_ingress_self,
+    aws_security_group_rule.workers_ingress_cluster,
+    aws_security_group_rule.workers_ingress_cluster_kubelet,
+    aws_security_group_rule.workers_ingress_cluster_https,
+    aws_security_group_rule.workers_ingress_cluster_primary,
+    aws_security_group_rule.cluster_primary_ingress_workers,
+    aws_iam_role_policy_attachment.workers_AmazonEKSWorkerNodePolicy,
+    aws_iam_role_policy_attachment.workers_AmazonEKS_CNI_Policy,
+    aws_iam_role_policy_attachment.workers_AmazonEC2ContainerRegistryReadOnly,
+    aws_iam_role_policy_attachment.workers_additional_policies
+  ]
 }

 resource "random_pet" "workers_launch_template" {