feat: move karpenter secuity group selector from id to tags (#145)

uchinda-sph · web-flow · commit 9fb991fdcfbe · 2024-11-25T16:00:58.000+08:00
* feat: move karpenter secuity group selector from id to tags

* feat: add karpenter discovery tag to node security group
diff --git a/karpenter.tf b/karpenter.tf
@@ -12,10 +12,11 @@ locals {
         }
       ]
       karpenter_node_role = aws_iam_role.workers.name
-      karpenter_security_group_selector_maps = flatten(concat([{
-        "id" = module.eks.cluster_primary_security_group_id
-        }, local.additional_karpenter_security_group_id_maps
-      ]))
+      karpenter_security_group_selector_maps = [{
+        tags = merge({
+          "karpenter.sh/discovery" = module.eks.cluster_name
+        }, var.additional_karpenter_security_group_selector_tags)
+      }]
       karpenter_node_metadata_options = {
         httpEndpoint            = "enabled"
         httpProtocolIPv6        = var.cluster_ip_family != "ipv6" ? "disabled" : "enabled"
@@ -54,12 +55,6 @@ locals {
     },
   ])
 
-  additional_karpenter_security_group_id_maps = [
-    for val in var.additional_karpenter_security_group_ids : {
-      "id" = val
-    }
-  ]
-
   # Kaprenter Upgrade
   karpenter_upgrade_nodeclasses = concat([
     for nodeclass in local.karpenter_nodeclasses : merge(nodeclass, {
diff --git a/main.tf b/main.tf
@@ -73,6 +73,10 @@ locals {
     }
   }
   addon_aws_ebs_csi_driver_lookup = var.enable_pod_identity_for_eks_addons ? "pod_identity" : "irsa"
+
+  node_security_group_tags = merge({
+    "karpenter.sh/discovery" = var.cluster_name
+  }, var.node_security_group_tags)
 }
 #tfsec:ignore:aws-eks-no-public-cluster-access-to-cidr
 #tfsec:ignore:aws-eks-no-public-cluster-access
@@ -130,6 +134,7 @@ module "eks" {
     }
   }, var.node_security_group_additional_rules)
   node_security_group_enable_recommended_rules = var.node_security_group_enable_recommended_rules
+  node_security_group_tags                     = local.node_security_group_tags
 
   create_kms_key = false # Created in kms.tf
   cluster_encryption_config = {
diff --git a/variables.tf b/variables.tf
@@ -195,6 +195,12 @@ variable "create_node_security_group" {
   default     = true
 }
 
+variable "node_security_group_tags" {
+  description = "A map of additional tags to add to the node security group created"
+  type        = map(string)
+  default     = {}
+}
+
 variable "worker_security_group_name" {
   description = "Worker security group name"
   type        = string
@@ -576,10 +582,10 @@ variable "karpenter_default_subnet_selector_tags" {
   }
 }
 
-variable "additional_karpenter_security_group_ids" {
-  description = "Additional security group IDs to add to the Karpenter node groups"
-  type        = list(string)
-  default     = []
+variable "additional_karpenter_security_group_selector_tags" {
+  description = "Additional security group tags to add to the Karpenter node groups"
+  type        = map(string)
+  default     = {}
 }
 
 variable "karpenter_pod_resources" {

Original file line number	Diff line number	Diff line change
`@@ -73,6 +73,10 @@ locals {`
`73`	`73`	`}`
`74`	`74`	`}`
`75`	`75`	`addon_aws_ebs_csi_driver_lookup = var.enable_pod_identity_for_eks_addons ? "pod_identity" : "irsa"`
	`76`	`+`
	`77`	`+ node_security_group_tags = merge({`
	`78`	`+ "karpenter.sh/discovery" = var.cluster_name`
	`79`	`+ }, var.node_security_group_tags)`
`76`	`80`	`}`
`77`	`81`	`#tfsec:ignore:aws-eks-no-public-cluster-access-to-cidr`
`78`	`82`	`#tfsec:ignore:aws-eks-no-public-cluster-access`
`@@ -130,6 +134,7 @@ module "eks" {`
`130`	`134`	`}`
`131`	`135`	`}, var.node_security_group_additional_rules)`
`132`	`136`	`node_security_group_enable_recommended_rules = var.node_security_group_enable_recommended_rules`
	`137`	`+ node_security_group_tags = local.node_security_group_tags`
`133`	`138`
`134`	`139`	`create_kms_key = false # Created in kms.tf`
`135`	`140`	`cluster_encryption_config = {`
Original file line number	Diff line number	Diff line change
`@@ -195,6 +195,12 @@ variable "create_node_security_group" {`
`195`	`195`	`default = true`
`196`	`196`	`}`
`197`	`197`
	`198`	`+variable "node_security_group_tags" {`
	`199`	`+ description = "A map of additional tags to add to the node security group created"`
	`200`	`+ type = map(string)`
	`201`	`+ default = {}`
	`202`	`+}`
	`203`	`+`
`198`	`204`	`variable "worker_security_group_name" {`
`199`	`205`	`description = "Worker security group name"`
`200`	`206`	`type = string`
`@@ -576,10 +582,10 @@ variable "karpenter_default_subnet_selector_tags" {`
`576`	`582`	`}`
`577`	`583`	`}`
`578`	`584`
`579`		`-variable "additional_karpenter_security_group_ids" {`
`580`		`- description = "Additional security group IDs to add to the Karpenter node groups"`
`581`		`- type = list(string)`
`582`		`- default = []`
	`585`	`+variable "additional_karpenter_security_group_selector_tags" {`
	`586`	`+ description = "Additional security group tags to add to the Karpenter node groups"`
	`587`	`+ type = map(string)`
	`588`	`+ default = {}`
`583`	`589`	`}`
`584`	`590`
`585`	`591`	`variable "karpenter_pod_resources" {`