
vpc_config.security_group_ids should not include cluster_security_group_id #1978

Closed
RainaWLK opened this issue Apr 1, 2022 · 3 comments

RainaWLK commented Apr 1, 2022

Description

I tried to upgrade my EKS cluster from Terraform EKS module v17.24.0 to the latest version (v18.17.0).

Because we cannot change the security groups of a cluster after EKS is created, I must update the .tfstate file to make the latest version of the EKS module work.

But terraform says my EKS cluster must be replaced because the security group changed.

I tried describe-cluster using the AWS CLI and got the vpc_config of EKS.
The "security_group_ids" only includes "cluster_additional_security_group_ids".
But it also includes "cluster_security_group_id" in the behavior of the terraform EKS module. It's different from the data structure from the AWS API.

  • [x] ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]: v18.17.0
  • Terraform version: v1.1.7
  • Provider version(s): v4.8.0

Reproduction Code [Required]

module "eks" {
  source                    = "terraform-aws-modules/eks/aws"
  cluster_version           = "1.21"
  cluster_name              = "${local.prefix}-cluster"
  vpc_id                    = module.vpc.vpc_id
  subnet_ids                = module.vpc.eks_cluster_subnets
  cluster_service_ipv4_cidr = "192.168.0.0/16"

  cluster_endpoint_public_access  = false
  cluster_endpoint_private_access = true

  create_cluster_security_group         = false
  create_node_security_group            = false
  cluster_security_group_id             = "<current cluster security group id>"
  cluster_additional_security_group_ids = ["<current additional security group id>"]
  cluster_enabled_log_types             = []

  create_cloudwatch_log_group = false
}

Steps to reproduce the behavior:

no

yes

no

Expected behavior

terraform reports "nothing changed"

Actual behavior

  # module.eks.aws_eks_cluster.this[0] must be replaced
+/- resource "aws_eks_cluster" "this" {
      ........
        name                      = "my-eks-cluster"
      ~ platform_version          = "eks.4" -> (known after apply)
      ~ status                    = "ACTIVE" -> (known after apply)

      ~ vpc_config {
          ~ cluster_security_group_id = "<current cluster security group id>" -> (known after apply)
          ~ security_group_ids        = [ # forces replacement
              + "<current cluster security group id>",
                # (1 unchanged element hidden)
            ]
          ~ vpc_id                    = "vpc-000000000000000" -> (known after apply)
            # (4 unchanged attributes hidden)
        }
        # (2 unchanged blocks hidden)
    }

rainawlk$ aws eks describe-cluster --name my-eks-cluster
{
    "cluster": {
        "name": "my-eks-cluster",
         ......
        "resourcesVpcConfig": {
            "subnetIds": [
                "subnet-0000000000000",
                "subnet-111111111111111",
                "subnet-22222222222222"
            ],
            "securityGroupIds": [
                "<current additional security group id>"
            ],
            "clusterSecurityGroupId": "<current cluster security group id>",
            "vpcId": "vpc-000000000000000",
            "endpointPublicAccess": false,
            "endpointPrivateAccess": true,
            "publicAccessCidrs": [
                "0.0.0.0/0"
            ]
        },
        ......
}
RainaWLK (Author) commented Apr 1, 2022

When I marked "cluster_security_group_id", terraform reports "No changes. Your infrastructure matches the configuration."

module "eks" {
  source                    = "terraform-aws-modules/eks/aws"
  cluster_version           = "1.21"
  cluster_name              = "${local.prefix}-cluster"
  vpc_id                    = module.vpc.vpc_id
  subnet_ids                = module.vpc.eks_cluster_subnets
  cluster_service_ipv4_cidr = "192.168.0.0/16"

  cluster_endpoint_public_access  = false
  cluster_endpoint_private_access = true

  create_cluster_security_group = false
  create_node_security_group    = false
  # cluster_security_group_id = "<current cluster security group id>"
  cluster_additional_security_group_ids = ["<current additional security group id>"]
  cluster_enabled_log_types             = []

  create_cloudwatch_log_group = false
}

But this behavior does not match the documentation.
https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest
cluster_security_group_id should be a required input.

cluster_security_group_id string
Description: Existing security group ID to be attached to the cluster. Required if `create_cluster_security_group` = `false`
Default: ""
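A pre-flight check for the mismatch discussed in this issue, added here as an example; it is not code from the issue or from the terraform-aws-eks module. It parses a constructed `describe-cluster` response shaped like the one in the issue and compares the API's `securityGroupIds` with the list the module is assumed to build for `vpc_config.security_group_ids` (`[cluster_security_group_id] + cluster_additional_security_group_ids`, inferred from the plan output above, not confirmed against the module source). The `sg-EXAMPLE-*` ids and the function names are placeholders. Because `security_group_ids` forces replacement of `aws_eks_cluster`, a non-empty diff here means the plan would destroy and recreate the cluster, which is worth knowing before touching state.

```python
"""Compare the security_group_ids a terraform-aws-eks configuration would send
with what `aws eks describe-cluster` reports, before running `terraform plan`.

Assumption (not the module's own code): the v18.x module composes
vpc_config.security_group_ids as [cluster_security_group_id] plus
cluster_additional_security_group_ids, dropping empty strings. That is what
the plan output in the issue shows.
"""
import json

# Constructed sample, modelled on the describe-cluster output in the issue.
# All sg-/vpc-/subnet- ids are placeholders, not real resources.
DESCRIBE_CLUSTER_JSON = json.dumps({
    "cluster": {
        "name": "my-eks-cluster",
        "resourcesVpcConfig": {
            "subnetIds": ["subnet-EXAMPLE-a", "subnet-EXAMPLE-b"],
            "securityGroupIds": ["sg-EXAMPLE-additional"],
            "clusterSecurityGroupId": "sg-EXAMPLE-cluster",
            "vpcId": "vpc-EXAMPLE",
            "endpointPublicAccess": False,
            "endpointPrivateAccess": True,
        },
    }
})


def module_security_group_ids(cluster_security_group_id, additional_ids):
    """List the module is assumed to put in vpc_config.security_group_ids.

    Mirrors Terraform's compact(concat([a], b)): empty strings are dropped
    and order is preserved.
    """
    return [sg for sg in [cluster_security_group_id, *additional_ids] if sg]


def api_vpc_config(describe_json):
    """Return the two distinct security-group fields the EKS API keeps:
    securityGroupIds (user-supplied) and clusterSecurityGroupId (EKS-managed).
    """
    cfg = json.loads(describe_json)["cluster"]["resourcesVpcConfig"]
    return list(cfg["securityGroupIds"]), cfg["clusterSecurityGroupId"]


def check_security_groups(describe_json, cluster_security_group_id, additional_ids):
    """Describe the diff Terraform would compute for security_group_ids.

    security_group_ids forces replacement on aws_eks_cluster (see the plan
    output in the issue), so any difference means destroy-and-recreate.
    """
    actual, managed_sg = api_vpc_config(describe_json)
    desired = module_security_group_ids(cluster_security_group_id, additional_ids)
    added = sorted(set(desired) - set(actual))
    removed = sorted(set(actual) - set(desired))
    return {
        "desired": desired,
        "actual": actual,
        "added": added,
        "removed": removed,
        "forces_replacement": bool(added or removed),
        # The EKS-managed cluster SG is reported in its own API field; if it
        # shows up in the desired list, that is the source of the forced diff.
        "managed_sg_in_list": managed_sg in desired,
    }


if __name__ == "__main__":
    # Configuration from the issue body: cluster SG passed explicitly.
    with_sg = check_security_groups(
        DESCRIBE_CLUSTER_JSON, "sg-EXAMPLE-cluster", ["sg-EXAMPLE-additional"])
    # Configuration from the follow-up comment: cluster SG commented out.
    without_sg = check_security_groups(
        DESCRIBE_CLUSTER_JSON, "", ["sg-EXAMPLE-additional"])
    for label, result in (("with cluster_security_group_id", with_sg),
                          ("without cluster_security_group_id", without_sg)):
        verdict = "FORCES REPLACEMENT" if result["forces_replacement"] else "no change"
        print(f"{label}: {verdict}; added={result['added']} removed={result['removed']}")
```

Run it against a real `aws eks describe-cluster --name <cluster> --output json` capture by replacing `DESCRIBE_CLUSTER_JSON` with the file contents; a `forces_replacement` of `True` together with `managed_sg_in_list` of `True` is exactly the situation in this issue.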

@bryantbiggs (Member)

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 12, 2022