error updating Security Group (sg-0d1ac8eec59cbf1a2): error authorizing Security Group (ingress) rul-CodePudding

I'm using the EKS module and I'm electing to create my own cluster and node group security groups. For some reason, when trying to deploy my cluster I'm getting this error for my cluster security group resource

 Error: error updating Security Group (sg-0d1ac8eec59cbf1a2): error authorizing Security Group (ingress) rules: InvalidGroupId.Malformed: Invalid id: "0" (expecting "sg-...")
│       status code: 400, request id: b8b2f4c3-f44f-4918-b47e-5077295530fd
│
│   with module.eks.aws_security_group.cluster_sg,
│   on eks\managed.tf line 68, in resource "aws_security_group" "cluster_sg":
│   68: resource "aws_security_group" "cluster_sg" {

Here's my entire main.tf for my EKS cluster and node-group, including the security groups.

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 18.0"

  cluster_name    = var.name
  cluster_version = var.k8s_version

  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = true

  create_cluster_security_group = false
  create_node_security_group  = false
  cluster_security_group_id = aws_security_group.cluster_sg.id
  node_security_group_id = aws_security_group.node_sg.id

  create_iam_role = false
  iam_role_arn = aws_iam_role.eks_cluster.arn


  vpc_id     = var.vpc_id
  subnet_ids = [
    var.private_subnets[0],
    var.private_subnets[1],
    var.private_subnets[2],
  ]

    depends_on = [
    aws_iam_role_policy_attachment.amazon_eks_cluster_policy,
    aws_security_group.node_sg,
    aws_security_group.cluster_sg
  ]

}

module "eks_managed_node_group" {
  source = "terraform-aws-modules/eks/aws//modules/eks-managed-node-group"

  name            = "${var.name}-eks-mng"
  cluster_name    = module.eks.cluster_id
  cluster_version = var.k8s_version

  vpc_id     = var.vpc_id
  subnet_ids = [
    var.private_subnets[0],
    var.private_subnets[1],
    var.private_subnets[2],
  ]

  // The following variables are necessary if you decide to use the module outside of the parent EKS module context.
  // Without it, the security groups of the nodes are empty and thus won't join the cluster.
  cluster_primary_security_group_id = aws_security_group.cluster_sg.id
  cluster_security_group_id = aws_security_group.node_sg.id

  min_size     = 3
  max_size     = 6
  desired_size = 3

  instance_types = [var.node_instance_type]
  capacity_type  = "SPOT"
  disk_size = 20

  user_data_template_path = "${path.module}/node_user_data.tpl"

  key_name            = var.bastion_ssh_key

}

resource "aws_security_group" "cluster_sg" {
  name   = "${var.name}-cluster-security-group"
  vpc_id = var.vpc_id

  ingress {
    protocol        = -1
    from_port       = 0
    to_port         = 0
    security_groups = ["0.0.0.0/0"]
  }

  egress {
    protocol    = -1
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "node_sg" {
  name   = "${var.name}-node-security-group"
  vpc_id = var.vpc_id

  ingress {
    protocol        = "tcp"
    from_port       = 22
    to_port         = 22
    security_groups = [var.bastion_sg]
  }

  egress {
    protocol    = -1
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}

CodePudding user response：

In your cluster security group you have

security_groups = [“0.0.0.0/0”]

You need to either specify a security group for that value, or change it to

cidr_blocks = [“0.0.0.0/0”]

If your goal is to have a CIDR value

CodePudding user response：

Whatever you are passing as var.bastion_sg in

security_groups = [var.bastion_sg]

is incorrect. It should be security group id starting with sg-. Thus, you are passing some wrong value in var.bastion_sg.