Update Security Group rules

.github/workflows/release-branch.yml

@@ -10,6 +10,7 @@ on:
       - 'docs/**'
       - 'examples/**'
       - 'test/**'
+      - 'README.*'
 
 permissions:
   contents: write

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2018-2022 Cloud Posse, LLC
+   Copyright 2018-2023 Cloud Posse, LLC
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

security-group-variables.tf

@@ -44,8 +44,6 @@ variable "allowed_cidr_blocks" {
     EOT
 }
 
-
-
 variable "custom_ingress_rules" {
   type = list(object({
     description              = string

security-group.tf

@@ -2,27 +2,32 @@
 # Rules for EKS-managed Security Group
 # -----------------------------------------------------------------------
 
+locals {
+  cluster_security_group_id            = one(aws_eks_cluster.default[*].vpc_config[0].cluster_security_group_id)
+  cluster_security_group_rules_enabled = local.enabled && !local.create_security_group
+}
+
 resource "aws_security_group_rule" "managed_ingress_security_groups" {
-  count = local.enabled ? length(local.allowed_security_group_ids) : 0
+  count = local.cluster_security_group_rules_enabled ? length(local.allowed_security_group_ids) : 0
 
   description              = "Allow inbound traffic from existing Security Groups"
   from_port                = 0
   to_port                  = 65535
   protocol                 = "-1"
   source_security_group_id = local.allowed_security_group_ids[count.index]
-  security_group_id        = one(aws_eks_cluster.default[*].vpc_config[0].cluster_security_group_id)
+  security_group_id        = local.cluster_security_group_id
   type                     = "ingress"
 }
 
 resource "aws_security_group_rule" "managed_ingress_cidr_blocks" {
-  count = local.enabled && length(var.allowed_cidr_blocks) > 0 ? 1 : 0
+  count = local.cluster_security_group_rules_enabled && length(var.allowed_cidr_blocks) > 0 ? 1 : 0
 
   description       = "Allow inbound traffic from CIDR blocks"
   from_port         = 0
   to_port           = 65535
   protocol          = "-1"
   cidr_blocks       = var.allowed_cidr_blocks
-  security_group_id = one(aws_eks_cluster.default[*].vpc_config[0].cluster_security_group_id)
+  security_group_id = local.cluster_security_group_id
   type              = "ingress"
 }
 
@@ -92,7 +97,6 @@ resource "aws_security_group_rule" "ingress_cidr_blocks" {
 }
 
 resource "aws_security_group_rule" "custom_ingress_rules" {
-
   for_each = { for sg_rule in var.custom_ingress_rules : sg_rule.source_security_group_id => sg_rule }
 
   description              = each.value.description