fix: Correct conditional map for cluster security group additional rules

README.md

@@ -695,7 +695,7 @@ Full contributing [guidelines are covered here](https:/terraform-aws
 | <a name="input_cluster_endpoint_public_access_cidrs"></a> [cluster\_endpoint\_public\_access\_cidrs](#input\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS public API server endpoint | `list(string)` | <pre>[<br> "0.0.0.0/0"<br>]</pre> | no |
 | <a name="input_cluster_identity_providers"></a> [cluster\_identity\_providers](#input\_cluster\_identity\_providers) | Map of cluster identity provider configurations to enable for the cluster. Note - this is different/separate from IRSA | `any` | `{}` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | `""` | no |
-| <a name="input_cluster_security_group_additional_rules"></a> [cluster\_security\_group\_additional\_rules](#input\_cluster\_security\_group\_additional\_rules) | List of additional security group rules to add to the cluster security group created | `map(any)` | `{}` | no |
+| <a name="input_cluster_security_group_additional_rules"></a> [cluster\_security\_group\_additional\_rules](#input\_cluster\_security\_group\_additional\_rules) | List of additional security group rules to add to the cluster security group created | `any` | `{}` | no |
 | <a name="input_cluster_security_group_description"></a> [cluster\_security\_group\_description](#input\_cluster\_security\_group\_description) | Description of the cluster security group created | `string` | `"EKS cluster security group"` | no |
 | <a name="input_cluster_security_group_id"></a> [cluster\_security\_group\_id](#input\_cluster\_security\_group\_id) | Existing security group ID to be attached to the cluster. Required if `create_cluster_security_group` = `false` | `string` | `""` | no |
 | <a name="input_cluster_security_group_name"></a> [cluster\_security\_group\_name](#input\_cluster\_security\_group\_name) | Name to use on cluster security group created | `string` | `null` | no |

examples/eks_managed_node_group/main.tf

@@ -44,6 +44,17 @@ module "eks" {
  resources = ["secrets"]
  }]
 
+ cluster_security_group_additional_rules = {
+ admin_access = {
+ description = "Admin ingress to Kubernetes API"
+ cidr_blocks = ["10.97.0.0/30"]
+ protocol = "tcp"
+ from_port = 443
+ to_port = 443
+ type = "ingress"
+ }
+ }
+
  vpc_id = module.vpc.vpc_id
  subnet_ids = module.vpc.private_subnets
 

main.tf

@@ -119,7 +119,7 @@ resource "aws_security_group" "cluster" {
 }
 
 resource "aws_security_group_rule" "cluster" {
- for_each = local.create_cluster_sg ? merge(local.cluster_security_group_rules, var.cluster_security_group_additional_rules) : {}
+ for_each = { for k, v in merge(local.cluster_security_group_rules, var.cluster_security_group_additional_rules) : k => v if local.create_cluster_sg }
 
  # Required
  security_group_id = aws_security_group.cluster[0].id

variables.tf

@@ -153,7 +153,7 @@ variable "cluster_security_group_description" {
 
 variable "cluster_security_group_additional_rules" {
  description = "List of additional security group rules to add to the cluster security group created"
- type = map(any)
+ type = any
  default = {}
 }