ansible-collections / community.aws

Ansible Collection for Community AWS
GNU General Public License v3.0

aws.eks_cluster shouldn't require security_groups during new EKS cluster creation #1885

Open yukccy opened 1 year ago

yukccy commented 1 year ago

Summary

When I am trying to create an EKS cluster using the community.aws.eks_cluster module, it showed an error that I need to specify the security groups. After I specified the security group in the playbook, the result showed that the specified groups became the additional security groups of the cluster according to the AWS console, and AWS created a new security group as the cluster security group.

According to the AWS docs here, AWS will create a security group automatically during EKS cluster creation. From my perspective, AWS is always handling the default cluster-level security group.

Moreover, according to the Ansible documentation here, security_groups is not stated to be mandatory while state is present.

Therefore, if AWS is always creating a security group for the new cluster, why do we need the security_groups field when we are creating a new EKS cluster? It can be an option to allow us to add additional security groups, but it should not be required.

Issue Type

Bug Report

Component Name

community.aws.eks_cluster

Ansible Version

ansible [core 2.15.0]
  config file = None
  configured module search path = ['/Users/tonychan/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/homebrew/Cellar/ansible/8.0.0/libexec/lib/python3.11/site-packages/ansible
  ansible collection location = /Users/tonychan/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/homebrew/bin/ansible
  python version = 3.11.4 (main, Jun 15 2023, 07:55:38) [Clang 14.0.3 (clang-1403.0.22.14.1)] (/opt/homebrew/Cellar/ansible/8.0.0/libexec/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True

Collection Versions

Collection                    Version
----------------------------- -------
amazon.aws                    6.0.1  
ansible.netcommon             5.1.1  
ansible.posix                 1.5.4  
ansible.utils                 2.10.3 
ansible.windows               1.14.0 
arista.eos                    6.0.1  
awx.awx                       22.2.0 
azure.azcollection            1.15.0 
check_point.mgmt              5.0.0  
chocolatey.chocolatey         1.4.0  
cisco.aci                     2.6.0  
cisco.asa                     4.0.0  
cisco.dnac                    6.7.2  
cisco.intersight              1.0.27 
cisco.ios                     4.5.0  
cisco.iosxr                   5.0.2  
cisco.ise                     2.5.12 
cisco.meraki                  2.15.1 
cisco.mso                     2.4.0  
cisco.nso                     1.0.3  
cisco.nxos                    4.3.0  
cisco.ucs                     1.8.0  
cloud.common                  2.1.3  
cloudscale_ch.cloud           2.2.4  
community.aws                 6.0.0  
community.azure               2.0.0  
community.ciscosmb            1.0.5  
community.crypto              2.13.1 
community.digitalocean        1.23.0 
community.dns                 2.5.4  
community.docker              3.4.6  
community.fortios             1.0.0  
community.general             7.0.1  
community.google              1.0.0  
community.grafana             1.5.4  
community.hashi_vault         5.0.0  
community.hrobot              1.8.0  
community.libvirt             1.2.0  
community.mongodb             1.5.2  
community.mysql               3.7.1  
community.network             5.0.0  
community.okd                 2.3.0  
community.postgresql          2.4.1  
community.proxysql            1.5.1  
community.rabbitmq            1.2.3  
community.routeros            2.8.0  
community.sap                 1.0.0  
community.sap_libs            1.4.1  
community.skydive             1.0.0  
community.sops                1.6.1  
community.vmware              3.6.0  
community.windows             1.13.0 
community.zabbix              2.0.0  
containers.podman             1.10.1 
cyberark.conjur               1.2.0  
cyberark.pas                  1.0.19 
dellemc.enterprise_sonic      2.0.0  
dellemc.openmanage            7.5.0  
dellemc.powerflex             1.6.0  
dellemc.unity                 1.6.0  
f5networks.f5_modules         1.24.0 
fortinet.fortimanager         2.1.7  
fortinet.fortios              2.2.3  
frr.frr                       2.0.2  
gluster.gluster               1.0.2  
google.cloud                  1.1.3  
grafana.grafana               2.0.0  
hetzner.hcloud                1.11.0 
hpe.nimble                    1.1.4  
ibm.qradar                    2.1.0  
ibm.spectrum_virtualize       1.12.0 
infinidat.infinibox           1.3.12 
infoblox.nios_modules         1.5.0  
inspur.ispim                  1.3.0  
inspur.sm                     2.3.0  
junipernetworks.junos         5.1.0  
kubernetes.core               2.4.0  
lowlydba.sqlserver            2.0.0  
microsoft.ad                  1.1.0  
netapp.aws                    21.7.0 
netapp.azure                  21.10.0
netapp.cloudmanager           21.22.0
netapp.elementsw              21.7.0 
netapp.ontap                  22.6.0 
netapp.storagegrid            21.11.1
netapp.um_info                21.8.0 
netapp_eseries.santricity     1.4.0  
netbox.netbox                 3.13.0 
ngine_io.cloudstack           2.3.0  
ngine_io.exoscale             1.0.0  
ngine_io.vultr                1.1.3  
openstack.cloud               2.1.0  
openvswitch.openvswitch       2.1.1  
ovirt.ovirt                   3.1.2  
purestorage.flasharray        1.18.0 
purestorage.flashblade        1.11.0 
purestorage.fusion            1.4.2  
sensu.sensu_go                1.13.2 
servicenow.servicenow         1.0.6  
splunk.es                     2.1.0  
t_systems_mms.icinga_director 1.32.2 
theforeman.foreman            3.10.0 
vmware.vmware_rest            2.3.1  
vultr.cloud                   1.7.1  
vyos.vyos                     4.0.2  
wti.remote                    1.0.4

AWS SDK versions

Name: boto
Version: 2.49.0
Summary: Amazon Web Services Library
Home-page: https://github.com/boto/boto/
Author: Mitch Garnaat
Author-email: mitch@garnaat.com
License: MIT
Location: /opt/homebrew/lib/python3.11/site-packages
Requires: 
Required-by: 
---
Name: boto3
Version: 1.26.165
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /opt/homebrew/lib/python3.11/site-packages
Requires: botocore, jmespath, s3transfer
Required-by: 
---
Name: botocore
Version: 1.29.165
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /opt/homebrew/lib/python3.11/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: boto3, s3transfer

Configuration

$ CONFIG_FILE() = None
HOST_KEY_CHECKING(env: ANSIBLE_HOST_KEY_CHECKING) = False

OS / Environment

Playbook running on MacOS Ventura 13.3.1 (a)

Steps to Reproduce

- name: Create EKS cluster
  community.aws.eks_cluster:
    name: "{{ eks_cluster.name }}"
    state: present
    version: "{{ eks_cluster.version }}"
    role_arn: "{{ eks_role_created.iam_role.arn }}"
    subnets:
      - "{{ subnet1_id }}"
      - "{{ subnet2_id }}"
    wait: true

Expected Results

An EKS cluster will be created.

Actual Results

fatal: [localhost]: FAILED! => {"changed": false, "msg": "state is present but all of the following are missing: security_groups"}
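The error above is the wording Ansible produces from a `required_if` entry in a module's argument spec. The following is a simplified re-implementation of that check written for this thread, not the community.aws.eks_cluster module's own code; the two requirement specs are assumptions about the module's argument spec, and the task parameters are constructed placeholders mirroring the playbook in the report. It shows why the task fails as reported and how a spec that no longer demands `security_groups` lets the task through so EKS can create and manage the cluster security group itself.

```python
# Simplified re-implementation of Ansible's `required_if` parameter check,
# written for this thread to show where the reported error comes from.
# It is NOT the community.aws.eks_cluster module's own code, and the two
# requirement specs below are assumptions about its argument spec.

def check_required_if(requirements, params):
    """Return a list of error messages using Ansible's own wording.

    Each requirement is (key, value, required_keys, require_all): when
    params[key] == value, every key in required_keys (require_all=True)
    or at least one of them (require_all=False) must be set (not None).
    """
    errors = []
    for key, value, required, require_all in requirements:
        if params.get(key) != value:
            continue
        missing = [k for k in required if params.get(k) is None]
        if require_all and missing:
            errors.append("%s is %s but all of the following are missing: %s"
                          % (key, value, ", ".join(missing)))
        elif not require_all and len(missing) == len(required):
            errors.append("%s is %s but any of the following are missing: %s"
                          % (key, value, ", ".join(missing)))
    return errors

# Assumed current spec: security_groups is demanded alongside the keys that
# are genuinely needed to create a cluster.
STRICT_SPEC = [("state", "present",
                ["role_arn", "subnets", "security_groups"], True)]

# Assumed relaxed spec: security_groups dropped, so omitting it lets EKS
# create and manage the cluster security group itself.
RELAXED_SPEC = [("state", "present", ["role_arn", "subnets"], True)]

# Constructed task parameters mirroring the playbook in the report
# (placeholder IDs, not real resources).
TASK_PARAMS = {
    "name": "demo-cluster",
    "state": "present",
    "version": "1.27",
    "role_arn": "arn:aws:iam::123456789012:role/eks-cluster-role",
    "subnets": ["subnet-aaaa1111", "subnet-bbbb2222"],
    "security_groups": None,   # not given in the playbook
    "wait": True,
}

if __name__ == "__main__":
    print(check_required_if(STRICT_SPEC, TASK_PARAMS))   # reported error
    print(check_required_if(RELAXED_SPEC, TASK_PARAMS))  # no errors
```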


yukccy commented 1 year ago

Can anyone follow up?

KamilBlaz commented 11 months ago

Hello, I think you need to define a security group. Look here: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/eks/client/create_cluster.html. The resourcesVpcConfig section is required and it contains the SG.

yukccy commented 11 months ago

> Hello, I think you need to define a security group. Look here: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/eks/client/create_cluster.html. The resourcesVpcConfig section is required and it contains the SG.

I agree a new cluster definitely needs an SG. It is just that, according to the AWS docs, an SG will be created automatically. And I have tested that the one AWS auto-creates will be the default SG of the EKS cluster. Also, even if I define one in the Ansible script, it will go to the additional SGs instead of the default SG of the EKS cluster. There is still one default SG created by AWS.

Also, in your link, it seems this field is not mandatory:

> securityGroupIds (list) –
>
> Specify one or more security groups for the cross-account elastic network interfaces that Amazon EKS creates to use that allow communication between your nodes and the Kubernetes control plane. If you don’t specify any security groups, then familiarize yourself with the difference between Amazon EKS defaults for clusters deployed with Kubernetes.