input variable `security_groups` is not being utilized

[wesleung]

Kafka brokers are only using the default security groups. Passing in variable security_groups is not being used.

main.tf

resource "aws_msk_cluster" "default" {
  count                  = module.this.enabled ? 1 : 0
  cluster_name           = module.this.id
  kafka_version          = var.kafka_version
  number_of_broker_nodes = var.number_of_broker_nodes
  enhanced_monitoring    = var.enhanced_monitoring

  broker_node_group_info {
    instance_type   = var.broker_instance_type
    ebs_volume_size = var.broker_volume_size
    client_subnets  = var.subnet_ids
    security_groups = aws_security_group.default.*.id
  }
}

Line security_groups = aws_security_group.default.*.id does not add variable security_groups. Maybe replace with security_groups = concat(aws_security_group.default.*.id, var.security_groups)

[purduemike]

The security_groups var is used to pass security groups you want to allow ingress into the kafka cluster. It gets utilized in the in the aws_security_group_rule ingress_security_groups.

resource "aws_security_group_rule" "ingress_security_groups" {
  count                    = module.this.enabled ? length(var.security_groups) : 0
  description              = "Allow inbound traffic from Security Groups"
  type                     = "ingress"
  from_port                = 0
  to_port                  = 65535
  protocol                 = "tcp"
  source_security_group_id = var.security_groups[count.index]
  security_group_id        = join("", aws_security_group.default.*.id)
}

I think there is a case to be made for applying additional SGs to the kafka cluster.