Merge pull request #892 from vineetjp/feature/custom-cni-sgid

Provision add custom security group to secondary eni in vpc cni addon custom networking

lib/addons/vpc-cni/eniConfig.ytpl

@@ -4,5 +4,5 @@ metadata:
   name: "{{availabilityZone}}"
 spec: 
   securityGroups: 
-    - "{{clusterSecurityGroupId}}"
+    - "{{securityGroupId}}"
   subnet: "{{subnetId}}"

lib/addons/vpc-cni/index.ts

@@ -1,4 +1,4 @@
-import { ISubnet } from "aws-cdk-lib/aws-ec2";
+import { ISecurityGroup, ISubnet } from "aws-cdk-lib/aws-ec2";
 import * as eks from "aws-cdk-lib/aws-eks";
 import * as iam from "aws-cdk-lib/aws-iam";
 import { Construct } from 'constructs';
@@ -295,6 +295,10 @@ export interface CustomNetworkingConfig {
    * Secondary subnets of your VPC
    */
   readonly subnets?: ISubnet[];
+  /**
+   * Security group of secondary ENI
+   */
+  readonly securityGroup?: ISecurityGroup;
 }
 
 const defaultProps: CoreAddOnProps = {
@@ -323,15 +327,19 @@ export class VpcCniAddOn extends CoreAddOn {
 
   deploy(clusterInfo: ClusterInfo): Promise<Construct> {
     const cluster = clusterInfo.cluster;
-    let clusterSecurityGroupId = cluster.clusterSecurityGroupId;
+    let securityGroupId = cluster.clusterSecurityGroupId;
+
+    if (this.vpcCniAddOnProps.customNetworkingConfig?.securityGroup) {
+      securityGroupId = this.vpcCniAddOnProps.customNetworkingConfig.securityGroup.securityGroupId;
+    }
 
     if ((this.vpcCniAddOnProps.customNetworkingConfig?.subnets)) {
       for (let subnet of this.vpcCniAddOnProps.customNetworkingConfig.subnets) {
         const doc = readYamlDocument(__dirname + '/eniConfig.ytpl');
         const manifest = doc.split("---").map(e => loadYaml(e));
         const values: Values = {
           availabilityZone: subnet.availabilityZone,
-          clusterSecurityGroupId: clusterSecurityGroupId,
+          securityGroupId: securityGroupId,
           subnetId: subnet.subnetId
         };
         const manifestDeployment: ManifestDeployment = {