chore: Update FAQ for security group tagging (#2695)

code-eg · bryantbiggs · web-flow · commit d4e6c153ad50 · 2023-08-03T19:16:57.000-04:00
* Add aws_eks_addons.before_compute to the cluster_addons output

* update FAQ docs for custom networking

* Rephrasing

---------

Co-authored-by: Bryant Biggs &lt;bryantbiggs@gmail.com&gt;
diff --git a/docs/faq.md b/docs/faq.md
@@ -24,34 +24,16 @@ By default, EKS creates a cluster primary security group that is created outside
   attach_cluster_primary_security_group = true # default is false
 ```
 
-2. If you want to use the cluster primary security group, you can disable the tag passed to the node security group by overriding the tag expected value like:
-
-```hcl
-  attach_cluster_primary_security_group = true # default is false
-
-  node_security_group_tags = {
-    "kubernetes.io/cluster/<CLUSTER_NAME>" = null # or any other value other than "owned"
-  }
-```
-
-3. By overriding the tag expected value on the cluster primary security group like:
-
-```hcl
-  attach_cluster_primary_security_group = true # default is false
-
-  cluster_tags = {
-    "kubernetes.io/cluster/<CLUSTER_NAME>" = null # or any other value other than "owned"
-  }
-```
-
-4. By not attaching the cluster primary security group. The cluster primary security group has quite broad access and the module has instead provided a security group with the minimum amount of access to launch an empty EKS cluster successfully and users are encouraged to open up access when necessary to support their workload.
+2. By not attaching the cluster primary security group. The cluster primary security group has quite broad access and the module has instead provided a security group with the minimum amount of access to launch an empty EKS cluster successfully and users are encouraged to open up access when necessary to support their workload.
 
 ```hcl
   attach_cluster_primary_security_group = false # this is the default for the module
 ```
 
 In theory, if you are attaching the cluster primary security group, you shouldn't need to use the shared node security group created by the module. However, this is left up to users to decide for their requirements and use case.
 
+If you choose to use [Custom Networking](https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html), make sure to only attach the security groups matching your choice above in your ENIConfig resources. This will ensure you avoid redundant tags.
+
 ### Why are nodes not being registered?
 
 Nodes not being able to register with the EKS control plane is generally due to networking mis-configurations.
