Story
Resolution: Unresolved
User Story:
Quoted from Ethan Howell in https://github.com/openshift/installer/issues/9268
In our environment, we're not allowed to create new security groups which essentially forces us into the UPI model even though we have permissions to do everything else the installer needs. Using the UPI model makes things difficult because we then have to break apart the documented CloudFormation to separate out actions based on IAM roles we have to assume.
I've been able to generate the CAPI manifests from the installer and patch those to get a working deployment using the securityGroupOverrides, but being able to handle this purely through the install-config would significantly simplify things and make OpenShift a more viable solution for our environments.
Acceptance Criteria:
Description of criteria:
- An install-config field that lets the user specify security group (SG) overrides per role (i.e. the roles defined by CAPA).
- If an SG override for a role is present, use that SG instead of the default one generated by CAPA.
Engineering Details:
- GitHub issue: https://github.com/openshift/installer/issues/9268
- AWSCluster for overriding security groups: https://github.com/kubernetes-sigs/cluster-api-provider-aws/blob/e7313b0dc9dd6266b7d3f01d2031ce6259b6c8ee/api/v1beta2/network_types.go#L349
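For reference, the CAPA-level override that the linked `network_types.go` defines looks like this on a generated AWSCluster manifest. This is an added example, not taken from the issue or from the installer; the cluster name, namespace and all `sg-` IDs are placeholders, and the install-config field this story asks for is not shown because the page does not define it.

```yaml
# Added example: AWSCluster fragment with pre-created security groups.
# All names and IDs below are placeholders, not values from the issue.
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: AWSCluster
metadata:
  name: example-cluster            # placeholder
  namespace: openshift-cluster-api-guests   # placeholder namespace
spec:
  network:
    # Map of CAPA security group role -> existing security group ID.
    # A role listed here uses the given SG instead of one CAPA would create,
    # so the installing identity needs no permission to create SGs for it.
    securityGroupOverrides:
      controlplane: sg-PLACEHOLDER-CONTROLPLANE
      node: sg-PLACEHOLDER-NODE
      apiserver-lb: sg-PLACEHOLDER-APISERVER-LB
      lb: sg-PLACEHOLDER-LB
      bastion: sg-PLACEHOLDER-BASTION
```

Because the referenced groups are created outside the installer, their ingress and egress rules must already allow the traffic the cluster needs; reviewing those rules becomes the responsibility of whoever owns the security groups.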