feat: add an argument to enable the creation of the service SG and ch…

…anged the name for a more specific one

README.md

@@ -150,6 +150,7 @@ module "ecs_app" {
 | <a name="input_cloudwatch_log_group_retention_in_days"></a> [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | Number of days to retain Cloudwatch logs. | `number` | `60` | no |
 | <a name="input_container_definition_json"></a> [container\_definition\_json](#input\_container\_definition\_json) | A string containing a JSON-encoded array of container definitions<br>(`"[{ "name": "container1", ... }, { "name": "container2", ... }]"`).<br>See [API\_ContainerDefinition](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html),<br>[cloudposse/terraform-aws-ecs-container-definition](https://github.com/cloudposse/terraform-aws-ecs-container-definition), or<br>[ecs\_task\_definition#container\_definitions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#container_definitions) | `string` | n/a | yes |
 | <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br>  "additional_tag_map": {},<br>  "attributes": [],<br>  "delimiter": null,<br>  "descriptor_formats": {},<br>  "enabled": true,<br>  "environment": null,<br>  "id_length_limit": null,<br>  "label_key_case": null,<br>  "label_order": [],<br>  "label_value_case": null,<br>  "labels_as_tags": [<br>    "unset"<br>  ],<br>  "name": null,<br>  "namespace": null,<br>  "regex_replace_chars": null,<br>  "stage": null,<br>  "tags": {},<br>  "tenant": null<br>}</pre> | no |
+| <a name="input_default_service_security_group_enabled"></a> [default\_service\_security\_group\_enabled](#input\_default\_service\_security\_group\_enabled) | Enables the creation of a default security group for the ECS Service | `bool` | `true` | no |
 | <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
 | <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br>   format = string<br>   labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
 | <a name="input_dns_alias_enabled"></a> [dns\_alias\_enabled](#input\_dns\_alias\_enabled) | Create a DNS alias for the CDN. Requires `parent_zone_id` or `parent_zone_name`. | `bool` | `false` | no |

main.tf

@@ -1,10 +1,11 @@
 locals {
-  use_acm       = (var.dns_alias_enabled && length(var.aliases) != 0) || var.certificate_type == "import"
-  acm_alt_names = length(var.aliases) > 1 ? slice(var.aliases, 1, length(var.aliases)) : []
-  protocol      = aws_lb_listener.app[0].protocol == "HTTPS" ? "https" : "http"
-  address       = var.dns_alias_enabled ? var.aliases[0] : data.aws_lb.alb.dns_name
-  url           = "${local.protocol}://${local.address}:${aws_lb_listener.app[0].port}"
-  enabled       = module.this.enabled
+  use_acm                  = (var.dns_alias_enabled && length(var.aliases) != 0) || var.certificate_type == "import"
+  acm_alt_names            = length(var.aliases) > 1 ? slice(var.aliases, 1, length(var.aliases)) : []
+  protocol                 = aws_lb_listener.app[0].protocol == "HTTPS" ? "https" : "http"
+  address                  = var.dns_alias_enabled ? var.aliases[0] : data.aws_lb.alb.dns_name
+  url                      = "${local.protocol}://${local.address}:${aws_lb_listener.app[0].port}"
+  enabled                  = module.this.enabled
+  ecs_service_task_sg_name = "${module.this.id}-ecs-service-task"
 }
 
 data "aws_lb" "alb" {
@@ -87,44 +88,38 @@ resource "aws_lb_listener" "app" {
   tags = module.this.tags
 }
 
-resource "aws_security_group" "service" {
-  count = local.enabled ? 1 : 0
+module "ecs_service_sg" {
+  count   = local.enabled ? 1 : 0
+  source  = "cloudposse/security-group/aws"
+  version = "2.2.0"
 
-  name_prefix = "${module.this.id}-service-task-"
-  description = "ECS service task SG for ${module.this.id}"
+  name                       = local.ecs_service_task_sg_name
+  security_group_description = "ECS service task SG for ${module.this.id}"
 
-  vpc_id = var.vpc_id
+  allow_all_egress           = true
+  create_before_destroy      = true
+  preserve_security_group_id = true
+  vpc_id                     = var.vpc_id
 
-  ingress = [
+  rules = [
     {
-      from_port        = var.service_container_port
-      to_port          = var.service_container_port
-      protocol         = "tcp"
-      cidr_blocks      = []
-      ipv6_cidr_blocks = []
-      self             = false
-      security_groups  = [var.alb_security_group_id]
-      prefix_list_ids  = []
-      description      = "Allow HTTP/S traffic from load balancer"
+      key                      = "container_ingress_port"
+      type                     = "ingress"
+      from_port                = var.service_container_port
+      to_port                  = var.service_container_port
+      protocol                 = "tcp"
+      cidr_blocks              = []
+      source_security_group_id = var.alb_security_group_id
+      self                     = false
+      description              = "Allow HTTP/S traffic from load balancer"
     }
   ]
 
-  egress = [
-    {
-      type             = "egress"
-      from_port        = 0
-      to_port          = 0 # Use from 0 to 0 for all ports, not to 65535 or the rule will always be updated.
-      protocol         = "all"
-      cidr_blocks      = ["0.0.0.0/0"]
-      ipv6_cidr_blocks = []
-      self             = false
-      security_groups  = null
-      prefix_list_ids  = []
-      description      = "Allow egress to anywhere"
-    }
-  ]
+  context = module.this.context
 
-  tags = module.this.tags
+  tags = merge(module.this.tags, {
+    Name = local.ecs_service_task_sg_name
+  })
 }
 
 resource "aws_security_group_rule" "opened_to_alb" {
@@ -146,7 +141,8 @@ module "service" {
   ecs_cluster_arn                    = var.ecs_cluster_arn
   launch_type                        = var.service_launch_type
   vpc_id                             = var.vpc_id
-  security_groups                    = concat(aws_security_group.service.*.id, var.service_security_groups)
+  security_group_enabled             = var.default_service_security_group_enabled
+  security_groups                    = concat(module.ecs_service_sg.*.id, var.service_security_groups)
   subnet_ids                         = var.subnet_ids
   ignore_changes_task_definition     = var.service_ignore_changes_task_definition
   ignore_changes_desired_count       = var.service_ignore_changes_desired_count

variables.tf

@@ -526,3 +526,9 @@ variable "container_definition_json" {
     [ecs_task_definition#container_definitions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#container_definitions)
     EOT
 }
+
+variable "default_service_security_group_enabled" {
+  type        = bool
+  default     = true
+  description = "Enables the creation of a default security group for the ECS Service"
+}