diff --git a/README.md b/README.md
index 96e7606..517dba7 100644
--- a/README.md
+++ b/README.md
@@ -150,6 +150,7 @@ module "ecs_app" {
| [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | Number of days to retain Cloudwatch logs. | `number` | `60` | no |
| [container\_definition\_json](#input\_container\_definition\_json) | A string containing a JSON-encoded array of container definitions
(`"[{ "name": "container1", ... }, { "name": "container2", ... }]"`).
See [API\_ContainerDefinition](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html),
[cloudposse/terraform-aws-ecs-container-definition](https://github.com/cloudposse/terraform-aws-ecs-container-definition), or
[ecs\_task\_definition#container\_definitions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#container_definitions) | `string` | n/a | yes |
| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no |
+| [default\_service\_security\_group\_enabled](#input\_default\_service\_security\_group\_enabled) | Enables the creation of a default security group for the ECS Service | `bool` | `true` | no |
| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| [dns\_alias\_enabled](#input\_dns\_alias\_enabled) | Create a DNS alias for the CDN. Requires `parent_zone_id` or `parent_zone_name`. | `bool` | `false` | no |
diff --git a/main.tf b/main.tf
index a0ab163..d878831 100644
--- a/main.tf
+++ b/main.tf
@@ -1,10 +1,11 @@
locals {
- use_acm = (var.dns_alias_enabled && length(var.aliases) != 0) || var.certificate_type == "import"
- acm_alt_names = length(var.aliases) > 1 ? slice(var.aliases, 1, length(var.aliases)) : []
- protocol = aws_lb_listener.app[0].protocol == "HTTPS" ? "https" : "http"
- address = var.dns_alias_enabled ? var.aliases[0] : data.aws_lb.alb.dns_name
- url = "${local.protocol}://${local.address}:${aws_lb_listener.app[0].port}"
- enabled = module.this.enabled
+ use_acm = (var.dns_alias_enabled && length(var.aliases) != 0) || var.certificate_type == "import"
+ acm_alt_names = length(var.aliases) > 1 ? slice(var.aliases, 1, length(var.aliases)) : []
+ protocol = aws_lb_listener.app[0].protocol == "HTTPS" ? "https" : "http"
+ address = var.dns_alias_enabled ? var.aliases[0] : data.aws_lb.alb.dns_name
+ url = "${local.protocol}://${local.address}:${aws_lb_listener.app[0].port}"
+ enabled = module.this.enabled
+ ecs_service_task_sg_name = "${module.this.id}-ecs-service-task"
}
data "aws_lb" "alb" {
@@ -87,44 +88,38 @@ resource "aws_lb_listener" "app" {
tags = module.this.tags
}
-resource "aws_security_group" "service" {
- count = local.enabled ? 1 : 0
+module "ecs_service_sg" {
+ count = local.enabled ? 1 : 0
+ source = "cloudposse/security-group/aws"
+ version = "2.2.0"
- name_prefix = "${module.this.id}-service-task-"
- description = "ECS service task SG for ${module.this.id}"
+ name = local.ecs_service_task_sg_name
+ security_group_description = "ECS service task SG for ${module.this.id}"
- vpc_id = var.vpc_id
+ allow_all_egress = true
+ create_before_destroy = true
+ preserve_security_group_id = true
+ vpc_id = var.vpc_id
- ingress = [
+ rules = [
{
- from_port = var.service_container_port
- to_port = var.service_container_port
- protocol = "tcp"
- cidr_blocks = []
- ipv6_cidr_blocks = []
- self = false
- security_groups = [var.alb_security_group_id]
- prefix_list_ids = []
- description = "Allow HTTP/S traffic from load balancer"
+ key = "container_ingress_port"
+ type = "ingress"
+ from_port = var.service_container_port
+ to_port = var.service_container_port
+ protocol = "tcp"
+ cidr_blocks = []
+ source_security_group_id = var.alb_security_group_id
+ self = false
+ description = "Allow HTTP/S traffic from load balancer"
}
]
- egress = [
- {
- type = "egress"
- from_port = 0
- to_port = 0 # Use from 0 to 0 for all ports, not to 65535 or the rule will always be updated.
- protocol = "all"
- cidr_blocks = ["0.0.0.0/0"]
- ipv6_cidr_blocks = []
- self = false
- security_groups = null
- prefix_list_ids = []
- description = "Allow egress to anywhere"
- }
- ]
+ context = module.this.context
- tags = module.this.tags
+ tags = merge(module.this.tags, {
+ Name = local.ecs_service_task_sg_name
+ })
}
resource "aws_security_group_rule" "opened_to_alb" {
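Review bot: The `opened_to_alb` rule whose header is the last context line of this hunk has its body outside the hunk; if it still references `aws_security_group.service[0].id`, that address no longer exists once this hunk removes the resource, and it would need to point at the module output, e.g. `security_group_id = module.ecs_service_sg[0].id`. Moving the group from a resource into the module changes its Terraform address, and the name also changes from the `${module.this.id}-service-task-` prefix to `local.ecs_service_task_sg_name`, so an existing deployment will destroy and recreate the task security group on the next apply; a `moved` block alone will not avoid that because the name change forces replacement, so either the old name should be kept or the migration documented. `allow_all_egress = true` reproduces the removed egress-anywhere rule; a comment such as `# allow_all_egress keeps the previous unrestricted egress rule` would make it clear the open egress is deliberate rather than a module default.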
@@ -146,7 +141,8 @@ module "service" {
ecs_cluster_arn = var.ecs_cluster_arn
launch_type = var.service_launch_type
vpc_id = var.vpc_id
- security_groups = concat(aws_security_group.service.*.id, var.service_security_groups)
+ security_group_enabled = var.default_service_security_group_enabled
+ security_groups = concat(module.ecs_service_sg.*.id, var.service_security_groups)
subnet_ids = var.subnet_ids
ignore_changes_task_definition = var.service_ignore_changes_task_definition
ignore_changes_desired_count = var.service_ignore_changes_desired_count
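Review bot: `var.default_service_security_group_enabled` is only forwarded to `module.service` as `security_group_enabled`; the `count` on `module "ecs_service_sg"` in the previous hunk still reads `local.enabled ? 1 : 0`, so setting the variable to `false` still creates the task security group defined in this file and attaches it through `concat(module.ecs_service_sg.*.id, var.service_security_groups)`. Presumably the flag is meant to disable only the group the service module creates internally; if so, the description in the variables.tf hunk (and the same text in the README hunk) should say so, for example `Enables the security group created internally by the ECS service module; the task security group defined in main.tf is always created when the module is enabled`. If the flag is instead meant to cover both groups, the module count should become `count = local.enabled && var.default_service_security_group_enabled ? 1 : 0`.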
diff --git a/variables.tf b/variables.tf
index 04c1e21..90c20cd 100644
--- a/variables.tf
+++ b/variables.tf
@@ -526,3 +526,9 @@ variable "container_definition_json" {
[ecs_task_definition#container_definitions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#container_definitions)
EOT
}
+
+variable "default_service_security_group_enabled" {
+ type = bool
+ default = true
+ description = "Enables the creation of a default security group for the ECS Service"
+}