From 04fe4c36210c484f3f3da3c1b6d06cf4953e206a Mon Sep 17 00:00:00 2001
From: Guillaume Dussault
Date: Mon, 23 Oct 2023 17:45:54 -0400
Subject: [PATCH] feat: add an argument to enable the creation of the service SG and changed the name for a more specific one
---
 README.md | 1 +
 main.tf | 70 +++++++++++++++++++++++++---------------------------
 variables.tf | 6 +++++
 3 files changed, 40 insertions(+), 37 deletions(-)
diff --git a/README.md b/README.md
index 96e7606..517dba7 100644
--- a/README.md
+++ b/README.md
@@ -150,6 +150,7 @@ module "ecs_app" {
 | [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | Number of days to retain Cloudwatch logs. | `number` | `60` | no |
 | [container\_definition\_json](#input\_container\_definition\_json) | A string containing a JSON-encoded array of container definitions
(`"[{ "name": "container1", ... }, { "name": "container2", ... }]"`).
See [API\_ContainerDefinition](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html),
[cloudposse/terraform-aws-ecs-container-definition](https://github.com/cloudposse/terraform-aws-ecs-container-definition), or
[ecs\_task\_definition#container\_definitions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#container_definitions) | `string` | n/a | yes | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no |
+| [default\_service\_security\_group\_enabled](#input\_default\_service\_security\_group\_enabled) | Enables the creation of a default security group for the ECS Service | `bool` | `true` | no |
 | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | | [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
 | [dns\_alias\_enabled](#input\_dns\_alias\_enabled) | Create a DNS alias for the CDN. Requires `parent_zone_id` or `parent_zone_name`. | `bool` | `false` | no |
diff --git a/main.tf b/main.tf
index a0ab163..d878831 100644
--- a/main.tf
+++ b/main.tf
@@ -1,10 +1,11 @@
 locals {
- use_acm = (var.dns_alias_enabled && length(var.aliases) != 0) || var.certificate_type == "import"
- acm_alt_names = length(var.aliases) > 1 ? slice(var.aliases, 1, length(var.aliases)) : []
- protocol = aws_lb_listener.app[0].protocol == "HTTPS" ? "https" : "http"
- address = var.dns_alias_enabled ? var.aliases[0] : data.aws_lb.alb.dns_name
- url = "${local.protocol}://${local.address}:${aws_lb_listener.app[0].port}"
- enabled = module.this.enabled
+ use_acm = (var.dns_alias_enabled && length(var.aliases) != 0) || var.certificate_type == "import"
+ acm_alt_names = length(var.aliases) > 1 ? slice(var.aliases, 1, length(var.aliases)) : []
+ protocol = aws_lb_listener.app[0].protocol == "HTTPS" ? "https" : "http"
+ address = var.dns_alias_enabled ? var.aliases[0] : data.aws_lb.alb.dns_name
+ url = "${local.protocol}://${local.address}:${aws_lb_listener.app[0].port}"
+ enabled = module.this.enabled
+ ecs_service_task_sg_name = "${module.this.id}-ecs-service-task"
 }
 data "aws_lb" "alb" {
@@ -87,44 +88,38 @@ resource "aws_lb_listener" "app" {
 tags = module.this.tags
 }
-resource "aws_security_group" "service" {
- count = local.enabled ? 1 : 0
+module "ecs_service_sg" {
+ count = local.enabled ? 1 : 0
+ source = "cloudposse/security-group/aws"
+ version = "2.2.0"
- name_prefix = "${module.this.id}-service-task-"
- description = "ECS service task SG for ${module.this.id}"
+ name = local.ecs_service_task_sg_name
+ security_group_description = "ECS service task SG for ${module.this.id}"
- vpc_id = var.vpc_id
+ allow_all_egress = true
+ create_before_destroy = true
+ preserve_security_group_id = true
+ vpc_id = var.vpc_id
- ingress = [
+ rules = [
 {
- from_port = var.service_container_port
- to_port = var.service_container_port
- protocol = "tcp"
- cidr_blocks = []
- ipv6_cidr_blocks = []
- self = false
- security_groups = [var.alb_security_group_id]
- prefix_list_ids = []
- description = "Allow HTTP/S traffic from load balancer"
+ key = "container_ingress_port"
+ type = "ingress"
+ from_port = var.service_container_port
+ to_port = var.service_container_port
+ protocol = "tcp"
+ cidr_blocks = []
+ source_security_group_id = var.alb_security_group_id
+ self = false
+ description = "Allow HTTP/S traffic from load balancer"
 }
 ]
- egress = [
- {
- type = "egress"
- from_port = 0
- to_port = 0 # Use from 0 to 0 for all ports, not to 65535 or the rule will always be updated.
- protocol = "all"
- cidr_blocks = ["0.0.0.0/0"]
- ipv6_cidr_blocks = []
- self = false
- security_groups = null
- prefix_list_ids = []
- description = "Allow egress to anywhere"
- }
- ]
+ context = module.this.context
- tags = module.this.tags
+ tags = merge(module.this.tags, {
+ Name = local.ecs_service_task_sg_name
+ })
 }
 resource "aws_security_group_rule" "opened_to_alb" {
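Review bot: `preserve_security_group_id = true` next to `create_before_destroy = true` deserves a comment, because in the cloudposse security-group module (as I understand its 2.x semantics) that flag makes rule edits delete and recreate rules on the existing group rather than build a replacement group first, so a later change to `rules` such as a new `service_container_port` opens a short window in which the ALB ingress rule is absent, in exchange for a stable group ID. If the stable ID is the goal, state it on the line, e.g. `# keep the SG id stable for consumers; rule changes are applied in place and briefly interrupt ALB -> task traffic`. Separately, `aws_security_group_rule.opened_to_alb` begins right after this hunk and is not touched according to the diffstat, so it is worth confirming it does not still reference `aws_security_group.service`, which this hunk removes.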
@@ -146,7 +141,8 @@ module "service" {
 ecs_cluster_arn = var.ecs_cluster_arn
 launch_type = var.service_launch_type
 vpc_id = var.vpc_id
- security_groups = concat(aws_security_group.service.*.id, var.service_security_groups)
+ security_group_enabled = var.default_service_security_group_enabled
+ security_groups = concat(module.ecs_service_sg.*.id, var.service_security_groups)
 subnet_ids = var.subnet_ids
 ignore_changes_task_definition = var.service_ignore_changes_task_definition
 ignore_changes_desired_count = var.service_ignore_changes_desired_count
diff --git a/variables.tf b/variables.tf
index 04c1e21..90c20cd 100644
--- a/variables.tf
+++ b/variables.tf
@@ -526,3 +526,9 @@ variable "container_definition_json" {
 [ecs_task_definition#container_definitions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#container_definitions)
 EOT
 }
+
+variable "default_service_security_group_enabled" {
+ type = bool
+ default = true
+ description = "Enables the creation of a default security group for the ECS Service"
+}
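Review bot: `security_group_enabled = var.default_service_security_group_enabled` is handed to the downstream `module "service"`, which, if I read the cloudposse ecs-alb-service-task module correctly, gates that module's own internal security group, while `module.ecs_service_sg` in the previous hunk keeps `count = local.enabled ? 1 : 0` and is attached unconditionally through `security_groups`. With the default `true` the task therefore carries two groups, and with `false` the variable does not affect the ALB-ingress group this file creates, which is not what the description added in the variables.tf hunk (`Enables the creation of a default security group for the ECS Service`) suggests. Either gate this file's group on the same flag, `count = local.enabled && var.default_service_security_group_enabled ? 1 : 0`, or narrow the description to `Enables the default security group created inside the ecs-alb-service-task module; the ALB-ingress group defined in main.tf is always created`. The `module "service"` block starts and ends outside this hunk.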