Merge pull request #42 from base2Services/security-groups

use new lib-ec2 security group rules
theonestack · Dec 16, 2019 · fb2f27e · fb2f27e
2 parents 83ea65c + c8dc951
commit fb2f27e
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 7 deletions.
diff --git a/ecs-service.cfhighlander.rb b/ecs-service.cfhighlander.rb
@@ -1,6 +1,12 @@
 CfhighlanderTemplate do
 
-  DependsOn 'vpc' if ((defined? network_mode) && (network_mode == "awsvpc"))
+  if ((defined? network_mode) && (network_mode == "awsvpc"))
+    if ((defined? securityGroups) && (securityGroups.has_key?(component_name)))
+      DependsOn 'vpc'
+    elsif ((defined? security_group_rules) && security_group_rules.any?)
+      DependsOn 'lib-ec2'
+    end
+  end
 
   Description "ecs-service - #{component_name} - #{component_version}"
 

diff --git a/ecs-service.cfndsl.rb b/ecs-service.cfndsl.rb
@@ -364,20 +364,23 @@
     end
   end
 
-  has_security_group = false
-  if ((defined? securityGroups) && (securityGroups.has_key?(component_name)))
-    has_security_group = true
-  end
-
   if awsvpc_enabled == true
     sg_name = 'SecurityGroupBackplane'
-    if has_security_group == true
+    if ((defined? securityGroups) && (securityGroups.has_key?(component_name)))
       EC2_SecurityGroup('ServiceSecurityGroup') do
         VpcId Ref('VPCId')
         GroupDescription "#{component_name} ECS service"
         SecurityGroupIngress sg_create_rules(securityGroups[component_name], ip_blocks)
       end
       sg_name = 'ServiceSecurityGroup'
+    elsif ((defined? security_group_rules) && security_group_rules.any?)
+      EC2_SecurityGroup(:ServiceSecurityGroup) {
+        VpcId Ref(:VPCId)
+        GroupDescription "#{component_name} ECS service"
+        SecurityGroupIngress generate_security_group_rules(security_group_rules,ip_blocks)
+        Tags tags
+      }
+      sg_name = 'ServiceSecurityGroup'
     end
   end
 

diff --git a/tests/security_group.test.yaml b/tests/security_group.test.yaml
@@ -0,0 +1,34 @@
+test_metadata:
+  type: config
+  name: security_group
+  description: set the description for your test
+
+network_mode: awsvpc
+cpu: 1024
+memory: 2048
+
+task_definition:
+  nginx:
+    repo: nginx
+    image: nginx
+
+targetgroup:
+  name: nginx
+  container: nginx
+  port: 80
+  protocol: http
+  listener: http
+  healthcheck:
+    path: /
+    code: 200
+
+ip_blocks:
+  vpc:
+    - 10.0.0.0/16
+
+security_group_rules:
+  -
+    from: 8080
+    ips:
+      - vpc 
+    desc: Access to nginx from inside vpc