diff --git a/README.md b/README.md
index 4a79af0..a70e2aa 100644
--- a/README.md
+++ b/README.md
@@ -89,8 +89,8 @@ In addition you have the option to create or not :
 | ordered\_placement\_strategy | Service level strategy rules that are taken into consideration during task placement. List from top to bottom in order of precedence. The maximum number of ordered\_placement\_strategy blocks is 5. |
list(object({| `[]` | no | | placement\_constraints | Rules that are taken into consideration during task placement. Maximum number of placement\_constraints is 10. |
field = string
expression = string
}))
list(object({| `[]` | no | | port | Port for target group to listen | `string` | `"80"` | no | -| security\_group\_ecs\_nodes\_inbound\_cidrs | ECS Nodes inbound allowed CIDRs for the security group. | `list(string)` |
type = string
expression = string
}))
[| no | -| security\_groups | The security groups associated with the task or service | `any` | `null` | no | +| security\_group\_inbound\_cidrs | ECS Nodes inbound allowed CIDRs for the security group. | `list(string)` |
"0.0.0.0/0"
]
[| no |
+| security\_groups | The security groups associated with the task or service | `list` | `[]` | no |
 | service\_health\_check\_grace\_period\_seconds | Time until your container starts serving requests | `number` | `0` | no |
 | service\_role\_arn | Existing service role ARN created by ECS cluster module | `any` | n/a | yes |
 | subnets | The subnets associated with the task or service. (REQUIRED IF 'LAUCH\_TYPE' IS FARGATE) | `any` | `null` | no |
diff --git a/_variables.tf b/_variables.tf
index 9603d87..e804e4f 100644
--- a/_variables.tf
+++ b/_variables.tf
@@ -159,7 +159,8 @@ variable "network_mode" {
 }
 variable "security_groups" {
- default = null
+ default = []
+ type = list
 description = "The security groups associated with the task or service"
 }
@@ -191,7 +192,7 @@ variable "cloudwatch_logs_export" {
 description = "Whether to mark the log group to export to an S3 bucket (needs terraform-aws-log-exporter to be deployed in the account/region)"
 }
-variable "security_group_ecs_nodes_inbound_cidrs" {
+variable "security_group_inbound_cidrs" {
 type = list(string)
 default = ["0.0.0.0/0"]
 description = "ECS Nodes inbound allowed CIDRs for the security group."
diff --git a/ecs-service.tf b/ecs-service.tf
index b7f463b..859e561 100644
--- a/ecs-service.tf
+++ b/ecs-service.tf
@@ -25,7 +25,7 @@ resource "aws_ecs_service" "default" {
 for_each = var.launch_type == "FARGATE" ? [var.subnets] : []
 content {
 subnets = var.subnets
- security_groups = var.security_groups == "" ? null : var.security_groups
+ security_groups = concat(var.security_groups || [], aws_security_group.ecs_service.id || [])
 assign_public_ip = var.assign_public_ip
 }
 }
diff --git a/sg.tf b/sg.tf
new file mode 100644
index 0000000..ed4a56f
--- /dev/null
+++ b/sg.tf
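Review bot: The new `type = list` on the `security_groups` variable leaves the element type unconstrained, so a caller can pass a list of maps or numbers and the error only surfaces when the ECS service is applied. The README row in this same commit documents the value as a list of security group ids, and the sibling `security_group_inbound_cidrs` variable already uses the constrained spelling, so `type = list(string)` would match both and fail at plan time instead. The bare `list` keyword is the legacy pre-0.12 form and is only kept for compatibility.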
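Review bot: The new `security_groups` line in ecs-service.tf applies `||` to a list and to a string, but in HCL `||` is a boolean operator, so `var.security_groups || []` and `aws_security_group.ecs_service.id || []` are type errors rather than null-coalescing, and `concat` additionally requires every argument to be a list while `.id` is a single string. Since this commit also gives `var.security_groups` a default of `[]`, the old null/empty-string case is gone and the line can be `security_groups = concat(var.security_groups, [aws_security_group.ecs_service.id])`. Note that `aws_security_group.ecs_service` is created unconditionally while it is only attached inside the FARGATE-only `dynamic` block, so non-Fargate deployments would carry an unattached group whose ingress defaults to `0.0.0.0/0`; a `count` tied to the launch type, or a comment stating the group is meant to exist regardless, would make that intent explicit. The enclosing `aws_ecs_service` resource starts before the hunk.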
@@ -0,0 +1,23 @@
+resource "aws_security_group" "ecs_service" {
+ name_prefix = "${var.name}"
+
+ description = "SG for ECS app ${var.name}"
+ vpc_id = var.vpc_id
+
+ dynamic "ingress" {
+ for_each = var.security_group_inbound_cidrs
+ content {
+ from_port = 3306
+ to_port = 3306
+ protocol = "tcp"
+ cidr_blocks = [ingress.value]
+ }
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
\ No newline at end of file
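Review bot: The ingress rule in the new sg.tf hardcodes `from_port = 3306` / `to_port = 3306` (the MySQL port) in a group whose description says it is for the ECS app, while the module's `port` variable documented on this page (default `"80"`) is the port the target group listens on; if that is also the container port, traffic to the app is never admitted and a database port is opened instead, to `0.0.0.0/0` by default through `security_group_inbound_cidrs`. Presumably this is a copy-paste from another module and the rule should read `from_port = var.port` and `to_port = var.port`, with the `"0.0.0.0/0"` default called out in the variable's description now that it feeds a rule on the service ENI. `name_prefix = "${var.name}"` is an interpolation-only string that Terraform 0.12 warns about and can be `name_prefix = var.name`; `name_prefix` is also normally paired with `lifecycle { create_before_destroy = true }` so a replacement does not fail on the group still being attached. The all-protocol egress to `0.0.0.0/0` deserves a one-line comment stating it is intentional.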
"0.0.0.0/0"
]