include the sg group

README.md

@@ -89,8 +89,8 @@ In addition you have the option to create or not :
 | ordered\_placement\_strategy | Service level strategy rules that are taken into consideration during task placement. List from top to bottom in order of precedence. The maximum number of ordered\_placement\_strategy blocks is 5. | <pre>list(object({<br>    field      = string<br>    expression = string<br>  }))</pre> | `[]` | no |
 | placement\_constraints | Rules that are taken into consideration during task placement. Maximum number of placement\_constraints is 10. | <pre>list(object({<br>    type       = string<br>    expression = string<br>  }))</pre> | `[]` | no |
 | port | Port for target group to listen | `string` | `"80"` | no |
-| security\_group\_ecs\_nodes\_inbound\_cidrs | ECS Nodes inbound allowed CIDRs for the security group. | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
-| security\_groups | The security groups associated with the task or service | `any` | `null` | no |
+| security\_group\_inbound\_cidrs | ECS Nodes inbound allowed CIDRs for the security group. | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| security\_groups | The security groups associated with the task or service | `list` | `[]` | no |
 | service\_health\_check\_grace\_period\_seconds | Time until your container starts serving requests | `number` | `0` | no |
 | service\_role\_arn | Existing service role ARN created by ECS cluster module | `any` | n/a | yes |
 | subnets | The subnets associated with the task or service. (REQUIRED IF 'LAUCH\_TYPE' IS FARGATE) | `any` | `null` | no |

_variables.tf

@@ -159,7 +159,8 @@ variable "network_mode" {
 }
 
 variable "security_groups" {
-  default     = null
+  default     = []
+  type        = list
   description = "The security groups associated with the task or service"
 }
 
@@ -191,7 +192,7 @@ variable "cloudwatch_logs_export" {
   description = "Whether to mark the log group to export to an S3 bucket (needs terraform-aws-log-exporter to be deployed in the account/region)"
 }
 
-variable "security_group_ecs_nodes_inbound_cidrs" {
+variable "security_group_inbound_cidrs" {
   type        = list(string)
   default     = ["0.0.0.0/0"]
   description = "ECS Nodes inbound allowed CIDRs for the security group."

ecs-service.tf

@@ -25,7 +25,7 @@ resource "aws_ecs_service" "default" {
     for_each = var.launch_type == "FARGATE" ? [var.subnets] : []
     content {
       subnets          = var.subnets
-      security_groups  = var.security_groups == "" ? null : var.security_groups
+      security_groups  = concat(var.security_groups || [], aws_security_group.ecs_service.id || [])
       assign_public_ip = var.assign_public_ip
     }
   }

sg.tf

@@ -0,0 +1,23 @@
+resource "aws_security_group" "ecs_service" {
+  name_prefix = "${var.name}"
+
+  description = "SG for ECS app ${var.name}"
+  vpc_id      = var.vpc_id
+
+  dynamic "ingress" {
+    for_each = var.security_group_inbound_cidrs
+    content {
+      from_port   = 3306
+      to_port     = 3306
+      protocol    = "tcp"
+      cidr_blocks = [ingress.value]
+    }
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}