Merge pull request #191 from stephgosling/feature/conditional_securit…

…y_group_creation Feature/conditional security group creation
trussworks · May 19, 2021 · fb5d8d1 · fb5d8d1
2 parents 3907476 + 735dc03
commit fb5d8d1
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -176,6 +176,7 @@ No modules.
 | <a name="input_lb_target_groups"></a> [lb\_target\_groups](#input\_lb\_target\_groups) | List of load balancer target group objects containing the lb\_target\_group\_arn, container\_port and container\_health\_check\_port. The container\_port is the port on which the container will receive traffic. The container\_health\_check\_port is an additional port on which the container can receive a health check. The lb\_target\_group\_arn is either Application Load Balancer (ALB) or Network Load Balancer (NLB) target group ARN tasks will register with. | <pre>list(<br>    object({<br>      container_port              = number<br>      container_health_check_port = number<br>      lb_target_group_arn         = string<br>      }<br>    )<br>  )</pre> | `[]` | no |
 | <a name="input_logs_cloudwatch_group"></a> [logs\_cloudwatch\_group](#input\_logs\_cloudwatch\_group) | CloudWatch log group to create and use. Default: /ecs/{name}-{environment} | `string` | `""` | no |
 | <a name="input_logs_cloudwatch_retention"></a> [logs\_cloudwatch\_retention](#input\_logs\_cloudwatch\_retention) | Number of days you want to retain log events in the log group. | `number` | `90` | no |
+| <a name="input_manage_ecs_security_group"></a> [manage\_ecs\_security\_group](#input\_manage\_ecs\_security\_group) | Enable creation and management of the ECS security group and rules | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | The service name. | `string` | n/a | yes |
 | <a name="input_nlb_subnet_cidr_blocks"></a> [nlb\_subnet\_cidr\_blocks](#input\_nlb\_subnet\_cidr\_blocks) | List of Network Load Balancer (NLB) CIDR blocks to allow traffic from. | `list(string)` | `[]` | no |
 | <a name="input_service_registries"></a> [service\_registries](#input\_service\_registries) | List of service registry objects as per <https://www.terraform.io/docs/providers/aws/r/ecs_service.html#service_registries-1>. List can only have a single object until <https://github.com/terraform-providers/terraform-provider-aws/issues/9573> is resolved. | <pre>list(object({<br>    registry_arn   = string<br>    container_name = string<br>    container_port = number<br>    port           = number<br>  }))</pre> | `[]` | no |

diff --git a/main.tf b/main.tf
@@ -147,6 +147,7 @@ resource "aws_cloudwatch_metric_alarm" "alarm_mem" {
 #
 
 resource "aws_security_group" "ecs_sg" {
+  count       = var.manage_ecs_security_group ? 1 : 0
   name        = "ecs-${var.name}-${var.environment}"
   description = "${var.name}-${var.environment} container security group"
   vpc_id      = var.ecs_vpc_id
@@ -159,8 +160,9 @@ resource "aws_security_group" "ecs_sg" {
 }
 
 resource "aws_security_group_rule" "app_ecs_allow_outbound" {
+  count             = var.manage_ecs_security_group ? 1 : 0
   description       = "All outbound"
-  security_group_id = aws_security_group.ecs_sg.id
+  security_group_id = aws_security_group.ecs_sg[0].id
 
   type        = "egress"
   from_port   = 0
@@ -172,10 +174,10 @@ resource "aws_security_group_rule" "app_ecs_allow_outbound" {
 resource "aws_security_group_rule" "app_ecs_allow_https_from_alb" {
   # if we have an alb, then create security group rules for the container
   # ports
-  count = var.associate_alb ? length(local.lb_ingress_container_ports) : 0
+  count = var.manage_ecs_security_group && var.associate_alb ? length(local.lb_ingress_container_ports) : 0
 
   description       = "Allow in ALB"
-  security_group_id = aws_security_group.ecs_sg.id
+  security_group_id = aws_security_group.ecs_sg[0].id
 
   type                     = "ingress"
   from_port                = element(local.lb_ingress_container_ports, count.index)
@@ -187,10 +189,10 @@ resource "aws_security_group_rule" "app_ecs_allow_https_from_alb" {
 resource "aws_security_group_rule" "app_ecs_allow_health_check_from_alb" {
   # if we have an alb, then create security group rules for the container
   # health check ports
-  count = var.associate_alb ? length(local.lb_ingress_container_health_check_ports) : 0
+  count = var.manage_ecs_security_group && var.associate_alb ? length(local.lb_ingress_container_health_check_ports) : 0
 
   description       = "Allow in health check from ALB"
-  security_group_id = aws_security_group.ecs_sg.id
+  security_group_id = aws_security_group.ecs_sg[0].id
 
   type                     = "ingress"
   from_port                = element(local.lb_ingress_container_health_check_ports, count.index)
@@ -200,10 +202,10 @@ resource "aws_security_group_rule" "app_ecs_allow_health_check_from_alb" {
 }
 
 resource "aws_security_group_rule" "app_ecs_allow_tcp_from_nlb" {
-  count = var.associate_nlb ? length(local.lb_ingress_container_ports) : 0
+  count = var.manage_ecs_security_group && var.associate_nlb ? length(local.lb_ingress_container_ports) : 0
 
   description       = "Allow in NLB"
-  security_group_id = aws_security_group.ecs_sg.id
+  security_group_id = aws_security_group.ecs_sg[0].id
 
   type        = "ingress"
   from_port   = element(local.lb_ingress_container_ports, count.index)
@@ -213,10 +215,10 @@ resource "aws_security_group_rule" "app_ecs_allow_tcp_from_nlb" {
 }
 
 resource "aws_security_group_rule" "app_ecs_allow_health_check_from_nlb" {
-  count = var.associate_nlb ? length(local.lb_ingress_container_health_check_ports) : 0
+  count = var.manage_ecs_security_group && var.associate_nlb ? length(local.lb_ingress_container_health_check_ports) : 0
 
   description       = "Allow in health check from NLB"
-  security_group_id = aws_security_group.ecs_sg.id
+  security_group_id = aws_security_group.ecs_sg[0].id
 
   type        = "ingress"
   from_port   = element(local.lb_ingress_container_health_check_ports, count.index)
@@ -432,7 +434,7 @@ locals {
     FARGATE = []
   }
 
-  ecs_service_agg_security_groups = compact(concat([aws_security_group.ecs_sg.id], var.additional_security_group_ids))
+  ecs_service_agg_security_groups = var.manage_ecs_security_group ? compact(concat(tolist([aws_security_group.ecs_sg[0].id]), var.additional_security_group_ids)) : compact(var.additional_security_group_ids)
 }
 
 resource "aws_ecs_service" "main" {

diff --git a/outputs.tf b/outputs.tf
@@ -1,6 +1,6 @@
 output "ecs_security_group_id" {
   description = "Security Group ID assigned to the ECS tasks."
-  value       = aws_security_group.ecs_sg.id
+  value       = join("", aws_security_group.ecs_sg.*.id)
 }
 
 output "task_execution_role_arn" {

diff --git a/variables.tf b/variables.tf
@@ -217,6 +217,12 @@ variable "service_registries" {
   default = []
 }
 
+variable "manage_ecs_security_group" {
+  description = "Enable creation and management of the ECS security group and rules"
+  default     = true
+  type        = bool
+}
+
 variable "health_check_grace_period_seconds" {
   description = "Grace period within which failed health checks will be ignored at container start. Only applies to services with an attached loadbalancer."
   default     = null