wordpress-fargate: lock down security group permissions #32
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jre21
changed the title
peterkc
added a commit
to peterkc-devops/terraform-examples
that referenced
this pull request
Jul 25, 2021
commit c2189f7335b5dc6b6c2cf387d2dab82d66f1a557 Author: Peter C <[email protected]> Date: Sat Jul 24 18:57:48 2021 -0700 Lock down security group permissions
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change tightens down all the security group definitions. The wordpress security group previously went unused. I've now assigned it to the ecs cluster and reworked the security group rules to correctly model all expected traffic flows. The new logic describes traffic as being allowed between two security groups when one resource needs to communicate with another, instead of assigning every security group to the ecs cluster so that both sides of a connection reside within the same group. I also modified several rules which previously allowed incoming connections on all ports to restrict them to only ports that our intended services are listening on.