# Security groups are only created for ECS services running in the
# awsvpc network mode (required for launch_type FARGATE, optional for EC2);
# only awsvpc tasks get their own ENI to which a security group can attach.
# Resolve the load balancer's security group ID: prefer the explicitly
# supplied local.lb_security_group_id, otherwise fall back to the first ID
# returned by the data.aws_security_group.lb lookup. When that lookup has
# count = 0 the sentinel "" is produced; any rule that then uses it as a
# security_group_id fails at apply time rather than at plan time.
locals {
  lb_sg_id = length(local.lb_security_group_id) > 0 ? local.lb_security_group_id : concat(data.aws_security_group.lb[*].id, [""])[0]
}
# Allow the LB to send packets to the containers
resource "aws_security_group_rule" "lb_out" {
  count = (local.network_mode == "awsvpc" && length(var.load_balancer) > 0) ? 1 : 0

  # This rule is written onto the LB's security group, which this module
  # does not own. If that group is also managed elsewhere with inline
  # `egress` blocks, Terraform will fight over the rule on every apply.
  # If local.lb_sg_id resolved to "" (no LB SG found), apply fails here.
  security_group_id = local.lb_sg_id
  type              = "egress"
  description       = "Allow outbound connections from the LB to ECS service ${var.name}"

  # On an egress rule, source_security_group_id is the *destination*:
  # the LB may only send to members of the service's own security group.
  source_security_group_id = aws_security_group.default[0].id

  protocol  = "tcp"
  from_port = local.container_port
  to_port   = local.container_port
}
# Default security group for the ECS service (awsvpc mode only)
resource "aws_security_group" "default" {
  count = local.network_mode != "awsvpc" ? 0 : 1

  # Security group names must be unique within a VPC, so two instances of
  # this module sharing a var.name in one VPC will collide; changing
  # var.name forces replacement of the group.
  name        = var.name
  description = "security group for ${var.name} service"

  # The VPC is taken from the first selected subnet; every subnet handed to
  # the service is assumed to live in that same VPC.
  vpc_id = data.aws_subnet.selected[0].vpc_id

  # No inline ingress/egress here: all rules are separate
  # aws_security_group_rule resources below. Terraform removes the
  # allow-all egress rule AWS adds to a new group, so egress is exactly
  # what the *_out rules in this file grant.
  tags = merge({ "Name" = var.name }, var.tags)
}
# Allow the containers to receive packets from the LB
resource "aws_security_group_rule" "service_in_lb" {
  count = (local.network_mode == "awsvpc" && length(var.load_balancer) > 0) ? 1 : 0

  security_group_id = aws_security_group.default[0].id
  type              = "ingress"
  description       = "Allow inbound TCP connections from the LB to ECS service ${var.name}"

  # Scoped to the LB's security group rather than a CIDR, so only the load
  # balancer can reach the container port. NOTE(review): a load balancer
  # that has no security group cannot be expressed this way; lb_sg_id then
  # resolves to "" and apply fails — confirm the LB type in use.
  source_security_group_id = local.lb_sg_id

  protocol  = "tcp"
  from_port = local.container_port
  to_port   = local.container_port
}
# This rule opens the container ports in local.ports to ANY IPv4 address
# (0.0.0.0/0), bypassing the load balancer entirely. It exists for testing;
# do not enable it in production. One rule is created per entry in
# local.ports, so nothing is created when that list is empty.
resource "aws_security_group_rule" "service_in" {
  # BUG: THE COUNT LINE IS A HACK TO WORK AROUND A TERRAFORM BUG...
  # (The original note does not say which bug. Because these rules are
  # indexed by count, inserting or removing an entry in local.ports
  # renumbers the later rules and recreates them; a for_each keyed by
  # port would be stable but would change the resource addresses in state.)
  count = local.network_mode == "awsvpc" ? length(local.ports) : 0
  description = "Allow inbound TCP connections directly to ECS service ${var.name}"
  type = "ingress"
  # One rule per port: from_port == to_port == local.ports[count.index].
  from_port = element(local.ports, count.index)
  to_port = element(local.ports, count.index)
  protocol = "tcp"
  # Any IPv4 source. With a public IP on the task (e.g. Fargate
  # assign_public_ip) this exposes the port to the Internet; IPv6 is not
  # opened here (no ipv6_cidr_blocks). Prefer source_security_group_id or
  # an explicit CIDR allow-list for anything beyond a test environment.
  cidr_blocks = ["0.0.0.0/0"]
  security_group_id = aws_security_group.default[0].id
}
# Allows every inbound ICMP type and code from any IPv4 address, to support
# ping, traceroute and — most importantly — Path MTU Discovery. PMTUD itself
# only needs ICMP type 3 code 4 ("fragmentation needed"); see the links below
# for the type/code table.
# https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html
# https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
resource "aws_security_group_rule" "service_icmp" {
  count = local.network_mode == "awsvpc" ? 1 : 0
  description = "Allow inbound ICMP traffic directly to ECS service ${var.name}"
  type = "ingress"
  # For protocol "icmp", from_port is the ICMP type and to_port the ICMP
  # code; -1/-1 means every type and code, not just the ones PMTUD needs.
  from_port = -1 # Allow any ICMP type number
  to_port = -1 # Allow any ICMP code
  protocol = "icmp"
  # Any IPv4 source. This makes every task publicly ping-able when it has
  # a public IP and also admits ICMP types with no operational use here
  # (redirects, timestamp requests). NOTE(review): if ping/traceroute from
  # the Internet are not a requirement, narrowing to `from_port = 3` and
  # `to_port = 4` keeps Path MTU Discovery working with far less exposure.
  cidr_blocks = ["0.0.0.0/0"]
  security_group_id = aws_security_group.default[0].id
}
# Allow all outbound traffic from the containers. This is needed so tasks
# can pull images from Docker Hub and ECR over the task ENI. Ideally egress
# would be restricted to the LB, the DB and the required AWS endpoints
# (interface/gateway VPC endpoints for ECR, S3 and logs) for CRUD apps.
resource "aws_security_group_rule" "service_out" {
  count = local.network_mode != "awsvpc" ? 0 : 1

  security_group_id = aws_security_group.default[0].id
  type              = "egress"
  description       = "Allow outbound connections for all protocols and all ports for ECS service ${var.name}"

  # protocol -1 with ports 0/0 is the AWS "all traffic" rule. Terraform
  # strips the allow-all egress rule AWS adds to a fresh group, so this
  # resource is what restores it. NOTE(review): whether image pulls go
  # through the task ENI (and thus this group) depends on the launch type
  # — confirm before tightening this to specific destinations.
  protocol  = -1
  from_port = 0
  to_port   = 0

  # Unrestricted IPv4 destinations; IPv6 egress is not granted here.
  cidr_blocks = ["0.0.0.0/0"]
}