
The module creates a default security group that allows blanket access

Open benorgil opened this issue 6 years ago • 2 comments

The module creates a security group allowing all traffic from everywhere. Not sure that's a safe default.

There should at least be a warning about this behavior (I don't think it's enough to just mention this in the allowed_cidr_blocks bullet point).

benorgil avatar Mar 08 '18 15:03 benorgil

We left the default open because we couldn't predict what ports someone's tasks might require. For example, a task that launches on an ephemeral port and registers to an ALB. My reading of the ECS docs https://docs.aws.amazon.com/AmazonECS/latest/developerguide/get-set-up-for-amazon-ecs.html#create-a-base-security-group leaves me thinking that the SG on the instance would need to know what ports the tasks might need. Also, in part because of the way the SG is implemented, because I used ingress and egress blocks rather than the TF Security Group Rule resource, refactoring this will be a breaking change. 😢 I've added a refactor to our backlog, and we could add a default of something like "open to only my VPC", but in general I think I prefer providing an interface where the end user can apply appropriate rules rather than predict what those might be.

However, I'd be totally happy if you wanted to update the README to call that out a bit more! That would be fantastic!

tfhartmann avatar Mar 08 '18 16:03 tfhartmann

Can we modify the security group to not have any rules and expose the security group so users can attach security group rules?

arshdeeptinna avatar Aug 30 '18 15:08 arshdeeptinna
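To make the trade-off in this thread concrete, here is an added Terraform illustration (not the tf_aws_ecs module's own code, and not posted by anyone in the thread). It puts the pattern described above, inline `ingress`/`egress` blocks open to `0.0.0.0/0`, beside the alternative raised in the last two comments: a security group with no inline rules, rules attached as separate `aws_security_group_rule` resources, a default scoped to the VPC, and the group ID exported so callers can attach their own rules. The variable names `vpc_id`, `vpc_cidr`, `name` and `alb_security_group_id` are assumptions; `allowed_cidr_blocks` is the one mentioned on the page.

```hcl
# Added illustration, not the tf_aws_ecs module's code.
# Assumed inputs: var.name, var.vpc_id, var.vpc_cidr, var.alb_security_group_id.

# --- Pattern described in the issue: inline rules, open to everywhere ---
# Inline ingress/egress blocks are authoritative for the group, so a caller who
# adds an aws_security_group_rule to it will see Terraform remove that rule on
# the next apply. That is why moving away from inline blocks is a breaking change.
resource "aws_security_group" "ecs_open" {
  name   = "${var.name}-ecs-open"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"            # all protocols, all ports
    cidr_blocks = ["0.0.0.0/0"]   # blanket access from any source
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# --- Alternative: no inline rules, VPC-only default, rules as separate resources ---
variable "allowed_cidr_blocks" {
  description = "CIDRs allowed to reach the container instances; empty means the VPC CIDR only."
  type        = list(string)
  default     = []
}

variable "alb_security_group_id" {
  description = "Optional ALB security group allowed to reach task ports (assumed input)."
  type        = string
  default     = null
}

resource "aws_security_group" "ecs" {
  name   = "${var.name}-ecs"
  vpc_id = var.vpc_id
  # Deliberately no ingress/egress blocks: rules live in aws_security_group_rule
  # resources below, so callers can attach more without the module fighting them.
}

# Ingress for the ephemeral task port range, but only from trusted CIDRs.
# Falls back to the VPC CIDR when the caller passes nothing.
resource "aws_security_group_rule" "ecs_ingress_cidr" {
  type              = "ingress"
  from_port         = 0
  to_port           = 65535
  protocol          = "tcp"
  cidr_blocks       = length(var.allowed_cidr_blocks) > 0 ? var.allowed_cidr_blocks : [var.vpc_cidr]
  security_group_id = aws_security_group.ecs.id
  description       = "Task ports from trusted CIDRs only"
}

# For the "task on an ephemeral port registered to an ALB" case: allow the ALB's
# security group as the source instead of widening the CIDR list.
resource "aws_security_group_rule" "ecs_ingress_alb" {
  count                    = var.alb_security_group_id == null ? 0 : 1
  type                     = "ingress"
  from_port                = 0
  to_port                  = 65535
  protocol                 = "tcp"
  source_security_group_id = var.alb_security_group_id
  security_group_id        = aws_security_group.ecs.id
  description              = "Task ports from the ALB security group"
}

resource "aws_security_group_rule" "ecs_egress" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.ecs.id
}

# Exported so callers can add their own aws_security_group_rule resources,
# which is the interface suggested in the last comment.
output "ecs_security_group_id" {
  value = aws_security_group.ecs.id
}
```

The design point is the one tfhartmann raises: once a group carries inline `ingress`/`egress` blocks, Terraform treats those blocks as the complete rule set, so the only way to let users attach their own rules is to define the group with no inline blocks and manage every rule as an `aws_security_group_rule`. Changing an existing module from one style to the other forces a replacement or a state migration for existing users, which is the breaking change mentioned above.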