From 68533eb142555863e68afb349d05b5f26539c815 Mon Sep 17 00:00:00 2001
From: Chris Wright
Date: Thu, 6 Jun 2024 17:31:08 +0100
Subject: [PATCH] Custom ECS Cluster security group rules
* Allows adding custom security group rules to the ECS Cluster security group, using the same format as `aws_security_group_rule`
---
 README.md | 2 ++
 ecs-cluster-infrastructure-security-group.tf | 13 +++++++++++++
 locals.tf | 1 +
 variables.tf | 13 +++++++++++++
 4 files changed, 29 insertions(+)
diff --git a/README.md b/README.md
index e006e43..91bbdda 100644
--- a/README.md
+++ b/README.md
@@ -274,6 +274,7 @@ This project creates and manages resources within an AWS account for infrastruct
 | [aws_security_group.infrastructure_ecs_cluster_service_alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group.infrastructure_elasticache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group.infrastructure_rds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group_rule.infrastructure_ecs_cluster_container_instances_custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.infrastructure_ecs_cluster_container_instances_egress_dns_tcp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.infrastructure_ecs_cluster_container_instances_egress_dns_udp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.infrastructure_ecs_cluster_container_instances_egress_https_tcp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
@@ -340,6 +341,7 @@ This project creates and manages resources within an AWS account for infrastruct
 | [infrastructure\_ecs\_cluster\_autoscaling\_time\_based\_custom](#input\_infrastructure\_ecs\_cluster\_autoscaling\_time\_based\_custom) | List of objects with min/max sizes and cron expressions to scale the ECS cluster. Min size will be used as desired. |
list(
object({
cron = string
min = number
max = number
})
)
| n/a | yes |
 | [infrastructure\_ecs\_cluster\_autoscaling\_time\_based\_max](#input\_infrastructure\_ecs\_cluster\_autoscaling\_time\_based\_max) | List of cron expressions to scale the ECS cluster to the configured max size | `list(string)` | n/a | yes |
 | [infrastructure\_ecs\_cluster\_autoscaling\_time\_based\_min](#input\_infrastructure\_ecs\_cluster\_autoscaling\_time\_based\_min) | List of cron expressions to scale the ECS cluster to the configured min size | `list(string)` | n/a | yes |
+| [infrastructure\_ecs\_cluster\_custom\_security\_group\_rules](#input\_infrastructure\_ecs\_cluster\_custom\_security\_group\_rules) | Map of custom security group rules to add to the ECS Cluster security group (eg. { rule-name = {type = "egress", ... } }) |
map(object({
description = string
type = string
from_port = number
to_port = number
protocol = string
source_security_group_id = optional(string, "")
cidr_blocks = optional(list(string), [])
}))
| n/a | yes |
 | [infrastructure\_ecs\_cluster\_draining\_lambda\_enabled](#input\_infrastructure\_ecs\_cluster\_draining\_lambda\_enabled) | Enable the Lambda which ensures all containers have drained before terminating ECS cluster instances | `bool` | n/a | yes |
 | [infrastructure\_ecs\_cluster\_draining\_lambda\_log\_retention](#input\_infrastructure\_ecs\_cluster\_draining\_lambda\_log\_retention) | Log retention for the ECS cluster draining Lambda | `number` | n/a | yes |
 | [infrastructure\_ecs\_cluster\_ebs\_docker\_storage\_volume\_size](#input\_infrastructure\_ecs\_cluster\_ebs\_docker\_storage\_volume\_size) | Size of EBS volume for Docker storage on the infrastructure ECS instances | `number` | n/a | yes |
diff --git a/ecs-cluster-infrastructure-security-group.tf b/ecs-cluster-infrastructure-security-group.tf
index 9976393..eb60ea5 100644
--- a/ecs-cluster-infrastructure-security-group.tf
+++ b/ecs-cluster-infrastructure-security-group.tf
@@ -113,3 +113,16 @@ resource "aws_security_group_rule" "infrastructure_ecs_cluster_container_instanc
 source_security_group_id = aws_security_group.infrastructure_rds[each.key].id
 security_group_id = aws_security_group.infrastructure_ecs_cluster_container_instances[0].id
 }
+
+resource "aws_security_group_rule" "infrastructure_ecs_cluster_container_instances_custom" {
+ for_each = local.enable_infrastructure_ecs_cluster ? local.infrastructure_ecs_cluster_custom_security_group_rules : {}
+
+ description = each.value["description"]
+ type = each.value["type"]
+ from_port = each.value["from_port"]
+ to_port = each.value["to_port"]
+ protocol = each.value["protocol"]
+ source_security_group_id = each.value["source_security_group_id"] != "" ? each.value["source_security_group_id"] : null
+ cidr_blocks = length(each.value["cidr_blocks"]) > 0 ? each.value["cidr_blocks"] : null
+ security_group_id = aws_security_group.infrastructure_ecs_cluster_container_instances[0].id
+}
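Review bot: The new `infrastructure_ecs_cluster_container_instances_custom` resource forwards caller-supplied `type`, `protocol`, `from_port`/`to_port`, `source_security_group_id` and `cidr_blocks` to the security group attached to every container instance with no constraint beyond the variable's object type, so a reader of this file has nothing telling them what the module guarantees about these rules. Because the empty-string and empty-list defaults are mapped to `null`, a rule that sets neither `source_security_group_id` nor `cidr_blocks`, or both, reaches the AWS provider unchanged and, as far as I can tell, is only rejected there at apply time; `self`, `ipv6_cidr_blocks` and `prefix_list_ids` cannot be expressed at all. A header comment above the resource would make that explicit: `# Caller-defined rules applied verbatim to the container-instance SG: exactly one of`, `# source_security_group_id / cidr_blocks must be set (neither or both fails in the provider),`, `# and any ingress added here is reachable by every instance in the cluster - review as an SG change.`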
diff --git a/locals.tf b/locals.tf
index a34250f..77dedc7 100644
--- a/locals.tf
+++ b/locals.tf
@@ -118,6 +118,7 @@ locals {
 infrastructure_ecs_cluster_ebs_docker_storage_volume_size = var.infrastructure_ecs_cluster_ebs_docker_storage_volume_size
 infrastructure_ecs_cluster_ebs_docker_storage_volume_type = var.infrastructure_ecs_cluster_ebs_docker_storage_volume_type
 infrastructure_ecs_cluster_publicly_avaialble = var.infrastructure_ecs_cluster_publicly_avaialble && local.infrastructure_vpc_network_enable_public
+ infrastructure_ecs_cluster_custom_security_group_rules = var.infrastructure_ecs_cluster_custom_security_group_rules
 infrastructure_ecs_cluster_instance_type = var.infrastructure_ecs_cluster_instance_type
 infrastructure_ecs_cluster_termination_timeout = var.infrastructure_ecs_cluster_termination_timeout
 infrastructure_ecs_cluster_draining_lambda_enabled = var.infrastructure_ecs_cluster_draining_lambda_enabled && local.enable_infrastructure_ecs_cluster
diff --git a/variables.tf b/variables.tf
index 1e2876e..d3e250d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -244,6 +244,19 @@ variable "infrastructure_ecs_cluster_publicly_avaialble" {
 type = bool
 }
+variable "infrastructure_ecs_cluster_custom_security_group_rules" {
+ description = "Map of custom security group rules to add to the ECS Cluster security group (eg. { rule-name = {type = \"egress\", ... } })"
+ type = map(object({
+ description = string
+ type = string
+ from_port = number
+ to_port = number
+ protocol = string
+ source_security_group_id = optional(string, "")
+ cidr_blocks = optional(list(string), [])
+ }))
+}
+
 variable "infrastructure_ecs_cluster_instance_type" {
 description = "The instance type for EC2 instances launched in the ECS cluster"
 type = string
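Review bot: The new `infrastructure_ecs_cluster_custom_security_group_rules` variable accepts any string for `type` and `protocol` and any combination of `source_security_group_id` and `cidr_blocks`, while the resource that consumes it (in ecs-cluster-infrastructure-security-group.tf) maps empty values to `null`, so a rule with neither source, with both, or with a typo such as `type = "ingres"` is only caught by the provider at apply time. A `validation` block on the variable turns these into a plan-time error with a clear message, and since the type already uses `optional(..., default)` the Terraform version in use supports it. The variable also has no `default`, which makes it a required input (the README row the commit adds shows `n/a | yes`); if the module does not deliberately keep every input required, `default = {}` lets existing callers keep working without passing an empty map. The variable block is entirely inside the hunk.
```hcl
variable "infrastructure_ecs_cluster_custom_security_group_rules" {
  # … unchanged: description and type …
  default = {}

  validation {
    condition = alltrue([
      for rule in values(var.infrastructure_ecs_cluster_custom_security_group_rules) :
      contains(["ingress", "egress"], rule.type) &&
      (rule.source_security_group_id != "") != (length(rule.cidr_blocks) > 0)
    ])
    error_message = "Each rule needs type \"ingress\" or \"egress\" and exactly one of source_security_group_id or cidr_blocks."
  }
}
```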