Merge pull request #21 from DNXLabs/feature/sg_for_nlb

include sg for nlb and own service

README.md

@@ -70,21 +70,14 @@ In addition you have the option to create or not :
 | cloudwatch\_logs\_export | Whether to mark the log group to export to an S3 bucket (needs terraform-aws-log-exporter to be deployed in the account/region) | `bool` | `false` | no |
 | cloudwatch\_logs\_retention | Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | `number` | `120` | no |
 | cluster\_name | n/a | `string` | `"Name of existing ECS Cluster to deploy this app to"` | no |
-| codedeploy\_deployment\_config\_name | Specifies the deployment configuration for CodeDeploy | `string` | `"CodeDeployDefault.ECSAllAtOnce"` | no |
-| codedeploy\_role\_arn | Existing IAM CodeDeploy role ARN created by ECS cluster module | `any` | `null` | no |
-| codedeploy\_wait\_time\_for\_cutover | Time in minutes to route the traffic to the new application deployment | `number` | `0` | no |
-| codedeploy\_wait\_time\_for\_termination | Time in minutes to terminate the new deployment | `number` | `0` | no |
 | container\_port | Port your container listens (used in the placeholder task definition) | `string` | `"8080"` | no |
 | cpu | Hard limit for CPU for the container | `string` | `"0"` | no |
-| create\_iam\_codedeployrole | Create Codedeploy IAM Role for ECS or not. | `bool` | `true` | no |
-| deployment\_controller | Type of deployment controller. Valid values: CODE\_DEPLOY, ECS, EXTERNAL. | `string` | `"CODE_DEPLOY"` | no |
-| efs\_mapping | A map of efs volume ids and paths to mount into the default task definition | `map(string)` | `{}` | no |
 | fargate\_spot | Set true to use FARGATE\_SPOT capacity provider by default (only when launch\_type=FARGATE) | `bool` | `false` | no |
 | hosted\_zone | Hosted Zone to create DNS record for this app | `string` | `""` | no |
 | hostname | Hostname to create DNS record for this app | `string` | `""` | no |
 | hostname\_create | Optional parameter to create or not a Route53 record | `string` | `"true"` | no |
 | image | Docker image to deploy (can be a placeholder) | `string` | `"dnxsolutions/nginx-hello:latest"` | no |
-| launch\_type | The launch type on which to run your service. The valid values are EC2 and FARGATE. Defaults to EC2. | `string` | `"FARGATE"` | no |
+| launch\_type | The launch type on which to run your service. The valid values are EC2 and FARGATE. Defaults to EC2. | `string` | `"EC2"` | no |
 | memory | Hard memory of the container | `string` | `"512"` | no |
 | name | Name of your ECS service | `any` | n/a | yes |
 | network\_mode | The Docker networking mode to use for the containers in the task. The valid values are none, bridge, awsvpc, and host. (REQUIRED IF 'LAUCH\_TYPE' IS FARGATE) | `any` | `null` | no |
@@ -95,14 +88,14 @@ In addition you have the option to create or not :
 | nlb\_subnets\_ids | The subnets associated with the task or service. (REQUIRED IF 'LAUCH\_TYPE' IS FARGATE) | `any` | `null` | no |
 | ordered\_placement\_strategy | Service level strategy rules that are taken into consideration during task placement. List from top to bottom in order of precedence. The maximum number of ordered\_placement\_strategy blocks is 5. | <pre>list(object({<br>    field      = string<br>    expression = string<br>  }))</pre> | `[]` | no |
 | placement\_constraints | Rules that are taken into consideration during task placement. Maximum number of placement\_constraints is 10. | <pre>list(object({<br>    type       = string<br>    expression = string<br>  }))</pre> | `[]` | no |
-| ports | Port for target group to listen | <pre>list(object({<br>    port = number<br>    protocol = string<br>  }))</pre> | <pre>[<br>  {<br>    "port": 80,<br>    "protocol": "tcp"<br>  }<br>]</pre> | no |
+| port | Port for target group to listen | `string` | `"80"` | no |
 | security\_group\_ecs\_nodes\_inbound\_cidrs | ECS Nodes inbound allowed CIDRs for the security group. | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| security\_group\_nlb\_inbound\_cidrs | NLB inbound allowed CIDRs for the security group. | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
 | security\_groups | The security groups associated with the task or service | `any` | `null` | no |
 | service\_health\_check\_grace\_period\_seconds | Time until your container starts serving requests | `number` | `0` | no |
 | service\_role\_arn | Existing service role ARN created by ECS cluster module | `any` | n/a | yes |
 | subnets | The subnets associated with the task or service. (REQUIRED IF 'LAUCH\_TYPE' IS FARGATE) | `any` | `null` | no |
 | task\_role\_arn | Existing task role ARN created by ECS cluster module | `any` | n/a | yes |
-| ulimits | Container ulimit settings. This is a list of maps, where each map should contain "name", "hardLimit" and "softLimit" | <pre>list(object({<br>    name      = string<br>    hardLimit = number<br>    softLimit = number<br>  }))</pre> | `null` | no |
 | vpc\_id | VPC ID to deploy this app to | `any` | n/a | yes |
 
 ## Outputs

_variables.tf

@@ -49,18 +49,9 @@ variable "nlb_arn" {
   description = "Networking LoadBalance ARN - Required if nlb=false or nlb_internal=false"
 }
 
-variable "ports" {
-  default     = [
-    {
-      port = 80
-      protocol      = "tcp"
-    }
-  ]
+variable "port" {
+  default     = "80"
   description = "Port for target group to listen"
-  type = list(object({
-    port = number
-    protocol = string
-  }))
 }
 
 variable "container_port" {
@@ -138,7 +129,7 @@ variable "placement_constraints" {
 }
 
 variable "launch_type" {
-  default     = "FARGATE"
+  default     = "EC2"
   description = "The launch type on which to run your service. The valid values are EC2 and FARGATE. Defaults to EC2."
 }
 
@@ -206,49 +197,8 @@ variable "security_group_ecs_nodes_inbound_cidrs" {
   description = "ECS Nodes inbound allowed CIDRs for the security group."
 }
 
-variable "efs_mapping" {
-  type        = map(string)
-  description = "A map of efs volume ids and paths to mount into the default task definition"
-  default     = {}
-}
-
-variable "ulimits" {
-  type = list(object({
-    name      = string
-    hardLimit = number
-    softLimit = number
-  }))
-  description = "Container ulimit settings. This is a list of maps, where each map should contain \"name\", \"hardLimit\" and \"softLimit\""
-  default     = null
-}
-
-variable "deployment_controller" {
-  default     = "CODE_DEPLOY"
-  description = "Type of deployment controller. Valid values: CODE_DEPLOY, ECS, EXTERNAL."
-}
-
-variable "codedeploy_wait_time_for_cutover" {
-  default     = 0
-  description = "Time in minutes to route the traffic to the new application deployment"
-}
-
-variable "codedeploy_wait_time_for_termination" {
-  default     = 0
-  description = "Time in minutes to terminate the new deployment"
-}
-
-variable "codedeploy_deployment_config_name" {
-  default     = "CodeDeployDefault.ECSAllAtOnce"
-  description = "Specifies the deployment configuration for CodeDeploy"
-}
-
-variable "create_iam_codedeployrole" {
-  type        = bool
-  default     = true
-  description = "Create Codedeploy IAM Role for ECS or not."
+variable "security_group_nlb_inbound_cidrs" {
+  type        = list(string)
+  default     = ["0.0.0.0/0"]
+  description = "NLB inbound allowed CIDRs for the security group."
 }
-
-variable "codedeploy_role_arn" {
-  default     = null
-  description = "Existing IAM CodeDeploy role ARN created by ECS cluster module"
-}

ecs-service.tf

@@ -7,13 +7,10 @@ resource "aws_ecs_service" "default" {
   health_check_grace_period_seconds = var.service_health_check_grace_period_seconds
   enable_execute_command            = true
 
-  dynamic load_balancer {
-    for_each = {for port in var.ports : port.port => port}
-    content {
-      target_group_arn = aws_lb_target_group.ecs_default_tcp[load_balancer.value.port].arn
-      container_name   = var.name
-      container_port   =  load_balancer.value.port
-    }
+  load_balancer {
+    target_group_arn = aws_lb_target_group.ecs_default_tcp.arn
+    container_name   = var.name
+    container_port   = var.container_port
   }
 
   dynamic "placement_constraints" {
@@ -28,7 +25,7 @@ resource "aws_ecs_service" "default" {
     for_each = var.launch_type == "FARGATE" ? [var.subnets] : []
     content {
       subnets          = var.subnets
-      security_groups  = var.security_groups == "" ? null : var.security_groups
+      security_groups  = toset(concat([aws_security_group.ecs_service.id], var.security_groups))
       assign_public_ip = var.assign_public_ip
     }
   }
@@ -48,6 +45,31 @@ resource "aws_ecs_service" "default" {
   }
 
   lifecycle {
-    ignore_changes = [load_balancer, task_definition, desired_count, capacity_provider_strategy]
+    ignore_changes = [load_balancer, task_definition, desired_count]
+  }
+}
+
+resource "aws_security_group" "ecs_service" {
+  name_prefix = var.name
+
+  description = "SG for ecs service app ${var.name}"
+  vpc_id      = var.vpc_id
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
   }
-}
+}
+
+
+resource "aws_security_group_rule" "ecs_service_from_nlb" {
+  count                    = var.nlb ? 1 : 0
+  type                     = "ingress"
+  from_port                = var.port
+  to_port                  = var.port
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.ecs_service.id
+  source_security_group_id = aws_security_group.nlb[0].id
+}

nlb.tf

@@ -4,10 +4,39 @@ resource "random_string" "nlb_prefix" {
   special = false
 }
 
+locals {
+  name = var.nlb_internal ? format("%s-%s-int", substr("${var.cluster_name}-${var.name}", 0, 23), random_string.nlb_prefix.result) : format("%s-%s", substr("${var.cluster_name}-${var.name}", 0, 27), random_string.nlb_prefix.result)
+}
+
 resource "aws_lb" "default" {
   count              = var.nlb ? 1 : 0
-  name               = var.nlb_internal ? format("%s-%s-int", substr("${var.cluster_name}-${var.name}", 0, 23), random_string.nlb_prefix.result) : format("%s-%s", substr("${var.cluster_name}-${var.name}", 0, 27), random_string.nlb_prefix.result)
+  name               = local.name
   internal           = var.nlb_internal
   load_balancer_type = "network"
   subnets            = var.nlb_subnets_ids
-}
+  security_groups    = [aws_security_group.nlb[0].id]
+}
+
+resource "aws_security_group" "nlb" {
+  count = var.nlb ? 1 : 0
+
+  name_prefix = local.name
+
+  description = "SG for NLB app ${local.name}"
+  vpc_id      = var.vpc_id
+
+
+  ingress {
+    from_port   = var.port
+    to_port     = var.port
+    protocol    = "tcp"
+    cidr_blocks = var.security_group_nlb_inbound_cidrs
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}