/*
Module: ECS-Fargate-Appmesh
Version: 2.0.0
This file will create:
- security groups to attach to ECS tasks and allow inbound access from the private or public subnets.
*/
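// Security group for the ECS Fargate tasks.
// Ingress on the app port(s) is restricted to the VPC's own subnet ranges: the
// private subnets by default, the public subnets only when an App Mesh virtual
// gateway is configured (var.virtual_gateway_arn != "none"). Egress goes to the
// VPC CIDR unless var.egress_cidr_blocks overrides it, plus any VPC endpoint
// prefix lists given in var.sg_prefixs.
resource "aws_security_group" "ecs_tasks" {
  // add name
  name = "${var.prefix}-${var.env}-${var.app_name}-ecs-tasks-security-group"
  // add description
  description = "Allow inbound access from the private subnets for appmesh services. Allow inbound access from lb if virtual_gateway_arn is not none"
  // set vpc_id
  vpc_id = var.vpc.vpc_id

  // incoming tcp port open for fargate services
  ingress {
    description = "enable incomming traffic to ecs fargate services. Other than virtual gateway only private subnets allowed"
    protocol    = "tcp"
    from_port   = var.app_port
    to_port     = var.app_port
    // NOTE(review): with a virtual gateway the whole public-subnet range is
    // allowed in, not just the gateway itself — confirm that is the intent.
    cidr_blocks = var.virtual_gateway_arn == "none" ? var.vpc.private_subnets_cidr_blocks : var.vpc.public_subnets_cidr_blocks
  }

  // one additional tcp ingress rule per entry in var.extra_ports,
  // with the same source ranges as the app-port rule above
  dynamic "ingress" {
    for_each = var.extra_ports
    content {
      description = "enable incomming traffic to ecs fargate services. Other than virtual gateway only private subnets allowed"
      protocol    = "tcp"
      from_port   = ingress.value
      to_port     = ingress.value
      cidr_blocks = var.virtual_gateway_arn == "none" ? var.vpc.private_subnets_cidr_blocks : var.vpc.public_subnets_cidr_blocks
    }
  }

  // all-protocol egress to the VPC CIDR, or to the caller-supplied ranges
  egress {
    description = "out going traffic from appmesh services. by default only vpc cidr is set"
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    # false positive tfsec alert
    # NOTE(review): this is only a false positive as long as var.egress_cidr_blocks
    # never carries 0.0.0.0/0 — no validation of that variable is visible here; confirm.
    cidr_blocks = length(var.egress_cidr_blocks) != 0 ? var.egress_cidr_blocks : [var.vpc.vpc_cidr_block] #tfsec:ignore:aws-ec2-no-public-egress-sgr
  }

  // all-protocol egress to VPC endpoint prefix lists.
  // The rule is generated only when var.sg_prefixs is non-empty: the previous
  // for_each iterated over [length(var.sg_prefixs)], which always yields exactly
  // one element and so emitted an egress rule with an empty prefix_list_ids
  // whenever no prefix lists were supplied.
  dynamic "egress" { #tfsec:ignore:aws-ec2-no-public-egress-sgr
    for_each = length(var.sg_prefixs) != 0 ? [1] : []
    content {
      description     = "out going traffic from appmesh services. to vpc endpoint prefixs"
      from_port       = 0
      to_port         = 0
      protocol        = "-1"
      prefix_list_ids = var.sg_prefixs
    }
  }

  // add tags
  tags = var.tags
}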