Improve security group creation/deletion and switch to using prefix (#17)

Author: marcincuber

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v2.5.0
+  rev: v3.0.1
   hooks:
   - id: check-added-large-files
     args: ['--maxkb=500']

README.md

@@ -109,6 +109,7 @@ No requirements.
 | repository\_credentials | name or ARN of a secrets manager secret (arn:aws:secretsmanager:region:aws\_account\_id:secret:secret\_name) | `string` | `""` | no |
 | repository\_credentials\_kms\_key | key id, key ARN, alias name or alias ARN of the key that encrypted the repository credentials | `string` | `"alias/aws/secretsmanager"` | no |
 | service\_registry\_arn | ARN of aws\_service\_discovery\_service resource | `string` | `""` | no |
+| sg\_name\_prefix | A prefix used for Security group name. | `string` | `""` | no |
 | tags | A map of tags (key-value pairs) passed to resources. | `map(string)` | `{}` | no |
 | target\_group\_name | The name for the tasks target group | `string` | `""` | no |
 | task\_container\_assign\_public\_ip | Assigned public IP to the container. | `bool` | `false` | no |

examples/core/main.tf

@@ -7,7 +7,7 @@ provider "aws" {
 #####
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 2.21"
+  version = "~> 2.32"
 
   name = "simple-vpc"
 
@@ -70,15 +70,15 @@ resource "aws_security_group_rule" "task_ingress_80" {
 #####
 # private repo credentials secretsmanager
 #####
-data "aws_kms_key" "secretsmanager_key" {
-  key_id = "alias/aws/secretsmanager"
-}
+# data "aws_kms_key" "secretsmanager_key" {
+#   key_id = "alias/aws/secretsmanager"
+# }
 
-resource "aws_secretsmanager_secret" "task_credentials" {
-  name = "task_repository_credentials"
+# resource "aws_secretsmanager_secret" "task_credentials" {
+#   name = "task_repository_credentials"
 
-  kms_key_id = data.aws_kms_key.secretsmanager_key.arn
-}
+#   kms_key_id = data.aws_kms_key.secretsmanager_key.arn
+# }
 
 #####
 # ECS cluster and fargate
@@ -90,7 +90,9 @@ resource "aws_ecs_cluster" "cluster" {
 module "fargate" {
   source = "../../"
 
-  name_prefix        = "ecs-fargate-example"
+  name_prefix = "ecs-fargate-example"
+  # sg_name_prefix     = "my-security-group-name" # uncomment if you want to name security group with specific name
+
   vpc_id             = module.vpc.vpc_id
   private_subnet_ids = module.vpc.public_subnets
   lb_arn             = module.alb.arn
@@ -116,3 +118,20 @@ module "fargate" {
   # create_repository_credentials_iam_policy = false
   # repository_credentials                   = aws_secretsmanager_secret.task_credentials.arn
 }
+
+
+resource "aws_security_group" "allow_sg_test" {
+  name        = "allow_sg_test"
+  description = "Allow sg inbound traffic"
+  vpc_id      = module.vpc.vpc_id
+}
+
+resource "aws_security_group_rule" "test_sg_ingress" {
+  security_group_id        = aws_security_group.allow_sg_test.id
+  type                     = "ingress"
+  protocol                 = "tcp"
+  from_port                = 3022
+  to_port                  = 3022
+  source_security_group_id = module.fargate.service_sg_id
+}
+

main.tf

@@ -50,14 +50,20 @@ resource "aws_iam_role_policy" "log_agent" {
 #####
 resource "aws_security_group" "ecs_service" {
   vpc_id      = var.vpc_id
-  name        = "${var.name_prefix}-ecs-service-sg"
+  name_prefix = var.sg_name_prefix == "" ? "${var.name_prefix}-ecs-service-sg-" : "${var.sg_name_prefix}-"
   description = "Fargate service security group"
   tags = merge(
     var.tags,
     {
-      Name = "${var.name_prefix}-sg"
+      Name = var.sg_name_prefix == "" ? "${var.name_prefix}-ecs-service-sg" : "${var.sg_name_prefix}"
     },
   )
+
+  revoke_rules_on_delete = true
+
+  lifecycle {
+    create_before_destroy = true
+  }
 }
 
 resource "aws_security_group_rule" "egress_service" {

variables.tf

@@ -3,6 +3,12 @@ variable "name_prefix" {
   type        = string
 }
 
+variable "sg_name_prefix" {
+  description = "A prefix used for Security group name."
+  type        = string
+  default     = ""
+}
+
 variable "container_name" {
   description = "Optional name for the container to be used instead of name_prefix."
   default     = ""