ecs-cluster-infrastructure-security-group.tf
# Security group attached to the container instances of the infrastructure ECS
# cluster. No ingress/egress is declared inline; every rule is a separate
# aws_security_group_rule resource below, so each one can be toggled by the same
# locals that gate the cluster, the ALB, EFS and RDS.
resource "aws_security_group" "infrastructure_ecs_cluster_container_instances" {
  count = local.enable_infrastructure_ecs_cluster ? 1 : 0

  vpc_id      = aws_vpc.infrastructure[0].id
  name        = "${local.resource_prefix}-infrastructure-ecs-cluster-container-instances"
  description = "Infrastructure ECS cluster container instances"
}
# TCP ingress to the ECS dynamic host-port range (32768-65535), only when the
# VPC has public networking enabled. The source is the ALB security group when
# at least one cluster service (and therefore the ALB) is defined; with no
# services the rule instead admits the public subnet CIDRs. Exactly one of
# source_security_group_id / cidr_blocks is non-null on any given plan.
resource "aws_security_group_rule" "infrastructure_ecs_cluster_container_instances_ingress_tcp" {
  count = (local.enable_infrastructure_ecs_cluster && local.infrastructure_vpc_network_enable_public) ? 1 : 0

  security_group_id = aws_security_group.infrastructure_ecs_cluster_container_instances[0].id
  type              = "ingress"
  description       = "Allow container port tcp ingress from ALB if launched, otherwise from Public Subnets"
  protocol          = "tcp"
  from_port         = 32768
  to_port           = 65535

  source_security_group_id = length(local.infrastructure_ecs_cluster_services) > 0 ? aws_security_group.infrastructure_ecs_cluster_service_alb[0].id : null
  cidr_blocks              = length(local.infrastructure_ecs_cluster_services) > 0 ? null : [for s in aws_subnet.infrastructure_public : s.cidr_block]
}
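# UDP ingress to the ECS dynamic host-port range (32768-65535) from the public
# subnet CIDRs, only while the VPC has public networking enabled.
#
# This rule is created only on the no-service path. An Application Load
# Balancer terminates HTTP/HTTPS over TCP and never originates UDP, so a UDP
# rule sourced from the ALB security group could never match legitimate
# traffic; all it would do is widen what any ENI carrying that security group
# is allowed to send to the hosts. The TCP sibling rule still covers the ALB
# case, so dropping the ALB-sourced UDP variant is pure least privilege.
resource "aws_security_group_rule" "infrastructure_ecs_cluster_container_instances_ingress_udp" {
  count = (local.enable_infrastructure_ecs_cluster && local.infrastructure_vpc_network_enable_public && length(local.infrastructure_ecs_cluster_services) == 0) ? 1 : 0

  security_group_id = aws_security_group.infrastructure_ecs_cluster_container_instances[0].id
  type              = "ingress"
  description       = "Allow container port udp ingress from Public Subnets"
  protocol          = "udp"
  from_port         = 32768
  to_port           = 65535

  cidr_blocks = [for subnet in aws_subnet.infrastructure_public : subnet.cidr_block]
}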
# Outbound HTTPS (TCP/443) to any destination. Presumably required for the ECS
# agent, image pulls and other AWS API calls that go out via the public
# endpoints; the tfsec public-egress finding is suppressed on purpose.
# NOTE(review): if AWS API traffic is later moved onto VPC interface endpoints,
# this can be narrowed from 0.0.0.0/0 to the endpoint security group.
resource "aws_security_group_rule" "infrastructure_ecs_cluster_container_instances_egress_https_tcp" {
  count = local.enable_infrastructure_ecs_cluster ? 1 : 0

  security_group_id = aws_security_group.infrastructure_ecs_cluster_container_instances[0].id
  type              = "egress"
  description       = "Allow HTTPS tcp outbound"
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443

  # tfsec:ignore:aws-ec2-no-public-egress-sgr
  cidr_blocks = ["0.0.0.0/0"]
}
# Outbound UDP/443 to any destination, i.e. HTTP/3 (QUIC). The ECS agent, ECR
# pulls and the AWS SDKs all speak HTTPS over TCP, so this is not needed for the
# cluster's own control traffic.
# NOTE(review): an unrestricted UDP egress port is a convenient exfiltration /
# tunnelling channel. Confirm that something on these hosts actually uses QUIC;
# if nothing does, drop this rule rather than keep it for symmetry with the TCP
# one.
resource "aws_security_group_rule" "infrastructure_ecs_cluster_container_instances_egress_https_udp" {
  count = local.enable_infrastructure_ecs_cluster ? 1 : 0

  security_group_id = aws_security_group.infrastructure_ecs_cluster_container_instances[0].id
  type              = "egress"
  description       = "Allow HTTPS udp outbound"
  protocol          = "udp"
  from_port         = 443
  to_port           = 443

  # tfsec:ignore:aws-ec2-no-public-egress-sgr
  cidr_blocks = ["0.0.0.0/0"]
}
# Outbound DNS over TCP to the CIDRs of the subnets the instances are placed in:
# the public subnets when the cluster is publicly available, otherwise the
# private ones.
# NOTE(review): security groups do not filter traffic to the Amazon-provided
# resolver (VPC base + 2 / 169.254.169.253), so this rule only governs DNS sent
# to a resolver or forwarder that actually sits inside the listed subnets.
# Confirm that is what "to AWS" in the description is meant to cover.
resource "aws_security_group_rule" "infrastructure_ecs_cluster_container_instances_egress_dns_tcp" {
  count = local.enable_infrastructure_ecs_cluster ? 1 : 0

  security_group_id = aws_security_group.infrastructure_ecs_cluster_container_instances[0].id
  type              = "egress"
  description       = "Allow DNS tcp outbound to AWS"
  protocol          = "tcp"
  from_port         = 53
  to_port           = 53

  cidr_blocks = (
    local.infrastructure_ecs_cluster_publicly_avaialble
    ? [for s in aws_subnet.infrastructure_public : s.cidr_block]
    : [for s in aws_subnet.infrastructure_private : s.cidr_block]
  )
}
# Outbound DNS over UDP to the CIDRs of the subnets the instances are placed in:
# the public subnets when the cluster is publicly available, otherwise the
# private ones. Mirrors the TCP rule above.
# NOTE(review): security groups do not filter traffic to the Amazon-provided
# resolver (VPC base + 2 / 169.254.169.253), so this rule only governs DNS sent
# to a resolver or forwarder that actually sits inside the listed subnets.
resource "aws_security_group_rule" "infrastructure_ecs_cluster_container_instances_egress_dns_udp" {
  count = local.enable_infrastructure_ecs_cluster ? 1 : 0

  security_group_id = aws_security_group.infrastructure_ecs_cluster_container_instances[0].id
  type              = "egress"
  description       = "Allow DNS udp outbound to AWS"
  protocol          = "udp"
  from_port         = 53
  to_port           = 53

  cidr_blocks = (
    local.infrastructure_ecs_cluster_publicly_avaialble
    ? [for s in aws_subnet.infrastructure_public : s.cidr_block]
    : [for s in aws_subnet.infrastructure_private : s.cidr_block]
  )
}
# Outbound NFS (TCP/2049) to the EFS security group, only when EFS is enabled
# for the cluster. On an egress rule the provider's source_security_group_id
# attribute names the DESTINATION security group, so this is a host -> EFS
# mount-target allowance, not the reverse.
resource "aws_security_group_rule" "infrastructure_ecs_cluster_container_instances_egress_nfs_tcp" {
  count = (local.enable_infrastructure_ecs_cluster && local.enable_infrastructure_ecs_cluster_efs) ? 1 : 0

  security_group_id = aws_security_group.infrastructure_ecs_cluster_container_instances[0].id
  type              = "egress"
  description       = "Allow NFS tcp outbound to EFS security group"
  protocol          = "tcp"
  from_port         = 2049
  to_port           = 2049

  source_security_group_id = aws_security_group.infrastructure_ecs_cluster_efs[0].id
}
# One outbound rule per RDS instance in local.infrastructure_rds, to that
# instance's own security group on the engine's port (looked up from
# local.rds_ports by the entry's "engine" value). As with the NFS rule,
# source_security_group_id on an egress rule is the destination group.
resource "aws_security_group_rule" "infrastructure_ecs_cluster_container_instances_egress_rds" {
  for_each = local.enable_infrastructure_ecs_cluster ? local.infrastructure_rds : {}

  security_group_id = aws_security_group.infrastructure_ecs_cluster_container_instances[0].id
  type              = "egress"
  description       = "Allow ${each.value["engine"]} tcp outbound to RDS security group"
  protocol          = "tcp"
  from_port         = local.rds_ports[each.value["engine"]]
  to_port           = local.rds_ports[each.value["engine"]]

  source_security_group_id = aws_security_group.infrastructure_rds[each.key].id
}
# Operator-supplied rules from
# local.infrastructure_ecs_cluster_custom_security_group_rules. Each entry gives
# type/ports/protocol plus either a source_security_group_id (empty string =
# unset) or a non-empty cidr_blocks list; whichever is absent is passed as null.
# NOTE(review): nothing here constrains what the locals may contain. An entry
# with type = "ingress" and cidr_blocks = ["0.0.0.0/0"] would open that port to
# the internet, and an entry with neither a source group nor CIDRs fails only at
# apply time inside the provider. If the project's Terraform version supports
# it, a lifecycle precondition asserting exactly one source is set (and, if
# that is the policy, that ingress is never from 0.0.0.0/0) would surface both
# at plan time.
resource "aws_security_group_rule" "infrastructure_ecs_cluster_container_instances_custom" {
  for_each = local.enable_infrastructure_ecs_cluster ? local.infrastructure_ecs_cluster_custom_security_group_rules : {}

  security_group_id = aws_security_group.infrastructure_ecs_cluster_container_instances[0].id
  type              = each.value["type"]
  description       = each.value["description"]
  protocol          = each.value["protocol"]
  from_port         = each.value["from_port"]
  to_port           = each.value["to_port"]

  source_security_group_id = each.value["source_security_group_id"] == "" ? null : each.value["source_security_group_id"]
  cidr_blocks              = length(each.value["cidr_blocks"]) == 0 ? null : each.value["cidr_blocks"]
}
# Outbound TCP on the configured syslog port (Logspout log shipping), created
# only when local.infrastructure_ecs_cluster_syslog_port is set. The
# destination is unrestricted, hence the suppressed tfsec finding.
# NOTE(review): this lets every host push traffic on the syslog port to any
# address on the internet. If the log collector's address or prefix is known,
# pin cidr_blocks to it; and since the destination is outside the VPC, verify
# the Logspout transport is TLS (e.g. syslog+tls) rather than plaintext.
resource "aws_security_group_rule" "infrastructure_ecs_cluster_container_instances_egress_logspout_tcp" {
  count = (local.enable_infrastructure_ecs_cluster && local.infrastructure_ecs_cluster_syslog_port != null) ? 1 : 0

  security_group_id = aws_security_group.infrastructure_ecs_cluster_container_instances[0].id
  type              = "egress"
  description       = "Allow Logspout tcp outbound"
  protocol          = "tcp"
  from_port         = local.infrastructure_ecs_cluster_syslog_port
  to_port           = local.infrastructure_ecs_cluster_syslog_port

  # tfsec:ignore:aws-ec2-no-public-egress-sgr
  cidr_blocks = ["0.0.0.0/0"]
}