From aa5c2fae4cd241481a753156e8974e7d38dfe58a Mon Sep 17 00:00:00 2001 From: Alex Date: Wed, 16 Sep 2020 15:08:06 +0100 Subject: [PATCH] Make adding all egress rule to the ECS security group optional (#75) * Make adding all egress rule to the ECS security group optional * Updated README.md Co-authored-by: Alex Taylor Co-authored-by: actions-bot <58130806+actions-bot@users.noreply.github.com> --- README.md | 3 +++ docs/terraform.md | 3 +++ main.tf | 2 +- variables.tf | 6 ++++++ 4 files changed, 13 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 94c77da..9f0785d 100644 --- a/README.md +++ b/README.md @@ -216,6 +216,7 @@ Available targets: ``` + ## Requirements | Name | Version | @@ -249,6 +250,7 @@ Available targets: | desired\_count | The number of instances of the task definition to place and keep running | `number` | `1` | no | | ecs\_cluster\_arn | The ARN of the ECS cluster where service will be provisioned | `string` | n/a | yes | | ecs\_load\_balancers | A list of load balancer config objects for the ECS service; see `load_balancer` docs https://www.terraform.io/docs/providers/aws/r/ecs_service.html |
list(object({
container_name = string
container_port = number
elb_name = string
target_group_arn = string
}))
| `[]` | no | +| enable\_all\_egress\_rule | A flag to enable/disable adding the all ports egress rule to the ECS security group | `bool` | `true` | no | | enable\_ecs\_managed\_tags | Specifies whether to enable Amazon ECS managed tags for the tasks within the service | `bool` | `false` | no | | enable\_icmp\_rule | Specifies whether to enable ICMP on the security group | `bool` | `true` | no | | enabled | Set to false to prevent the module from creating any resources | `bool` | `true` | no | @@ -301,6 +303,7 @@ Available targets: | task\_role\_id | ECS Task role id | | task\_role\_name | ECS Task role name | + diff --git a/docs/terraform.md b/docs/terraform.md index 04e14f4..8c58050 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -1,3 +1,4 @@ + ## Requirements | Name | Version | @@ -31,6 +32,7 @@ | desired\_count | The number of instances of the task definition to place and keep running | `number` | `1` | no | | ecs\_cluster\_arn | The ARN of the ECS cluster where service will be provisioned | `string` | n/a | yes | | ecs\_load\_balancers | A list of load balancer config objects for the ECS service; see `load_balancer` docs https://www.terraform.io/docs/providers/aws/r/ecs_service.html |
list(object({
container_name = string
container_port = number
elb_name = string
target_group_arn = string
}))
| `[]` | no | +| enable\_all\_egress\_rule | A flag to enable/disable adding the all ports egress rule to the ECS security group | `bool` | `true` | no | | enable\_ecs\_managed\_tags | Specifies whether to enable Amazon ECS managed tags for the tasks within the service | `bool` | `false` | no | | enable\_icmp\_rule | Specifies whether to enable ICMP on the security group | `bool` | `true` | no | | enabled | Set to false to prevent the module from creating any resources | `bool` | `true` | no | @@ -83,3 +85,4 @@ | task\_role\_id | ECS Task role id | | task\_role\_name | ECS Task role name | + diff --git a/main.tf b/main.tf index a72c59b..c841e1c 100644 --- a/main.tf +++ b/main.tf @@ -230,7 +230,7 @@ resource "aws_security_group" "ecs_service" { } resource "aws_security_group_rule" "allow_all_egress" { - count = var.enabled ? 1 : 0 + count = var.enabled && var.enable_all_egress_rule ? 1 : 0 type = "egress" from_port = 0 to_port = 0 diff --git a/variables.tf b/variables.tf index 6304ca7..0afcd21 100644 --- a/variables.tf +++ b/variables.tf @@ -100,6 +100,12 @@ variable "security_group_ids" { default = [] } +variable "enable_all_egress_rule" { + type = bool + description = "A flag to enable/disable adding the all ports egress rule to the ECS security group" + default = true +} + variable "launch_type" { type = string description = "The launch type on which to run your service. Valid values are `EC2` and `FARGATE`"
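Review bot: the README.md hunks add two `+` lines that carry no visible content, one just before `## Requirements` and one after the `task_role_name` output row, and docs/terraform.md gets the same two lines; if these are terraform-docs delimiter comments that did not survive rendering they are fine, but if they really are blank lines they should be dropped so the documentation change is limited to the one new `enable_all_egress_rule` row (which correctly matches the variable's type, default and description in variables.tf).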
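Review bot: in the main.tf hunk, setting `enable_all_egress_rule = false` removes `aws_security_group_rule.allow_all_egress` and nothing else in the change adds an alternative, so the module-created security group ends up with no egress rule at all; because security groups deny by default, tasks attached only to that group will not be able to initiate any outbound connection (for example to pull images or ship logs) until the caller supplies egress some other way, such as an additional group passed through `security_group_ids`. That is the right least-privilege knob to expose, but the consequence should be stated in the variable description and README rather than left for operators to discover at deploy time. The `count` expression itself is correct since `&&` binds tighter than the conditional operator in HCL, so `var.enabled && var.enable_all_egress_rule ? 1 : 0` evaluates as intended; wrapping the condition in parentheses would make that explicit for readers.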
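Review bot: the description on the new `enable_all_egress_rule` variable in variables.tf says what the flag toggles but not what `false` means for the caller; consider something like `"Whether to add an allow-all egress rule to the ECS security group. Set to false to manage egress yourself (e.g. via security_group_ids); the module then adds no egress rule."`. Keeping the default at `true` preserves existing behaviour for current users of the module, which is appropriate for an opt-in hardening flag.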