Include security group for Network load balancer

DNXLabs · Feb 23, 2024 · bc843ed · bc843ed
1 parent d80b68e
commit bc843ed
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 0 deletions.
diff --git a/_variables.tf b/_variables.tf
@@ -129,6 +129,14 @@ variable "security_group_ids" {
   description = "Extra security groups for instances."
 }
 
+
+variable "nlb_security_group_ids" {
+  type        = list(string)
+  default     = []
+  description = "Extra security groups for instances."
+}
+
+
 variable "asg_protect_from_scale_in" {
   default     = false
   description = "(Optional) Allows setting instance protection. The autoscaling group will not select instances with this setting for termination during scale in events."

diff --git a/nlb.tf b/nlb.tf
@@ -3,6 +3,7 @@ resource "aws_lb" "ecs" {
   internal           = false
   name               = "ecs-${var.name}"
   subnets            = var.public_subnet_ids
+  security_groups    = length(var.nlb_security_group_ids) > 0 ? var.nlb_security_group_ids :  [aws_security_group.nlb.id]
 
   idle_timeout = 400
 

diff --git a/sg-nlb.tf b/sg-nlb.tf
@@ -0,0 +1,30 @@
+resource "aws_security_group" "nlb" {
+  name        = "ecs-${var.name}-nlb"
+  description = "SG for network load balancer"
+  vpc_id      = var.vpc_id
+
+  tags = {
+    Name = "ecs-${var.name}-nlb"
+  }
+}
+
+resource "aws_security_group_rule" "nlb_from_internet" {
+  description              = "Traffic from Internet"
+  type                     = "ingress"
+  from_port                = 1194
+  to_port                  = 1194
+  protocol                 = "-1"
+  security_group_id        = aws_security_group.nlb.id
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "nlb_to_internet" {
+  description       = "Traffic to internet"
+  type              = "egress"
+  from_port                = 1194
+  to_port                  = 1194
+  protocol          = "-1"
+  security_group_id = aws_security_group.nlb.id
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+