Merge pull request #22 from DNXLabs/feature/security-group

Include security group for Network load balancer
DNXLabs · Feb 23, 2024 · caaf7c5 · caaf7c5
2 parents d80b68e + 6c1fed0
commit caaf7c5
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -66,6 +66,7 @@ The following resources will be created:
 | lb\_access\_logs\_prefix | Bucket prefix to store lb access logs. | `string` | `""` | no |
 | mfa | Enable or disable MFA for VPN users | `string` | `"false"` | no |
 | name | Name of this ECS cluster. | `any` | n/a | yes |
+| nlb\_security\_group\_ids | Extra security groups for instances. | `list(string)` | `[]` | no |
 | on\_demand\_base\_capacity | You can designate a base portion of your total capacity as On-Demand. As the group scales, per your settings, the base portion is provisioned first, while additional On-Demand capacity is percentage-based. | `number` | `0` | no |
 | on\_demand\_percentage | Percentage of on-demand intances vs spot. | `number` | `0` | no |
 | private\_subnet\_ids | List of private subnet IDs for ECS instances and Internal ALB when enabled. | `list(string)` | n/a | yes |

diff --git a/_variables.tf b/_variables.tf
@@ -129,6 +129,14 @@ variable "security_group_ids" {
   description = "Extra security groups for instances."
 }
 
+
+variable "nlb_security_group_ids" {
+  type        = list(string)
+  default     = []
+  description = "Extra security groups for instances."
+}
+
+
 variable "asg_protect_from_scale_in" {
   default     = false
   description = "(Optional) Allows setting instance protection. The autoscaling group will not select instances with this setting for termination during scale in events."

diff --git a/nlb.tf b/nlb.tf
@@ -3,6 +3,7 @@ resource "aws_lb" "ecs" {
   internal           = false
   name               = "ecs-${var.name}"
   subnets            = var.public_subnet_ids
+  security_groups    = length(var.nlb_security_group_ids) > 0 ? var.nlb_security_group_ids : [aws_security_group.nlb.id]
 
   idle_timeout = 400
 

diff --git a/sg-nlb.tf b/sg-nlb.tf
@@ -0,0 +1,30 @@
+resource "aws_security_group" "nlb" {
+  name        = "ecs-${var.name}-nlb"
+  description = "SG for network load balancer"
+  vpc_id      = var.vpc_id
+
+  tags = {
+    Name = "ecs-${var.name}-nlb"
+  }
+}
+
+resource "aws_security_group_rule" "nlb_from_internet" {
+  description       = "Traffic from Internet"
+  type              = "ingress"
+  from_port         = 1194
+  to_port           = 1194
+  protocol          = "-1"
+  security_group_id = aws_security_group.nlb.id
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "nlb_to_internet" {
+  description       = "Traffic to internet"
+  type              = "egress"
+  from_port         = 1194
+  to_port           = 1194
+  protocol          = "-1"
+  security_group_id = aws_security_group.nlb.id
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+