Merge pull request #13 from DNXLabs/feature/improvements

brunodasilvalenga · web-flow · commit 73eb90d13dd0 · 2022-12-20T00:32:05.000+10:00
Feature/improvements
diff --git a/README.md b/README.md
@@ -84,9 +84,12 @@ In addition you have the option to create or not :
 | nlb | Flag to create the NLB | `bool` | `false` | no |
 | nlb\_arn | Networking LoadBalance ARN - Required if nlb=false or nlb\_internal=false | `string` | `""` | no |
 | nlb\_internal | Creates an Internal NLB for this service | `bool` | `false` | no |
+| nlb\_subnets\_cidr | The subnets associated with the task or service. (REQUIRED IF 'LAUCH\_TYPE' IS FARGATE) | `any` | `null` | no |
+| nlb\_subnets\_ids | The subnets associated with the task or service. (REQUIRED IF 'LAUCH\_TYPE' IS FARGATE) | `any` | `null` | no |
 | ordered\_placement\_strategy | Service level strategy rules that are taken into consideration during task placement. List from top to bottom in order of precedence. The maximum number of ordered\_placement\_strategy blocks is 5. | <pre>list(object({<br>    field      = string<br>    expression = string<br>  }))</pre> | `[]` | no |
 | placement\_constraints | Rules that are taken into consideration during task placement. Maximum number of placement\_constraints is 10. | <pre>list(object({<br>    type       = string<br>    expression = string<br>  }))</pre> | `[]` | no |
 | port | Port for target group to listen | `string` | `"80"` | no |
+| security\_group\_ecs\_nodes\_inbound\_cidrs | ECS Nodes inbound allowed CIDRs for the security group. | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
 | security\_groups | The security groups associated with the task or service | `any` | `null` | no |
 | service\_health\_check\_grace\_period\_seconds | Time until your container starts serving requests | `number` | `0` | no |
 | service\_role\_arn | Existing service role ARN created by ECS cluster module | `any` | n/a | yes |
diff --git a/_variables.tf b/_variables.tf
@@ -143,6 +143,16 @@ variable "subnets" {
   description = "The subnets associated with the task or service. (REQUIRED IF 'LAUCH_TYPE' IS FARGATE)"
 }
 
+variable "nlb_subnets_ids" {
+  default     = null
+  description = "The subnets associated with the task or service. (REQUIRED IF 'LAUCH_TYPE' IS FARGATE)"
+}
+
+variable "nlb_subnets_cidr" {
+  default     = null
+  description = "The subnets associated with the task or service. (REQUIRED IF 'LAUCH_TYPE' IS FARGATE)"
+}
+
 variable "network_mode" {
   default     = null
   description = "The Docker networking mode to use for the containers in the task. The valid values are none, bridge, awsvpc, and host. (REQUIRED IF 'LAUCH_TYPE' IS FARGATE)"
@@ -179,4 +189,10 @@ variable "cloudwatch_logs_retention" {
 variable "cloudwatch_logs_export" {
   default     = false
   description = "Whether to mark the log group to export to an S3 bucket (needs terraform-aws-log-exporter to be deployed in the account/region)"
+}
+
+variable "security_group_ecs_nodes_inbound_cidrs" {
+  type        = list(string)
+  default     = ["0.0.0.0/0"]
+  description = "ECS Nodes inbound allowed CIDRs for the security group."
 }
diff --git a/nlb.tf b/nlb.tf
@@ -9,5 +9,5 @@ resource "aws_lb" "default" {
   name               = var.nlb_internal ? format("%s-%s-int", substr("${var.cluster_name}-${var.name}", 0, 23), random_string.nlb_prefix.result) : format("%s-%s", substr("${var.cluster_name}-${var.name}", 0, 27), random_string.nlb_prefix.result)
   internal           = var.nlb_internal
   load_balancer_type = "network"
-  subnets            = var.subnets
+  subnets            = var.nlb_subnets_ids
 }
diff --git a/route53-record.tf b/route53-record.tf
@@ -10,5 +10,5 @@ resource "aws_route53_record" "hostname" {
   name    = var.hostname
   type    = "CNAME"
   ttl     = "300"
-  records = var.nlb_internal ? [aws_lb.default[0].dns_name] : [try(data.aws_lb.nlb_selected[0].dns_name, "")]
+  records = [aws_lb.default[0].dns_name]
 }
diff --git a/sg-nodes.tf b/sg-nodes.tf
@@ -5,6 +5,16 @@ data "aws_security_group" "selected" {
   }
 }
 
+resource "aws_security_group_rule" "vpc_from_nlb_to_ecs_nodes" {
+  description       = "From NLB subnet"
+  type              = "ingress"
+  from_port         = 0
+  to_port           = 65535
+  protocol          = "TCP"
+  security_group_id = data.aws_security_group.selected.id
+  cidr_blocks       = var.nlb_subnets_cidr
+}
+
 
 resource "aws_security_group_rule" "all_from_nlb_to_ecs_nodes" {
   description       = "for NLB"
@@ -13,5 +23,5 @@ resource "aws_security_group_rule" "all_from_nlb_to_ecs_nodes" {
   to_port           = 65535
   protocol          = "TCP"
   security_group_id = data.aws_security_group.selected.id
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = var.security_group_ecs_nodes_inbound_cidrs
 }

Original file line number	Diff line number	Diff line change
`@@ -9,5 +9,5 @@ resource "aws_lb" "default" {`
`9`	`9`	`name = var.nlb_internal ? format("%s-%s-int", substr("${var.cluster_name}-${var.name}", 0, 23), random_string.nlb_prefix.result) : format("%s-%s", substr("${var.cluster_name}-${var.name}", 0, 27), random_string.nlb_prefix.result)`
`10`	`10`	`internal = var.nlb_internal`
`11`	`11`	`load_balancer_type = "network"`
`12`		`- subnets = var.subnets`
	`12`	`+ subnets = var.nlb_subnets_ids`
`13`	`13`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,5 +10,5 @@ resource "aws_route53_record" "hostname" {`
`10`	`10`	`name = var.hostname`
`11`	`11`	`type = "CNAME"`
`12`	`12`	`ttl = "300"`
`13`		`- records = var.nlb_internal ? [aws_lb.default[0].dns_name] : [try(data.aws_lb.nlb_selected[0].dns_name, "")]`
	`13`	`+ records = [aws_lb.default[0].dns_name]`
`14`	`14`	`}`