Skip to content

6100: Add default security group for ecs tasks and services#6492

Merged
ca61688 merged 24 commits intodevelopfrom
6100-add-security-group-for-ecs
Jan 30, 2026
Merged

6100: Add default security group for ecs tasks and services#6492
ca61688 merged 24 commits intodevelopfrom
6100-add-security-group-for-ecs

Conversation

@ca61688
Copy link
Collaborator

@ca61688 ca61688 commented Jan 27, 2026

Make sure you have checked all steps below.

Issue

  • My PR fully resolves the following issues. I've referenced an issue in the PR title, for example "Issue 1234 - My
    Feature". Note that before an issue is finished, you can still make a pull request by raising a separate issue
    for your progress.

Tests

  • My PR adds the following tests based on our test strategy OR does not need testing for this extremely good reason:
    • Only manual testing possible

Documentation

  • In case of new functionality, my PR adds documentation that describes how to use it, or I have linked to a
    separate issue for that below.
  • If I have added new Java code, I have added Javadoc that explains it following our conventions and style.
  • If I have added or removed any dependencies from the project, I have updated the NOTICES file.

@ca61688 ca61688 linked an issue Jan 27, 2026 that may be closed by this pull request
Create security groups to run ECS tasks #6100
Closed
@ca61688 ca61688 added the needs-reviewer Pull requests that need a reviewer to be assigned label Jan 28, 2026
@ca61688 ca61688 marked this pull request as ready for review January 28, 2026 12:03
patchwork01
patchwork01 reviewed Jan 28, 2026
View reviewed changes
java/core/src/main/java/sleeper/core/properties/instance/CdkDefinedInstanceProperty.java Outdated

// Security Groups
CdkDefinedInstanceProperty ECS_SECURITY_GROUP = Index.propertyBuilder("sleeper.ecs.security.group")
.description("The security group to be used for ECS tasks and services.")
Copy link
Collaborator

@patchwork01 patchwork01 Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can be clear that this is the security group ID, as opposed to e.g. the ARN. Maybe the property name should have .id at the end as well?

java/deployment/cdk/src/main/java/sleeper/cdk/stack/core/StateStoreCommitterStack.java Outdated
.newInstancesProtectedFromScaleIn(false)
.updatePolicy(UpdatePolicy.rollingUpdate())
.securityGroup(SecurityGroup.fromSecurityGroupId(policiesStack, instanceId,
instanceProperties.get(ECS_SECURITY_GROUP)))
Copy link
Collaborator

@patchwork01 patchwork01 Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like this is defining a new security group construct, adding it to the managed policies stack, and setting a construct ID of the Sleeper instance ID.

Can we just call a getter to return the security group from the policies stack?

java/deployment/cdk/src/main/java/sleeper/cdk/stack/core/ManagedPoliciesStack.java Outdated
private void createEcsSecurityGroup(Construct scope, InstanceProperties instanceProperties) {
SecurityGroup securityGroup = SecurityGroup.Builder.create(scope, "ECS")
.vpc(Vpc.fromLookup(scope, "vpc", VpcLookupOptions.builder().vpcId(instanceProperties.get(VPC_ID)).build()))
.description("ECS security group")
Copy link
Collaborator

@patchwork01 patchwork01 Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we explain roughly what this is for in the description? It'll be used for ECS tasks and services that don't need to serve incoming requests.

java/deployment/cdk/src/main/java/sleeper/cdk/stack/core/StateStoreCommitterStack.java Outdated
.newInstancesProtectedFromScaleIn(false)
.updatePolicy(UpdatePolicy.rollingUpdate())
.securityGroup(SecurityGroup.fromSecurityGroupId(policiesStack, instanceId,
instanceProperties.get(ECS_SECURITY_GROUP)))
Copy link
Collaborator

@patchwork01 patchwork01 Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The documentation of this method says "launchTemplate and mixedInstancesPolicy must not be specified when this property is specified". It looks like it wants you to put it on the launch template.

We don't have a system test to catch this right now as none of them use the ECS-based committer. Please can you test it by configuring your instance to use the committer explicitly?

Copy link
Collaborator Author

@ca61688 ca61688 Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good spot, I've moved it higher up into the launch template itself and will test it with a deployment

@patchwork01 patchwork01 removed the needs-reviewer Pull requests that need a reviewer to be assigned label Jan 28, 2026
@ca61688 ca61688 removed their assignment Jan 30, 2026
@ca61688 ca61688 added the needs-reviewer Pull requests that need a reviewer to be assigned label Jan 30, 2026
@ca61688
Copy link
Collaborator Author

ca61688 commented Jan 30, 2026

Ready for rereview

patchwork01
patchwork01 approved these changes Jan 30, 2026
View reviewed changes
@patchwork01 patchwork01 assigned ca61688 and unassigned patchwork01 Jan 30, 2026
@patchwork01 patchwork01 removed the needs-reviewer Pull requests that need a reviewer to be assigned label Jan 30, 2026
@ca61688 ca61688 merged commit d45420f into develop Jan 30, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@patchwork01 patchwork01 patchwork01 approved these changes

Assignees

@ca61688 ca61688

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Create security groups to run ECS tasks

2 participants

@ca61688 @patchwork01