Merged
24 commits
9085fb0
6100: Add default security group for ecs tasks and services
ca61688 Jan 27, 2026
b5f95ab
6100: Fix SleeperInstanceIT
ca61688 Jan 27, 2026
c11ba0c
Merge branch 'develop' into 6100-add-security-group-for-ecs
ca61688 Jan 27, 2026
08cdc83
6100: Add logging for ecs security group
ca61688 Jan 27, 2026
fdc1f16
6100: Attempt to fix security group issue
ca61688 Jan 27, 2026
9867973
6100: Attempt to fix security group issue
ca61688 Jan 27, 2026
35de5b4
6100: Test fix for deployment issue
ca61688 Jan 28, 2026
a70d662
6100: Add logging to ManagedPoliciesStack
ca61688 Jan 28, 2026
082951e
6100: Test fix for deployment issue
ca61688 Jan 28, 2026
b788b3b
6100: Remove extra security group from CompactiononEcResources
ca61688 Jan 28, 2026
5842e68
6100: Tidy up code
ca61688 Jan 28, 2026
9f088f4
Merge branch 'develop' into 6100-add-security-group-for-ecs
ca61688 Jan 28, 2026
31447e0
6100: Improve property description
ca61688 Jan 28, 2026
d123137
6100: Address review comments
ca61688 Jan 28, 2026
5c74b14
Merge branch 'develop' into 6100-add-security-group-for-ecs
ca61688 Jan 28, 2026
fb4752b
6100: Update documentation
ca61688 Jan 28, 2026
83c7674
6100: Fix SleeperInstanceIT
ca61688 Jan 28, 2026
2e70cab
6100: Correct Security Group description
ca61688 Jan 29, 2026
e08c457
6100: Move ecs security group into ecs stack
ca61688 Jan 29, 2026
52a4628
6100: Rename AutoStopEcs cluster to ecs cluster
ca61688 Jan 29, 2026
364c726
6100: Rename AutoStopEcs cluster to ecs cluster
ca61688 Jan 29, 2026
6976448
Merge branch 'develop' into 6100-add-security-group-for-ecs
ca61688 Jan 30, 2026
7049153
6100: Fix SleeperInstanceIT
ca61688 Jan 30, 2026
20f9b48
6100: Fix typo
ca61688 Jan 30, 2026
1 change: 1 addition & 0 deletions docs/usage/properties/instance/cdk/common.md
@@ -9,6 +9,7 @@ The following instance properties are commonly used throughout Sleeper.
| sleeper.config.bucket | The S3 bucket name used to store configuration files. |
| sleeper.account | The AWS account number. This is the AWS account that the instance is deployed in. |
| sleeper.region | The AWS region the instance is deployed in. |
| sleeper.ecs.security.group.id | The security group ID to be used for ECS tasks and services. |
| sleeper.data.bucket | The S3 bucket name used to store table data. |
| sleeper.tables.name.index.dynamo.table | The name of the DynamoDB table indexing tables by their name. |
| sleeper.tables.id.index.dynamo.table | The name of the DynamoDB table indexing tables by their ID. |
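Review bot: The new row for `sleeper.ecs.security.group.id` says which resources use the group but not what traffic it permits, which is what anyone reviewing the instance's network posture will look for on this page; consider extending the description to state the group's ingress and egress rules (or point at where they are defined) and to say that the value is written by the CDK deployment rather than set by the user.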
1 change: 0 additions & 1 deletion docs/usage/properties/instance/user/common.md
@@ -30,6 +30,5 @@ The following instance properties are commonly used throughout Sleeper.
| sleeper.task.runner.memory.mb | The amount of memory in MB for the lambda that creates ECS tasks to execute compaction and ingest jobs. | 1024 | true |
| sleeper.task.runner.timeout.seconds | The timeout in seconds for the lambda that creates ECS tasks to execute compaction jobs and ingest jobs.<br>This must be >0 and <= 900. | 900 | true |
| sleeper.properties.force.reload | If true, properties will be reloaded every time a long running job is started or a lambda is run. This will mainly be used in test scenarios to ensure properties are up to date. | false | false |
| sleeper.ecs.security.groups | A comma-separated list of up to 5 security group IDs to be used when running ECS tasks. | | true |
| sleeper.default.lambda.concurrency.reserved | Default value for the reserved concurrency for each lambda in the Sleeper instance that scales according to the number of Sleeper tables.<br>The state store committer lambda is an exception to this, as it has reserved concurrency by default. This is set in the property sleeper.statestore.committer.concurrency.reserved. Other lambdas are present that do not scale by the number of Sleeper tables, and are not set from this property.<br>By default no concurrency is reserved for the lambdas. Each lambda also has its own property that overrides the value found here.<br>See reserved concurrency overview at: https://docs.aws.amazon.com/lambda/latest/dg/configuration-concurrency.html | | false |
| sleeper.default.lambda.concurrency.max | Default value for the maximum concurrency for each lambda in the Sleeper instance that scales according to the number of Sleeper tables.<br>Other lambdas are present that do not scale by the number of Sleeper tables, and are not set from this property.<br>By default the maximum concurrency is set to 10, which is enough for 10 online tables. If there are more online tables, this number may need to be increased. Each lambda also has its own property that overrides the value found here.<br>See maximum concurrency overview at: https://aws.amazon.com/blogs/compute/introducing-maximum-concurrency-of-aws-lambda-functions-when-using-amazon-sqs-as-an-event-source/ | 10 | false |
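Review bot: Dropping the `sleeper.ecs.security.groups` row silently retires a user-configurable setting; an operator who has it set in an existing instance.properties will have it ignored after upgrading. Suggest the docs (and release notes) state that the property is no longer read and that ECS networking now uses the CDK-defined `sleeper.ecs.security.group.id` instead.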
4 changes: 0 additions & 4 deletions example/full/instance.properties
@@ -194,10 +194,6 @@ sleeper.logging.root.level=INFO
# (default value shown below, uncomment to set a value)
# sleeper.properties.force.reload=false

# A comma-separated list of up to 5 security group IDs to be used when running ECS tasks.
# (uncomment to set a value)
# sleeper.ecs.security.groups=

# Default value for the reserved concurrency for each lambda in the Sleeper instance that scales
# according to the number of Sleeper tables.
# The state store committer lambda is an exception to this, as it has reserved concurrency by default.
@@ -45,8 +45,8 @@
import static sleeper.core.properties.instance.CdkDefinedInstanceProperty.COMPACTION_TASK_EC2_DEFINITION_FAMILY;
import static sleeper.core.properties.instance.CdkDefinedInstanceProperty.COMPACTION_TASK_FARGATE_DEFINITION_FAMILY;
import static sleeper.core.properties.instance.CdkDefinedInstanceProperty.CONFIG_BUCKET;
import static sleeper.core.properties.instance.CdkDefinedInstanceProperty.ECS_SECURITY_GROUP;
import static sleeper.core.properties.instance.CdkDefinedInstanceProperty.LEAF_PARTITION_BULK_EXPORT_QUEUE_URL;
import static sleeper.core.properties.instance.CommonProperty.ECS_SECURITY_GROUPS;
import static sleeper.core.properties.instance.CommonProperty.FARGATE_VERSION;
import static sleeper.core.properties.instance.CommonProperty.SUBNETS;
import static sleeper.core.properties.instance.CompactionProperty.COMPACTION_ECS_LAUNCHTYPE;
@@ -337,7 +337,7 @@ private static TaskOverride createOverride(InstanceProperties instanceProperties
private static NetworkConfiguration networkConfig(InstanceProperties instanceProperties) {
AwsVpcConfiguration vpcConfiguration = AwsVpcConfiguration.builder()
.subnets(instanceProperties.getList(SUBNETS))
.securityGroups(instanceProperties.getList(ECS_SECURITY_GROUPS))
.securityGroups(instanceProperties.get(ECS_SECURITY_GROUP))
.build();
return NetworkConfiguration.builder()
.awsvpcConfiguration(vpcConfiguration)
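Review bot: `instanceProperties.get(ECS_SECURITY_GROUP)` returns a single String, so `.securityGroups(...)` now resolves to the varargs overload and a missing property is passed through as a one-element list holding null rather than being rejected; the failure would then surface as an ECS API error at task launch instead of a clear message. Consider checking that the value is present and failing fast with a message naming `sleeper.ecs.security.group.id`, since this CDK-defined property can be absent until the stack that writes it has been redeployed.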
@@ -30,10 +30,10 @@
import java.util.List;

import static sleeper.core.properties.instance.CdkDefinedInstanceProperty.CONFIG_BUCKET;
import static sleeper.core.properties.instance.CdkDefinedInstanceProperty.ECS_SECURITY_GROUP;
import static sleeper.core.properties.instance.CdkDefinedInstanceProperty.INGEST_CLUSTER;
import static sleeper.core.properties.instance.CdkDefinedInstanceProperty.INGEST_JOB_QUEUE_URL;
import static sleeper.core.properties.instance.CdkDefinedInstanceProperty.INGEST_TASK_DEFINITION_FAMILY;
import static sleeper.core.properties.instance.CommonProperty.ECS_SECURITY_GROUPS;
import static sleeper.core.properties.instance.CommonProperty.FARGATE_VERSION;
import static sleeper.core.properties.instance.CommonProperty.SUBNETS;
import static sleeper.core.properties.instance.IngestProperty.MAXIMUM_CONCURRENT_INGEST_TASKS;
@@ -103,7 +103,7 @@ public void run() {
.networkConfiguration(networkConfiguration -> networkConfiguration
.awsvpcConfiguration(vpcConfiguration -> vpcConfiguration
.subnets(properties.getList(SUBNETS))
.securityGroups(properties.getList(ECS_SECURITY_GROUPS))))
.securityGroups(properties.get(ECS_SECURITY_GROUP))))
.overrides(overrides -> overrides
.containerOverrides(ContainerOverride.builder()
.name(containerName)
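Review bot: This is the same wiring as the compaction task runner, including the same unchecked `properties.get(ECS_SECURITY_GROUP)`; consider a shared helper that builds the `AwsVpcConfiguration` (subnets plus security group) from instance properties and validates the group ID once, so the two call sites cannot drift apart.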
@@ -73,6 +73,12 @@ static List<CdkDefinedInstanceProperty> getAllInGroup(PropertyGroup group) {
.propertyGroup(InstancePropertyGroup.COMMON)
.build();

// Security Groups
CdkDefinedInstanceProperty ECS_SECURITY_GROUP = Index.propertyBuilder("sleeper.ecs.security.group.id")
.description("The security group ID to be used for ECS tasks and services.")
.propertyGroup(InstancePropertyGroup.COMMON)
.build();

// Data
CdkDefinedInstanceProperty DATA_BUCKET = Index.propertyBuilder("sleeper.data.bucket")
.description("The S3 bucket name used to store table data.")
@@ -219,11 +219,6 @@ public interface CommonProperty {
.validationPredicate(SleeperPropertyValueUtils::isTrueOrFalse)
.propertyGroup(InstancePropertyGroup.COMMON)
.build();
UserDefinedInstanceProperty ECS_SECURITY_GROUPS = Index.propertyBuilder("sleeper.ecs.security.groups")
.description("A comma-separated list of up to 5 security group IDs to be used when running ECS tasks.")
.validationPredicate(value -> SleeperPropertyValueUtils.isListWithMaxSize(value, 5))
.runCdkDeployWhenChanged(true)
.propertyGroup(InstancePropertyGroup.COMMON).build();
UserDefinedInstanceProperty DEFAULT_LAMBDA_CONCURRENCY_RESERVED = Index.propertyBuilder("sleeper.default.lambda.concurrency.reserved")
.description("Default value for the reserved concurrency for each lambda in the Sleeper instance " +
"that scales according to the number of Sleeper tables.\n" +
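Review bot: Deleting `ECS_SECURITY_GROUPS` removes the only way for an operator to attach their own security groups to ECS tasks; if that is intended it should be called out as a breaking change, and if not, an optional user property whose groups are appended to the default one would preserve it. The removed `isListWithMaxSize(value, 5)` predicate also encoded the ECS limit of five security groups per task, which any replacement should keep.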
@@ -40,8 +40,8 @@
import sleeper.cdk.networking.SleeperNetworking;
import sleeper.cdk.stack.compaction.CompactionTrackerResources;
import sleeper.cdk.stack.core.AutoDeleteS3ObjectsStack;
import sleeper.cdk.stack.core.AutoStopEcsClusterTasksStack;
import sleeper.cdk.stack.core.ConfigBucketStack;
import sleeper.cdk.stack.core.EcsClusterTasksStack;
import sleeper.cdk.stack.core.LoggingStack;
import sleeper.cdk.stack.core.LoggingStack.LogGroupRef;
import sleeper.cdk.stack.core.ManagedPoliciesStack;
@@ -81,7 +81,7 @@ public class SleeperCoreStacks {
private final IngestTrackerResources ingestTracker;
private final CompactionTrackerResources compactionTracker;
private final AutoDeleteS3ObjectsStack autoDeleteS3Stack;
private final AutoStopEcsClusterTasksStack autoStopEcsStack;
private final EcsClusterTasksStack ecsClusterTasksStack;
private SleeperInstanceRoles roles;

@SuppressWarnings("checkstyle:ParameterNumberCheck")
@@ -93,7 +93,7 @@ private SleeperCoreStacks(
IngestTrackerResources ingestTracker,
CompactionTrackerResources compactionTracker,
AutoDeleteS3ObjectsStack autoDeleteS3Stack,
AutoStopEcsClusterTasksStack autoStopEcsStack) {
EcsClusterTasksStack ecsClusterTasksStack) {
this.networking = networking;
this.loggingStack = loggingStack;
this.deadLetters = deadLetters;
@@ -106,7 +106,7 @@ private SleeperCoreStacks(
this.ingestTracker = ingestTracker;
this.compactionTracker = compactionTracker;
this.autoDeleteS3Stack = autoDeleteS3Stack;
this.autoStopEcsStack = autoStopEcsStack;
this.ecsClusterTasksStack = ecsClusterTasksStack;
}

public static SleeperCoreStacks create(Stack stack, SleeperInstanceProps props) {
@@ -132,7 +132,7 @@ public static SleeperCoreStacks create(
new TopicStack(scope, "Topic", instanceProperties));

// Custom resource providers
AutoStopEcsClusterTasksStack autoStopEcsStack = new AutoStopEcsClusterTasksStack(scope, "AutoStopEcsClusterTasks", instanceProperties, jars, loggingStack);
EcsClusterTasksStack ecsClusterTasksStack = new EcsClusterTasksStack(scope, "AutoStopEcsClusterTasks", instanceProperties, jars, loggingStack);
ManagedPoliciesStack policiesStack = new ManagedPoliciesStack(scope, "Policies", instanceProperties);

// Stacks for tables
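Review bot: The construct id stays `"AutoStopEcsClusterTasks"` while the class is now `EcsClusterTasksStack`; if that is deliberate, to keep the CloudFormation logical IDs stable and avoid replacing existing resources on upgrade, a short comment saying so would stop the next reader from "fixing" it. The `// Custom resource providers` comment above also no longer describes this stack now that it owns the ECS security group.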
@@ -150,11 +150,11 @@ public static SleeperCoreStacks create(
instanceProperties, jars,
loggingStack, configBucketStack, tableIndexStack,
stateStoreStacks, ingestTracker, compactionTracker,
policiesStack, deadLetters);
policiesStack, ecsClusterTasksStack, deadLetters);

SleeperCoreStacks stacks = new SleeperCoreStacks(networking, loggingStack, deadLetters,
configBucketStack, tableIndexStack, policiesStack, stateStoreStacks, dataStack,
stateStoreCommitterStack, ingestTracker, compactionTracker, autoDeleteS3Stack, autoStopEcsStack);
stateStoreCommitterStack, ingestTracker, compactionTracker, autoDeleteS3Stack, ecsClusterTasksStack);

// Table state store maintenance
new TransactionLogSnapshotStack(scope, "TransactionLogSnapshot",
@@ -236,11 +236,11 @@ public void addAutoDeleteS3Objects(Construct scope, IBucket bucket) {
}

public void addAutoStopEcsClusterTasksAfterTaskCreatorIsDeleted(Construct scope, ICluster cluster, IFunction taskCreator) {
autoStopEcsStack.addAutoStopEcsClusterTasksAfterTaskCreatorIsDeleted(scope, cluster, taskCreator);
ecsClusterTasksStack.addAutoStopEcsClusterTasksAfterTaskCreatorIsDeleted(scope, cluster, taskCreator);
}

public AutoStopEcsClusterTasksStack getAutoStopEcsStack() {
return autoStopEcsStack;
public EcsClusterTasksStack getEcsClusterTasksStack() {
return ecsClusterTasksStack;
}

// The Lambda IFunction.getRole method is annotated as nullable, even though it will never return null in practice.
@@ -25,7 +25,6 @@
import software.amazon.awscdk.services.ec2.EbsDeviceOptions;
import software.amazon.awscdk.services.ec2.EbsDeviceVolumeType;
import software.amazon.awscdk.services.ec2.IMachineImage;
import software.amazon.awscdk.services.ec2.ISecurityGroup;
import software.amazon.awscdk.services.ec2.IVpc;
import software.amazon.awscdk.services.ec2.InstanceArchitecture;
import software.amazon.awscdk.services.ec2.InstanceClass;
@@ -51,7 +50,6 @@
import software.amazon.awscdk.services.iam.PolicyStatement;
import software.amazon.awscdk.services.lambda.CfnPermission;
import software.amazon.awscdk.services.lambda.IFunction;
import software.constructs.Construct;
import software.constructs.IDependable;

import sleeper.cdk.jars.SleeperLambdaCode;
@@ -70,14 +68,10 @@
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Predicate;
import java.util.stream.Collectors;

import static sleeper.core.properties.instance.CdkDefinedInstanceProperty.ACCOUNT;
import static sleeper.core.properties.instance.CdkDefinedInstanceProperty.COMPACTION_AUTO_SCALING_GROUP;
import static sleeper.core.properties.instance.CdkDefinedInstanceProperty.COMPACTION_TASK_EC2_DEFINITION_FAMILY;
import static sleeper.core.properties.instance.CommonProperty.ECS_SECURITY_GROUPS;
import static sleeper.core.properties.instance.CompactionProperty.COMPACTION_EC2_POOL_MAXIMUM;
import static sleeper.core.properties.instance.CompactionProperty.COMPACTION_EC2_POOL_MINIMUM;
import static sleeper.core.properties.instance.CompactionProperty.COMPACTION_EC2_ROOT_SIZE;
@@ -166,8 +160,7 @@ private void addEC2CapacityProvider(Cluster cluster, IVpc vpc, SleeperLambdaCode
.build())
.instanceProfile(InstanceProfile.Builder.create(stack, "CompactionScalingInstanceProfile").build())
.build();
addSecurityGroupReferences(stack, instanceProperties)
.forEach(scalingLaunchTemplate::addSecurityGroup);

AutoScalingGroup ec2scalingGroup = AutoScalingGroup.Builder.create(stack, "CompactionScalingGroup")
.vpc(vpc)
.launchTemplate(scalingLaunchTemplate)
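Review bot: With `addSecurityGroupReferences(...).forEach(scalingLaunchTemplate::addSecurityGroup)` removed, nothing in this hunk attaches any security group to `scalingLaunchTemplate`, so unless `EcsClusterTasksStack` adds the default group to it elsewhere, the compaction EC2 instances will launch with the VPC's default security group. Please confirm where the group is attached for the EC2 capacity provider, or add `scalingLaunchTemplate.addSecurityGroup(...)` with the default group here.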
@@ -266,13 +259,4 @@ private static AmiHardwareType lookupAmiHardwareType(InstanceArchitecture archit
throw new IllegalArgumentException("Unrecognised architecture: " + architecture);
}
}

private static List<ISecurityGroup> addSecurityGroupReferences(Construct scope, InstanceProperties instanceProperties) {
AtomicInteger index = new AtomicInteger(1);
return instanceProperties.getList(ECS_SECURITY_GROUPS).stream()
.filter(Predicate.not(String::isBlank))
.map(groupId -> SecurityGroup.fromLookupById(scope, "CompactionScalingSG" + index.getAndIncrement(), groupId))
.collect(Collectors.toList());
}

}