Merge pull request #11 from unity-sds/431-lockdown-ecs-alb-shared-services

jpl-btlunsfo · web-flow · commit ff8fc11a3e87 · 2025-01-22T10:06:32.000-08:00
Lockdown ECS ALB to only allow Shared Services connections
diff --git a/terraform-unity/networking.tf b/terraform-unity/networking.tf
@@ -1,10 +1,10 @@
 # Create an Application Load Balancer (ALB)
 resource "aws_lb" "httpd_alb" {
   name                       = "${var.project}-${var.venue}-httpd-alb"
-  internal                   = false
+  internal                   = true
   load_balancer_type         = "application"
   security_groups            = [aws_security_group.ecs_alb_sg.id]
-  subnets                    = local.public_subnet_ids
+  subnets                    = local.subnet_ids
   enable_deletion_protection = false
   preserve_host_header       = true
   tags = {
@@ -110,16 +110,6 @@ resource "aws_vpc_security_group_ingress_rule" "ecs_alb_ingress_sg_rule" {
   referenced_security_group_id = aws_security_group.ecs_alb_sg.id
 }
 
-# Add a new ingress rule to the ECS ALB's security group, opening it up to other connections
-#tfsec:ignore:AVD-AWS-0107
-resource "aws_vpc_security_group_ingress_rule" "alb_all_ingress_sg_rule" {
-  security_group_id = aws_security_group.ecs_alb_sg.id
-  to_port           = 8080
-  from_port         = 8080
-  ip_protocol       = "tcp"
-  cidr_ipv4         = "0.0.0.0/0"
-}
-
 # Add a new egress rule to the ECS's security group, allowing ECS to fetch the container images/proxy
 resource "aws_vpc_security_group_egress_rule" "ecs_egress_sg_rule" {
   security_group_id = aws_security_group.ecs_sg.id
@@ -137,3 +127,23 @@ resource "aws_vpc_security_group_egress_rule" "ecs_alb_egress_sg_rule" {
   ip_protocol       = "tcp"
   cidr_ipv4         = "0.0.0.0/0"
 }
+
+data "aws_ssm_parameter" "shared-services_security_group" {
+  name = "arn:aws:ssm:${data.aws_ssm_parameter.shared_service_region.value}:${data.aws_ssm_parameter.shared_service_account_id.value}:parameter/unity/shared-services/network/httpd_security_group"
+}
+
+resource "aws_vpc_security_group_ingress_rule" "ecs_alb_sg_ingress_rule" {
+  security_group_id = aws_security_group.ecs_alb_sg.id
+  from_port         = 8080
+  to_port           = 8080
+  ip_protocol       = "tcp"
+  referenced_security_group_id = data.aws_ssm_parameter.shared-services_security_group.value
+}
+
+resource "aws_vpc_security_group_egress_rule" "ecs_sg_egress_rule" {
+  security_group_id            = aws_security_group.ecs_sg.id
+  from_port                    = 0
+  to_port                      = 65535
+  ip_protocol                  = "tcp"
+  referenced_security_group_id = data.aws_security_group.mc_alb_sg.id
+}
