Fixed CIDR block
siddharth-singh1 committed Dec 9, 2024
1 parent 98b29ba commit 993551e
Showing 10 changed files with 36 additions and 16 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -136,6 +136,7 @@ No resources.
| <a name="input_alb"></a> [alb](#input\_alb) | Configuration settings for the Application Load Balancer (ALB). This includes attributes related to the ALB itself, such as its name, port, protocol, and other optional settings like access logs and tags. | <pre>object({<br/> name = optional(string, null)<br/> port = optional(number)<br/> protocol = optional(string, "HTTP")<br/> internal = optional(bool, false)<br/> load_balancer_type = optional(string, "application")<br/> idle_timeout = optional(number, 60)<br/> enable_deletion_protection = optional(bool, false)<br/> enable_http2 = optional(bool, true)<br/> certificate_arn = optional(string, null)<br/><br/> access_logs = optional(object({<br/> bucket = string<br/> enabled = optional(bool, false)<br/> prefix = optional(string, "")<br/> }))<br/><br/> tags = optional(map(string), {})<br/> })</pre> | n/a | yes |
| <a name="input_alb_target_group"></a> [alb\_target\_group](#input\_alb\_target\_group) | List of target groups to create | <pre>list(object({<br/> name = optional(string, "target-group")<br/> port = number<br/> protocol = optional(string, null)<br/> protocol_version = optional(string, "HTTP1")<br/> vpc_id = optional(string, "")<br/> target_type = optional(string, "ip")<br/> ip_address_type = optional(string, "ipv4")<br/> load_balancing_algorithm_type = optional(string, "round_robin")<br/> load_balancing_cross_zone_enabled = optional(string, "use_load_balancer_configuration")<br/> deregistration_delay = optional(number, 300)<br/> slow_start = optional(number, 0)<br/> tags = optional(map(string), {})<br/><br/> health_check = optional(object({<br/> enabled = optional(bool, true)<br/> protocol = optional(string, "HTTP")<br/> path = optional(string, "/")<br/> port = optional(string, "traffic-port")<br/> timeout = optional(number, 6)<br/> healthy_threshold = optional(number, 3)<br/> unhealthy_threshold = optional(number, 3)<br/> interval = optional(number, 30)<br/> matcher = optional(string, "200")<br/> }))<br/><br/> stickiness = optional(object({<br/> enabled = optional(bool, true)<br/> type = string<br/> cookie_duration = optional(number, 86400)<br/> })<br/> )<br/><br/> }))</pre> | n/a | yes |
| <a name="input_capacity_provider"></a> [capacity\_provider](#input\_capacity\_provider) | Configuration settings for the ECS capacity providers, including the capacity providers used for autoscaling and Fargate. This variable defines the properties of each capacity provider and how they are managed, such as scaling policies and termination protection. | <pre>object({<br/> autoscaling_capacity_providers = map(object({<br/> name = optional(string)<br/> auto_scaling_group_arn = string<br/> managed_termination_protection = optional(string, "DISABLED")<br/> managed_draining = optional(string, "ENABLED")<br/> managed_scaling = optional(object({<br/> instance_warmup_period = optional(number)<br/> maximum_scaling_step_size = optional(number)<br/> minimum_scaling_step_size = optional(number)<br/> status = optional(string)<br/> target_capacity = optional(number)<br/> }))<br/> tags = optional(map(string), {})<br/> }))<br/> default_capacity_provider_use_fargate = bool<br/> fargate_capacity_providers = any<br/> })</pre> | n/a | yes |
| <a name="input_cidr_blocks"></a> [cidr\_blocks](#input\_cidr\_blocks) | CIDR blocks for security group ingress rules | `list(string)` | <pre>[<br/> "0.0.0.0/0"<br/>]</pre> | no |
| <a name="input_create_alb"></a> [create\_alb](#input\_create\_alb) | Flag to create or skip the creation of ALB | `bool` | `false` | no |
| <a name="input_create_service"></a> [create\_service](#input\_create\_service) | Flag to create or skip the creation of ECS demo service | `bool` | `false` | no |
| <a name="input_ecs_cluster"></a> [ecs\_cluster](#input\_ecs\_cluster) | The ECS-specific values to use such as cluster, service, and repository names.<br/><br/>Keys:<br/> - cluster\_name: The name of the ECS cluster.<br/> - cluster\_configuration: The execute command configuration for the cluster.<br/> - cluster\_settings: A list of cluster settings (e.g., container insights). Default is an empty list.<br/> - cluster\_service\_connect\_defaults: Configures a default Service Connect namespace.<br/> - create\_cloudwatch\_log\_group: Boolean flag to specify whether to create a CloudWatch log group for the ECS cluster. | <pre>object({<br/> name = string<br/> configuration = optional(object({<br/> execute_command_configuration = optional(object({<br/> kms_key_id = optional(string, "")<br/> logging = optional(string, "DEFAULT")<br/> log_configuration = optional(object({<br/> cloudwatch_encryption_enabled = optional(bool, null)<br/> log_group_name = optional(string, null)<br/> log_group_retention_in_days = optional(number, null)<br/> log_group_kms_key_id = optional(string, null)<br/> log_group_tags = optional(map(string), null)<br/> s3_bucket_name = optional(string, null)<br/> s3_bucket_encryption_enabled = optional(bool, null)<br/> s3_key_prefix = optional(string, null)<br/> }), {})<br/> }), {})<br/> }), {})<br/> create_cloudwatch_log_group = bool<br/> service_connect_defaults = optional(map(string), null)<br/> settings = optional(any, null)<br/> tags = optional(map(string), null)<br/> })</pre> | n/a | yes |
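Review bot: the new `cidr_blocks` row advertises a default of `["0.0.0.0/0"]` and a description that says neither which security group it feeds nor that passing `null` selects the VPC CIDR (the fallback added in modules/alb/locals.tf). If this table is generated by terraform-docs, fix it at the source in variables.tf with a description along the lines of "CIDR blocks for the ALB security group ingress rules; when null, the VPC's CIDR block is used", so a reader sees both behaviours.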
2 changes: 2 additions & 0 deletions docs/module-usage-guide/README.md
Expand Up @@ -10,6 +10,8 @@ This document provides guidelines and instructions for users looking to implemen

The [Terraform AWS ARC ECS](https://github.com/sourcefuse/terraform-aws-arc-ecs) module provides a secure and modular foundation for deploying ECS clusters on AWS.

The Module assumes there is a docker image present on ECR which will serve as ECS service if the optional ECS module is called.

### Prerequisites

Before using this module, ensure you have the following:
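Review bot: wording in the added sentence: "docker" should be "Docker", "serve as ECS service" needs an article, and "the optional ECS module" is ambiguous now that the example exposes both `create_alb` and `create_service`. Suggest: "The module assumes a Docker image is already present in ECR; it is used as the container image of the ECS service when the optional service module is enabled (`create_service = true`)." This guide is also where a caller would expect to read that `cidr_blocks = null` restricts ALB ingress to the VPC CIDR, which the commit introduces but documents nowhere.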
14 changes: 8 additions & 6 deletions example/main.tf
Expand Up @@ -23,8 +23,8 @@ module "ecs_cluster" {
##########################################
## Flags for ALB and service modules
##########################################
create_alb = false
create_service = false
create_alb = true
create_service = true

#####################
## ecs cluster
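Review bot: flipping `create_alb` and `create_service` to `true` turns the example from a cluster-only deployment into one that also creates an ALB and a running service, which needs the ECR image the usage guide now mentions plus real ids in place of the placeholders further down. A comment above these two flags stating that prerequisite would stop a copy-paste run of the example from failing at apply time.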
Expand Down Expand Up @@ -72,22 +72,24 @@ module "ecs_cluster" {

task = {
tasks_desired = 1
container_port = 8100
container_port = 80
container_memory = 1024
container_vcpu = 256
container_definition = "container/container_definition.json.tftpl"
}

lb = {
name = "arc-poc-alb"
listener_port = 8100
security_group_id = ""
listener_port = 80
security_group_id = "sg-12345"
}

#####################
## ALB
#####################

cidr_blocks = null

alb = {
name = "arc-poc-alb"
internal = false
Expand All @@ -98,7 +100,7 @@ module "ecs_cluster" {
name = "arc-poc-alb-tg"
port = 80
protocol = "HTTP"
vpc_id = "vpc-123445"
vpc_id = "vpc-12345"
target_type = "ip"
health_check = {
enabled = true
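Review bot: `cidr_blocks = null` is doing real work here and nothing says so: because the root `variables.tf` still defaults to `["0.0.0.0/0"]`, `null` is the only value that reaches the VPC-CIDR fallback in modules/alb/locals.tf, and combined with `internal = false` it yields an internet-facing ALB whose security group only admits the VPC CIDR, i.e. unreachable from the internet. Suggest a comment such as `# null = restrict ALB ingress to the VPC CIDR; set explicitly for an internet-facing ALB`. The `security_group_id = "sg-12345"` and `vpc_id = "vpc-12345"` values are placeholders that AWS will reject at apply; the 8100 to 80 change for `container_port` and `listener_port` does line up with the target group `port = 80` below.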
4 changes: 3 additions & 1 deletion main.tf
Expand Up @@ -29,7 +29,9 @@ module "alb" {
count = var.create_alb ? 1 : 0
source = "./modules/alb"

vpc_id = var.vpc_id
vpc_id = var.vpc_id
cidr_blocks = var.cidr_blocks


alb = {
name = var.alb.name
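Review bot: passing `var.cidr_blocks` straight through means the submodule's new `default = null` is never seen by a caller who leaves the root variable unset, since the root default (`["0.0.0.0/0"]` in variables.tf) always wins; the fallback only works for callers who explicitly pass `null`. Style: one of the two blank lines after the new `cidr_blocks = var.cidr_blocks` line should go.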
5 changes: 5 additions & 0 deletions modules/alb/data.tf
Expand Up @@ -12,3 +12,8 @@ data "aws_subnet" "public" {

id = each.value
}

# To get VPC CIDR for ALB security group as default ingress
data "aws_vpc" "this" {
id = var.vpc_id
}
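Review bot: the comment reads awkwardly; suggest `# VPC CIDR, used as the ALB security group's default ingress range when var.cidr_blocks is null`. The lookup runs on every plan even when the caller supplies `cidr_blocks`, which is harmless, but worth a word in the comment so nobody "optimises" it away later.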
3 changes: 3 additions & 0 deletions modules/alb/locals.tf
Expand Up @@ -4,4 +4,7 @@ locals {
for s in data.aws_subnet.public :
s.id if lookup(s.tags, "Type", "") == "public"
]

cidr_blocks = var.cidr_blocks != null ? var.cidr_blocks : [data.aws_vpc.this.cidr_block]

}
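Review bot: the fallback `[data.aws_vpc.this.cidr_block]` changes the security posture depending on whether the caller passed `null`: ALB ingress on 80/443 is limited to the VPC's primary CIDR, which is the safer default, but it makes an `internal = false` ALB (as in the example) unreachable from outside the VPC, and `cidr_block` covers only the primary CIDR, not secondary associations. State both in the `cidr_blocks` variable description. Also drop the stray blank line before the closing `}`.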
4 changes: 2 additions & 2 deletions modules/alb/main.tf
Expand Up @@ -24,14 +24,14 @@ resource "aws_security_group" "lb_sg" {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = var.cidr_blocks
cidr_blocks = local.cidr_blocks
}

ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = var.cidr_blocks
cidr_blocks = local.cidr_blocks
}

egress {
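Review bot: both ingress rules now share `local.cidr_blocks`, which is right, but the ports stay hardcoded at 80 and 443 regardless of `alb.port` or whether `certificate_arn` is set (see the `alb` input in README.md), so an HTTP-only ALB still opens 443 to the allowed CIDRs and an ALB listening on a non-default port gets no rule at all; consider deriving the ingress ports from the configured listener(s).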
4 changes: 2 additions & 2 deletions modules/alb/variables.tf
Expand Up @@ -10,9 +10,9 @@ variable "vpc_id" {
}

variable "cidr_blocks" {
description = "CIDR blocks for security group ingress rules"
description = "CIDR blocks for ALB security group ingress rules"
type = list(string)
default = ["0.0.0.0/0"]
default = null
}


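Review bot: `default = null` is the right direction, but the description should say what `null` means ("null selects the VPC CIDR block"), and a validation block would reject malformed entries before the security group is created, e.g. `validation { condition = var.cidr_blocks == null ? true : alltrue([for c in var.cidr_blocks : can(cidrhost(c, 0))])` with an error_message naming the bad input. The conditional form matters: `[for c in null : ...]` is an error, so `||` would not work here.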
9 changes: 4 additions & 5 deletions modules/ecs_service/main.tf
Expand Up @@ -75,11 +75,10 @@ resource "aws_security_group" "ecs" {
vpc_id = var.vpc_id

ingress {
description = "Allow inbound proxy traffic"
from_port = var.task.container_port
to_port = var.task.container_port
protocol = "tcp"
#cidr_blocks = [for subnet in data.aws_subnet.private : subnet.cidr_block]
description = "Allow inbound proxy traffic"
from_port = var.task.container_port
to_port = var.task.container_port
protocol = "tcp"
security_groups = [var.lb.security_group_id]
}

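Review bot: with the commented-out `cidr_blocks` line gone, the task security group's only ingress source is `var.lb.security_group_id`; when `create_alb = true` that should be wired from the ALB module's security group in the root main.tf rather than typed by the caller (the example now uses the placeholder `"sg-12345"`, and its previous `""` would have produced `security_groups = [""]`, which AWS rejects). The re-indentation is a `terraform fmt` result and is fine.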
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -84,6 +84,12 @@ variable "vpc_id" {
description = "ID of VPC in which all resources need to be created"
}

variable "cidr_blocks" {
description = "CIDR blocks for security group ingress rules"
type = list(string)
default = ["0.0.0.0/0"]
}

variable "alb" {
description = "Configuration settings for the Application Load Balancer (ALB). This includes attributes related to the ALB itself, such as its name, port, protocol, and other optional settings like access logs and tags."
type = object({
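Review bot: the root `cidr_blocks` keeps `default = ["0.0.0.0/0"]`, so the VPC-CIDR fallback added in modules/alb is reached only by callers who explicitly pass `null` (as example/main.tf now does); every existing caller still gets a load balancer security group open to the internet on 80 and 443, and the README table documents that as the default. If "Fixed CIDR block" is meant to be a safer default, set `default = null` here too and align the description with the submodule's ("CIDR blocks for ALB security group ingress rules").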
