add a security group for ecs tasks (#2717)

Author: rudransh-shrivastava

infrastructure/README.md

@@ -164,8 +164,7 @@ Migrate and load data into the new database.
       - Networking:
          - VPC: owasp-nest-staging-vpc
          - Subnets: subnets will be auto-selected due to VPC selection.
-         - Security group name: select all with `owasp-nest-staging-` prefix.
-            (*Note*: temporary step, will be further improved)
+         - Security group name: select the ECS security group (e.g. `owasp-nest-staging-ecs-sg`).
    - Click "Create"
    - The task is now running... Click on the task ID to view Logs, Status, etc.
    - Follow the same steps for `owasp-nest-staging-load-data` and `owasp-nest-staging-index-data`.

infrastructure/main.tf

@@ -61,10 +61,10 @@ module "ecs" {
   aws_region                    = var.aws_region
   common_tags                   = local.common_tags
   container_parameters_arns     = module.parameters.ssm_parameter_arns
+  ecs_sg_id                     = module.security.ecs_sg_id
   environment                   = var.environment
   fixtures_read_only_policy_arn = module.storage.fixtures_read_only_policy_arn
   fixtures_s3_bucket            = var.fixtures_s3_bucket
-  lambda_sg_id                  = module.security.lambda_sg_id
   private_subnet_ids            = module.networking.private_subnet_ids
   project_name                  = var.project_name
 }

infrastructure/modules/ecs/main.tf

@@ -133,7 +133,7 @@ module "sync_data_task" {
   private_subnet_ids           = var.private_subnet_ids
   project_name                 = var.project_name
   schedule_expression          = "cron(17 05 * * ? *)"
-  security_group_ids           = [var.lambda_sg_id]
+  security_group_ids           = [var.ecs_sg_id]
   task_name                    = "sync-data"
 }
 
@@ -162,7 +162,7 @@ module "owasp_update_project_health_metrics_task" {
   private_subnet_ids           = var.private_subnet_ids
   project_name                 = var.project_name
   schedule_expression          = "cron(17 17 * * ? *)"
-  security_group_ids           = [var.lambda_sg_id]
+  security_group_ids           = [var.ecs_sg_id]
   task_name                    = "owasp-update-project-health-metrics"
 }
 
@@ -183,7 +183,7 @@ module "owasp_update_project_health_scores_task" {
   private_subnet_ids           = var.private_subnet_ids
   project_name                 = var.project_name
   schedule_expression          = "cron(22 17 * * ? *)"
-  security_group_ids           = [var.lambda_sg_id]
+  security_group_ids           = [var.ecs_sg_id]
   task_name                    = "owasp-update-project-health-scores"
 }
 
@@ -202,7 +202,7 @@ module "migrate_task" {
   memory                       = var.migrate_task_memory
   private_subnet_ids           = var.private_subnet_ids
   project_name                 = var.project_name
-  security_group_ids           = [var.lambda_sg_id]
+  security_group_ids           = [var.ecs_sg_id]
   task_name                    = "migrate"
 }
 
@@ -231,7 +231,7 @@ module "load_data_task" {
   memory                       = var.load_data_task_memory
   private_subnet_ids           = var.private_subnet_ids
   project_name                 = var.project_name
-  security_group_ids           = [var.lambda_sg_id]
+  security_group_ids           = [var.ecs_sg_id]
   task_name                    = "load-data"
   task_role_arn                = aws_iam_role.ecs_task_role.arn
 }
@@ -251,6 +251,6 @@ module "index_data_task" {
   memory                       = var.index_data_task_memory
   private_subnet_ids           = var.private_subnet_ids
   project_name                 = var.project_name
-  security_group_ids           = [var.lambda_sg_id]
+  security_group_ids           = [var.ecs_sg_id]
   task_name                    = "index-data"
 }

infrastructure/modules/ecs/variables.tf

@@ -15,6 +15,11 @@ variable "container_parameters_arns" {
   default     = {}
 }
 
+variable "ecs_sg_id" {
+  description = "The ID of the security group for the ECS tasks"
+  type        = string
+}
+
 variable "environment" {
   description = "The environment (e.g., staging, production)"
   type        = string
@@ -42,10 +47,7 @@ variable "index_data_task_memory" {
   default     = "2048"
 }
 
-variable "lambda_sg_id" {
-  description = "The ID of the security group for the Lambda function"
-  type        = string
-}
+
 
 variable "load_data_task_cpu" {
   description = "The CPU for the load-data task"

infrastructure/modules/security/main.tf

@@ -13,6 +13,23 @@ terraform {
   }
 }
 
+resource "aws_security_group" "ecs" {
+  description = "Security group for ECS tasks"
+  name        = "${var.project_name}-${var.environment}-ecs-sg"
+  tags = merge(var.common_tags, {
+    Name = "${var.project_name}-${var.environment}-ecs-sg"
+  })
+  vpc_id = var.vpc_id
+
+  egress {
+    cidr_blocks = var.default_egress_cidr_blocks
+    description = "Allow all outbound traffic"
+    from_port   = 0
+    protocol    = "-1"
+    to_port     = 0
+  }
+}
+
 resource "aws_security_group" "lambda" {
   description = "Security group for Lambda functions (Zappa)"
   name        = "${var.project_name}-${var.environment}-lambda-sg"
@@ -90,6 +107,17 @@ resource "aws_security_group" "redis" {
   }
 }
 
+resource "aws_security_group_rule" "rds_from_ecs" {
+  count                    = var.create_rds_proxy ? 0 : 1
+  description              = "PostgreSQL from ECS"
+  from_port                = var.db_port
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.rds.id
+  source_security_group_id = aws_security_group.ecs.id
+  to_port                  = var.db_port
+  type                     = "ingress"
+}
+
 resource "aws_security_group_rule" "rds_from_lambda" {
   count                    = var.create_rds_proxy ? 0 : 1
   description              = "PostgreSQL from Lambda"
@@ -112,6 +140,17 @@ resource "aws_security_group_rule" "rds_from_proxy" {
   source_security_group_id = aws_security_group.rds_proxy[0].id
 }
 
+resource "aws_security_group_rule" "rds_proxy_from_ecs" {
+  count                    = var.create_rds_proxy ? 1 : 0
+  type                     = "ingress"
+  description              = "PostgreSQL from ECS"
+  from_port                = var.db_port
+  to_port                  = var.db_port
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.rds_proxy[0].id
+  source_security_group_id = aws_security_group.ecs.id
+}
+
 resource "aws_security_group_rule" "rds_proxy_from_lambda" {
   count                    = var.create_rds_proxy ? 1 : 0
   type                     = "ingress"
@@ -122,3 +161,13 @@ resource "aws_security_group_rule" "rds_proxy_from_lambda" {
   security_group_id        = aws_security_group.rds_proxy[0].id
   source_security_group_id = aws_security_group.lambda.id
 }
+
+resource "aws_security_group_rule" "redis_from_ecs" {
+  description              = "Redis from ECS"
+  from_port                = var.redis_port
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.redis.id
+  source_security_group_id = aws_security_group.ecs.id
+  to_port                  = var.redis_port
+  type                     = "ingress"
+}

infrastructure/modules/security/outputs.tf

@@ -1,3 +1,8 @@
+output "ecs_sg_id" {
+  description = "The ID of the ECS security group"
+  value       = aws_security_group.ecs.id
+}
+
 output "lambda_sg_id" {
   description = "The ID of the Lambda security group"
   value       = aws_security_group.lambda.id