Fixed CIDR block

siddharth-singh1 · siddharth-singh1 · commit 993551eefc51 · 2024-12-09T20:23:38.000+05:30
diff --git a/README.md b/README.md
@@ -136,6 +136,7 @@ No resources.
 | <a name="input_alb"></a> [alb](#input\_alb) | Configuration settings for the Application Load Balancer (ALB). This includes attributes related to the ALB itself, such as its name, port, protocol, and other optional settings like access logs and tags. | <pre>object({<br/>    name                       = optional(string, null)<br/>    port                       = optional(number)<br/>    protocol                   = optional(string, "HTTP")<br/>    internal                   = optional(bool, false)<br/>    load_balancer_type         = optional(string, "application")<br/>    idle_timeout               = optional(number, 60)<br/>    enable_deletion_protection = optional(bool, false)<br/>    enable_http2               = optional(bool, true)<br/>    certificate_arn            = optional(string, null)<br/><br/>    access_logs = optional(object({<br/>      bucket  = string<br/>      enabled = optional(bool, false)<br/>      prefix  = optional(string, "")<br/>    }))<br/><br/>    tags = optional(map(string), {})<br/>  })</pre> | n/a | yes |
 | <a name="input_alb_target_group"></a> [alb\_target\_group](#input\_alb\_target\_group) | List of target groups to create | <pre>list(object({<br/>    name                              = optional(string, "target-group")<br/>    port                              = number<br/>    protocol                          = optional(string, null)<br/>    protocol_version                  = optional(string, "HTTP1")<br/>    vpc_id                            = optional(string, "")<br/>    target_type                       = optional(string, "ip")<br/>    ip_address_type                   = optional(string, "ipv4")<br/>    load_balancing_algorithm_type     = optional(string, "round_robin")<br/>    load_balancing_cross_zone_enabled = optional(string, "use_load_balancer_configuration")<br/>    deregistration_delay              = optional(number, 300)<br/>    slow_start                        = optional(number, 0)<br/>    tags                              = optional(map(string), {})<br/><br/>    health_check = optional(object({<br/>      enabled             = optional(bool, true)<br/>      protocol            = optional(string, "HTTP")<br/>      path                = optional(string, "/")<br/>      port                = optional(string, "traffic-port")<br/>      timeout             = optional(number, 6)<br/>      healthy_threshold   = optional(number, 3)<br/>      unhealthy_threshold = optional(number, 3)<br/>      interval            = optional(number, 30)<br/>      matcher             = optional(string, "200")<br/>    }))<br/><br/>    stickiness = optional(object({<br/>      enabled         = optional(bool, true)<br/>      type            = string<br/>      cookie_duration = optional(number, 86400)<br/>      })<br/>    )<br/><br/>  }))</pre> | n/a | yes |
 | <a name="input_capacity_provider"></a> [capacity\_provider](#input\_capacity\_provider) | Configuration settings for the ECS capacity providers, including the capacity providers used for autoscaling and Fargate. This variable defines the properties of each capacity provider and how they are managed, such as scaling policies and termination protection. | <pre>object({<br/>    autoscaling_capacity_providers = map(object({<br/>      name                           = optional(string)<br/>      auto_scaling_group_arn         = string<br/>      managed_termination_protection = optional(string, "DISABLED")<br/>      managed_draining               = optional(string, "ENABLED")<br/>      managed_scaling = optional(object({<br/>        instance_warmup_period    = optional(number)<br/>        maximum_scaling_step_size = optional(number)<br/>        minimum_scaling_step_size = optional(number)<br/>        status                    = optional(string)<br/>        target_capacity           = optional(number)<br/>      }))<br/>      tags = optional(map(string), {})<br/>    }))<br/>    default_capacity_provider_use_fargate = bool<br/>    fargate_capacity_providers            = any<br/>  })</pre> | n/a | yes |
+| <a name="input_cidr_blocks"></a> [cidr\_blocks](#input\_cidr\_blocks) | CIDR blocks for security group ingress rules | `list(string)` | <pre>[<br/>  "0.0.0.0/0"<br/>]</pre> | no |
 | <a name="input_create_alb"></a> [create\_alb](#input\_create\_alb) | Flag to create or skip the creation of ALB | `bool` | `false` | no |
 | <a name="input_create_service"></a> [create\_service](#input\_create\_service) | Flag to create or skip the creation of ECS demo service | `bool` | `false` | no |
 | <a name="input_ecs_cluster"></a> [ecs\_cluster](#input\_ecs\_cluster) | The ECS-specific values to use such as cluster, service, and repository names.<br/><br/>Keys:<br/>  - cluster\_name: The name of the ECS cluster.<br/>  - cluster\_configuration: The execute command configuration for the cluster.<br/>  - cluster\_settings: A list of cluster settings (e.g., container insights). Default is an empty list.<br/>  - cluster\_service\_connect\_defaults: Configures a default Service Connect namespace.<br/>  - create\_cloudwatch\_log\_group: Boolean flag to specify whether to create a CloudWatch log group for the ECS cluster. | <pre>object({<br/>    name = string<br/>    configuration = optional(object({<br/>      execute_command_configuration = optional(object({<br/>        kms_key_id = optional(string, "")<br/>        logging    = optional(string, "DEFAULT")<br/>        log_configuration = optional(object({<br/>          cloudwatch_encryption_enabled = optional(bool, null)<br/>          log_group_name                = optional(string, null)<br/>          log_group_retention_in_days   = optional(number, null)<br/>          log_group_kms_key_id          = optional(string, null)<br/>          log_group_tags                = optional(map(string), null)<br/>          s3_bucket_name                = optional(string, null)<br/>          s3_bucket_encryption_enabled  = optional(bool, null)<br/>          s3_key_prefix                 = optional(string, null)<br/>        }), {})<br/>      }), {})<br/>    }), {})<br/>    create_cloudwatch_log_group = bool<br/>    service_connect_defaults    = optional(map(string), null)<br/>    settings                    = optional(any, null)<br/>    tags                        = optional(map(string), null)<br/>  })</pre> | n/a | yes |
diff --git a/docs/module-usage-guide/README.md b/docs/module-usage-guide/README.md
@@ -10,6 +10,8 @@ This document provides guidelines and instructions for users looking to implemen
 
 The [Terraform AWS ARC ECS](https://github.com/sourcefuse/terraform-aws-arc-ecs) module provides a secure and modular foundation for deploying ECS clusters on AWS.
 
+The Module assumes there is a docker image present on ECR which will serve as ECS service if the optional ECS module is called.
+
 ### Prerequisites
 
 Before using this module, ensure you have the following:
diff --git a/example/main.tf b/example/main.tf
@@ -23,8 +23,8 @@ module "ecs_cluster" {
   ##########################################
   ## Flags for ALB and service modules
   ##########################################
-  create_alb     = false
-  create_service = false
+  create_alb     = true
+  create_service = true
 
   #####################
   ## ecs cluster
@@ -72,22 +72,24 @@ module "ecs_cluster" {
 
   task = {
     tasks_desired        = 1
-    container_port       = 8100
+    container_port       = 80
     container_memory     = 1024
     container_vcpu       = 256
     container_definition = "container/container_definition.json.tftpl"
   }
 
   lb = {
     name              = "arc-poc-alb"
-    listener_port     = 8100
-    security_group_id = ""
+    listener_port     = 80
+    security_group_id = "sg-12345"
   }
 
   #####################
   ## ALB
   #####################
 
+  cidr_blocks = null
+
   alb = {
     name     = "arc-poc-alb"
     internal = false
@@ -98,7 +100,7 @@ module "ecs_cluster" {
     name        = "arc-poc-alb-tg"
     port        = 80
     protocol    = "HTTP"
-    vpc_id      = "vpc-123445"
+    vpc_id      = "vpc-12345"
     target_type = "ip"
     health_check = {
       enabled = true
diff --git a/main.tf b/main.tf
@@ -29,7 +29,9 @@ module "alb" {
   count  = var.create_alb ? 1 : 0
   source = "./modules/alb"
 
-  vpc_id = var.vpc_id
+  vpc_id      = var.vpc_id
+  cidr_blocks = var.cidr_blocks
+
 
   alb = {
     name                       = var.alb.name
diff --git a/modules/alb/data.tf b/modules/alb/data.tf
@@ -12,3 +12,8 @@ data "aws_subnet" "public" {
 
   id = each.value
 }
+
+# To get VPC CIDR for ALB security group as default ingress
+data "aws_vpc" "this" {
+  id = var.vpc_id
+}
diff --git a/modules/alb/locals.tf b/modules/alb/locals.tf
@@ -4,4 +4,7 @@ locals {
     for s in data.aws_subnet.public :
     s.id if lookup(s.tags, "Type", "") == "public"
   ]
+
+  cidr_blocks = var.cidr_blocks != null ? var.cidr_blocks : [data.aws_vpc.this.cidr_block]
+
 }
diff --git a/modules/alb/main.tf b/modules/alb/main.tf
@@ -24,14 +24,14 @@ resource "aws_security_group" "lb_sg" {
     from_port   = 80
     to_port     = 80
     protocol    = "tcp"
-    cidr_blocks = var.cidr_blocks
+    cidr_blocks = local.cidr_blocks
   }
 
   ingress {
     from_port   = 443
     to_port     = 443
     protocol    = "tcp"
-    cidr_blocks = var.cidr_blocks
+    cidr_blocks = local.cidr_blocks
   }
 
   egress {
diff --git a/modules/alb/variables.tf b/modules/alb/variables.tf
@@ -10,9 +10,9 @@ variable "vpc_id" {
 }
 
 variable "cidr_blocks" {
-  description = "CIDR blocks for security group ingress rules"
+  description = "CIDR blocks for ALB security group ingress rules"
   type        = list(string)
-  default     = ["0.0.0.0/0"]
+  default     = null
 }
 
 
diff --git a/modules/ecs_service/main.tf b/modules/ecs_service/main.tf
@@ -75,11 +75,10 @@ resource "aws_security_group" "ecs" {
   vpc_id      = var.vpc_id
 
   ingress {
-    description = "Allow inbound proxy traffic"
-    from_port   = var.task.container_port
-    to_port     = var.task.container_port
-    protocol    = "tcp"
-    #cidr_blocks     = [for subnet in data.aws_subnet.private : subnet.cidr_block]
+    description     = "Allow inbound proxy traffic"
+    from_port       = var.task.container_port
+    to_port         = var.task.container_port
+    protocol        = "tcp"
     security_groups = [var.lb.security_group_id]
   }
 
diff --git a/variables.tf b/variables.tf
@@ -84,6 +84,12 @@ variable "vpc_id" {
   description = "ID of VPC in which all resources need to be created"
 }
 
+variable "cidr_blocks" {
+  description = "CIDR blocks for security group ingress rules"
+  type        = list(string)
+  default     = ["0.0.0.0/0"]
+}
+
 variable "alb" {
   description = "Configuration settings for the Application Load Balancer (ALB). This includes attributes related to the ALB itself, such as its name, port, protocol, and other optional settings like access logs and tags."
   type = object({

Original file line number	Diff line number	Diff line change
`@@ -12,3 +12,8 @@ data "aws_subnet" "public" {`
`12`	`12`
`13`	`13`	`id = each.value`
`14`	`14`	`}`
	`15`	`+`
	`16`	`+# To get VPC CIDR for ALB security group as default ingress`
	`17`	`+data "aws_vpc" "this" {`
	`18`	`+ id = var.vpc_id`
	`19`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -4,4 +4,7 @@ locals {`
`4`	`4`	`for s in data.aws_subnet.public :`
`5`	`5`	`s.id if lookup(s.tags, "Type", "") == "public"`
`6`	`6`	`]`
	`7`	`+`
	`8`	`+ cidr_blocks = var.cidr_blocks != null ? var.cidr_blocks : [data.aws_vpc.this.cidr_block]`
	`9`	`+`
`7`	`10`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,9 +10,9 @@ variable "vpc_id" {`
`10`	`10`	`}`
`11`	`11`
`12`	`12`	`variable "cidr_blocks" {`
`13`		`- description = "CIDR blocks for security group ingress rules"`
	`13`	`+ description = "CIDR blocks for ALB security group ingress rules"`
`14`	`14`	`type = list(string)`
`15`		`- default = ["0.0.0.0/0"]`
	`15`	`+ default = null`
`16`	`16`	`}`
`17`	`17`
`18`	`18`