We left the default open because we couldn't predict what ports someone's tasks might require. For example, a task that launches on an ephemeral port and registers to an ALB. My reading of the ECS docs https://docs.aws.amazon.com/AmazonECS/latest/developerguide/get-set-up-for-amazon-ecs.html#create-a-base-security-group leaves me thinking that the SG on the instance would need to know what ports the tasks might need. Also, in part because of the way the SG is implemented (I used ingress and egress blocks rather than the TF Security Group Rule resource), refactoring this will be a breaking change. 😢 I've added a refactor to our backlog, and we could add a default of something like "open to only my VPC", but in general I think I prefer providing an interface where the end user can apply appropriate rules rather than predict what those might be.
However, I'd be totally happy if you wanted to update the README to call that out a bit more! That would be fantastic!
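To make the two shapes discussed above concrete, here is an added Terraform example (not the module's own code): the open inline-block default beside a version built from `aws_security_group_rule` resources that defaults to the VPC CIDR and lets the caller add the ALB-to-instance rule separately. The variables `vpc_id` and `alb_security_group_id` and the ephemeral port range are assumptions for illustration.

```hcl
variable "vpc_id" { type = string }                 # assumed input
variable "alb_security_group_id" { type = string }  # assumed input

# Weak default as shipped: inline ingress/egress blocks admitting everything.
# Inline blocks are also why tightening this later is a breaking change:
# Terraform must replace the rule set rather than add to it.
variable "allowed_cidr_blocks" {
  type    = list(string)
  default = ["0.0.0.0/0"]
}

resource "aws_security_group" "ecs_instance_open" {
  name   = "ecs-instance-open"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = var.allowed_cidr_blocks
  }
}

# Safer shape: the SG itself carries no inline rules, so rules can be added,
# removed or overridden by the caller without recreating the group.
resource "aws_security_group" "ecs_instance" {
  name   = "ecs-instance"
  vpc_id = var.vpc_id
}

data "aws_vpc" "this" {
  id = var.vpc_id
}

# "Open to only my VPC": all protocols, but only from the VPC's own CIDR.
resource "aws_security_group_rule" "ingress_vpc" {
  type              = "ingress"
  security_group_id = aws_security_group.ecs_instance.id
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = [data.aws_vpc.this.cidr_block]
}

# Tasks on dynamic host ports registered to an ALB: allow the assumed
# ephemeral range only from the ALB's security group, not from a CIDR.
resource "aws_security_group_rule" "ingress_from_alb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.ecs_instance.id
  from_port                = 32768
  to_port                  = 65535
  protocol                 = "tcp"
  source_security_group_id = var.alb_security_group_id
}
```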
The module creates a security group allowing all traffic from everywhere. Not sure that's a safe default.
There should at least be a warning about this behavior (I don't think it's enough to just mention this in the allowed_cidr_blocks bullet point).