Merge pull request #6 from unity-sds/431-lockdown-mc-alb-allow-ecs

Add implicit ingress rule creation for venue-services proxy connection to the management console
unity-sds · Sep 5, 2024 · 4b75729 · 4b75729
2 parents 9c3214d + 7dc9dba
commit 4b75729
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 10 deletions.
diff --git a/terraform-unity/ecs.tf b/terraform-unity/ecs.tf
@@ -160,3 +160,22 @@ resource "aws_ecs_service" "httpd_service" {
     aws_ssm_parameter.managementproxy_config
   ]
 }
+
+# Find the MC's ALB's security group (created before unity-proxy)
+data "aws_security_group" "mc_alb_sg" {
+  tags = {
+    Name        = "Unity Management Console Load Balancer SG"
+    Venue       = var.venue
+    ServiceArea = "cs"
+    Proj        = var.project
+  }
+}
+
+# Add a new ingress rule to the MC ALB's security group, allowing the ECS instance to connect
+resource "aws_vpc_security_group_ingress_rule" "ecs_mc_alb_ingress_sg_rule" {
+  security_group_id            = data.aws_security_group.mc_alb_sg.id
+  to_port                      = 8080
+  from_port                    = 8080
+  ip_protocol                  = "tcp"
+  referenced_security_group_id = aws_security_group.ecs_sg.id
+}
diff --git a/terraform-unity/lambda.tf b/terraform-unity/lambda.tf
@@ -22,6 +22,7 @@ resource "aws_lambda_function" "httpdlambda" {
     Service = "U-CS"
   }
 }
+
 resource "aws_security_group" "lambda_sg" {
   name        = "${var.project}-${var.venue}-httpd_lambda_sg"
   description = "Security group for httpd lambda service"

diff --git a/terraform-unity/networking.tf b/terraform-unity/networking.tf
@@ -48,12 +48,12 @@ resource "aws_lb_listener" "httpd_listener" {
   }
 }
 # Unity shared serive account ID
-data "aws_ssm_parameter" "shared_service_account_id"{
+data "aws_ssm_parameter" "shared_service_account_id" {
   name = var.ssm_account_id
 }
 
 #Unity shared serive account region
-data "aws_ssm_parameter" "shared_service_region"{
+data "aws_ssm_parameter" "shared_service_region" {
   name = var.ssm_region
 }
 
@@ -71,11 +71,11 @@ resource "aws_ssm_parameter" "mgmt_endpoint" {
 
 # New SSM parameter for management console
 resource "aws_ssm_parameter" "management_console_url" {
-  name  = "/unity/${var.project}/${var.venue}/component/management-console"
-  type  = "String"
+  name = "/unity/${var.project}/${var.venue}/component/management-console"
+  type = "String"
   value = jsonencode({
-    healthCheckUrl   = "https://www.${data.aws_ssm_parameter.shared-service-domain.value}:4443/${var.project}/${var.venue}/management/api/health_checks"
-    landingPageUrl   = "https://www.${data.aws_ssm_parameter.shared-service-domain.value}:4443/${var.project}/${var.venue}/management/ui/landing"
-    componentName    = "Management Console"
+    healthCheckUrl = "https://www.${data.aws_ssm_parameter.shared-service-domain.value}:4443/${var.project}/${var.venue}/management/api/health_checks"
+    landingPageUrl = "https://www.${data.aws_ssm_parameter.shared-service-domain.value}:4443/${var.project}/${var.venue}/management/ui/landing"
+    componentName  = "Management Console"
   })
 }
diff --git a/terraform-unity/variables.tf b/terraform-unity/variables.tf
@@ -40,10 +40,10 @@ variable "httpd_proxy_version" {
   default     = "0.16.0"
 }
 
-variable "ssm_account_id"{
+variable "ssm_account_id" {
   description = "Name of the SSM paramter for shared service account ID"
-  type = string
-  default = "/unity/shared-services/aws/account"
+  type        = string
+  default     = "/unity/shared-services/aws/account"
 }
 
 variable "ssm_region" {