feat: add default security group stack

src/fargate.ts

@@ -12,6 +12,7 @@ import * as targets from 'aws-cdk-lib/aws-route53-targets'
 import { StackConfig } from './configuration'
 import { ARecord } from './route53'
 import * as elb from 'aws-cdk-lib/aws-elasticloadbalancingv2'
+import { SecurityGroup } from './security-group'
 
 // Default docker image to use
 const DEFAULT_IMAGE = 'nginxdemos/hello:latest'
@@ -50,6 +51,7 @@ interface FargateServiceProps extends cdk.NestedStackProps {
   repository?: ecr.IRepository
   taskConfiguration: TaskConfiguration
   image?: ecs.ContainerImage
+  securityGroup?: ec2.ISecurityGroup
 }
 
 /**
@@ -77,6 +79,7 @@ export class FargateService extends cdk.NestedStack {
       zone,
       repository,
       taskConfiguration,
+      securityGroup: defaultSecurityGroup,
     } = props
 
     // Compile secrets into list of mapped ecs.Secrets
@@ -104,10 +107,21 @@ export class FargateService extends cdk.NestedStack {
         ecs.ContainerImage.fromEcrRepository(repository, imageVersion)) ||
       ecs.ContainerImage.fromRegistry(DEFAULT_IMAGE)
 
+    // Scaffold default security group if not provided
+    let securityGroup = defaultSecurityGroup
+    if (!securityGroup) {
+      const groupStack = new SecurityGroup(
+        this,
+        stack.getResourceID('SecurityGroup'),
+        { vpc: cluster.vpc },
+      )
+      securityGroup = groupStack.securityGroup
+    }
+
     const desiredCount = taskConfiguration?.desiredCount || 1
     this.service = new ecs_patterns.ApplicationLoadBalancedFargateService(
       this,
-      stack.getResourceID('AdminService'),
+      stack.getResourceID('FargateService'),
       {
         assignPublicIp: true,
         cluster: cluster,
@@ -127,6 +141,7 @@ export class FargateService extends cdk.NestedStack {
           subnetType: ec2.SubnetType.PUBLIC,
           onePerAz: true,
         },
+        securityGroups: [securityGroup],
       },
     )
 

src/index.ts

@@ -8,6 +8,7 @@ export * from './helper'
 export * from './ipv6vpc'
 export * from './rds'
 export * from './route53'
+export * from './security-group'
 export * from './s3'
 export * from './vpc'
 export * from './website-distribution'

src/security-group.ts

@@ -0,0 +1,42 @@
+import { Construct } from 'constructs'
+import * as cdk from 'aws-cdk-lib'
+import * as ec2 from 'aws-cdk-lib/aws-ec2'
+
+export interface SecurityGroupProps extends cdk.NestedStackProps {
+  vpc: ec2.IVpc
+  incomingPorts?: number[]
+}
+
+/**
+ * Default security group suitable for a basic ECS service
+ */
+export class SecurityGroup extends cdk.NestedStack {
+  public readonly securityGroup: ec2.ISecurityGroup
+
+  constructor(scope: Construct, id: string, props: SecurityGroupProps) {
+    super(scope, id, props)
+    const { vpc, incomingPorts } = props
+
+    this.securityGroup = new ec2.SecurityGroup(this, `${id}Group`, {
+      vpc,
+      description: 'Allows HTTP/HTTPS ingress and all egress traffic',
+      allowAllOutbound: true,
+    })
+
+    const portsToOpen = incomingPorts || [80, 443]
+
+    // Open all selected ports
+    portsToOpen.forEach((port) => {
+      this.securityGroup.addIngressRule(
+        ec2.Peer.anyIpv4(),
+        ec2.Port.tcp(port),
+        `Allow ${port} from anywhere (IPv4)`,
+      )
+      this.securityGroup.addIngressRule(
+        ec2.Peer.anyIpv6(),
+        ec2.Port.tcp(port),
+        `Allow ${port} from anywhere (IPv6)`,
+      )
+    })
+  }
+}