Missing security group to allow ALB to access ECS/Fargate Service #2
Hello @denis-ryzhkov, I see you are defining your own VPC outside of the plugin. The plugin takes care of the groups needed to make everything work when it's creating its own VPC (
If you are using the VPC only for this service and it's okay for you to let the plugin manage it, I would strongly recommend defining the VPC CIDR and subnets and letting the plugin do the rest.
Thank you for the reply, @gwdp! Could you please give an example of the use case you mentioned, when this plugin creates an ALB, creates an ECS Service, but does not create a security group to allow this ALB to access this Service, and this behavior is desired by the user? Even with the VPC defined outside of the plugin, the plugin creates another security group anyway:
So it is not the "create no security groups at all" case when we use an external VPC. And it is already implemented:
Please just make it available for the external VPC case, at least with option
Hey @denis-ryzhkov, sorry for the delay. Until now, there were 2 use cases for the plugin: first, you let the plugin create the VPC and ALB for you; second, you create the VPC and the ALB on your own and specify them for the plugin to use. Correct me if wrong, but you are actually using a third use case: you create the VPC but not the ALB, which is a case I haven't predicted, and you are absolutely right in relying on the plugin to create everything that is required for that ALB to work on your defined VPC. If this assumption is correct, I see the plugin is checking for
I might need to check the whole plugin for this rule and check if there isn't anything else that needs to be changed in order to support a self-defined VPC but auto-created ALB. Please confirm to me if this is the case; if so, allow me some time (probably this week) to modify it and release a beta version for you to test it out. This is a case we certainly want to support :)
You are absolutely right, @gwdp! I do use an existing VPC and I configure the plugin to create both the ECS Service and the ALB. And I definitely want the plugin to create the missing security group to allow this new ALB to access this new ECS Service. Eager to test the new plugin version, please keep me posted!
@denis-ryzhkov sorry for taking too long. Could you give
@gwdp thank you! I can confirm that
However, the
I guess this sec group is already created by the plugin. Please enable creation of this sec group for our use case too. P.S. I'd propose better naming, but if it blocks delivery, please skip it:
…he shared cluster (which is responsible for it). [related to #2]
@denis-ryzhkov Thanks for the testing and feedback again!! Made the fix and updated the resource constants. Still, I haven't included exactly what you proposed (one, to maintain small names (due to the CF limit), and second, to keep the 'ECS' all-caps standard used in the code :) ). Changes are available on
@gwdp thank you! When I check the diff of
Please attach
Once you fix it, please let me know; I'm eager to test it.
@denis-ryzhkov My bad, I was in doubt about this sec. group. Fixed now, third time is the charm :)
@gwdp it works, finally! Thanks a lot, the issue is closed.
Awesome, releasing
Hey @gwdp, how are you?
@denis-ryzhkov Done earlier today. Sorry for the wait :)
@gwdp, thank you for supporting this plugin!
My ECS/Fargate Task had "Stopped reason: Task failed ELB health checks" because the `AWS::ECS::Service` created by this plugin did not have a security group to allow the ALB to access this Service. Please replace the workaround below with a proper fix of the plugin code:

Even with this workaround, all `securityGroupIds` (`AlbToServiceSecGroup` and e.g. `RdsClientSecGroup`) are applied both to `AWS::ECS::Service` (OK) and to the ALB, which does not need these security groups. Please implement an additional `serviceSecurityGroupIds` option with a list of security groups for `AWS::ECS::Service` only.
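The two-group layout this issue asks for (an ALB group open only on its listener ports, and a service group that accepts the container port only from the ALB group), written out as plain CloudFormation resource objects together with a pre-deploy check that a generated template keeps the split. This is an added example, not the plugin's own code: the resource names `AlbSecGroup`, `AlbToServiceSecGroup`, `Alb` and `EcsService` and the function names are assumptions for this example, `serviceSecurityGroupIds` is the option name proposed above, and the sample ids in the usage are constructed.

```typescript
// Added example (not the plugin's code). Resource names are assumptions.
type CfnResource = { Type: string; Properties: Record<string, any> };
type Template = { Resources: Record<string, CfnResource> };

interface NetworkOptions {
  vpcId: string;                      // existing, self-defined VPC
  subnetIds: string[];
  containerPort: number;              // port the task listens on
  serviceSecurityGroupIds?: string[]; // extra groups for the service only (e.g. an RDS client group)
}

function buildNetworkResources(opts: NetworkOptions): Template {
  const resources: Record<string, CfnResource> = {};

  // ALB group: only the listener ports are reachable from the internet.
  resources.AlbSecGroup = {
    Type: 'AWS::EC2::SecurityGroup',
    Properties: {
      GroupDescription: 'Internet-facing ALB: listener ports only',
      VpcId: opts.vpcId,
      SecurityGroupIngress: [80, 443].map((port) => ({
        IpProtocol: 'tcp', FromPort: port, ToPort: port, CidrIp: '0.0.0.0/0',
      })),
    },
  };

  // The group the issue reports as missing: the container port is reachable
  // only from traffic whose source is the ALB's group, so health checks pass
  // without exposing the task to the rest of the VPC or to the internet.
  resources.AlbToServiceSecGroup = {
    Type: 'AWS::EC2::SecurityGroup',
    Properties: {
      GroupDescription: 'Fargate tasks: container port from the ALB only',
      VpcId: opts.vpcId,
      SecurityGroupIngress: [{
        IpProtocol: 'tcp',
        FromPort: opts.containerPort,
        ToPort: opts.containerPort,
        SourceSecurityGroupId: { Ref: 'AlbSecGroup' },
      }],
    },
  };

  resources.Alb = {
    Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer',
    Properties: {
      Scheme: 'internet-facing',
      Subnets: opts.subnetIds,
      SecurityGroups: [{ Ref: 'AlbSecGroup' }], // service-side groups never land here
    },
  };

  resources.EcsService = {
    Type: 'AWS::ECS::Service',
    Properties: {
      LaunchType: 'FARGATE',
      NetworkConfiguration: {
        AwsvpcConfiguration: {
          Subnets: opts.subnetIds,
          // serviceSecurityGroupIds is attached to the service only.
          SecurityGroups: [{ Ref: 'AlbToServiceSecGroup' }, ...(opts.serviceSecurityGroupIds ?? [])],
        },
      },
    },
  };

  return { Resources: resources };
}

// Accepts both in-template refs ({ Ref: 'Name' }) and imported ids ('sg-...').
function groupNames(list: unknown): string[] {
  if (!Array.isArray(list)) return [];
  return list.map((g) => (typeof g === 'string' ? g : String(g.Ref)));
}

// Pre-deploy check over a generated template. Empty result means: the service
// carries the ALB-to-service group, the ALB carries only its own group, and no
// group defined here and attached to the service is open to 0.0.0.0/0.
function checkLeastPrivilege(template: Template): string[] {
  const problems: string[] = [];
  const r = template.Resources;
  const serviceGroups = groupNames(
    r.EcsService?.Properties.NetworkConfiguration?.AwsvpcConfiguration?.SecurityGroups,
  );
  const albGroups = groupNames(r.Alb?.Properties.SecurityGroups);

  if (!serviceGroups.includes('AlbToServiceSecGroup')) {
    problems.push('EcsService lacks AlbToServiceSecGroup: ALB health checks would fail');
  }
  for (const g of albGroups) {
    if (g !== 'AlbSecGroup') problems.push(`Alb carries a service-side group: ${g}`);
  }
  for (const name of serviceGroups) {
    const sg = r[name];
    if (!sg) continue; // imported id, not defined in this template
    for (const rule of sg.Properties.SecurityGroupIngress ?? []) {
      if (rule.CidrIp === '0.0.0.0/0') problems.push(`${name} opens port ${rule.FromPort} to the world`);
    }
  }
  return problems;
}
```

Run `checkLeastPrivilege(buildNetworkResources({ vpcId: 'vpc-0123456789abcdef0', subnetIds: ['subnet-a', 'subnet-b'], containerPort: 8080, serviceSecurityGroupIds: ['sg-rdsclient'] }))` (constructed ids) and it returns an empty list; dropping `AlbToServiceSecGroup` from the service, or pushing a service-side group onto the ALB, each produces one finding, which is exactly the pair of problems reported in this issue.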