
Conversation

@rudransh-shrivastava rudransh-shrivastava (Collaborator) commented Nov 24, 2025

This PR was reopened as #2685 wasn't actually merged.
Resolves #2568

Proposed change

Checklist

  • I've read and followed the contributing guidelines.
  • I've run make check-test locally; all checks and tests passed.

@github-actions github-actions bot added the docs Improvements or additions to documentation label Nov 24, 2025
@coderabbitai coderabbitai bot (Contributor) commented Nov 24, 2025

Caution: review failed. The pull request is closed.

Summary by CodeRabbit

  • Refactor

    • Improved infrastructure security by implementing dedicated security groups for ECS services and establishing proper access controls between database, cache, and application layers.
  • Documentation

    • Updated security group configuration guidance in infrastructure documentation.


Walkthrough

This PR replaces the Lambda security group reference with a dedicated ECS security group across the infrastructure configuration. It updates variable and resource definitions, rewires module arguments, and introduces new security group resources with associated ingress/egress rules for ECS, RDS, RDS Proxy, and Redis.

Changes (cohort, file(s), change summary)

  • Documentation and Configuration: infrastructure/README.md
    Updated security group selection instructions from the generic "select all with owasp-nest-staging- prefix" to the specific "select the ECS security group (e.g. owasp-nest-staging-ecs-sg)", with the temporary note removed.
  • Main Infrastructure Module Wiring: infrastructure/main.tf
    Added ecs_sg_id argument to the ECS module (wired to module.security.ecs_sg_id); removed the lambda_sg_id argument.
  • ECS Module Configuration: infrastructure/modules/ecs/main.tf, infrastructure/modules/ecs/variables.tf
    Replaced lambda_sg_id with the ecs_sg_id variable across six ECS task modules (sync_data_task, owasp_update_project_health_metrics_task, owasp_update_project_health_scores_task, migrate_task, load_data_task, index_data_task); updated variable declarations to reflect the new ECS security group.
  • Security Module Resources and Outputs: infrastructure/modules/security/main.tf, infrastructure/modules/security/outputs.tf
    Added four new security groups (ecs, rds, rds_proxy, redis) with standard egress rules and tagging; introduced three security group rules (rds_from_ecs, rds_proxy_from_ecs, redis_from_ecs) enabling inbound access from ECS to the target resources; exported the new ecs_sg_id output.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Review correctness of new security group ingress/egress rules and their conditional logic (rds_proxy count)
  • Verify consistent variable replacement across all six ECS task module instantiations
  • Confirm proper wiring between modules: main.tf → ecs module inputs → security module outputs
  • Validate that removed lambda_sg_id references don't break any unmigrated dependencies

Possibly related PRs

Suggested labels

backend

Suggested reviewers

  • kasya
  • arkid15r

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6ec1aa2 and 17202cb.

📒 Files selected for processing (6)
  • infrastructure/README.md (1 hunks)
  • infrastructure/main.tf (1 hunks)
  • infrastructure/modules/ecs/main.tf (6 hunks)
  • infrastructure/modules/ecs/variables.tf (2 hunks)
  • infrastructure/modules/security/main.tf (4 hunks)
  • infrastructure/modules/security/outputs.tf (1 hunks)

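The layering the walkthrough describes (a dedicated ECS security group, plus RDS, RDS Proxy and Redis security groups that accept inbound traffic only from that ECS group, with the proxy resources created conditionally) can be expressed in Terraform roughly as below. This is an added illustration written for this page, not the contents of the PR's infrastructure/modules/security/main.tf: the variable names (var.name_prefix, var.vpc_id, var.rds_proxy_enabled), the ports (5432 for PostgreSQL, 6379 for Redis) and the tag layout are assumptions.

```hcl
# Illustrative example only. Resource and variable names, ports and tags are
# assumptions and are not copied from the project's security module.

resource "aws_security_group" "ecs" {
  name        = "${var.name_prefix}-ecs-sg"
  description = "ECS tasks; the only permitted source for DB, proxy and cache"
  vpc_id      = var.vpc_id

  # Tasks need outbound access (image pulls, package indexes, the data stores).
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = { Name = "${var.name_prefix}-ecs-sg" }
}

# The data-store groups define no inline ingress. Each one gets exactly one
# ingress rule below, whose source is the ECS group, so access is decided by
# which security group a task runs with rather than by IP range.
resource "aws_security_group" "rds" {
  name        = "${var.name_prefix}-rds-sg"
  description = "RDS; inbound only from the ECS security group"
  vpc_id      = var.vpc_id

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = { Name = "${var.name_prefix}-rds-sg" }
}

resource "aws_security_group" "rds_proxy" {
  # Created only when the proxy is in use (assumed boolean variable).
  count       = var.rds_proxy_enabled ? 1 : 0
  name        = "${var.name_prefix}-rds-proxy-sg"
  description = "RDS Proxy; inbound only from the ECS security group"
  vpc_id      = var.vpc_id

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = { Name = "${var.name_prefix}-rds-proxy-sg" }
}

resource "aws_security_group" "redis" {
  name        = "${var.name_prefix}-redis-sg"
  description = "Redis; inbound only from the ECS security group"
  vpc_id      = var.vpc_id

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = { Name = "${var.name_prefix}-redis-sg" }
}

# Ingress rules keyed on source_security_group_id, not cidr_blocks.
resource "aws_security_group_rule" "rds_from_ecs" {
  type                     = "ingress"
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  security_group_id        = aws_security_group.rds.id
  source_security_group_id = aws_security_group.ecs.id
}

resource "aws_security_group_rule" "rds_proxy_from_ecs" {
  # Must be gated on the same condition as the proxy group it attaches to,
  # otherwise the [0] index fails to resolve when the proxy is disabled.
  count                    = var.rds_proxy_enabled ? 1 : 0
  type                     = "ingress"
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  security_group_id        = aws_security_group.rds_proxy[0].id
  source_security_group_id = aws_security_group.ecs.id
}

resource "aws_security_group_rule" "redis_from_ecs" {
  type                     = "ingress"
  from_port                = 6379
  to_port                  = 6379
  protocol                 = "tcp"
  security_group_id        = aws_security_group.redis.id
  source_security_group_id = aws_security_group.ecs.id
}

# Exported so the ECS module can attach every task to this group.
output "ecs_sg_id" {
  value = aws_security_group.ecs.id
}
```

Two things to check when reviewing a change shaped like this: keep the inline egress blocks and the standalone aws_security_group_rule resources from managing the same group's ingress, since Terraform will otherwise fight over the rule set on every apply; and, where the proxy is actually in the path to the database, confirm that the RDS group also admits the proxy's group (the walkthrough lists only the three "_from_ecs" rules), because the proxy, not the task, is what opens the connection to RDS. The README change follows from the design: once the ECS group is the sole source permitted by the data-store rules, it is the only group an operator needs to select, so the "select all with the prefix" instruction no longer applies.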

@github-actions github-actions bot commented:

The PR must be linked to an issue assigned to the PR author.

@github-actions github-actions bot closed this Nov 24, 2025
@sonarqubecloud
