Aws-cdk: Multiple security groups associated to a fargate service

Created on 13 May 2019 · 10 Comments · Source: aws/aws-cdk

You can associate multiple security groups with a Fargate service (I think the limit is 5 currently). The higher-level CDK construct for a Fargate service currently only allows a single security group.

Is there something in the works that would allow us to associate multiple security groups or a possible workaround?

Labels: @aws-cdk/aws-ecs, effort/medium, feature-request, in-progress

All 10 comments

I've the same issue. I'd like to assign two different security groups to a Fargate Service but FargateService construct only allows one. If I try to specify two in a list, I get back:

jsii.errors.JSIIError: Expected object reference, got [{"$jsii.byref":"@aws-cdk/aws-ec2.SecurityGroupXXXXX"},{"$jsii.byref":"@aws-cdk/aws-ec2.SecurityGroupXXXXX"}]

Documentation states "securitygroups", plural:
security_group (Optional[ISecurityGroup]) – The security groups to associate with the service. If you do not specify a security group, the default security group for the VPC is used. Default: - A new security group is created.

But it only takes a single SG.
Afaik there is no workaround for this atm.

Same issue here. We just hit the wall with this one and unfortunately override doesn't work (or I don't know how to set it up :) ).

```ts
import * as ecs from "@aws-cdk/aws-ecs";

// Reach the L1 CfnService underneath the L2 service construct
const resource = tnmaccessService.node.findChild("Service") as ecs.CfnService;
// Attempt to set the property directly on the L1 resource
resource.networkConfiguration.awsvpcConfiguration.securityGroups = ["sg-12345", "sg-54321"];
```

@robertd override doesn't work either. Afaik there is no workaround. I had to create a SG with ingress rules mixed from the two SGs that I wanted to use. It is ugly and not maintainable at large scale.

@tsykora-verimatrix #3985 should address this issue. Hopefully it makes it into 1.8.0.

@tsykora-verimatrix Here is a workaround

```ts
import * as ecs from "@aws-cdk/aws-ecs";

// Reach the L1 CfnService underneath the L2 FargateService (escape hatch)
const cfnService = ecsService.node.findChild("Service") as ecs.CfnService;

// Inject a CFN override so the synthesized template lists both SGs;
// this replaces whatever SecurityGroups the L2 construct set
cfnService.addOverride("Properties.NetworkConfiguration.AwsvpcConfiguration.SecurityGroups", [
  secGroupA.securityGroupId,
  secGroupB.securityGroupId
]);
```

Output CFN...

```yaml
NetworkConfiguration:
  AwsvpcConfiguration:
    AssignPublicIp: DISABLED
    SecurityGroups:
      - sg-12345
      - sg-67890
    Subnets:
      - subnet-12345
      - subnet-54321
      - subnet-67890
```

@robertd thanks a lot, it looks good, I'll give it a try

The solution works if you want to remove the securityGroup and replace it with your group, but what if I want to keep the one that's there and add some more?

They should open up an interface to add the groups.

Is there any way I can just add the additional security group instead of replacing it? My problem is that the CDK constructs ecsPatterns.ApplicationLoadBalancedEc2Service and ecsPatterns.ApplicationLoadBalancedFargateService add an LB security group on the fly, and I don't want to touch them; instead I want to add my security group to it.

@vjain16 I was able to do something similar by first getting a reference to the existing security group that cdk attached to the service:

```ts
import { SecurityGroup } from "@aws-cdk/aws-ec2";
import * as ecs from "@aws-cdk/aws-ecs";

// Existing SG managed outside this stack (placeholder id)
const externalSecurityGroup = SecurityGroup.fromSecurityGroupId(this, "SomeExternalSG", "sg-xxx");
// The SG cdk created for the service (first entry of its connections)
const createdSg = ecsService.connections.securityGroups[0];
const cfnService = ecsService.node.findChild("Service") as ecs.CfnService;
// Override keeps the created SG and appends the external one
cfnService.addOverride("Properties.NetworkConfiguration.AwsvpcConfiguration.SecurityGroups", [
  createdSg.securityGroupId,
  externalSecurityGroup.securityGroupId
]);
```

In my case, I only have a connection between the target service and the load balancer, so ymmv on the evaluation of ecsService.connections.securityGroups[0];
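Both workarounds in this thread rely on the same mechanic: an override at a dotted path into the synthesized AWS::ECS::Service resource, either replacing the SecurityGroups list outright or re-listing the SG cdk created plus the extra ones. The block below is an added, self-contained illustration of that mechanic and is not aws-cdk code: it applies a replacing and an additive override to a constructed, already-synthesized resource (sample SG and subnet ids are made up), de-duplicates the list and rejects more than the five-group limit the issue mentions (treated here as an assumption). Its dotted-path handling is a plain split on "." and does not reproduce cdk's escaping rules; the function names setAtPath, getAtPath, replaceSecurityGroups and addSecurityGroups are invented for this example.

```typescript
// Added example: a stand-in for the override semantics used in the thread,
// run against a constructed, already-synthesized CloudFormation resource.
// Not aws-cdk code; path handling is simplified (no "\." escaping).

type Json = { [key: string]: any };

// Constructed sample: what the AWS::ECS::Service resource looks like after
// FargateService synthesizes it with the single SG cdk created for it.
export const sampleService: Json = {
  Type: "AWS::ECS::Service",
  Properties: {
    NetworkConfiguration: {
      AwsvpcConfiguration: {
        AssignPublicIp: "DISABLED",
        SecurityGroups: ["sg-12345"],
        Subnets: ["subnet-12345", "subnet-54321", "subnet-67890"],
      },
    },
  },
};

// Per-ENI limit cited in the issue ("I think the limit is 5"); assumption, not verified here.
export const MAX_SECURITY_GROUPS = 5;

// Same path the thread overrides on the L1 CfnService.
export const SG_PATH = "Properties.NetworkConfiguration.AwsvpcConfiguration.SecurityGroups";

// Walk (creating as needed) nested objects along a dotted path and set the leaf value,
// mirroring what addOverride(path, value) does to the synthesized resource.
export function setAtPath(resource: Json, path: string, value: unknown): void {
  const parts = path.split(".");
  let node = resource;
  for (const part of parts.slice(0, -1)) {
    if (typeof node[part] !== "object" || node[part] === null) {
      node[part] = {};
    }
    node = node[part];
  }
  node[parts[parts.length - 1]] = value;
}

// Read the value at a dotted path, or undefined if any segment is missing.
export function getAtPath(resource: Json, path: string): unknown {
  return path.split(".").reduce<any>((n, p) => (n == null ? undefined : n[p]), resource);
}

// Replacing override, as in the first workaround: whatever cdk attached is dropped.
// Returns the list that ends up in the template.
export function replaceSecurityGroups(resource: Json, sgIds: string[]): string[] {
  const unique = Array.from(new Set(sgIds));
  if (unique.length === 0 || unique.length > MAX_SECURITY_GROUPS) {
    throw new Error(`expected 1..${MAX_SECURITY_GROUPS} security groups, got ${unique.length}`);
  }
  setAtPath(resource, SG_PATH, unique);
  return unique;
}

// Additive override, as in the follow-up: keep the SG cdk created, append ours.
export function addSecurityGroups(resource: Json, extraIds: string[]): string[] {
  const existing = (getAtPath(resource, SG_PATH) as string[] | undefined) ?? [];
  return replaceSecurityGroups(resource, [...existing, ...extraIds]);
}

// Deep copy so each scenario starts from the untouched sample.
export function cloneResource(resource: Json): Json {
  return JSON.parse(JSON.stringify(resource));
}

// Stand-alone run: show the two outcomes side by side.
const replaced = cloneResource(sampleService);
replaceSecurityGroups(replaced, ["sg-aaa", "sg-bbb"]);
const added = cloneResource(sampleService);
addSecurityGroups(added, ["sg-67890"]);
console.log("replace:", getAtPath(replaced, SG_PATH));
console.log("add:    ", getAtPath(added, SG_PATH));
```

The useful check after either override is the one the thread's "Output CFN" snippets make by eye: read the synthesized template back and confirm the SecurityGroups list holds exactly the groups you intended, with the cdk-created one still present when the additive form was used.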

related #7698
