Aws-cdk: No Way To Assign Existing Security Groups To ECS Cluster

Created on 24 Oct 2019 · 4 Comments · Source: aws/aws-cdk

:question: General Issue

The Question

When I attempt to create a Cluster using the AWS CDK (Typescript) like so:

    const serverCluster = new ecs.Cluster(this, 'EcsServerCluster', { vpc: vpc })

    serverCluster.addCapacity('DefaultAutoScalingGroup', {
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MEDIUM),
    })

The CDK deploy blows up on the addCapacity call:
1/26 | 10:47:30 AM | CREATE_FAILED | AWS::EC2::SecurityGroup | EcsServerCluster/DefaultAutoScalingGroup/InstanceSecurityGroup (EcsServerClusterDefaultAutoScalingGroupInstanceSecurityGroupEE7A9C3D) API: ec2:CreateSecurityGroup You are not authorized to perform this operation.

I apparently need a way to pass existing security groups when establishing the cluster. When going through the AWS console to create an ECS cluster, you are allowed to specify existing subnets and security groups (for example) when creating a cluster.

I did notice that there was a connections property of ECS Cluster which is used to "Manage the allowed network connections for the cluster with Security Groups." However, there appears to be no way to set it in the Typescript AWS CDK.

Environment

  • CDK CLI Version: 1.13.1 (build 96cfc63)
  • Module Version: aws-ecs
  • OS: OSX Mojave
  • Language: TypeScript

Other information

1/26 | 10:47:30 AM | CREATE_FAILED | AWS::EC2::SecurityGroup | EcsServerCluster/DefaultAutoScalingGroup/InstanceSecurityGroup (EcsServerClusterDefaultAutoScalingGroupInstanceSecurityGroupEE7A9C3D) API: ec2:CreateSecurityGroup You are not authorized to perform this operation.

Labels: @aws-cdk/aws-ecs, bug, effort/medium, p2


All 4 comments

I have not tested this yet, but the API allows this.

serverCluster.connections.addSecurityGroup(mySecurityGroup);

Hey @joncantu

Please bear with me here, since it's a bit vague from your description whether you wanted to:
1) just create a Cluster using the code sample you provided initially but ran into "ec2:CreateSecurityGroup You are not authorized to perform this operation.", which led you to believe you need to create a security group prior to running cdk deploy.

Or
2) You already have a security group and wanted to create a Cluster with it.

For 1), the main problem was actually the credentials used. Essentially, the IAM user/role you used did not allow you to create a security group. I tried the following sample with an admin role and cdk deploy ran successfully:

import * as cdk from '@aws-cdk/core';
import * as ecs from '@aws-cdk/aws-ecs';
import * as ec2 from '@aws-cdk/aws-ec2';

export class Issue4678Stack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const vpc = new ec2.Vpc(this, 'VPC');

    const serverCluster = new ecs.Cluster(this, 'EcsServerCluster', { vpc: vpc })

    serverCluster.addCapacity('DefaultAutoScalingGroup', {
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MEDIUM),
    })
  }
}

For 2), I tried what you suggested and it seems like regardless of whether I call addSecurityGroup(), CDK always creates a security group, which is likely a bug. This is the sample I used:

import * as cdk from '@aws-cdk/core';
import * as ecs from '@aws-cdk/aws-ecs';
import * as ec2 from '@aws-cdk/aws-ec2';

export class Issue4678Stack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const vpc = new ec2.Vpc(this, 'VPC');

    const mySecurityGroup = ec2.SecurityGroup.fromSecurityGroupId(this, 'SG', 'sg-82870be7awdwafafawdwa', {
      mutable: true
    })

    const serverCluster = new ecs.Cluster(this, 'EcsServerCluster', { vpc: vpc })
    serverCluster.connections.addSecurityGroup(mySecurityGroup);

    serverCluster.addCapacity('DefaultAutoScalingGroup', {
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MEDIUM),
    })
  }
}

Might be related to #5635, #4891

Hi @joncantu @hencrice,

I saw you added the security group to cluster.connections; however, the default security group is always created for the EC2 DefaultAutoScalingGroup, with no inbound rules.

If you are trying to add your security group to the EC2 resources used by your cluster, here is the way
(the following code is using [email protected]):

    const serverCluster = new ecs.Cluster(this, 'EcsServerCluster', { vpc: vpc })

    /**
     * addCapacity adds compute capacity to the cluster by creating an AutoScalingGroup
     * with the specified options and returns that AutoScalingGroup.
     */
    const autoScalingGroup = serverCluster.addCapacity('DefaultAutoScalingGroup', {
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MEDIUM),
    })
    // yourSecurityGroup is an ec2.ISecurityGroup, e.g. one imported with
    // ec2.SecurityGroup.fromSecurityGroupId(); attach it to the AutoScalingGroup
    autoScalingGroup.addSecurityGroup(yourSecurityGroup);

I have tested this solution and it works; the security group added here would be added to the EC2 instances created by your ECS cluster and tasks.
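The thread turns on one detail: what reaches the container instances is the SecurityGroups list on the AutoScalingGroup's launch configuration, which cluster.connections.addSecurityGroup() does not touch but autoScalingGroup.addSecurityGroup() does. The check below is an added example, not code from this issue or from aws-cdk: it reads a synthesized CloudFormation template (what `cdk synth` prints) and reports which groups the launch configuration actually carries, whether the imported group you meant to attach is among them, and, going one step beyond the thread, whether any template-created security group has an ingress rule open to the world. The function name checkInstanceSecurityGroups, the two sample templates and the group id sg-0123456789abcdef0 are all constructed here; the templates are only shaped like the relevant resources CDK emits for addCapacity (a LaunchConfiguration whose SecurityGroups entries are Fn::GetAtt references for generated groups and literal ids for imported ones), which is an assumption, not real synth output.

```typescript
// Added example, not from the issue or from aws-cdk. After `cdk synth`, parse the
// template JSON and pass it to checkInstanceSecurityGroups() to confirm the
// imported security group is attached where it matters: the LaunchConfiguration.

type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

interface InstanceSgReport {
  attached: string[];     // security groups on every AWS::AutoScaling::LaunchConfiguration
  hasExpected: boolean;   // the imported group you intended to attach is among them
  worldOpen: string[];    // template-created SGs with ingress from 0.0.0.0/0 or ::/0
}

// Resolve one SecurityGroups entry: a literal "sg-..." string (imported group), or the
// logical id behind Fn::GetAtt / Ref (a group this template creates).
function resolveSgRef(entry: unknown): string {
  if (typeof entry === 'string') return entry;
  if (entry !== null && typeof entry === 'object') {
    const o = entry as Record<string, unknown>;
    const getAtt = o['Fn::GetAtt'];
    if (Array.isArray(getAtt) && getAtt.length > 0) return String(getAtt[0]);
    const ref = o['Ref'];
    if (typeof ref === 'string') return ref;
  }
  return JSON.stringify(entry);
}

export function checkInstanceSecurityGroups(t: CfnTemplate, expectedSgId: string): InstanceSgReport {
  const attached: string[] = [];
  const worldOpen: string[] = [];
  for (const [logicalId, r] of Object.entries(t.Resources)) {
    if (r.Type === 'AWS::AutoScaling::LaunchConfiguration') {
      const sgs = (r.Properties?.['SecurityGroups'] as unknown[] | undefined) ?? [];
      for (const s of sgs) attached.push(resolveSgRef(s));
    }
    if (r.Type === 'AWS::EC2::SecurityGroup') {
      const ingress =
        (r.Properties?.['SecurityGroupIngress'] as Array<Record<string, unknown>> | undefined) ?? [];
      if (ingress.some(rule => rule['CidrIp'] === '0.0.0.0/0' || rule['CidrIpv6'] === '::/0')) {
        worldOpen.push(logicalId);
      }
    }
  }
  return { attached, hasExpected: attached.includes(expectedSgId), worldOpen };
}

// Constructed sample templates (assumption: shaped like the resources CDK 1.x emits for
// Cluster.addCapacity; not real `cdk synth` output). The generated SG logical id is the
// one from the issue's error message; the imported group id is hypothetical.
const generatedSg = 'EcsServerClusterDefaultAutoScalingGroupInstanceSecurityGroupEE7A9C3D';
const importedSgId = 'sg-0123456789abcdef0';

// Case A: only cluster.connections.addSecurityGroup(mySecurityGroup) was called.
// The launch configuration still carries just the CDK-generated group.
export const templateConnectionsOnly: CfnTemplate = {
  Resources: {
    [generatedSg]: {
      Type: 'AWS::EC2::SecurityGroup',
      Properties: {
        GroupDescription: 'instance security group',
        VpcId: 'vpc-0abc',
        SecurityGroupEgress: [{ CidrIp: '0.0.0.0/0', IpProtocol: '-1' }],
      },
    },
    LaunchConfig: {
      Type: 'AWS::AutoScaling::LaunchConfiguration',
      Properties: { InstanceType: 't2.medium', SecurityGroups: [{ 'Fn::GetAtt': [generatedSg, 'GroupId'] }] },
    },
  },
};

// Case B: autoScalingGroup.addSecurityGroup(mySecurityGroup) was called.
// The imported group id is appended to the launch configuration's list.
export const templateAsgAddSecurityGroup: CfnTemplate = {
  Resources: {
    ...templateConnectionsOnly.Resources,
    LaunchConfig: {
      Type: 'AWS::AutoScaling::LaunchConfiguration',
      Properties: {
        InstanceType: 't2.medium',
        SecurityGroups: [{ 'Fn::GetAtt': [generatedSg, 'GroupId'] }, importedSgId],
      },
    },
  },
};

export const reportA = checkInstanceSecurityGroups(templateConnectionsOnly, importedSgId);
export const reportB = checkInstanceSecurityGroups(templateAsgAddSecurityGroup, importedSgId);
console.log('cluster.connections only ->', reportA);
console.log('asg.addSecurityGroup     ->', reportB);
```

Run it against a real `cdk synth` output by replacing the constructed templates with `JSON.parse(fs.readFileSync('template.json', 'utf8'))`; a report with hasExpected false means the group was wired to the cluster object but never reached the instances, and a non-empty worldOpen list means a group the stack creates is more permissive than the empty-inbound default the comment above describes.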
