[ecs-service-extensions] Expose security groups as part of the service build interface #11585

Closed
2 tasks
npb17 opened this issue Nov 19, 2020 · 6 comments
Labels
@aws-cdk-containers/ecs-service-extensions Related to ecs-service-extensions package feature-request A feature should be added or improved. p2

Comments

@npb17
npb17 commented Nov 19, 2020

Allow modifying a Fargate service's security groups using extensions

Use Case

We have a use case wherein we want additional security groups to be added to a Fargate service. These security groups are pre-created and are used to restrict access to certain resources. The idea is to create an extension which modifies the service props by adding these additional security groups.

Proposed Solution

The service build interface needs to be modified to account for security groups. Since this is only applicable to a Fargate service, it becomes a little tricky. I think we could create a FargateServiceBuild that extends ServiceBuild (similarly create Ec2ServiceBuild) and then modify extension interfaces where service build is referenced to use FargateServiceBuild | Ec2ServiceBuild.

Other

N/A

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

@npb17 npb17 added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Nov 19, 2020
@SomayaB SomayaB added the @aws-cdk-containers/ecs-service-extensions Related to ecs-service-extensions package label Nov 20, 2020
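
The proposal in the opening post, sketched as an added example (not code from the issue or from ecs-service-extensions): an extension hook that appends pre-created security groups to a Fargate build and leaves an EC2 build untouched. All type and function names here are hypothetical stand-ins for the proposed `FargateServiceBuild | Ec2ServiceBuild` shape, and the group IDs are constructed.

```typescript
// Hypothetical model of the proposal; NOT the ecs-service-extensions API.
interface BaseServiceBuild { readonly cluster: string; }
interface FargateServiceBuild extends BaseServiceBuild {
  readonly kind: 'fargate';
  readonly securityGroupIds?: string[];
}
interface Ec2ServiceBuild extends BaseServiceBuild { readonly kind: 'ec2'; }
type AnyServiceBuild = FargateServiceBuild | Ec2ServiceBuild;

interface ServiceExtension {
  readonly name: string;
  modifyServiceProps(props: AnyServiceBuild): AnyServiceBuild;
}

// EC2 security group IDs are "sg-" plus 8 or 17 lowercase hex characters.
const SG_ID = /^sg-(?:[0-9a-f]{8}|[0-9a-f]{17})$/;

// Extension that attaches pre-created security groups to a Fargate service.
function extraSecurityGroups(ids: string[]): ServiceExtension {
  const bad = ids.filter((id) => !SG_ID.test(id));
  if (bad.length > 0) {
    // Fail at synth time rather than deploying with a mistyped group.
    throw new Error('not a security group id: ' + bad.join(', '));
  }
  return {
    name: 'extra-security-groups',
    modifyServiceProps(props: AnyServiceBuild): AnyServiceBuild {
      if (props.kind !== 'fargate') return props; // per the proposal: Fargate only
      const merged = (props.securityGroupIds || []).concat(ids);
      // Keep groups set by earlier extensions; drop duplicates, preserve order.
      const unique = merged.filter((id, i) => merged.indexOf(id) === i);
      return { ...props, securityGroupIds: unique };
    },
  };
}

// Apply each extension's hook in order, as a service builder would.
function buildService(base: AnyServiceBuild, exts: ServiceExtension[]): AnyServiceBuild {
  return exts.reduce((props, ext) => ext.modifyServiceProps(props), base);
}

// Helper for inspection: the security groups a build ends up with.
function securityGroupsOf(build: AnyServiceBuild): string[] {
  return build.kind === 'fargate' ? build.securityGroupIds || [] : [];
}
```
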
@nathanpeck
Member

Interesting!

So if I understand correctly you want to be able to modify this property: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-ecs.Ec2Service.html#securitygroups

So this needs to be part of the ServiceBuild interface. Can you elaborate a bit more on the use case for this? Are you connecting your service to an external resource which isn't managed by CDK?

I think we can add this fairly easily, I just want to make sure I cover the use case thoroughly to make sure there are no other gaps.

@nathanpeck nathanpeck added in-progress This issue is being actively worked on. and removed needs-triage This issue or PR still needs to be triaged. labels Nov 20, 2020
@npb17
Author

npb17 commented Nov 20, 2020

That's correct. We have a few resources that are provisioned outside of CDK and have ingress allowed from certain security groups. The idea here is to add these "allowed" security groups on the Fargate service so that the service can access them.

@npb17
Author

npb17 commented Dec 17, 2020

@nathanpeck what's the guidance on modifying service attributes in general? This issue talks about security groups but we also have a use case where we may want to update the platform version for a Fargate service. It almost seems like the ServiceBuild data structure should be extended to include Ec2ServiceProps | FargateServiceProps.

@brentryan
Contributor

Agree with @npb17. It seems like extensions is going to keep falling behind new features being added to Ec2Service or FargateService. For example, the circuitBreaker property was just added and there's no way to use that feature with extensions currently. I think we should look to modify the extensions behavior to use the native props that are exposed by those services as a unified type as @npb17 suggested or similar. What are your thoughts @nathanpeck?

@madeline-k
Contributor

Transferred to the new home for ecs-service-extensions.

