Ensure the tasks have access to the database to make connections if u…

…sing non-terraform VPC (#345)
civiform · Aug 2, 2024 · 9524547 · 9524547
1 parent e2fd70b
commit 9524547
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/cloud/aws/modules/ecs_fargate_service/outputs.tf b/cloud/aws/modules/ecs_fargate_service/outputs.tf
@@ -8,11 +8,16 @@ output "aws_lb_civiform_lb_arn" {
 }
 
 output "aws_security_group_lb_access_sg_id" {
- description = "The ID of the security group"
+ description = "The ID of the LB access security group"
  value = aws_security_group.lb_access_sg.id
 }
 
+output "aws_security_group_ecs_tasks_access_sg_id" {
+ description = "The ID of the ECS tasks access security group"
+ value = aws_security_group.ecs_tasks_sg.id
+}
+
 output "aws_ecs_service_name" {
- description = "The service name of the aws ecs service."
+ description = "The name of the AWS ECS service"
  value = aws_ecs_service.service.name
 }
diff --git a/cloud/aws/templates/aws_oidc/main.tf b/cloud/aws/templates/aws_oidc/main.tf
@@ -139,6 +139,17 @@ resource "aws_security_group" "rds" {
  cidr_blocks = ["${ingress.value}/32"]
  }
  }
+
+ dynamic "ingress" {
+ for_each = local.enable_managed_vpc ? [] : [1]
+ # If the VPC is managed outside of terraform, we need to ensure that the tasks have access to the database to make connections
+ content {
+ from_port = 5432
+ to_port = 5432
+ protocol = "tcp"
+ security_groups = [module.ecs_fargate_service.aws_security_group_ecs_tasks_access_sg_id]
+ }
+ }
 }
 
 module "pgadmin" {