Hello everyone,
at our company we're trying to migrate from Heroku to AWS.
I'd like to define an awsx.ecs.FargateService in a custom VPC which has private and public subnets; currently I do this:
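// Security group for the internet-facing ALB: HTTP/HTTPS in from anywhere,
// all traffic out.
const lbSecurityGroup = new aws.ec2.SecurityGroup(
  `ls-lb-sg-${stackName}`,
  {
    vpcId: vpc.vpcId,
    description: 'Security group for load balancer',
    ingress: [
      { protocol: 'tcp', fromPort: 80, toPort: 80, cidrBlocks: ['0.0.0.0/0'] },
      { protocol: 'tcp', fromPort: 443, toPort: 443, cidrBlocks: ['0.0.0.0/0'] },
    ],
    // Unrestricted egress (protocol -1 = all). It could be narrowed to the
    // service security group on port 3000, but since that group already
    // references this one, doing so inline would form a cycle; a separate
    // aws.ec2.SecurityGroupRule would be needed.
    egress: [{ protocol: '-1', fromPort: 0, toPort: 0, cidrBlocks: ['0.0.0.0/0'] }],
    tags: {
      // Name tag added so the group is labelled in the console, consistent
      // with the service security group.
      Name: `ls-lb-sg-${stackName}`,
      environment: stackName,
    },
  },
  { provider },
);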
// Security group for the Fargate tasks: only the load balancer may reach the
// container port; outbound traffic is unrestricted.
const serviceSecurityGroup = new aws.ec2.SecurityGroup(
  `ls-service-sg-${stackName}`,
  {
    description: 'Security group for Fargate services',
    vpcId: vpc.vpcId,
    tags: {
      environment: stackName,
      Name: `ls-service-sg-${stackName}`,
    },
    // Inbound: TCP 3000, and only from the ALB's security group.
    ingress: [
      { protocol: 'tcp', fromPort: 3000, toPort: 3000, securityGroups: [lbSecurityGroup.id] },
    ],
    // Outbound: everything (protocol -1 = all protocols).
    egress: [
      { protocol: '-1', fromPort: 0, toPort: 0, cidrBlocks: ['0.0.0.0/0'] },
    ],
  },
  { provider },
);
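// Internet-facing ALB in the public subnets, guarded by lbSecurityGroup.
// Its defaultTargetGroup is what the service's port mapping registers with;
// that target group has its own health check, separate from the container
// healthCheck on the task — confirm its path matches what the app serves.
const loadBalancer = new awsx.lb.ApplicationLoadBalancer(
  `ls-loadbalancer-${stackName}`,
  {
    internal: false,
    subnetIds: publicSubnetIds,
    // NOTE(review): the security group must be in the same VPC as these
    // subnets; a mismatch is a common cause of "One or more security groups
    // are invalid" from SetSecurityGroups — confirm vpc.vpcId is the VPC that
    // publicSubnetIds belong to.
    securityGroups: [lbSecurityGroup.id],
    tags: {
      // Name tag added for consistency with the other resources.
      Name: `ls-loadbalancer-${stackName}`,
      environment: stackName,
    },
  },
  { provider },
);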
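// API task: the app container plus a Datadog agent sidecar, placed in the
// private subnets without public IPs and reached only through the ALB.
const apiService = new awsx.ecs.FargateService(
  `ls-api-service-${stackName}`,
  {
    cluster: cluster.id,
    taskDefinitionArgs: {
      containers: {
        api: {
          name: `ls-api-${stackName}`,
          image: img.imageUri,
          memory: 4096,
          cpu: 1024,
          essential: true,
          command: ['build/app.js'],
          portMappings: [
            {
              containerPort: 3000,
              hostPort: 3000,
              targetGroup: loadBalancer.defaultTargetGroup,
            },
          ],
          environment: environmentVariables,
          // Container-level health check (distinct from the target group's).
          // The URL was previously wrapped in <...>; inside CMD-SHELL those
          // characters are stdin/stdout redirections, so the command could
          // never succeed (probably a paste artifact, fixed here anyway).
          // Assumes curl is present in the image — confirm.
          healthCheck: {
            command: ['CMD-SHELL', 'curl -f http://localhost:3000/health || exit 1'],
            interval: 30,
            timeout: 5,
            retries: 3,
            startPeriod: 60,
          },
        },
        datadog: {
          name: `datadog-agent-${stackName}`,
          // TODO: pin to a release tag or digest; :latest is a mutable tag, so
          // each deploy may pull different agent code.
          image: 'datadog/agent:latest',
          cpu: 256,
          memory: 512,
          essential: false,
          // NOTE(review): if datadogApiKey is a plain { name, value } entry,
          // the key is stored in clear text in the task definition; the
          // container `secrets` field (Secrets Manager / SSM valueFrom)
          // keeps it out of describe-task-definition — confirm.
          environment: [datadogApiKey, { name: 'ECS_FARGATE', value: 'true' }],
        },
      },
    },
    // Two tasks in production for availability, one everywhere else.
    desiredCount: stackName === 'production' ? 2 : 1,
    networkConfiguration: {
      subnets: privateSubnetIds,
      securityGroups: [serviceSecurityGroup.id],
      assignPublicIp: false,
    },
    tags: {
      environment: stackName,
    },
  },
  { provider },
);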
The problem is that whenever I try to deploy, I get:
aws:lb:LoadBalancer (ls-loadbalancer-dev):
error: sdk-v2/provider2.go:520: sdk.helper_schema: setting ELBv2 Load Balancer (arn:aws:elasticloadbalancing:us-east-1:662016171348:loadbalancer/app/ls-loadbalancer-dev-2873ccc/062c2c77270e2e27) security groups: operation error Elastic Load Balancing v2: SetSecurityGroups, https response error StatusCode: 400, RequestID: c079a5d7-2486-45b2-b8ce-8593168d5989, InvalidConfigurationRequest: One or more security groups are invalid: provider=aws@6.56.1
error: 1 error occurred:
* setting ELBv2 Load Balancer (arn:aws:elasticloadbalancing:us-east-1:662016171348:loadbalancer/app/ls-loadbalancer-dev-2873ccc/062c2c77270e2e27) security groups: operation error Elastic Load Balancing v2: SetSecurityGroups, https response error StatusCode: 400, RequestID: c079a5d7-2486-45b2-b8ce-8593168d5989, InvalidConfigurationRequest: One or more security groups are invalid
Can anyone point me to what is invalid about my security groups?