From 5f5e59d6b0797343e13e193f894ea435ba402691 Mon Sep 17 00:00:00 2001
From: Anton Kamenov
Date: Sat, 18 Feb 2023 20:36:38 +0200
Subject: [PATCH] Limit EFS volume creation to public subnets

---
 ecs/awsResources.go | 2 ++
 ecs/sdk.go | 5 ++++-
 ecs/volumes.go | 10 +++++-----
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/ecs/awsResources.go b/ecs/awsResources.go
index 7abb7cf94..4f269598b 100644
--- a/ecs/awsResources.go
+++ b/ecs/awsResources.go
@@ -39,6 +39,7 @@ import (
 type awsResources struct {
 vpc string // shouldn't this also be an awsResource ?
 subnets []awsResource
+ pubSubnets []awsResource
 cluster awsResource
 loadBalancer awsResource
 loadBalancerType string
@@ -221,6 +222,7 @@ func (b *ecsAPIService) parseVPCExtension(ctx context.Context, project *types.Pr
 r.vpc = vpc
 r.subnets = subNets
+ r.pubSubnets = publicSubNets
 return nil
 }
diff --git a/ecs/sdk.go b/ecs/sdk.go
index 72c2a3f01..8ef652e47 100644
--- a/ecs/sdk.go
+++ b/ecs/sdk.go
@@ -227,7 +227,10 @@ func (s sdk) IsPublicSubnet(ctx context.Context, subNetID string) (bool, error)
 if len(tables.RouteTables) == 0 {
 // If a subnet is not explicitly associated with any route table, it is implicitly associated with the main route table.
 // https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-route-tables.html
- return true, nil
+
+ // Normally main route tables are used for the private subnets, so this should be FALSE and not TRUE
+ // regular setup is 3 public subnets + N number of private subnets
+ return false, nil
 }
 for _, routeTable := range tables.RouteTables {
 for _, route := range routeTable.Routes {
diff --git a/ecs/volumes.go b/ecs/volumes.go
index 876b825f8..3dec0c3d6 100644
--- a/ecs/volumes.go
+++ b/ecs/volumes.go
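Review bot: The new `pubSubnets` field carries no comment, and nothing states how it relates to `subnets` even though `createNFSMountTarget` and `mountTargets` in ecs/volumes.go now read it instead of `subnets`. Suggest `// pubSubnets holds the subnets treated as public (presumably those sdk.IsPublicSubnet accepted); EFS mount targets are created only on these, so it needs a subnet in every AZ the tasks use, since mount targets are per-AZ.` The struct definition continues past the end of this hunk.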
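Review bot: `r.pubSubnets = publicSubNets` is stored without checking that the list is non-empty, and because the ecs/volumes.go hunks now create EFS mount targets only on these subnets, a VPC whose subnets all classify as private (including every subnet that relies on the main route table, after the ecs/sdk.go change) yields a template with an EFS filesystem, no mount targets, and `mountTargets` returning nil — the failure only surfaces when tasks try to mount. Suggest rejecting that configuration here, before the assignments, when the project actually declares volumes: `if len(project.Volumes) > 0 && len(publicSubNets) == 0 {` / `return fmt.Errorf("vpc %s has no public subnet; EFS mount targets for project volumes require one", vpc)` / `}` (assuming `fmt` is imported in this file). `parseVPCExtension` starts outside this hunk, so where `publicSubNets` is computed is not visible.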
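Review bot: Hard-coding `return false, nil` for a subnet with no explicit route-table association misclassifies every subnet that relies on the VPC's main route table, which in a default VPC carries the internet-gateway route; the previous `return true, nil` had the mirror problem, so neither constant is correct. The answer lives in the main route table itself: look it up with DescribeRouteTables filtered on `association.main=true` and the subnet's `vpc-id` (which needs a DescribeSubnets call, since only `subNetID` is available here), then run its routes through the route loop below this hunk, which presumably checks for an internet-gateway route. The added comment's "regular setup is 3 public subnets + N number of private subnets" describes one deployment layout rather than EC2 semantics, so it should not decide the return value. Because `createNFSMountTarget` in ecs/volumes.go now places mount targets only on subnets this function accepts, the misclassification silently produces an EFS filesystem with no mount targets. `IsPublicSubnet` begins and ends outside this hunk.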
@@ -31,12 +31,12 @@ import (
 func (b *ecsAPIService) createNFSMountTarget(project *types.Project, resources awsResources, template *cloudformation.Template) {
 for volume := range project.Volumes {
- for _, subnet := range resources.subnets {
- name := fmt.Sprintf("%sNFSMountTargetOn%s", normalizeResourceName(volume), normalizeResourceName(subnet.ID()))
+ for _, pubSubnet := range resources.pubSubnets {
+ name := fmt.Sprintf("%sNFSMountTargetOn%s", normalizeResourceName(volume), normalizeResourceName(pubSubnet.ID()))
 template.Resources[name] = &efs.MountTarget{
 FileSystemId: resources.filesystems[volume].ID(),
 SecurityGroups: resources.allSecurityGroups(),
- SubnetId: subnet.ID(),
+ SubnetId: pubSubnet.ID(),
 }
 }
 }
@@ -44,8 +44,8 @@ func (b *ecsAPIService) createNFSMountTarget(project *types.Project, resources a
 func (b *ecsAPIService) mountTargets(volume string, resources awsResources) []string {
 var refs []string
- for _, subnet := range resources.subnets {
- refs = append(refs, fmt.Sprintf("%sNFSMountTargetOn%s", normalizeResourceName(volume), normalizeResourceName(subnet.ID())))
+ for _, pubSubnet := range resources.pubSubnets {
+ refs = append(refs, fmt.Sprintf("%sNFSMountTargetOn%s", normalizeResourceName(volume), normalizeResourceName(pubSubnet.ID())))
 }
 return refs
 }
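Review bot: The mount-target resource name is built twice with the same `fmt.Sprintf("%sNFSMountTargetOn%s", ...)` expression, here in `createNFSMountTarget` and again in `mountTargets` in the next hunk, and this commit had to edit both copies in step; a small helper `func nfsMountTargetName(volume, subnetID string) string { return fmt.Sprintf("%sNFSMountTargetOn%s", normalizeResourceName(volume), normalizeResourceName(subnetID)) }` called from both loops keeps the created resource and the references `mountTargets` returns (presumably used as DependsOn) from drifting apart. `createNFSMountTarget` has no error return, so an empty `resources.pubSubnets` makes the loop a silent no-op; that contract deserves a line on the function, e.g. `// Mount targets are created only on resources.pubSubnets (one per volume per public subnet); the caller must ensure it is non-empty when project.Volumes is set.`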