From 0490e7dd185a7eb8512412820a7b00dd8957320a Mon Sep 17 00:00:00 2001
From: Jordan Acosta
Date: Wed, 24 Jan 2024 11:19:38 -0800
Subject: [PATCH 1/4] fix(aws-ecs): add rules to default vpc security group
---
 aws-ecs/vpc.tf | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/aws-ecs/vpc.tf b/aws-ecs/vpc.tf
index f0fa271..5c5fc8c 100644
--- a/aws-ecs/vpc.tf
+++ b/aws-ecs/vpc.tf
@@ -34,6 +34,15 @@ module "vpc" {
 #create_database_subnet_group = true
 #create_elasticache_subnet_group = true
+ default_security_group_egress = [
+ {
+ "protocol" = "-1"
+ from_port = 0
+ to_port = 0
+ cidr_blocks = "0.0.0.0/0"
+ }
+ ]
+
 public_subnet_tags = {
 "kubernetes.io/cluster/${local.nuon_id}" = "shared"
 "kubernetes.io/role/elb" = 1
From b7c812a13de06d44e49eca9549aeda6d35da54de Mon Sep 17 00:00:00 2001
From: Jordan Acosta
Date: Thu, 25 Jan 2024 10:16:43 -0800
Subject: [PATCH 2/4] fix(aws-ecs): expose ingress
Merging this now to match byovpc version of ecs, but will lock both down with custom SGs in the next PR.
---
 aws-ecs/vpc.tf | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/aws-ecs/vpc.tf b/aws-ecs/vpc.tf
index 5c5fc8c..9335ba5 100644
--- a/aws-ecs/vpc.tf
+++ b/aws-ecs/vpc.tf
@@ -43,6 +43,15 @@ module "vpc" {
 }
 ]
+ default_security_group_ingress = [
+ {
+ "protocol" = "-1"
+ from_port = 0
+ to_port = 0
+ cidr_blocks = "0.0.0.0/0"
+ }
+ ]
+
 public_subnet_tags = {
 "kubernetes.io/cluster/${local.nuon_id}" = "shared"
 "kubernetes.io/role/elb" = 1
From 300e400714249ae1bb2f91eff134eb375872f7ff Mon Sep 17 00:00:00 2001
From: Jordan Acosta
Date: Fri, 26 Jan 2024 13:10:48 -0800
Subject: [PATCH 3/4] feat(aws-ecs-byovpc): add runner security group
---
 aws-ecs-byovpc/outputs.tf | 4 ++--
 aws-ecs-byovpc/runner_security_group.tf | 17 +++++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 aws-ecs-byovpc/runner_security_group.tf
diff --git a/aws-ecs-byovpc/outputs.tf b/aws-ecs-byovpc/outputs.tf
index 51ebbf3..d42bd09 100644
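Review bot: `"protocol"` is written as a quoted key while `from_port`, `to_port` and `cidr_blocks` in the same rule map are bare; HCL accepts both, but the inconsistency reads like a paste artefact, so `protocol = "-1"` is the form to keep. A one-line comment above the list would also help, because the reason for touching the VPC default group is not stated anywhere: if this is terraform-aws-modules/vpc, as the `default_security_group_egress` input name suggests, the module removes the AWS-provided rules from the default group unless rules are listed here, and `cidr_blocks` in its rule maps is a comma-separated string rather than the list form used on `aws_security_group` rules. Something like `# default SG: the vpc module strips AWS's built-in rules unless listed here; cidr_blocks is a comma-separated string in this map format` would save the next reader a double-take. The `module "vpc"` block starts and ends outside the hunk.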
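Review bot: The new `default_security_group_ingress` rule admits every protocol and every port from `0.0.0.0/0` on the VPC's default security group, which is the group AWS attaches to any interface launched without an explicit one, so anything in this VPC that ends up with a public address is open to the internet. The commit message defers the lock-down to a later PR, and PATCH 4/4 of this series does drop this block, but the group that replaces it carries the same open rule, so the tightening is still owed. A restriction that needs no extra inputs is a self-reference, `self = true` in place of `cidr_blocks = "0.0.0.0/0"` (the module's rule maps accept `self`, if this is terraform-aws-modules/vpc as the input names suggest), with anything that must reach the tasks from outside granted by a `security_groups`-sourced rule rather than a CIDR. As in the egress rule, `"protocol"` should lose its quotes to match the sibling keys.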
--- a/aws-ecs-byovpc/outputs.tf
+++ b/aws-ecs-byovpc/outputs.tf
@@ -31,8 +31,8 @@ output "vpc" {
 public_subnet_cidr_blocks = [for s in data.aws_subnet.public : s.cidr_block]
 public_subnet_ids = data.aws_subnets.public.ids
- default_security_group_id = data.aws_security_group.default.id
- default_security_group_arn = data.aws_security_group.default.arn
+ default_security_group_id = aws_security_group.runner.id
+ default_security_group_arn = aws_security_group.runner.arn
 }
 }
diff --git a/aws-ecs-byovpc/runner_security_group.tf b/aws-ecs-byovpc/runner_security_group.tf
new file mode 100644
index 0000000..d89a4ee
--- /dev/null
+++ b/aws-ecs-byovpc/runner_security_group.tf
@@ -0,0 +1,17 @@
+resource "aws_security_group" "runner" {
+ vpc_id = var.vpc_id
+
+ egress {
+ protocol = "-1"
+ from_port = 0
+ to_port = 0
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ protocol = "-1"
+ from_port = 0
+ to_port = 0
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
From 9cec51afb015d89e2140d77636e6db75996a1c9a Mon Sep 17 00:00:00 2001
From: Jordan Acosta
Date: Fri, 26 Jan 2024 16:47:39 -0800
Subject: [PATCH 4/4] feat(aws-ecs): add runner security group
---
 aws-ecs/outputs.tf | 4 ++--
 aws-ecs/runner_security_group.tf | 17 +++++++++++++++++
 aws-ecs/vpc.tf | 18 ------------------
 3 files changed, 19 insertions(+), 20 deletions(-)
 create mode 100644 aws-ecs/runner_security_group.tf
diff --git a/aws-ecs/outputs.tf b/aws-ecs/outputs.tf
index d3632c9..3402116 100644
--- a/aws-ecs/outputs.tf
+++ b/aws-ecs/outputs.tf
@@ -31,8 +31,8 @@ output "vpc" {
 public_subnet_cidr_blocks = module.vpc.public_subnets_cidr_blocks
 public_subnet_ids = module.vpc.public_subnets
- default_security_group_id = module.vpc.default_security_group_id
- # default_security_group_arn = data.aws_security_group.default.arn
+ default_security_group_id = aws_security_group.runner.id
+ # default_security_group_arn = aws_security_group.runner.arn
 }
 }
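Review bot: `default_security_group_id` and `default_security_group_arn` now return the module-created `aws_security_group.runner`, so a consumer of the `vpc` output reads a group that is not the VPC default group the key names, and nothing in the hunk records the change of meaning. If consumers depend on the old keys, keep them but add honestly named siblings beside them, `runner_security_group_id = aws_security_group.runner.id` and `runner_security_group_arn = aws_security_group.runner.arn`, plus a comment on the old pair such as `# kept under the old key names for compatibility; now alias the runner group`. With both references gone, `data.aws_security_group.default` is presumably unused in this module and can be removed — worth checking. The `output "vpc"` block starts outside the hunk.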
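Review bot: The `ingress` block allows every protocol on every port from `0.0.0.0/0`, so the runner is reachable from anywhere as soon as it has a public address or something forwards to it; the matching allow-all egress is the usual convention, but an open ingress has no such justification and none is given in the file. The resource also has no `description`, `name_prefix` or tags, so in the console it appears as an auto-named `terraform-…` group with no hint of its role. The version below restricts ingress to members of the group itself (`self = true` needs no extra variables in a bring-your-own-VPC module) and adds a description; whatever must reach the runner, a load balancer for instance, should then be admitted with a `security_groups = [...]` rule rather than a CIDR. If the runner genuinely must accept traffic from the internet, a comment above the block naming the ports and the reason is the minimum.
```hcl
resource "aws_security_group" "runner" {
  name_prefix = "runner-"
  description = "Runner security group: unrestricted egress, ingress only from members of this group"
  vpc_id      = var.vpc_id

  # … unchanged: egress block …

  # Only other members of this group may reach the runner; grant anything
  # that fronts it (e.g. a load balancer) with a security_groups rule.
  ingress {
    protocol  = "-1"
    from_port = 0
    to_port   = 0
    self      = true
  }
}
```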
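Review bot: `default_security_group_arn` stays commented out even though the attribute it now points at, `aws_security_group.runner.arn`, is a real attribute of the group this module creates, so the `vpc` output here still lacks a field the byovpc module's equivalent output exports earlier in this series; uncommenting it, `default_security_group_arn = aws_security_group.runner.arn`, brings the two modules' output shapes back in line. Presumably the line was commented out because this module had no `data.aws_security_group.default`, a reason that no longer applies. As in the byovpc change, both keys now describe the runner group under the VPC-default names, which deserves a comment such as `# aliases of the runner group, kept under the old key names for compatibility` or additional `runner_security_group_*` keys beside them. The `output "vpc"` block starts outside the hunk.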
diff --git a/aws-ecs/runner_security_group.tf b/aws-ecs/runner_security_group.tf
new file mode 100644
index 0000000..cb4a43c
--- /dev/null
+++ b/aws-ecs/runner_security_group.tf
@@ -0,0 +1,17 @@
+resource "aws_security_group" "runner" {
+ vpc_id = module.vpc.vpc_id
+
+ egress {
+ protocol = "-1"
+ from_port = 0
+ to_port = 0
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ protocol = "-1"
+ from_port = 0
+ to_port = 0
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
diff --git a/aws-ecs/vpc.tf b/aws-ecs/vpc.tf
index 9335ba5..f0fa271 100644
--- a/aws-ecs/vpc.tf
+++ b/aws-ecs/vpc.tf
@@ -34,24 +34,6 @@ module "vpc" {
 #create_database_subnet_group = true
 #create_elasticache_subnet_group = true
- default_security_group_egress = [
- {
- "protocol" = "-1"
- from_port = 0
- to_port = 0
- cidr_blocks = "0.0.0.0/0"
- }
- ]
-
- default_security_group_ingress = [
- {
- "protocol" = "-1"
- from_port = 0
- to_port = 0
- cidr_blocks = "0.0.0.0/0"
- }
- ]
-
 public_subnet_tags = {
 "kubernetes.io/cluster/${local.nuon_id}" = "shared"
 "kubernetes.io/role/elb" = 1
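Review bot: As in the byovpc module, the `ingress` block opens every protocol and port to `0.0.0.0/0`, and here the fix is cheaper because the VPC module read on the `vpc_id` line above also exposes the VPC CIDR (its `vpc_cidr_block` output, if this is terraform-aws-modules/vpc as the `public_subnets_cidr_blocks` and `default_security_group_id` outputs used in `outputs.tf` suggest). Limiting ingress to that CIDR keeps everything inside the VPC able to reach the runner while closing it to the internet; sources outside the VPC should be admitted by explicit `security_groups` rules, and if internet ingress is truly required a comment naming the ports and the reason belongs above the block. A `description` and `name_prefix` are missing as well, leaving an auto-named group in the console. The rewritten resource:
```hcl
resource "aws_security_group" "runner" {
  name_prefix = "runner-"
  description = "Runner security group: unrestricted egress, ingress from within the VPC only"
  vpc_id      = module.vpc.vpc_id

  # … unchanged: egress block …

  # Intra-VPC only; admit external sources with explicit security_groups rules.
  ingress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = [module.vpc.vpc_cidr_block]
  }
}
```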