Update network configuration for module

- With introduction of VPC endpoint routing existing ECS service can no
  longer access secrestmanager.
  - This is fixed by introducing the security group rules for the ECS
    security group to allow access to/from VPC endpoint

Author: TheOneFromNorway

terraform/app/modules/dms/dms.tf

@@ -1,30 +1,10 @@
-
 resource "aws_dms_replication_subnet_group" "dms_subnet_group" {
   replication_subnet_group_id          = "dms-subnet-group"
   replication_subnet_group_description = "Subnet group for DMS replication instance"
   subnet_ids                           = var.subnet_ids
   depends_on                           = [aws_iam_role.dms_vpc_role]
 }
 
-resource "aws_security_group" "dms" {
-  name        = "dms-security-group"
-  description = "Security group for DMS replication instance"
-  vpc_id      = var.vpc_id
-
-  tags = {
-    Name = "dms-security-group-${var.environment}"
-  }
-}
-
-resource "aws_security_group_rule" "dms_ingress" {
-  type                     = "ingress"
-  from_port                = 5432
-  to_port                  = 5432
-  protocol                 = "tcp"
-  security_group_id        = var.rds_cluster_security_group_id
-  source_security_group_id = aws_security_group.dms.id
-}
-
 resource "aws_dms_replication_instance" "dms_instance" {
   replication_instance_id     = "dms-replication-instance"
   replication_instance_class  = "dms.t3.medium"
@@ -33,27 +13,6 @@ resource "aws_dms_replication_instance" "dms_instance" {
   publicly_accessible         = false
 }
 
-resource "aws_security_group_rule" "egress_to_rds" {
-  type                     = "egress"
-  from_port                = var.source_port
-  to_port                  = var.source_port
-  protocol                 = "tcp"
-  security_group_id        = aws_security_group.dms.id
-  source_security_group_id = var.rds_cluster_security_group_id
-}
-
-module "secretsmanager_vpc_endpoint" {
-  source                = "../vpc_endpoint"
-  ingress_ports         = ["443"]
-  service_name          = "com.amazonaws.eu-west-2.secretsmanager"
-  source_security_group = aws_security_group.dms.id
-  subnet_ids            = var.subnet_ids
-  vpc_id                = var.vpc_id
-  tags = {
-    Name = "SecretsManager VPC Endpoint - ${var.environment}"
-  }
-}
-
 resource "aws_dms_endpoint" "source" {
   endpoint_id                     = "source-endpoint"
   endpoint_type                   = "source"

terraform/app/modules/dms/network.tf

@@ -0,0 +1,71 @@
+resource "aws_security_group" "dms" {
+  name        = "dms-security-group"
+  description = "Security group for DMS replication instance"
+  vpc_id      = var.vpc_id
+
+  tags = {
+    Name = "dms-security-group-${var.environment}"
+  }
+}
+
+module "secretsmanager_vpc_endpoint" {
+  source                = "../vpc_endpoint"
+  ingress_ports         = ["443"]
+  service_name          = "com.amazonaws.eu-west-2.secretsmanager"
+  source_security_group = aws_security_group.dms.id
+  subnet_ids            = var.subnet_ids
+  vpc_id                = var.vpc_id
+  tags = {
+    Name = "SecretsManager VPC Endpoint - ${var.environment}"
+  }
+}
+
+resource "aws_security_group_rule" "egress_to_rds" {
+  type                     = "egress"
+  from_port                = var.source_port
+  to_port                  = var.source_port
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.dms.id
+  source_security_group_id = var.rds_cluster_security_group_id
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_security_group_rule" "dms_ingress" {
+  type                     = "ingress"
+  from_port                = 5432
+  to_port                  = 5432
+  protocol                 = "tcp"
+  security_group_id        = var.rds_cluster_security_group_id
+  source_security_group_id = aws_security_group.dms.id
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_security_group_rule" "ingress_from_ecs" {
+  count                    = length(var.ecs_sg_ids)
+  type                     = "ingress"
+  from_port                = 443
+  to_port                  = 443
+  protocol                 = "tcp"
+  security_group_id        = module.secretsmanager_vpc_endpoint.sg_id
+  source_security_group_id = var.ecs_sg_ids[count.index]
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_security_group_rule" "egress_to_ecs" {
+  count                    = length(var.ecs_sg_ids)
+  type                     = "egress"
+  from_port                = 443
+  to_port                  = 443
+  protocol                 = "tcp"
+  security_group_id        = var.ecs_sg_ids[count.index]
+  source_security_group_id = module.secretsmanager_vpc_endpoint.sg_id
+  lifecycle {
+    create_before_destroy = true
+  }
+}

terraform/app/modules/dms/secrets.tf

@@ -12,11 +12,11 @@ locals {
 }
 
 resource "aws_secretsmanager_secret" "source" {
-  name = "${var.environment}_dms_temporary_secret_source"
+  name = "dms_temporary_secret_source_123"
 }
 
 resource "aws_secretsmanager_secret" "target" {
-  name = "${var.environment}_dms_temporary_secret_target"
+  name = "dms_temporary_secret_target_123"
 }
 
 resource "aws_secretsmanager_secret_version" "source" {

terraform/app/modules/dms/variables.tf

@@ -22,6 +22,13 @@ variable "source_database_name" {
   nullable    = false
 }
 
+variable "ecs_sg_ids" {
+  type        = list(string)
+  description = "List of ECS security group IDs"
+  default     = []
+  nullable    = false
+}
+
 variable "source_db_secret_arn" {
   type        = string
   description = "The secret arn for the source database"

terraform/app/rds.tf

@@ -112,6 +112,7 @@ module "dms_custom_kms_migration" {
   source      = "./modules/dms"
   environment = var.environment
 
+  ecs_sg_ids            = local.ecs_sg_ids
   source_endpoint       = aws_rds_cluster.aurora_cluster.endpoint
   source_port           = aws_rds_cluster.aurora_cluster.port
   source_database_name  = aws_rds_cluster.aurora_cluster.database_name