No Way To Assign Existing Security Groups To ECS Cluster

❓ General Issue

The Question

When I attempt to create a Cluster using the AWS CDK (Typescript) like so:

    import * as ec2 from '@aws-cdk/aws-ec2';
    import * as ecs from '@aws-cdk/aws-ecs';

    // `vpc` is an existing ec2.IVpc looked up or imported earlier in the stack.
    const serverCluster = new ecs.Cluster(this, 'EcsServerCluster', { vpc: vpc })

    // addCapacity creates an AutoScalingGroup (and its own instance security group) for the cluster.
    serverCluster.addCapacity('DefaultAutoScalingGroup', {
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MEDIUM),
    })

The CDK deploy blows up on the addCapacity call:

    1/26 | 10:47:30 AM | CREATE_FAILED | AWS::EC2::SecurityGroup | EcsServerCluster/DefaultAutoScalingGroup/InstanceSecurityGroup (EcsServerClusterDefaultAutoScalingGroupInstanceSecurityGroupEE7A9C3D) API: ec2:CreateSecurityGroup You are not authorized to perform this operation.

I apparently need a way to pass existing security groups when establishing the cluster. When going through the AWS console to create an ECS cluster, you are allowed to specify existing subnets and security groups (for example) when creating a cluster.

I did notice that there was a connections property of ECS Cluster which is used to “Manage the allowed network connections for the cluster with Security Groups.” However, there appears to be no way to set it in the Typescript AWS CDK.

Environment

  • CDK CLI Version: 1.13.1 (build 96cfc63)
  • Module Version: aws-ecs
  • OS: OSX Mojave
  • Language: TypeScript

Other information

    1/26 | 10:47:30 AM | CREATE_FAILED | AWS::EC2::SecurityGroup | EcsServerCluster/DefaultAutoScalingGroup/InstanceSecurityGroup (EcsServerClusterDefaultAutoScalingGroupInstanceSecurityGroupEE7A9C3D) API: ec2:CreateSecurityGroup You are not authorized to perform this operation.

Issue Analytics

  • State: open
  • Created 4 years ago
  • Reactions: 5
  • Comments: 6 (2 by maintainers)

Top GitHub Comments

9 reactions
ShawnWu33 commented, Jul 1, 2020

Hi @joncantu @hencrice,

I saw you add the security group to cluster.connections; however, the default security group is always created in the EC2 DefaultAutoScalingGroup, with no inbound rules.

If you are trying to add your security group to the EC2 resources used by your cluster, here is the way (the following code uses aws-cdk@1.4.7):

    import * as ec2 from '@aws-cdk/aws-ec2';
    import * as ecs from '@aws-cdk/aws-ecs';

    // `vpc` is the existing ec2.IVpc the cluster runs in. `yourSecurityGroup` is an
    // existing ec2.ISecurityGroup, for example imported with
    // ec2.SecurityGroup.fromSecurityGroupId(this, 'ExistingSg', 'sg-xxxxxxxx').
    const serverCluster = new ecs.Cluster(this, 'EcsServerCluster', { vpc: vpc })

    /**
     * addCapacity adds compute capacity to the cluster by creating an AutoScalingGroup
     * with the specified options, and returns that AutoScalingGroup.
     */
    const autoScalingGroup = serverCluster.addCapacity('DefaultAutoScalingGroup', {
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MEDIUM),
    })

    // Attach the existing security group to the AutoScalingGroup. Instances it launches
    // carry this group in addition to the instance security group addCapacity creates.
    autoScalingGroup.addSecurityGroup(yourSecurityGroup);

I have tested this solution and it works; the security group added here is attached to the EC2 instances created by your ECS cluster and tasks.
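Neither the issue body nor the comment above shows how to find out, before spending a `cdk deploy` on it, which resources the synthesized template will try to create that the deploy role is denied (here the InstanceSecurityGroup, since the role lacks ec2:CreateSecurityGroup). The TypeScript below is an added example, not code from this thread or from the CDK project: it reads a CloudFormation template in the shape `cdk synth` writes, lists resources of denied types, and reports which security groups the capacity's launch configuration attaches. The sample templates are constructed; the InstanceSecurityGroup logical ID is the one quoted in the error, while the LaunchConfig logical ID, the sg-... value and the FIXED_TEMPLATE counterpart are assumptions.

```typescript
// Added example (not from the issue thread or the CDK project): a pre-deploy check
// over a synthesized CloudFormation template for resources a least-privilege deploy
// role cannot create, plus a view of the security groups the launch config attaches.

interface CfnResource {
  Type: string;
  Properties?: Record<string, unknown>;
}

interface CfnTemplate {
  Resources: Record<string, CfnResource>;
}

interface Finding {
  logicalId: string;
  type: string;
}

// Resource types the deploy role in the issue is not allowed to create.
// ec2:CreateSecurityGroup is the call the reported error names; extend as needed.
const DENIED_RESOURCE_TYPES: string[] = ["AWS::EC2::SecurityGroup"];

// Every resource the template would create whose type is in `denied`.
function findDeniedResources(template: CfnTemplate, denied: string[] = DENIED_RESOURCE_TYPES): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (denied.indexOf(res.Type) !== -1) {
      findings.push({ logicalId, type: res.Type });
    }
  }
  return findings;
}

// An intrinsic {"Fn::GetAtt": ["<LogicalId>", "<Attribute>"]} reference.
function isGetAtt(value: unknown): value is { "Fn::GetAtt": [string, string] } {
  return typeof value === "object" && value !== null && Array.isArray((value as any)["Fn::GetAtt"]);
}

// Security groups attached by AutoScaling launch configurations, normalised to a
// string: a literal "sg-..." ID for a pre-existing group, or "<LogicalId>.GroupId"
// for a group the same template creates (and therefore must be allowed to create).
function launchConfigSecurityGroups(template: CfnTemplate): string[] {
  const out: string[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== "AWS::AutoScaling::LaunchConfiguration") continue;
    const groups = (res.Properties?.SecurityGroups ?? []) as unknown[];
    for (const g of groups) {
      if (typeof g === "string") {
        out.push(g);
      } else if (isGetAtt(g)) {
        out.push(`${g["Fn::GetAtt"][0]}.${g["Fn::GetAtt"][1]}`);
      }
    }
  }
  return out;
}

// The gate to run before `cdk deploy`: nothing of a denied type is created, and the
// launch configuration references only security groups that already exist.
function deployableWithoutSecurityGroupCreation(template: CfnTemplate): boolean {
  return (
    findDeniedResources(template).length === 0 &&
    launchConfigSecurityGroups(template).every((g) => /^sg-/.test(g))
  );
}

// Constructed sample shaped like the issue's synthesized stack. The InstanceSecurityGroup
// logical ID is the one quoted in the error; the LaunchConfig ID and sg-... are assumptions.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    EcsServerClusterDefaultAutoScalingGroupInstanceSecurityGroupEE7A9C3D: {
      Type: "AWS::EC2::SecurityGroup",
      Properties: { GroupDescription: "EcsServerCluster/DefaultAutoScalingGroup/InstanceSecurityGroup" },
    },
    EcsServerClusterDefaultAutoScalingGroupLaunchConfig: {
      Type: "AWS::AutoScaling::LaunchConfiguration",
      Properties: {
        SecurityGroups: [
          { "Fn::GetAtt": ["EcsServerClusterDefaultAutoScalingGroupInstanceSecurityGroupEE7A9C3D", "GroupId"] },
          "sg-0123456789abcdef0", // the existing group attached via addSecurityGroup (assumed value)
        ],
      },
    },
  },
};

// Constructed counterpart in which the launch configuration references only the existing
// group, so the check passes. Nothing in the thread shows a CDK construct that emits this.
const FIXED_TEMPLATE: CfnTemplate = {
  Resources: {
    EcsServerClusterDefaultAutoScalingGroupLaunchConfig: {
      Type: "AWS::AutoScaling::LaunchConfiguration",
      Properties: { SecurityGroups: ["sg-0123456789abcdef0"] },
    },
  },
};

// Usage: report what the deploy role would be refused before running `cdk deploy`.
for (const f of findDeniedResources(SAMPLE_TEMPLATE)) {
  console.log(`deploy role cannot create ${f.type} ${f.logicalId}`);
}
console.log(`attached security groups: ${launchConfigSecurityGroups(SAMPLE_TEMPLATE).join(", ")}`);
```

Point it at `cdk.out/<StackName>.template.json` after `cdk synth` instead of SAMPLE_TEMPLATE. As the comment above observes, addCapacity still emits the InstanceSecurityGroup even after addSecurityGroup, so on the issue's stack the check keeps reporting that resource until the deploy role is granted ec2:CreateSecurityGroup.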

0 reactions
yukihirai0505 commented, Jun 23, 2021

I also had the same issue. It was solved by @ShawnWu33's approach. Thank you.
