SG hardening#364

Open
e9e4e5f0faef wants to merge 2 commits into feat/ecs-fargate-migration from security/sg-hardening

Conversation

@e9e4e5f0faef
Collaborator

Summary

Aligns SG architecture with the pattern established in thunderbird-accounts repo

Depends on #362 (feat/ecs-fargate-migration)

Changes

  • Refactored SG config into separate load_balancers and containers sections
  • Code dynamically wires source_security_group_id from the ALB SG into the container ingress rules
  • Containers only accept traffic from their ALB SG

Config structure (matches accounts repo)

tb:network:SecurityGroupWithRules:
  load_balancers:
    web: { ingress: 443 from internet }
    versioncheck: { ingress: 443 from internet }
    worker: null  # No ALB here
  containers:
    web: { ingress: 8000 from ALB SG }
    versioncheck: { ingress: 8000 from ALB SG }
    worker: { no ingress }

Testing

  • Python syntax has been validated
  • Pattern verified against thunderbird-accounts implementation

Checklist

  • Follows thunderbird-accounts security group pattern
  • Source SG dynamically wired
  • pulumi preview
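The wiring the description sketches, as an added example that is not the PR's or the project's code: a pure-Python function that turns the load_balancers/containers config into ingress rules, giving each container SG a source_security_group_id pointing at its own ALB SG, and a guardrail that flags any container SG carrying a CIDR source. The config dict shape, the port constants, the sg_ids lookup table and its key names (lb-web, container-web, ...) are all assumptions for illustration; in the real Pulumi stack the ids would be Outputs handed to aws.ec2.SecurityGroupRule, here they are constructed strings so the logic runs and can be checked offline.

```python
"""Added example (not the PR's own code): wire container SG ingress to the
ALB SG. All names, ids and the config shape below are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ALB_PORT = 443          # assumed ALB listener port (PR: "443 from internet")
CONTAINER_PORT = 8000   # assumed container port (PR: "8000 from ALB SG")
INTERNET = "0.0.0.0/0"


@dataclass(frozen=True)
class IngressRule:
    target_sg: str                    # SG the rule is attached to
    port: int
    cidr: Optional[str] = None        # only for internet-facing ALB rules
    source_sg: Optional[str] = None   # only for SG-to-SG container rules


# Constructed sample config mirroring the PR description.
SAMPLE_CONFIG = {
    "load_balancers": {
        "web": {"ingress": ALB_PORT},
        "versioncheck": {"ingress": ALB_PORT},
        "worker": None,               # no ALB in front of the worker
    },
    "containers": {
        "web": {"ingress": CONTAINER_PORT},
        "versioncheck": {"ingress": CONTAINER_PORT},
        "worker": {},                 # no ingress at all
    },
}

# Constructed stand-ins for the SG ids Pulumi would return as Outputs.
SAMPLE_SG_IDS = {
    "lb-web": "sg-0aaa", "lb-versioncheck": "sg-0bbb",
    "container-web": "sg-0ccc", "container-versioncheck": "sg-0ddd",
    "container-worker": "sg-0eee",
}


def build_rules(config: dict, sg_ids: Dict[str, str]) -> List[IngressRule]:
    """Derive ingress rules: ALB SGs open to the internet, container SGs
    open only to their own ALB SG. A container that asks for ingress but
    has no ALB is a config error, not something to fall back to a CIDR."""
    rules: List[IngressRule] = []
    lbs = config["load_balancers"]
    for name, lb in lbs.items():
        if lb is None:
            continue                  # e.g. worker: no ALB SG to create rules for
        rules.append(IngressRule(target_sg=sg_ids[f"lb-{name}"],
                                 port=lb["ingress"], cidr=INTERNET))
    for name, container in config["containers"].items():
        if not container or "ingress" not in container:
            continue                  # e.g. worker: no ingress rule at all
        if lbs.get(name) is None:
            raise ValueError(
                f"container {name!r} requests ingress but has no ALB SG to accept from")
        rules.append(IngressRule(target_sg=sg_ids[f"container-{name}"],
                                 port=container["ingress"],
                                 source_sg=sg_ids[f"lb-{name}"]))   # dynamic wiring
    return rules


def public_container_rules(rules: List[IngressRule],
                           sg_ids: Dict[str, str]) -> List[IngressRule]:
    """Guardrail: return any rule that exposes a container SG to a CIDR.
    Expected to be empty; a non-empty result means the hardening regressed."""
    container_sgs = {v for k, v in sg_ids.items() if k.startswith("container-")}
    return [r for r in rules if r.target_sg in container_sgs and r.cidr is not None]


if __name__ == "__main__":
    for rule in build_rules(SAMPLE_CONFIG, SAMPLE_SG_IDS):
        print(rule)
    print("public container rules:",
          public_container_rules(build_rules(SAMPLE_CONFIG, SAMPLE_SG_IDS), SAMPLE_SG_IDS))
```

The ValueError branch is the check worth keeping in a real stack: if someone later adds an ingress entry for worker without an ALB, the preview should fail rather than silently producing a rule with no source.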
