SG hardening #364

Closed

e9e4e5f0faef wants to merge 2 commits into feat/ecs-fargate-migration from security/sg-hardening

Conversation

@e9e4e5f0faef (Collaborator)

Summary

Aligns SG architecture with the pattern established in thunderbird-accounts repo

Depends on #362 (feat/ecs-fargate-migration)

Changes

  • Refactored SG config into separate load_balancers and containers sections
  • Code dynamically wiring source_security_group_id from ALB SG to container ingress rules
  • Containers only accept traffic from their ALB SG

Config structure (matches accounts repo)

tb:network:SecurityGroupWithRules:
  load_balancers:
    web: { ingress: 443 from internet }
    versioncheck: { ingress: 443 from internet }
    worker: null  # No ALB here
  containers:
    web: { ingress: 8000 from ALB SG }
    versioncheck: { ingress: 8000 from ALB SG }
    worker: { no ingress }

Testing

  • Python syntax has been validated
  • Pattern verified against thunderbird-accounts implementation

Checklist

  • Follows thunderbird-accounts security group pattern
  • Source SG dynamically wired
  • pulumi preview
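The load_balancers / containers wiring the description above talks about, as an added example that is not the project's Pulumi code: the config dict mirrors the structure shown in the PR, while the ALB SG ids and the rule dicts are constructed placeholders standing in for the Pulumi resources and outputs.

```python
"""Constructed illustration of the SG pattern in this PR (not the project's code).
ALB SG ids are placeholder strings; rules are plain dicts instead of Pulumi resources."""
from typing import Any

# Constructed config mirroring the tb:network:SecurityGroupWithRules layout above.
SG_CONFIG: dict[str, Any] = {
    "load_balancers": {
        "web": {"ingress": 443},
        "versioncheck": {"ingress": 443},
        "worker": None,  # no ALB in front of the worker
    },
    "containers": {
        "web": {"ingress": 8000},
        "versioncheck": {"ingress": 8000},
        "worker": {},  # no ingress at all
    },
}

# Placeholder ids standing in for what Pulumi would return for the ALB SGs at deploy time.
ALB_SG_IDS = {"web": "sg-alb-web-PLACEHOLDER", "versioncheck": "sg-alb-versioncheck-PLACEHOLDER"}


def build_ingress_rules(config: dict[str, Any], alb_sg_ids: dict[str, str]) -> dict[str, list[dict[str, Any]]]:
    """Return ingress rules keyed by SG name. ALB SGs accept from the internet on their
    port; container SGs accept only from their own ALB SG via source_security_group_id,
    and a service without an ALB gets no container ingress rule at all."""
    rules: dict[str, list[dict[str, Any]]] = {}
    for svc, lb in config["load_balancers"].items():
        if lb is not None:
            rules[f"{svc}-alb"] = [{"protocol": "tcp", "from_port": lb["ingress"],
                                    "to_port": lb["ingress"], "cidr_blocks": ["0.0.0.0/0"]}]
    for svc, ctr in config["containers"].items():
        port = ctr.get("ingress")
        if port is None or config["load_balancers"].get(svc) is None:
            rules[f"{svc}-container"] = []  # e.g. worker: nothing may reach it
            continue
        if svc not in alb_sg_ids:  # fail closed rather than fall back to a CIDR rule
            raise ValueError(f"{svc}: container ingress declared but no ALB SG id to wire")
        rules[f"{svc}-container"] = [{"protocol": "tcp", "from_port": port, "to_port": port,
                                      "source_security_group_id": alb_sg_ids[svc]}]
    return rules


def find_internet_exposed_containers(rules: dict[str, list[dict[str, Any]]]) -> list[str]:
    """Guardrail for review: a container SG carrying a CIDR rule instead of a source SG is a finding."""
    return sorted(name for name, rs in rules.items()
                  if name.endswith("-container") and any("cidr_blocks" in r for r in rs))
```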

@e9e4e5f0faef (Collaborator, Author)

Superseded via feat/ecs-fargate-migration -- now SG hardening is included in the main branch

@e9e4e5f0faef e9e4e5f0faef deleted the security/sg-hardening branch February 14, 2026 14:33