What does the SecurityGroup do?

[ambsw-technology]

When I first saw the SecurityGroupId export in this package, it seemed to be the solution I wanted for alb-listener. To make alb-listener do what I want in that issue, it would need to expose the ALB's Security Group so I could come back and add rules for it later.

In this case, a Security Group is created and ingress rules are attached, but there's no obvious way that the Security Group is used. I understand NLBs don't have their own security groups (like ALBs do) so a group like this would need to be attached to the target of the connection.

It isn't obvious how that's supposed to happen. I eventually figured out that you could pass this module to fargate-service as ClientSgModule1 and the SG would be attached to the Service, but only because I'm increasingly familiar with these templates.

At minimum, it seems like this template should share the ExposeSecurityGroupId interface with client-sg. Per my interfaces issue, of course, I'd prefer an interface name that is more use-oriented like SecurityGroupProvider or ServiceContainerSg. This would disambiguate it from other uses of the SecurityGroupId like Ingress or Egress. Symmetrically, I'd rename ClientSgModule1 to SecurityGroupProviderModule1 so it was obvious that this package could (in fact should) be used there. It also make sense to mention (in this README) that it should be passed there.

[ambsw-technology]

Nevermind. I finally figured out that it parallels the alb-target and gets attached to the service (via TargetModule).

[ambsw-technology]

P.S. If the export was named TargetSg, it would have been obvious to look at the Target interface (or consumers of the Target interface) to see its use.

[michaelwittig]

Seems to be related to your suggestion here: cfn-modules/docs#36 (just making sure that people will find the discussion if they look at this issue)