feat: Allow specifying VPC ID used by service security group in lieu of deriving from subnets provided (#353)

taufort · bryantbiggs · web-flow · commit ac8f42074a3f · 2025-10-01T09:28:49.000-05:00
* feat: Add new vpc_id input Sometimes, it happens that Terraform tries to recreate the security group of the ECS service whereas the VPC did not actually change. To avoid this issue, let's use the dependency inversion principle (described here https://developer.hashicorp.com/terraform/language/modules/develop/composition#dependency-inversion) by passing the VPC ID as an input. * fix: Update logic and variable definition --------- Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.100.0
+    rev: v1.101.0
     hooks:
       - id: terraform_wrapper_module_for_each
       - id: terraform_fmt
diff --git a/README.md b/README.md
@@ -119,6 +119,7 @@ module "ecs" {
       }
 
       subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
+
       security_group_ingress_rules = {
         alb_3000 = {
           description                  = "Service port"
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -177,6 +177,7 @@ module "ecs" {
       ]
 
       subnet_ids                    = module.vpc.private_subnets
+      vpc_id                        = module.vpc.vpc_id
       availability_zone_rebalancing = "ENABLED"
       security_group_ingress_rules = {
         alb_3000 = {
diff --git a/modules/service/README.md b/modules/service/README.md
@@ -342,6 +342,7 @@ module "ecs_service" {
 | <a name="input_triggers"></a> [triggers](#input\_triggers) | Map of arbitrary keys and values that, when changed, will trigger an in-place update (redeployment). Useful with `timestamp()` | `map(string)` | `null` | no |
 | <a name="input_volume"></a> [volume](#input\_volume) | Configuration block for volumes that containers in your task may use | <pre>map(object({<br/>    configure_at_launch = optional(bool)<br/>    docker_volume_configuration = optional(object({<br/>      autoprovision = optional(bool)<br/>      driver        = optional(string)<br/>      driver_opts   = optional(map(string))<br/>      labels        = optional(map(string))<br/>      scope         = optional(string)<br/>    }))<br/>    efs_volume_configuration = optional(object({<br/>      authorization_config = optional(object({<br/>        access_point_id = optional(string)<br/>        iam             = optional(string)<br/>      }))<br/>      file_system_id          = string<br/>      root_directory          = optional(string)<br/>      transit_encryption      = optional(string)<br/>      transit_encryption_port = optional(number)<br/>    }))<br/>    fsx_windows_file_server_volume_configuration = optional(object({<br/>      authorization_config = optional(object({<br/>        credentials_parameter = string<br/>        domain                = string<br/>      }))<br/>      file_system_id = string<br/>      root_directory = string<br/>    }))<br/>    host_path = optional(string)<br/>    name      = optional(string)<br/>  }))</pre> | `null` | no |
 | <a name="input_volume_configuration"></a> [volume\_configuration](#input\_volume\_configuration) | Configuration for a volume specified in the task definition as a volume that is configured at launch time | <pre>object({<br/>    name = string<br/>    managed_ebs_volume = object({<br/>      encrypted        = optional(bool)<br/>      file_system_type = optional(string)<br/>      iops             = optional(number)<br/>      kms_key_id       = optional(string)<br/>      size_in_gb       = optional(number)<br/>      snapshot_id      = optional(string)<br/>      tag_specifications = optional(list(object({<br/>        propagate_tags = optional(string, "TASK_DEFINITION")<br/>        resource_type  = string<br/>        tags           = optional(map(string))<br/>      })))<br/>      throughput  = optional(number)<br/>      volume_type = optional(string)<br/>    })<br/>  })</pre> | `null` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The VPC ID where to deploy the task or service. If not provided, the VPC ID is derived from the subnets provided | `string` | `null` | no |
 | <a name="input_vpc_lattice_configurations"></a> [vpc\_lattice\_configurations](#input\_vpc\_lattice\_configurations) | The VPC Lattice configuration for your service that allows Lattice to connect, secure, and monitor your service across multiple accounts and VPCs | <pre>object({<br/>    role_arn         = string<br/>    target_group_arn = string<br/>    port_name        = string<br/>  })</pre> | `null` | no |
 | <a name="input_wait_for_steady_state"></a> [wait\_for\_steady\_state](#input\_wait\_for\_steady\_state) | If true, Terraform will wait for the service to reach a steady state before continuing. Default is `false` | `bool` | `null` | no |
 | <a name="input_wait_until_stable"></a> [wait\_until\_stable](#input\_wait\_until\_stable) | Whether terraform should wait until the task set has reached `STEADY_STATE` | `bool` | `null` | no |
diff --git a/modules/service/main.tf b/modules/service/main.tf
@@ -1638,7 +1638,7 @@ locals {
 }
 
 data "aws_subnet" "this" {
-  count = local.create_security_group ? 1 : 0
+  count = local.create_security_group && var.vpc_id != null ? 1 : 0
 
   region = var.region
 
@@ -1653,7 +1653,7 @@ resource "aws_security_group" "this" {
   name        = var.security_group_use_name_prefix ? null : local.security_group_name
   name_prefix = var.security_group_use_name_prefix ? "${local.security_group_name}-" : null
   description = var.security_group_description
-  vpc_id      = data.aws_subnet.this[0].vpc_id
+  vpc_id      = try(data.aws_subnet.this[0].vpc_id, var.vpc_id)
 
   tags = merge(
     var.tags,
diff --git a/modules/service/variables.tf b/modules/service/variables.tf
@@ -209,6 +209,12 @@ variable "subnet_ids" {
   nullable    = false
 }
 
+variable "vpc_id" {
+  description = "The VPC ID where to deploy the task or service. If not provided, the VPC ID is derived from the subnets provided"
+  type        = string
+  default     = null
+}
+
 variable "ordered_placement_strategy" {
   description = "Service level strategy rules that are taken into consideration during task placement. List from top to bottom in order of precedence"
   type = map(object({
diff --git a/wrappers/service/main.tf b/wrappers/service/main.tf
@@ -138,6 +138,7 @@ module "wrapper" {
   triggers                                = try(each.value.triggers, var.defaults.triggers, null)
   volume                                  = try(each.value.volume, var.defaults.volume, null)
   volume_configuration                    = try(each.value.volume_configuration, var.defaults.volume_configuration, null)
+  vpc_id                                  = try(each.value.vpc_id, var.defaults.vpc_id, null)
   vpc_lattice_configurations              = try(each.value.vpc_lattice_configurations, var.defaults.vpc_lattice_configurations, null)
   wait_for_steady_state                   = try(each.value.wait_for_steady_state, var.defaults.wait_for_steady_state, null)
   wait_until_stable                       = try(each.value.wait_until_stable, var.defaults.wait_until_stable, null)

Original file line number	Diff line number	Diff line change
`@@ -119,6 +119,7 @@ module "ecs" {`
`119`	`119`	`}`
`120`	`120`
`121`	`121`	`subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]`
	`122`	`+`
`122`	`123`	`security_group_ingress_rules = {`
`123`	`124`	`alb_3000 = {`
`124`	`125`	`description = "Service port"`
Original file line number	Diff line number	Diff line change
`@@ -177,6 +177,7 @@ module "ecs" {`
`177`	`177`	`]`
`178`	`178`
`179`	`179`	`subnet_ids = module.vpc.private_subnets`
	`180`	`+ vpc_id = module.vpc.vpc_id`
`180`	`181`	`availability_zone_rebalancing = "ENABLED"`
`181`	`182`	`security_group_ingress_rules = {`
`182`	`183`	`alb_3000 = {`