fix(ecs-patterns): Adds missing option to secure ingress of ALB in Ap…

packages/@aws-cdk/aws-ecs-patterns/lib/base/application-load-balanced-service-base.ts

@@ -42,6 +42,13 @@ export interface ApplicationLoadBalancedServiceBaseProps {
    */
   readonly publicLoadBalancer?: boolean;
 
+  /**
+   * Determines whether or not the Security Group for the Load Balancer's Listener will be open to all traffic by default.
+   *
+   * @default true -- The security group allows ingress from all IP addresses.
+   */
+  readonly openListener?: boolean;
+
   /**
    * The desired number of instantiations of the task definition to keep running on the service.
    * The minimum value is 1
@@ -323,7 +330,7 @@ export abstract class ApplicationLoadBalancedServiceBase extends cdk.Construct {
     this.listener = loadBalancer.addListener('PublicListener', {
       protocol,
       port: props.listenerPort,
-      open: true,
+      open: props.openListener ?? true,
     });
     this.targetGroup = this.listener.addTargets('ECS', targetProps);
 

packages/@aws-cdk/aws-ecs-patterns/test/ec2/test.l3s.ts

@@ -1,4 +1,4 @@
-import { expect, haveResource, haveResourceLike } from '@aws-cdk/assert';
+import { arrayWith, expect, haveResource, haveResourceLike, objectLike } from '@aws-cdk/assert';
 import { Certificate } from '@aws-cdk/aws-certificatemanager';
 import * as ec2 from '@aws-cdk/aws-ec2';
 import * as ecs from '@aws-cdk/aws-ecs';
@@ -1048,4 +1048,58 @@ export = {
 
     test.done();
   },
+
+  'test ECS loadbalanced construct default/open security group'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'VPC');
+    const cluster = new ecs.Cluster(stack, 'Cluster', { vpc });
+    cluster.addCapacity('DefaultAutoScalingGroup', { instanceType: new ec2.InstanceType('t2.micro') });
+
+    // WHEN
+    new ecsPatterns.ApplicationLoadBalancedEc2Service(stack, 'Service', {
+      cluster,
+      memoryReservationMiB: 1024,
+      taskImageOptions: {
+        image: ecs.ContainerImage.fromRegistry('test'),
+      },
+    });
+
+    // THEN - Stack contains no ingress security group rules
+    expect(stack).to(haveResourceLike('AWS::EC2::SecurityGroup', {
+      SecurityGroupIngress: [{
+        CidrIp: '0.0.0.0/0',
+        FromPort: 80,
+        IpProtocol: 'tcp',
+        ToPort: 80,
+      }],
+    }));
+
+    test.done();
+  },
+
+  'test ECS loadbalanced construct closed security group'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'VPC');
+    const cluster = new ecs.Cluster(stack, 'Cluster', { vpc });
+    cluster.addCapacity('DefaultAutoScalingGroup', { instanceType: new ec2.InstanceType('t2.micro') });
+
+    // WHEN
+    new ecsPatterns.ApplicationLoadBalancedEc2Service(stack, 'Service', {
+      cluster,
+      memoryReservationMiB: 1024,
+      taskImageOptions: {
+        image: ecs.ContainerImage.fromRegistry('test'),
+      },
+      openListener: false,
+    });
+
+    // THEN - Stack contains no ingress security group rules
+    expect(stack).notTo(haveResourceLike('AWS::EC2::SecurityGroup', {
+      SecurityGroupIngress: arrayWith(objectLike({})),
+    }));
+
+    test.done();
+  },
 };