[ECS] Why "securityGroups" fromClusterAttributes mandatory ?

[Cloudrage]

When using ECS with EC2 instances (hosts), no pb; but when using Fargate, we don't have any Security Group associated with the container instances registered to the cluster, so why it's needed at the import ?

Reproduction Steps

For example, you create a Cluster in a Stack A :

    const EcsCluster = new ecs.Cluster(this, 'EcsCluster', {
      vpc: vpc,
      clusterName: EcsClusterName,
      containerInsights: true
    });

     const SecurityGroupEcsHost = new ec2.SecurityGroup(this, 'SecurityGroupEcsHost', {
       vpc: vpc,
       allowAllOutbound: true,
       description: 'Security Group for ECS Host'
     });

    AutoScalingGroupEcsHost.addSecurityGroup(SecurityGroupEcsHost);

    EcsCluster.addAutoScalingGroup(AutoScalingGroupEcsHost;

And you want to create an ECS EC2Service in another Stack B :

clusterName: EcsClusterName,
vpc,
securityGroups: [SecurityGroupEcsHost]
});

No pb at this time because on the first Stack, you have provided SGR & ASG resources for Hosts Instances.

What did you expect to happen?

But now, I want to create ECS Fargate resources on the other Stack, and the SGR is created on this one because associated with Fargate Service.

    const EcsClusterFargate = new ecs.Cluster(this, 'EcsClusterFargate ', {
      vpc: vpc,
      clusterName: EcsClusterFargateName,
      containerInsights: true
    });

But in that case, I can't import the dedicated Cluster like that :

const EcsClusterFargate = ecs.Cluster.fromClusterAttributes(this, 'EcsCluster', {
clusterName: EcsClusterFargateName,
vpc
});

So,, why it's mandatory ?
Do I have to attach a fake SGR ?

Environment

• CLI Version : 1.68.0
• Framework Version: 6.14.8
• Node.js Version: v12.15.0
• OS : Linux
• Language (Version): TypeScript

---

This is 🐛 Bug Report

[Cloudrage]

For a workaround, I've provided the Fargate SGR create on the other Stack "B" :

    const SecurityGroupEcsFargate = new ec2.SecurityGroup(this, 'SecurityGroupEcsFargate', {
      vpc: vpc,
      allowAllOutbound: true,
      description: 'Security Group for Fargate'
    });

        const EcsCluster = ecs.Cluster.fromClusterAttributes(this, 'EcsCluster', {
          clusterName: EcsClusterName,
          vpc,
          securityGroups: [SecurityGroupEcsFargate]
        });

Even if the SGR is, not the one associated with the container instances registered to the cluster :
https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-ecs.ClusterAttributes.html

Maybe you can clarify the situation ? ^^

[MrArnoldPalmer]

So, this is required because of the way the Cluster L2 construct is modeled. As detailed in this comment ecs clusters don't actually have security groups. This instances within them do, but if your cluster is purely fargate that isn't a thing.

This causes a couple of weird issues, including this one. I don't see an issue changing this to be an optional property, we just need to make sure we are checking for the presence of an SG on imported clusters wherever they are needed and throwing a nice error if it's not present.

[mimozell]

I'm experiencing the same. It's a very stupid error. If you don't need security groups with aws ecs describe-clusters <clustername> why would you need it here? :(

[tscully49]

We are having the same issue in a different context. In cloudformation, creating a fargate serivice only requires The short name or full Amazon Resource Name (ARN) of the cluster on which to run your service. If you do not specify a cluster, the default cluster is assumed. (from https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html) and I would expect that to have similar behavior here. Instead, for CDK, to create a FargateService construct, I have to find the cluster with this function by passing both the securityGroups and VPC, when it seems a cluster name or ARN should be fine.