├── .editorconfig
├── .github
    └── workflows
    │   └── image.yml
├── .gitignore
├── .terraform.lock.hcl
├── Dockerfile
├── LICENSE
├── README.md
├── config.tf
├── ecs.tf
├── go.mod
├── go.sum
├── main.go
└── network.tf


/.editorconfig:
--------------------------------------------------------------------------------
 1 | root = true
 2 | 
 3 | [*]
 4 | indent_style = tab
 5 | indent_size = 4
 6 | charset = utf-8
 7 | trim_trailing_whitespace = true
 8 | insert_final_newline = true
 9 | 
10 | [*.tf]
11 | indent_style = space
12 | indent_size = 2
13 | 
14 | [*.yml]
15 | indent_size = 2
16 | indent_style = space
17 | 


--------------------------------------------------------------------------------
/.github/workflows/image.yml:
--------------------------------------------------------------------------------
 1 | name: Release new version
 2 | on:
 3 |   - push
 4 | jobs:
 5 |   build_image:
 6 |     name: Build image
 7 |     runs-on: ubuntu-latest
 8 |     steps:
 9 |       - name: Checkout
10 |         uses: actions/checkout@v4
11 |       - name: Build sun-api Docker image
12 |         run: |
13 |           docker build \
14 |             -t ghcr.io/jimmysawczuk/sun-api:latest .
15 |       - name: Push sun-api Docker image
16 |         env:
17 |           GH_PAT: ${{ secrets.GH_PAT }}
18 |         run: |
19 |           echo $GH_PAT | docker login ghcr.io -u jimmysawczuk --password-stdin
20 |           docker push ghcr.io/jimmysawczuk/sun-api:latest
21 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | /.terraform
2 | /vendor
3 | 


--------------------------------------------------------------------------------
/.terraform.lock.hcl:
--------------------------------------------------------------------------------
 1 | # This file is maintained automatically by "terraform init".
 2 | # Manual edits may be lost in future updates.
 3 | 
 4 | provider "registry.terraform.io/hashicorp/aws" {
 5 |   version     = "3.69.0"
 6 |   constraints = "~> 3.69.0"
 7 |   hashes = [
 8 |     "h1:DFUb87/IK9l6anGAagwkDZ3x62p18JCljU8he5SfLrM=",
 9 |     "zh:0cedd84ba908ba7190052b16cd7f70c41b0e2c2e914e54eecf2e3dae193f47fa",
10 |     "zh:14b89bac6412e20d415fe67d5f2eaa1414d9bbf75a5bd8fc963f6ab8e3b8b1a0",
11 |     "zh:159131129edab7ea118dee7d6daf1bfe4615f200a2d5120deb8369cbd2c4b598",
12 |     "zh:32a3a35964c9becb167180df905f34eb0cae7c30e00452527a0e600ee95c033f",
13 |     "zh:5330374066ca27d9a00ca667c81183c1dbfa0fcfdd5c1797a6185b76bc7c13bc",
14 |     "zh:78b75c45b7c660efaf89428ca988a77a4f55eba359f95ed7a54efe87fad1ab8b",
15 |     "zh:81f723c3f33dc0761ed12b025c1f411fe22f2c6a97e22f4adeb10f7668a5df8f",
16 |     "zh:98053adb091233fea8c1a82768dfce994e8407e2cb948d28ff88865d2d9a4dcd",
17 |     "zh:a52866826b51c0b4cb6b970cb3328542846e108c8f4d24c090d7ca0ffa341e44",
18 |     "zh:a9923cbdf30e9b66f889fef22e1f4b657d9ac1a48812f476ef841405a3c11525",
19 |     "zh:c079f98be9b8456e6eae6c07c5dcb84ecbcbb70b2f361f1c6f9c3ba90366d905",
20 |   ]
21 | }
22 | 


--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM golang:1.24 AS builder
 2 | WORKDIR /app
 3 | COPY main.go go.mod go.sum ./
 4 | RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -o app .
 5 | 
 6 | FROM alpine:latest
 7 | LABEL org.opencontainers.image.source=https://github.com/jimmysawczuk/terraform-fargate-tutorial
 8 | LABEL maintainer="me@jimmysawczuk.com"
 9 | 
10 | RUN apk update \
11 | 	&& apk add ca-certificates tzdata \
12 | 	&& update-ca-certificates \
13 | 	&& apk add shadow \
14 | 	&& groupadd -r app \
15 | 	&& useradd -r -g app -s /sbin/nologin -c "Docker image user" app
16 | 
17 | USER app
18 | WORKDIR /app
19 | 
20 | COPY --from=builder /app/app ./app
21 | EXPOSE 3000
22 | CMD ["./app"]
23 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2019-2021 Jimmy Sawczuk
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # terraform-fargate-tutorial
 2 | 
 3 | This repository contains a working example of setting up a minimal Fargate ECS service on AWS using Terraform. It was last updated in September 2021 to use Terraform 1.0.5.
 4 | 
 5 | See the post [at Section 411](https://section411.com/2019/07/hello-world/).
 6 | 
 7 | ## Diagram
 8 | 
 9 | ![sun-api](https://user-images.githubusercontent.com/590736/171856164-70c98307-c847-455e-ab28-2b5badf97d14.png)
10 | 


--------------------------------------------------------------------------------
/config.tf:
--------------------------------------------------------------------------------
 1 | provider "aws" {
 2 |   region  = "us-east-1"
 3 |   profile = "tfuser"
 4 | }
 5 | 
 6 | terraform {
 7 |   required_version = ">= 1.0"
 8 | 
 9 |   backend "s3" {
10 |     bucket  = "terraform"
11 |     key     = "terraform.tfstate"
12 |     region  = "us-east-1"
13 |     profile = "tfuser"
14 |   }
15 | 
16 |   required_providers {
17 |     aws = {
18 |       source  = "hashicorp/aws"
19 |       version = "~> 3.69.0"
20 |     }
21 |   }
22 | }
23 | 


--------------------------------------------------------------------------------
/ecs.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 |   repository_url = "ghcr.io/jimmysawczuk/sun-api"
  3 | }
  4 | 
  5 | # We need a cluster in which to put our service.
  6 | resource "aws_ecs_cluster" "app" {
  7 |   name = "app"
  8 | }
  9 | 
 10 | # An ECR repository is a private alternative to Docker Hub.
 11 | resource "aws_ecr_repository" "sun_api" {
 12 |   name = "sun-api"
 13 | }
 14 | 
 15 | # Log groups hold logs from our app.
 16 | resource "aws_cloudwatch_log_group" "sun_api" {
 17 |   name = "/ecs/sun-api"
 18 | }
 19 | 
 20 | # The main service.
 21 | resource "aws_ecs_service" "sun_api" {
 22 |   name            = "sun-api"
 23 |   task_definition = aws_ecs_task_definition.sun_api.arn
 24 |   cluster         = aws_ecs_cluster.app.id
 25 |   launch_type     = "FARGATE"
 26 | 
 27 |   desired_count = 1
 28 | 
 29 |   load_balancer {
 30 |     target_group_arn = aws_lb_target_group.sun_api.arn
 31 |     container_name   = "sun-api"
 32 |     container_port   = "3000"
 33 |   }
 34 | 
 35 |   network_configuration {
 36 |     assign_public_ip = false
 37 | 
 38 |     security_groups = [
 39 |       aws_security_group.egress_all.id,
 40 |       aws_security_group.ingress_api.id,
 41 |     ]
 42 | 
 43 |     subnets = [
 44 |       aws_subnet.private_d.id,
 45 |       aws_subnet.private_e.id,
 46 |     ]
 47 |   }
 48 | }
 49 | 
 50 | # The task definition for our app.
 51 | resource "aws_ecs_task_definition" "sun_api" {
 52 |   family = "sun-api"
 53 | 
 54 |   container_definitions = <<EOF
 55 |   [
 56 |     {
 57 |       "name": "sun-api",
 58 |       "image": "${local.repository_url == "" ? aws_ecr_repository.sun_api.repository_url : local.repository_url}:latest",
 59 |       "portMappings": [
 60 |         {
 61 |           "containerPort": 3000
 62 |         }
 63 |       ],
 64 |       "logConfiguration": {
 65 |         "logDriver": "awslogs",
 66 |         "options": {
 67 |           "awslogs-region": "us-east-1",
 68 |           "awslogs-group": "/ecs/sun-api",
 69 |           "awslogs-stream-prefix": "ecs"
 70 |         }
 71 |       }
 72 |     }
 73 |   ]
 74 | 
 75 | EOF
 76 | 
 77 |   execution_role_arn = aws_iam_role.sun_api_task_execution_role.arn
 78 | 
 79 |   # These are the minimum values for Fargate containers.
 80 |   cpu                      = 256
 81 |   memory                   = 512
 82 |   requires_compatibilities = ["FARGATE"]
 83 | 
 84 |   # This is required for Fargate containers (more on this later).
 85 |   network_mode = "awsvpc"
 86 | }
 87 | 
 88 | # This is the role under which ECS will execute our task. This role becomes more important
 89 | # as we add integrations with other AWS services later on.
 90 | 
 91 | # The assume_role_policy field works with the following aws_iam_policy_document to allow
 92 | # ECS tasks to assume this role we're creating.
 93 | resource "aws_iam_role" "sun_api_task_execution_role" {
 94 |   name               = "sun-api-task-execution-role"
 95 |   assume_role_policy = data.aws_iam_policy_document.ecs_task_assume_role.json
 96 | }
 97 | 
 98 | data "aws_iam_policy_document" "ecs_task_assume_role" {
 99 |   statement {
100 |     actions = ["sts:AssumeRole"]
101 | 
102 |     principals {
103 |       type        = "Service"
104 |       identifiers = ["ecs-tasks.amazonaws.com"]
105 |     }
106 |   }
107 | }
108 | 
109 | # Normally we'd prefer not to hardcode an ARN in our Terraform, but since this is an AWS-managed
110 | # policy, it's okay.
111 | data "aws_iam_policy" "ecs_task_execution_role" {
112 |   arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
113 | }
114 | 
115 | # Attach the above policy to the execution role.
116 | resource "aws_iam_role_policy_attachment" "ecs_task_execution_role" {
117 |   role       = aws_iam_role.sun_api_task_execution_role.name
118 |   policy_arn = data.aws_iam_policy.ecs_task_execution_role.arn
119 | }
120 | 
121 | resource "aws_lb_target_group" "sun_api" {
122 |   name        = "sun-api"
123 |   port        = 3000
124 |   protocol    = "HTTP"
125 |   target_type = "ip"
126 |   vpc_id      = aws_vpc.app_vpc.id
127 | 
128 |   health_check {
129 |     enabled = true
130 |     path    = "/health"
131 |   }
132 | 
133 |   depends_on = [aws_alb.sun_api]
134 | }
135 | 
136 | resource "aws_alb" "sun_api" {
137 |   name               = "sun-api-lb"
138 |   internal           = false
139 |   load_balancer_type = "application"
140 | 
141 |   subnets = [
142 |     aws_subnet.public_d.id,
143 |     aws_subnet.public_e.id,
144 |   ]
145 | 
146 |   security_groups = [
147 |     aws_security_group.http.id,
148 |     aws_security_group.https.id,
149 |     aws_security_group.egress_all.id,
150 |   ]
151 | 
152 |   depends_on = [aws_internet_gateway.igw]
153 | }
154 | 
155 | resource "aws_alb_listener" "sun_api_http" {
156 |   load_balancer_arn = aws_alb.sun_api.arn
157 |   port              = "80"
158 |   protocol          = "HTTP"
159 | 
160 |   default_action {
161 |     type = "redirect"
162 | 
163 |     redirect {
164 |       port        = "443"
165 |       protocol    = "HTTPS"
166 |       status_code = "HTTP_301"
167 |     }
168 |   }
169 | }
170 | 
171 | resource "aws_alb_listener" "sun_api_https" {
172 |   load_balancer_arn = aws_alb.sun_api.arn
173 |   port              = "443"
174 |   protocol          = "HTTPS"
175 |   certificate_arn   = aws_acm_certificate.sun_api.arn
176 | 
177 |   default_action {
178 |     type             = "forward"
179 |     target_group_arn = aws_lb_target_group.sun_api.arn
180 |   }
181 | }
182 | 
183 | output "alb_url" {
184 |   value = "http://${aws_alb.sun_api.dns_name}"
185 | }
186 | 
187 | resource "aws_acm_certificate" "sun_api" {
188 |   domain_name       = "sun-api.jimmysawczuk.net"
189 |   validation_method = "DNS"
190 | }
191 | 
192 | output "domain_validations" {
193 |   value = aws_acm_certificate.sun_api.domain_validation_options
194 | }
195 | 


--------------------------------------------------------------------------------
/go.mod:
--------------------------------------------------------------------------------
1 | module github.com/jimmysawczuk/terraform-fargate-tutorial
2 | 
3 | go 1.24
4 | 
5 | require github.com/go-chi/chi/v5 v5.2.1
6 | 


--------------------------------------------------------------------------------
/go.sum:
--------------------------------------------------------------------------------
1 | github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=
2 | github.com/go-chi/chi/v5 v5.2.1/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
3 | 


--------------------------------------------------------------------------------
/main.go:
--------------------------------------------------------------------------------
  1 | package main
  2 | 
  3 | import (
  4 | 	"context"
  5 | 	"encoding/json"
  6 | 	"fmt"
  7 | 	"log"
  8 | 	"net/http"
  9 | 	"time"
 10 | 
 11 | 	"github.com/go-chi/chi/v5"
 12 | )
 13 | 
 14 | func main() {
 15 | 	var err error
 16 | 	time.Local, err = time.LoadLocation("America/New_York")
 17 | 	if err != nil {
 18 | 		panic("timezone not loaded!")
 19 | 	}
 20 | 
 21 | 	mux := chi.NewRouter()
 22 | 	mux.Get("/health", health)
 23 | 	mux.Get("/", handler)
 24 | 
 25 | 	log.Println("listening on :3000")
 26 | 	http.ListenAndServe(":3000", mux)
 27 | }
 28 | 
 29 | func health(w http.ResponseWriter, _ *http.Request) {
 30 | 	w.WriteHeader(http.StatusOK)
 31 | 	w.Write([]byte("ok " + time.Now().Format(time.RFC3339)))
 32 | }
 33 | 
 34 | func handler(w http.ResponseWriter, r *http.Request) {
 35 | 	lat := r.URL.Query().Get("lat")
 36 | 	if lat == "" {
 37 | 		lat = "41.495833"
 38 | 	}
 39 | 
 40 | 	lng := r.URL.Query().Get("lng")
 41 | 	if lng == "" {
 42 | 		lng = "-81.685278"
 43 | 	}
 44 | 
 45 | 	date, _ := time.Parse(time.RFC3339, r.URL.Query().Get("date"))
 46 | 	if date.IsZero() {
 47 | 		date = time.Now()
 48 | 	}
 49 | 
 50 | 	u := fmt.Sprintf(
 51 | 		"https://api.sunrise-sunset.org/json?lat=%s&lng=%s&date=%s&formatted=0",
 52 | 		lat,
 53 | 		lng,
 54 | 		date.Format("2006-01-02"),
 55 | 	)
 56 | 
 57 | 	log.Println("sending request to", u)
 58 | 
 59 | 	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
 60 | 	defer cancel()
 61 | 
 62 | 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u, nil)
 63 | 	if err != nil {
 64 | 		w.WriteHeader(http.StatusInternalServerError)
 65 | 		w.Write([]byte("couldn't make http request"))
 66 | 		return
 67 | 	}
 68 | 
 69 | 	resp, err := http.DefaultClient.Do(req)
 70 | 	if err != nil {
 71 | 		w.WriteHeader(http.StatusInternalServerError)
 72 | 		w.Write([]byte(fmt.Errorf("http: do: %w", err).Error()))
 73 | 		return
 74 | 	}
 75 | 
 76 | 	var target struct {
 77 | 		Status  string `json:"status"`
 78 | 		Results struct {
 79 | 			Sunrise   time.Time `json:"sunrise"`
 80 | 			Sunset    time.Time `json:"sunset"`
 81 | 			SolarNoon time.Time `json:"solar_noon"`
 82 | 		} `json:"results"`
 83 | 	}
 84 | 
 85 | 	if err := json.NewDecoder(resp.Body).Decode(&target); err != nil {
 86 | 		w.WriteHeader(http.StatusInternalServerError)
 87 | 		w.Write([]byte("couldn't decode json"))
 88 | 		return
 89 | 	}
 90 | 
 91 | 	resp.Body.Close()
 92 | 
 93 | 	out := struct {
 94 | 		OK        bool   `json:"ok"`
 95 | 		Date      string `json:"date"`
 96 | 		Sunrise   string `json:"sunrise"`
 97 | 		Sunset    string `json:"sunset"`
 98 | 		SolarNoon string `json:"solar_noon"`
 99 | 	}{
100 | 		OK:        true,
101 | 		Date:      date.Format("2006-01-02"),
102 | 		Sunrise:   target.Results.Sunrise.In(time.Local).Format("3:04 PM"),
103 | 		Sunset:    target.Results.Sunset.In(time.Local).Format("3:04 PM"),
104 | 		SolarNoon: target.Results.SolarNoon.In(time.Local).Format("3:04 PM"),
105 | 	}
106 | 
107 | 	w.Header().Set("Content-Type", "application/json; charset=utf-8")
108 | 	w.WriteHeader(http.StatusOK)
109 | 	json.NewEncoder(w).Encode(out)
110 | }
111 | 


--------------------------------------------------------------------------------
/network.tf:
--------------------------------------------------------------------------------
  1 | resource "aws_vpc" "app_vpc" {
  2 |   cidr_block = "10.0.0.0/16"
  3 | }
  4 | 
  5 | resource "aws_subnet" "public_d" {
  6 |   vpc_id            = aws_vpc.app_vpc.id
  7 |   cidr_block        = "10.0.1.0/25"
  8 |   availability_zone = "us-east-1d"
  9 | 
 10 |   tags = {
 11 |     "Name" = "public | us-east-1d"
 12 |   }
 13 | }
 14 | 
 15 | resource "aws_subnet" "private_d" {
 16 |   vpc_id            = aws_vpc.app_vpc.id
 17 |   cidr_block        = "10.0.2.0/25"
 18 |   availability_zone = "us-east-1d"
 19 | 
 20 |   tags = {
 21 |     "Name" = "private | us-east-1d"
 22 |   }
 23 | }
 24 | 
 25 | resource "aws_subnet" "public_e" {
 26 |   vpc_id            = aws_vpc.app_vpc.id
 27 |   cidr_block        = "10.0.1.128/25"
 28 |   availability_zone = "us-east-1e"
 29 | 
 30 |   tags = {
 31 |     "Name" = "public | us-east-1e"
 32 |   }
 33 | }
 34 | 
 35 | resource "aws_subnet" "private_e" {
 36 |   vpc_id            = aws_vpc.app_vpc.id
 37 |   cidr_block        = "10.0.2.128/25"
 38 |   availability_zone = "us-east-1e"
 39 | 
 40 |   tags = {
 41 |     "Name" = "private | us-east-1e"
 42 |   }
 43 | }
 44 | 
 45 | resource "aws_route_table" "public" {
 46 |   vpc_id = aws_vpc.app_vpc.id
 47 |   tags = {
 48 |     "Name" = "public"
 49 |   }
 50 | }
 51 | 
 52 | resource "aws_route_table" "private" {
 53 |   vpc_id = aws_vpc.app_vpc.id
 54 |   tags = {
 55 |     "Name" = "private"
 56 |   }
 57 | }
 58 | 
 59 | resource "aws_route_table_association" "public_d_subnet" {
 60 |   subnet_id      = aws_subnet.public_d.id
 61 |   route_table_id = aws_route_table.public.id
 62 | }
 63 | 
 64 | resource "aws_route_table_association" "private_d_subnet" {
 65 |   subnet_id      = aws_subnet.private_d.id
 66 |   route_table_id = aws_route_table.private.id
 67 | }
 68 | 
 69 | resource "aws_route_table_association" "public_e_subnet" {
 70 |   subnet_id      = aws_subnet.public_e.id
 71 |   route_table_id = aws_route_table.public.id
 72 | }
 73 | 
 74 | resource "aws_route_table_association" "private_e_subnet" {
 75 |   subnet_id      = aws_subnet.private_e.id
 76 |   route_table_id = aws_route_table.private.id
 77 | }
 78 | 
 79 | resource "aws_eip" "nat" {
 80 |   vpc = true
 81 | }
 82 | 
 83 | resource "aws_internet_gateway" "igw" {
 84 |   vpc_id = aws_vpc.app_vpc.id
 85 | }
 86 | 
 87 | resource "aws_nat_gateway" "ngw" {
 88 |   subnet_id     = aws_subnet.public_d.id
 89 |   allocation_id = aws_eip.nat.id
 90 | 
 91 |   depends_on = [aws_internet_gateway.igw]
 92 | }
 93 | 
 94 | resource "aws_route" "public_igw" {
 95 |   route_table_id         = aws_route_table.public.id
 96 |   destination_cidr_block = "0.0.0.0/0"
 97 |   gateway_id             = aws_internet_gateway.igw.id
 98 | }
 99 | 
100 | resource "aws_route" "private_ngw" {
101 |   route_table_id         = aws_route_table.private.id
102 |   destination_cidr_block = "0.0.0.0/0"
103 |   nat_gateway_id         = aws_nat_gateway.ngw.id
104 | }
105 | 
106 | resource "aws_security_group" "http" {
107 |   name        = "http"
108 |   description = "HTTP traffic"
109 |   vpc_id      = aws_vpc.app_vpc.id
110 | 
111 |   ingress {
112 |     from_port   = 80
113 |     to_port     = 80
114 |     protocol    = "TCP"
115 |     cidr_blocks = ["0.0.0.0/0"]
116 |   }
117 | }
118 | 
119 | resource "aws_security_group" "https" {
120 |   name        = "https"
121 |   description = "HTTPS traffic"
122 |   vpc_id      = aws_vpc.app_vpc.id
123 | 
124 |   ingress {
125 |     from_port   = 443
126 |     to_port     = 443
127 |     protocol    = "TCP"
128 |     cidr_blocks = ["0.0.0.0/0"]
129 |   }
130 | }
131 | 
132 | resource "aws_security_group" "egress_all" {
133 |   name        = "egress-all"
134 |   description = "Allow all outbound traffic"
135 |   vpc_id      = aws_vpc.app_vpc.id
136 | 
137 |   egress {
138 |     from_port   = 0
139 |     to_port     = 0
140 |     protocol    = "-1"
141 |     cidr_blocks = ["0.0.0.0/0"]
142 |   }
143 | }
144 | 
145 | resource "aws_security_group" "ingress_api" {
146 |   name        = "ingress-api"
147 |   description = "Allow ingress to API"
148 |   vpc_id      = aws_vpc.app_vpc.id
149 | 
150 |   ingress {
151 |     from_port   = 3000
152 |     to_port     = 3000
153 |     protocol    = "TCP"
154 |     cidr_blocks = ["0.0.0.0/0"]
155 |   }
156 | }
157 | 


--------------------------------------------------------------------------------