feat(ecs-patterns): allow specifying security groups on ScheduledTask…

… pattern (aws#15096)

Closes aws#5213, aws#14220

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/aws-ecs-patterns/README.md

@@ -499,6 +499,25 @@ const scheduledFargateTask = new ScheduledFargateTask(stack, 'ScheduledFargateTa
 });
 ```
 
+### Set SecurityGroups for ScheduledFargateTask
+
+```ts
+const stack = new cdk.Stack();
+const vpc = new ec2.Vpc(stack, 'Vpc', { maxAzs: 1 });
+const cluster = new ecs.Cluster(stack, 'EcsCluster', { vpc });
+const securityGroup = new ec2.SecurityGroup(stack, 'SG', { vpc });
+
+const scheduledFargateTask = new ScheduledFargateTask(stack, 'ScheduledFargateTask', {
+  cluster,
+  scheduledFargateTaskImageOptions: {
+    image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
+    memoryLimitMiB: 512,
+  },
+  schedule: events.Schedule.expression('rate(1 minute)'),
+  securityGroups: [securityGroup],
+});
+```
+
 ### Use the REMOVE_DEFAULT_DESIRED_COUNT feature flag
 
 The REMOVE_DEFAULT_DESIRED_COUNT feature flag is used to override the default desiredCount that is autogenerated by the CDK. This will set the desiredCount of any service created by any of the following constructs to be undefined.

packages/@aws-cdk/aws-ecs-patterns/lib/base/scheduled-task-base.ts

@@ -1,5 +1,5 @@
 import { Schedule } from '@aws-cdk/aws-applicationautoscaling';
-import { IVpc, SubnetSelection, SubnetType } from '@aws-cdk/aws-ec2';
+import { ISecurityGroup, IVpc, SubnetSelection, SubnetType } from '@aws-cdk/aws-ec2';
 import { AwsLogDriver, Cluster, ContainerImage, ICluster, LogDriver, Secret, TaskDefinition } from '@aws-cdk/aws-ecs';
 import { Rule } from '@aws-cdk/aws-events';
 import { EcsTask } from '@aws-cdk/aws-events-targets';
@@ -68,6 +68,13 @@ export interface ScheduledTaskBaseProps {
    * @default Private subnets
    */
   readonly subnetSelection?: SubnetSelection;
+
+  /**
+   * Existing security groups to use for your service.
+   *
+   * @default - a new security group will be created.
+   */
+  readonly securityGroups?: ISecurityGroup[]
 }
 
 export interface ScheduledTaskImageProps {
@@ -138,6 +145,11 @@ export abstract class ScheduledTaskBase extends CoreConstruct {
    */
   public readonly eventRule: Rule;
 
+  /**
+   * The security group to use for the ECS Task.
+   */
+  private readonly _securityGroups?: ISecurityGroup[];
+
   /**
    * Constructs a new instance of the ScheduledTaskBase class.
    */
@@ -150,6 +162,7 @@ export abstract class ScheduledTaskBase extends CoreConstruct {
     }
     this.desiredTaskCount = props.desiredTaskCount || 1;
     this.subnetSelection = props.subnetSelection || { subnetType: SubnetType.PRIVATE };
+    this._securityGroups = props.securityGroups;
 
     // An EventRule that describes the event trigger (in this case a scheduled run)
     this.eventRule = new Rule(this, 'ScheduledEventRule', {
@@ -171,6 +184,7 @@ export abstract class ScheduledTaskBase extends CoreConstruct {
       taskDefinition,
       taskCount: this.desiredTaskCount,
       subnetSelection: this.subnetSelection,
+      securityGroups: this._securityGroups,
     });
 
     this.addTaskAsTarget(eventRuleTarget);

packages/@aws-cdk/aws-ecs-patterns/lib/fargate/scheduled-fargate-task.ts

@@ -128,6 +128,7 @@ export class ScheduledFargateTask extends ScheduledTaskBase {
       taskCount: this.desiredTaskCount,
       subnetSelection: this.subnetSelection,
       platformVersion: props.platformVersion,
+      securityGroups: props.securityGroups,
     });
 
     this.addTaskAsTarget(eventRuleTarget);

packages/@aws-cdk/aws-ecs-patterns/test/ec2/test.scheduled-ecs-task.ts

@@ -73,6 +73,7 @@ export = {
     const stack = new cdk.Stack();
     const vpc = new ec2.Vpc(stack, 'Vpc', { maxAzs: 1 });
     const cluster = new ecs.Cluster(stack, 'EcsCluster', { vpc });
+
     cluster.addCapacity('DefaultAutoScalingGroup', {
       instanceType: new ec2.InstanceType('t2.micro'),
     });
@@ -141,6 +142,60 @@ export = {
 
     test.done();
   },
+  'Scheduled ECS Task - with securityGroups defined'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'Vpc', { maxAzs: 1 });
+    const cluster = new ecs.Cluster(stack, 'EcsCluster', { vpc });
+    const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'Ec2TaskDef', {
+      networkMode: ecs.NetworkMode.AWS_VPC,
+    });
+    const sg = new ec2.SecurityGroup(stack, 'MySG', { vpc });
+
+    new ScheduledEc2Task(stack, 'ScheduledEc2Task', {
+      cluster,
+      scheduledEc2TaskDefinitionOptions: {
+        taskDefinition,
+      },
+      schedule: events.Schedule.expression('rate(1 minute)'),
+      securityGroups: [sg],
+    });
+
+    // THEN
+    expect(stack).to(haveResource('AWS::Events::Rule', {
+      Targets: [
+        {
+          Arn: { 'Fn::GetAtt': ['EcsCluster97242B84', 'Arn'] },
+          EcsParameters: {
+            LaunchType: 'EC2',
+            NetworkConfiguration: {
+              AwsVpcConfiguration: {
+                AssignPublicIp: 'DISABLED',
+                SecurityGroups: [{
+                  'Fn::GetAtt': [
+                    'MySG94FE69A8',
+                    'GroupId',
+                  ],
+                }],
+                Subnets: [
+                  {
+                    Ref: 'VpcPrivateSubnet1Subnet536B997A',
+                  },
+                ],
+              },
+            },
+            TaskCount: 1,
+            TaskDefinitionArn: { Ref: 'Ec2TaskDef0226F28C' },
+          },
+          Id: 'Target0',
+          Input: '{}',
+          RoleArn: { 'Fn::GetAtt': ['Ec2TaskDefEventsRoleA0756175', 'Arn'] },
+        },
+      ],
+    }));
+
+    test.done();
+  },
 
   'Scheduled Ec2 Task - with MemoryReservation defined'(test: Test) {
     // GIVEN

packages/@aws-cdk/aws-ecs-patterns/test/fargate/test.scheduled-fargate-task.ts

@@ -351,6 +351,58 @@ export = {
       ],
     }));
 
+    test.done();
+  },
+  'Scheduled Fargate Task - with securityGroups defined'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'Vpc', { maxAzs: 1 });
+    const cluster = new ecs.Cluster(stack, 'EcsCluster', { vpc });
+    const sg = new ec2.SecurityGroup(stack, 'SG', { vpc });
+
+    new ScheduledFargateTask(stack, 'ScheduledFargateTask', {
+      cluster,
+      scheduledFargateTaskImageOptions: {
+        image: ecs.ContainerImage.fromRegistry('henk'),
+        memoryLimitMiB: 512,
+      },
+      schedule: events.Schedule.expression('rate(1 minute)'),
+      securityGroups: [sg],
+    });
+
+    // THEN
+    expect(stack).to(haveResource('AWS::Events::Rule', {
+      Targets: [
+        {
+          Arn: { 'Fn::GetAtt': ['EcsCluster97242B84', 'Arn'] },
+          EcsParameters: {
+            LaunchType: 'FARGATE',
+            NetworkConfiguration: {
+              AwsVpcConfiguration: {
+                AssignPublicIp: 'DISABLED',
+                SecurityGroups: [{
+                  'Fn::GetAtt': [
+                    'SGADB53937',
+                    'GroupId',
+                  ],
+                }],
+                Subnets: [
+                  {
+                    Ref: 'VpcPrivateSubnet1Subnet536B997A',
+                  },
+                ],
+              },
+            },
+            TaskCount: 1,
+            TaskDefinitionArn: { Ref: 'ScheduledFargateTaskScheduledTaskDef521FA675' },
+          },
+          Id: 'Target0',
+          Input: '{}',
+          RoleArn: { 'Fn::GetAtt': ['ScheduledFargateTaskScheduledTaskDefEventsRole6CE19522', 'Arn'] },
+        },
+      ],
+    }));
+
     test.done();
   },
 };