
Update HC port #192

Closed
wants to merge 1 commit into from

Conversation

dylanratcliffe (Member)

No description provided.

Expected Changes

replaced ecs-task-definition › facial-recognition-terraform-example
--- current
+++ planned
@@ -1,26 +1,26 @@
-arn: arn:aws:ecs:eu-west-2:540044833068:task-definition/facial-recognition-terraform-example:5
-arn_without_revision: arn:aws:ecs:eu-west-2:540044833068:task-definition/facial-recognition-terraform-example
-container_definitions: '[{"cpu":1024,"environment":[{"name":"DATABASE_URL","value":"tf-20240827194315707700000013.cnx7xf6hwmba.eu-west-2.rds.amazonaws.com"}],"essential":true,"healthCheck":{"command":["CMD-SHELL","wget -q --spider localhost:1234"],"interval":30,"retries":3,"timeout":5},"image":"harshmanvar/face-detection-tensorjs:slim-amd","memory":2048,"mountPoints":[],"name":"facial-recognition","portMappings":[{"appProtocol":"http","containerPort":1234,"hostPort":1234,"protocol":"tcp"}],"systemControls":[],"volumesFrom":[]}]'
+arn: (known after apply)
+arn_without_revision: (known after apply)
+container_definitions: '[{"cpu":1024,"environment":[{"name":"DATABASE_URL","value":"tf-20240827194315707700000013.cnx7xf6hwmba.eu-west-2.rds.amazonaws.com"}],"essential":true,"healthCheck":{"command":["CMD-SHELL","wget -q --spider localhost:8080"],"interval":30,"retries":3,"timeout":5},"image":"harshmanvar/face-detection-tensorjs:slim-amd","memory":2048,"mountPoints":[],"name":"facial-recognition","portMappings":[{"appProtocol":"http","containerPort":1234}],"volumesFrom":[]}]'
 cpu: "1024"
 ephemeral_storage: []
-execution_role_arn: ""
+execution_role_arn: null
 family: facial-recognition-terraform-example
-id: facial-recognition-terraform-example
+id: (known after apply)
 inference_accelerator: []
-ipc_mode: ""
+ipc_mode: null
 memory: "2048"
 network_mode: awsvpc
-pid_mode: ""
+pid_mode: null
 placement_constraints: []
 proxy_configuration: []
 requires_compatibilities:
     - FARGATE
-revision: 5
+revision: (known after apply)
 runtime_platform: []
 skip_destroy: false
-tags: {}
-tags_all: {}
-task_role_arn: ""
+tags: null
+tags_all: (known after apply)
+task_role_arn: null
 terraform_address: module.scenarios[0].aws_ecs_task_definition.face
 terraform_name: module.scenarios[0].aws_ecs_task_definition.face
 track_latest: false
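Review bot: the `healthCheck` command now probes `localhost:8080`, but `portMappings` in the same planned definition still exposes only `containerPort: 1234`, the image (`harshmanvar/face-detection-tensorjs:slim-amd`) is unchanged, and nothing else in this plan changes the application's listening port, so unless the container already serves on 8080 every task will fail its check after three retries. If the port change is not intentional the expected edit is `"wget -q --spider localhost:1234"`. Two smaller points: `execution_role_arn`, `task_role_arn`, `ipc_mode` and `pid_mode` going from `""` to `null` is a no-op, and `DATABASE_URL` is carried as a plain environment value rather than a secret reference; it is unchanged here, but it is readable by anyone allowed to describe task definitions, so the PR is a reasonable place to note it.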

Unmapped Changes

Note

These changes couldn't be mapped to a discoverable cloud resource and therefore won't be included in the blast radius calculation.

updated aws_ecs_service › module.scenarios[0].aws_ecs_service.face
--- current
+++ planned
@@ -42,7 +42,7 @@
 service_registries: []
 tags: {}
 tags_all: {}
-task_definition: arn:aws:ecs:eu-west-2:540044833068:task-definition/facial-recognition-terraform-example:5
+task_definition: (known after apply)
 terraform_address: module.scenarios[0].aws_ecs_service.face
 terraform_name: module.scenarios[0].aws_ecs_service.face
 timeouts: null
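Review bot: `task_definition` moving to `(known after apply)` means this service is redeployed onto the new revision, so a failing container health check from the task definition hunk surfaces here as a rolling deployment that never reaches steady state. Check the service's deployment circuit breaker and rollback settings (outside this hunk) before merging so a bad revision rolls back instead of cycling tasks.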
created aws_network_acl › module.scenarios[0].aws_network_acl.block_high_ports
--- current
+++ planned
@@ -1 +1,40 @@
+arn: (known after apply)
+egress:
+    - action: allow
+      cidr_block: 0.0.0.0/0
+      from_port: 1
+      icmp_code: null
+      icmp_type: null
+      ipv6_cidr_block: ""
+      protocol: "-1"
+      rule_no: 100
+      to_port: 65535
+id: (known after apply)
+ingress:
+    - action: allow
+      cidr_block: 0.0.0.0/0
+      from_port: 22
+      icmp_code: null
+      icmp_type: null
+      ipv6_cidr_block: ""
+      protocol: tcp
+      rule_no: 100
+      to_port: 22
+    - action: deny
+      cidr_block: 0.0.0.0/0
+      from_port: 10000
+      icmp_code: null
+      icmp_type: null
+      ipv6_cidr_block: ""
+      protocol: tcp
+      rule_no: 200
+      to_port: 65535
+owner_id: (known after apply)
+subnet_ids: (known after apply)
+tags:
+    Name: block-high-ports-nacl
+tags_all:
+    Name: block-high-ports-nacl
+terraform_address: module.scenarios[0].aws_network_acl.block_high_ports
+terraform_name: module.scenarios[0].aws_network_acl.block_high_ports
+vpc_id: vpc-0be4b791e20954fea
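Review bot: the ingress rule set is `allow tcp/22 from 0.0.0.0/0` (rule 100) and `deny tcp/10000-65535` (rule 200) and nothing else, and a network ACL ends in an implicit deny, so inbound traffic to the task's own port (1234 today, 8080 per the health check change) is dropped, and so is return traffic for connections the tasks initiate, because NACLs are stateless and replies come back to ephemeral ports (on Linux typically 32768-65535, which rule 200 denies explicitly anyway). Applied to the four subnets below, this cuts the tasks off from RDS, ECR image pulls and any load balancer. If the intent is only to block high ports, an allow for the service port and for the ephemeral range must sit at a rule number below 200, and the world-open SSH allow should be narrowed to a known CIDR. The `Name: block-high-ports-nacl` tag and the permit-all egress rule are fine.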
created aws_network_acl_association › module.scenarios[0].aws_network_acl_association.subnet_0482035a966810071
--- current
+++ planned
@@ -1 +1,5 @@
+id: (known after apply)
+network_acl_id: (known after apply)
+subnet_id: subnet-0482035a966810071
+terraform_address: module.scenarios[0].aws_network_acl_association.subnet_0482035a966810071
+terraform_name: module.scenarios[0].aws_network_acl_association.subnet_0482035a966810071
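Review bot: associating `block-high-ports-nacl` with `subnet-0482035a966810071` replaces whatever ACL the subnet uses today (a subnet has exactly one), and the same applies to the three associations that follow. The plan removes no existing `aws_network_acl_association`, so presumably (an assumption, not something the plan shows) these subnets are on the VPC default ACL now, and this hunk is the point at which the new ACL's deny rules take effect; the subnet audit listed under Risks should happen before apply, not after.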
created aws_network_acl_association › module.scenarios[0].aws_network_acl_association.subnet_05ef77bb39c151e08
--- current
+++ planned
@@ -1 +1,5 @@
+id: (known after apply)
+network_acl_id: (known after apply)
+subnet_id: subnet-05ef77bb39c151e08
+terraform_address: module.scenarios[0].aws_network_acl_association.subnet_05ef77bb39c151e08
+terraform_name: module.scenarios[0].aws_network_acl_association.subnet_05ef77bb39c151e08
created aws_network_acl_association › module.scenarios[0].aws_network_acl_association.subnet_07e9f4f746f63ed3d
--- current
+++ planned
@@ -1 +1,5 @@
+id: (known after apply)
+network_acl_id: (known after apply)
+subnet_id: subnet-07e9f4f746f63ed3d
+terraform_address: module.scenarios[0].aws_network_acl_association.subnet_07e9f4f746f63ed3d
+terraform_name: module.scenarios[0].aws_network_acl_association.subnet_07e9f4f746f63ed3d
created aws_network_acl_association › module.scenarios[0].aws_network_acl_association.subnet_0f0702af871e6a71f
--- current
+++ planned
@@ -1 +1,5 @@
+id: (known after apply)
+network_acl_id: (known after apply)
+subnet_id: subnet-0f0702af871e6a71f
+terraform_address: module.scenarios[0].aws_network_acl_association.subnet_0f0702af871e6a71f
+terraform_name: module.scenarios[0].aws_network_acl_association.subnet_0f0702af871e6a71f

Blast Radius

Items: 22
Edges: 31

Risks

Health Check Configuration Change for 'facial-recognition' Service [High]

The ECS task definition for the 'facial-recognition' service is undergoing a change in its health check configuration. Previously, the health check command targeted port 1234, but this is being changed to target port 8080. If port 8080 is not exposed or the service is not correctly configured to respond on this port, health checks might fail, which could result in the ECS service being marked as unhealthy, potentially leading to unwanted restarts or scaling down of tasks.

Validation Steps:

  • Verify that the application running within the container is correctly set to listen and respond on port 8080.
  • Confirm that the security group sg-0f938e19644436ad3 allows incoming traffic on port 8080.
  • Review existing load balancing rules to ensure they correctly forward traffic to the new health check port, if applicable.

Creation of a New Network ACL and Associations [Medium]

A new Network ACL (block-high-ports-nacl) is being created with rules to deny ingress traffic from ports 10000 to 65535 across multiple subnets. This change could lead to communication issues for applications or services that rely on these ports within the affected subnets, potentially disrupting traffic flow. It's crucial to confirm that no necessary services operate on these blocked ports.

Validation Steps:

  • Audit current services running in subnets subnet-0482035a966810071, subnet-05ef77bb39c151e08, subnet-07e9f4f746f63ed3d, and subnet-0f0702af871e6a71f for dependencies on high number ports.
  • Ensure that only non-critical or external services (e.g., not vital for internal communication) use the blocked port ranges.
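The first validation step above can be made mechanical. The following check is an added example, not part of the PR or of Overmind's output: it parses an ECS `container_definitions` JSON string, extracts the port a `CMD`/`CMD-SHELL` health check probes on localhost, and reports any container whose probed port has no matching `portMappings` entry. It does not prove the application listens on the port (the health check runs inside the container, so a port mapping is not strictly required), but a probe on an unmapped port is the mismatch this PR introduces and is worth flagging before apply. The two definitions embedded below are reconstructed from the current and planned values in the plan diff, with the `DATABASE_URL` value replaced by a placeholder; the regex and the assumption that a bare `localhost` means port 80 are this example's own.

```python
import json
import re

# Container definitions reconstructed from the plan diff in PR #192.
# DATABASE_URL is a placeholder here, not the real hostname.
CURRENT_CONTAINER_DEFINITIONS = json.dumps([{
    "cpu": 1024,
    "environment": [{"name": "DATABASE_URL", "value": "<database-host-placeholder>"}],
    "essential": True,
    "healthCheck": {"command": ["CMD-SHELL", "wget -q --spider localhost:1234"],
                    "interval": 30, "retries": 3, "timeout": 5},
    "image": "harshmanvar/face-detection-tensorjs:slim-amd",
    "memory": 2048,
    "name": "facial-recognition",
    "portMappings": [{"appProtocol": "http", "containerPort": 1234,
                      "hostPort": 1234, "protocol": "tcp"}],
}])

PLANNED_CONTAINER_DEFINITIONS = json.dumps([{
    "cpu": 1024,
    "environment": [{"name": "DATABASE_URL", "value": "<database-host-placeholder>"}],
    "essential": True,
    "healthCheck": {"command": ["CMD-SHELL", "wget -q --spider localhost:8080"],
                    "interval": 30, "retries": 3, "timeout": 5},
    "image": "harshmanvar/face-detection-tensorjs:slim-amd",
    "memory": 2048,
    "name": "facial-recognition",
    "portMappings": [{"appProtocol": "http", "containerPort": 1234}],
}])

# Matches "localhost", "127.0.0.1" or "0.0.0.0" followed by an optional ":port",
# terminated by "/", whitespace or end of string. Assumption of this example:
# health checks probe the container itself, so only loopback targets are considered.
PORT_RE = re.compile(r"(?:localhost|127\.0\.0\.1|0\.0\.0\.0)(?::(\d{1,5}))?(?:/|\s|$)")


def health_check_port(command):
    """Return the loopback port an ECS health check command probes, or None.

    ECS health check commands are ["CMD", ...] or ["CMD-SHELL", "<shell string>"];
    the leading keyword is dropped and the remainder searched for a loopback URL.
    A loopback target with no explicit port is taken to mean port 80.
    """
    if not command:
        return None
    args = command[1:] if command[0] in ("CMD", "CMD-SHELL") else command
    match = PORT_RE.search(" ".join(args))
    if not match:
        return None
    return int(match.group(1)) if match.group(1) else 80


def find_health_check_mismatches(container_definitions_json):
    """Return (container name, probed port, mapped ports, reason) for each container
    whose health check probes a port that is not in its portMappings, or whose
    probed port could not be determined."""
    findings = []
    for cdef in json.loads(container_definitions_json):
        health_check = cdef.get("healthCheck")
        if not health_check:
            continue  # no health check configured; nothing to cross-check
        probed = health_check_port(health_check.get("command", []))
        mapped = sorted(pm["containerPort"] for pm in cdef.get("portMappings", []))
        if probed is None:
            findings.append((cdef["name"], None, mapped,
                             "could not determine which port the health check probes"))
        elif probed not in mapped:
            findings.append((cdef["name"], probed, mapped,
                             "health check probes a port with no portMappings entry"))
    return findings


if __name__ == "__main__":
    for label, defs in (("current", CURRENT_CONTAINER_DEFINITIONS),
                        ("planned", PLANNED_CONTAINER_DEFINITIONS)):
        mismatches = find_health_check_mismatches(defs)
        print(f"{label}: {'OK' if not mismatches else mismatches}")
```

Run against the two definitions, the current revision passes and the planned one reports `facial-recognition` probing 8080 with only 1234 mapped, which is exactly the condition the High risk above describes. The same function can be pointed at the `container_definitions` attribute of any `aws_ecs_task_definition` in a `terraform show -json` plan.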

@dylanratcliffe dylanratcliffe deleted the dylanratcliffe-patch-3 branch December 12, 2024 13:33