AWS ECS Terraform module

Terraform module which creates ECS (Elastic Container Service) resources on AWS.

Available Features

For more details see the design doc

Usage

This project supports creating resources through individual sub-modules, or through a single module that creates both the cluster and service resources. See the respective sub-module directory for more details and example usage.

Integrated Cluster w/ Services

```hcl
module "ecs" {
  source = "terraform-aws-modules/ecs/aws"

  cluster_name = "ecs-integrated"

  cluster_configuration = {
    execute_command_configuration = {
      logging = "OVERRIDE"
      log_configuration = {
        cloud_watch_log_group_name = "/aws/ecs/aws-ec2"
      }
    }
  }

  fargate_capacity_providers = {
    FARGATE = {
      default_capacity_provider_strategy = {
        weight = 50
      }
    }
    FARGATE_SPOT = {
      default_capacity_provider_strategy = {
        weight = 50
      }
    }
  }

  services = {
    ecsdemo-frontend = {
      cpu    = 1024
      memory = 4096

      # Container definition(s)
      container_definitions = {
        fluent-bit = {
          cpu       = 512
          memory    = 1024
          essential = true
          image     = "906394416424.dkr.ecr.us-west-2.amazonaws.com/aws-for-fluent-bit:stable"
          firelens_configuration = {
            type = "fluentbit"
          }
          memory_reservation = 50
        }

        ecs-sample = {
          cpu       = 512
          memory    = 1024
          essential = true
          image     = "public.ecr.aws/aws-containers/ecsdemo-frontend:776fd50"
          port_mappings = [
            {
              name          = "ecs-sample"
              containerPort = 80
              protocol      = "tcp"
            }
          ]

          # Example image used requires access to write to root filesystem
          readonly_root_filesystem = false

          dependencies = [{
            containerName = "fluent-bit"
            condition     = "START"
          }]

          enable_cloudwatch_logging = false
          log_configuration = {
            logDriver = "awsfirelens"
            options = {
              Name                    = "firehose"
              region                  = "eu-west-1"
              delivery_stream         = "my-stream"
              log-driver-buffer-limit = "2097152"
            }
          }
          memory_reservation = 100
        }
      }

      service_connect_configuration = {
        namespace = "example"
        service = {
          client_alias = {
            port     = 80
            dns_name = "ecs-sample"
          }
          port_name      = "ecs-sample"
          discovery_name = "ecs-sample"
        }
      }

      load_balancer = {
        service = {
          target_group_arn = "arn:aws:elasticloadbalancing:eu-west-1:1234567890:targetgroup/bluegreentarget1/209a844cd01825a4"
          container_name   = "ecs-sample"
          container_port   = 80
        }
      }

      subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
      security_group_rules = {
        alb_ingress_3000 = {
          type                     = "ingress"
          from_port                = 80
          to_port                  = 80
          protocol                 = "tcp"
          description              = "Service port"
          source_security_group_id = "sg-12345678"
        }
        egress_all = {
          type        = "egress"
          from_port   = 0
          to_port     = 0
          protocol    = "-1"
          cidr_blocks = ["0.0.0.0/0"]
        }
      }
    }
  }

  tags = {
    Environment = "Development"
    Project     = "Example"
  }
}
```
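As an added example (not from the module's own README), the cluster-only form of the root module with the task execution role narrowed to specific secret and parameter ARNs instead of the module's wildcard defaults, and the cluster log group encrypted with a customer-managed KMS key. Only inputs listed in the Inputs table below are used; the account id, key id, role name and ARNs are placeholders.

```hcl
module "ecs_cluster" {
  source = "terraform-aws-modules/ecs/aws"

  cluster_name = "ecs-hardened"

  # Container Insights is the module default; stated explicitly so a reviewer
  # can see that cluster-level metrics are intentionally kept on.
  cluster_settings = [
    {
      name  = "containerInsights"
      value = "enabled"
    }
  ]

  # Encrypt the cluster log group with a customer-managed key and keep 90 days.
  # The key ARN is a placeholder; its key policy must allow the CloudWatch Logs
  # service principal to use it, as the input description notes.
  create_cloudwatch_log_group            = true
  cloudwatch_log_group_kms_key_id        = "arn:aws:kms:eu-west-1:111122223333:key/PLACEHOLDER-KEY-ID"
  cloudwatch_log_group_retention_in_days = 90

  # Create the task execution role here, but scope what it may read.
  # Module defaults are "arn:aws:secretsmanager:::secret:*" and
  # "arn:aws:ssm:::parameter/*"; the ARNs below are placeholders for one app.
  # Secrets Manager appends a random suffix to secret names, hence "db-*".
  create_task_exec_iam_role               = true
  create_task_exec_policy                 = true
  task_exec_iam_role_name                 = "ecs-hardened-task-exec"
  task_exec_iam_role_permissions_boundary = "arn:aws:iam::111122223333:policy/PLACEHOLDER-boundary"
  task_exec_secret_arns = [
    "arn:aws:secretsmanager:eu-west-1:111122223333:secret:app/prod/db-*",
  ]
  task_exec_ssm_param_arns = [
    "arn:aws:ssm:eu-west-1:111122223333:parameter/app/prod/*",
  ]

  tags = {
    Environment = "Production"
    Project     = "Example"
  }
}
```

Services can then be added with the `services` map as in the integrated example above, or through the `service` sub-module referencing this cluster's outputs.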

Examples

<!-- BEGIN_TF_DOCS -->

Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> terraform | >= 1.0 |
| <a name="requirement_aws"></a> aws | >= 4.66.1 |

Providers

No providers.

Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_cluster"></a> cluster | ./modules/cluster | n/a |
| <a name="module_service"></a> service | ./modules/service | n/a |

Resources

No resources.

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_autoscaling_capacity_providers"></a> autoscaling_capacity_providers | Map of autoscaling capacity provider definitions to create for the cluster | `any` | `{}` | no |
| <a name="input_cloudwatch_log_group_kms_key_id"></a> cloudwatch_log_group_kms_key_id | If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) | `string` | `null` | no |
| <a name="input_cloudwatch_log_group_name"></a> cloudwatch_log_group_name | Custom name of CloudWatch Log Group for ECS cluster | `string` | `null` | no |
| <a name="input_cloudwatch_log_group_retention_in_days"></a> cloudwatch_log_group_retention_in_days | Number of days to retain log events | `number` | `90` | no |
| <a name="input_cloudwatch_log_group_tags"></a> cloudwatch_log_group_tags | A map of additional tags to add to the log group created | `map(string)` | `{}` | no |
| <a name="input_cluster_configuration"></a> cluster_configuration | The execute command configuration for the cluster | `any` | `{}` | no |
| <a name="input_cluster_name"></a> cluster_name | Name of the cluster (up to 255 letters, numbers, hyphens, and underscores) | `string` | `""` | no |
| <a name="input_cluster_service_connect_defaults"></a> cluster_service_connect_defaults | Configures a default Service Connect namespace | `map(string)` | `{}` | no |
| <a name="input_cluster_settings"></a> cluster_settings | List of configuration block(s) with cluster settings. For example, this can be used to enable CloudWatch Container Insights for a cluster | `any` | <pre>[<br/> {<br/> "name": "containerInsights",<br/> "value": "enabled"<br/> }<br/>]</pre> | no |
| <a name="input_cluster_tags"></a> cluster_tags | A map of additional tags to add to the cluster | `map(string)` | `{}` | no |
| <a name="input_create"></a> create | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |
| <a name="input_create_cloudwatch_log_group"></a> create_cloudwatch_log_group | Determines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabled | `bool` | `true` | no |
| <a name="input_create_task_exec_iam_role"></a> create_task_exec_iam_role | Determines whether the ECS task definition IAM role should be created | `bool` | `false` | no |
| <a name="input_create_task_exec_policy"></a> create_task_exec_policy | Determines whether the ECS task definition IAM policy should be created. This includes permissions included in AmazonECSTaskExecutionRolePolicy as well as access to secrets and SSM parameters | `bool` | `true` | no |
| <a name="input_default_capacity_provider_use_fargate"></a> default_capacity_provider_use_fargate | Determines whether to use Fargate or autoscaling for default capacity provider strategy | `bool` | `true` | no |
| <a name="input_fargate_capacity_providers"></a> fargate_capacity_providers | Map of Fargate capacity provider definitions to use for the cluster | `any` | `{}` | no |
| <a name="input_services"></a> services | Map of service definitions to create | `any` | `{}` | no |
| <a name="input_tags"></a> tags | A map of tags to add to all resources | `map(string)` | `{}` | no |
| <a name="input_task_exec_iam_role_description"></a> task_exec_iam_role_description | Description of the role | `string` | `null` | no |
| <a name="input_task_exec_iam_role_name"></a> task_exec_iam_role_name | Name to use on IAM role created | `string` | `null` | no |
| <a name="input_task_exec_iam_role_path"></a> task_exec_iam_role_path | IAM role path | `string` | `null` | no |
| <a name="input_task_exec_iam_role_permissions_boundary"></a> task_exec_iam_role_permissions_boundary | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
| <a name="input_task_exec_iam_role_policies"></a> task_exec_iam_role_policies | Map of IAM role policy ARNs to attach to the IAM role | `map(string)` | `{}` | no |
| <a name="input_task_exec_iam_role_tags"></a> task_exec_iam_role_tags | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
| <a name="input_task_exec_iam_role_use_name_prefix"></a> task_exec_iam_role_use_name_prefix | Determines whether the IAM role name (task_exec_iam_role_name) is used as a prefix | `bool` | `true` | no |
| <a name="input_task_exec_iam_statements"></a> task_exec_iam_statements | A map of IAM policy statements for custom permission usage | `any` | `{}` | no |
| <a name="input_task_exec_secret_arns"></a> task_exec_secret_arns | List of SecretsManager secret ARNs the task execution role will be permitted to get/read | `list(string)` | <pre>[<br/> "arn:aws:secretsmanager:::secret:*"<br/>]</pre> | no |
| <a name="input_task_exec_ssm_param_arns"></a> task_exec_ssm_param_arns | List of SSM parameter ARNs the task execution role will be permitted to get/read | `list(string)` | <pre>[<br/> "arn:aws:ssm:::parameter/*"<br/>]</pre> | no |

Outputs

| Name | Description |
|------|-------------|
| <a name="output_autoscaling_capacity_providers"></a> autoscaling_capacity_providers | Map of autoscaling capacity providers created and their attributes |
| <a name="output_cloudwatch_log_group_arn"></a> cloudwatch_log_group_arn | ARN of CloudWatch log group created |
| <a name="output_cloudwatch_log_group_name"></a> cloudwatch_log_group_name | Name of CloudWatch log group created |
| <a name="output_cluster_arn"></a> cluster_arn | ARN that identifies the cluster |
| <a name="output_cluster_capacity_providers"></a> cluster_capacity_providers | Map of cluster capacity providers attributes |
| <a name="output_cluster_id"></a> cluster_id | ID that identifies the cluster |
| <a name="output_cluster_name"></a> cluster_name | Name that identifies the cluster |
| <a name="output_services"></a> services | Map of services created and their attributes |
| <a name="output_task_exec_iam_role_arn"></a> task_exec_iam_role_arn | Task execution IAM role ARN |
| <a name="output_task_exec_iam_role_name"></a> task_exec_iam_role_name | Task execution IAM role name |
| <a name="output_task_exec_iam_role_unique_id"></a> task_exec_iam_role_unique_id | Stable and unique string identifying the task execution IAM role |
<!-- END_TF_DOCS -->

Authors

Module is maintained by Anton Babenko with help from these awesome contributors.

License

Apache-2.0 Licensed. See LICENSE.