Awesome
AWS ECS Terraform module
Terraform module which creates ECS (Elastic Container Service) resources on AWS.
Available Features
- ECS cluster w/ Fargate or EC2 Auto Scaling capacity providers
- ECS Service w/ task definition, task set, and container definition support
- Separate sub-modules or integrated module for ECS cluster and service
For more details see the design doc
Usage
This project supports creating resources through individual sub-modules, or through a single module that creates both the cluster and service resources. See the respective sub-module directory for more details and example usage.
Integrated Cluster w/ Services
module "ecs" {
source = "terraform-aws-modules/ecs/aws"
cluster_name = "ecs-integrated"
cluster_configuration = {
execute_command_configuration = {
logging = "OVERRIDE"
log_configuration = {
cloud_watch_log_group_name = "/aws/ecs/aws-ec2"
}
}
}
fargate_capacity_providers = {
FARGATE = {
default_capacity_provider_strategy = {
weight = 50
}
}
FARGATE_SPOT = {
default_capacity_provider_strategy = {
weight = 50
}
}
}
services = {
ecsdemo-frontend = {
cpu = 1024
memory = 4096
# Container definition(s)
container_definitions = {
fluent-bit = {
cpu = 512
memory = 1024
essential = true
image = "906394416424.dkr.ecr.us-west-2.amazonaws.com/aws-for-fluent-bit:stable"
firelens_configuration = {
type = "fluentbit"
}
memory_reservation = 50
}
ecs-sample = {
cpu = 512
memory = 1024
essential = true
image = "public.ecr.aws/aws-containers/ecsdemo-frontend:776fd50"
port_mappings = [
{
name = "ecs-sample"
containerPort = 80
protocol = "tcp"
}
]
# Example image used requires access to write to root filesystem
readonly_root_filesystem = false
dependencies = [{
containerName = "fluent-bit"
condition = "START"
}]
enable_cloudwatch_logging = false
log_configuration = {
logDriver = "awsfirelens"
options = {
Name = "firehose"
region = "eu-west-1"
delivery_stream = "my-stream"
log-driver-buffer-limit = "2097152"
}
}
memory_reservation = 100
}
}
service_connect_configuration = {
namespace = "example"
service = {
client_alias = {
port = 80
dns_name = "ecs-sample"
}
port_name = "ecs-sample"
discovery_name = "ecs-sample"
}
}
load_balancer = {
service = {
target_group_arn = "arn:aws:elasticloadbalancing:eu-west-1:1234567890:targetgroup/bluegreentarget1/209a844cd01825a4"
container_name = "ecs-sample"
container_port = 80
}
}
subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
security_group_rules = {
alb_ingress_3000 = {
type = "ingress"
from_port = 80
to_port = 80
protocol = "tcp"
description = "Service port"
source_security_group_id = "sg-12345678"
}
egress_all = {
type = "egress"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
}
}
tags = {
Environment = "Development"
Project = "Example"
}
}
Examples
- ECS Cluster Complete
- ECS Cluster w/ EC2 Autoscaling Capacity Provider
- ECS Cluster w/ Fargate Capacity Provider
Requirements
| Name | Version |
|---|---|
| <a name="requirement_terraform"></a> terraform | >= 1.0 |
| <a name="requirement_aws"></a> aws | >= 4.66.1 |
Providers
No providers.
Modules
| Name | Source | Version |
|---|---|---|
| <a name="module_cluster"></a> cluster | ./modules/cluster | n/a |
| <a name="module_service"></a> service | ./modules/service | n/a |
Resources
No resources.
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| <a name="input_autoscaling_capacity_providers"></a> autoscaling_capacity_providers | Map of autoscaling capacity provider definitions to create for the cluster | any | {} | no |
| <a name="input_cloudwatch_log_group_kms_key_id"></a> cloudwatch_log_group_kms_key_id | If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) | string | null | no |
| <a name="input_cloudwatch_log_group_name"></a> cloudwatch_log_group_name | Custom name of CloudWatch Log Group for ECS cluster | string | null | no |
| <a name="input_cloudwatch_log_group_retention_in_days"></a> cloudwatch_log_group_retention_in_days | Number of days to retain log events | number | 90 | no |
| <a name="input_cloudwatch_log_group_tags"></a> cloudwatch_log_group_tags | A map of additional tags to add to the log group created | map(string) | {} | no |
| <a name="input_cluster_configuration"></a> cluster_configuration | The execute command configuration for the cluster | any | {} | no |
| <a name="input_cluster_name"></a> cluster_name | Name of the cluster (up to 255 letters, numbers, hyphens, and underscores) | string | "" | no |
| <a name="input_cluster_service_connect_defaults"></a> cluster_service_connect_defaults | Configures a default Service Connect namespace | map(string) | {} | no |
| <a name="input_cluster_settings"></a> cluster_settings | List of configuration block(s) with cluster settings. For example, this can be used to enable CloudWatch Container Insights for a cluster | any | <pre>[<br> {<br> "name": "containerInsights",<br> "value": "enabled"<br> }<br>]</pre> | no |
| <a name="input_cluster_tags"></a> cluster_tags | A map of additional tags to add to the cluster | map(string) | {} | no |
| <a name="input_create"></a> create | Determines whether resources will be created (affects all resources) | bool | true | no |
| <a name="input_create_cloudwatch_log_group"></a> create_cloudwatch_log_group | Determines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabled | bool | true | no |
| <a name="input_create_task_exec_iam_role"></a> create_task_exec_iam_role | Determines whether the ECS task definition IAM role should be created | bool | false | no |
| <a name="input_create_task_exec_policy"></a> create_task_exec_policy | Determines whether the ECS task definition IAM policy should be created. This includes permissions included in AmazonECSTaskExecutionRolePolicy as well as access to secrets and SSM parameters | bool | true | no |
| <a name="input_default_capacity_provider_use_fargate"></a> default_capacity_provider_use_fargate | Determines whether to use Fargate or autoscaling for default capacity provider strategy | bool | true | no |
| <a name="input_fargate_capacity_providers"></a> fargate_capacity_providers | Map of Fargate capacity provider definitions to use for the cluster | any | {} | no |
| <a name="input_services"></a> services | Map of service definitions to create | any | {} | no |
| <a name="input_tags"></a> tags | A map of tags to add to all resources | map(string) | {} | no |
| <a name="input_task_exec_iam_role_description"></a> task_exec_iam_role_description | Description of the role | string | null | no |
| <a name="input_task_exec_iam_role_name"></a> task_exec_iam_role_name | Name to use on IAM role created | string | null | no |
| <a name="input_task_exec_iam_role_path"></a> task_exec_iam_role_path | IAM role path | string | null | no |
| <a name="input_task_exec_iam_role_permissions_boundary"></a> task_exec_iam_role_permissions_boundary | ARN of the policy that is used to set the permissions boundary for the IAM role | string | null | no |
| <a name="input_task_exec_iam_role_policies"></a> task_exec_iam_role_policies | Map of IAM role policy ARNs to attach to the IAM role | map(string) | {} | no |
| <a name="input_task_exec_iam_role_tags"></a> task_exec_iam_role_tags | A map of additional tags to add to the IAM role created | map(string) | {} | no |
| <a name="input_task_exec_iam_role_use_name_prefix"></a> task_exec_iam_role_use_name_prefix | Determines whether the IAM role name (task_exec_iam_role_name) is used as a prefix | bool | true | no |
| <a name="input_task_exec_iam_statements"></a> task_exec_iam_statements | A map of IAM policy statements for custom permission usage | any | {} | no |
| <a name="input_task_exec_secret_arns"></a> task_exec_secret_arns | List of SecretsManager secret ARNs the task execution role will be permitted to get/read | list(string) | <pre>[<br> "arn:aws:secretsmanager:::secret:*"<br>]</pre> | no |
| <a name="input_task_exec_ssm_param_arns"></a> task_exec_ssm_param_arns | List of SSM parameter ARNs the task execution role will be permitted to get/read | list(string) | <pre>[<br> "arn:aws:ssm:::parameter/*"<br>]</pre> | no |
Outputs
| Name | Description |
|---|---|
| <a name="output_autoscaling_capacity_providers"></a> autoscaling_capacity_providers | Map of autoscaling capacity providers created and their attributes |
| <a name="output_cloudwatch_log_group_arn"></a> cloudwatch_log_group_arn | ARN of CloudWatch log group created |
| <a name="output_cloudwatch_log_group_name"></a> cloudwatch_log_group_name | Name of CloudWatch log group created |
| <a name="output_cluster_arn"></a> cluster_arn | ARN that identifies the cluster |
| <a name="output_cluster_capacity_providers"></a> cluster_capacity_providers | Map of cluster capacity providers attributes |
| <a name="output_cluster_id"></a> cluster_id | ID that identifies the cluster |
| <a name="output_cluster_name"></a> cluster_name | Name that identifies the cluster |
| <a name="output_services"></a> services | Map of services created and their attributes |
| <a name="output_task_exec_iam_role_arn"></a> task_exec_iam_role_arn | Task execution IAM role ARN |
| <a name="output_task_exec_iam_role_name"></a> task_exec_iam_role_name | Task execution IAM role name |
| <a name="output_task_exec_iam_role_unique_id"></a> task_exec_iam_role_unique_id | Stable and unique string identifying the task execution IAM role |
Authors
Module is maintained by Anton Babenko with help from these awesome contributors.
License
Apache-2.0 Licensed. See LICENSE.