
terraform-aws-modules/terraform-aws-ecs


AWS ECS Terraform module

Terraform module which creates ECS (Elastic Container Service) resources on AWS.


Available Features

  • ECS cluster w/ Fargate or EC2 Auto Scaling capacity providers
  • ECS Service w/ task definition, task set, and container definition support
  • Separate sub-modules or integrated module for ECS cluster and service

For more details, see the design doc.

Usage

This project supports creating resources through individual sub-modules, or through a single module that creates both the cluster and service resources. See the respective sub-module directory for more details and example usage.

Integrated Cluster w/ Services

```hcl
module "ecs" {
  source = "terraform-aws-modules/ecs/aws"

  cluster_name = "ecs-integrated"

  cluster_configuration = {
    execute_command_configuration = {
      logging = "OVERRIDE"
      log_configuration = {
        cloud_watch_log_group_name = "/aws/ecs/aws-ec2"
      }
    }
  }

  fargate_capacity_providers = {
    FARGATE = {
      default_capacity_provider_strategy = {
        weight = 50
      }
    }
    FARGATE_SPOT = {
      default_capacity_provider_strategy = {
        weight = 50
      }
    }
  }

  services = {
    ecsdemo-frontend = {
      cpu    = 1024
      memory = 4096

      # Container definition(s)
      container_definitions = {

        fluent-bit = {
          cpu       = 512
          memory    = 1024
          essential = true
          image     = "906394416424.dkr.ecr.us-west-2.amazonaws.com/aws-for-fluent-bit:stable"
          firelens_configuration = {
            type = "fluentbit"
          }
          memory_reservation = 50
        }

        ecs-sample = {
          cpu       = 512
          memory    = 1024
          essential = true
          image     = "public.ecr.aws/aws-containers/ecsdemo-frontend:776fd50"
          port_mappings = [
            {
              name          = "ecs-sample"
              containerPort = 80
              protocol      = "tcp"
            }
          ]

          # Example image used requires access to write to root filesystem;
          # leave this at its default (read-only) for images that do not.
          readonly_root_filesystem = false

          dependencies = [{
            containerName = "fluent-bit"
            condition     = "START"
          }]

          enable_cloudwatch_logging = false
          log_configuration = {
            logDriver = "awsfirelens"
            options = {
              Name                    = "firehose"
              region                  = "eu-west-1"
              delivery_stream         = "my-stream"
              log-driver-buffer-limit = "2097152"
            }
          }
          memory_reservation = 100
        }
      }

      service_connect_configuration = {
        namespace = "example"
        service = {
          client_alias = {
            port     = 80
            dns_name = "ecs-sample"
          }
          port_name      = "ecs-sample"
          discovery_name = "ecs-sample"
        }
      }

      load_balancer = {
        service = {
          target_group_arn = "arn:aws:elasticloadbalancing:eu-west-1:1234567890:targetgroup/bluegreentarget1/209a844cd01825a4"
          container_name   = "ecs-sample"
          container_port   = 80
        }
      }

      subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
      security_group_rules = {
        # Ingress is limited to the load balancer's security group
        alb_ingress_3000 = {
          type                     = "ingress"
          from_port                = 80
          to_port                  = 80
          protocol                 = "tcp"
          description              = "Service port"
          source_security_group_id = "sg-12345678"
        }
        # Allows all outbound traffic; narrow this to what the task needs
        # (image registry, log destination, dependencies) where possible
        egress_all = {
          type        = "egress"
          from_port   = 0
          to_port     = 0
          protocol    = "-1"
          cidr_blocks = ["0.0.0.0/0"]
        }
      }
    }
  }

  tags = {
    Environment = "Development"
    Project     = "Example"
  }
}
```

Examples

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |
| aws | >= 4.66.1 |

Providers

No providers.

Modules

| Name | Source | Version |
|------|--------|---------|
| cluster | ./modules/cluster | n/a |
| service | ./modules/service | n/a |

Resources

No resources.

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| autoscaling_capacity_providers | Map of autoscaling capacity provider definitions to create for the cluster | any | {} | no |
| cloudwatch_log_group_kms_key_id | If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) | string | null | no |
| cloudwatch_log_group_name | Custom name of CloudWatch Log Group for ECS cluster | string | null | no |
| cloudwatch_log_group_retention_in_days | Number of days to retain log events | number | 90 | no |
| cloudwatch_log_group_tags | A map of additional tags to add to the log group created | map(string) | {} | no |
| cluster_configuration | The execute command configuration for the cluster | any | {} | no |
| cluster_name | Name of the cluster (up to 255 letters, numbers, hyphens, and underscores) | string | "" | no |
| cluster_service_connect_defaults | Configures a default Service Connect namespace | map(string) | {} | no |
| cluster_settings | List of configuration block(s) with cluster settings. For example, this can be used to enable CloudWatch Container Insights for a cluster | any | [{"name": "containerInsights", "value": "enabled"}] | no |
| cluster_tags | A map of additional tags to add to the cluster | map(string) | {} | no |
| create | Determines whether resources will be created (affects all resources) | bool | true | no |
| create_cloudwatch_log_group | Determines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabled | bool | true | no |
| create_task_exec_iam_role | Determines whether the ECS task definition IAM role should be created | bool | false | no |
| create_task_exec_policy | Determines whether the ECS task definition IAM policy should be created. This includes permissions included in AmazonECSTaskExecutionRolePolicy as well as access to secrets and SSM parameters | bool | true | no |
| default_capacity_provider_use_fargate | Determines whether to use Fargate or autoscaling for default capacity provider strategy | bool | true | no |
| fargate_capacity_providers | Map of Fargate capacity provider definitions to use for the cluster | any | {} | no |
| services | Map of service definitions to create | any | {} | no |
| tags | A map of tags to add to all resources | map(string) | {} | no |
| task_exec_iam_role_description | Description of the role | string | null | no |
| task_exec_iam_role_name | Name to use on IAM role created | string | null | no |
| task_exec_iam_role_path | IAM role path | string | null | no |
| task_exec_iam_role_permissions_boundary | ARN of the policy that is used to set the permissions boundary for the IAM role | string | null | no |
| task_exec_iam_role_policies | Map of IAM role policy ARNs to attach to the IAM role | map(string) | {} | no |
| task_exec_iam_role_tags | A map of additional tags to add to the IAM role created | map(string) | {} | no |
| task_exec_iam_role_use_name_prefix | Determines whether the IAM role name (task_exec_iam_role_name) is used as a prefix | bool | true | no |
| task_exec_iam_statements | A map of IAM policy statements for custom permission usage | any | {} | no |
| task_exec_secret_arns | List of SecretsManager secret ARNs the task execution role will be permitted to get/read | list(string) | ["arn:aws:secretsmanager:::secret:*"] | no |
| task_exec_ssm_param_arns | List of SSM parameter ARNs the task execution role will be permitted to get/read | list(string) | ["arn:aws:ssm:::parameter/*"] | no |
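The defaults for task_exec_secret_arns and task_exec_ssm_param_arns grant the task execution role read access to every secret and parameter in the account. The following is an added example (not the module's own README code) that uses the inputs above to scope that role to named ARNs, encrypt the cluster log group with a customer-managed key, and keep the service's security group rules narrower than the 0.0.0.0/0 egress in the Usage example; the account id, region, key id, image, subnet/security group ids and VPC CIDR are placeholders.

```hcl
# Added example (not the module's own README code): a cluster whose task
# execution role is scoped to named secrets/parameters instead of the module
# defaults ("arn:aws:secretsmanager:::secret:*", "arn:aws:ssm:::parameter/*").
# Account id, region, key id, image, subnet/SG ids and CIDR are placeholders.
module "ecs" {
  source = "terraform-aws-modules/ecs/aws"

  cluster_name = "ecs-scoped"

  # Customer-managed KMS key for the cluster log group (placeholder ARN); its
  # key policy must let the CloudWatch Logs service principal use the key.
  cloudwatch_log_group_kms_key_id        = "arn:aws:kms:eu-west-1:111122223333:key/PLACEHOLDER-KEY-ID"
  cloudwatch_log_group_retention_in_days = 30

  # Create the execution role in the module so its secret scope is explicit.
  create_task_exec_iam_role = true
  create_task_exec_policy   = true
  task_exec_secret_arns     = ["arn:aws:secretsmanager:eu-west-1:111122223333:secret:prod/frontend/*"]
  task_exec_ssm_param_arns  = ["arn:aws:ssm:eu-west-1:111122223333:parameter/prod/frontend/*"]

  services = {
    frontend = {
      cpu    = 512
      memory = 1024
      container_definitions = {
        app = {
          essential     = true
          image         = "111122223333.dkr.ecr.eu-west-1.amazonaws.com/frontend:PLACEHOLDER-TAG"
          port_mappings = [{ name = "app", containerPort = 80, protocol = "tcp" }]
        }
      }
      subnet_ids = ["subnet-PLACEHOLDER1", "subnet-PLACEHOLDER2"]
      security_group_rules = {
        # Ingress only from the load balancer's security group.
        alb_ingress_80 = {
          type = "ingress", from_port = 80, to_port = 80, protocol = "tcp",
          source_security_group_id = "sg-PLACEHOLDER",
        }
        # Outbound limited to the VPC CIDR instead of 0.0.0.0/0; ECR, CloudWatch
        # Logs and Secrets Manager are then reached through VPC endpoints.
        egress_vpc = {
          type = "egress", from_port = 0, to_port = 0, protocol = "-1",
          cidr_blocks = ["10.0.0.0/16"],
        }
      }
    }
  }
}
```

With egress limited to the VPC, the subnets need interface endpoints for ECR, CloudWatch Logs and Secrets Manager (plus an S3 gateway endpoint for image layers), otherwise the task fails to pull its image or fetch its secrets.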

Outputs

| Name | Description |
|------|-------------|
| autoscaling_capacity_providers | Map of autoscaling capacity providers created and their attributes |
| cloudwatch_log_group_arn | ARN of CloudWatch log group created |
| cloudwatch_log_group_name | Name of CloudWatch log group created |
| cluster_arn | ARN that identifies the cluster |
| cluster_capacity_providers | Map of cluster capacity providers attributes |
| cluster_id | ID that identifies the cluster |
| cluster_name | Name that identifies the cluster |
| services | Map of services created and their attributes |
| task_exec_iam_role_arn | Task execution IAM role ARN |
| task_exec_iam_role_name | Task execution IAM role name |
| task_exec_iam_role_unique_id | Stable and unique string identifying the task execution IAM role |

Authors

Module is maintained by Anton Babenko with help from these awesome contributors.

License

Apache-2.0 Licensed. See LICENSE.