AWS ECS Terraform module
Terraform module which creates ECS (Elastic Container Service) resources on AWS.
Available Features
- ECS cluster w/ Fargate or EC2 Auto Scaling capacity providers
- ECS Service w/ task definition, task set, and container definition support
- Separate sub-modules or integrated module for ECS cluster and service
For more details, see the design doc.
Usage
This project supports creating resources through individual sub-modules, or through a single module that creates both the cluster and service resources. See the respective sub-module directory for more details and example usage.
Integrated Cluster w/ Services
```hcl
module "ecs" {
  source = "terraform-aws-modules/ecs/aws"

  cluster_name = "ecs-integrated"

  cluster_configuration = {
    execute_command_configuration = {
      # OVERRIDE routes ECS Exec session logs to the log group below (instead of
      # the awslogs configuration of the container), so shell sessions are audited
      logging = "OVERRIDE"
      log_configuration = {
        cloud_watch_log_group_name = "/aws/ecs/aws-ec2"
      }
    }
  }

  fargate_capacity_providers = {
    FARGATE = {
      default_capacity_provider_strategy = {
        weight = 50
      }
    }
    FARGATE_SPOT = {
      default_capacity_provider_strategy = {
        weight = 50
      }
    }
  }

  services = {
    ecsdemo-frontend = {
      cpu    = 1024
      memory = 4096

      # Container definition(s)
      container_definitions = {

        fluent-bit = {
          cpu       = 512
          memory    = 1024
          essential = true
          # ":stable" is a mutable tag; pin by digest for a reproducible deploy
          image = "906394416424.dkr.ecr.us-west-2.amazonaws.com/aws-for-fluent-bit:stable"
          firelens_configuration = {
            type = "fluentbit"
          }
          memory_reservation = 50
        }

        ecs-sample = {
          cpu       = 512
          memory    = 1024
          essential = true
          image     = "public.ecr.aws/aws-containers/ecsdemo-frontend:776fd50"
          port_mappings = [
            {
              name          = "ecs-sample"
              containerPort = 80
              protocol      = "tcp"
            }
          ]

          # Example image used requires access to write to root filesystem
          readonly_root_filesystem = false

          dependencies = [{
            containerName = "fluent-bit"
            condition     = "START"
          }]

          enable_cloudwatch_logging = false
          log_configuration = {
            logDriver = "awsfirelens"
            options = {
              Name                    = "firehose"
              region                  = "eu-west-1"
              delivery_stream         = "my-stream"
              log-driver-buffer-limit = "2097152"
            }
          }
          memory_reservation = 100
        }
      }

      service_connect_configuration = {
        namespace = "example"
        service = {
          client_alias = {
            port     = 80
            dns_name = "ecs-sample"
          }
          port_name      = "ecs-sample"
          discovery_name = "ecs-sample"
        }
      }

      load_balancer = {
        service = {
          target_group_arn = "arn:aws:elasticloadbalancing:eu-west-1:1234567890:targetgroup/bluegreentarget1/209a844cd01825a4"
          container_name   = "ecs-sample"
          container_port   = 80
        }
      }

      subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
      security_group_rules = {
        # Ingress on the service port is limited to the ALB's security group
        alb_ingress_3000 = {
          type                     = "ingress"
          from_port                = 80
          to_port                  = 80
          protocol                 = "tcp"
          description              = "Service port"
          source_security_group_id = "sg-12345678"
        }
        # Unrestricted egress; narrow this for anything beyond a demo
        egress_all = {
          type        = "egress"
          from_port   = 0
          to_port     = 0
          protocol    = "-1"
          cidr_blocks = ["0.0.0.0/0"]
        }
      }
    }
  }

  tags = {
    Environment = "Development"
    Project     = "Example"
  }
}
```
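The service above is deliberately permissive in three places a security review would flag: the root filesystem is writable, the fluent-bit image is pulled by a mutable tag, and egress is open to 0.0.0.0/0. The following is an added example, not code from the module's README, showing the same service shape with those settings replaced. It uses only the service and container-definition keys already shown above plus `prefix_list_ids`, which is an `aws_security_group_rule` argument the module passes through (verify against the service sub-module's variables for your version). All subnet, security group and prefix list IDs and the image digest are placeholders.

```hcl
# Added example (not from the module README): hardened variant of the
# "ecsdemo-frontend" service. IDs, the prefix list and the digest are placeholders.
module "ecs_hardened" {
  source = "terraform-aws-modules/ecs/aws"

  cluster_name = "ecs-hardened"

  fargate_capacity_providers = {
    FARGATE = {
      default_capacity_provider_strategy = {
        weight = 100
      }
    }
  }

  services = {
    ecsdemo-frontend = {
      cpu    = 1024
      memory = 4096

      container_definitions = {
        ecs-sample = {
          cpu       = 512
          memory    = 1024
          essential = true
          # Pin by digest: a re-tagged upstream image cannot silently change what runs
          image = "public.ecr.aws/aws-containers/ecsdemo-frontend@sha256:<resolved-digest>" # placeholder digest
          port_mappings = [
            {
              name          = "ecs-sample"
              containerPort = 80
              protocol      = "tcp"
            }
          ]

          # Immutable root filesystem: a compromised process cannot drop tooling
          # or patch the image in place. Give the app a volume if it needs scratch space.
          readonly_root_filesystem = true

          # Let the module manage a CloudWatch log group for this container
          enable_cloudwatch_logging = true
          memory_reservation        = 100
        }
      }

      # load_balancer and service_connect_configuration are unchanged from the
      # integrated example and omitted here for brevity
      subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]

      security_group_rules = {
        alb_ingress_80 = {
          type                     = "ingress"
          from_port                = 80
          to_port                  = 80
          protocol                 = "tcp"
          description              = "Service port, reachable from the ALB only"
          source_security_group_id = "sg-12345678"
        }
        # Replaces egress_all. Tasks in private subnets need HTTPS to the VPC
        # interface endpoints (ECR api/dkr, CloudWatch Logs, Secrets Manager, SSM)
        # and to the S3 gateway endpoint that serves ECR image layers; nothing else.
        egress_vpc_endpoints = {
          type                     = "egress"
          from_port                = 443
          to_port                  = 443
          protocol                 = "tcp"
          description              = "HTTPS to VPC interface endpoints"
          source_security_group_id = "sg-0endpointsexample" # placeholder: endpoint security group
        }
        egress_s3_gateway = {
          type            = "egress"
          from_port       = 443
          to_port         = 443
          protocol        = "tcp"
          description     = "HTTPS to the S3 gateway endpoint"
          prefix_list_ids = ["pl-0123456789abcdef0"] # placeholder: the region's S3 prefix list
        }
      }
    }
  }

  tags = {
    Environment = "Production"
    Project     = "Example"
  }
}
```

For an egress rule, `source_security_group_id` is the destination security group, so the first egress rule only matches traffic to ENIs carrying the endpoint security group. If the tasks still need the public internet (for example, a third-party API), add a rule for that destination rather than reverting to 0.0.0.0/0, and expect the first deployment to fail visibly when an endpoint is missing: an image pull or log delivery that cannot reach its endpoint is the intended signal.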
Examples
- ECS Cluster Complete
- ECS Cluster w/ EC2 Autoscaling Capacity Provider
- ECS Cluster w/ Fargate Capacity Provider
Requirements
Name | Version |
---|---|
terraform | >= 1.0 |
aws | >= 4.55 |
Providers
No providers.
Modules
Name | Source | Version |
---|---|---|
cluster | ./modules/cluster | n/a |
service | ./modules/service | n/a |
Resources
No resources.
Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
autoscaling_capacity_providers | Map of autoscaling capacity provider definitions to create for the cluster | any | {} | no |
cloudwatch_log_group_kms_key_id | If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) | string | null | no |
cloudwatch_log_group_retention_in_days | Number of days to retain log events | number | 90 | no |
cloudwatch_log_group_tags | A map of additional tags to add to the log group created | map(string) | {} | no |
cluster_configuration | The execute command configuration for the cluster | any | {} | no |
cluster_name | Name of the cluster (up to 255 letters, numbers, hyphens, and underscores) | string | "" | no |
cluster_service_connect_defaults | Configures a default Service Connect namespace | map(string) | {} | no |
cluster_settings | Configuration block(s) with cluster settings. For example, this can be used to enable CloudWatch Container Insights for a cluster | map(string) | { | no |
cluster_tags | A map of additional tags to add to the cluster | map(string) | {} | no |
create | Determines whether resources will be created (affects all resources) | bool | true | no |
create_cloudwatch_log_group | Determines whether a log group is created by this module for the cluster logs. If not, AWS will automatically create one if logging is enabled | bool | true | no |
create_task_exec_iam_role | Determines whether the ECS task definition IAM role should be created | bool | false | no |
create_task_exec_policy | Determines whether the ECS task definition IAM policy should be created. This includes permissions included in AmazonECSTaskExecutionRolePolicy as well as access to secrets and SSM parameters | bool | true | no |
default_capacity_provider_use_fargate | Determines whether to use Fargate or autoscaling for default capacity provider strategy | bool | true | no |
fargate_capacity_providers | Map of Fargate capacity provider definitions to use for the cluster | any | {} | no |
services | Map of service definitions to create | any | {} | no |
tags | A map of tags to add to all resources | map(string) | {} | no |
task_exec_iam_role_description | Description of the role | string | null | no |
task_exec_iam_role_name | Name to use on IAM role created | string | null | no |
task_exec_iam_role_path | IAM role path | string | null | no |
task_exec_iam_role_permissions_boundary | ARN of the policy that is used to set the permissions boundary for the IAM role | string | null | no |
task_exec_iam_role_policies | Map of IAM role policy ARNs to attach to the IAM role | map(string) | {} | no |
task_exec_iam_role_tags | A map of additional tags to add to the IAM role created | map(string) | {} | no |
task_exec_iam_role_use_name_prefix | Determines whether the IAM role name (task_exec_iam_role_name) is used as a prefix | bool | true | no |
task_exec_iam_statements | A map of IAM policy statements for custom permission usage | any | {} | no |
task_exec_secret_arns | List of SecretsManager secret ARNs the task execution role will be permitted to get/read | list(string) | [ | no |
task_exec_ssm_param_arns | List of SSM parameter ARNs the task execution role will be permitted to get/read | list(string) | [ | no |
Outputs
Name | Description |
---|---|
autoscaling_capacity_providers | Map of autoscaling capacity providers created and their attributes |
cloudwatch_log_group_arn | Arn of cloudwatch log group created |
cloudwatch_log_group_name | Name of cloudwatch log group created |
cluster_arn | ARN that identifies the cluster |
cluster_capacity_providers | Map of cluster capacity providers attributes |
cluster_id | ID that identifies the cluster |
cluster_name | Name that identifies the cluster |
services | Map of services created and their attributes |
task_exec_iam_role_arn | Task execution IAM role ARN |
task_exec_iam_role_name | Task execution IAM role name |
task_exec_iam_role_unique_id | Stable and unique string identifying the task execution IAM role |
Authors
Module is maintained by Anton Babenko with help from these awesome contributors.
License
Apache-2.0 Licensed. See LICENSE.