├── .github ├── FUNDING.yml ├── renovate.json └── workflows │ └── pipeline.yml ├── .gitignore ├── .pre-commit-config.yaml ├── CODE_OF_CONDUCT.md ├── LICENSE ├── README.md ├── examples └── test │ ├── main.tf │ └── mock_provider.tf ├── files └── iam │ ├── ecs_autoscale_iam_role.json │ ├── ecs_autoscale_iam_role_policy.json │ └── ecs_task_execution_iam_role.json ├── main.tf ├── outputs.tf ├── variables.tf └── versions.tf /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2] 4 | patreon: jnonino 5 | open_collective: # Replace with a single Open Collective username 6 | ko_fi: # Replace with a single Ko-fi username 7 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel 8 | community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry 9 | liberapay: # Replace with a single Liberapay username 10 | issuehunt: # Replace with a single IssueHunt username 11 | otechie: # Replace with a single Otechie username 12 | custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2'] 13 | -------------------------------------------------------------------------------- /.github/renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "extends": [ 3 | "config:base" 4 | ], 5 | "labels": ["enhancement"] 6 | } 7 | -------------------------------------------------------------------------------- /.github/workflows/pipeline.yml: -------------------------------------------------------------------------------- 1 | name: Terraform 2 | on: 3 | push: 4 | branches: [main] 5 | pull_request: 6 | types: [opened, reopened, synchronize] 7 | branches: [main] 8 | release: 9 | types: [published] 10 | 11 | env: 12 | DEFAULT_REGION: us-east-1 13 | AWS_ACCESS_KEY_ID: localstack 14 | 
AWS_SECRET_ACCESS_KEY: localstack 15 | 16 | jobs: 17 | check-format: 18 | runs-on: ubuntu-latest 19 | container: hashicorp/terraform 20 | steps: 21 | - name: Checkout repository 22 | uses: actions/checkout@v4 23 | - name: Terraform Format Check 24 | run: terraform fmt -check -recursive -diff 25 | 26 | validations: 27 | runs-on: ubuntu-latest 28 | container: hashicorp/terraform 29 | strategy: 30 | matrix: { 31 | dir: ['examples/test'] 32 | } 33 | services: 34 | localstack: 35 | image: localstack/localstack 36 | env: 37 | SERVICES: apigateway,cloudformation,cloudwatch,dynamodb,es,firehose,iam,kinesis,lambda,route53,redshift,s3,secretsmanager,ses,sns,sqs,ssm,stepfunctions,sts 38 | ports: 39 | - 4566:4566 40 | steps: 41 | - name: Checkout repository 42 | uses: actions/checkout@v4 43 | - name: Terraform Init 44 | run: terraform init -upgrade 45 | working-directory: ${{ matrix.dir }} 46 | - name: Terraform Validate 47 | run: terraform validate 48 | working-directory: ${{ matrix.dir }} 49 | - name: Terraform Plan (Mock) 50 | run: terraform plan 51 | working-directory: ${{ matrix.dir }} 52 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .terraform.lock.hcl 2 | 3 | # Created by https://www.toptal.com/developers/gitignore/api/linux,macos,windows,terraform,sublimetext,visualstudiocode 4 | # Edit at https://www.toptal.com/developers/gitignore?templates=linux,macos,windows,terraform,sublimetext,visualstudiocode 5 | 6 | ### Linux ### 7 | *~ 8 | 9 | # temporary files which can be created if a process still has a handle open of a deleted file 10 | .fuse_hidden* 11 | 12 | # KDE directory preferences 13 | .directory 14 | 15 | # Linux trash folder which might appear on any partition or disk 16 | .Trash-* 17 | 18 | # .nfs files are created when an open file is removed but is still being accessed 19 | .nfs* 20 | 21 | ### macOS ### 22 | # General 23 | 
.DS_Store 24 | .AppleDouble 25 | .LSOverride 26 | 27 | # Icon must end with two \r 28 | Icon 29 | 30 | 31 | # Thumbnails 32 | ._* 33 | 34 | # Files that might appear in the root of a volume 35 | .DocumentRevisions-V100 36 | .fseventsd 37 | .Spotlight-V100 38 | .TemporaryItems 39 | .Trashes 40 | .VolumeIcon.icns 41 | .com.apple.timemachine.donotpresent 42 | 43 | # Directories potentially created on remote AFP share 44 | .AppleDB 45 | .AppleDesktop 46 | Network Trash Folder 47 | Temporary Items 48 | .apdisk 49 | 50 | ### macOS Patch ### 51 | # iCloud generated files 52 | *.icloud 53 | 54 | ### SublimeText ### 55 | # Cache files for Sublime Text 56 | *.tmlanguage.cache 57 | *.tmPreferences.cache 58 | *.stTheme.cache 59 | 60 | # Workspace files are user-specific 61 | *.sublime-workspace 62 | 63 | # Project files should be checked into the repository, unless a significant 64 | # proportion of contributors will probably not be using Sublime Text 65 | # *.sublime-project 66 | 67 | # SFTP configuration file 68 | sftp-config.json 69 | sftp-config-alt*.json 70 | 71 | # Package control specific files 72 | Package Control.last-run 73 | Package Control.ca-list 74 | Package Control.ca-bundle 75 | Package Control.system-ca-bundle 76 | Package Control.cache/ 77 | Package Control.ca-certs/ 78 | Package Control.merged-ca-bundle 79 | Package Control.user-ca-bundle 80 | oscrypto-ca-bundle.crt 81 | bh_unicode_properties.cache 82 | 83 | # Sublime-github package stores a github token in this file 84 | # https://packagecontrol.io/packages/sublime-github 85 | GitHub.sublime-settings 86 | 87 | ### Terraform ### 88 | # Local .terraform directories 89 | **/.terraform/* 90 | 91 | # .tfstate files 92 | *.tfstate 93 | *.tfstate.* 94 | 95 | # Crash log files 96 | crash.log 97 | crash.*.log 98 | 99 | # Exclude all .tfvars files, which are likely to contain sensitive data, such as 100 | # password, private keys, and other secrets. 
These should not be part of version 101 | # control as they are data points which are potentially sensitive and subject 102 | # to change depending on the environment. 103 | *.tfvars 104 | *.tfvars.json 105 | 106 | # Ignore override files as they are usually used to override resources locally and so 107 | # are not checked in 108 | override.tf 109 | override.tf.json 110 | *_override.tf 111 | *_override.tf.json 112 | 113 | # Include override files you do wish to add to version control using negated pattern 114 | # !example_override.tf 115 | 116 | # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan 117 | # example: *tfplan* 118 | 119 | # Ignore CLI configuration files 120 | .terraformrc 121 | terraform.rc 122 | 123 | ### VisualStudioCode ### 124 | .vscode/* 125 | !.vscode/settings.json 126 | !.vscode/tasks.json 127 | !.vscode/launch.json 128 | !.vscode/extensions.json 129 | !.vscode/*.code-snippets 130 | 131 | # Local History for Visual Studio Code 132 | .history/ 133 | 134 | # Built Visual Studio Code Extensions 135 | *.vsix 136 | 137 | ### VisualStudioCode Patch ### 138 | # Ignore all local history of files 139 | .history 140 | .ionide 141 | 142 | ### Windows ### 143 | # Windows thumbnail cache files 144 | Thumbs.db 145 | Thumbs.db:encryptable 146 | ehthumbs.db 147 | ehthumbs_vista.db 148 | 149 | # Dump file 150 | *.stackdump 151 | 152 | # Folder config file 153 | [Dd]esktop.ini 154 | 155 | # Recycle Bin used on file shares 156 | $RECYCLE.BIN/ 157 | 158 | # Windows Installer files 159 | *.cab 160 | *.msi 161 | *.msix 162 | *.msm 163 | *.msp 164 | 165 | # Windows shortcuts 166 | *.lnk 167 | 168 | # End of https://www.toptal.com/developers/gitignore/api/linux,macos,windows,terraform,sublimetext,visualstudiocode 169 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: 
https://github.com/antonbabenko/pre-commit-terraform 3 | rev: v1.71.0 4 | hooks: 5 | - id: terraform_docs 6 | - id: terraform_fmt 7 | - id: terraform_validate 8 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Citizen Code of Conduct 2 | 3 | ## 1. Purpose 4 | 5 | A primary goal of Terraform AWS ECS Fargate is to be inclusive to the largest number of contributors, with the most varied and diverse backgrounds possible. As such, we are committed to providing a friendly, safe and welcoming environment for all, regardless of gender, sexual orientation, ability, ethnicity, socioeconomic status, and religion (or lack thereof). 6 | 7 | This code of conduct outlines our expectations for all those who participate in our community, as well as the consequences for unacceptable behavior. 8 | 9 | We invite all those who participate in Terraform AWS ECS Fargate to help us create safe and positive experiences for everyone. 10 | 11 | ## 2. Open [Source/Culture/Tech] Citizenship 12 | 13 | A supplemental goal of this Code of Conduct is to increase open [source/culture/tech] citizenship by encouraging participants to recognize and strengthen the relationships between our actions and their effects on our community. 14 | 15 | Communities mirror the societies in which they exist and positive action is essential to counteract the many forms of inequality and abuses of power that exist in society. 16 | 17 | If you see someone who is making an extra effort to ensure our community is welcoming, friendly, and encourages all participants to contribute to the fullest extent, we want to know. 18 | 19 | ## 3. Expected Behavior 20 | 21 | The following behaviors are expected and requested of all community members: 22 | 23 | * Participate in an authentic and active way. In doing so, you contribute to the health and longevity of this community. 
24 | * Exercise consideration and respect in your speech and actions. 25 | * Attempt collaboration before conflict. 26 | * Refrain from demeaning, discriminatory, or harassing behavior and speech. 27 | * Be mindful of your surroundings and of your fellow participants. Alert community leaders if you notice a dangerous situation, someone in distress, or violations of this Code of Conduct, even if they seem inconsequential. 28 | * Remember that community event venues may be shared with members of the public; please be respectful to all patrons of these locations. 29 | 30 | ## 4. Unacceptable Behavior 31 | 32 | The following behaviors are considered harassment and are unacceptable within our community: 33 | 34 | * Violence, threats of violence or violent language directed against another person. 35 | * Sexist, racist, homophobic, transphobic, ableist or otherwise discriminatory jokes and language. 36 | * Posting or displaying sexually explicit or violent material. 37 | * Posting or threatening to post other people's personally identifying information ("doxing"). 38 | * Personal insults, particularly those related to gender, sexual orientation, race, religion, or disability. 39 | * Inappropriate photography or recording. 40 | * Inappropriate physical contact. You should have someone's consent before touching them. 41 | * Unwelcome sexual attention. This includes sexualized comments or jokes; inappropriate touching, groping, and unwelcomed sexual advances. 42 | * Deliberate intimidation, stalking or following (online or in person). 43 | * Advocating for, or encouraging, any of the above behavior. 44 | * Sustained disruption of community events, including talks and presentations. 45 | 46 | ## 5. Weapons Policy 47 | 48 | No weapons will be allowed at Terraform AWS ECS Fargate events, community spaces, or in other spaces covered by the scope of this Code of Conduct. 
Weapons include but are not limited to guns, explosives (including fireworks), and large knives such as those used for hunting or display, as well as any other item used for the purpose of causing injury or harm to others. Anyone seen in possession of one of these items will be asked to leave immediately, and will only be allowed to return without the weapon. Community members are further expected to comply with all state and local laws on this matter. 49 | 50 | ## 6. Consequences of Unacceptable Behavior 51 | 52 | Unacceptable behavior from any community member, including sponsors and those with decision-making authority, will not be tolerated. 53 | 54 | Anyone asked to stop unacceptable behavior is expected to comply immediately. 55 | 56 | If a community member engages in unacceptable behavior, the community organizers may take any action they deem appropriate, up to and including a temporary ban or permanent expulsion from the community without warning (and without refund in the case of a paid event). 57 | 58 | ## 7. Reporting Guidelines 59 | 60 | If you are subject to or witness unacceptable behavior, or have any other concerns, please notify a community organizer as soon as possible. noninojulian@gmail.com. 61 | 62 | 63 | 64 | Additionally, community organizers are available to help community members engage with local law enforcement or to otherwise help those experiencing unacceptable behavior feel safe. In the context of in-person events, organizers will also provide escorts as desired by the person experiencing distress. 65 | 66 | ## 8. Addressing Grievances 67 | 68 | If you feel you have been falsely or unfairly accused of violating this Code of Conduct, you should notify CN Services with a concise description of your grievance. Your grievance will be handled in accordance with our existing governing policies. 69 | 70 | 71 | 72 | ## 9. 
Scope 73 | 74 | We expect all community participants (contributors, paid or otherwise; sponsors; and other guests) to abide by this Code of Conduct in all community venues--online and in-person--as well as in all one-on-one communications pertaining to community business. 75 | 76 | This code of conduct and its related procedures also applies to unacceptable behavior occurring outside the scope of community activities when such behavior has the potential to adversely affect the safety and well-being of community members. 77 | 78 | ## 10. Contact info 79 | 80 | noninojulian@gmail.com 81 | 82 | ## 11. License and attribution 83 | 84 | The Citizen Code of Conduct is distributed by [Stumptown Syndicate](http://stumptownsyndicate.org) under a [Creative Commons Attribution-ShareAlike license](http://creativecommons.org/licenses/by-sa/3.0/). 85 | 86 | Portions of text derived from the [Django Code of Conduct](https://www.djangoproject.com/conduct/) and the [Geek Feminism Anti-Harassment Policy](http://geekfeminism.wikia.com/wiki/Conference_anti-harassment/Policy). 87 | 88 | _Revision 2.3. Posted 6 March 2017._ 89 | 90 | _Revision 2.2. Posted 4 February 2016._ 91 | 92 | _Revision 2.1. Posted 23 June 2014._ 93 | 94 | _Revision 2.0, adopted by the [Stumptown Syndicate](http://stumptownsyndicate.org) board on 10 January 2013. Posted 17 March 2013._ 95 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 
14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright 2019 Julian Nonino, Maria Florencia Caro 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AWS ECS Fargate Terraform Module # 2 | 3 | This Terraform module deploys an AWS ECS Fargate service. 
4 | 5 | [![](https://github.com/cn-terraform/terraform-aws-ecs-fargate/workflows/terraform/badge.svg)](https://github.com/cn-terraform/terraform-aws-ecs-fargate/actions?query=workflow%3Aterraform) 6 | [![](https://img.shields.io/github/license/cn-terraform/terraform-aws-ecs-fargate)](https://github.com/cn-terraform/terraform-aws-ecs-fargate) 7 | [![](https://img.shields.io/github/issues/cn-terraform/terraform-aws-ecs-fargate)](https://github.com/cn-terraform/terraform-aws-ecs-fargate) 8 | [![](https://img.shields.io/github/issues-closed/cn-terraform/terraform-aws-ecs-fargate)](https://github.com/cn-terraform/terraform-aws-ecs-fargate) 9 | [![](https://img.shields.io/github/languages/code-size/cn-terraform/terraform-aws-ecs-fargate)](https://github.com/cn-terraform/terraform-aws-ecs-fargate) 10 | [![](https://img.shields.io/github/repo-size/cn-terraform/terraform-aws-ecs-fargate)](https://github.com/cn-terraform/terraform-aws-ecs-fargate) 11 | 12 | ## Usage 13 | 14 | Check valid versions on: 15 | * GitHub Releases: 16 | * Terraform Module Registry: 17 | 18 | ## Install pre-commit hooks. 19 | 20 | Please run this command right after cloning the repository. 21 | 22 | pre-commit install 23 | 24 | For that you may need to install the following tools: 25 | * [Pre-commit](https://pre-commit.com/) 26 | * [Terraform Docs](https://terraform-docs.io/) 27 | 28 | In order to run all checks at any point, run the following command: 29 | 30 | pre-commit run --all-files 31 | 32 | 33 | ## Requirements 34 | 35 | | Name | Version | 36 | |------|---------| 37 | | [terraform](#requirement\_terraform) | >= 0.13 | 38 | | [aws](#requirement\_aws) | >= 4 | 39 | 40 | ## Providers 41 | 42 | No providers. 
43 | 44 | ## Modules 45 | 46 | | Name | Source | Version | 47 | |------|--------|---------| 48 | | [ecs-cluster](#module\_ecs-cluster) | cn-terraform/ecs-cluster/aws | 1.0.10 | 49 | | [ecs-fargate-service](#module\_ecs-fargate-service) | cn-terraform/ecs-fargate-service/aws | 2.0.35 | 50 | | [td](#module\_td) | cn-terraform/ecs-fargate-task-definition/aws | 1.0.30 | 51 | 52 | ## Resources 53 | 54 | No resources. 55 | 56 | ## Inputs 57 | 58 | | Name | Description | Type | Default | Required | 59 | |------|-------------|------|---------|:--------:| 60 | | [additional\_certificates\_arn\_for\_https\_listeners](#input\_additional\_certificates\_arn\_for\_https\_listeners) | (Optional) List of SSL server certificate ARNs for HTTPS listener. Use it if you need to set additional certificates besides default\_certificate\_arn | `list(any)` | `[]` | no | 61 | | [assign\_public\_ip](#input\_assign\_public\_ip) | (Optional) Assign a public IP address to the ENI (Fargate launch type only). If true service will be associated with public subnets. Default false. | `bool` | `false` | no | 62 | | [block\_s3\_bucket\_public\_access](#input\_block\_s3\_bucket\_public\_access) | (Optional) If true, public access to the S3 bucket will be blocked. | `bool` | `true` | no | 63 | | [command](#input\_command) | The command that is passed to the container | `list(string)` | `[]` | no | 64 | | [container\_cpu](#input\_container\_cpu) | (Optional) The number of cpu units to reserve for the container. This is optional for tasks using Fargate launch type and the total amount of container\_cpu of all containers in a task will need to be lower than the task-level cpu value | `number` | `1024` | no | 65 | | [container\_definition](#input\_container\_definition) | Container definition overrides which allows for extra keys or overriding existing keys. 
| `map(any)` | `{}` | no | 66 | | [container\_depends\_on](#input\_container\_depends\_on) | The dependencies defined for container startup and shutdown. A container can contain multiple dependencies. When a dependency is defined for container startup, for container shutdown it is reversed. The condition can be one of START, COMPLETE, SUCCESS or HEALTHY |
list(object({
containerName = string
condition = string
}))
| `[]` | no | 67 | | [container\_image](#input\_container\_image) | The image used to start the container. Images in the Docker Hub registry available by default | `string` | n/a | yes | 68 | | [container\_memory](#input\_container\_memory) | (Optional) The amount of memory (in MiB) to allow the container to use. This is a hard limit, if the container attempts to exceed the container\_memory, the container is killed. This field is optional for Fargate launch type and the total amount of container\_memory of all containers in a task will need to be lower than the task memory value | `number` | `4096` | no | 69 | | [container\_memory\_reservation](#input\_container\_memory\_reservation) | (Optional) The amount of memory (in MiB) to reserve for the container. If container needs to exceed this threshold, it can do so up to the set container\_memory hard limit | `number` | `2048` | no | 70 | | [container\_name](#input\_container\_name) | The name of the container. Up to 255 characters ([a-z], [A-Z], [0-9], -, \_ allowed) | `string` | n/a | yes | 71 | | [custom\_lb\_arn](#input\_custom\_lb\_arn) | ARN of the Load Balancer to use in the ECS service. If provided, this module will not create a load balancer and will use the one provided in this variable | `string` | `null` | no | 72 | | [default\_certificate\_arn](#input\_default\_certificate\_arn) | (Optional) The ARN of the default SSL server certificate. Required if var.https\_ports is set. | `string` | `null` | no | 73 | | [deployment\_maximum\_percent](#input\_deployment\_maximum\_percent) | (Optional) The upper limit (as a percentage of the service's desiredCount) of the number of running tasks that can be running in a service during a deployment. 
| `number` | `200` | no | 74 | | [deployment\_minimum\_healthy\_percent](#input\_deployment\_minimum\_healthy\_percent) | (Optional) The lower limit (as a percentage of the service's desiredCount) of the number of running tasks that must remain running and healthy in a service during a deployment. | `number` | `100` | no | 75 | | [deployment\_controller](#input\_deployment\_controller) | (Optional) Deployment controller. | `list(any)` | `[]` | no | 76 | | [desired\_count](#input\_desired\_count) | (Optional) The number of instances of the task definition to place and keep running. Defaults to 0. | `number` | `1` | no | 77 | | [disable\_networking](#input\_disable\_networking) | When this parameter is true, networking is disabled within the container. | `bool` | `null` | no | 78 | | [dns\_search\_domains](#input\_dns\_search\_domains) | Container DNS search domains. A list of DNS search domains that are presented to the container | `list(string)` | `[]` | no | 79 | | [dns\_servers](#input\_dns\_servers) | Container DNS servers. This is a list of strings specifying the IP addresses of the DNS servers | `list(string)` | `[]` | no | 80 | | [docker\_labels](#input\_docker\_labels) | The configuration options to send to the `docker_labels` | `map(string)` | `null` | no | 81 | | [docker\_security\_options](#input\_docker\_security\_options) | A list of strings to provide custom labels for SELinux and AppArmor multi-level security systems. | `list(string)` | `[]` | no | 82 | | [ecs\_service\_placement\_constraints](#input\_ecs\_service\_placement\_constraints) | (Optional) rules that are taken into consideration during task placement. Maximum number of placement\_constraints is 10. This is a list of maps, where each map should contain "type" and "expression" | `list(any)` | `[]` | no | 83 | | [ecs\_service\_security\_groups](#input\_ecs\_service\_security\_groups) | (Optional) The security groups associated with the task or service. 
If you do not specify a security group, the default security group for the VPC is used. | `list(any)` | `[]` | no | 84 | | [ecs\_task\_execution\_role\_custom\_policies](#input\_ecs\_task\_execution\_role\_custom\_policies) | (Optional) Custom policies to attach to the ECS task execution role. For example for reading secrets from AWS Systems Manager Parameter Store or Secrets Manager | `list(string)` | `[]` | no | 85 | | [enable\_autoscaling](#input\_enable\_autoscaling) | (Optional) If true, autoscaling alarms will be created. | `bool` | `true` | no | 86 | | [enable\_ecs\_managed\_tags](#input\_enable\_ecs\_managed\_tags) | (Optional) Specifies whether to enable Amazon ECS managed tags for the tasks within the service. | `bool` | `false` | no | 87 | | [enable\_execute\_command](#input\_enable\_execute\_command) | (Optional) Specifies whether to enable Amazon ECS Exec for the tasks within the service. | `bool` | `false` | no | 88 | | [enable\_module](#input\_enable\_module) | (Optional) Boolean variable to enable or disable the whole module. Defaults to true. | `bool` | `true` | no | 89 | | [enable\_s3\_bucket\_server\_side\_encryption](#input\_enable\_s3\_bucket\_server\_side\_encryption) | (Optional) If true, server side encryption will be applied. | `bool` | `true` | no | 90 | | [enable\_s3\_logs](#input\_enable\_s3\_logs) | (Optional) If true, all resources to send LB logs to S3 will be created | `bool` | `true` | no | 91 | | [entrypoint](#input\_entrypoint) | The entry point that is passed to the container | `list(string)` | `[]` | no | 92 | | [environment](#input\_environment) | The environment variables to pass to the container. This is a list of maps. map\_environment overrides environment |
list(object({
name = string
value = string
}))
| `[]` | no | 93 | | [environment\_files](#input\_environment\_files) | One or more files containing the environment variables to pass to the container. This maps to the --env-file option to docker run. The file must be hosted in Amazon S3. This option is only available to tasks using the EC2 launch type. This is a list of maps |
list(object({
value = string
type = string
}))
| `[]` | no | 94 | | [ephemeral\_storage\_size](#input\_ephemeral\_storage\_size) | The number of GBs to provision for ephemeral storage on Fargate tasks. Must be greater than or equal to 21 and less than or equal to 200 | `number` | `0` | no | 95 | | [essential](#input\_essential) | Determines whether all other containers in a task are stopped, if this container fails or stops for any reason. Due to how Terraform type casts booleans in json it is required to double quote this value | `bool` | `true` | no | 96 | | [extra\_hosts](#input\_extra\_hosts) | A list of hostnames and IP address mappings to append to the /etc/hosts file on the container. This is a list of maps |
list(object({
ipAddress = string
hostname = string
}))
| `[]` | no | 97 | | [firelens\_configuration](#input\_firelens\_configuration) | The FireLens configuration for the container. This is used to specify and configure a log router for container logs. For more details, see https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_FirelensConfiguration.html |
object({
type = string
options = map(string)
})
| `null` | no | 98 | | [health\_check\_grace\_period\_seconds](#input\_health\_check\_grace\_period\_seconds) | (Optional) Seconds to ignore failing load balancer health checks on newly instantiated tasks to prevent premature shutdown, up to 2147483647. Only valid for services configured to use load balancers. | `number` | `0` | no | 99 | | [healthcheck](#input\_healthcheck) | (Optional) A map containing command (string), timeout, interval (duration in seconds), retries (1-10, number of times to retry before marking container unhealthy), and startPeriod (0-300, optional grace period to wait, in seconds, before failed healthchecks count toward retries) |
object({
command = list(string)
retries = number
timeout = number
interval = number
startPeriod = number
})
| `null` | no | 100 | | [hostname](#input\_hostname) | The hostname to use for your container. | `string` | `null` | no | 101 | | [interactive](#input\_interactive) | When this parameter is true, this allows you to deploy containerized applications that require stdin or a tty to be allocated. | `bool` | `null` | no | 102 | | [lb\_deregistration\_delay](#input\_lb\_deregistration\_delay) | (Optional) The amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. The default value is 300 seconds. | `number` | `300` | no | 103 | | [lb\_drop\_invalid\_header\_fields](#input\_lb\_drop\_invalid\_header\_fields) | (Optional) Indicates whether HTTP headers with header fields that are not valid are removed by the load balancer (true) or routed to targets (false). The default is false. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens. | `bool` | `false` | no | 104 | | [lb\_enable\_cross\_zone\_load\_balancing](#input\_lb\_enable\_cross\_zone\_load\_balancing) | (Optional) If true, cross-zone load balancing of the load balancer will be enabled. Defaults to false. | `bool` | `false` | no | 105 | | [lb\_enable\_deletion\_protection](#input\_lb\_enable\_deletion\_protection) | (Optional) If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. Defaults to false. | `bool` | `false` | no | 106 | | [lb\_enable\_http2](#input\_lb\_enable\_http2) | (Optional) Indicates whether HTTP/2 is enabled in the load balancer. Defaults to true. | `bool` | `true` | no | 107 | | [lb\_http\_ingress\_cidr\_blocks](#input\_lb\_http\_ingress\_cidr\_blocks) | List of CIDR blocks to allowed to access the Load Balancer through HTTP | `list(string)` |
[
"0.0.0.0/0"
]
| no | 108 | | [lb\_http\_ingress\_prefix\_list\_ids](#input\_lb\_http\_ingress\_prefix\_list\_ids) | List of prefix list IDs allowed to access the Load Balancer through HTTP | `list(string)` | `[]` | no | 109 | | [lb\_http\_ports](#input\_lb\_http\_ports) | Map containing objects with two fields, listener\_port and the target\_group\_port to redirect HTTP requests | `map(any)` |
{
"default_http": {
"listener_port": 80,
"target_group_port": 80
}
}
| no | 110 | | [lb\_https\_ingress\_cidr\_blocks](#input\_lb\_https\_ingress\_cidr\_blocks) | List of CIDR blocks allowed to access the Load Balancer through HTTPS | `list(string)` |
[
"0.0.0.0/0"
]
| no | 111 | | [lb\_https\_ingress\_prefix\_list\_ids](#input\_lb\_https\_ingress\_prefix\_list\_ids) | List of prefix list IDs allowed to access the Load Balancer through HTTPS | `list(string)` | `[]` | no | 112 | | [lb\_https\_ports](#input\_lb\_https\_ports) | Map containing objects with two fields, listener\_port and the target\_group\_port to redirect HTTPS requests | `map(any)` |
{
"default_http": {
"listener_port": 443,
"target_group_port": 443
}
}
| no | 113 | | [lb\_idle\_timeout](#input\_lb\_idle\_timeout) | (Optional) The time in seconds that the connection is allowed to be idle. Default: 60. | `number` | `60` | no | 114 | | [lb\_internal](#input\_lb\_internal) | (Optional) If true, the LB will be internal. | `bool` | `false` | no | 115 | | [lb\_ip\_address\_type](#input\_lb\_ip\_address\_type) | (Optional) The type of IP addresses used by the subnets for your load balancer. The possible values are ipv4 and dualstack. Defaults to ipv4 | `string` | `"ipv4"` | no | 116 | | [lb\_load\_balancing\_algorithm\_type](#input\_lb\_load\_balancing\_algorithm\_type) | (Optional) Determines how the load balancer selects targets when routing requests. The value is round\_robin or least\_outstanding\_requests. The default is round\_robin. | `string` | `"round_robin"` | no | 117 | | [lb\_security\_groups](#input\_lb\_security\_groups) | (Optional) A list of security group IDs to assign to the LB. | `list(string)` | `[]` | no | 118 | | [lb\_slow\_start](#input\_lb\_slow\_start) | (Optional) The amount time for targets to warm up before the load balancer sends them a full share of requests. The range is 30-900 seconds or 0 to disable. The default value is 0 seconds. | `number` | `0` | no | 119 | | [lb\_stickiness](#input\_lb\_stickiness) | (Optional) A Stickiness block. Provide three fields. type, the type of sticky sessions. The only current possible value is lb\_cookie. cookie\_duration, the time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds). enabled, boolean to enable / disable stickiness. Default is true. |
object({
type = string
cookie_duration = string
enabled = bool
})
|
{
"cookie_duration": 86400,
"enabled": true,
"type": "lb_cookie"
}
| no | 120 | | [lb\_target\_group\_health\_check\_enabled](#input\_lb\_target\_group\_health\_check\_enabled) | (Optional) Indicates whether health checks are enabled. Defaults to true. | `bool` | `true` | no | 121 | | [lb\_target\_group\_health\_check\_healthy\_threshold](#input\_lb\_target\_group\_health\_check\_healthy\_threshold) | (Optional) The number of consecutive health checks successes required before considering an unhealthy target healthy. Defaults to 3. | `number` | `3` | no | 122 | | [lb\_target\_group\_health\_check\_interval](#input\_lb\_target\_group\_health\_check\_interval) | (Optional) The approximate amount of time, in seconds, between health checks of an individual target. Minimum value 5 seconds, Maximum value 300 seconds. Default 30 seconds. | `number` | `30` | no | 123 | | [lb\_target\_group\_health\_check\_matcher](#input\_lb\_target\_group\_health\_check\_matcher) | The HTTP codes to use when checking for a successful response from a target. You can specify multiple values (for example, "200,202") or a range of values (for example, "200-299"). Default is 200. | `string` | `"200"` | no | 124 | | [lb\_target\_group\_health\_check\_path](#input\_lb\_target\_group\_health\_check\_path) | The destination for the health check request. | `string` | `"/"` | no | 125 | | [lb\_target\_group\_health\_check\_timeout](#input\_lb\_target\_group\_health\_check\_timeout) | (Optional) The amount of time, in seconds, during which no response means a failed health check. The range is 2 to 120 seconds, and the default is 5 seconds. | `number` | `5` | no | 126 | | [lb\_target\_group\_health\_check\_unhealthy\_threshold](#input\_lb\_target\_group\_health\_check\_unhealthy\_threshold) | (Optional) The number of consecutive health check failures required before considering the target unhealthy. Defaults to 3. 
| `number` | `3` | no | 127 | | [lb\_waf\_web\_acl\_arn](#input\_lb\_waf\_web\_acl\_arn) | ARN of a WAFv2 Web ACL to associate with the ALB | `string` | `""` | no | 128 | | [links](#input\_links) | List of container names this container can communicate with without port mappings | `list(string)` | `[]` | no | 129 | | [linux\_parameters](#input\_linux\_parameters) | Linux-specific modifications that are applied to the container, such as Linux kernel capabilities. For more details, see https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_LinuxParameters.html |
object({
capabilities = object({
add = list(string)
drop = list(string)
})
devices = list(object({
containerPath = string
hostPath = string
permissions = list(string)
}))
initProcessEnabled = bool
maxSwap = number
sharedMemorySize = number
swappiness = number
tmpfs = list(object({
containerPath = string
mountOptions = list(string)
size = number
}))
})
| `null` | no | 130 | | [log\_configuration](#input\_log\_configuration) | Log configuration options to send to a custom log driver for the container. For more details, see https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_LogConfiguration.html | `any` | `null` | no | 131 | | [map\_environment](#input\_map\_environment) | The environment variables to pass to the container. This is a map of string: {key: value}. map\_environment overrides environment | `map(string)` | `null` | no | 132 | | [mount\_points](#input\_mount\_points) | Container mount points. This is a list of maps, where each map should contain a `containerPath` and `sourceVolume`. The `readOnly` key is optional. | `list(any)` | `[]` | no | 133 | | [name\_prefix](#input\_name\_prefix) | Name prefix for resources on AWS | `any` | n/a | yes | 134 | | [ordered\_placement\_strategy](#input\_ordered\_placement\_strategy) | (Optional) Service level strategy rules that are taken into consideration during task placement. List from top to bottom in order of precedence. The maximum number of ordered\_placement\_strategy blocks is 5. This is a list of maps where each map should contain "id" and "field" | `list(any)` | `[]` | no | 135 | | [permissions\_boundary](#input\_permissions\_boundary) | (Optional) The ARN of the policy that is used to set the permissions boundary for the `ecs_task_execution_role` role. | `string` | `null` | no | 136 | | [placement\_constraints\_task\_definition](#input\_placement\_constraints\_task\_definition) | (Optional) A set of placement constraints rules that are taken into consideration during task placement. Maximum number of placement\_constraints is 10. This is a list of maps, where each map should contain "type" and "expression" | `list(any)` | `[]` | no | 137 | | [platform\_version](#input\_platform\_version) | (Optional) The platform version on which to run your service. Defaults to 1.4.0. 
More information about Fargate platform versions can be found in the AWS ECS User Guide. | `string` | `"1.4.0"` | no | 138 | | [port\_mappings](#input\_port\_mappings) | The port mappings to configure for the container. This is a list of maps. Each map should contain "containerPort", "hostPort", and "protocol", where "protocol" is one of "tcp" or "udp". If using containers in a task with the awsvpc or host network mode, the hostPort can either be left blank or set to the same value as the containerPort |
list(object({
containerPort = number
hostPort = number
protocol = string
}))
|
[
{
"containerPort": 80,
"hostPort": 80,
"protocol": "tcp"
}
]
| no | 139 | | [private\_subnets\_ids](#input\_private\_subnets\_ids) | The private subnets associated with the task or service. | `list(any)` | n/a | yes | 140 | | [privileged](#input\_privileged) | When this variable is `true`, the container is given elevated privileges on the host container instance (similar to the root user). This parameter is not supported for Windows containers or tasks using the Fargate launch type. | `bool` | `null` | no | 141 | | [propagate\_tags](#input\_propagate\_tags) | (Optional) Specifies whether to propagate the tags from the task definition or the service to the tasks. The valid values are SERVICE and TASK\_DEFINITION. Default to SERVICE | `string` | `"SERVICE"` | no | 142 | | [proxy\_configuration](#input\_proxy\_configuration) | (Optional) The proxy configuration details for the App Mesh proxy. This is a list of maps, where each map should contain "container\_name", "properties" and "type" | `list(any)` | `[]` | no | 143 | | [pseudo\_terminal](#input\_pseudo\_terminal) | When this parameter is true, a TTY is allocated. | `bool` | `null` | no | 144 | | [public\_subnets\_ids](#input\_public\_subnets\_ids) | The public subnets associated with the task or service. | `list(any)` | n/a | yes | 145 | | [readonly\_root\_filesystem](#input\_readonly\_root\_filesystem) | Determines whether a container is given read-only access to its root filesystem. Due to how Terraform type casts booleans in json it is required to double quote this value | `bool` | `false` | no | 146 | | [repository\_credentials](#input\_repository\_credentials) | Container repository credentials; required when using a private repo. 
This map currently supports a single key; "credentialsParameter", which should be the ARN of a Secrets Manager's secret holding the credentials | `map(string)` | `null` | no | 147 | | [s3\_bucket\_server\_side\_encryption\_key](#input\_s3\_bucket\_server\_side\_encryption\_key) | (Optional) The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse\_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse\_algorithm is aws:kms. | `string` | `null` | no | 148 | | [s3\_bucket\_server\_side\_encryption\_sse\_algorithm](#input\_s3\_bucket\_server\_side\_encryption\_sse\_algorithm) | (Optional) The server-side encryption algorithm to use. Valid values are AES256 and aws:kms | `string` | `"AES256"` | no | 149 | | [secrets](#input\_secrets) | The secrets to pass to the container. This is a list of maps |
list(object({
name = string
valueFrom = string
}))
| `[]` | no | 150 | | [service\_registries](#input\_service\_registries) | (Optional) The service discovery registries for the service. The maximum number of service\_registries blocks is 1. This is a map that should contain the following fields "registry\_arn", "port", "container\_port" and "container\_name" | `map(any)` | `{}` | no | 151 | | [ssl\_policy](#input\_ssl\_policy) | (Optional) The name of the SSL Policy for the listener. . Required if var.https\_ports is set. | `string` | `null` | no | 152 | | [start\_timeout](#input\_start\_timeout) | Time duration (in seconds) to wait before giving up on resolving dependencies for a container | `number` | `null` | no | 153 | | [stop\_timeout](#input\_stop\_timeout) | Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own | `number` | `null` | no | 154 | | [system\_controls](#input\_system\_controls) | A list of namespaced kernel parameters to set in the container, mapping to the --sysctl option to docker run. This is a list of maps: { namespace = "", value = ""} | `list(map(string))` | `[]` | no | 155 | | [tags](#input\_tags) | Resource tags | `map(string)` | `{}` | no | 156 | | [ulimits](#input\_ulimits) | Container ulimit settings. This is a list of maps, where each map should contain "name", "hardLimit" and "softLimit" |
list(object({
name = string
hardLimit = number
softLimit = number
}))
| `[]` | no | 157 | | [user](#input\_user) | The user to run as inside the container. Can be any of these formats: user, user:group, uid, uid:gid, user:gid, uid:group. The default (null) will use the container's configured `USER` directive or root if not set. | `string` | `null` | no | 158 | | [volumes](#input\_volumes) | (Optional) A set of volume blocks that containers in your task may use |
list(object({
host_path = string
name = string
docker_volume_configuration = list(object({
autoprovision = bool
driver = string
driver_opts = map(string)
labels = map(string)
scope = string
}))
efs_volume_configuration = list(object({
file_system_id = string
root_directory = string
transit_encryption = string
transit_encryption_port = string
authorization_config = list(object({
access_point_id = string
iam = string
}))
}))
}))
| `[]` | no | 159 | | [volumes\_from](#input\_volumes\_from) | A list of VolumesFrom maps which contain "sourceContainer" (name of the container that has the volumes to mount) and "readOnly" (whether the container can write to the volume) |
list(object({
sourceContainer = string
readOnly = bool
}))
| `[]` | no | 160 | | [vpc\_id](#input\_vpc\_id) | ID of the VPC | `any` | n/a | yes | 161 | | [working\_directory](#input\_working\_directory) | The working directory to run commands inside the container | `string` | `null` | no | 162 | 163 | ## Outputs 164 | 165 | | Name | Description | 166 | |------|-------------| 167 | | [aws\_ecs\_cluster\_cluster\_arn](#output\_aws\_ecs\_cluster\_cluster\_arn) | The Amazon Resource Name (ARN) that identifies the cluster | 168 | | [aws\_ecs\_cluster\_cluster\_id](#output\_aws\_ecs\_cluster\_cluster\_id) | The Amazon ID that identifies the cluster | 169 | | [aws\_ecs\_cluster\_cluster\_name](#output\_aws\_ecs\_cluster\_cluster\_name) | The name of the cluster | 170 | | [aws\_ecs\_service\_service\_cluster](#output\_aws\_ecs\_service\_service\_cluster) | The Amazon Resource Name (ARN) of cluster which the service runs on. | 171 | | [aws\_ecs\_service\_service\_desired\_count](#output\_aws\_ecs\_service\_service\_desired\_count) | The number of instances of the task definition | 172 | | [aws\_ecs\_service\_service\_id](#output\_aws\_ecs\_service\_service\_id) | The Amazon Resource Name (ARN) that identifies the service. | 173 | | [aws\_ecs\_service\_service\_name](#output\_aws\_ecs\_service\_service\_name) | The name of the service. | 174 | | [aws\_ecs\_task\_definition\_td\_arn](#output\_aws\_ecs\_task\_definition\_td\_arn) | Full ARN of the Task Definition (including both family and revision). | 175 | | [aws\_ecs\_task\_definition\_td\_family](#output\_aws\_ecs\_task\_definition\_td\_family) | The family of the Task Definition. | 176 | | [aws\_ecs\_task\_definition\_td\_revision](#output\_aws\_ecs\_task\_definition\_td\_revision) | The revision of the task in a particular family. | 177 | | [aws\_iam\_role\_ecs\_task\_execution\_role\_arn](#output\_aws\_iam\_role\_ecs\_task\_execution\_role\_arn) | The Amazon Resource Name (ARN) specifying the role. 
| 178 | | [aws\_iam\_role\_ecs\_task\_execution\_role\_create\_date](#output\_aws\_iam\_role\_ecs\_task\_execution\_role\_create\_date) | The creation date of the IAM role. | 179 | | [aws\_iam\_role\_ecs\_task\_execution\_role\_description](#output\_aws\_iam\_role\_ecs\_task\_execution\_role\_description) | The description of the role. | 180 | | [aws\_iam\_role\_ecs\_task\_execution\_role\_id](#output\_aws\_iam\_role\_ecs\_task\_execution\_role\_id) | The ID of the role. | 181 | | [aws\_iam\_role\_ecs\_task\_execution\_role\_name](#output\_aws\_iam\_role\_ecs\_task\_execution\_role\_name) | The name of the role. | 182 | | [aws\_iam\_role\_ecs\_task\_execution\_role\_unique\_id](#output\_aws\_iam\_role\_ecs\_task\_execution\_role\_unique\_id) | The stable and unique string identifying the role. | 183 | | [aws\_lb\_lb\_arn](#output\_aws\_lb\_lb\_arn) | The ARN of the load balancer (matches id). | 184 | | [aws\_lb\_lb\_arn\_suffix](#output\_aws\_lb\_lb\_arn\_suffix) | The ARN suffix for use with CloudWatch Metrics. | 185 | | [aws\_lb\_lb\_dns\_name](#output\_aws\_lb\_lb\_dns\_name) | The DNS name of the load balancer. | 186 | | [aws\_lb\_lb\_id](#output\_aws\_lb\_lb\_id) | The ARN of the load balancer (matches arn). | 187 | | [aws\_lb\_lb\_zone\_id](#output\_aws\_lb\_lb\_zone\_id) | The canonical hosted zone ID of the load balancer (to be used in a Route 53 Alias record). | 188 | | [aws\_security\_group\_lb\_access\_sg\_arn](#output\_aws\_security\_group\_lb\_access\_sg\_arn) | The ARN of the security group | 189 | | [aws\_security\_group\_lb\_access\_sg\_description](#output\_aws\_security\_group\_lb\_access\_sg\_description) | The description of the security group | 190 | | [aws\_security\_group\_lb\_access\_sg\_egress](#output\_aws\_security\_group\_lb\_access\_sg\_egress) | The egress rules. 
| 191 | | [aws\_security\_group\_lb\_access\_sg\_id](#output\_aws\_security\_group\_lb\_access\_sg\_id) | The ID of the security group | 192 | | [aws\_security\_group\_lb\_access\_sg\_ingress](#output\_aws\_security\_group\_lb\_access\_sg\_ingress) | The ingress rules. | 193 | | [aws\_security\_group\_lb\_access\_sg\_name](#output\_aws\_security\_group\_lb\_access\_sg\_name) | The name of the security group | 194 | | [aws\_security\_group\_lb\_access\_sg\_owner\_id](#output\_aws\_security\_group\_lb\_access\_sg\_owner\_id) | The owner ID. | 195 | | [aws\_security\_group\_lb\_access\_sg\_vpc\_id](#output\_aws\_security\_group\_lb\_access\_sg\_vpc\_id) | The VPC ID. | 196 | | [container\_name](#output\_container\_name) | Name of the container | 197 | | [ecs\_tasks\_sg\_arn](#output\_ecs\_tasks\_sg\_arn) | ${var.name\_prefix} ECS Tasks Security Group - The ARN of the security group | 198 | | [ecs\_tasks\_sg\_description](#output\_ecs\_tasks\_sg\_description) | ${var.name\_prefix} ECS Tasks Security Group - The description of the security group | 199 | | [ecs\_tasks\_sg\_id](#output\_ecs\_tasks\_sg\_id) | ${var.name\_prefix} ECS Tasks Security Group - The ID of the security group | 200 | | [ecs\_tasks\_sg\_name](#output\_ecs\_tasks\_sg\_name) | ${var.name\_prefix} ECS Tasks Security Group - The name of the security group | 201 | | [lb\_http\_listeners\_arns](#output\_lb\_http\_listeners\_arns) | List of HTTP Listeners ARNs | 202 | | [lb\_http\_listeners\_ids](#output\_lb\_http\_listeners\_ids) | List of HTTP Listeners IDs | 203 | | [lb\_http\_tgs\_arns](#output\_lb\_http\_tgs\_arns) | List of HTTP Target Groups ARNs | 204 | | [lb\_http\_tgs\_ids](#output\_lb\_http\_tgs\_ids) | List of HTTP Target Groups IDs | 205 | | [lb\_http\_tgs\_names](#output\_lb\_http\_tgs\_names) | List of HTTP Target Groups Names | 206 | | [lb\_https\_listeners\_arns](#output\_lb\_https\_listeners\_arns) | List of HTTPS Listeners ARNs | 207 | | 
[lb\_https\_listeners\_ids](#output\_lb\_https\_listeners\_ids) | List of HTTPS Listeners IDs | 208 | | [lb\_https\_tgs\_arns](#output\_lb\_https\_tgs\_arns) | List of HTTPS Target Groups ARNs | 209 | | [lb\_https\_tgs\_ids](#output\_lb\_https\_tgs\_ids) | List of HTTPS Target Groups IDs | 210 | | [lb\_https\_tgs\_names](#output\_lb\_https\_tgs\_names) | List of HTTPS Target Groups Names | 211 | 212 | -------------------------------------------------------------------------------- /examples/test/main.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | public_subnet_ids = [for s in module.base-network.public_subnets : s.id] 3 | private_subnet_ids = [for s in module.base-network.private_subnets : s.id] 4 | } 5 | 6 | module "base-network" { 7 | source = "cn-terraform/networking/aws" 8 | cidr_block = "192.168.0.0/16" 9 | 10 | vpc_additional_tags = { 11 | vpc_tag1 = "tag1", 12 | vpc_tag2 = "tag2", 13 | } 14 | 15 | public_subnets = { 16 | first_public_subnet = { 17 | availability_zone = "us-east-1a" 18 | cidr_block = "192.168.0.0/19" 19 | } 20 | second_public_subnet = { 21 | availability_zone = "us-east-1b" 22 | cidr_block = "192.168.32.0/19" 23 | } 24 | } 25 | 26 | public_subnets_additional_tags = { 27 | public_subnet_tag1 = "tag1", 28 | public_subnet_tag2 = "tag2", 29 | } 30 | 31 | private_subnets = { 32 | first_private_subnet = { 33 | availability_zone = "us-east-1a" 34 | cidr_block = "192.168.128.0/19" 35 | } 36 | second_private_subnet = { 37 | availability_zone = "us-east-1b" 38 | cidr_block = "192.168.160.0/19" 39 | } 40 | } 41 | 42 | private_subnets_additional_tags = { 43 | private_subnet_tag1 = "tag1", 44 | private_subnet_tag2 = "tag2", 45 | } 46 | } 47 | 48 | module "test" { 49 | source = "../../" 50 | name_prefix = "test" 51 | vpc_id = module.base-network.vpc_id 52 | container_image = "ubuntu" 53 | container_name = "test" 54 | public_subnets_ids = local.public_subnet_ids 55 | private_subnets_ids = 
local.private_subnet_ids 56 | } 57 | -------------------------------------------------------------------------------- /examples/test/mock_provider.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 0.13" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = ">= 4" 7 | } 8 | } 9 | } 10 | 11 | provider "aws" { 12 | region = "us-east-1" 13 | skip_credentials_validation = true 14 | skip_requesting_account_id = true 15 | skip_metadata_api_check = true 16 | s3_use_path_style = true 17 | 18 | endpoints { 19 | apigateway = "http://localstack:4566" 20 | cloudformation = "http://localstack:4566" 21 | cloudwatch = "http://localstack:4566" 22 | dynamodb = "http://localstack:4566" 23 | es = "http://localstack:4566" 24 | firehose = "http://localstack:4566" 25 | iam = "http://localstack:4566" 26 | kinesis = "http://localstack:4566" 27 | lambda = "http://localstack:4566" 28 | route53 = "http://localstack:4566" 29 | redshift = "http://localstack:4566" 30 | s3 = "http://localstack:4566" 31 | secretsmanager = "http://localstack:4566" 32 | ses = "http://localstack:4566" 33 | sns = "http://localstack:4566" 34 | sqs = "http://localstack:4566" 35 | ssm = "http://localstack:4566" 36 | stepfunctions = "http://localstack:4566" 37 | sts = "http://localstack:4566" 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /files/iam/ecs_autoscale_iam_role.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Effect": "Allow", 6 | "Principal": { 7 | "Service": "application-autoscaling.amazonaws.com" 8 | }, 9 | "Action": "sts:AssumeRole" 10 | } 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /files/iam/ecs_autoscale_iam_role_policy.json: 
--------------------------------------------------------------------------------
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeServices",
        "ecs:UpdateService"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarms"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
--------------------------------------------------------------------------------
/files/iam/ecs_task_execution_iam_role.json:
--------------------------------------------------------------------------------
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Sid": ""
    }
  ]
}
--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# ECS Cluster
#------------------------------------------------------------------------------
# Root module: it only composes three upstream cn-terraform modules (cluster,
# task definition, service) and forwards the root variables to them.
# NOTE(review): nothing in this file reads the JSON documents under files/iam/
# (no file() call anywhere here); the task execution role is produced by
# module.td (see outputs.tf). Those JSON files look like leftovers — confirm
# before treating them as the policies that are actually applied.
module "ecs-cluster" {
  source  = "cn-terraform/ecs-cluster/aws"
  version = "1.0.11"
  # source = "../terraform-aws-ecs-cluster"

  name = var.name_prefix
  tags = var.tags
}

#------------------------------------------------------------------------------
# ECS Task Definition
#------------------------------------------------------------------------------
# Straight pass-through of every container-definition input. The hardening
# inputs (privileged, readonly_root_filesystem, user, linux_parameters,
# docker_security_options, secrets, repository_credentials, permissions_boundary,
# ecs_task_execution_role_custom_policies) keep whatever default variables.tf
# declares unless the caller overrides them.
module "td" {
  source  = "cn-terraform/ecs-fargate-task-definition/aws"
  version = "1.0.36"
  # source = "../terraform-aws-ecs-fargate-task-definition"

  additional_containers          = var.additional_containers
  command                        = var.command
  container_cpu                  = var.container_cpu
  container_definition_overrides = var.container_definition_overrides
  container_depends_on           = var.container_depends_on
  container_image                = var.container_image
  container_memory               = var.container_memory
  container_memory_reservation   = var.container_memory_reservation
  container_name                 = var.container_name
  disable_networking             = var.disable_networking
  dns_search_domains             = var.dns_search_domains
  dns_servers                    = var.dns_servers
  docker_labels                  = var.docker_labels
  docker_security_options        = var.docker_security_options
  entrypoint                     = var.entrypoint
  environment                    = var.environment
  environment_files              = var.environment_files
  essential                      = var.essential
  extra_hosts                    = var.extra_hosts
  firelens_configuration         = var.firelens_configuration
  healthcheck                    = var.healthcheck
  hostname                       = var.hostname
  interactive                    = var.interactive
  links                          = var.links
  linux_parameters               = var.linux_parameters
  log_configuration              = var.log_configuration
  map_environment                = var.map_environment
  mount_points                   = var.mount_points
  name_prefix                    = var.name_prefix
  port_mappings                  = var.port_mappings
  privileged                     = var.privileged
  pseudo_terminal                = var.pseudo_terminal
  readonly_root_filesystem       = var.readonly_root_filesystem
  repository_credentials         = var.repository_credentials
  secrets                        = var.secrets
  start_timeout                  = var.start_timeout
  stop_timeout                   = var.stop_timeout
  system_controls                = var.system_controls
  ulimits                        = var.ulimits
  user                           = var.user
  volumes_from                   = var.volumes_from
  working_directory              = var.working_directory

  # Task-level settings; placement_constraints is deliberately fed from the
  # task-definition-specific variable, not the service-level one.
  ecs_task_execution_role_custom_policies = var.ecs_task_execution_role_custom_policies
  ephemeral_storage_size                  = var.ephemeral_storage_size
  permissions_boundary                    = var.permissions_boundary
  placement_constraints                   = var.placement_constraints_task_definition
  proxy_configuration                     = var.proxy_configuration
  volumes                                 = var.volumes

  tags = var.tags
}

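#------------------------------------------------------------------------------
# ECS Service
#------------------------------------------------------------------------------
# Service + load balancer composition. The security-relevant knobs forwarded
# here are enable_execute_command (interactive access to running tasks),
# assign_public_ip, the lb_*_ingress_* allow-lists, lb_drop_invalid_header_fields,
# waf_web_acl_arn, ssl_policy and the S3 access-log bucket hardening flags; their
# defaults are declared in variables.tf, not here.
module "ecs-fargate-service" {
  source  = "cn-terraform/ecs-fargate-service/aws"
  version = "2.0.47"
  # source = "../terraform-aws-ecs-fargate-service"

  name_prefix = var.name_prefix
  vpc_id      = var.vpc_id

  deployment_controller              = var.deployment_controller
  deployment_maximum_percent         = var.deployment_maximum_percent
  deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
  desired_count                      = var.desired_count
  ecs_cluster_arn                    = module.ecs-cluster.aws_ecs_cluster_cluster_arn
  enable_ecs_managed_tags            = var.enable_ecs_managed_tags
  enable_execute_command             = var.enable_execute_command
  force_new_deployment               = var.force_new_deployment
  health_check_grace_period_seconds  = var.health_check_grace_period_seconds
  ordered_placement_strategy         = var.ordered_placement_strategy
  placement_constraints              = var.ecs_service_placement_constraints
  platform_version                   = var.platform_version
  propagate_tags                     = var.propagate_tags
  service_registries                 = var.service_registries
  task_definition_arn                = module.td.aws_ecs_task_definition_td_arn

  # Deployment circuit breaker
  deployment_circuit_breaker_enabled  = var.deployment_circuit_breaker_enabled
  deployment_circuit_breaker_rollback = var.deployment_circuit_breaker_rollback

  # Network configuration block
  public_subnets   = var.public_subnets_ids
  private_subnets  = var.private_subnets_ids
  security_groups  = var.ecs_service_security_groups
  assign_public_ip = var.assign_public_ip

  # ECS Service Load Balancer block
  container_name = var.container_name

  # ECS Autoscaling
  enable_autoscaling = var.enable_autoscaling
  ecs_cluster_name   = module.ecs-cluster.aws_ecs_cluster_cluster_name

  # Application Load Balancer
  custom_lb_arn                       = var.custom_lb_arn
  additional_lbs                      = var.additional_lbs
  lb_internal                         = var.lb_internal
  lb_security_groups                  = var.lb_security_groups
  lb_drop_invalid_header_fields       = var.lb_drop_invalid_header_fields
  lb_idle_timeout                     = var.lb_idle_timeout
  lb_enable_deletion_protection       = var.lb_enable_deletion_protection
  lb_enable_cross_zone_load_balancing = var.lb_enable_cross_zone_load_balancing
  lb_enable_http2                     = var.lb_enable_http2
  lb_ip_address_type                  = var.lb_ip_address_type
  waf_web_acl_arn                     = var.lb_waf_web_acl_arn

  # Application Load Balancer Logs
  enable_s3_logs                                 = var.enable_s3_logs
  block_s3_bucket_public_access                  = var.block_s3_bucket_public_access
  enable_s3_bucket_server_side_encryption        = var.enable_s3_bucket_server_side_encryption
  s3_bucket_server_side_encryption_sse_algorithm = var.s3_bucket_server_side_encryption_sse_algorithm
  s3_bucket_server_side_encryption_key           = var.s3_bucket_server_side_encryption_key

  # Access Control to Application Load Balancer
  lb_http_ports                    = var.lb_http_ports
  lb_http_ingress_cidr_blocks      = var.lb_http_ingress_cidr_blocks
  lb_http_ingress_prefix_list_ids  = var.lb_http_ingress_prefix_list_ids
  lb_https_ports                   = var.lb_https_ports
  lb_https_ingress_cidr_blocks     = var.lb_https_ingress_cidr_blocks
  lb_https_ingress_prefix_list_ids = var.lb_https_ingress_prefix_list_ids

  # Target Groups
  lb_deregistration_delay                          = var.lb_deregistration_delay
  lb_slow_start                                    = var.lb_slow_start
  lb_load_balancing_algorithm_type                 = var.lb_load_balancing_algorithm_type
  lb_stickiness                                    = var.lb_stickiness
  lb_target_group_health_check_enabled             = var.lb_target_group_health_check_enabled
  lb_target_group_health_check_interval            = var.lb_target_group_health_check_interval
  lb_target_group_health_check_path                = var.lb_target_group_health_check_path
  lb_target_group_health_check_timeout             = var.lb_target_group_health_check_timeout
  lb_target_group_health_check_healthy_threshold   = var.lb_target_group_health_check_healthy_threshold
  lb_target_group_health_check_unhealthy_threshold = var.lb_target_group_health_check_unhealthy_threshold
  lb_target_group_health_check_matcher             = var.lb_target_group_health_check_matcher

  # Certificates
  default_certificate_arn                         = var.default_certificate_arn
  ssl_policy                                      = var.ssl_policy
  additional_certificates_arn_for_https_listeners = var.additional_certificates_arn_for_https_listeners

  # Optional tags
  tags = var.tags
}
--------------------------------------------------------------------------------
/outputs.tf:
--------------------------------------------------------------------------------
# Every output below re-exports a child-module output (or, for container_name,
# the root variable) so that callers of this root module can reference the
# created cluster, roles, task definition, load balancer and security groups.
#------------------------------------------------------------------------------
# ECS CLUSTER
#------------------------------------------------------------------------------
output "aws_ecs_cluster_cluster_name" {
  description = "The name of the cluster"
  value       = module.ecs-cluster.aws_ecs_cluster_cluster_name
}

output "aws_ecs_cluster_cluster_id" {
  description = "The Amazon ID that identifies the cluster"
  value       = module.ecs-cluster.aws_ecs_cluster_cluster_id
}

output "aws_ecs_cluster_cluster_arn" {
  description = "The Amazon Resource Name (ARN) that identifies the cluster"
  value       = module.ecs-cluster.aws_ecs_cluster_cluster_arn
}

#------------------------------------------------------------------------------
# AWS ECS Task Execution Role
#------------------------------------------------------------------------------
# The task execution role is created by module.td; it is the identity ECS uses
# to pull the image and resolve secrets, so its ARN/name are exposed for callers
# that need to grant it additional access.
output "aws_iam_role_ecs_task_execution_role_arn" {
  description = "The Amazon Resource Name (ARN) specifying the role."
  value       = module.td.aws_iam_role_ecs_task_execution_role_arn
}
output "aws_iam_role_ecs_task_execution_role_create_date" {
  description = "The creation date of the IAM role."
  value       = module.td.aws_iam_role_ecs_task_execution_role_create_date
}
output "aws_iam_role_ecs_task_execution_role_description" {
  description = "The description of the role."
  value       = module.td.aws_iam_role_ecs_task_execution_role_description
}
output "aws_iam_role_ecs_task_execution_role_id" {
  description = "The ID of the role."
  value       = module.td.aws_iam_role_ecs_task_execution_role_id
}
output "aws_iam_role_ecs_task_execution_role_name" {
  description = "The name of the role."
  value       = module.td.aws_iam_role_ecs_task_execution_role_name
}
output "aws_iam_role_ecs_task_execution_role_unique_id" {
  description = "The stable and unique string identifying the role."
  value       = module.td.aws_iam_role_ecs_task_execution_role_unique_id
}

#------------------------------------------------------------------------------
# ECS Task Definition
#------------------------------------------------------------------------------
output "aws_ecs_task_definition_td_arn" {
  description = "Full ARN of the Task Definition (including both family and revision)."
  value       = module.td.aws_ecs_task_definition_td_arn
}

output "aws_ecs_task_definition_td_family" {
  description = "The family of the Task Definition."
  value       = module.td.aws_ecs_task_definition_td_family
}

output "aws_ecs_task_definition_td_revision" {
  description = "The revision of the task in a particular family."
  value       = module.td.aws_ecs_task_definition_td_revision
}
output "container_name" {
  description = "Name of the container"
  value       = var.container_name
}

#------------------------------------------------------------------------------
# APPLICATION LOAD BALANCER
#------------------------------------------------------------------------------
output "aws_lb_lb_id" {
  description = "The ARN of the load balancer (matches arn)."
  value       = module.ecs-fargate-service.aws_lb_lb_id
}

output "aws_lb_lb_arn" {
  description = "The ARN of the load balancer (matches id)."
  value       = module.ecs-fargate-service.aws_lb_lb_arn
}

output "aws_lb_lb_arn_suffix" {
  description = "The ARN suffix for use with CloudWatch Metrics."
  value       = module.ecs-fargate-service.aws_lb_lb_arn_suffix
}

output "aws_lb_lb_dns_name" {
  description = "The DNS name of the load balancer."
  value       = module.ecs-fargate-service.aws_lb_lb_dns_name
}

output "aws_lb_lb_zone_id" {
  description = "The canonical hosted zone ID of the load balancer (to be used in a Route 53 Alias record)."
  value       = module.ecs-fargate-service.aws_lb_lb_zone_id
}

#------------------------------------------------------------------------------
# ACCESS CONTROL TO APPLICATION LOAD BALANCER
#------------------------------------------------------------------------------
output "aws_security_group_lb_access_sg_id" {
  description = "The ID of the security group"
  value       = module.ecs-fargate-service.aws_security_group_lb_access_sg_id
}

output "aws_security_group_lb_access_sg_arn" {
  description = "The ARN of the security group"
  value       = module.ecs-fargate-service.aws_security_group_lb_access_sg_arn
}

output "aws_security_group_lb_access_sg_vpc_id" {
  description = "The VPC ID."
  value       = module.ecs-fargate-service.aws_security_group_lb_access_sg_vpc_id
}

output "aws_security_group_lb_access_sg_owner_id" {
  description = "The owner ID."
  value       = module.ecs-fargate-service.aws_security_group_lb_access_sg_owner_id
}

output "aws_security_group_lb_access_sg_name" {
  description = "The name of the security group"
  value       = module.ecs-fargate-service.aws_security_group_lb_access_sg_name
}

output "aws_security_group_lb_access_sg_description" {
  description = "The description of the security group"
  value       = module.ecs-fargate-service.aws_security_group_lb_access_sg_description
}

# Exposing the rule sets lets callers audit the effective LB exposure without
# querying the provider again.
output "aws_security_group_lb_access_sg_ingress" {
  description = "The ingress rules."
  value       = module.ecs-fargate-service.aws_security_group_lb_access_sg_ingress
}

output "aws_security_group_lb_access_sg_egress" {
  description = "The egress rules."
  value       = module.ecs-fargate-service.aws_security_group_lb_access_sg_egress
}

#------------------------------------------------------------------------------
# AWS LOAD BALANCER - Target Groups
#------------------------------------------------------------------------------
output "lb_http_tgs_ids" {
  description = "List of HTTP Target Groups IDs"
  value       = module.ecs-fargate-service.lb_http_tgs_ids
}

output "lb_http_tgs_arns" {
  description = "List of HTTP Target Groups ARNs"
  value       = module.ecs-fargate-service.lb_http_tgs_arns
}

output "lb_http_tgs_names" {
  description = "List of HTTP Target Groups Names"
  value       = module.ecs-fargate-service.lb_http_tgs_names
}

output "lb_https_tgs_ids" {
  description = "List of HTTPS Target Groups IDs"
  value       = module.ecs-fargate-service.lb_https_tgs_ids
}

output "lb_https_tgs_arns" {
  description = "List of HTTPS Target Groups ARNs"
  value       = module.ecs-fargate-service.lb_https_tgs_arns
}

output "lb_https_tgs_names" {
  description = "List of HTTPS Target Groups Names"
  value       = module.ecs-fargate-service.lb_https_tgs_names
}

#------------------------------------------------------------------------------
# AWS LOAD BALANCER - Listeners
#------------------------------------------------------------------------------
output "lb_http_listeners_ids" {
  description = "List of HTTP Listeners IDs"
  value       = module.ecs-fargate-service.lb_http_listeners_ids
}

output "lb_http_listeners_arns" {
  description = "List of HTTP Listeners ARNs"
  value       = module.ecs-fargate-service.lb_http_listeners_arns
}

output "lb_https_listeners_ids" {
  description = "List of HTTPS Listeners IDs"
  value       = module.ecs-fargate-service.lb_https_listeners_ids
}

output "lb_https_listeners_arns" {
  description = "List of HTTPS Listeners ARNs"
  value       = module.ecs-fargate-service.lb_https_listeners_arns
}

#------------------------------------------------------------------------------
# AWS ECS SERVICE
#------------------------------------------------------------------------------
output "aws_ecs_service_service_id" {
  description = "The Amazon Resource Name (ARN) that identifies the service."
  value       = module.ecs-fargate-service.aws_ecs_service_service_id
}

output "aws_ecs_service_service_name" {
  description = "The name of the service."
  value       = module.ecs-fargate-service.aws_ecs_service_service_name
}

output "aws_ecs_service_service_cluster" {
  description = "The Amazon Resource Name (ARN) of cluster which the service runs on."
  value       = module.ecs-fargate-service.aws_ecs_service_service_cluster
}

output "aws_ecs_service_service_desired_count" {
  description = "The number of instances of the task definition"
  value       = module.ecs-fargate-service.aws_ecs_service_service_desired_count
}

#------------------------------------------------------------------------------
# AWS SECURITY GROUPS
#------------------------------------------------------------------------------
# Output descriptions are static strings in Terraform; the former
# "$${var.name_prefix}" prefix was never interpolated and surfaced literally in
# generated docs, so the descriptions are now plain text.
output "ecs_tasks_sg_id" {
  description = "ECS Tasks Security Group - The ID of the security group"
  value       = module.ecs-fargate-service.ecs_tasks_sg_id
}

output "ecs_tasks_sg_arn" {
  description = "ECS Tasks Security Group - The ARN of the security group"
  value       = module.ecs-fargate-service.ecs_tasks_sg_arn
}

output "ecs_tasks_sg_name" {
  description = "ECS Tasks Security Group - The name of the security group"
  value       = module.ecs-fargate-service.ecs_tasks_sg_name
}

output "ecs_tasks_sg_description" {
  description = "ECS Tasks Security Group - The description of the security group"
  value       = module.ecs-fargate-service.ecs_tasks_sg_description
}
--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# Misc
#------------------------------------------------------------------------------
# Typed as string so a non-string value is rejected at plan time instead of
# being coerced silently into resource names.
variable "name_prefix" {
  description = "Name prefix for resources on AWS"
  type        = string
}

# NOTE(review): enable_module is declared but not referenced by main.tf or
# outputs.tf as shown (no count/for_each on the three module blocks), so
# setting it currently has no effect.
variable "enable_module" {
  description = "(Optional) Boolean variable to enable or disable the whole module. Defaults to true."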
10 | type = bool 11 | default = true 12 | } 13 | 14 | variable "tags" { 15 | type = map(string) 16 | default = {} 17 | description = "Resource tags" 18 | } 19 | 20 | #------------------------------------------------------------------------------ 21 | # AWS Networking 22 | #------------------------------------------------------------------------------ 23 | variable "vpc_id" { 24 | description = "ID of the VPC" 25 | } 26 | 27 | #------------------------------------------------------------------------------ 28 | # AWS ECS Container Definition Variables 29 | #------------------------------------------------------------------------------ 30 | variable "additional_containers" { 31 | description = "Additional container definitions (sidecars) to use for the task." 32 | default = [] 33 | type = any #cloudposse/ecs-container-definition/aws 34 | } 35 | 36 | variable "container_name" { 37 | type = string 38 | description = "The name of the container. Up to 255 characters ([a-z], [A-Z], [0-9], -, _ allowed)" 39 | } 40 | 41 | variable "container_image" { 42 | type = string 43 | description = "The image used to start the container. Images in the Docker Hub registry available by default" 44 | } 45 | 46 | variable "container_memory" { 47 | type = number 48 | description = "(Optional) The amount of memory (in MiB) to allow the container to use. This is a hard limit, if the container attempts to exceed the container_memory, the container is killed. This field is optional for Fargate launch type and the total amount of container_memory of all containers in a task will need to be lower than the task memory value" 49 | default = 4096 # 4 GB 50 | } 51 | 52 | variable "container_memory_reservation" { 53 | type = number 54 | description = "(Optional) The amount of memory (in MiB) to reserve for the container. 
If container needs to exceed this threshold, it can do so up to the set container_memory hard limit" 55 | default = 2048 # 2 GB 56 | } 57 | 58 | variable "container_definition_overrides" { 59 | type = map(any) 60 | description = "Container definition overrides which allows for extra keys or overriding existing keys." 61 | default = {} 62 | } 63 | 64 | variable "port_mappings" { 65 | description = "The port mappings to configure for the container. This is a list of maps. Each map should contain \"containerPort\", \"hostPort\", and \"protocol\", where \"protocol\" is one of \"tcp\" or \"udp\". If using containers in a task with the awsvpc or host network mode, the hostPort can either be left blank or set to the same value as the containerPort" 66 | type = list(object({ 67 | containerPort = number 68 | hostPort = number 69 | protocol = string 70 | })) 71 | default = [ 72 | { 73 | containerPort = 80 74 | hostPort = 80 75 | protocol = "tcp" 76 | } 77 | ] 78 | } 79 | 80 | # https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_HealthCheck.html 81 | variable "healthcheck" { 82 | description = "(Optional) A map containing command (string), timeout, interval (duration in seconds), retries (1-10, number of times to retry before marking container unhealthy), and startPeriod (0-300, optional grace period to wait, in seconds, before failed healthchecks count toward retries)" 83 | type = object({ 84 | command = list(string) 85 | retries = number 86 | timeout = number 87 | interval = number 88 | startPeriod = number 89 | }) 90 | default = null 91 | } 92 | 93 | variable "container_cpu" { 94 | # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html#fargate-task-defs 95 | type = number 96 | description = "(Optional) The number of cpu units to reserve for the container. 
This is optional for tasks using Fargate launch type and the total amount of container_cpu of all containers in a task will need to be lower than the task-level cpu value" 97 | default = 1024 # 1 vCPU 98 | } 99 | 100 | variable "essential" { 101 | type = bool 102 | description = "Determines whether all other containers in a task are stopped, if this container fails or stops for any reason. Due to how Terraform type casts booleans in json it is required to double quote this value" 103 | default = true 104 | } 105 | 106 | variable "entrypoint" { 107 | type = list(string) 108 | description = "The entry point that is passed to the container" 109 | default = [] 110 | } 111 | 112 | variable "command" { 113 | type = list(string) 114 | description = "The command that is passed to the container" 115 | default = [] 116 | } 117 | 118 | variable "working_directory" { 119 | type = string 120 | description = "The working directory to run commands inside the container" 121 | default = null 122 | } 123 | 124 | variable "environment" { 125 | type = list(object({ 126 | name = string 127 | value = string 128 | })) 129 | description = "The environment variables to pass to the container. This is a list of maps. map_environment overrides environment" 130 | default = [] 131 | } 132 | 133 | variable "extra_hosts" { 134 | type = list(object({ 135 | ipAddress = string 136 | hostname = string 137 | })) 138 | description = "A list of hostnames and IP address mappings to append to the /etc/hosts file on the container. This is a list of maps" 139 | default = [] 140 | } 141 | 142 | variable "map_environment" { 143 | type = map(string) 144 | description = "The environment variables to pass to the container. This is a map of string: {key: value}. 
map_environment overrides environment" 145 | default = null 146 | } 147 | 148 | # https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_EnvironmentFile.html 149 | variable "environment_files" { 150 | type = list(object({ 151 | value = string 152 | type = string 153 | })) 154 | description = "One or more files containing the environment variables to pass to the container. This maps to the --env-file option to docker run. The file must be hosted in Amazon S3. This option is only available to tasks using the EC2 launch type. This is a list of maps" 155 | default = [] 156 | } 157 | 158 | variable "secrets" { 159 | type = list(object({ 160 | name = string 161 | valueFrom = string 162 | })) 163 | description = "The secrets to pass to the container. This is a list of maps" 164 | default = [] 165 | } 166 | 167 | variable "readonly_root_filesystem" { 168 | type = bool 169 | description = "Determines whether a container is given read-only access to its root filesystem. Due to how Terraform type casts booleans in json it is required to double quote this value" 170 | default = false 171 | } 172 | 173 | # https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_LinuxParameters.html 174 | variable "linux_parameters" { 175 | type = object({ 176 | capabilities = object({ 177 | add = list(string) 178 | drop = list(string) 179 | }) 180 | devices = list(object({ 181 | containerPath = string 182 | hostPath = string 183 | permissions = list(string) 184 | })) 185 | initProcessEnabled = bool 186 | maxSwap = number 187 | sharedMemorySize = number 188 | swappiness = number 189 | tmpfs = list(object({ 190 | containerPath = string 191 | mountOptions = list(string) 192 | size = number 193 | })) 194 | }) 195 | description = "Linux-specific modifications that are applied to the container, such as Linux kernel capabilities. 
For more details, see https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_LinuxParameters.html" 196 | default = null 197 | } 198 | 199 | # https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_LogConfiguration.html 200 | variable "log_configuration" { 201 | type = any 202 | description = "Log configuration options to send to a custom log driver for the container. For more details, see https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_LogConfiguration.html" 203 | default = null 204 | } 205 | 206 | # https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_FirelensConfiguration.html 207 | variable "firelens_configuration" { 208 | type = object({ 209 | type = string 210 | options = map(string) 211 | }) 212 | description = "The FireLens configuration for the container. This is used to specify and configure a log router for container logs. For more details, see https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_FirelensConfiguration.html" 213 | default = null 214 | } 215 | 216 | variable "mount_points" { 217 | type = list(any) 218 | 219 | description = "Container mount points. This is a list of maps, where each map should contain a `containerPath` and `sourceVolume`. The `readOnly` key is optional." 220 | default = [] 221 | } 222 | 223 | variable "dns_servers" { 224 | type = list(string) 225 | description = "Container DNS servers. This is a list of strings specifying the IP addresses of the DNS servers" 226 | default = [] 227 | } 228 | 229 | variable "dns_search_domains" { 230 | type = list(string) 231 | description = "Container DNS search domains. A list of DNS search domains that are presented to the container" 232 | default = [] 233 | } 234 | 235 | variable "ulimits" { 236 | type = list(object({ 237 | name = string 238 | hardLimit = number 239 | softLimit = number 240 | })) 241 | description = "Container ulimit settings. 
This is a list of maps, where each map should contain \"name\", \"hardLimit\" and \"softLimit\"" 242 | default = [] 243 | } 244 | 245 | variable "repository_credentials" { 246 | type = map(string) 247 | description = "Container repository credentials; required when using a private repo. This map currently supports a single key; \"credentialsParameter\", which should be the ARN of a Secrets Manager's secret holding the credentials" 248 | default = null 249 | } 250 | 251 | variable "volumes_from" { 252 | type = list(object({ 253 | sourceContainer = string 254 | readOnly = bool 255 | })) 256 | description = "A list of VolumesFrom maps which contain \"sourceContainer\" (name of the container that has the volumes to mount) and \"readOnly\" (whether the container can write to the volume)" 257 | default = [] 258 | } 259 | 260 | variable "links" { 261 | type = list(string) 262 | description = "List of container names this container can communicate with without port mappings" 263 | default = [] 264 | } 265 | 266 | variable "user" { 267 | type = string 268 | description = "The user to run as inside the container. Can be any of these formats: user, user:group, uid, uid:gid, user:gid, uid:group. The default (null) will use the container's configured `USER` directive or root if not set." 269 | default = null 270 | } 271 | 272 | variable "container_depends_on" { 273 | type = list(object({ 274 | containerName = string 275 | condition = string 276 | })) 277 | description = "The dependencies defined for container startup and shutdown. A container can contain multiple dependencies. When a dependency is defined for container startup, for container shutdown it is reversed. 
The condition can be one of START, COMPLETE, SUCCESS or HEALTHY" 278 | default = [] 279 | } 280 | 281 | variable "docker_labels" { 282 | type = map(string) 283 | description = "The configuration options to send to the `docker_labels`" 284 | default = null 285 | } 286 | 287 | variable "start_timeout" { 288 | type = number 289 | description = "Time duration (in seconds) to wait before giving up on resolving dependencies for a container" 290 | default = null 291 | } 292 | 293 | variable "stop_timeout" { 294 | type = number 295 | description = "Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own" 296 | default = null 297 | } 298 | 299 | variable "privileged" { 300 | type = bool 301 | description = "When this variable is `true`, the container is given elevated privileges on the host container instance (similar to the root user). This parameter is not supported for Windows containers or tasks using the Fargate launch type." 302 | default = null 303 | } 304 | 305 | variable "system_controls" { 306 | type = list(map(string)) 307 | description = "A list of namespaced kernel parameters to set in the container, mapping to the --sysctl option to docker run. This is a list of maps: { namespace = \"\", value = \"\"}" 308 | default = [] 309 | } 310 | 311 | variable "hostname" { 312 | type = string 313 | description = "The hostname to use for your container." 314 | default = null 315 | } 316 | 317 | variable "disable_networking" { 318 | type = bool 319 | description = "When this parameter is true, networking is disabled within the container." 320 | default = null 321 | } 322 | 323 | variable "interactive" { 324 | type = bool 325 | description = "When this parameter is true, this allows you to deploy containerized applications that require stdin or a tty to be allocated." 
326 | default = null 327 | } 328 | 329 | variable "pseudo_terminal" { 330 | type = bool 331 | description = "When this parameter is true, a TTY is allocated. " 332 | default = null 333 | } 334 | 335 | variable "docker_security_options" { 336 | type = list(string) 337 | description = "A list of strings to provide custom labels for SELinux and AppArmor multi-level security systems." 338 | default = [] 339 | } 340 | 341 | #------------------------------------------------------------------------------ 342 | # AWS ECS Task Definition Variables 343 | #------------------------------------------------------------------------------ 344 | variable "permissions_boundary" { 345 | description = "(Optional) The ARN of the policy that is used to set the permissions boundary for the `ecs_task_execution_role` role." 346 | type = string 347 | default = null 348 | } 349 | 350 | variable "ecs_task_execution_role_custom_policies" { 351 | description = "(Optional) Custom policies to attach to the ECS task execution role. For example for reading secrets from AWS Systems Manager Parameter Store or Secrets Manager" 352 | type = list(string) 353 | default = [] 354 | } 355 | 356 | variable "placement_constraints_task_definition" { 357 | description = "(Optional) A set of placement constraints rules that are taken into consideration during task placement. Maximum number of placement_constraints is 10. This is a list of maps, where each map should contain \"type\" and \"expression\"" 358 | type = list(any) 359 | default = [] 360 | } 361 | 362 | variable "proxy_configuration" { 363 | description = "(Optional) The proxy configuration details for the App Mesh proxy. This is a list of maps, where each map should contain \"container_name\", \"properties\" and \"type\"" 364 | type = list(any) 365 | default = [] 366 | } 367 | 368 | variable "ephemeral_storage_size" { 369 | type = number 370 | description = "The number of GBs to provision for ephemeral storage on Fargate tasks. 
Must be greater than or equal to 21 and less than or equal to 200" 371 | default = 0 372 | 373 | validation { 374 | condition = var.ephemeral_storage_size == 0 || (var.ephemeral_storage_size >= 21 && var.ephemeral_storage_size <= 200) 375 | error_message = "The ephemeral_storage_size value must be inclusively between 21 and 200." 376 | } 377 | } 378 | 379 | variable "volumes" { 380 | description = "(Optional) A set of volume blocks that containers in your task may use" 381 | type = list(object({ 382 | host_path = string 383 | name = string 384 | docker_volume_configuration = list(object({ 385 | autoprovision = bool 386 | driver = string 387 | driver_opts = map(string) 388 | labels = map(string) 389 | scope = string 390 | })) 391 | efs_volume_configuration = list(object({ 392 | file_system_id = string 393 | root_directory = string 394 | transit_encryption = string 395 | transit_encryption_port = string 396 | authorization_config = list(object({ 397 | access_point_id = string 398 | iam = string 399 | })) 400 | })) 401 | })) 402 | default = [] 403 | } 404 | 405 | #------------------------------------------------------------------------------ 406 | # AWS ECS SERVICE 407 | #------------------------------------------------------------------------------ 408 | variable "deployment_maximum_percent" { 409 | description = "(Optional) The upper limit (as a percentage of the service's desiredCount) of the number of running tasks that can be running in a service during a deployment." 410 | type = number 411 | default = 200 412 | } 413 | 414 | variable "deployment_minimum_healthy_percent" { 415 | description = "(Optional) The lower limit (as a percentage of the service's desiredCount) of the number of running tasks that must remain running and healthy in a service during a deployment." 
416 | type = number 417 | default = 100 418 | } 419 | 420 | variable "deployment_controller" { 421 | description = "(Optional) Deployment controller" 422 | type = list(any) 423 | default = [{ 424 | type = "ECS" 425 | }] 426 | } 427 | 428 | variable "desired_count" { 429 | description = "(Optional) The number of instances of the task definition to place and keep running. Defaults to 0." 430 | type = number 431 | default = 1 432 | } 433 | 434 | variable "enable_ecs_managed_tags" { 435 | description = "(Optional) Specifies whether to enable Amazon ECS managed tags for the tasks within the service." 436 | type = bool 437 | default = false 438 | } 439 | 440 | variable "force_new_deployment" { 441 | description = "(Optional) Enable to force a new task deployment of the service. This can be used to update tasks to use a newer Docker image with same image/tag combination (e.g. myimage:latest), roll Fargate tasks onto a newer platform version, or immediately deploy ordered_placement_strategy and placement_constraints updates." 442 | default = false 443 | type = bool 444 | } 445 | 446 | variable "enable_execute_command" { 447 | description = "(Optional) Specifies whether to enable Amazon ECS Exec for the tasks within the service." 448 | type = bool 449 | default = false 450 | } 451 | 452 | variable "health_check_grace_period_seconds" { 453 | description = "(Optional) Seconds to ignore failing load balancer health checks on newly instantiated tasks to prevent premature shutdown, up to 2147483647. Only valid for services configured to use load balancers." 454 | type = number 455 | default = 0 456 | } 457 | 458 | variable "ordered_placement_strategy" { 459 | description = "(Optional) Service level strategy rules that are taken into consideration during task placement. List from top to bottom in order of precedence. The maximum number of ordered_placement_strategy blocks is 5. 
This is a list of maps where each map should contain \"id\" and \"field\"" 460 | type = list(any) 461 | default = [] 462 | } 463 | 464 | variable "ecs_service_placement_constraints" { 465 | type = list(any) 466 | description = "(Optional) rules that are taken into consideration during task placement. Maximum number of placement_constraints is 10. This is a list of maps, where each map should contain \"type\" and \"expression\"" 467 | default = [] 468 | } 469 | 470 | variable "platform_version" { 471 | description = "(Optional) The platform version on which to run your service. Defaults to 1.4.0. More information about Fargate platform versions can be found in the AWS ECS User Guide." 472 | default = "1.4.0" 473 | } 474 | 475 | variable "propagate_tags" { 476 | description = "(Optional) Specifies whether to propagate the tags from the task definition or the service to the tasks. The valid values are SERVICE and TASK_DEFINITION. Default to SERVICE" 477 | default = "SERVICE" 478 | } 479 | 480 | variable "service_registries" { 481 | description = "(Optional) The service discovery registries for the service. The maximum number of service_registries blocks is 1. This is a map that should contain the following fields \"registry_arn\", \"port\", \"container_port\" and \"container_name\"" 482 | type = map(any) 483 | default = {} 484 | } 485 | 486 | variable "enable_autoscaling" { 487 | description = "(Optional) If true, autoscaling alarms will be created." 488 | type = bool 489 | default = true 490 | } 491 | 492 | variable "deployment_circuit_breaker_enabled" { 493 | description = "(Optional) You can enable the deployment circuit breaker to cause a service deployment to transition to a failed state if tasks are persistently failing to reach RUNNING state or are failing healthcheck." 
494 | type = bool 495 | default = false 496 | } 497 | 498 | variable "deployment_circuit_breaker_rollback" { 499 | description = "(Optional) The optional rollback option causes Amazon ECS to roll back to the last completed deployment upon a deployment failure." 500 | type = bool 501 | default = false 502 | } 503 | 504 | #------------------------------------------------------------------------------ 505 | # AWS ECS SERVICE network_configuration BLOCK 506 | #------------------------------------------------------------------------------ 507 | variable "public_subnets_ids" { 508 | description = "The public subnets associated with the task or service." 509 | type = list(any) 510 | } 511 | 512 | variable "private_subnets_ids" { 513 | description = "The private subnets associated with the task or service." 514 | type = list(any) 515 | } 516 | 517 | variable "ecs_service_security_groups" { 518 | description = "(Optional) The security groups associated with the task or service. If you do not specify a security group, the default security group for the VPC is used." 519 | type = list(any) 520 | default = [] 521 | } 522 | 523 | variable "assign_public_ip" { 524 | description = "(Optional) Assign a public IP address to the ENI (Fargate launch type only). If true service will be associated with public subnets. Default false. " 525 | type = bool 526 | default = false 527 | } 528 | 529 | #------------------------------------------------------------------------------ 530 | # APPLICATION LOAD BALANCER 531 | #------------------------------------------------------------------------------ 532 | variable "custom_lb_arn" { 533 | description = "ARN of the Load Balancer to use in the ECS service. 
If provided, this module will not create a load balancer and will use the one provided in this variable" 534 | type = string 535 | default = null 536 | } 537 | 538 | variable "additional_lbs" { 539 | default = {} 540 | description = "Additional load balancers to add to ECS service" 541 | type = map(object 542 | ( 543 | { 544 | target_group_arn = string 545 | container_port = number 546 | } 547 | ) 548 | ) 549 | } 550 | 551 | variable "lb_internal" { 552 | description = "(Optional) If true, the LB will be internal." 553 | type = bool 554 | default = false 555 | } 556 | 557 | variable "lb_security_groups" { 558 | description = "(Optional) A list of security group IDs to assign to the LB." 559 | type = list(string) 560 | default = [] 561 | } 562 | 563 | variable "lb_drop_invalid_header_fields" { 564 | description = "(Optional) Indicates whether HTTP headers with header fields that are not valid are removed by the load balancer (true) or routed to targets (false). The default is false. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens." 565 | type = bool 566 | default = false 567 | } 568 | 569 | variable "lb_idle_timeout" { 570 | description = "(Optional) The time in seconds that the connection is allowed to be idle. Default: 60." 571 | type = number 572 | default = 60 573 | } 574 | 575 | variable "lb_enable_deletion_protection" { 576 | description = "(Optional) If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. Defaults to false." 577 | type = bool 578 | default = false 579 | } 580 | 581 | variable "lb_enable_cross_zone_load_balancing" { 582 | description = "(Optional) If true, cross-zone load balancing of the load balancer will be enabled. Defaults to false." 
583 | type = bool 584 | default = false 585 | } 586 | 587 | variable "lb_enable_http2" { 588 | description = "(Optional) Indicates whether HTTP/2 is enabled in the load balancer. Defaults to true." 589 | type = bool 590 | default = true 591 | } 592 | 593 | variable "lb_ip_address_type" { 594 | description = "(Optional) The type of IP addresses used by the subnets for your load balancer. The possible values are ipv4 and dualstack. Defaults to ipv4" 595 | type = string 596 | default = "ipv4" 597 | } 598 | 599 | variable "lb_waf_web_acl_arn" { 600 | description = "ARN of a WAFV2 to associate with the ALB" 601 | type = string 602 | default = "" 603 | } 604 | 605 | #------------------------------------------------------------------------------ 606 | # APPLICATION LOAD BALANCER LOGS 607 | #------------------------------------------------------------------------------ 608 | variable "enable_s3_logs" { 609 | description = "(Optional) If true, all resources to send LB logs to S3 will be created" 610 | type = bool 611 | default = true 612 | } 613 | 614 | variable "block_s3_bucket_public_access" { 615 | description = "(Optional) If true, public access to the S3 bucket will be blocked." 616 | type = bool 617 | default = true 618 | } 619 | 620 | variable "enable_s3_bucket_server_side_encryption" { 621 | description = "(Optional) If true, server side encryption will be applied." 622 | type = bool 623 | default = true 624 | } 625 | 626 | variable "s3_bucket_server_side_encryption_sse_algorithm" { 627 | description = "(Optional) The server-side encryption algorithm to use. Valid values are AES256 and aws:kms" 628 | type = string 629 | default = "AES256" 630 | } 631 | 632 | variable "s3_bucket_server_side_encryption_key" { 633 | description = "(Optional) The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. 
The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms." 634 | type = string 635 | default = null 636 | } 637 | 638 | #------------------------------------------------------------------------------ 639 | # ACCESS CONTROL TO APPLICATION LOAD BALANCER 640 | #------------------------------------------------------------------------------ 641 | variable "lb_http_ports" { 642 | description = "Map containing objects with two fields, listener_port and the target_group_port to redirect HTTP requests" 643 | type = map(any) 644 | default = { 645 | default-http = { 646 | listener_port = 80 647 | target_group_port = 80 648 | } 649 | } 650 | } 651 | 652 | variable "lb_http_ingress_cidr_blocks" { 653 | description = "List of CIDR blocks to allowed to access the Load Balancer through HTTP" 654 | type = list(string) 655 | default = ["0.0.0.0/0"] 656 | } 657 | 658 | variable "lb_http_ingress_prefix_list_ids" { 659 | description = "List of prefix list IDs blocks to allowed to access the Load Balancer through HTTP" 660 | type = list(string) 661 | default = [] 662 | } 663 | 664 | variable "lb_https_ports" { 665 | description = "Map containing objects with two fields, listener_port and the target_group_port to redirect HTTPS requests" 666 | type = map(any) 667 | default = { 668 | default-https = { 669 | listener_port = 443 670 | target_group_port = 443 671 | } 672 | } 673 | } 674 | 675 | variable "lb_https_ingress_cidr_blocks" { 676 | description = "List of CIDR blocks to allowed to access the Load Balancer through HTTPS" 677 | type = list(string) 678 | default = ["0.0.0.0/0"] 679 | } 680 | 681 | variable "lb_https_ingress_prefix_list_ids" { 682 | description = "List of prefix list IDs blocks to allowed to access the Load Balancer through HTTPS" 683 | type = list(string) 684 | default = [] 685 | } 686 | 687 | #------------------------------------------------------------------------------ 688 | # AWS LOAD BALANCER - Target Groups 689 | 
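#------------------------------------------------------------------------------
variable "lb_deregistration_delay" {
  description = "(Optional) The amount of time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. The default value is 300 seconds."
  type        = number
  default     = 300
}

variable "lb_slow_start" {
  description = "(Optional) The amount of time for targets to warm up before the load balancer sends them a full share of requests. The range is 30-900 seconds or 0 to disable. The default value is 0 seconds."
  type        = number
  default     = 0
}

variable "lb_load_balancing_algorithm_type" {
  description = "(Optional) Determines how the load balancer selects targets when routing requests. The value is round_robin or least_outstanding_requests. The default is round_robin."
  type        = string
  default     = "round_robin"
}

# cookie_duration is declared as a string while the default is a number;
# Terraform converts the number to a string, so both forms are accepted.
variable "lb_stickiness" {
  description = "(Optional) A Stickiness block. Provide three fields. type, the type of sticky sessions. The only current possible value is lb_cookie. cookie_duration, the time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds). enabled, boolean to enable / disable stickiness. Default is true."
  type = object({
    type            = string
    cookie_duration = string
    enabled         = bool
  })
  default = {
    type            = "lb_cookie"
    cookie_duration = 86400
    enabled         = true
  }
}

variable "lb_target_group_health_check_enabled" {
  description = "(Optional) Indicates whether health checks are enabled. Defaults to true."
  type        = bool
  default     = true
}

variable "lb_target_group_health_check_interval" {
  description = "(Optional) The approximate amount of time, in seconds, between health checks of an individual target. Minimum value 5 seconds, Maximum value 300 seconds. Default 30 seconds."
  type        = number
  default     = 30
}

# Prefer a dedicated, unauthenticated health endpoint over "/" so the
# application root does not have to answer unauthenticated probes.
variable "lb_target_group_health_check_path" {
  description = "The destination for the health check request."
  type        = string
  default     = "/"
}

variable "lb_target_group_health_check_timeout" {
  description = "(Optional) The amount of time, in seconds, during which no response means a failed health check. The range is 2 to 120 seconds, and the default is 5 seconds."
  type        = number
  default     = 5
}

variable "lb_target_group_health_check_healthy_threshold" {
  description = "(Optional) The number of consecutive health check successes required before considering an unhealthy target healthy. Defaults to 3."
  type        = number
  default     = 3
}

variable "lb_target_group_health_check_unhealthy_threshold" {
  description = "(Optional) The number of consecutive health check failures required before considering the target unhealthy. Defaults to 3."
  type        = number
  default     = 3
}

variable "lb_target_group_health_check_matcher" {
  description = "The HTTP codes to use when checking for a successful response from a target. You can specify multiple values (for example, \"200,202\") or a range of values (for example, \"200-299\"). Default is 200."
  type        = string
  default     = "200"
}

#------------------------------------------------------------------------------
# AWS LOAD BALANCER - HTTPS listeners (TLS)
#------------------------------------------------------------------------------
# Security: null defers to the provider's default TLS policy, which is not
# guaranteed to exclude legacy TLS versions. Pin an explicit policy that only
# negotiates TLS 1.2 or newer for internet-facing listeners.
variable "ssl_policy" {
  description = "(Optional) The name of the SSL Policy for the listener. Required if var.lb_https_ports is set."
  type        = string
  default     = null
}

variable "default_certificate_arn" {
  description = "(Optional) The ARN of the default SSL server certificate. Required if var.lb_https_ports is set."
  type        = string
  default     = null
}

variable "additional_certificates_arn_for_https_listeners" {
  description = "(Optional) List of SSL server certificate ARNs for the HTTPS listener. Use it if you need to set additional certificates besides default_certificate_arn."
  type        = list(any)
  default     = []
}
--------------------------------------------------------------------------------
/versions.tf:
--------------------------------------------------------------------------------
# Supply chain: the AWS provider is only lower-bounded (">= 4") and the
# repository appears to ignore .terraform.lock.hcl, so each `terraform init`
# may resolve a different provider release. Consider a "~>" range and
# committing the lock file so provider checksums are pinned.
terraform {
  required_version = ">= 0.13"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4"
    }
  }
}
--------------------------------------------------------------------------------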