From 6918848f1dab99c67e49d21bdc839d907ff8b647 Mon Sep 17 00:00:00 2001
From: Michael Barrientos <mbarrien@users.noreply.github.com>
Date: Wed, 25 Sep 2019 09:47:44 -0700
Subject: [PATCH] [feature] Add ECS modules to cztack (#132)

---
 aws-ecs-job-fargate/README.md        |  45 ++++++
 aws-ecs-job-fargate/iam.tf           |  58 ++++++++
 aws-ecs-job-fargate/main.tf          |  87 ++++++++++++
 aws-ecs-job-fargate/outputs.tf       |  17 +++
 aws-ecs-job-fargate/variables.tf     |  91 +++++++++++++
 aws-ecs-job/README.md                |  40 ++++++
 aws-ecs-job/iam.tf                   |  58 ++++++++
 aws-ecs-job/main.tf                  |  72 ++++++++++
 aws-ecs-job/outputs.tf               |  12 ++
 aws-ecs-job/variables.tf             |  72 ++++++++++
 aws-ecs-service-fargate/README.md    | 196 +++++++++++++++++++++++++++
 aws-ecs-service-fargate/alb.tf       | 112 +++++++++++++++
 aws-ecs-service-fargate/discovery.tf |  25 ++++
 aws-ecs-service-fargate/domain.tf    |  62 +++++++++
 aws-ecs-service-fargate/iam.tf       |  57 ++++++++
 aws-ecs-service-fargate/main.tf      |  14 ++
 aws-ecs-service-fargate/outputs.tf   |  27 ++++
 aws-ecs-service-fargate/service.tf   | 145 ++++++++++++++++++++
 aws-ecs-service-fargate/variables.tf | 192 ++++++++++++++++++++++++++
 aws-ecs-service/README.md            | 186 +++++++++++++++++++++++++
 aws-ecs-service/alb.tf               | 119 ++++++++++++++++
 aws-ecs-service/discovery.tf         |  25 ++++
 aws-ecs-service/domain.tf            |  62 +++++++++
 aws-ecs-service/iam.tf               |  57 ++++++++
 aws-ecs-service/main.tf              |  14 ++
 aws-ecs-service/outputs.tf           |  27 ++++
 aws-ecs-service/service.tf           | 147 ++++++++++++++++++++
 aws-ecs-service/variables.tf         | 186 +++++++++++++++++++++++++
 28 files changed, 2205 insertions(+)
 create mode 100644 aws-ecs-job-fargate/README.md
 create mode 100644 aws-ecs-job-fargate/iam.tf
 create mode 100755 aws-ecs-job-fargate/main.tf
 create mode 100755 aws-ecs-job-fargate/outputs.tf
 create mode 100755 aws-ecs-job-fargate/variables.tf
 create mode 100644 aws-ecs-job/README.md
 create mode 100644 aws-ecs-job/iam.tf
 create mode 100755 aws-ecs-job/main.tf
 create mode 100755 aws-ecs-job/outputs.tf
 create mode 100755 aws-ecs-job/variables.tf
 create mode 100644 aws-ecs-service-fargate/README.md
 create mode 100644 aws-ecs-service-fargate/alb.tf
 create mode 100644 aws-ecs-service-fargate/discovery.tf
 create mode 100644 aws-ecs-service-fargate/domain.tf
 create mode 100644 aws-ecs-service-fargate/iam.tf
 create mode 100755 aws-ecs-service-fargate/main.tf
 create mode 100755 aws-ecs-service-fargate/outputs.tf
 create mode 100644 aws-ecs-service-fargate/service.tf
 create mode 100755 aws-ecs-service-fargate/variables.tf
 create mode 100644 aws-ecs-service/README.md
 create mode 100644 aws-ecs-service/alb.tf
 create mode 100644 aws-ecs-service/discovery.tf
 create mode 100644 aws-ecs-service/domain.tf
 create mode 100644 aws-ecs-service/iam.tf
 create mode 100755 aws-ecs-service/main.tf
 create mode 100755 aws-ecs-service/outputs.tf
 create mode 100644 aws-ecs-service/service.tf
 create mode 100755 aws-ecs-service/variables.tf

diff --git a/aws-ecs-job-fargate/README.md b/aws-ecs-job-fargate/README.md
new file mode 100644
index 00000000..b9fd44c9
--- /dev/null
+++ b/aws-ecs-job-fargate/README.md
@@ -0,0 +1,45 @@
+# ECS Job on Fargate
+
+This creates an ECS service running on Fargate with no load balancer in front of it. Good for
+background worker daemon sort of things.
+
+## Terraform managed task definition vs czecs
+
+If the user sets `var.manage_task_definition = true`, Terraform will manage the lifecycle
+of the container definition; any external changes are reset on the next Terraform run.
+
+If var.manage_task_definition = false, the user is expected to manage the
+container definition external to Terraform (e.g. using [czecs](https://github.com/chanzuckerberg/czecs)). Upon creation,
+Terraform will use a stub definition, but from that point forward will ignore any
+changes to the definition, allowing external task definition management.
+
+<!-- START -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| cluster\_id |  | string | n/a | yes |
+| container\_name | Name of the container. Must match name in task definition. If omitted, defaults to name derived from project/env/service. | string | `null` | no |
+| cpu | CPU units for Fargate task. Used if task_definition provided, or for initial stub task if externally managed. | number | `256` | no |
+| deployment\_maximum\_percent | (Optional) The upper limit (as a percentage of the service's desiredCount) of the number of running tasks that can be running in a service during a deployment. Not valid when using the DAEMON scheduling strategy. | number | `200` | no |
+| deployment\_minimum\_healthy\_percent | (Optional) The lower limit (as a percentage of the service's desiredCount) of the number of running tasks that must remain running and healthy in a service during a deployment. | number | `100` | no |
+| desired\_count |  | number | n/a | yes |
+| env | Env for tagging and naming. See [doc](../README.md#consistent-tagging). | string | n/a | yes |
+| memory | Memory in megabytes for Fargate task. Used if task_definition provided, or for initial stub task if externally managed. | number | `512` | no |
+| project | Project for tagging and naming. See [doc](../README.md#consistent-tagging) | string | n/a | yes |
+| registry\_secretsmanager\_arn | ARN for AWS Secrets Manager secret for credentials to private registry | string | `null` | no |
+| security\_group\_ids | Security group to use for the Fargate task. | list | `<list>` | no |
+| service | Service for tagging and naming. See [doc](../README.md#consistent-tagging). | string | n/a | yes |
+| task\_definition | JSON to describe task. If omitted, defaults to a stub task that is expected to be managed outside of Terraform. | string | `null` | no |
+| task\_role\_arn |  | string | n/a | yes |
+| task\_subnets | Subnets to launch Fargate task in. | list | `<list>` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| ecs\_service\_arn | ARN for the ECS service. |
+| ecs\_task\_definition\_family | The family of the task definition defined for the given/generated container definition. |
+| task\_execution\_role\_arn | Task execution role for Fargate task. |
+
+<!-- END -->
diff --git a/aws-ecs-job-fargate/iam.tf b/aws-ecs-job-fargate/iam.tf
new file mode 100644
index 00000000..4647df90
--- /dev/null
+++ b/aws-ecs-job-fargate/iam.tf
@@ -0,0 +1,58 @@
+data "aws_iam_policy_document" "execution_role" {
+  statement {
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+# Always create and attach, Fargate requires task definition to have execution role ARN to support log driver awslogs.
+resource "aws_iam_role" "task_execution_role" {
+  name               = "${local.name}-execution-role"
+  assume_role_policy = data.aws_iam_policy_document.execution_role.json
+}
+
+# TODO(mbarrien): We can probably narrow this down to allowing access to only
+# the specific ECR arn if applicable, and the specific cloudwatch log group.
+# Either pass both identifiers in, or pass the entire role ARN as an argument
+resource "aws_iam_role_policy_attachment" "task_execution_role" {
+  count      = var.registry_secretsmanager_arn != null ? 1 : 0
+  role       = aws_iam_role.task_execution_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+data "aws_iam_policy_document" "registry_secretsmanager" {
+  count = var.registry_secretsmanager_arn != null ? 1 : 0
+
+  statement {
+    actions = [
+      "kms:Decrypt",
+    ]
+
+    resources = [var.registry_secretsmanager_arn]
+  }
+
+  statement {
+    actions = [
+      "secretsmanager:GetSecretValue",
+    ]
+
+    # Limit to only current version of the secret
+    condition {
+      test     = "ForAnyValue:StringEquals"
+      variable = "secretsmanager:VersionStage"
+      values   = ["AWSCURRENT"]
+    }
+
+    resources = [var.registry_secretsmanager_arn]
+  }
+}
+
+resource "aws_iam_role_policy" "task_execution_role_secretsmanager" {
+  count  = var.registry_secretsmanager_arn != null ? 1 : 0
+  role   = aws_iam_role.task_execution_role.name
+  policy = data.aws_iam_policy_document.registry_secretsmanager[0].json
+}
diff --git a/aws-ecs-job-fargate/main.tf b/aws-ecs-job-fargate/main.tf
new file mode 100755
index 00000000..89bfb521
--- /dev/null
+++ b/aws-ecs-job-fargate/main.tf
@@ -0,0 +1,87 @@
+locals {
+  name = "${var.project}-${var.env}-${var.service}"
+
+  container_name = var.container_name == null ? local.name : var.container_name
+
+  task_definition = "${aws_ecs_task_definition.job.family}:${aws_ecs_task_definition.job.revision}"
+
+  tags = {
+    managedBy = "terraform"
+    Name      = local.name
+    project   = var.project
+    env       = var.env
+    service   = var.service
+    owner     = var.owner
+  }
+}
+
+# Only one of the following is active at a time, depending on var.manage_task_definition
+resource "aws_ecs_service" "job" {
+  name        = local.name
+  cluster     = var.cluster_id
+  count       = var.manage_task_definition ? 1 : 0
+  launch_type = "FARGATE"
+
+  task_definition                    = local.task_definition
+  desired_count                      = var.desired_count
+  deployment_maximum_percent         = var.deployment_maximum_percent
+  deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
+  scheduling_strategy                = "REPLICA"
+
+  network_configuration {
+    subnets         = var.task_subnets
+    security_groups = var.security_group_ids
+  }
+
+  tags = local.tags
+}
+
+resource "aws_ecs_service" "unmanaged-job" {
+  name        = local.name
+  cluster     = var.cluster_id
+  count       = var.manage_task_definition ? 0 : 1
+  launch_type = "FARGATE"
+
+  task_definition                    = local.task_definition
+  desired_count                      = var.desired_count
+  deployment_maximum_percent         = var.deployment_maximum_percent
+  deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
+  scheduling_strategy                = "REPLICA"
+
+  network_configuration {
+    subnets         = var.task_subnets
+    security_groups = var.security_group_ids
+  }
+
+  lifecycle {
+    ignore_changes = [task_definition]
+  }
+
+  tags = local.tags
+}
+
+# Default container definition if var.manage_task_definition == false
+# Defaults to a minimal hello-world implementation; should be updated separately from
+# Terraform, e.g. using ecs deploy or czecs
+locals {
+  template = <<TEMPLATE
+[
+  {
+    "name": "${local.container_name}",
+    "image": "library/busybox:1.29",
+    "command": ["sh", "-c", "while true; do { echo -e 'HTTP/1.1 200 OK\r\n\nRunning stub server'; date; } | nc -l -p 8080; done"]
+  }
+]
+TEMPLATE
+}
+
+resource "aws_ecs_task_definition" "job" {
+  family                   = local.name
+  container_definitions    = var.manage_task_definition ? var.task_definition : local.template
+  task_role_arn            = var.task_role_arn
+  requires_compatibilities = ["FARGATE"]
+  cpu                      = var.cpu
+  memory                   = var.memory
+  network_mode             = "awsvpc"
+  execution_role_arn       = aws_iam_role.task_execution_role.arn
+}
diff --git a/aws-ecs-job-fargate/outputs.tf b/aws-ecs-job-fargate/outputs.tf
new file mode 100755
index 00000000..bebb3a70
--- /dev/null
+++ b/aws-ecs-job-fargate/outputs.tf
@@ -0,0 +1,17 @@
+output "ecs_service_arn" {
+  description = "ARN for the ECS service."
+
+  # Awful hack modified from https://github.com/hashicorp/terraform/issues/16726
+  # Since we know exactly one of the following has count > 0, we just concatenate all the mostly empty lists, and return the first element.
+  value = concat(aws_ecs_service.unmanaged-job.*.id, aws_ecs_service.job.*.id)[0]
+}
+
+output "ecs_task_definition_family" {
+  description = "The family of the task definition defined for the given/generated container definition."
+  value       = aws_ecs_task_definition.job.family
+}
+
+output "task_execution_role_arn" {
+  description = "Task execution role for Fargate task."
+  value       = aws_iam_role.task_execution_role.arn
+}
diff --git a/aws-ecs-job-fargate/variables.tf b/aws-ecs-job-fargate/variables.tf
new file mode 100755
index 00000000..1b434f4f
--- /dev/null
+++ b/aws-ecs-job-fargate/variables.tf
@@ -0,0 +1,91 @@
+variable "project" {
+  type        = string
+  description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
+}
+
+variable "service" {
+  type        = string
+  description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)."
+}
+
+variable "env" {
+  type        = string
+  description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)."
+}
+
+variable "owner" {
+  type        = string
+  description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)."
+}
+
+variable "cluster_id" {
+  type = string
+}
+
+variable "desired_count" {
+  type = number
+}
+
+variable "deployment_maximum_percent" {
+  description = "(Optional) The upper limit (as a percentage of the service's desiredCount) of the number of running tasks that can be running in a service during a deployment. Not valid when using the DAEMON scheduling strategy."
+  type        = number
+  default     = 200
+}
+
+variable "deployment_minimum_healthy_percent" {
+  description = "(Optional) The lower limit (as a percentage of the service's desiredCount) of the number of running tasks that must remain running and healthy in a service during a deployment."
+  type        = number
+  default     = 100
+}
+
+variable "task_role_arn" {
+  type = string
+}
+
+variable "task_definition" {
+  description = "JSON to describe task. If omitted, defaults to a stub task that is expected to be managed outside of Terraform."
+  type        = string
+  default     = null
+}
+
+variable "cpu" {
+  description = "CPU units for Fargate task. Used if task_definition provided, or for initial stub task if externally managed."
+  type        = number
+  default     = 256
+}
+
+variable "memory" {
+  description = "Memory in megabytes for Fargate task. Used if task_definition provided, or for initial stub task if externally managed."
+  type        = number
+  default     = 512
+}
+
+variable "task_subnets" {
+  description = "Subnets to launch Fargate task in."
+  type        = list(string)
+  default     = []
+}
+
+variable "security_group_ids" {
+  description = "Security group to use for the Fargate task."
+  type        = list(string)
+  default     = []
+}
+
+variable "container_name" {
+  description = "Name of the container. Must match name in task definition. If omitted, defaults to name derived from project/env/service."
+  type        = string
+  default     = null
+}
+
+variable "registry_secretsmanager_arn" {
+  description = "ARN for AWS Secrets Manager secret for credentials to private registry"
+  type        = string
+  default     = null
+}
+
+variable "manage_task_definition" {
+  description = "If false, Terraform will not touch the task definition for the ECS service after initial creation"
+  type        = bool
+  default     = true
+}
\ No newline at end of file
diff --git a/aws-ecs-job/README.md b/aws-ecs-job/README.md
new file mode 100644
index 00000000..53b06630
--- /dev/null
+++ b/aws-ecs-job/README.md
@@ -0,0 +1,40 @@
+# ECS Job
+
+This creates an ECS service with no load balancer in front of it. Good for
+background worker daemon sort of things.
+
+## Terraform managed task definition vs czecs
+
+If the user sets `var.manage_task_definition = true`, Terraform will manage the lifecycle
+of the container definition; any external changes are reset on the next Terraform run.
+
+If var.manage_task_definition = false, the user is expected to manage the
+container definition external to Terraform (e.g. using [czecs](https://github.com/chanzuckerberg/czecs)). Upon creation,
+Terraform will use a stub definition, but from that point forward will ignore any
+changes to the definition, allowing external task definition management.
+
+<!-- START -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| cluster\_id |  | string | n/a | yes |
+| container\_name | Name of the container. Must match name in task definition. If omitted, defaults to name derived from project/env/service. | string | `null` | no |
+| deployment\_maximum\_percent | (Optional) The upper limit (as a percentage of the service's desiredCount) of the number of running tasks that can be running in a service during a deployment. Not valid when using the DAEMON scheduling strategy. | number | `200` | no |
+| deployment\_minimum\_healthy\_percent | (Optional) The lower limit (as a percentage of the service's desiredCount) of the number of running tasks that must remain running and healthy in a service during a deployment. | number | `100` | no |
+| desired\_count |  | number | n/a | yes |
+| env | Env for tagging and naming. See [doc](../README.md#consistent-tagging). | string | n/a | yes |
+| project | Project for tagging and naming. See [doc](../README.md#consistent-tagging) | string | n/a | yes |
+| scheduling\_strategy | Scheduling strategy for the service: REPLICA or DAEMON. | string | `"REPLICA"` | no |
+| service | Service for tagging and naming. See [doc](../README.md#consistent-tagging). | string | n/a | yes |
+| task\_definition | JSON to describe task. If omitted, defaults to a stub task that is expected to be managed outside of Terraform. | string | `null` | no |
+| task\_role\_arn |  | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| ecs\_service\_arn | ARN for the ECS service. |
+| ecs\_task\_definition\_family | The family of the task definition defined for the given/generated container definition. |
+
+<!-- END -->
diff --git a/aws-ecs-job/iam.tf b/aws-ecs-job/iam.tf
new file mode 100644
index 00000000..d4d35ff0
--- /dev/null
+++ b/aws-ecs-job/iam.tf
@@ -0,0 +1,58 @@
+data "aws_iam_policy_document" "execution_role" {
+  statement {
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role" "task_execution_role" {
+  count              = var.registry_secretsmanager_arn != null ? 1 : 0
+  name               = "${local.name}-execution-role"
+  assume_role_policy = data.aws_iam_policy_document.execution_role.json
+}
+
+# TODO(mbarrien): We can probably narrow this down to allowing access to only
+# the specific ECR arn if applicable, and the specific cloudwatch log group.
+# Either pass both identifiers in, or pass the entire role ARN as an argument
+resource "aws_iam_role_policy_attachment" "task_execution_role" {
+  count      = var.registry_secretsmanager_arn != null ? 1 : 0
+  role       = aws_iam_role.task_execution_role[0].name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+data "aws_iam_policy_document" "registry_secretsmanager" {
+  count = var.registry_secretsmanager_arn != null ? 1 : 0
+
+  statement {
+    actions = [
+      "kms:Decrypt",
+    ]
+
+    resources = [var.registry_secretsmanager_arn]
+  }
+
+  statement {
+    actions = [
+      "secretsmanager:GetSecretValue",
+    ]
+
+    # Limit to only current version of the secret
+    condition {
+      test     = "ForAnyValue:StringEquals"
+      variable = "secretsmanager:VersionStage"
+      values   = ["AWSCURRENT"]
+    }
+
+    resources = [var.registry_secretsmanager_arn]
+  }
+}
+
+resource "aws_iam_role_policy" "task_execution_role_secretsmanager" {
+  count  = var.registry_secretsmanager_arn != null ? 1 : 0
+  role   = aws_iam_role.task_execution_role[0].name
+  policy = data.aws_iam_policy_document.registry_secretsmanager[0].json
+}
diff --git a/aws-ecs-job/main.tf b/aws-ecs-job/main.tf
new file mode 100755
index 00000000..df4fc120
--- /dev/null
+++ b/aws-ecs-job/main.tf
@@ -0,0 +1,72 @@
+locals {
+  name = "${var.project}-${var.env}-${var.service}"
+
+  container_name = var.container_name == null ? local.name : var.container_name
+
+  task_definition = "${aws_ecs_task_definition.job.family}:${aws_ecs_task_definition.job.revision}"
+
+  tags = {
+    managedBy = "terraform"
+    Name      = local.name
+    project   = var.project
+    env       = var.env
+    service   = var.service
+    owner     = var.owner
+  }
+}
+
+# Only one of the following is active at a time, depending on var.manage_task_definition
+resource "aws_ecs_service" "job" {
+  name    = local.name
+  cluster = var.cluster_id
+  count   = var.manage_task_definition ? 1 : 0
+
+  task_definition                    = local.task_definition
+  desired_count                      = var.desired_count
+  deployment_maximum_percent         = var.deployment_maximum_percent
+  deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
+  scheduling_strategy                = var.scheduling_strategy
+
+  tags = local.tags
+}
+
+resource "aws_ecs_service" "unmanaged-job" {
+  name    = local.name
+  cluster = var.cluster_id
+  count   = var.manage_task_definition ? 0 : 1
+
+  task_definition                    = local.task_definition
+  desired_count                      = var.desired_count
+  deployment_maximum_percent         = var.deployment_maximum_percent
+  deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
+  scheduling_strategy                = var.scheduling_strategy
+
+  lifecycle {
+    ignore_changes = [task_definition]
+  }
+
+  tags = local.tags
+}
+
+# Default container definition if var.manage_task_definition == false
+# Defaults to a minimal hello-world implementation; should be updated separately from
+# Terraform, e.g. using ecs deploy or czecs
+locals {
+  template = <<TEMPLATE
+[
+  {
+    "name": "${local.container_name}",
+    "image": "library/busybox:1.29",
+    "command": ["sh", "-c", "while true; do { echo -e 'HTTP/1.1 200 OK\r\n\nRunning stub server'; date; } | nc -l -p 8080; done"],
+    "memoryReservation": 4
+  }
+]
+TEMPLATE
+}
+
+resource "aws_ecs_task_definition" "job" {
+  family                = local.name
+  container_definitions = var.manage_task_definition ? var.task_definition : local.template
+  task_role_arn         = var.task_role_arn
+  execution_role_arn    = var.registry_secretsmanager_arn == null ? null : aws_iam_role.task_execution_role[0].arn
+}
diff --git a/aws-ecs-job/outputs.tf b/aws-ecs-job/outputs.tf
new file mode 100755
index 00000000..2ccb4756
--- /dev/null
+++ b/aws-ecs-job/outputs.tf
@@ -0,0 +1,12 @@
+output "ecs_service_arn" {
+  description = "ARN for the ECS service."
+
+  # Awful hack modified from https://github.com/hashicorp/terraform/issues/16726
+  # Since we know exactly one of the following has count > 0, we just concatenate all the mostly empty lists, and return the first element.
+  value = concat(aws_ecs_service.unmanaged-job.*.id, aws_ecs_service.job.*.id)[0]
+}
+
+output "ecs_task_definition_family" {
+  description = "The family of the task definition defined for the given/generated container definition."
+  value       = aws_ecs_task_definition.job.family
+}
diff --git a/aws-ecs-job/variables.tf b/aws-ecs-job/variables.tf
new file mode 100755
index 00000000..4488e700
--- /dev/null
+++ b/aws-ecs-job/variables.tf
@@ -0,0 +1,72 @@
+variable "project" {
+  type        = string
+  description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
+}
+
+variable "service" {
+  type        = string
+  description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)."
+}
+
+variable "env" {
+  type        = string
+  description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)."
+}
+
+variable "owner" {
+  type        = string
+  description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)."
+}
+
+variable "cluster_id" {
+  type = string
+}
+
+variable "desired_count" {
+  type = number
+}
+
+variable "deployment_maximum_percent" {
+  description = "(Optional) The upper limit (as a percentage of the service's desiredCount) of the number of running tasks that can be running in a service during a deployment. Not valid when using the DAEMON scheduling strategy."
+  type        = number
+  default     = 200
+}
+
+variable "deployment_minimum_healthy_percent" {
+  description = "(Optional) The lower limit (as a percentage of the service's desiredCount) of the number of running tasks that must remain running and healthy in a service during a deployment."
+  type        = number
+  default     = 100
+}
+
+variable "task_role_arn" {
+  type = string
+}
+
+variable "task_definition" {
+  description = "JSON to describe task. If omitted, defaults to a stub task that is expected to be managed outside of Terraform."
+  type        = string
+  default     = null
+}
+
+variable "scheduling_strategy" {
+  description = "Scheduling strategy for the service: REPLICA or DAEMON."
+  default     = "REPLICA"
+}
+
+variable "container_name" {
+  description = "Name of the container. Must match name in task definition. If omitted, defaults to name derived from project/env/service."
+  type        = string
+  default     = null
+}
+
+variable "registry_secretsmanager_arn" {
+  description = "ARN for AWS Secrets Manager secret for credentials to private registry"
+  type        = string
+  default     = null
+}
+
+variable "manage_task_definition" {
+  description = "If false, Terraform will not touch the task definition for the ECS service after initial creation"
+  type        = bool
+  default     = true
+}
\ No newline at end of file
diff --git a/aws-ecs-service-fargate/README.md b/aws-ecs-service-fargate/README.md
new file mode 100644
index 00000000..2e73f5bf
--- /dev/null
+++ b/aws-ecs-service-fargate/README.md
@@ -0,0 +1,196 @@
+# ECS Fargate Service
+
+This module creates an ECS Fargate service fronted by a public ALB.
+
+## Notes
+
+In Fargate, the hostPort and containerPort must match; 0 is not allowed for hostPort, and omitting hostPort is not allowed.
+
+## Terraform managed task definition vs czecs
+
+If the user sets `var.manage_task_definition = true`, Terraform will manage the lifecycle
+of the container definition; any external changes are reset on the next Terraform run.
+
+If var.manage_task_definition = false, the user is expected to manage the
+container definition external to Terraform (e.g. using [czecs](https://github.com/chanzuckerberg/czecs)). Upon creation,
+Terraform will use a stub definition, but from that point forward will ignore any
+changes to the definition, allowing external task definition management.
+
+## Example
+
+```hcl
+data "aws_route53_zone" "zone" {
+  name         = "example.com."
+  private_zone = false
+}
+
+data "aws_iam_policy_document" "assume_role" {
+  statement {
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role" "role" {
+  name               = "${var.project}-${var.env}-myservice"
+  description        = "Task role for myservice in ${var.env} environment"
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
+}
+
+module "role-policy" {
+  source    = "github.com/chanzuckerberg/cztack//aws-params-reader-policy?ref=v0.19.4"
+  project   = var.project
+  env       = var.env
+  service   = var.component
+  region    = var.region
+  role_name = aws_iam_role.role.name
+}
+
+# This will define a task that runs this (example) container.
+locals {
+  template = <<TEMPLATE
+[
+  {
+    "name": "myservice",
+    "image": "chanzuckerberg/myservice:branch-master",
+    "cpu": 1024,
+    "memoryReservation": 1024,
+    "essential": true,
+    "portMappings": [
+      {
+        "containerPort": 80,
+        "hostPort": 80       # Must match containerPort in Fargate
+      }
+    ],
+    "environment": [
+      { "name": "AWS_REGION",           "value": "${var.region}" },
+      { "name": "AWS_DEFAULT_REGION",   "value": "${var.region}" },
+      { "name": "ENVIRONMENT",          "value": "${var.env}" },
+    ],
+    "logConfiguration": {
+      "logDriver": "awslogs",
+      "options": {
+        "awslogs-group": "${var.project}-${var.env}-myservice",
+        "awslogs-region": "${var.region}",
+        "awslogs-stream-prefix": "${var.container_name}"
+      }
+    }
+  }
+]
+TEMPLATE
+}
+
+data "aws_acm_certificate" "staging" {
+  domain   = var.hostname
+  statuses = ["ISSUED"]
+}
+
+module "web-service" {
+  source = "github.com/chanzuckerberg/cztack//aws-ecs-service-fargate?ref=v0.20.0"
+
+  # this is the name of the service and many of the resources will have this name
+  service = "myservice"
+
+  # The number of tasks to run (no autoscaling currently)
+  desired_count       = 2
+
+  # These two together will set the domain name for your service.
+  subdomain           = "myservice"
+  route53_zone_id     = data.aws_route53_zone.zone.id
+
+  # Parameters used for naming and tagging, auto-generated by fogg if you are using it.
+  project = var.project
+  owner   = var.owner
+  env     = var.env
+
+  # This port will exposed on this named container. This named container will also be
+  # the one to which the load balancer points. The cert will be attached to the https listener.
+  # The health of that contiainer will be checked with the `health_check_path` path.
+  container_port      = 80
+  container_name      = myservice
+  acm_certificate_arn = data.aws_acm_certificate.staging.arn
+  health_check_path   = "/health"
+
+  # The VPC and subnets in which the load balancer will be created.
+  vpc_id              = data.terraform_remote_state.cloud-env.outputs.vpc_id
+  lb_subnets          = data.terraform_remote_state.cloud-env.outputs.public_subnets
+  task_subnets        = data.terraform_remote_state.cloud-env.outputs.private_subnets
+
+  # The cluster in which the service is run.
+  cluster_id          = data.terraform_remote_state.ecs.outputs.cluster_id
+  # See above. This is what defines the containers that are run.
+  task_definition     = local.template
+
+  # The task is given this role. Useful for services that need to make API calls to AWS.
+  task_role_arn       = aws_iam_role.role.arn
+
+  cpu                 = 256
+  memory              = 512
+
+  with_service_discovery = true
+}
+```
+
+## Service Discovery
+
+In addition to a load balancer, this module supports registering all instances of
+tasks with DNS via ECS service discovery. If with_service_discovery is true, a new private
+DNS zone is created, and the tasks are registered in that DNS zone. The domain name is only
+resolvable from within the VPC; it is not publicly resolvable.
+
+<!-- START -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| access\_logs\_bucket | S3 bucket to write alb access logs to. Empty for no access logs. | string | `null` | no |
+| acm\_certificate\_arn | Certificate for the HTTPS listener. | string | n/a | yes |
+| cluster\_id |  | string | n/a | yes |
+| container\_egress\_cidrs | CIDR blocks the task is allowed to communicate with for outbound traffic. | list | `["0.0.0.0/0"]` | no |
+| container\_egress\_security\_group\_ids | Security groups the task is allowed to communicate with for outbound traffic. | list | `[]` | no |
+| container\_name | Name of the container. Must match name in task definition. If omitted, defaults to name derived from project/env/service. | string | `null` | no |
+| container\_port |  | number | n/a | yes |
+| cpu | CPU units for Fargate task. Used if var.manage_task_definition provided, or for initial stub task if externally managed. | number | `256` | no |
+| desired\_count |  | number | n/a | yes |
+| disable\_http\_redirect | Disable redirecting HTTP to HTTPS. | bool | `true` | no |
+| env | Env for tagging and naming. See [doc](../README.md#consistent-tagging). | string | n/a | yes |
+| extra\_tags | Extra tags that will be added to components created by this module. | map | `{}` | no |
+| health\_check\_grace\_period\_seconds | Seconds to ignore failing load balancer health checks on newly instantiated tasks to prevent premature shutdown, up to 7200. | number | `60` | no |
+| health\_check\_matcher | Range of HTTP status codes considered success for health checks. [Doc](https://www.terraform.io/docs/providers/aws/r/lb_target_group.html#matcher) | string | `"200-399"` | no |
+| health\_check\_path |  | string | `"/"` | no |
+| internal\_lb |  | bool | `false` | no |
+| lb\_idle\_timeout\_seconds |  | number | `60` | no |
+| lb\_ingress\_cidrs |  | list | `<list>` | no |
+| lb\_ingress\_security\_group\_ids |  | list | `<list>` | no |
+| lb\_subnets | List of subnets in which to deploy the load balancer. | list | n/a | yes |
+| manage\_task\_definition | If false, Terraform will not touch the task definition for the ECS service after initial creation | bool | `true` | no |
+| memory | Memory in megabytes for Fargate task. Used if task_definition provided, or for initial stub task if externally managed. | number | `512` | no |
+| owner | Owner for tagging and naming. See [doc](../README.md#consistent-tagging). | string | n/a | yes |
+| project | Project for tagging and naming. See [doc](../README.md#consistent-tagging) | string | n/a | yes |
+| registry\_secretsmanager\_arn | ARN for AWS Secrets Manager secret for credentials to private registry | string | `null` | no |
+| route53\_zone\_id | Zone in which to create an alias record to the ALB. | string | n/a | yes |
+| service | Service for tagging and naming. See [doc](../README.md#consistent-tagging). | string | n/a | yes |
+| ssl\_policy | ELB policy to determine which SSL/TLS encryption protocols are enabled. Probably don't touch this. | string | `null` | no |
+| subdomain | Subdomain in the zone. Final domain name will be subdomain.zone | string | n/a | yes |
+| task\_definition | JSON to describe task. If omitted, defaults to a stub task that is expected to be managed outside of Terraform. | string | `null` | no |
+| task\_role\_arn |  | string | n/a | yes |
+| task\_subnets | List of subnets in which to deploy the task for awsvpc networking mode. | list | `[]` | no |
+| vpc\_id |  | string | n/a | yes |
+| with\_service\_discovery | Register the service with ECS service discovery. Adds a sub-zone to the given route53_zone_id. | bool | `false` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| alb\_access\_logs\_prefix | ALB access logs S3 prefix |
+| alb\_dns\_name |  |
+| alb\_route53\_zone\_id |  |
+| container\_security\_group\_id | Security group id for the container. |
+| ecs\_task\_definition\_family | The family of the task definition defined for the given/generated container definition. |
+| private\_service\_discovery\_domain | Domain name for service discovery, if with_service_discovery=true. Only resolvable within the VPC. |
+
+<!-- END -->
diff --git a/aws-ecs-service-fargate/alb.tf b/aws-ecs-service-fargate/alb.tf
new file mode 100644
index 00000000..ffdac298
--- /dev/null
+++ b/aws-ecs-service-fargate/alb.tf
@@ -0,0 +1,112 @@
+locals {
+  access_logs_prefix = var.access_logs_bucket == null ? "" : local.name
+
+  ingress_rules = ["https-443-tcp", "http-80-tcp"]
+
+  # Default to allowing TLS 1.1 on external facing services, disabling and only allowing TLS 1.2 for internal
+  ssl_policy = compact([var.ssl_policy, var.internal_lb ? "ELBSecurityPolicy-TLS-1-2-2017-01" : "ELBSecurityPolicy-TLS-1-1-2017-01"])[0]
+}
+
+resource "aws_lb_target_group" "service" {
+  name        = local.name
+  port        = var.container_port
+  protocol    = "HTTP"
+  vpc_id      = var.vpc_id
+  target_type = "ip"
+
+  deregistration_delay = 60
+
+  health_check {
+    path     = var.health_check_path
+    matcher  = var.health_check_matcher
+    timeout  = var.health_check_timeout
+    interval = var.health_check_interval
+  }
+
+  tags = local.tags
+}
+
+resource "aws_lb" "service" {
+  name            = local.name
+  internal        = var.internal_lb
+  security_groups = [module.alb-sg.this_security_group_id]
+  subnets         = var.lb_subnets
+  idle_timeout    = var.lb_idle_timeout_seconds
+
+  dynamic "access_logs" {
+    for_each = compact([var.access_logs_bucket])
+    content {
+      bucket  = var.access_logs_bucket
+      prefix  = local.access_logs_prefix
+      enabled = true
+    }
+  }
+
+  tags = local.tags
+}
+
+resource "aws_lb_listener" "http" {
+  load_balancer_arn = aws_lb.service.arn
+  port              = 80
+  protocol          = "HTTP"
+
+  default_action {
+    type             = var.disable_http_redirect ? "forward" : "redirect"
+    target_group_arn = var.disable_http_redirect ? aws_lb_target_group.service.arn : null
+
+    dynamic "redirect" {
+      for_each = compact([var.disable_http_redirect ? "" : "present"])
+      content {
+        port        = "443"
+        protocol    = "HTTPS"
+        status_code = "HTTP_301"
+      }
+    }
+  }
+}
+
+resource "aws_lb_listener" "https" {
+  load_balancer_arn = aws_lb.service.arn
+  port              = 443
+  protocol          = "HTTPS"
+  ssl_policy        = local.ssl_policy
+  certificate_arn   = var.acm_certificate_arn
+
+  default_action {
+    target_group_arn = aws_lb_target_group.service.arn
+    type             = "forward"
+  }
+}
+
+module "alb-sg" {
+  source      = "terraform-aws-modules/security-group/aws"
+  version     = "3.1.0"
+  name        = "${local.name}-alb"
+  description = "Security group for ${var.internal_lb ? "internal" : "internet facing"} ALB"
+  vpc_id      = var.vpc_id
+  tags        = local.tags
+
+  ingress_with_cidr_blocks = [
+    for rule in local.ingress_rules : {
+      cidr_blocks = join(",", var.lb_ingress_cidrs)
+      rule        = rule
+    } if length(var.lb_ingress_cidrs) != 0
+  ]
+
+  ingress_with_source_security_group_id = [
+    for sg_rule in setproduct(var.lb_ingress_security_group_ids, local.ingress_rules) : {
+      source_security_group_id = sg_rule[0]
+      rule                     = sg_rule[1]
+    }
+  ]
+
+  egress_with_source_security_group_id = [
+    {
+      from_port                = var.container_port
+      to_port                  = var.container_port
+      protocol                 = "tcp"
+      description              = "Container port"
+      source_security_group_id = module.container-sg.this_security_group_id
+    },
+  ]
+}
diff --git a/aws-ecs-service-fargate/discovery.tf b/aws-ecs-service-fargate/discovery.tf
new file mode 100644
index 00000000..dddc1d52
--- /dev/null
+++ b/aws-ecs-service-fargate/discovery.tf
@@ -0,0 +1,25 @@
+resource "aws_service_discovery_private_dns_namespace" "discovery" {
+  count       = var.with_service_discovery ? 1 : 0
+  name        = "${local.name}.terraform.local"
+  description = "Namespace for service discovery for ${local.name}"
+  vpc         = var.vpc_id
+}
+
+resource "aws_service_discovery_service" "discovery" {
+  count       = var.with_service_discovery ? 1 : 0
+  name        = local.name
+  description = "Service discovery for ${local.name}"
+
+  health_check_custom_config {
+    failure_threshold = 1
+  }
+
+  dns_config {
+    namespace_id = aws_service_discovery_private_dns_namespace.discovery[0].id
+
+    dns_records {
+      ttl  = 10
+      type = "A"
+    }
+  }
+}
diff --git a/aws-ecs-service-fargate/domain.tf b/aws-ecs-service-fargate/domain.tf
new file mode 100644
index 00000000..b3d3a0ea
--- /dev/null
+++ b/aws-ecs-service-fargate/domain.tf
@@ -0,0 +1,62 @@
+locals {
+  fqdn = join(".", compact([var.subdomain, data.aws_route53_zone.zone.name]))
+}
+
+data "aws_route53_zone" "zone" {
+  zone_id = var.route53_zone_id
+}
+
+resource "aws_route53_record" "ipv4" {
+  zone_id = var.route53_zone_id
+  name    = local.fqdn
+  type    = "A"
+
+  allow_overwrite = false
+
+  alias {
+    name                   = aws_lb.service.dns_name
+    zone_id                = aws_lb.service.zone_id
+    evaluate_target_health = true
+  }
+}
+
+# The following DNS records only exist if doing HTTP redirect
+
+resource "aws_route53_record" "ipv6" {
+  count   = var.disable_http_redirect ? 0 : 1
+  zone_id = var.route53_zone_id
+  name    = local.fqdn
+  type    = "AAAA"
+
+  alias {
+    name                   = aws_lb.service.dns_name
+    zone_id                = aws_lb.service.zone_id
+    evaluate_target_health = true
+  }
+}
+
+resource "aws_route53_record" "www-ipv4" {
+  count   = var.disable_http_redirect ? 0 : 1
+  zone_id = var.route53_zone_id
+  name    = "www.${local.fqdn}"
+  type    = "A"
+
+  alias {
+    name                   = aws_lb.service.dns_name
+    zone_id                = aws_lb.service.zone_id
+    evaluate_target_health = true
+  }
+}
+
+resource "aws_route53_record" "www-ipv6" {
+  count   = var.disable_http_redirect ? 0 : 1
+  zone_id = var.route53_zone_id
+  name    = "www.${local.fqdn}"
+  type    = "AAAA"
+
+  alias {
+    name                   = aws_lb.service.dns_name
+    zone_id                = aws_lb.service.zone_id
+    evaluate_target_health = true
+  }
+}
diff --git a/aws-ecs-service-fargate/iam.tf b/aws-ecs-service-fargate/iam.tf
new file mode 100644
index 00000000..4914765a
--- /dev/null
+++ b/aws-ecs-service-fargate/iam.tf
@@ -0,0 +1,57 @@
+data "aws_iam_policy_document" "execution_role" {
+  statement {
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+# Always create and attach, Fargate requires task definition to have execution role ARN to support log driver awslogs.
+resource "aws_iam_role" "task_execution_role" {
+  name               = "${local.name}-execution-role"
+  assume_role_policy = data.aws_iam_policy_document.execution_role.json
+}
+
+# TODO: Add support for giving permissions to ECR ARNs and possibly cloudwatch log group
+# Or provide ability to pass in own execution role ARN
+resource "aws_iam_role_policy_attachment" "task_execution_role" {
+  count      = var.registry_secretsmanager_arn != null ? 1 : 0
+  role       = aws_iam_role.task_execution_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+data "aws_iam_policy_document" "registry_secretsmanager" {
+  count = var.registry_secretsmanager_arn != null ? 1 : 0
+
+  statement {
+    actions = [
+      "kms:Decrypt",
+    ]
+
+    resources = [var.registry_secretsmanager_arn]
+  }
+
+  statement {
+    actions = [
+      "secretsmanager:GetSecretValue",
+    ]
+
+    # Limit to only current version of the secret
+    condition {
+      test     = "ForAnyValue:StringEquals"
+      variable = "secretsmanager:VersionStage"
+      values   = ["AWSCURRENT"]
+    }
+
+    resources = [var.registry_secretsmanager_arn]
+  }
+}
+
+resource "aws_iam_role_policy" "task_execution_role_secretsmanager" {
+  count  = var.registry_secretsmanager_arn != null ? 1 : 0
+  role   = aws_iam_role.task_execution_role.name
+  policy = data.aws_iam_policy_document.registry_secretsmanager[0].json
+}
diff --git a/aws-ecs-service-fargate/main.tf b/aws-ecs-service-fargate/main.tf
new file mode 100755
index 00000000..06c8dc6b
--- /dev/null
+++ b/aws-ecs-service-fargate/main.tf
@@ -0,0 +1,14 @@
+locals {
+  name = "${var.project}-${var.env}-${var.service}"
+
+  default_tags = {
+    managedBy = "terraform"
+    Name      = local.name
+    project   = var.project
+    env       = var.env
+    service   = var.service
+    owner     = var.owner
+  }
+
+  tags = merge(var.extra_tags, local.default_tags)
+}
diff --git a/aws-ecs-service-fargate/outputs.tf b/aws-ecs-service-fargate/outputs.tf
new file mode 100755
index 00000000..2d22bba7
--- /dev/null
+++ b/aws-ecs-service-fargate/outputs.tf
@@ -0,0 +1,27 @@
+output "alb_dns_name" {
+  value = aws_lb.service.dns_name
+}
+
+output "alb_route53_zone_id" {
+  value = aws_lb.service.zone_id
+}
+
+output "ecs_task_definition_family" {
+  description = "The family of the task definition defined for the given/generated container definition."
+  value       = aws_ecs_task_definition.job.family
+}
+
+output "container_security_group_id" {
+  description = "Security group id for the container."
+  value       = module.container-sg.this_security_group_id
+}
+
+output "private_service_discovery_domain" {
+  description = "Domain name for service discovery, if with_service_discovery=true. Only resolvable within the VPC."
+  value       = "${coalescelist(aws_service_discovery_service.discovery.*.name, [""])[0]}${var.with_service_discovery ? "." : ""}${coalescelist(aws_service_discovery_private_dns_namespace.discovery.*.name, [""])[0]}"
+}
+
+output "alb_access_logs_prefix" {
+  description = "ALB access logs S3 prefix"
+  value       = local.access_logs_prefix
+}
diff --git a/aws-ecs-service-fargate/service.tf b/aws-ecs-service-fargate/service.tf
new file mode 100644
index 00000000..77640b8e
--- /dev/null
+++ b/aws-ecs-service-fargate/service.tf
@@ -0,0 +1,145 @@
+locals {
+  container_name = var.container_name == null ? local.name : var.container_name
+
+  task_definition = "${aws_ecs_task_definition.job.family}:${aws_ecs_task_definition.job.revision}"
+}
+
+module "container-sg" {
+  source      = "terraform-aws-modules/security-group/aws"
+  version     = "3.1.0"
+  name        = local.name
+  description = "ECS ingress port"
+  vpc_id      = var.vpc_id
+  tags        = local.tags
+
+  ingress_with_source_security_group_id = [
+    {
+      from_port                = var.container_port
+      to_port                  = var.container_port
+      protocol                 = "tcp"
+      description              = "Container port"
+      source_security_group_id = module.alb-sg.this_security_group_id
+    },
+  ]
+
+  egress_with_cidr_blocks = length(var.task_egress_cidrs) == 0 ? [] : [
+    {
+      cidr_blocks = join(",", var.task_egress_cidrs)
+      rule        = "all-all"
+    },
+  ]
+
+  egress_with_source_security_group_id = [
+    for sg in var.task_egress_security_group_ids : {
+      rule                     = "all-all"
+      source_security_group_id = sg
+    }
+  ]
+}
+
+# Only one of the following is active at a time, depending on var.manage_task_definition
+resource "aws_ecs_service" "job" {
+  name        = local.name
+  cluster     = var.cluster_id
+  count       = var.manage_task_definition ? 1 : 0
+  launch_type = "FARGATE"
+
+  task_definition                   = local.task_definition
+  desired_count                     = var.desired_count
+  health_check_grace_period_seconds = var.health_check_grace_period_seconds
+
+  network_configuration {
+    subnets         = var.task_subnets
+    security_groups = [module.container-sg.this_security_group_id]
+  }
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.service.arn
+    container_name   = local.container_name
+    container_port   = var.container_port
+  }
+
+  dynamic "service_registries" {
+    for_each = aws_service_discovery_service.discovery[*]
+    content {
+      registry_arn = service_registries.arn
+    }
+  }
+
+  tags = local.tags
+
+  depends_on = [aws_lb.service]
+}
+
+resource "aws_ecs_service" "unmanaged-job" {
+  name        = local.name
+  cluster     = var.cluster_id
+  count       = var.manage_task_definition ? 0 : 1
+  launch_type = "FARGATE"
+
+  task_definition                   = local.task_definition
+  desired_count                     = var.desired_count
+  health_check_grace_period_seconds = var.health_check_grace_period_seconds
+
+  network_configuration {
+    subnets         = var.task_subnets
+    security_groups = [module.container-sg.this_security_group_id]
+  }
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.service.arn
+    container_name   = local.container_name
+    container_port   = var.container_port
+  }
+
+  dynamic "service_registries" {
+    for_each = aws_service_discovery_service.discovery[*]
+    content {
+      registry_arn = aws_service_discovery_service.discovery[0].arn
+    }
+  }
+
+  # This lifecycle block is the only difference between job and unmanaged-job
+  lifecycle {
+    ignore_changes = [task_definition]
+  }
+
+  tags = local.tags
+
+
+  depends_on = [aws_lb.service]
+}
+
+# Default container definition if manage_task_definition == false.
+# Defaults to a minimal hello-world implementation; should be updated separately from
+# Terraform, e.g. using ecs deploy or czecs
+
+locals {
+  dummy_task = <<TEMPLATE
+[
+  {
+    "name": "${local.container_name}",
+    "image": "library/busybox:1.29",
+    "command": ["sh", "-c", "while true; do { echo -e 'HTTP/1.1 200 OK\r\n\nRunning stub server'; date; } | nc -l -p ${var.container_port}; done"],
+    "portMappings": [
+      {
+        "containerPort": ${var.container_port},
+        "hostPort": ${var.container_port}
+      }
+    ]
+  }
+]
+TEMPLATE
+}
+
+resource "aws_ecs_task_definition" "job" {
+  family                   = local.name
+  container_definitions    = var.manage_task_definition ? var.task_definition : local.dummy_task
+  task_role_arn            = var.task_role_arn
+  tags                     = local.tags
+  requires_compatibilities = ["FARGATE"]
+  cpu                      = var.cpu
+  memory                   = var.memory
+  network_mode             = "awsvpc"
+  execution_role_arn       = aws_iam_role.task_execution_role.arn
+}
diff --git a/aws-ecs-service-fargate/variables.tf b/aws-ecs-service-fargate/variables.tf
new file mode 100755
index 00000000..553b329e
--- /dev/null
+++ b/aws-ecs-service-fargate/variables.tf
@@ -0,0 +1,192 @@
+variable "project" {
+  type        = string
+  description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
+}
+
+variable "service" {
+  type        = string
+  description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)."
+}
+
+variable "env" {
+  type        = string
+  description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)."
+}
+
+variable "owner" {
+  type        = string
+  description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)."
+}
+
+variable "extra_tags" {
+  type        = map(string)
+  description = "Extra tags that will be added to components created by this module."
+  default     = {}
+}
+
+variable "cluster_id" {
+  type = string
+}
+
+variable "desired_count" {
+  type = number
+}
+
+variable "lb_subnets" {
+  description = "List of subnets in which to deploy the load balancer."
+  type        = list(string)
+}
+
+variable "vpc_id" {
+  type = string
+}
+
+variable "container_name" {
+  description = "Name of the container. Must match name in task definition. If omitted, defaults to name derived from project/env/service."
+  type        = string
+  default     = null
+}
+
+variable "container_port" {
+  description = "The port the container to be exposed to is listening on."
+  type        = number
+}
+
+variable "health_check_path" {
+  type    = string
+  default = "/"
+}
+
+variable "route53_zone_id" {
+  description = "Zone in which to create an alias record to the ALB."
+  type        = string
+}
+
+variable "subdomain" {
+  description = "Subdomain in the zone. Final domain name will be subdomain.zone"
+  type        = string
+}
+
+variable "task_role_arn" {
+  type = string
+}
+
+variable "task_definition" {
+  description = "JSON to describe task. If omitted, defaults to a stub task that is expected to be managed outside of Terraform."
+  type        = string
+  default     = null
+}
+
+variable "acm_certificate_arn" {
+  description = "Certificate for the HTTPS listener."
+  type        = string
+}
+
+variable "ssl_policy" {
+  description = "ELB policy to determine which SSL/TLS encryption protocols are enabled. Probably don't touch this."
+  type        = string
+  default     = null
+}
+
+variable "task_subnets" {
+  description = "List of subnets in which to deploy the task for awsvpc networking mode."
+  type        = list(string)
+  default     = []
+}
+
+variable "task_egress_cidrs" {
+  type        = list(string)
+  description = "CIDRs the task is allowed to communicate with for outbound traffic."
+  default     = ["0.0.0.0/0"]
+}
+
+variable "task_egress_security_group_ids" {
+  type        = list(string)
+  description = "Security groups the task is allowed to communicate with for outbound traffic. Only used if awsvpc_network is true."
+  default     = []
+}
+
+variable "lb_ingress_cidrs" {
+  type    = list(string)
+  default = ["0.0.0.0/0"]
+}
+
+variable "lb_ingress_security_group_ids" {
+  type    = list(string)
+  default = []
+}
+
+variable "lb_idle_timeout_seconds" {
+  type    = number
+  default = 60
+}
+
+variable "internal_lb" {
+  type    = bool
+  default = false
+}
+
+variable "health_check_matcher" {
+  type        = string
+  description = "Range of HTTP status codes considered success for health checks. [Doc](https://www.terraform.io/docs/providers/aws/r/lb_target_group.html#matcher)"
+  default     = "200-399"
+}
+
+variable "disable_http_redirect" {
+  description = "Disable redirecting HTTP to HTTPS."
+  default     = true
+}
+
+variable "health_check_timeout" {
+  description = "Timeout for a health check of the underlying service."
+  type        = number
+  default     = null
+}
+
+variable "health_check_interval" {
+  description = "Time between health checks of the underlying service."
+  type        = number
+  default     = null
+}
+
+variable "health_check_grace_period_seconds" {
+  type        = number
+  description = "Seconds to ignore failing load balancer health checks on newly instantiated tasks to prevent premature shutdown, up to 7200."
+  default     = 60
+}
+
+variable "cpu" {
+  description = "CPU units for Fargate task. Used if task_definition provided, or for initial stub task if externally managed."
+  type        = number
+  default     = 256
+}
+
+variable "memory" {
+  description = "Memory in megabytes for Fargate task. Used if task_definition provided, or for initial stub task if externally managed."
+  type        = number
+  default     = 512
+}
+
+variable "registry_secretsmanager_arn" {
+  description = "ARN for AWS Secrets Manager secret for credentials to private registry"
+  type        = string
+  default     = null
+}
+
+variable "with_service_discovery" {
+  description = "Register the service with ECS service discovery. Adds a sub-zone to the given route53_zone_id."
+  type        = bool
+  default     = false
+}
+
+variable "access_logs_bucket" {
+  description = "S3 bucket to write alb access logs to. Null for no access logs."
+  type        = string
+  default     = null
+}
+
+variable "manage_task_definition" {
+  description = "If false, Terraform will not touch the task definition for the ECS service after initial creation"
+  type        = bool
+  default     = true
+}
\ No newline at end of file
diff --git a/aws-ecs-service/README.md b/aws-ecs-service/README.md
new file mode 100644
index 00000000..74b62542
--- /dev/null
+++ b/aws-ecs-service/README.md
@@ -0,0 +1,186 @@
+# ECS Service
+
+This module creates an ECS service fronted by a public ALB.
+
+## Terraform managed task definition vs czecs
+
+If the user sets `var.manage_task_definition = true`, Terraform will manage the lifecycle
+of the container definition; any external changes are reset on the next Terraform run.
+
+If var.manage_task_definition = false, the user is expected to manage the
+container definition external to Terraform (e.g. using [czecs](https://github.com/chanzuckerberg/czecs)). Upon creation,
+Terraform will use a stub definition, but from that point forward will ignore any
+changes to the definition, allowing external task definition management.
+
+## Example
+
+```hcl
+data "aws_route53_zone" "zone" {
+  name         = "example.com."
+  private_zone = false
+}
+
+data "aws_iam_policy_document" "assume_role" {
+  statement {
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role" "role" {
+  name               = "${var.project}-${var.env}-myservice"
+  description        = "Task role for myservice in ${var.env} environment"
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
+}
+
+module "role-policy" {
+  source    = "github.com/chanzuckerberg/cztack//aws-params-reader-policy?ref=v0.19.4"
+  project   = var.project
+  env       = var.env
+  service   = var.component
+  region    = var.region
+  role_name = aws_iam_role.role.name
+}
+
+# This will define a task that runs this (example) container.
+locals {
+  template = <<TEMPLATE
+[
+  {
+    "name": "myservice",
+    "image": "chanzuckerberg/myservice:branch-master",
+    "cpu": 1024,
+    "memoryReservation": 1024,
+    "essential": true,
+    "portMappings": [
+      {
+        "containerPort": 80,
+        "hostPort": 0        # If awsvpc_network_mode is true, must match containerPort so must be 80
+      }
+    ],
+    "environment": [
+      { "name": "AWS_REGION",           "value": "${var.region}" },
+      { "name": "AWS_DEFAULT_REGION",   "value": "${var.region}" },
+      { "name": "ENVIRONMENT",          "value": "${var.env}" },
+    ],
+    "logConfiguration": {
+      "logDriver": "awslogs",
+      "options": {
+        "awslogs-group": "${var.project}-${var.env}-myservice",
+        "awslogs-region": "${var.region}",
+        "awslogs-stream-prefix": "${var.container_name}"
+      }
+    }
+  }
+]
+TEMPLATE
+}
+
+data "aws_acm_certificate" "staging" {
+  domain   = var.hostname
+  statuses = ["ISSUED"]
+}
+
+module "web-service" {
+  source = "github.com/chanzuckerberg/cztack//aws-ecs-service?ref=v0.20.0"
+
+  # this is the name of the service and many of the resources will have this name
+  service = "myservice"
+
+  # The number of tasks to run (no autoscaling currently)
+  desired_count       = 2
+
+  # These two together will set the domain name for your service.
+  subdomain           = "myservice"
+  route53_zone_id     = data.aws_route53_zone.zone.id
+
+  # Parameters used for naming and tagging, auto-generated by fogg if you are using it.
+  project = var.project
+  owner   = var.owner
+  env     = var.env
+
+  # This port will exposed on this named container. This named container will also be
+  # the one to which the load balancer points. The cert will be attached to the https listener.
+  # The health of that contiainer will be checked with the `health_check_path` path.
+  container_port      = 80
+  container_name      = myservice
+  acm_certificate_arn = data.aws_acm_certificate.staging.arn
+  health_check_path   = "/health"
+
+  # The VPC and subnets in which the load balancer will be created.
+  vpc_id              = data.terraform_remote_state.cloud-env.outputs.vpc_id
+  lb_subnets          = data.terraform_remote_state.cloud-env.outputs.public_subnets
+
+  # The cluster in which the service is run.
+  cluster_id          = data.terraform_remote_state.ecs.outputs.cluster_id
+  # See above. This is what defines the containers that are run.
+  task_definition     = local.template
+
+  # The task is given this role. Useful for services that need to make API calls to AWS.
+  task_role_arn       = aws_iam_role.role.arn
+
+  with_service_discovery = true
+}
+```
+
+## Service Discovery
+
+In addition to a load balancer, this module supports registering all instances of
+tasks with DNS via ECS service discovery. If with_service_discovery is true, a new private
+DNS zone is created, and the tasks are registered in that DNS zone. The domain name is only
+resolvable from within the VPC; it is not publicly resolvable.
+
+<!-- START -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| access\_logs\_bucket | S3 bucket to write alb access logs to. Empty for no access logs. | string | `null` | no |
+| acm\_certificate\_arn | Certificate for the HTTPS listener. | string | n/a | yes |
+| cluster\_id |  | string | n/a | yes |
+| container\_egress\_cidrs | CIDR blocks the task is allowed to communicate with for outbound traffic. Only used if awsvpc_network_mode is true. | list | `["0.0.0.0/0"]` | no |
+| container\_egress\_security\_group\_ids | Security groups the task is allowed to communicate with for outbound traffic. Only used if awsvpc_network_mode is true. | list | `[]` | no |
+| container\_name | Name of the container. Must match name in task definition. If omitted, defaults to name derived from project/env/service. | string | `null` | no |
+| container\_port |  | number | n/a | yes |
+| desired\_count |  | number | n/a | yes |
+| disable\_http\_redirect | Disable redirecting HTTP to HTTPS. | bool | `true` | no |
+| env | Env for tagging and naming. See [doc](../README.md#consistent-tagging). | string | n/a | yes |
+| extra\_tags | Extra tags that will be added to components created by this module. | map | `{}` | no |
+| health\_check\_grace\_period\_seconds | Seconds to ignore failing load balancer health checks on newly instantiated tasks to prevent premature shutdown, up to 7200. | number | `60` | no |
+| health\_check\_matcher | Range of HTTP status codes considered success for health checks. [Doc](https://www.terraform.io/docs/providers/aws/r/lb_target_group.html#matcher) | string | `"200-399"` | no |
+| health\_check\_path |  | string | `"/"` | no |
+| internal\_lb |  | bool | `false` | no |
+| lb\_idle\_timeout\_seconds |  | number | `60` | no |
+| lb\_ingress\_cidrs |  | list | `<list>` | no |
+| lb\_ingress\_security\_group\_ids |  | list | `<list>` | no |
+| lb\_subnets | List of subnets in which to deploy the load balancer. | list | n/a | yes |
+| manage\_task\_definition | If false, Terraform will not touch the task definition for the ECS service after initial creation | bool | `true` | no |
+| owner | Owner for tagging and naming. See [doc](../README.md#consistent-tagging). | string | n/a | yes |
+| project | Project for tagging and naming. See [doc](../README.md#consistent-tagging) | string | n/a | yes |
+| registry\_secretsmanager\_arn | ARN for AWS Secrets Manager secret for credentials to private registry | string | `null` | no |
+| route53\_zone\_id | Zone in which to create an alias record to the ALB. | string | n/a | yes |
+| service | Service for tagging and naming. See [doc](../README.md#consistent-tagging). | string | n/a | yes |
+| ssl\_policy | ELB policy to determine which SSL/TLS encryption protocols are enabled. Probably don't touch this. | string | `null` | no |
+| subdomain | Subdomain in the zone. Final domain name will be subdomain.zone | string | n/a | yes |
+| task\_definition | JSON to describe task. If omitted, defaults to a stub task that is expected to be managed outside of Terraform. | string | `null` | no |
+| task\_role\_arn |  | string | n/a | yes |
+| task\_subnets | List of subnets in which to deploy the task for awsvpc networking mode. Only used if awsvpc_network_mode is true. | list | `[]` | no |
+| vpc\_id |  | string | n/a | yes |
+| with\_service\_discovery | Register the service with ECS service discovery. Adds a sub-zone to the given route53_zone_id. | bool | `false` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| alb\_access\_logs\_prefix | ALB access logs S3 prefix |
+| alb\_dns\_name |  |
+| alb\_route53\_zone\_id |  |
+| container\_security\_group\_id | Security group id for the container. |
+| ecs\_task\_definition\_family | The family of the task definition defined for the given/generated container definition. |
+| private\_service\_discovery\_domain | Domain name for service discovery, if with_service_discovery=true. Only resolvable within the VPC. |
+
+<!-- END -->
diff --git a/aws-ecs-service/alb.tf b/aws-ecs-service/alb.tf
new file mode 100644
index 00000000..10977b9a
--- /dev/null
+++ b/aws-ecs-service/alb.tf
@@ -0,0 +1,119 @@
+locals {
+  access_logs_prefix = var.access_logs_bucket == null ? "" : local.name
+
+  ingress_rules = ["https-443-tcp", "http-80-tcp"]
+
+  # Default to allowing TLS 1.1 on external facing services, disabling and only allowing TLS 1.2 for internal
+  ssl_policy = compact([var.ssl_policy, var.internal_lb ? "ELBSecurityPolicy-TLS-1-2-2017-01" : "ELBSecurityPolicy-TLS-1-1-2017-01"])[0]
+}
+
+resource "aws_lb_target_group" "service" {
+  name        = local.name
+  port        = var.container_port
+  protocol    = "HTTP"
+  vpc_id      = var.vpc_id
+  target_type = var.awsvpc_network_mode ? "ip" : "instance"
+
+  deregistration_delay = 60
+
+  health_check {
+    path     = var.health_check_path
+    matcher  = var.health_check_matcher
+    timeout  = var.health_check_timeout
+    interval = var.health_check_interval
+  }
+
+  tags = local.tags
+}
+
+resource "aws_lb" "service" {
+  name            = local.name
+  internal        = var.internal_lb
+  security_groups = [module.alb-sg.this_security_group_id]
+  subnets         = var.lb_subnets
+  idle_timeout    = var.lb_idle_timeout_seconds
+
+  dynamic "access_logs" {
+    for_each = compact([var.access_logs_bucket])
+    content {
+      bucket  = var.access_logs_bucket
+      prefix  = local.access_logs_prefix
+      enabled = true
+    }
+  }
+
+  tags = local.tags
+}
+
+resource "aws_lb_listener" "http" {
+  load_balancer_arn = aws_lb.service.arn
+  port              = 80
+  protocol          = "HTTP"
+
+  default_action {
+    type             = var.disable_http_redirect ? "forward" : "redirect"
+    target_group_arn = var.disable_http_redirect ? aws_lb_target_group.service.arn : null
+
+    dynamic "redirect" {
+      for_each = compact([var.disable_http_redirect ? "" : "present"])
+      content {
+        port        = "443"
+        protocol    = "HTTPS"
+        status_code = "HTTP_301"
+      }
+    }
+  }
+}
+
+resource "aws_lb_listener" "https" {
+  load_balancer_arn = aws_lb.service.arn
+  port              = 443
+  protocol          = "HTTPS"
+  ssl_policy        = local.ssl_policy
+  certificate_arn   = var.acm_certificate_arn
+
+  default_action {
+    target_group_arn = aws_lb_target_group.service.arn
+    type             = "forward"
+  }
+}
+
+module "alb-sg" {
+  source      = "terraform-aws-modules/security-group/aws"
+  version     = "3.1.0"
+  name        = "${local.name}-alb"
+  description = "Security group for ${var.internal_lb ? "internal" : "internet facing"} ALB"
+  vpc_id      = var.vpc_id
+  tags        = local.tags
+
+  ingress_with_cidr_blocks = length(var.lb_ingress_cidrs) == 0 ? [] : [
+    for rule in local.ingress_rules : {
+      cidr_blocks = join(",", var.lb_ingress_cidrs)
+      rule        = rule
+    }
+  ]
+
+  ingress_with_source_security_group_id = [
+    for sg_rule in setproduct(var.lb_ingress_security_group_ids, local.ingress_rules) : {
+      source_security_group_id = sg_rule[0]
+      rule                     = sg_rule[1]
+    }
+  ]
+
+  egress_with_cidr_blocks = var.awsvpc_network_mode ? [] : [
+    {
+      cidr_blocks = ["0.0.0.0/0"]
+      rule        = "all-all"
+    },
+  ]
+
+  egress_with_source_security_group_id = [
+    {
+      from_port                = var.container_port
+      to_port                  = var.container_port
+      protocol                 = "tcp"
+      description              = "Container port"
+      source_security_group_id = module.container-sg.this_security_group_id
+    },
+  ]
+}
diff --git a/aws-ecs-service/discovery.tf b/aws-ecs-service/discovery.tf
new file mode 100644
index 00000000..dddc1d52
--- /dev/null
+++ b/aws-ecs-service/discovery.tf
@@ -0,0 +1,25 @@
+resource "aws_service_discovery_private_dns_namespace" "discovery" {
+  count       = var.with_service_discovery ? 1 : 0
+  name        = "${local.name}.terraform.local"
+  description = "Namespace for service discovery for ${local.name}"
+  vpc         = var.vpc_id
+}
+
+resource "aws_service_discovery_service" "discovery" {
+  count       = var.with_service_discovery ? 1 : 0
+  name        = local.name
+  description = "Service discovery for ${local.name}"
+
+  health_check_custom_config {
+    failure_threshold = 1
+  }
+
+  dns_config {
+    namespace_id = aws_service_discovery_private_dns_namespace.discovery[0].id
+
+    dns_records {
+      ttl  = 10
+      type = "A"
+    }
+  }
+}
diff --git a/aws-ecs-service/domain.tf b/aws-ecs-service/domain.tf
new file mode 100644
index 00000000..b3d3a0ea
--- /dev/null
+++ b/aws-ecs-service/domain.tf
@@ -0,0 +1,62 @@
+locals {
+  fqdn = join(".", compact([var.subdomain, data.aws_route53_zone.zone.name]))
+}
+
+data "aws_route53_zone" "zone" {
+  zone_id = var.route53_zone_id
+}
+
+resource "aws_route53_record" "ipv4" {
+  zone_id = var.route53_zone_id
+  name    = local.fqdn
+  type    = "A"
+
+  allow_overwrite = false
+
+  alias {
+    name                   = aws_lb.service.dns_name
+    zone_id                = aws_lb.service.zone_id
+    evaluate_target_health = true
+  }
+}
+
+# The following DNS records only exist if doing HTTP redirect
+
+resource "aws_route53_record" "ipv6" {
+  count   = var.disable_http_redirect ? 0 : 1
+  zone_id = var.route53_zone_id
+  name    = local.fqdn
+  type    = "AAAA"
+
+  alias {
+    name                   = aws_lb.service.dns_name
+    zone_id                = aws_lb.service.zone_id
+    evaluate_target_health = true
+  }
+}
+
+resource "aws_route53_record" "www-ipv4" {
+  count   = var.disable_http_redirect ? 0 : 1
+  zone_id = var.route53_zone_id
+  name    = "www.${local.fqdn}"
+  type    = "A"
+
+  alias {
+    name                   = aws_lb.service.dns_name
+    zone_id                = aws_lb.service.zone_id
+    evaluate_target_health = true
+  }
+}
+
+resource "aws_route53_record" "www-ipv6" {
+  count   = var.disable_http_redirect ? 0 : 1
+  zone_id = var.route53_zone_id
+  name    = "www.${local.fqdn}"
+  type    = "AAAA"
+
+  alias {
+    name                   = aws_lb.service.dns_name
+    zone_id                = aws_lb.service.zone_id
+    evaluate_target_health = true
+  }
+}
diff --git a/aws-ecs-service/iam.tf b/aws-ecs-service/iam.tf
new file mode 100644
index 00000000..3caebb47
--- /dev/null
+++ b/aws-ecs-service/iam.tf
@@ -0,0 +1,57 @@
+data "aws_iam_policy_document" "execution_role" {
+  statement {
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role" "task_execution_role" {
+  count              = var.registry_secretsmanager_arn != null ? 1 : 0
+  name               = "${local.name}-execution-role"
+  assume_role_policy = data.aws_iam_policy_document.execution_role.json
+}
+
+# TODO: Add support for giving permissions to ECR ARNs and possibly cloudwatch log group
+# Or provide ability to pass in own execution role ARN
+resource "aws_iam_role_policy_attachment" "task_execution_role" {
+  count      = var.registry_secretsmanager_arn != null ? 1 : 0
+  role       = aws_iam_role.task_execution_role[0].name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+data "aws_iam_policy_document" "registry_secretsmanager" {
+  count = var.registry_secretsmanager_arn != null ? 1 : 0
+
+  statement {
+    actions = [
+      "kms:Decrypt",
+    ]
+
+    resources = [var.registry_secretsmanager_arn]
+  }
+
+  statement {
+    actions = [
+      "secretsmanager:GetSecretValue",
+    ]
+
+    # Limit to only current version of the secret
+    condition {
+      test     = "ForAnyValue:StringEquals"
+      variable = "secretsmanager:VersionStage"
+      values   = ["AWSCURRENT"]
+    }
+
+    resources = [var.registry_secretsmanager_arn]
+  }
+}
+
+resource "aws_iam_role_policy" "task_execution_role_secretsmanager" {
+  count  = var.registry_secretsmanager_arn != null ? 1 : 0
+  role   = aws_iam_role.task_execution_role[0].name
+  policy = data.aws_iam_policy_document.registry_secretsmanager[0].json
+}
diff --git a/aws-ecs-service/main.tf b/aws-ecs-service/main.tf
new file mode 100755
index 00000000..06c8dc6b
--- /dev/null
+++ b/aws-ecs-service/main.tf
@@ -0,0 +1,14 @@
+locals {
+  name = "${var.project}-${var.env}-${var.service}"
+
+  default_tags = {
+    managedBy = "terraform"
+    Name      = local.name
+    project   = var.project
+    env       = var.env
+    service   = var.service
+    owner     = var.owner
+  }
+
+  tags = merge(var.extra_tags, local.default_tags)
+}
diff --git a/aws-ecs-service/outputs.tf b/aws-ecs-service/outputs.tf
new file mode 100755
index 00000000..2d22bba7
--- /dev/null
+++ b/aws-ecs-service/outputs.tf
@@ -0,0 +1,27 @@
+output "alb_dns_name" {
+  value = aws_lb.service.dns_name
+}
+
+output "alb_route53_zone_id" {
+  value = aws_lb.service.zone_id
+}
+
+output "ecs_task_definition_family" {
+  description = "The family of the task definition defined for the given/generated container definition."
+  value       = aws_ecs_task_definition.job.family
+}
+
+output "container_security_group_id" {
+  description = "Security group id for the container."
+  value       = module.container-sg.this_security_group_id
+}
+
+output "private_service_discovery_domain" {
+  description = "Domain name for service discovery, if with_service_discovery=true. Only resolvable within the VPC."
+  value       = "${coalescelist(aws_service_discovery_service.discovery.*.name, [""])[0]}${var.with_service_discovery ? "." : ""}${coalescelist(aws_service_discovery_private_dns_namespace.discovery.*.name, [""])[0]}"
+}
+
+output "alb_access_logs_prefix" {
+  description = "ALB access logs S3 prefix"
+  value       = local.access_logs_prefix
+}
diff --git a/aws-ecs-service/service.tf b/aws-ecs-service/service.tf
new file mode 100644
index 00000000..9a7cdb39
--- /dev/null
+++ b/aws-ecs-service/service.tf
@@ -0,0 +1,147 @@
+locals {
+  container_name = var.container_name == null ? local.name : var.container_name
+
+  task_definition = "${aws_ecs_task_definition.job.family}:${aws_ecs_task_definition.job.revision}"
+}
+
+module "container-sg" {
+  source      = "terraform-aws-modules/security-group/aws"
+  version     = "3.1.0"
+  create      = var.awsvpc_network_mode
+  name        = local.name
+  description = "ECS ingress port"
+  vpc_id      = var.vpc_id
+  tags        = local.tags
+
+  ingress_with_source_security_group_id = [
+    {
+      from_port                = var.container_port
+      to_port                  = var.container_port
+      protocol                 = "tcp"
+      description              = "Container port"
+      source_security_group_id = module.alb-sg.this_security_group_id
+    },
+  ]
+
+  egress_with_cidr_blocks = length(var.task_egress_cidrs) == 0 ? [] : [
+    {
+      cidr_blocks = join(",", var.task_egress_cidrs)
+      rule        = "all-all"
+    },
+  ]
+
+  egress_with_source_security_group_id = [
+    for sg in var.task_egress_security_group_ids : {
+      rule                     = "all-all"
+      source_security_group_id = sg
+    }
+  ]
+}
+
+# Only one of the following is active at a time, depending on var.manage_task_definition
+resource "aws_ecs_service" "job" {
+  name    = local.name
+  cluster = var.cluster_id
+  count   = var.manage_task_definition ? 1 : 0
+
+  task_definition                   = local.task_definition
+  desired_count                     = var.desired_count
+  health_check_grace_period_seconds = var.health_check_grace_period_seconds
+
+  dynamic "network_configuration" {
+    for_each = compact([var.awsvpc_network_mode ? "present" : ""])
+    content {
+      subnets         = var.task_subnets
+      security_groups = [module.container-sg.this_security_group_id]
+    }
+  }
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.service.arn
+    container_name   = local.container_name
+    container_port   = var.container_port
+  }
+
+  dynamic "service_registries" {
+    for_each = aws_service_discovery_service.discovery[*]
+    content {
+      registry_arn = service_registries.arn
+    }
+  }
+
+  tags = local.tags
+
+  depends_on = [aws_lb.service]
+}
+
+resource "aws_ecs_service" "unmanaged-job" {
+  name    = local.name
+  cluster = var.cluster_id
+  count   = var.manage_task_definition ? 0 : 1
+
+  task_definition                   = local.task_definition
+  desired_count                     = var.desired_count
+  health_check_grace_period_seconds = var.health_check_grace_period_seconds
+
+  dynamic "network_configuration" {
+    for_each = compact([var.awsvpc_network_mode ? "present" : ""])
+    content {
+      subnets         = var.task_subnets
+      security_groups = [module.container-sg.this_security_group_id]
+    }
+  }
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.service.arn
+    container_name   = local.container_name
+    container_port   = var.container_port
+  }
+
+  dynamic "service_registries" {
+    for_each = aws_service_discovery_service.discovery[*]
+    content {
+      registry_arn = aws_service_discovery_service.discovery[0].arn
+    }
+  }
+
+  # This lifecycle block is the only difference between job and unmanaged-job
+  lifecycle {
+    ignore_changes = [task_definition]
+  }
+
+  tags = local.tags
+
+  depends_on = [aws_lb.service]
+}
+
+# Default container definition if manage_task_definition == false.
+# Defaults to a minimal hello-world implementation; should be updated separately from
+# Terraform, e.g. using ecs deploy or czecs
+
+locals {
+  dummy_task = <<TEMPLATE
+[
+  {
+    "name": "${local.container_name}",
+    "image": "library/busybox:1.29",
+    "command": ["sh", "-c", "while true; do { echo -e 'HTTP/1.1 200 OK\r\n\nRunning stub server'; date; } | nc -l -p ${var.container_port}; done"],
+    "memoryReservation": 4,
+    "portMappings": [
+      {
+        "containerPort": ${var.container_port},
+        "hostPort": ${var.awsvpc_network_mode ? var.container_port : 0}
+      }
+    ]
+  }
+]
+TEMPLATE
+}
+
+resource "aws_ecs_task_definition" "job" {
+  family                = local.name
+  container_definitions = var.manage_task_definition ? var.task_definition : local.dummy_task
+  task_role_arn         = var.task_role_arn
+  tags                  = local.tags
+  network_mode          = var.awsvpc_network_mode ? "awsvpc" : null
+  execution_role_arn    = var.registry_secretsmanager_arn == null ? null : aws_iam_role.task_execution_role[0].arn
+}
diff --git a/aws-ecs-service/variables.tf b/aws-ecs-service/variables.tf
new file mode 100755
index 00000000..d1881bc9
--- /dev/null
+++ b/aws-ecs-service/variables.tf
@@ -0,0 +1,186 @@
+variable "project" {
+  type        = string
+  description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)"
+}
+
+variable "service" {
+  type        = string
+  description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)."
+}
+
+variable "env" {
+  type        = string
+  description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)."
+}
+
+variable "owner" {
+  type        = string
+  description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)."
+}
+
+variable "extra_tags" {
+  type        = map(string)
+  description = "Extra tags that will be added to components created by this module."
+  default     = {}
+}
+
+variable "cluster_id" {
+  type = string
+}
+
+variable "desired_count" {
+  type = number
+}
+
+variable "lb_subnets" {
+  description = "List of subnets in which to deploy the load balancer."
+  type        = list(string)
+}
+
+variable "vpc_id" {
+  type = string
+}
+
+variable "container_name" {
+  description = "Name of the container. Must match name in task definition. If omitted, defaults to name derived from project/env/service."
+  type        = string
+  default     = null
+}
+
+variable "container_port" {
+  description = "The port the container to be exposed to is listening on."
+  type        = number
+}
+
+variable "health_check_path" {
+  type    = string
+  default = "/"
+}
+
+variable "route53_zone_id" {
+  description = "Zone in which to create an alias record to the ALB."
+  type        = string
+}
+
+variable "subdomain" {
+  description = "Subdomain in the zone. Final domain name will be subdomain.zone"
+  type        = string
+}
+
+variable "task_role_arn" {
+  type = string
+}
+
+variable "task_definition" {
+  description = "JSON to describe task. If omitted, defaults to a stub task that is expected to be managed outside of Terraform."
+  type        = string
+  default     = null
+}
+
+variable "acm_certificate_arn" {
+  description = "Certificate for the HTTPS listener."
+  type        = string
+}
+
+variable "ssl_policy" {
+  description = "ELB policy to determine which SSL/TLS encryption protocols are enabled. Probably don't touch this."
+  type        = string
+  default     = null
+}
+
+variable "task_subnets" {
+  description = "List of subnets in which to deploy the task for awsvpc networking mode. Only used if awsvpc_network_mode is true."
+  type        = list(string)
+  default     = []
+}
+
+variable "task_egress_cidrs" {
+  type        = list(string)
+  description = "CIDR blocks the task is allowed to communicate with for outbound traffic. Only used if awsvpc_network_mode is true."
+  default     = ["0.0.0.0/0"]
+}
+
+variable "task_egress_security_group_ids" {
+  type        = list(string)
+  description = "Security groups the task is allowed to communicate with for outbound traffic. Only used if awsvpc_network_mode is true."
+  default     = []
+}
+
+variable "awsvpc_network_mode" {
+  description = "Give the task its own IP and security group if true. Use host EC2 network if false."
+  type        = bool
+  default     = false
+}
+
+variable "lb_ingress_cidrs" {
+  type    = list(string)
+  default = ["0.0.0.0/0"]
+}
+
+variable "lb_ingress_security_group_ids" {
+  type    = list(string)
+  default = []
+}
+
+variable "lb_idle_timeout_seconds" {
+  type    = number
+  default = 60
+}
+
+variable "internal_lb" {
+  type    = bool
+  default = false
+}
+
+variable "health_check_matcher" {
+  type        = string
+  description = "Range of HTTP status codes considered success for health checks. [Doc](https://www.terraform.io/docs/providers/aws/r/lb_target_group.html#matcher)"
+  default     = "200-399"
+}
+
+variable "disable_http_redirect" {
+  description = "Disable redirecting HTTP to HTTPS."
+  default     = true
+}
+
+variable "health_check_timeout" {
+  description = "Timeout for a health check of the underlying service."
+  type        = number
+  default     = null
+}
+
+variable "health_check_interval" {
+  description = "Time between health checks of the underlying service."
+  type        = number
+  default     = null
+}
+
+variable "health_check_grace_period_seconds" {
+  type        = number
+  description = "Seconds to ignore failing load balancer health checks on newly instantiated tasks to prevent premature shutdown, up to 7200."
+  default     = 60
+}
+
+variable "registry_secretsmanager_arn" {
+  description = "ARN for AWS Secrets Manager secret for credentials to private registry"
+  type        = string
+  default     = null
+}
+
+variable "with_service_discovery" {
+  description = "Register the service with ECS service discovery. Adds a sub-zone to the given route53_zone_id."
+  type        = bool
+  default     = false
+}
+
+variable "access_logs_bucket" {
+  description = "S3 bucket to write alb access logs to. Null for no access logs."
+  type        = string
+  default     = null
+}
+
+variable "manage_task_definition" {
+  description = "If false, Terraform will not touch the task definition for the ECS service after initial creation"
+  type        = bool
+  default     = true
+}
\ No newline at end of file