Skip to content

Latest commit

 

History

History
559 lines (477 loc) · 80.7 KB

README.md

File metadata and controls

559 lines (477 loc) · 80.7 KB

Project Banner

Latest ReleaseLast UpdatedSlack Community

A Terraform module which implements a web app on ECS and supporting AWS resources.

Tip

👽 Use Atmos with Terraform

Cloud Posse uses atmos to easily orchestrate multiple environments using Terraform.
Works with Github Actions, Atlantis, or Spacelift.

Watch demo of using Atmos with Terraform
Example of running atmos to manage infrastructure from our Quick Start tutorial.

Usage

For a complete example, see examples/complete.

For automated tests of the complete example using bats and Terratest (which test and deploy the example on AWS), see test.

Other examples:

module "default_backend_web_app" {
  source = "cloudposse/ecs-web-app/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version     = "x.x.x"
  namespace                                       = "eg"
  stage                                           = "testing"
  name                                            = "appname"
  vpc_id                                          = module.vpc.vpc_id
  alb_ingress_unauthenticated_listener_arns       = module.alb.listener_arns
  alb_ingress_unauthenticated_listener_arns_count = 1
  aws_logs_region                                 = "us-east-2"
  ecs_cluster_arn                                 = aws_ecs_cluster.default.arn
  ecs_cluster_name                                = aws_ecs_cluster.default.name
  ecs_security_group_ids                          = [module.vpc.vpc_default_security_group_id]
  ecs_private_subnet_ids                          = module.subnets.private_subnet_ids
  alb_ingress_healthcheck_path                    = "/healthz"
  alb_ingress_unauthenticated_paths               = ["/*"]
  codepipeline_enabled                            = false

  container_environment = [
    {
      name = "COOKIE"
      value = "cookiemonster"
    },
    {
      name = "PORT"
      value = "80"
    }
  ]
}

Important

In Cloud Posse's examples, we avoid pinning modules to specific versions to prevent discrepancies between the documentation and the latest released versions. However, for your own projects, we strongly advise pinning each module to the exact version you're using. This practice ensures the stability of your infrastructure. Additionally, we recommend implementing a systematic approach for updating versions to avoid unexpected changes.

Makefile Targets

Available targets:

  help                                Help screen
  help/all                            Display help for all targets
  help/short                          This help short screen
  lint                                Lint terraform code

Requirements

Name Version
terraform >= 1
aws >= 5.0

Providers

Name Version
aws >= 5.0

Modules

Name Source Version
alb_ingress cloudposse/alb-ingress/aws 0.28.0
alb_target_group_cloudwatch_sns_alarms cloudposse/alb-target-group-cloudwatch-sns-alarms/aws 0.17.0
container_definition cloudposse/ecs-container-definition/aws 0.58.1
ecr cloudposse/ecr/aws 0.41.0
ecs_alb_service_task cloudposse/ecs-alb-service-task/aws 0.64.1
ecs_cloudwatch_autoscaling cloudposse/ecs-cloudwatch-autoscaling/aws 0.7.5
ecs_cloudwatch_sns_alarms cloudposse/ecs-cloudwatch-sns-alarms/aws 0.12.2
ecs_codepipeline cloudposse/ecs-codepipeline/aws 0.34.1
this cloudposse/label/null 0.25.0

Resources

Name Type
aws_cloudwatch_log_group.app resource
aws_region.current data source

Inputs

Name Description Type Default Required
additional_tag_map Additional key-value pairs to add to each map in tags_as_list_of_maps. Not added to tags or id.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration.
map(string) {} no
alb_arn_suffix ARN suffix of the ALB for the Target Group string "" no
alb_container_name The name of the container to associate with the ALB. If not provided, the generated container will be used string null no
alb_ingress_authenticated_hosts Authenticated hosts to match in Hosts header list(string) [] no
alb_ingress_authenticated_listener_arns A list of authenticated ALB listener ARNs to attach ALB listener rules to list(string) [] no
alb_ingress_authenticated_listener_arns_count The number of authenticated ARNs in alb_ingress_authenticated_listener_arns. This is necessary to work around a limitation in Terraform where counts cannot be computed number 0 no
alb_ingress_authenticated_paths Authenticated path pattern to match (a maximum of 1 can be defined) list(string) [] no
alb_ingress_enable_default_target_group If true, create a default target group for the ALB ingress bool true no
alb_ingress_health_check_healthy_threshold The number of consecutive health checks successes required before healthy number 2 no
alb_ingress_health_check_interval The duration in seconds in between health checks number 15 no
alb_ingress_health_check_matcher The HTTP response codes to indicate a healthy check string "200-399" no
alb_ingress_health_check_timeout The amount of time to wait in seconds before failing a health check request number 10 no
alb_ingress_health_check_unhealthy_threshold The number of consecutive health check failures required before unhealthy number 2 no
alb_ingress_healthcheck_path The path of the healthcheck which the ALB checks string "/" no
alb_ingress_healthcheck_protocol The protocol to use to connect with the target. Defaults to HTTP. Not applicable when target_type is lambda string "HTTP" no
alb_ingress_listener_authenticated_priority The priority for the rules with authentication, between 1 and 50000 (1 being highest priority). Must be different from alb_ingress_listener_unauthenticated_priority since a listener can't have multiple rules with the same priority number 300 no
alb_ingress_listener_unauthenticated_priority The priority for the rules without authentication, between 1 and 50000 (1 being highest priority). Must be different from alb_ingress_listener_authenticated_priority since a listener can't have multiple rules with the same priority number 1000 no
alb_ingress_load_balancing_algorithm_type Determines how the load balancer selects targets when routing requests. Only applicable for Application Load Balancer Target Groups. The value is round_robin or least_outstanding_requests. The default is round_robin. string "round_robin" no
alb_ingress_protocol The protocol for the created ALB target group (if target_group_arn is not set). One of HTTP, HTTPS. Defaults to HTTP. string "HTTP" no
alb_ingress_protocol_version The protocol version. One of HTTP1, HTTP2, GRPC. Only applicable when protocol is HTTP or HTTPS. Specify GRPC to send requests to targets using gRPC. Specify HTTP2 to send requests to targets using HTTP/2. The default is HTTP1, which sends requests to targets using HTTP/1.1 string "HTTP1" no
alb_ingress_target_group_arn Existing ALB target group ARN. If provided, set alb_ingress_enable_default_target_group to false to disable creation of the default target group string "" no
alb_ingress_target_type Target type for the ALB ingress. One of ip, instance, lambda or container. Defaults to ip, for bridge networking mode should be instance string "ip" no
alb_ingress_unauthenticated_hosts Unauthenticated hosts to match in Hosts header list(string) [] no
alb_ingress_unauthenticated_listener_arns A list of unauthenticated ALB listener ARNs to attach ALB listener rules to list(string) [] no
alb_ingress_unauthenticated_listener_arns_count The number of unauthenticated ARNs in alb_ingress_unauthenticated_listener_arns. This is necessary to work around a limitation in Terraform where counts cannot be computed number 0 no
alb_ingress_unauthenticated_paths Unauthenticated path pattern to match (a maximum of 1 can be defined) list(string) [] no
alb_security_group Security group of the ALB string n/a yes
alb_stickiness_cookie_duration The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds) number 86400 no
alb_stickiness_enabled Boolean to enable / disable stickiness. Default is true bool true no
alb_stickiness_type The type of sticky sessions. The only current possible value is lb_cookie string "lb_cookie" no
alb_target_group_alarms_3xx_threshold The maximum number of 3XX HTTPCodes in a given period for ECS Service number 25 no
alb_target_group_alarms_4xx_threshold The maximum number of 4XX HTTPCodes in a given period for ECS Service number 25 no
alb_target_group_alarms_5xx_threshold The maximum number of 5XX HTTPCodes in a given period for ECS Service number 25 no
alb_target_group_alarms_alarm_actions A list of ARNs (i.e. SNS Topic ARN) to execute when ALB Target Group alarms transition into an ALARM state from any other state list(string) [] no
alb_target_group_alarms_enabled A boolean to enable/disable CloudWatch Alarms for ALB Target metrics bool false no
alb_target_group_alarms_evaluation_periods The number of periods to analyze for ALB CloudWatch Alarms number 1 no
alb_target_group_alarms_insufficient_data_actions A list of ARNs (i.e. SNS Topic ARN) to execute when ALB Target Group alarms transition into an INSUFFICIENT_DATA state from any other state list(string) [] no
alb_target_group_alarms_ok_actions A list of ARNs (i.e. SNS Topic ARN) to execute when ALB Target Group alarms transition into an OK state from any other state list(string) [] no
alb_target_group_alarms_period The period (in seconds) to analyze for ALB CloudWatch Alarms number 300 no
alb_target_group_alarms_response_time_threshold The maximum ALB Target Group response time number 0.5 no
assign_public_ip Assign a public IP address to the ENI (Fargate launch type only). Valid values are true or false. Default false bool false no
attributes ID element. Additional attributes (e.g. workers or cluster) to add to id,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the delimiter
and treated as a single ID element.
list(string) [] no
authentication_cognito_scope Cognito scope, which should be a space separated string of requested scopes (see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) string null no
authentication_cognito_user_pool_arn Cognito User Pool ARN string "" no
authentication_cognito_user_pool_client_id Cognito User Pool Client ID string "" no
authentication_cognito_user_pool_domain Cognito User Pool Domain. The User Pool Domain should be set to the domain prefix (xxx) instead of full domain (https://xxx.auth.us-west-2.amazoncognito.com) string "" no
authentication_oidc_authorization_endpoint OIDC Authorization Endpoint string "" no
authentication_oidc_client_id OIDC Client ID string "" no
authentication_oidc_client_secret OIDC Client Secret string "" no
authentication_oidc_issuer OIDC Issuer string "" no
authentication_oidc_scope OIDC scope, which should be a space separated string of requested scopes (see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims, and https://developers.google.com/identity/protocols/oauth2/openid-connect#scope-param for an example set of scopes when using Google as the IdP) string null no
authentication_oidc_token_endpoint OIDC Token Endpoint string "" no
authentication_oidc_user_info_endpoint OIDC User Info Endpoint string "" no
authentication_type Authentication type. Supported values are COGNITO and OIDC string "" no
autoscaling_dimension Dimension to autoscale on (valid options: cpu, memory) string "memory" no
autoscaling_enabled A boolean to enable/disable Autoscaling policy for ECS Service bool false no
autoscaling_max_capacity Maximum number of running instances of a Service number 2 no
autoscaling_min_capacity Minimum number of running instances of a Service number 1 no
autoscaling_scale_down_adjustment Scaling adjustment to make during scale down event number -1 no
autoscaling_scale_down_cooldown Period (in seconds) to wait between scale down events number 300 no
autoscaling_scale_up_adjustment Scaling adjustment to make during scale up event number 1 no
autoscaling_scale_up_cooldown Period (in seconds) to wait between scale up events number 60 no
aws_logs_prefix Custom AWS Logs prefix. If empty name from label module will be used string "" no
aws_logs_region The region for the AWS Cloudwatch Logs group string null no
badge_enabled Generates a publicly-accessible URL for the projects build badge. Available as badge_url attribute when enabled bool false no
branch Branch of the GitHub repository, e.g. master string "" no
build_environment_variables A list of maps, that contain the keys 'name', 'value', and 'type' to be used as additional environment variables for the build. Valid types are 'PLAINTEXT', 'PARAMETER_STORE', or 'SECRETS_MANAGER'
list(object(
{
name = string
value = string
type = string
}))
[] no
build_image Docker image for build environment, e.g. aws/codebuild/docker:docker:17.09.0 string "aws/codebuild/docker:17.09.0" no
build_timeout How long in minutes, from 5 to 480 (8 hours), for AWS CodeBuild to wait until timing out any related build that does not get marked as completed number 60 no
buildspec Declaration to use for building the project. For more info string "" no
capacity_provider_strategies The capacity provider strategies to use for the service. See capacity_provider_strategy configuration block: https://www.terraform.io/docs/providers/aws/r/ecs_service.html#capacity_provider_strategy
list(object({
capacity_provider = string
weight = number
base = number
}))
[] no
circuit_breaker_deployment_enabled If true, enable the deployment circuit breaker logic for the service bool false no
circuit_breaker_rollback_enabled If true, Amazon ECS will roll back the service if a service deployment fails bool false no
cloudwatch_log_group_enabled A boolean to disable cloudwatch log group creation bool true no
codebuild_cache_type The type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO_CACHE, LOCAL, and S3. Defaults to NO_CACHE. If cache_type is S3, it will create an S3 bucket for storing codebuild cache inside string "S3" no
codepipeline_build_cache_bucket_suffix_enabled The codebuild cache bucket generates a random 13 character string to generate a unique bucket name. If set to false it uses terraform-null-label's id value. It only works when cache_type is 'S3' bool true no
codepipeline_build_compute_type CodeBuild instance size. Possible values are: BUILD_GENERAL1_SMALL BUILD_GENERAL1_MEDIUM BUILD_GENERAL1_LARGE string "BUILD_GENERAL1_SMALL" no
codepipeline_cdn_bucket_buildspec_identifier Identifier for buildspec section controlling the optional CDN asset deployment. string null no
codepipeline_cdn_bucket_encryption_enabled If set to true, enable encryption on the optional CDN asset deployment bucket bool false no
codepipeline_cdn_bucket_id Optional bucket for static asset deployment. If specified, the buildspec must include a secondary artifacts section which controls the files deployed to the bucket For more info string null no
codepipeline_enabled A boolean to enable/disable AWS Codepipeline. If false, use ecr_enabled to control if AWS ECR stays enabled. bool true no
codepipeline_s3_bucket_force_destroy A boolean that indicates all objects should be deleted from the CodePipeline artifact store S3 bucket so that the bucket can be destroyed without error bool false no
command The command that is passed to the container list(string) null no
container_cpu The vCPU setting to control cpu limits of container. (If FARGATE launch type is used below, this must be a supported vCPU size from the table here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html) number 256 no
container_definition Override the main container_definition string "" no
container_environment The environment variables to pass to the container. This is a list of maps
list(object({
name = string
value = string
}))
null no
container_image The default container image to use in container definition string "cloudposse/default-backend" no
container_memory The amount of RAM to allow container to use in MB. (If FARGATE launch type is used below, this must be a supported Memory size from the table here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html) number 512 no
container_memory_reservation The amount of RAM (Soft Limit) to allow container to use in MB. This value must be less than container_memory if set number 128 no
container_port The port number on the container bound to assigned host_port number 80 no
container_repo_credentials Container repository credentials; required when using a private repo. This map currently supports a single key; "credentialsParameter", which should be the ARN of a Secrets Manager's secret holding the credentials map(string) null no
container_start_timeout Time duration (in seconds) to wait before giving up on resolving dependencies for a container number 30 no
container_stop_timeout Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own number 30 no
context Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as null to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged.
any
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
no
delimiter Delimiter to be used between ID elements.
Defaults to - (hyphen). Set to "" to use no delimiter at all.
string null no
deployment_controller_type Type of deployment controller. Valid values are CODE_DEPLOY and ECS string "ECS" no
deployment_maximum_percent The upper limit of the number of tasks (as a percentage of desired_count) that can be running in a service during a deployment number 200 no
deployment_minimum_healthy_percent The lower limit (as a percentage of desired_count) of the number of tasks that must remain running and healthy in a service during a deployment number 100 no
descriptor_formats Describe additional descriptors to be output in the descriptors output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
{<br/> format = string<br/> labels = list(string)<br/>}
(Type is any so the map values can later be enhanced to provide additional options.)
format is a Terraform format string to be passed to the format() function.
labels is a list of labels, in order, to pass to format() function.
Label values will be normalized before being passed to format() so they will be
identical to how they appear in id.
Default is {} (descriptors output will be empty).
any {} no
desired_count The desired number of tasks to start with. Set this to 0 if using DAEMON Service type. (FARGATE does not suppoert DAEMON Service type) number 1 no
ecr_enabled A boolean to enable/disable AWS ECR bool true no
ecr_image_tag_mutability The tag mutability setting for the ecr repository. Must be one of: MUTABLE or IMMUTABLE string "IMMUTABLE" no
ecr_scan_images_on_push Indicates whether images are scanned after being pushed to the repository (true) or not (false) bool false no
ecs_alarms_cpu_utilization_high_alarm_actions A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization High Alarm action list(string) [] no
ecs_alarms_cpu_utilization_high_evaluation_periods Number of periods to evaluate for the alarm number 1 no
ecs_alarms_cpu_utilization_high_ok_actions A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization High OK action list(string) [] no
ecs_alarms_cpu_utilization_high_period Duration in seconds to evaluate for the alarm number 300 no
ecs_alarms_cpu_utilization_high_threshold The maximum percentage of CPU utilization average number 80 no
ecs_alarms_cpu_utilization_low_alarm_actions A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization Low Alarm action list(string) [] no
ecs_alarms_cpu_utilization_low_evaluation_periods Number of periods to evaluate for the alarm number 1 no
ecs_alarms_cpu_utilization_low_ok_actions A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization Low OK action list(string) [] no
ecs_alarms_cpu_utilization_low_period Duration in seconds to evaluate for the alarm number 300 no
ecs_alarms_cpu_utilization_low_threshold The minimum percentage of CPU utilization average number 20 no
ecs_alarms_enabled A boolean to enable/disable CloudWatch Alarms for ECS Service metrics bool false no
ecs_alarms_memory_utilization_high_alarm_actions A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization High Alarm action list(string) [] no
ecs_alarms_memory_utilization_high_evaluation_periods Number of periods to evaluate for the alarm number 1 no
ecs_alarms_memory_utilization_high_ok_actions A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization High OK action list(string) [] no
ecs_alarms_memory_utilization_high_period Duration in seconds to evaluate for the alarm number 300 no
ecs_alarms_memory_utilization_high_threshold The maximum percentage of Memory utilization average number 80 no
ecs_alarms_memory_utilization_low_alarm_actions A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization Low Alarm action list(string) [] no
ecs_alarms_memory_utilization_low_evaluation_periods Number of periods to evaluate for the alarm number 1 no
ecs_alarms_memory_utilization_low_ok_actions A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization Low OK action list(string) [] no
ecs_alarms_memory_utilization_low_period Duration in seconds to evaluate for the alarm number 300 no
ecs_alarms_memory_utilization_low_threshold The minimum percentage of Memory utilization average number 20 no
ecs_cluster_arn The ECS Cluster ARN where ECS Service will be provisioned string n/a yes
ecs_cluster_name The ECS Cluster Name to use in ECS Code Pipeline Deployment step string null no
ecs_private_subnet_ids List of Private Subnet IDs to provision ECS Service onto if var.network_mode = "awsvpc" list(string) n/a yes
ecs_security_group_enabled Whether to create a security group for the service. bool true no
ecs_security_group_ids Additional Security Group IDs to allow into ECS Service if var.network_mode = "awsvpc" list(string) [] no
enable_all_egress_rule A flag to enable/disable adding the all ports egress rule to the ECS security group bool true no
enable_ecs_managed_tags Specifies whether to enable Amazon ECS managed tags for the tasks within the service bool false no
enabled Set to false to prevent the module from creating any resources bool null no
entrypoint The entry point that is passed to the container list(string) null no
environment ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' string null no
exec_enabled Specifies whether to enable Amazon ECS Exec for the tasks within the service bool false no
force_new_deployment Enable to force a new task deployment of the service. bool false no
github_oauth_token GitHub Oauth Token with permissions to access private repositories string "" no
github_webhook_events A list of events which should trigger the webhook. See a list of available events list(string)
[
"push"
]
no
health_check_grace_period_seconds Seconds to ignore failing load balancer health checks on newly instantiated tasks to prevent premature shutdown, up to 7200. Only valid for services configured to use load balancers number 0 no
healthcheck A map containing command (string), timeout, interval (duration in seconds), retries (1-10, number of times to retry before marking container unhealthy), and startPeriod (0-300, optional grace period to wait, in seconds, before failed healthchecks count toward retries)
object({
command = list(string)
retries = number
timeout = number
interval = number
startPeriod = number
})
null no
id_length_limit Limit id to this many characters (minimum 6).
Set to 0 for unlimited length.
Set to null for keep the existing setting, which defaults to 0.
Does not affect id_full.
number null no
ignore_changes_desired_count Whether to ignore changes for desired count in the ECS service bool false no
ignore_changes_task_definition Ignore changes (like environment variables) to the ECS task definition bool true no
init_containers A list of additional init containers to start. The map contains the container_definition (JSON) and the main container's dependency condition (string) on the init container. The latter can be one of START, COMPLETE, SUCCESS, HEALTHY, or null. If null, the init container will not be added to the depends_on list of the main container.
list(object({
container_definition = any
condition = string
}))
[] no
label_key_case Controls the letter case of the tags keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the tags input.
Possible values: lower, title, upper.
Default value: title.
string null no
label_order The order in which the labels (ID elements) appear in the id.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
list(string) null no
label_value_case Controls the letter case of ID elements (labels) as included in id,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the tags input.
Possible values: lower, title, upper and none (no transformation).
Set this to title and set delimiter to "" to yield Pascal Case IDs.
Default value: lower.
string null no
labels_as_tags Set of labels (ID elements) to include as tags in the tags output.
Default is to include all labels.
Tags with empty values will not be included in the tags output.
Set to [] to suppress all generated tags.
Notes:
The value of the name tag, if included, will be the id, not the name.
Unlike other null-label inputs, the initial setting of labels_as_tags cannot be
changed in later chained modules. Attempts to change it will be silently ignored.
set(string)
[
"default"
]
no
launch_type The ECS launch type (valid options: FARGATE or EC2) string "FARGATE" no
linux_parameters Linux-specific modifications that are applied to the container, such as Linux kernel capabilities. For more details, see https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_LinuxParameters.html
object({
capabilities = optional(object({
add = optional(list(string))
drop = optional(list(string))
}))
devices = optional(list(object({
containerPath = optional(string)
hostPath = optional(string)
permissions = optional(list(string))
})))
initProcessEnabled = optional(bool)
maxSwap = optional(number)
sharedMemorySize = optional(number)
swappiness = optional(number)
tmpfs = optional(list(object({
containerPath = optional(string)
mountOptions = optional(list(string))
size = number
})))
})
{} no
log_driver The log driver to use for the container. If using Fargate launch type, only supported value is awslogs string "awslogs" no
log_retention_in_days The number of days to retain logs for the log group number 90 no
map_container_environment The environment variables to pass to the container. This is a map of string: {key: value}. environment overrides map_environment map(string) null no
mount_points Container mount points. This is a list of maps, where each map should contain a containerPath and sourceVolume
list(object({
containerPath = string
sourceVolume = string
readOnly = bool
}))
[] no
name ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a tag.
The "name" tag is set to the full id string. There is no tag with the value of the name input.
string null no
namespace ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique string null no
network_mode The network mode to use for the task. This is required to be awsvpc for FARGATE launch_type or null for EC2 launch_type string "awsvpc" no
nlb_cidr_blocks A list of CIDR blocks to add to the ingress rule for the NLB container port list(string) [] no
nlb_container_name The name of the container to associate with the NLB. If not provided, the generated container will be used string null no
nlb_container_port The port number on the container bound to assigned NLB host_port number 80 no
nlb_ingress_target_group_arn Target group ARN of the NLB ingress string "" no
permissions_boundary A permissions boundary ARN to apply to the 3 roles that are created. string "" no
platform_version The platform version on which to run your service. Only applicable for launch_type set to FARGATE. More information about Fargate platform versions can be found in the AWS ECS User Guide. string "LATEST" no
poll_source_changes Periodically check the location of your source content and run the pipeline if changes are detected bool false no
port_mappings The port mappings to configure for the container. This is a list of maps. Each map should contain "containerPort", "hostPort", and "protocol", where "protocol" is one of "tcp" or "udp". If using containers in a task with the awsvpc or host network mode, the hostPort can either be left blank or set to the same value as the containerPort
list(object({
containerPort = number
hostPort = number
protocol = string
}))
[
{
"containerPort": 80,
"hostPort": 80,
"protocol": "tcp"
}
]
no
privileged When this variable is true, the container is given elevated privileges on the host container instance (similar to the root user). This parameter is not supported for Windows containers or tasks using the Fargate launch type. Due to how Terraform type casts booleans in json it is required to double quote this value string null no
propagate_tags Specifies whether to propagate the tags from the task definition or the service to the tasks. The valid values are SERVICE and TASK_DEFINITION string null no
regex_replace_chars Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, "/[^a-zA-Z0-9-]/" is used to remove all characters other than hyphens, letters and digits.
string null no
region AWS Region for S3 bucket string null no
repo_name GitHub repository name of the application to be built and deployed to ECS string "" no
repo_owner GitHub Organization or Username string "" no
runtime_platform Zero or one runtime platform configurations that containers in your task may use.
Map of strings with optional keys operating_system_family and cpu_architecture.
See runtime_platform docs https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#runtime_platform
list(map(string)) [] no
secrets The secrets to pass to the container. This is a list of maps
list(object({
name = string
valueFrom = string
}))
null no
service_registries The service discovery registries for the service. The maximum number of service_registries blocks is 1. The currently supported service registry is Amazon Route 53 Auto Naming Service - aws_service_discovery_service; see service_registries docs https://www.terraform.io/docs/providers/aws/r/ecs_service.html#service_registries-1
list(object({
registry_arn = string
port = number
container_name = string
container_port = number
}))
[] no
stage ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' string null no
system_controls A list of namespaced kernel parameters to set in the container, mapping to the --sysctl option to docker run. This is a list of maps: { namespace = "", value = ""} list(map(string)) null no
tags Additional tags (e.g. {'BusinessUnit': 'XYZ'}).
Neither the tag keys nor the tag values will be modified by this module.
map(string) {} no
task_cpu The number of CPU units used by the task. If unspecified, it will default to container_cpu. If using FARGATE launch type task_cpu must match supported memory values (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) number null no
task_memory The amount of memory (in MiB) used by the task. If unspecified, it will default to container_memory. If using Fargate launch type task_memory must match supported cpu value (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) number null no
task_policy_arns A list of IAM Policy ARNs to attach to the generated task role. list(string) [] no
task_role_arn The ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services string "" no
tenant ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for string null no
ulimits The ulimits to configure for the container. This is a list of maps. Each map should contain "name", "softLimit" and "hardLimit"
list(object({
name = string
softLimit = number
hardLimit = number
}))
[] no
use_alb_security_group A boolean to enable adding an ALB security group rule for the service task bool false no
use_ecr_image If true, use ECR repo URL for image, otherwise use value in container_image bool false no
use_nlb_cidr_blocks A flag to enable/disable adding the NLB ingress rule to the security group bool false no
volumes Task volume definitions as list of configuration objects
list(object({
host_path = string
name = string
docker_volume_configuration = list(object({
autoprovision = bool
driver = string
driver_opts = map(string)
labels = map(string)
scope = string
}))
efs_volume_configuration = list(object({
file_system_id = string
root_directory = string
transit_encryption = string
transit_encryption_port = string
authorization_config = list(object({
access_point_id = string
iam = string
}))
}))
}))
[] no
vpc_id The VPC ID where resources are created string n/a yes
webhook_authentication The type of authentication to use. One of IP, GITHUB_HMAC, or UNAUTHENTICATED string "GITHUB_HMAC" no
webhook_enabled Set to false to prevent the module from creating any webhook resources bool true no
webhook_filter_json_path The JSON path to filter on string "$.ref" no
webhook_filter_match_equals The value to match on (e.g. refs/heads/{Branch}) string "refs/heads/{Branch}" no
webhook_target_action The name of the action in a pipeline you want to connect to the webhook. The action must be from the source (first) stage of the pipeline string "Source" no

Outputs

Name Description
alb_ingress All outputs from module.alb_ingress
alb_ingress_target_group_arn ALB Target Group ARN
alb_ingress_target_group_arn_suffix ALB Target Group ARN suffix
alb_ingress_target_group_name ALB Target Group name
alb_target_group_cloudwatch_sns_alarms All outputs from module.alb_target_group_cloudwatch_sns_alarms
cloudwatch_log_group All outputs from aws_cloudwatch_log_group.app
cloudwatch_log_group_arn Cloudwatch log group ARN
cloudwatch_log_group_name Cloudwatch log group name
codebuild All outputs from module.ecs_codepipeline
codebuild_badge_url The URL of the build badge when badge_enabled is enabled
codebuild_cache_bucket_arn CodeBuild cache S3 bucket ARN
codebuild_cache_bucket_name CodeBuild cache S3 bucket name
codebuild_project_id CodeBuild project ID
codebuild_project_name CodeBuild project name
codebuild_role_arn CodeBuild IAM Role ARN
codebuild_role_id CodeBuild IAM Role ID
codepipeline_arn CodePipeline ARN
codepipeline_id CodePipeline ID
codepipeline_webhook_id The CodePipeline webhook's ID
codepipeline_webhook_url The CodePipeline webhook's URL. POST events to this endpoint to trigger the target
container_definition All outputs from module.container_definition
container_definition_json JSON encoded list of container definitions for use with other terraform resources such as aws_ecs_task_definition
container_definition_json_map JSON encoded container definitions for use with other terraform resources such as aws_ecs_task_definition
ecr All outputs from module.ecr
ecr_registry_id Registry ID
ecr_registry_url Repository URL
ecr_repository_arn ARN of ECR repository
ecr_repository_name Registry name
ecr_repository_url Repository URL
ecs_alarms All outputs from module.ecs_cloudwatch_sns_alarms
ecs_alarms_cpu_utilization_high_cloudwatch_metric_alarm_arn ECS CPU utilization high CloudWatch metric alarm ARN
ecs_alarms_cpu_utilization_high_cloudwatch_metric_alarm_id ECS CPU utilization high CloudWatch metric alarm ID
ecs_alarms_cpu_utilization_low_cloudwatch_metric_alarm_arn ECS CPU utilization low CloudWatch metric alarm ARN
ecs_alarms_cpu_utilization_low_cloudwatch_metric_alarm_id ECS CPU utilization low CloudWatch metric alarm ID
ecs_alarms_memory_utilization_high_cloudwatch_metric_alarm_arn ECS Memory utilization high CloudWatch metric alarm ARN
ecs_alarms_memory_utilization_high_cloudwatch_metric_alarm_id ECS Memory utilization high CloudWatch metric alarm ID
ecs_alarms_memory_utilization_low_cloudwatch_metric_alarm_arn ECS Memory utilization low CloudWatch metric alarm ARN
ecs_alarms_memory_utilization_low_cloudwatch_metric_alarm_id ECS Memory utilization low CloudWatch metric alarm ID
ecs_alb_service_task All outputs from module.ecs_alb_service_task
ecs_cloudwatch_autoscaling All outputs from module.ecs_cloudwatch_autoscaling
ecs_cloudwatch_autoscaling_scale_down_policy_arn ARN of the scale down policy
ecs_cloudwatch_autoscaling_scale_up_policy_arn ARN of the scale up policy
ecs_exec_role_policy_id The ECS service role policy ID, in the form of role_name:role_policy_name
ecs_exec_role_policy_name ECS service role name
ecs_service_arn ECS Service ARN
ecs_service_name ECS Service name
ecs_service_role_arn ECS Service role ARN
ecs_service_security_group_id Security Group ID of the ECS task
ecs_task_definition_family ECS task definition family
ecs_task_definition_revision ECS task definition revision
ecs_task_exec_role_arn ECS Task exec role ARN
ecs_task_exec_role_name ECS Task role name
ecs_task_role_arn ECS Task role ARN
ecs_task_role_id ECS Task role id
ecs_task_role_name ECS Task role name
httpcode_elb_5xx_count_cloudwatch_metric_alarm_arn ALB 5xx count CloudWatch metric alarm ARN
httpcode_elb_5xx_count_cloudwatch_metric_alarm_id ALB 5xx count CloudWatch metric alarm ID
httpcode_target_3xx_count_cloudwatch_metric_alarm_arn ALB Target Group 3xx count CloudWatch metric alarm ARN
httpcode_target_3xx_count_cloudwatch_metric_alarm_id ALB Target Group 3xx count CloudWatch metric alarm ID
httpcode_target_4xx_count_cloudwatch_metric_alarm_arn ALB Target Group 4xx count CloudWatch metric alarm ARN
httpcode_target_4xx_count_cloudwatch_metric_alarm_id ALB Target Group 4xx count CloudWatch metric alarm ID
httpcode_target_5xx_count_cloudwatch_metric_alarm_arn ALB Target Group 5xx count CloudWatch metric alarm ARN
httpcode_target_5xx_count_cloudwatch_metric_alarm_id ALB Target Group 5xx count CloudWatch metric alarm ID
target_response_time_average_cloudwatch_metric_alarm_arn ALB Target Group response time average CloudWatch metric alarm ARN
target_response_time_average_cloudwatch_metric_alarm_id ALB Target Group response time average CloudWatch metric alarm ID

Related Projects

Check out these related projects.

Tip

Use Terraform Reference Architectures for AWS

Use Cloud Posse's ready-to-go terraform architecture blueprints for AWS to get up and running quickly.

✅ We build it together with your team.
✅ Your team owns everything.
✅ 100% Open Source and backed by fanatical support.

Request Quote

📚 Learn More

Cloud Posse is the leading DevOps Accelerator for funded startups and enterprises.

Your team can operate like a pro today.

Ensure that your team succeeds by using Cloud Posse's proven process and turnkey blueprints. Plus, we stick around until you succeed.

Day-0: Your Foundation for Success

  • Reference Architecture. You'll get everything you need from the ground up built using 100% infrastructure as code.
  • Deployment Strategy. Adopt a proven deployment strategy with GitHub Actions, enabling automated, repeatable, and reliable software releases.
  • Site Reliability Engineering. Gain total visibility into your applications and services with Datadog, ensuring high availability and performance.
  • Security Baseline. Establish a secure environment from the start, with built-in governance, accountability, and comprehensive audit logs, safeguarding your operations.
  • GitOps. Empower your team to manage infrastructure changes confidently and efficiently through Pull Requests, leveraging the full power of GitHub Actions.

Request Quote

Day-2: Your Operational Mastery

  • Training. Equip your team with the knowledge and skills to confidently manage the infrastructure, ensuring long-term success and self-sufficiency.
  • Support. Benefit from a seamless communication over Slack with our experts, ensuring you have the support you need, whenever you need it.
  • Troubleshooting. Access expert assistance to quickly resolve any operational challenges, minimizing downtime and maintaining business continuity.
  • Code Reviews. Enhance your team’s code quality with our expert feedback, fostering continuous improvement and collaboration.
  • Bug Fixes. Rely on our team to troubleshoot and resolve any issues, ensuring your systems run smoothly.
  • Migration Assistance. Accelerate your migration process with our dedicated support, minimizing disruption and speeding up time-to-value.
  • Customer Workshops. Engage with our team in weekly workshops, gaining insights and strategies to continuously improve and innovate.

Request Quote

✨ Contributing

This project is under active development, and we encourage contributions from our community.

Many thanks to our outstanding contributors:

For 🐛 bug reports & feature requests, please use the issue tracker.

In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

  1. Review our Code of Conduct and Contributor Guidelines.
  2. Fork the repo on GitHub
  3. Clone the project to your own machine
  4. Commit changes to your own branch
  5. Push your work back up to your fork
  6. Submit a Pull Request so that we can review your changes

NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!

🌎 Slack Community

Join our Open Source Community on Slack. It's FREE for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally sweet infrastructure.

📰 Newsletter

Sign up for our newsletter and join 3,000+ DevOps engineers, CTOs, and founders who get insider access to the latest DevOps trends, so you can always stay in the know. Dropped straight into your Inbox every week — and usually a 5-minute read.

📆 Office Hours

Join us every Wednesday via Zoom for your weekly dose of insider DevOps trends, AWS news and Terraform insights, all sourced from our SweetOps community, plus a live Q&A that you can’t find anywhere else. It's FREE for everyone!

License

License

Preamble to the Apache License, Version 2.0

Complete license is available in the LICENSE file.

Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements.  See the NOTICE file
distributed with this work for additional information
regarding copyright ownership.  The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License.  You may obtain a copy of the License at

  https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied.  See the License for the
specific language governing permissions and limitations
under the License.

Trademarks

All other trademarks referenced herein are the property of their respective owners.


Copyright © 2017-2025 Cloud Posse, LLC

README footer

Beacon