Terraform module that creates an ECS service with the following features
- Runs an ECS service with or without an AWS load balancer.
- Stream logs to a CloudWatch log group encrypted with a KMS key.
- Associate multiple target groups with Network Load Balancers (NLB) and Application Load Balancers (ALB).
- Supports running ECS tasks on EC2 instances or Fargate.
We create an initial task definition using the golang:alpine
image as a way
to validate the initial infrastructure is working: visiting the site shows
a simple Go hello world page listening on two configurable ports. This is
meant to get a proof of concept instance up and running and to help with
testing.
If you want to customize the listener ports for the hello world app, you can
modify the hello_world_container_ports
variable.
In production usage, we expect deployment tooling to manage the container definitions going forward, not Terraform.
Terraform 0.12. Pin module version to ~> 3.0. Submit pull-requests to master branch.
Terraform 0.11. Pin module version to ~> 1.14. Submit pull-requests to terraform011 branch.
module "app_ecs_service" {
source = "trussworks/ecs-service/aws"
name = "app"
environment = "prod"
ecs_cluster = aws_ecs_cluster.mycluster
ecs_vpc_id = module.vpc.vpc_id
ecs_subnet_ids = module.vpc.private_subnets
kms_key_id = aws_kms_key.main.arn
tasks_desired_count = 2
associate_alb = true
alb_security_group = module.security_group.id
target_groups =
[
{
container_port = 8443
container_healthcheck_port = 8443
lb_target_group_arn = module.alb.arn
}
]
}
module "app_ecs_service" {
source = "trussworks/ecs-service/aws"
name = "app"
environment = "prod"
ecs_cluster = aws_ecs_cluster.mycluster
ecs_vpc_id = module.vpc.vpc_id
ecs_subnet_ids = module.vpc.private_subnets
kms_key_id = aws_kms_key.main.arn
tasks_desired_count = 2
associate_nlb = true
nlb_subnet_cidr_blocks = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
lb_target_groups =
[
{
container_port = 8443
container_healthcheck_port = 8080
lb_target_group_arn = module.nlb.arn
}
]
}
module "app_ecs_service" {
source = "trussworks/ecs-service/aws"
name = "app"
environment = "prod"
ecs_cluster = aws_ecs_cluster.mycluster
ecs_vpc_id = module.vpc.vpc_id
ecs_subnet_ids = module.vpc.private_subnets
kms_key_id = aws_kms_key.main.arn
}
No requirements.
Name | Version |
---|---|
aws | n/a |
Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_security_group_ids | In addition to the security group created for the service, a list of security groups the ECS service should also be added to. | list(string) |
[] |
no |
alb_security_group | Application Load Balancer (ALB) security group ID to allow traffic from. | string |
"" |
no |
assign_public_ip | Whether this instance should be accessible from the public internet. Default is false. | bool |
false |
no |
associate_alb | Whether to associate an Application Load Balancer (ALB) with the ECS service. | bool |
false |
no |
associate_nlb | Whether to associate a Network Load Balancer (NLB) with the ECS service. | bool |
false |
no |
cloudwatch_alarm_actions | The list of actions to take for cloudwatch alarms | list(string) |
[] |
no |
cloudwatch_alarm_cpu_enable | Enable the CPU Utilization CloudWatch metric alarm | bool |
true |
no |
cloudwatch_alarm_cpu_threshold | The CPU Utilization threshold for the CloudWatch metric alarm | number |
80 |
no |
cloudwatch_alarm_mem_enable | Enable the Memory Utilization CloudWatch metric alarm | bool |
true |
no |
cloudwatch_alarm_mem_threshold | The Memory Utilization threshold for the CloudWatch metric alarm | number |
80 |
no |
cloudwatch_alarm_name | Generic name used for CPU and Memory Cloudwatch Alarms | string |
"" |
no |
container_definitions | Container definitions provided as valid JSON document. Default uses golang:alpine running a simple hello world. | string |
"" |
no |
container_image | The image of the container. | string |
"golang:alpine" |
no |
ecr_repo_arns | The ARNs of the ECR repos. By default, allows all repositories. | list(string) |
[ |
no |
ecs_cluster | ECS cluster object for this task. | object({ |
n/a | yes |
ecs_instance_role | The name of the ECS instance role. | string |
"" |
no |
ecs_subnet_ids | Subnet IDs for the ECS tasks. | list(string) |
n/a | yes |
ecs_use_fargate | Whether to use Fargate for the task definition. | bool |
false |
no |
ecs_vpc_id | VPC ID to be used by ECS. | string |
n/a | yes |
environment | Environment tag, e.g prod. | string |
n/a | yes |
fargate_task_cpu | Number of cpu units used in initial task definition. Default is minimum. | number |
256 |
no |
fargate_task_memory | Amount (in MiB) of memory used in initial task definition. Default is minimum. | number |
512 |
no |
hello_world_container_ports | List of ports for the hello world container app to listen on. The app currently supports listening on two ports. | list(number) |
[ |
no |
kms_key_id | KMS customer managed key (CMK) ARN for encrypting application logs. | string |
n/a | yes |
lb_target_groups | List of load balancer target group objects containing the lb_target_group_arn, container_port and container_health_check_port. The container_port is the port on which the container will receive traffic. The container_health_check_port is an additional port on which the container can receive a health check. The lb_target_group_arn is either Application Load Balancer (ALB) or Network Load Balancer (NLB) target group ARN tasks will register with. | list( |
[] |
no |
logs_cloudwatch_group | CloudWatch log group to create and use. Default: /ecs/{name}-{environment} | string |
"" |
no |
logs_cloudwatch_retention | Number of days you want to retain log events in the log group. | number |
90 |
no |
name | The service name. | string |
n/a | yes |
nlb_subnet_cidr_blocks | List of Network Load Balancer (NLB) CIDR blocks to allow traffic from. | list(string) |
[] |
no |
service_registries | List of service registry objects as per https://www.terraform.io/docs/providers/aws/r/ecs_service.html#service_registries-1. List can only have a single object until hashicorp/terraform-provider-aws#9573 is resolved. | list(object({ |
[] |
no |
target_container_name | Name of the container the Load Balancer should target. Default: {name}-{environment} | string |
"" |
no |
tasks_desired_count | The number of instances of a task definition. | number |
1 |
no |
tasks_maximum_percent | Upper limit on the number of running tasks. | number |
200 |
no |
tasks_minimum_healthy_percent | Lower limit on the number of running tasks. | number |
100 |
no |
Name | Description |
---|---|
awslogs_group | Name of the CloudWatch Logs log group containers should use. |
awslogs_group_arn | ARN of the CloudWatch Logs log group containers should use. |
ecs_security_group_id | Security Group ID assigned to the ECS tasks. |
task_definition_arn | Full ARN of the Task Definition (including both family and revision). |
task_definition_family | The family of the Task Definition. |
task_execution_role | The role object of the task execution role that the Amazon ECS container agent and the Docker daemon can assume. |
task_execution_role_arn | The ARN of the task execution role that the Amazon ECS container agent and the Docker daemon can assume. |
task_execution_role_name | The name of the task execution role that the Amazon ECS container agent and the Docker daemon can assume. |
task_role | The IAM role object assumed by Amazon ECS container tasks. |
task_role_arn | The ARN of the IAM role assumed by Amazon ECS container tasks. |
task_role_name | The name of the IAM role assumed by Amazon ECS container tasks. |
In 3.0.0 the module added support for multiple load balancer target groups. To support this change, container_port
, container_health_check_port
and lb_target_group
are being replaced with lb_target_groups
If you are using this module without an ALB or NLB then you can remove any references to container_port
, container_health_check_port
and lb_target_group
if you were doing so.
If you are using an NLB or NLB target groups with this module then you will need replace the values of container_port
, container_health_check_port
and lb_target_group
with
Below is an example of how the module would be instantiated prior to version 3.0.0
module "app_ecs_service" {
source = "trussworks/ecs-service/aws"
...
container_port = 8443
container_health_check_port = 8080
lb_target_group_arn = module.alb.arn
...
}
In 3.0.0 the same example will look like the following
module "app_ecs_service" {
source = "trussworks/ecs-service/aws"
...
lb_target_groups =
[
{
container_port = 8443
container_health_check_port = 8080
lb_target_group_arn = module.alb.arn
}
]
...
}
In 2.1.0 KMS log encryption is required by default. This requires that you create and attach a new AWS KMS key ARN. As an example here is how to set that up (please review on your own):
data "aws_iam_policy_document" "cloudwatch_logs_allow_kms" {
statement {
sid = "Enable IAM User Permissions"
effect = "Allow"
principals {
type = "AWS"
identifiers = [
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
]
}
actions = [
"kms:*",
]
resources = ["*"]
}
statement {
sid = "Allow logs KMS access"
effect = "Allow"
principals {
type = "Service"
identifiers = ["logs.us-west-2.amazonaws.com"]
}
actions = [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
]
resources = ["*"]
}
}
resource "aws_kms_key" "main" {
description = "Key for ECS log encryption"
enable_key_rotation = true
policy = data.aws_iam_policy_document.cloudwatch_logs_allow_kms.json
}
NOTE: Best practice is to use a separate KMS key per ECS Service. Do not re-use KMS keys if it can be avoided.
v2.0.0 of this module is built against Terraform v0.12. In addition to requiring this upgrade, the v1.15.0 version of the module took the name of the ECS cluster as a parameter; v2.0.0 takes the actual object of the ECS cluster as a parameter instead. You will need to update previous instances of this module with the altered parameter.
Install dependencies (macOS)
brew install pre-commit go terraform terraform-docs
Terratest is being used for
automated testing with this module. Tests in the test
folder can be run
locally by running the following command:
make test
Or with aws-vault:
AWS_VAULT_KEYCHAIN_NAME=<NAME> aws-vault exec <PROFILE> -- make test