A Terraform module which implements a web app on ECS and supporting AWS resources.
This project is part of our comprehensive "SweetOps" approach towards DevOps.
It's 100% Open Source and licensed under the APACHE2.
We literally have hundreds of terraform modules that are Open Source and well-maintained. Check them out!
Security scanning is graciously provided by Bridgecrew. Bridgecrew is the leading fully hosted, cloud-native solution providing continuous Terraform security and compliance.
IMPORTANT: We do not pin modules to versions in our examples because of the difficulty of keeping the versions in the documentation in sync with the latest released versions. We highly recommend that in your code you pin the version to the exact version you are using so that your infrastructure remains stable, and update versions in a systematic way so that they do not catch you by surprise.
Also, because of a bug in the Terraform registry (hashicorp/terraform#21417), the registry shows many of our inputs as required when in fact they are optional. The table below correctly indicates which inputs are required.
For a complete example, see examples/complete.
For automated tests of the complete example using bats and Terratest (which test and deploy the example on AWS), see test.
Other examples:
- without authentication - without authentication
- with Google OIDC authentication - with Google OIDC authentication
- with Cognito authentication - with Cognito authentication
module "default_backend_web_app" {
source = "cloudposse/ecs-web-app/aws"
# Cloud Posse recommends pinning every module to a specific version
# version = "x.x.x"
namespace = "eg"
stage = "testing"
name = "appname"
vpc_id = module.vpc.vpc_id
alb_ingress_unauthenticated_listener_arns = module.alb.listener_arns
alb_ingress_unauthenticated_listener_arns_count = 1
aws_logs_region = "us-east-2"
ecs_cluster_arn = aws_ecs_cluster.default.arn
ecs_cluster_name = aws_ecs_cluster.default.name
ecs_security_group_ids = [module.vpc.vpc_default_security_group_id]
ecs_private_subnet_ids = module.subnets.private_subnet_ids
alb_ingress_healthcheck_path = "/healthz"
alb_ingress_unauthenticated_paths = ["/*"]
codepipeline_enabled = false
container_environment = [
{
name = "COOKIE"
value = "cookiemonster"
},
{
name = "PORT"
value = "80"
}
]
}
Available targets:
help Help screen
help/all Display help for all targets
help/short This help short screen
lint Lint terraform code
Name | Version |
---|---|
terraform | >= 0.13.0 |
aws | >= 3.34 |
Name | Version |
---|---|
aws | >= 3.34 |
Name | Source | Version |
---|---|---|
alb_ingress | cloudposse/alb-ingress/aws | 0.24.2 |
alb_target_group_cloudwatch_sns_alarms | cloudposse/alb-target-group-cloudwatch-sns-alarms/aws | 0.17.0 |
container_definition | cloudposse/ecs-container-definition/aws | 0.58.1 |
ecr | cloudposse/ecr/aws | 0.34.0 |
ecs_alb_service_task | cloudposse/ecs-alb-service-task/aws | 0.64.1 |
ecs_cloudwatch_autoscaling | cloudposse/ecs-cloudwatch-autoscaling/aws | 0.7.3 |
ecs_cloudwatch_sns_alarms | cloudposse/ecs-cloudwatch-sns-alarms/aws | 0.12.2 |
ecs_codepipeline | cloudposse/ecs-codepipeline/aws | 0.28.8 |
this | cloudposse/label/null | 0.25.0 |
Name | Type |
---|---|
aws_cloudwatch_log_group.app | resource |
aws_region.current | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_tag_map | Additional key-value pairs to add to each map in tags_as_list_of_maps . Not added to tags or id .This is for some rare cases where resources want additional configuration of tags and therefore take a list of maps with tag key, value, and additional configuration. |
map(string) |
{} |
no |
alb_arn_suffix | ARN suffix of the ALB for the Target Group | string |
"" |
no |
alb_container_name | The name of the container to associate with the ALB. If not provided, the generated container will be used | string |
null |
no |
alb_ingress_authenticated_hosts | Authenticated hosts to match in Hosts header | list(string) |
[] |
no |
alb_ingress_authenticated_listener_arns | A list of authenticated ALB listener ARNs to attach ALB listener rules to | list(string) |
[] |
no |
alb_ingress_authenticated_listener_arns_count | The number of authenticated ARNs in alb_ingress_authenticated_listener_arns . This is necessary to work around a limitation in Terraform where counts cannot be computed |
number |
0 |
no |
alb_ingress_authenticated_paths | Authenticated path pattern to match (a maximum of 1 can be defined) | list(string) |
[] |
no |
alb_ingress_enable_default_target_group | If true, create a default target group for the ALB ingress | bool |
true |
no |
alb_ingress_health_check_healthy_threshold | The number of consecutive health checks successes required before healthy | number |
2 |
no |
alb_ingress_health_check_interval | The duration in seconds in between health checks | number |
15 |
no |
alb_ingress_health_check_matcher | The HTTP response codes to indicate a healthy check | string |
"200-399" |
no |
alb_ingress_health_check_timeout | The amount of time to wait in seconds before failing a health check request | number |
10 |
no |
alb_ingress_health_check_unhealthy_threshold | The number of consecutive health check failures required before unhealthy | number |
2 |
no |
alb_ingress_healthcheck_path | The path of the healthcheck which the ALB checks | string |
"/" |
no |
alb_ingress_healthcheck_protocol | The protocol to use to connect with the target. Defaults to HTTP . Not applicable when target_type is lambda |
string |
"HTTP" |
no |
alb_ingress_listener_authenticated_priority | The priority for the rules with authentication, between 1 and 50000 (1 being highest priority). Must be different from alb_ingress_listener_unauthenticated_priority since a listener can't have multiple rules with the same priority |
number |
300 |
no |
alb_ingress_listener_unauthenticated_priority | The priority for the rules without authentication, between 1 and 50000 (1 being highest priority). Must be different from alb_ingress_listener_authenticated_priority since a listener can't have multiple rules with the same priority |
number |
1000 |
no |
alb_ingress_target_group_arn | Existing ALB target group ARN. If provided, set alb_ingress_enable_default_target_group to false to disable creation of the default target group |
string |
"" |
no |
alb_ingress_unauthenticated_hosts | Unauthenticated hosts to match in Hosts header | list(string) |
[] |
no |
alb_ingress_unauthenticated_listener_arns | A list of unauthenticated ALB listener ARNs to attach ALB listener rules to | list(string) |
[] |
no |
alb_ingress_unauthenticated_listener_arns_count | The number of unauthenticated ARNs in alb_ingress_unauthenticated_listener_arns . This is necessary to work around a limitation in Terraform where counts cannot be computed |
number |
0 |
no |
alb_ingress_unauthenticated_paths | Unauthenticated path pattern to match (a maximum of 1 can be defined) | list(string) |
[] |
no |
alb_security_group | Security group of the ALB | string |
n/a | yes |
alb_stickiness_cookie_duration | The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds) | number |
86400 |
no |
alb_stickiness_enabled | Boolean to enable / disable stickiness . Default is true |
bool |
true |
no |
alb_stickiness_type | The type of sticky sessions. The only current possible value is lb_cookie |
string |
"lb_cookie" |
no |
alb_target_group_alarms_3xx_threshold | The maximum number of 3XX HTTPCodes in a given period for ECS Service | number |
25 |
no |
alb_target_group_alarms_4xx_threshold | The maximum number of 4XX HTTPCodes in a given period for ECS Service | number |
25 |
no |
alb_target_group_alarms_5xx_threshold | The maximum number of 5XX HTTPCodes in a given period for ECS Service | number |
25 |
no |
alb_target_group_alarms_alarm_actions | A list of ARNs (i.e. SNS Topic ARN) to execute when ALB Target Group alarms transition into an ALARM state from any other state | list(string) |
[] |
no |
alb_target_group_alarms_enabled | A boolean to enable/disable CloudWatch Alarms for ALB Target metrics | bool |
false |
no |
alb_target_group_alarms_evaluation_periods | The number of periods to analyze for ALB CloudWatch Alarms | number |
1 |
no |
alb_target_group_alarms_insufficient_data_actions | A list of ARNs (i.e. SNS Topic ARN) to execute when ALB Target Group alarms transition into an INSUFFICIENT_DATA state from any other state | list(string) |
[] |
no |
alb_target_group_alarms_ok_actions | A list of ARNs (i.e. SNS Topic ARN) to execute when ALB Target Group alarms transition into an OK state from any other state | list(string) |
[] |
no |
alb_target_group_alarms_period | The period (in seconds) to analyze for ALB CloudWatch Alarms | number |
300 |
no |
alb_target_group_alarms_response_time_threshold | The maximum ALB Target Group response time | number |
0.5 |
no |
assign_public_ip | Assign a public IP address to the ENI (Fargate launch type only). Valid values are true or false . Default false |
bool |
false |
no |
attributes | ID element. Additional attributes (e.g. workers or cluster ) to add to id ,in the order they appear in the list. New attributes are appended to the end of the list. The elements of the list are joined by the delimiter and treated as a single ID element. |
list(string) |
[] |
no |
authentication_cognito_scope | Cognito scope, which should be a space separated string of requested scopes (see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) | string |
null |
no |
authentication_cognito_user_pool_arn | Cognito User Pool ARN | string |
"" |
no |
authentication_cognito_user_pool_client_id | Cognito User Pool Client ID | string |
"" |
no |
authentication_cognito_user_pool_domain | Cognito User Pool Domain. The User Pool Domain should be set to the domain prefix (xxx ) instead of full domain (https://xxx.auth.us-west-2.amazoncognito.com) |
string |
"" |
no |
authentication_oidc_authorization_endpoint | OIDC Authorization Endpoint | string |
"" |
no |
authentication_oidc_client_id | OIDC Client ID | string |
"" |
no |
authentication_oidc_client_secret | OIDC Client Secret | string |
"" |
no |
authentication_oidc_issuer | OIDC Issuer | string |
"" |
no |
authentication_oidc_scope | OIDC scope, which should be a space separated string of requested scopes (see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims, and https://developers.google.com/identity/protocols/oauth2/openid-connect#scope-param for an example set of scopes when using Google as the IdP) | string |
null |
no |
authentication_oidc_token_endpoint | OIDC Token Endpoint | string |
"" |
no |
authentication_oidc_user_info_endpoint | OIDC User Info Endpoint | string |
"" |
no |
authentication_type | Authentication type. Supported values are COGNITO and OIDC |
string |
"" |
no |
autoscaling_dimension | Dimension to autoscale on (valid options: cpu, memory) | string |
"memory" |
no |
autoscaling_enabled | A boolean to enable/disable Autoscaling policy for ECS Service | bool |
false |
no |
autoscaling_max_capacity | Maximum number of running instances of a Service | number |
2 |
no |
autoscaling_min_capacity | Minimum number of running instances of a Service | number |
1 |
no |
autoscaling_scale_down_adjustment | Scaling adjustment to make during scale down event | number |
-1 |
no |
autoscaling_scale_down_cooldown | Period (in seconds) to wait between scale down events | number |
300 |
no |
autoscaling_scale_up_adjustment | Scaling adjustment to make during scale up event | number |
1 |
no |
autoscaling_scale_up_cooldown | Period (in seconds) to wait between scale up events | number |
60 |
no |
aws_logs_prefix | Custom AWS Logs prefix. If empty name from label module will be used | string |
"" |
no |
aws_logs_region | The region for the AWS Cloudwatch Logs group | string |
null |
no |
badge_enabled | Generates a publicly-accessible URL for the projects build badge. Available as badge_url attribute when enabled | bool |
false |
no |
branch | Branch of the GitHub repository, e.g. master |
string |
"" |
no |
build_environment_variables | A list of maps, that contain the keys 'name', 'value', and 'type' to be used as additional environment variables for the build. Valid types are 'PLAINTEXT', 'PARAMETER_STORE', or 'SECRETS_MANAGER' | list(object( |
[] |
no |
build_image | Docker image for build environment, e.g. aws/codebuild/docker:docker:17.09.0 |
string |
"aws/codebuild/docker:17.09.0" |
no |
build_timeout | How long in minutes, from 5 to 480 (8 hours), for AWS CodeBuild to wait until timing out any related build that does not get marked as completed | number |
60 |
no |
buildspec | Declaration to use for building the project. For more info | string |
"" |
no |
capacity_provider_strategies | The capacity provider strategies to use for the service. See capacity_provider_strategy configuration block: https://www.terraform.io/docs/providers/aws/r/ecs_service.html#capacity_provider_strategy |
list(object({ |
[] |
no |
circuit_breaker_deployment_enabled | If true , enable the deployment circuit breaker logic for the service |
bool |
false |
no |
circuit_breaker_rollback_enabled | If true , Amazon ECS will roll back the service if a service deployment fails |
bool |
false |
no |
cloudwatch_log_group_enabled | A boolean to disable cloudwatch log group creation | bool |
true |
no |
codebuild_cache_type | The type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO_CACHE, LOCAL, and S3. Defaults to NO_CACHE. If cache_type is S3, it will create an S3 bucket for storing codebuild cache inside | string |
"S3" |
no |
codepipeline_build_cache_bucket_suffix_enabled | The codebuild cache bucket generates a random 13 character string to generate a unique bucket name. If set to false it uses terraform-null-label's id value. It only works when cache_type is 'S3' | bool |
true |
no |
codepipeline_build_compute_type | CodeBuild instance size. Possible values are: BUILD_GENERAL1_SMALL BUILD_GENERAL1_MEDIUM BUILD_GENERAL1_LARGE |
string |
"BUILD_GENERAL1_SMALL" |
no |
codepipeline_cdn_bucket_buildspec_identifier | Identifier for buildspec section controlling the optional CDN asset deployment. | string |
null |
no |
codepipeline_cdn_bucket_encryption_enabled | If set to true, enable encryption on the optional CDN asset deployment bucket | bool |
false |
no |
codepipeline_cdn_bucket_id | Optional bucket for static asset deployment. If specified, the buildspec must include a secondary artifacts section which controls the files deployed to the bucket For more info | string |
null |
no |
codepipeline_enabled | A boolean to enable/disable AWS Codepipeline and ECR | bool |
true |
no |
codepipeline_s3_bucket_force_destroy | A boolean that indicates all objects should be deleted from the CodePipeline artifact store S3 bucket so that the bucket can be destroyed without error | bool |
false |
no |
command | The command that is passed to the container | list(string) |
null |
no |
container_cpu | The vCPU setting to control cpu limits of container. (If FARGATE launch type is used below, this must be a supported vCPU size from the table here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html) | number |
256 |
no |
container_definition | Override the main container_definition | string |
"" |
no |
container_environment | The environment variables to pass to the container. This is a list of maps | list(object({ |
null |
no |
container_image | The default container image to use in container definition | string |
"cloudposse/default-backend" |
no |
container_memory | The amount of RAM to allow container to use in MB. (If FARGATE launch type is used below, this must be a supported Memory size from the table here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html) | number |
512 |
no |
container_memory_reservation | The amount of RAM (Soft Limit) to allow container to use in MB. This value must be less than container_memory if set |
number |
128 |
no |
container_port | The port number on the container bound to assigned host_port | number |
80 |
no |
container_repo_credentials | Container repository credentials; required when using a private repo. This map currently supports a single key; "credentialsParameter", which should be the ARN of a Secrets Manager's secret holding the credentials | map(string) |
null |
no |
container_start_timeout | Time duration (in seconds) to wait before giving up on resolving dependencies for a container | number |
30 |
no |
container_stop_timeout | Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own | number |
30 |
no |
context | Single object for setting entire context at once. See description of individual variables for details. Leave string and numeric variables as null to use default value.Individual variable settings (non-null) override settings in context object, except for attributes, tags, and additional_tag_map, which are merged. |
any |
{ |
no |
delimiter | Delimiter to be used between ID elements. Defaults to - (hyphen). Set to "" to use no delimiter at all. |
string |
null |
no |
deployment_controller_type | Type of deployment controller. Valid values are CODE_DEPLOY and ECS | string |
"ECS" |
no |
descriptor_formats | Describe additional descriptors to be output in the descriptors output map.Map of maps. Keys are names of descriptors. Values are maps of the form {<br> format = string<br> labels = list(string)<br>} (Type is any so the map values can later be enhanced to provide additional options.)format is a Terraform format string to be passed to the format() function.labels is a list of labels, in order, to pass to format() function.Label values will be normalized before being passed to format() so they will beidentical to how they appear in id .Default is {} (descriptors output will be empty). |
any |
{} |
no |
desired_count | The desired number of tasks to start with. Set this to 0 if using DAEMON Service type. (FARGATE does not suppoert DAEMON Service type) | number |
1 |
no |
ecr_image_tag_mutability | The tag mutability setting for the ecr repository. Must be one of: MUTABLE or IMMUTABLE |
string |
"IMMUTABLE" |
no |
ecr_scan_images_on_push | Indicates whether images are scanned after being pushed to the repository (true) or not (false) | bool |
false |
no |
ecs_alarms_cpu_utilization_high_alarm_actions | A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization High Alarm action | list(string) |
[] |
no |
ecs_alarms_cpu_utilization_high_evaluation_periods | Number of periods to evaluate for the alarm | number |
1 |
no |
ecs_alarms_cpu_utilization_high_ok_actions | A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization High OK action | list(string) |
[] |
no |
ecs_alarms_cpu_utilization_high_period | Duration in seconds to evaluate for the alarm | number |
300 |
no |
ecs_alarms_cpu_utilization_high_threshold | The maximum percentage of CPU utilization average | number |
80 |
no |
ecs_alarms_cpu_utilization_low_alarm_actions | A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization Low Alarm action | list(string) |
[] |
no |
ecs_alarms_cpu_utilization_low_evaluation_periods | Number of periods to evaluate for the alarm | number |
1 |
no |
ecs_alarms_cpu_utilization_low_ok_actions | A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization Low OK action | list(string) |
[] |
no |
ecs_alarms_cpu_utilization_low_period | Duration in seconds to evaluate for the alarm | number |
300 |
no |
ecs_alarms_cpu_utilization_low_threshold | The minimum percentage of CPU utilization average | number |
20 |
no |
ecs_alarms_enabled | A boolean to enable/disable CloudWatch Alarms for ECS Service metrics | bool |
false |
no |
ecs_alarms_memory_utilization_high_alarm_actions | A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization High Alarm action | list(string) |
[] |
no |
ecs_alarms_memory_utilization_high_evaluation_periods | Number of periods to evaluate for the alarm | number |
1 |
no |
ecs_alarms_memory_utilization_high_ok_actions | A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization High OK action | list(string) |
[] |
no |
ecs_alarms_memory_utilization_high_period | Duration in seconds to evaluate for the alarm | number |
300 |
no |
ecs_alarms_memory_utilization_high_threshold | The maximum percentage of Memory utilization average | number |
80 |
no |
ecs_alarms_memory_utilization_low_alarm_actions | A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization Low Alarm action | list(string) |
[] |
no |
ecs_alarms_memory_utilization_low_evaluation_periods | Number of periods to evaluate for the alarm | number |
1 |
no |
ecs_alarms_memory_utilization_low_ok_actions | A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization Low OK action | list(string) |
[] |
no |
ecs_alarms_memory_utilization_low_period | Duration in seconds to evaluate for the alarm | number |
300 |
no |
ecs_alarms_memory_utilization_low_threshold | The minimum percentage of Memory utilization average | number |
20 |
no |
ecs_cluster_arn | The ECS Cluster ARN where ECS Service will be provisioned | string |
n/a | yes |
ecs_cluster_name | The ECS Cluster Name to use in ECS Code Pipeline Deployment step | string |
null |
no |
ecs_private_subnet_ids | List of Private Subnet IDs to provision ECS Service onto if var.network_mode = "awsvpc" |
list(string) |
n/a | yes |
ecs_security_group_ids | Additional Security Group IDs to allow into ECS Service if var.network_mode = "awsvpc" |
list(string) |
[] |
no |
enable_all_egress_rule | A flag to enable/disable adding the all ports egress rule to the ECS security group | bool |
true |
no |
enable_ecs_managed_tags | Specifies whether to enable Amazon ECS managed tags for the tasks within the service | bool |
false |
no |
enabled | Set to false to prevent the module from creating any resources | bool |
null |
no |
entrypoint | The entry point that is passed to the container | list(string) |
null |
no |
environment | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | string |
null |
no |
exec_enabled | Specifies whether to enable Amazon ECS Exec for the tasks within the service | bool |
false |
no |
force_new_deployment | Enable to force a new task deployment of the service. | bool |
false |
no |
github_oauth_token | GitHub Oauth Token with permissions to access private repositories | string |
"" |
no |
github_webhook_events | A list of events which should trigger the webhook. See a list of available events | list(string) |
[ |
no |
github_webhooks_token | GitHub OAuth Token with permissions to create webhooks. If not provided, can be sourced from the GITHUB_TOKEN environment variable |
string |
"" |
no |
health_check_grace_period_seconds | Seconds to ignore failing load balancer health checks on newly instantiated tasks to prevent premature shutdown, up to 7200. Only valid for services configured to use load balancers | number |
0 |
no |
healthcheck | A map containing command (string), timeout, interval (duration in seconds), retries (1-10, number of times to retry before marking container unhealthy), and startPeriod (0-300, optional grace period to wait, in seconds, before failed healthchecks count toward retries) | object({ |
null |
no |
id_length_limit | Limit id to this many characters (minimum 6).Set to 0 for unlimited length.Set to null for keep the existing setting, which defaults to 0 .Does not affect id_full . |
number |
null |
no |
ignore_changes_desired_count | Whether to ignore changes for desired count in the ECS service | bool |
false |
no |
ignore_changes_task_definition | Ignore changes (like environment variables) to the ECS task definition | bool |
true |
no |
init_containers | A list of additional init containers to start. The map contains the container_definition (JSON) and the main container's dependency condition (string) on the init container. The latter can be one of START, COMPLETE, SUCCESS or HEALTHY. | list(object({ |
[] |
no |
label_key_case | Controls the letter case of the tags keys (label names) for tags generated by this module.Does not affect keys of tags passed in via the tags input.Possible values: lower , title , upper .Default value: title . |
string |
null |
no |
label_order | The order in which the labels (ID elements) appear in the id .Defaults to ["namespace", "environment", "stage", "name", "attributes"]. You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. |
list(string) |
null |
no |
label_value_case | Controls the letter case of ID elements (labels) as included in id ,set as tag values, and output by this module individually. Does not affect values of tags passed in via the tags input.Possible values: lower , title , upper and none (no transformation).Set this to title and set delimiter to "" to yield Pascal Case IDs.Default value: lower . |
string |
null |
no |
labels_as_tags | Set of labels (ID elements) to include as tags in the tags output.Default is to include all labels. Tags with empty values will not be included in the tags output.Set to [] to suppress all generated tags.Notes: The value of the name tag, if included, will be the id , not the name .Unlike other null-label inputs, the initial setting of labels_as_tags cannot bechanged in later chained modules. Attempts to change it will be silently ignored. |
set(string) |
[ |
no |
launch_type | The ECS launch type (valid options: FARGATE or EC2) | string |
"FARGATE" |
no |
log_driver | The log driver to use for the container. If using Fargate launch type, only supported value is awslogs | string |
"awslogs" |
no |
log_retention_in_days | The number of days to retain logs for the log group | number |
90 |
no |
map_container_environment | The environment variables to pass to the container. This is a map of string: {key: value}. environment overrides map_environment |
map(string) |
null |
no |
mount_points | Container mount points. This is a list of maps, where each map should contain a containerPath and sourceVolume |
list(object({ |
[] |
no |
name | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'. This is the only ID element not also included as a tag .The "name" tag is set to the full id string. There is no tag with the value of the name input. |
string |
null |
no |
namespace | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | string |
null |
no |
network_mode | The network mode to use for the task. This is required to be awsvpc for FARGATE launch_type or null for EC2 launch_type |
string |
"awsvpc" |
no |
nlb_cidr_blocks | A list of CIDR blocks to add to the ingress rule for the NLB container port | list(string) |
[] |
no |
nlb_container_name | The name of the container to associate with the NLB. If not provided, the generated container will be used | string |
null |
no |
nlb_container_port | The port number on the container bound to assigned NLB host_port | number |
80 |
no |
nlb_ingress_target_group_arn | Target group ARN of the NLB ingress | string |
"" |
no |
permissions_boundary | A permissions boundary ARN to apply to the 3 roles that are created. | string |
"" |
no |
platform_version | The platform version on which to run your service. Only applicable for launch_type set to FARGATE. More information about Fargate platform versions can be found in the AWS ECS User Guide. | string |
"LATEST" |
no |
poll_source_changes | Periodically check the location of your source content and run the pipeline if changes are detected | bool |
false |
no |
port_mappings | The port mappings to configure for the container. This is a list of maps. Each map should contain "containerPort", "hostPort", and "protocol", where "protocol" is one of "tcp" or "udp". If using containers in a task with the awsvpc or host network mode, the hostPort can either be left blank or set to the same value as the containerPort | list(object({ |
[ |
no |
privileged | When this variable is true , the container is given elevated privileges on the host container instance (similar to the root user). This parameter is not supported for Windows containers or tasks using the Fargate launch type. Due to how Terraform type casts booleans in json it is required to double quote this value |
string |
null |
no |
propagate_tags | Specifies whether to propagate the tags from the task definition or the service to the tasks. The valid values are SERVICE and TASK_DEFINITION | string |
null |
no |
regex_replace_chars | Terraform regular expression (regex) string. Characters matching the regex will be removed from the ID elements. If not set, "/[^a-zA-Z0-9-]/" is used to remove all characters other than hyphens, letters and digits. |
string |
null |
no |
region | AWS Region for S3 bucket | string |
null |
no |
repo_name | GitHub repository name of the application to be built and deployed to ECS | string |
"" |
no |
repo_owner | GitHub Organization or Username | string |
"" |
no |
runtime_platform | Zero or one runtime platform configurations that containers in your task may use. Map of strings with optional keys operating_system_family and cpu_architecture .See runtime_platform docs https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#runtime_platform |
list(map(string)) |
[] |
no |
secrets | The secrets to pass to the container. This is a list of maps | list(object({ |
null |
no |
service_registries | The service discovery registries for the service. The maximum number of service_registries blocks is 1. The currently supported service registry is Amazon Route 53 Auto Naming Service - aws_service_discovery_service ; see service_registries docs https://www.terraform.io/docs/providers/aws/r/ecs_service.html#service_registries-1 |
list(object({ |
[] |
no |
stage | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | string |
null |
no |
system_controls | A list of namespaced kernel parameters to set in the container, mapping to the --sysctl option to docker run. This is a list of maps: { namespace = "", value = ""} | list(map(string)) |
null |
no |
tags | Additional tags (e.g. {'BusinessUnit': 'XYZ'} ).Neither the tag keys nor the tag values will be modified by this module. |
map(string) |
{} |
no |
task_cpu | The number of CPU units used by the task. If unspecified, it will default to container_cpu . If using FARGATE launch type task_cpu must match supported memory values (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) |
number |
null |
no |
task_memory | The amount of memory (in MiB) used by the task. If unspecified, it will default to container_memory . If using Fargate launch type task_memory must match supported cpu value (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) |
number |
null |
no |
task_policy_arns | A list of IAM Policy ARNs to attach to the generated task role. | list(string) |
[] |
no |
task_role_arn | The ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services | string |
"" |
no |
tenant | ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for | string |
null |
no |
ulimits | The ulimits to configure for the container. This is a list of maps. Each map should contain "name", "softLimit" and "hardLimit" | list(object({ |
[] |
no |
use_alb_security_group | A boolean to enable adding an ALB security group rule for the service task | bool |
false |
no |
use_ecr_image | If true, use ECR repo URL for image, otherwise use value in container_image | bool |
false |
no |
use_nlb_cidr_blocks | A flag to enable/disable adding the NLB ingress rule to the security group | bool |
false |
no |
volumes | Task volume definitions as list of configuration objects | list(object({ |
[] |
no |
vpc_id | The VPC ID where resources are created | string |
n/a | yes |
webhook_authentication | The type of authentication to use. One of IP, GITHUB_HMAC, or UNAUTHENTICATED | string |
"GITHUB_HMAC" |
no |
webhook_enabled | Set to false to prevent the module from creating any webhook resources | bool |
true |
no |
webhook_filter_json_path | The JSON path to filter on | string |
"$.ref" |
no |
webhook_filter_match_equals | The value to match on (e.g. refs/heads/{Branch}) | string |
"refs/heads/{Branch}" |
no |
webhook_target_action | The name of the action in a pipeline you want to connect to the webhook. The action must be from the source (first) stage of the pipeline | string |
"Source" |
no |
Name | Description |
---|---|
alb_ingress | All outputs from module.alb_ingress |
alb_ingress_target_group_arn | ALB Target Group ARN |
alb_ingress_target_group_arn_suffix | ALB Target Group ARN suffix |
alb_ingress_target_group_name | ALB Target Group name |
alb_target_group_cloudwatch_sns_alarms | All outputs from module.alb_target_group_cloudwatch_sns_alarms |
cloudwatch_log_group | All outputs from aws_cloudwatch_log_group.app |
cloudwatch_log_group_arn | Cloudwatch log group ARN |
cloudwatch_log_group_name | Cloudwatch log group name |
codebuild | All outputs from module.ecs_codepipeline |
codebuild_badge_url | The URL of the build badge when badge_enabled is enabled |
codebuild_cache_bucket_arn | CodeBuild cache S3 bucket ARN |
codebuild_cache_bucket_name | CodeBuild cache S3 bucket name |
codebuild_project_id | CodeBuild project ID |
codebuild_project_name | CodeBuild project name |
codebuild_role_arn | CodeBuild IAM Role ARN |
codebuild_role_id | CodeBuild IAM Role ID |
codepipeline_arn | CodePipeline ARN |
codepipeline_id | CodePipeline ID |
codepipeline_webhook_id | The CodePipeline webhook's ID |
codepipeline_webhook_url | The CodePipeline webhook's URL. POST events to this endpoint to trigger the target |
container_definition | All outputs from module.container_definition |
container_definition_json | JSON encoded list of container definitions for use with other terraform resources such as aws_ecs_task_definition |
container_definition_json_map | JSON encoded container definitions for use with other terraform resources such as aws_ecs_task_definition |
ecr | All outputs from module.ecr |
ecr_registry_id | Registry ID |
ecr_registry_url | Repository URL |
ecr_repository_arn | ARN of ECR repository |
ecr_repository_name | Registry name |
ecr_repository_url | Repository URL |
ecs_alarms | All outputs from module.ecs_cloudwatch_sns_alarms |
ecs_alarms_cpu_utilization_high_cloudwatch_metric_alarm_arn | ECS CPU utilization high CloudWatch metric alarm ARN |
ecs_alarms_cpu_utilization_high_cloudwatch_metric_alarm_id | ECS CPU utilization high CloudWatch metric alarm ID |
ecs_alarms_cpu_utilization_low_cloudwatch_metric_alarm_arn | ECS CPU utilization low CloudWatch metric alarm ARN |
ecs_alarms_cpu_utilization_low_cloudwatch_metric_alarm_id | ECS CPU utilization low CloudWatch metric alarm ID |
ecs_alarms_memory_utilization_high_cloudwatch_metric_alarm_arn | ECS Memory utilization high CloudWatch metric alarm ARN |
ecs_alarms_memory_utilization_high_cloudwatch_metric_alarm_id | ECS Memory utilization high CloudWatch metric alarm ID |
ecs_alarms_memory_utilization_low_cloudwatch_metric_alarm_arn | ECS Memory utilization low CloudWatch metric alarm ARN |
ecs_alarms_memory_utilization_low_cloudwatch_metric_alarm_id | ECS Memory utilization low CloudWatch metric alarm ID |
ecs_alb_service_task | All outputs from module.ecs_alb_service_task |
ecs_cloudwatch_autoscaling | All outputs from module.ecs_cloudwatch_autoscaling |
ecs_cloudwatch_autoscaling_scale_down_policy_arn | ARN of the scale down policy |
ecs_cloudwatch_autoscaling_scale_up_policy_arn | ARN of the scale up policy |
ecs_exec_role_policy_id | The ECS service role policy ID, in the form of role_name:role_policy_name |
ecs_exec_role_policy_name | ECS service role name |
ecs_service_name | ECS Service name |
ecs_service_role_arn | ECS Service role ARN |
ecs_service_security_group_id | Security Group ID of the ECS task |
ecs_task_definition_family | ECS task definition family |
ecs_task_definition_revision | ECS task definition revision |
ecs_task_exec_role_arn | ECS Task exec role ARN |
ecs_task_exec_role_name | ECS Task role name |
ecs_task_role_arn | ECS Task role ARN |
ecs_task_role_id | ECS Task role id |
ecs_task_role_name | ECS Task role name |
httpcode_elb_5xx_count_cloudwatch_metric_alarm_arn | ALB 5xx count CloudWatch metric alarm ARN |
httpcode_elb_5xx_count_cloudwatch_metric_alarm_id | ALB 5xx count CloudWatch metric alarm ID |
httpcode_target_3xx_count_cloudwatch_metric_alarm_arn | ALB Target Group 3xx count CloudWatch metric alarm ARN |
httpcode_target_3xx_count_cloudwatch_metric_alarm_id | ALB Target Group 3xx count CloudWatch metric alarm ID |
httpcode_target_4xx_count_cloudwatch_metric_alarm_arn | ALB Target Group 4xx count CloudWatch metric alarm ARN |
httpcode_target_4xx_count_cloudwatch_metric_alarm_id | ALB Target Group 4xx count CloudWatch metric alarm ID |
httpcode_target_5xx_count_cloudwatch_metric_alarm_arn | ALB Target Group 5xx count CloudWatch metric alarm ARN |
httpcode_target_5xx_count_cloudwatch_metric_alarm_id | ALB Target Group 5xx count CloudWatch metric alarm ID |
target_response_time_average_cloudwatch_metric_alarm_arn | ALB Target Group response time average CloudWatch metric alarm ARN |
target_response_time_average_cloudwatch_metric_alarm_id | ALB Target Group response time average CloudWatch metric alarm ID |
Like this project? Please give it a ★ on our GitHub! (it helps us a lot)
Are you using this project or any of our other projects? Consider leaving a testimonial. =)
Check out these related projects.
- terraform-aws-alb - Terraform module to provision a standard ALB for HTTP/HTTP traffic
- terraform-aws-alb-ingress - Terraform module to provision an HTTP style ingress rule based on hostname and path for an ALB
- terraform-aws-codebuild - Terraform Module to easily leverage AWS CodeBuild for Continuous Integration
- terraform-aws-ecr - Terraform Module to manage Docker Container Registries on AWS ECR
- terraform-aws-ecs-alb-service-task - Terraform module which implements an ECS service which exposes a web service via ALB.
- terraform-aws-ecs-codepipeline - Terraform Module for CI/CD with AWS Code Pipeline and Code Build for ECS
- terraform-aws-ecs-container-definition - Terraform module to generate well-formed JSON documents that are passed to the aws_ecs_task_definition Terraform resource
- terraform-aws-lb-s3-bucket - Terraform module to provision an S3 bucket with built in IAM policy to allow AWS Load Balancers to ship access logs.
- terraform-aws-eks-cluster - Terraform module for provisioning an EKS cluster
- terraform-aws-eks-workers - Terraform module to provision an AWS AutoScaling Group, IAM Role, and Security Group for EKS Workers
- terraform-aws-ec2-autoscale-group - Terraform module to provision Auto Scaling Group and Launch Template on AWS
Got a question? We got answers.
File a GitHub issue, send us an email or join our Slack Community.
We are a DevOps Accelerator. We'll help you build your cloud infrastructure from the ground up so you can own it. Then we'll show you how to operate it and stick around for as long as you need us.
Work directly with our team of DevOps experts via email, slack, and video conferencing.
We deliver 10x the value for a fraction of the cost of a full-time engineer. Our track record is not even funny. If you want things done right and you need it done FAST, then we're your best bet.
- Reference Architecture. You'll get everything you need from the ground up built using 100% infrastructure as code.
- Release Engineering. You'll have end-to-end CI/CD with unlimited staging environments.
- Site Reliability Engineering. You'll have total visibility into your apps and microservices.
- Security Baseline. You'll have built-in governance with accountability and audit logs for all changes.
- GitOps. You'll be able to operate your infrastructure via Pull Requests.
- Training. You'll receive hands-on training so your team can operate what we build.
- Questions. You'll have a direct line of communication between our teams via a Shared Slack channel.
- Troubleshooting. You'll get help to triage when things aren't working.
- Code Reviews. You'll receive constructive feedback on Pull Requests.
- Bug Fixes. We'll rapidly work with you to fix any bugs in our projects.
Join our Open Source Community on Slack. It's FREE for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally sweet infrastructure.
Participate in our Discourse Forums. Here you'll find answers to commonly asked questions. Most questions will be related to the enormous number of projects we support on our GitHub. Come here to collaborate on answers, find solutions, and get ideas about the products and services we value. It only takes a minute to get started! Just sign in with SSO using your GitHub account.
Sign up for our newsletter that covers everything on our technology radar. Receive updates on what we're up to on GitHub as well as awesome new projects we discover.
Join us every Wednesday via Zoom for our weekly "Lunch & Learn" sessions. It's FREE for everyone!
Please use the issue tracker to report any bugs or file feature requests.
If you are interested in being a contributor and want to get involved in developing this project or help out with our other projects, we would love to hear from you! Shoot us an email.
In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.
- Fork the repo on GitHub
- Clone the project to your own machine
- Commit changes to your own branch
- Push your work back up to your fork
- Submit a Pull Request so that we can review your changes
NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!
Copyright © 2017-2022 Cloud Posse, LLC
See LICENSE for full details.
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
All other trademarks referenced herein are the property of their respective owners.
This project is maintained and funded by Cloud Posse, LLC. Like it? Please let us know by leaving a testimonial!
We're a DevOps Professional Services company based in Los Angeles, CA. We ❤️ Open Source Software.
We offer paid support on all of our projects.
Check out our other projects, follow us on twitter, apply for a job, or hire us to help with your cloud strategy and implementation.
Erik Osterman |
Igor Rodionov |
Andriy Knysh |
Sarkis Varozian |
---|