terraform-aws-ecs-alb-service-task

what

• logs:CreateLogGroup added

why

• This allows the ECS Service to create the log group so it does need to be created by the module user before hand.

what

• ssm:GetParameters action added to ecs_exec role

why

• ssm:GetParameters allows to use the secrets and valueFrom for the ssm params

what

• Add option to set NLB ingress rule

why

• NLBs do not support security group membership, but it is nonetheless useful to specify the CIDR ingress rule for the ECS security group, as the code does for the ALB

what

• Add support for "capacity_provider_strategy"

why

• Reduce costs by specifying different capacity_provider

Example configuration for FARGATE_SPOT to reduce ECS Fargate workloads costs

capacity_provider_strategies = [
    {
      capacity_provider = "FARGATE_SPOT"
      weight            = 3
      base              = null
    },
    {
      capacity_provider = "FARGATE"
      weight            = 1
      base              = null
    }
]

what

• Add option to define an empty ALB SGs

why

• This option is for the cases where ECS launch type is EC2 and the network mode is host and there is no ALB fronting the application

what

• Add missing configuration options/blocks that are available in terraform AWS provider:

  • aws_ecs_service

    • placement_constraints
    • platform_version
    • service_registries
    • scheduling_strategy
    • ordered_placement_strategy

  • aws_ecs_task_definition

    • placement_constraints
    • proxy_configuration

why

• Allow to specify the arguments/blocks for ECS service and task definition

what

• Port module to Terraform 0.12
• Pin all providers
• Add example for testing
• Add bats and terratest for the example
• Add Codefresh badge to point to the test pipeline in terraform-modules project
• Update README

why

• Module currently does not work with 0.12. Much easier syntax
• Better regression control
• Automatically test the example on every commit and pull request
• Provision resources on AWS in the test account and check the outputs for the correct values
• terraform-modules project contains pipelines for all terraform modules

related

• Closes #33
• Closes #22
• Cloes #30

test

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

container_definition_json = [{"command":null,"cpu":256,"dependsOn":null,"dnsServers":null,"dockerLabels":null,"entryPoint":null,"environment":[{"name":"false_boolean_var","value":"false"},{"name":"integer_var","value":"42"},{"name":"string_var","value":"I am a string"},{"name":"true_boolean_var","value":"true"}],"essential":true,"firelensConfiguration":null,"healthCheck":null,"image":"cloudposse/geodesic","links":null,"logConfiguration":null,"memory":256,"memoryReservation":128,"mountPoints":null,"name":"geodesic","portMappings":[{"containerPort":80,"hostPort":80,"protocol":"tcp"},{"containerPort":443,"hostPort":443,"protocol":"udp"}],"privileged":null,"readonlyRootFilesystem":false,"repositoryCredentials":null,"secrets":null,"startTimeout":30,"stopTimeout":30,"systemControls":null,"ulimits":null,"user":null,"volumesFrom":null,"workingDirectory":null}]

container_definition_json_map = {"command":null,"cpu":256,"dependsOn":null,"dnsServers":null,"dockerLabels":null,"entryPoint":null,"environment":[{"name":"false_boolean_var","value":"false"},{"name":"integer_var","value":"42"},{"name":"string_var","value":"I am a string"},{"name":"true_boolean_var","value":"true"}],"essential":true,"firelensConfiguration":null,"healthCheck":null,"image":"cloudposse/geodesic","links":null,"logConfiguration":null,"memory":256,"memoryReservation":128,"mountPoints":null,"name":"geodesic","portMappings":[{"containerPort":80,"hostPort":80,"protocol":"tcp"},{"containerPort":443,"hostPort":443,"protocol":"udp"}],"privileged":null,"readonlyRootFilesystem":false,"repositoryCredentials":null,"secrets":null,"startTimeout":30,"stopTimeout":30,"systemControls":null,"ulimits":null,"user":null,"volumesFrom":null,"workingDirectory":null}

ecs_cluster_arn = arn:aws:ecs:us-east-2:126450723953:cluster/eg-test-ecs-alb-service-task
ecs_cluster_id = arn:aws:ecs:us-east-2:126450723953:cluster/eg-test-ecs-alb-service-task
ecs_exec_role_policy_id = eg-test-ecs-alb-service-task-exec:eg-test-ecs-alb-service-task-exec
ecs_exec_role_policy_name = eg-test-ecs-alb-service-task-exec

private_subnet_cidrs = [
  "172.16.0.0/19",
  "172.16.32.0/19",
]

public_subnet_cidrs = [
  "172.16.96.0/19",
  "172.16.128.0/19",
]

service_name = eg-test-ecs-alb-service-task
service_role_arn = arn:aws:iam::126450723953:role/eg-test-ecs-alb-service-task-service
service_security_group_id = sg-00c87f151c0393e7d
task_definition_family = eg-test-ecs-alb-service-task
task_definition_revision = 1
task_exec_role_arn = arn:aws:iam::126450723953:role/eg-test-ecs-alb-service-task-exec
task_exec_role_name = eg-test-ecs-alb-service-task-exec
task_role_arn = arn:aws:iam::126450723953:role/eg-test-ecs-alb-service-task-task
task_role_id = AROAR24IM5RYQGCHM4V3M
task_role_name = eg-test-ecs-alb-service-task-task
vpc_cidr = 172.16.0.0/16

what

• Add support for multiple load_balancer configs

why

• As of AWS provider 2.22, multiple load_balancer configs are supported

references

• https://www.terraform.io/docs/providers/aws/r/ecs_service.html#load_balancer-1
• https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html

what

• Add optional "propagate_tags" variable

why

• Variable allows to set optional "propagate_tags" argument on "aws_ecs_service" resource

what

• Add deployment_controller option

why

• ECS Service supports a deployment_controller to enable support for CodeDeploy integration. This further enables the ability to use Blue/Green deployments via CodeDeploy

what

• Allow configuration of auto assign public IP

why

• Add assign_public_ip variable
• Rename variable private_subnet_ids to subnet_ids because it was misleading - public subnet ids can also be set

references

• https://www.terraform.io/docs/providers/aws/r/ecs_service.html#network_configuration-1

what

• Fix name for "aws_security_group" "ecs_service"

why

• Wrong label was used for name in "aws_security_group" "ecs_service". Since the default label was used without any additional attributes to disambiguate the names, when deploying the cluster, there were errors that a Security Group with the same name already existed. For the Security Group for the ECS service, should use the service_label

what

• Add task definition family and revision to module outputs

why

• The outputs can be used in other modules

what

• Make volumes configurable

why

Allows to add volume definitions to task like this

module "alb_service_task" {
  source                    = "../terraform-aws-ecs-alb-service-task"
  volumes = [
    {
      name = "${module.label_base.id}-data"
      docker_volume_configuration = [
        {
          scope         = "shared"
          autoprovision = true
        },
      ]
    },
  ]
}

what

• Enable resource tagging for all resources

why

• Resource tags are uniform across all resources provisioned by this module
• More accurate observability when creating a resource group for said resources