terraform-aws-ecs-alb-service-task

what

• This PR adds a new variable, security_group_enabled (default: true), that lets you disable the creation of aws_security_group.ecs_service

why

• Currently there is no way to disable the creation of aws_security_group.ecs_service, even if you disable its security group rules through var.enable_all_egress_rule, var.enable_icmp_rule, var.use_alb_security_group, and var.use_nlb_cidr_blocks.
• In my case, I wanted to use my own security group by specifying its id in var.security_group_ids. Not being able to disable the creation of aws_security_group.ecs_service led to clutter in the list of security groups in AWS console and potential confusion as to which ones were actually used
• It would also be an option to not create aws_security_group.ecs_service when no security group rules would be created, but I thought it better to have an explicit variable for controlling it

🚀 Enhancements

what

• https://github.com/cloudposse/terraform-aws-ecs-alb-service-task/pull/155 was meant/stated to fix https://github.com/cloudposse/terraform-aws-ecs-alb-service-task/issues/136, but the PR didn't actually change the line that was causing the issue
• This PR makes the necessary change to fix the issue, which is to change the conditional for determining whether to create an IAM role for the ECS service that this module provisions: don't create the role if var.ecs_load_balancers is empty; otherwise, create it

why

• The IAM role is assigned a policy that allows it to call load balancer APIs, which isn't necessary if no load balancing is needed
• Trying to attach the role to the ECS service anyways with network mode set to bridge results in an error as noted by #136

references

Previous PRs

• https://github.com/cloudposse/terraform-aws-ecs-alb-service-task/pull/118 (used == at first, later changed to >=)
• https://github.com/cloudposse/terraform-aws-ecs-alb-service-task/pull/137 (uses >=, was closed in favor of #118)
• https://github.com/cloudposse/terraform-aws-ecs-alb-service-task/pull/145 (uses ==, was closed in favor of #155)

…reated yet only one is needed #146

what

• Removes volumes variable in favor of two variables: efs_volumes and docker_volumes

why

• Currently, both docker_volume_configuration and efs_volume_configuration properties are required on all volumes objects
• This causes 2 volume blocks to be created: one as docker_volume_configuration and the other as efs_volume_configuration regardless of which is actually needed
• The aws_ecs_task_definition resource does not allow multiple types of volumes to be defined and throws the error ClientException: When the volume parameter is specified, only one volume configuration type should be used.

references

• Side effect of Optional arguments in object variable type definition
• closes #146

what

• Adds var.ephemeral_storage_size + usage within the task definition

why

• Enables Fargate tasks to increase the size of their ephemeral storage

references

• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#ephemeral_storage
• https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_EphemeralStorage.html

🚀 Enhancements

what

• Add empty string to the try function in service_name and service_arn outputs.

why

• Prevent error when module enabled is set to false.

🚀 Enhancements

what and why

• Reverts #117, #120, #151 to restore the ability to move forward on bug fixes and new features while maintaining backward compatibility
• Supersedes and closes #118, closes #136, via #137, #145, thanks to @ragumix, @verbalius, @asiragusa
• Reimplements #120 reverted above to maintain that functionality, closes #122, thanks to @flywheelnz, @joe-niland
• Fixes #123
• Supersedes #125, thanks to @nitrocode
• Supersedes and closes #129, closes #130, closes #133
• Supersedes and closes #138, thanks to @mrsufgi
• Closes #139, supersedes and closes #140, thanks to @fentonfentonfenton
• Supersedes #143, closes #142, thanks to @missylbytes
• Supersedes #144, thanks to @mrsufgi
• Supersedes, implements, and closes #151, closes #152, thanks to @ethanrubio
• Supersedes #154, thanks to @korenyoni

what

• add configurable runtime platform to the AWS task definiton

why

• so we can spin up ARM Fargate tasks

references

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#runtime_platform

We are revising and standardizing our handling of security groups and security group rules across all our Terraform modules. This is an early attempt with significant breaking changes. We will make further breaking changes soon, so using this version is not recommended.

what

• Updated to support deployment circuit breaker and optional rollback

why

• AWS feature compatability

We are revising and standardizing our handling of security groups and security group rules across all our Terraform modules. This is an early attempt with significant breaking changes. We will make further breaking changes soon, so using this version is not recommended.

what

• use security-group module instead of resource
• update tests

why

• more flexible than current implementation
• bring configuration of security group/rules to one standard

references

• CPCO-409

what

• Add ignore_desired_count aws_ecs_service that has lifecycle setup to ignore desired_count changes

why

• Desired count is a rough estimate that can be volatile during peak hours of the service that the containers serve
• Autoscaling policies may have scaled the number of tasks to above/below the desired count, so on a deployment of a new feature/change we don't want the desired count to be reset

references

• No GitHub Issue for this as far as I'm aware

🚀 Enhancements

what

I removed the template provider

why

It is not used anywhere and the provider itself is deprecated and without a darwin arm64 release, making it unusable for new macbook users.

what

• enable_execute_command added

why

• to be able to use ECS Exec

references

• https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html

🚀 Enhancements

what

• Added the force_new_deployment flag to force new task deployment of the service
• Updated github configs

why

• To make it possible to force a new deployment

🚀 Enhancements

what

• Add name_prefix and lifecycle to sg

why

• Name changes to the security group may not be able to be destroyed easily.

references

• https://github.com/cloudposse/terraform-aws-ecs-alb-service-task/issues/77

note

Unsure if both the lifecycle and the name_prefix args need to be set. Might be good enough just to do the lifecycle.

I'm thinking it might be better to remove the name_prefix and see if the lifecycle clears the issue for the user.

what

• Add var.service_role_arn

why

• We reuse our service role and would like to reuse it within this module to save us from creating a redundant role

references

• https://github.com/cloudposse/terraform-aws-ecs-alb-service-task/issues/81

what

• Add input variable for ecs service wait_for_steady_state
• Defaults to false which is the default on the aws_ecs_service resource

why

• Allows the module to wait until the service is in a steady state before applying successfully

references

• https://github.com/cloudposse/terraform-aws-ecs-alb-service-task/issues/91

what

• Reuse existing task definition family and revision

why

• I'd like to recreate a service on a new cluster without having to recreate the task definition. By supplying the task definition family and revision, I can achieve this.

references

• https://github.com/cloudposse/terraform-aws-ecs-alb-service-task/issues/80

what

• Only create the sg if network_mode == awsvpc

why

• Looks like the security group is used only if var.network_mode = "awsvpc"

references

• https://github.com/cloudposse/terraform-aws-ecs-alb-service-task/issues/102

what

• Set enable_icmp_rule default to false

why

• It doesn't make sense to me why icmp is enabled by default. It should be enabled if it's needed. I have to explicitly disable this one each service.

references

• https://github.com/cloudposse/terraform-aws-ecs-alb-service-task/issues/105

what

• Fixed up the variable descriptions

why

• Fixed markdown formatting of links
• Added more information on var.launch_type = "awsvpc"

references

N/A