terraform-aws-ecs-alb-service-task

what

• Allow ECS services to register and deregister targets on a Target Group

why

• To support the use of ALBs

references

• https://github.com/cloudposse/terraform-aws-ecs-alb-service-task/issues/65

** what

bump the label module to the latest and allow the environment to be set; add $self to contributors.

what

• Recently AWS announced support for EFS volumes in ECS fargate. This pull request adds those options to the task defenition.

why

• To reflect the current ecr task definition volume configuration options

references

• ecs_task_definition.html#efs-volume-configuration-arguments
• Amazon ECS and AWS Fargate support for Amazon EFS File Systems now generally available

Change-Id: Ib507b196870340011e8afdfc1f381ae735ba9099

what

• The previous PR (https://github.com/cloudposse/terraform-aws-ecs-alb-service-task/pull/63) was incomplete and gives the following error:

Error: "name" must match [\w+=,.@-]

  on .terraform/modules/ecs_alb_service_task/terraform-aws-ecs-alb-service-task-0.32.0/main.tf line 195, in resource "aws_iam_role_policy" "ecs_exec":
 195: resource "aws_iam_role_policy" "ecs_exec" {

• The fix ensures that aws_iam_role_policy and aws_iam_policy_document are not created if task_exec_role_arn is passed in.

why

• Fix the bug.

what

Add tags to aws_ecs_task_definition

why

Tags were defined but missing from the task

references

N/A

what

Overriding the task role arm instead of the module creating a new task role

why

• When moving an ecs service and task over to this module, there may already be a task role present. If there is already a task role present, we shouldn't have to create a new one, then use the outputs to grab the arn, and attach policies to it. It should be able to reuse an existing role.
• An import of the existing role as the new role also wouldn't work due to the name change which will cause a removal and recreation

references

https://github.com/cloudposse/terraform-aws-ecs-alb-service-task/pull/58/

what

Enable or disable the icmp rule on the security group using a flag

why

You may not need icmp so this will give you the option to enable or disable it

references

https://github.com/cloudposse/terraform-aws-ecs-alb-service-task/pull/54

what

• Added description to the ICMP rule

why

• Describing SG rules is a best practice to help auditors

references

• https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html#sg-rules-ping
• see AWS018 in https://github.com/liamg/tfsec#included-checks

what

• Use the ECS service role for the ECS service

why

• The role was created but never used
• Note that the role does not apply if network_mode = "awsvpc"

references

• https://www.terraform.io/docs/providers/aws/r/ecs_service.html#iam_role

what

• Don't tag resources when using old ARN format

why

• If the old ARN format is still used, then this module should not tag the service as that's not possible with the old ARN format

related

• Closes https://github.com/cloudposse/terraform-aws-ecs-alb-service-task/issues/50

what

• Adds permissions_boundary option for the 3 created roles

why

• allow to configure permissions_boundary

what

• logs:CreateLogGroup added

why

• This allows the ECS Service to create the log group so it does need to be created by the module user before hand.

what

• ssm:GetParameters action added to ecs_exec role

why

• ssm:GetParameters allows to use the secrets and valueFrom for the ssm params

what

• Add option to set NLB ingress rule

why

• NLBs do not support security group membership, but it is nonetheless useful to specify the CIDR ingress rule for the ECS security group, as the code does for the ALB

what

• Add support for "capacity_provider_strategy"

why

• Reduce costs by specifying different capacity_provider

Example configuration for FARGATE_SPOT to reduce ECS Fargate workloads costs

capacity_provider_strategies = [
    {
      capacity_provider = "FARGATE_SPOT"
      weight            = 3
      base              = null
    },
    {
      capacity_provider = "FARGATE"
      weight            = 1
      base              = null
    }
]

what

• Add option to define an empty ALB SGs

why

• This option is for the cases where ECS launch type is EC2 and the network mode is host and there is no ALB fronting the application

what

• Add missing configuration options/blocks that are available in terraform AWS provider:

  • aws_ecs_service

    • placement_constraints
    • platform_version
    • service_registries
    • scheduling_strategy
    • ordered_placement_strategy

  • aws_ecs_task_definition

    • placement_constraints
    • proxy_configuration

why

• Allow to specify the arguments/blocks for ECS service and task definition