{"id":16514745,"url":"https://github.com/andgineer/terraform-aws-cloudmap","last_synced_at":"2026-05-19T07:04:40.506Z","repository":{"id":163940149,"uuid":"638800666","full_name":"andgineer/terraform-aws-cloudmap","owner":"andgineer","description":"Terraform Project Template for Service Discovery in ECS Clusters with EC2 and Fargate","archived":false,"fork":false,"pushed_at":"2024-10-19T05:32:21.000Z","size":46,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-10-19T06:31:38.797Z","etag":null,"topics":["aws","cloudmap","dns","ecs-fargate","route53","service-discovery","terraform"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/andgineer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-05-10T06:17:18.000Z","updated_at":"2024-10-19T05:32:24.000Z","dependencies_parsed_at":"2024-10-20T20:09:32.711Z","dependency_job_id":null,"html_url":"https://github.com/andgineer/terraform-aws-cloudmap","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andgineer%2Fterraform-aws-cloudmap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andgineer%2Fterraform-aws-cloudmap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andgineer%2Fterraform-aws-cloudmap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andginee
r%2Fterraform-aws-cloudmap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/andgineer","download_url":"https://codeload.github.com/andgineer/terraform-aws-cloudmap/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241511760,"owners_count":19974456,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cloudmap","dns","ecs-fargate","route53","service-discovery","terraform"],"created_at":"2024-10-11T16:13:41.228Z","updated_at":"2026-05-19T07:04:40.498Z","avatar_url":"https://github.com/andgineer.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS ECS infrastructure template: CloudMap service discovery for Fargate (Service Connect) and EC2 (DNS) clusters\n\nThis template sets up Fargate and EC2-based ECS clusters that use AWS CloudMap for service-to-service communication.\n\n\u003e **⚠️ Example Project - Not Production Ready**\n\u003e\n\u003e This is a demonstration project. Before using in production, address these security issues:\n\u003e - Enable RDS encryption with KMS, IAM authentication, and CloudWatch logs\n\u003e - Configure S3 state bucket encryption and add DynamoDB table for state locking\n\u003e - Replace wildcard IAM permissions with least-privilege policies\n\u003e - Add secrets rotation for database passwords\n\n## Service Discovery\n\n- **Fargate:** Uses AWS Service Connect, creating HTTP-only CloudMap services. Includes an automatic proxy container.\n- **EC2-based ECS:** Uses DNS-based discovery.\n\n### AWS Service Connect (Fargate)\n\n- Creates HTTP-only CloudMap services (no DNS resolution)\n- Requires an additional proxy container (managed by AWS)\n\n### DNS-based Service Discovery (EC2-based ECS)\n\n- If containers use `bridge` mode, creates `SRV` records instead of `A` records (Nginx free version cannot resolve `SRV` records)\n- To get `A` records, use `awsvpc` mode\n\n## Rationale\n\n### Environments (dev, prod, etc)\n\nTo avoid duplicating code, the same `my-application` folder is used for all environments.\nThe state itself lives in S3; what has to be reset when switching environments is the backend configuration that `terraform init` caches locally in `.terraform/`.\n\nTo switch environments, follow these steps:\n\n- Remove the `.terraform` folder (or run `terraform init -reconfigure` with the new backend settings, which replaces the cached backend configuration without deleting anything).\n- Run `terraform init` with the environment variables for the target environment.\n\nDo this on every switch: otherwise `terraform init` notices that the backend settings changed and offers to migrate the previous environment's state into the new one, which is how states of different environments get merged. Nothing is lost by resetting; the state is read back from S3 on the next `terraform init`.\n\nKeep `.terraform.lock.hcl` under version control rather than deleting it: it pins the provider versions and checksums, and regenerating it on every switch lets a different provider build slip in unreviewed.\n\n## Structure\n\n* `terraform/my-application/` - AWS resources for the ECS clusters\n* `terraform/environments/` - Environment-specific variables\n* `terraform/modules/` - Common Terraform code\n* `tests/features/` - BDD tests for the Terraform configuration\n* `Makefile` - Commands for Terraform and tests\n\n## Usage\n\nTo use AWS CLI:\n1. Create an IAM user and include it in the admin group.\n2. Attach `AutoScalingFullAccess` policy.\n3. Create Access Key credentials.\n4. Set credentials in environment variables or `~/.aws/credentials`:\n\n```shell\nexport AWS_ACCESS_KEY_ID=...\nexport AWS_SECRET_ACCESS_KEY=...\n```\n\nAn admin user with a long-lived access key is the broadest credential you can hand out. It is acceptable for a throwaway demo account; for anything shared, prefer AWS SSO (see Option 3 under BDD Testing) or a role scoped to the resources this template creates, and delete the access key when you are done.\n\n### Configure VPC ID\n\nBefore running Terraform, update the VPC ID in your environment configuration file.\n\nTo find available VPCs in your AWS account:\n\n```shell\n# List all VPCs with their details\naws ec2 describe-vpcs --region eu-west-2 \\\n  --query 'Vpcs[*].[VpcId,IsDefault,CidrBlock]' \\\n  --output table\n\n# Get just the default VPC ID\naws ec2 describe-vpcs --region eu-west-2 \\\n  --filters \"Name=isDefault,Values=true\" \\\n  --query 'Vpcs[0].VpcId' \\\n  --output text\n```\n\nUpdate the `vpc_id` value in `terraform/environments/dev/tfvars.hcl` (or the appropriate environment file) with your VPC ID.\n\n## Debugging in the Cloud\n\nECS Exec is enabled for the containers in this configuration (the relevant lines are marked with `# ecs execute-command`).\nSee details in [AWS ECS EXEC](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html).\n\nECS Exec gives any IAM identity that is allowed `ecs:ExecuteCommand` on the cluster an interactive shell inside a running task. Disable it, or restrict it to specific clusters and containers with IAM conditions, before the clusters handle real data.\n\nInstall the [Session Manager plugin](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html#install-plugin-macos) for the AWS CLI locally.\n\nA useful utility to check your system's readiness for ECS EXEC is\n[Exec-checker](https://github.com/aws-containers/amazon-ecs-exec-checker).\n\nYou can connect to the container in ECS using the command below (`execute-command` accepts exactly one task, hence `taskArns[0]`):\n\n```shell\naws ecs execute-command --cluster ec2 \\\n  --task $(aws ecs list-tasks --cluster ec2 --query \"taskArns[0]\" --output text) \\\n  --container ec2 --interactive --command \"/bin/sh\"\n```\n\nTo inspect the active tasks:\n\n```shell\naws ecs describe-tasks --cluster ec2 \\\n  --tasks $(aws ecs list-tasks --cluster ec2 --query \"taskArns\" --output text)\n```\n\n## Developer environment\n\n### Terraform\n\nInstall Terraform from the official website or via Homebrew (macOS).\n\n```shell\nbrew install hashicorp/tap/terraform\n```\n\n### Pre-commit\n\nUse [pre-commit](https://pre-commit.com/#install) hooks to validate the Terraform code quality:\n\n```shell\npre-commit install\n```\n\n#### Terraform code analysis\n\n```shell\nbrew tap liamg/tfsec\nbrew install terraform-docs tflint tfsec checkov\nbrew install pre-commit gawk coreutils\n```\n\n## BDD Testing\n\n### AWS Credentials Setup\n\nThe BDD tests use `terraform plan` to validate your infrastructure configuration **without creating any AWS resources**. This means:\n\n✅ **Tests are completely free** - No AWS resources are created or modified; the plan only makes read-only API calls\n✅ **Safe to run** - Only generates a plan, never applies changes\n⚠️ **AWS credentials still required** - Terraform needs to query existing AWS resources (VPCs, availability zones, etc.)\n\n#### Setting Up Credentials Locally\n\nYou have several options to configure AWS credentials:\n\n**Option 1: AWS Configure (Recommended for development)**\n```shell\naws configure\n# Enter your AWS Access Key ID, Secret Access Key, and default region\n```\n\n**Option 2: Environment Variables**\n```shell\nexport AWS_ACCESS_KEY_ID=\"your-access-key-id\"\nexport AWS_SECRET_ACCESS_KEY=\"your-secret-access-key\"\nexport AWS_DEFAULT_REGION=\"eu-west-2\"\n```\n\n**Option 3: AWS SSO**\n```shell\naws sso login --profile your-profile\nexport AWS_PROFILE=your-profile\n```\n\n**Option 4: AWS Credentials File**\n\nCreate or edit `~/.aws/credentials`:\n```ini\n[default]\naws_access_key_id = your-access-key-id\naws_secret_access_key = your-secret-access-key\n```\n\nAnd `~/.aws/config`:\n```ini\n[default]\nregion = eu-west-2\n```\n\nFor detailed instructions on creating IAM credentials, see the [Usage](#usage) section.\n\n### virtualenv\n\nInstall and/or activate the Python virtual environment (you need [uv](https://github.com/astral-sh/uv) installed):\n\n```shell\n. ./activate.sh\n```\n\nNote the space after the first dot: the script is sourced so that the activation applies to your current shell.\n\n### Terraform init\n\nInitialize Terraform (requires active AWS credentials) with:\n\n```shell\nmake init\n```\n\n### BDD tests\n\nRun comprehensive infrastructure tests covering security, networking, IAM, and resource configuration:\n\n```shell\nmake test\n```\n\n**Test Coverage:**\n- 52 test scenarios across 6 test suites\n- Security: Encryption, IAM policies, network isolation\n- Configuration: ECS, RDS, CloudMap, load balancers\n- Integration: Service discovery, health checks, database setup\n\nSee [tests/TEST_COVERAGE.md](tests/TEST_COVERAGE.md) for detailed test documentation.\n\nVisit [terraform-compliance](https://terraform-compliance.com/pages/Examples/) for more on writing tests.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandgineer%2Fterraform-aws-cloudmap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fandgineer%2Fterraform-aws-cloudmap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandgineer%2Fterraform-aws-cloudmap/lists"}
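The two discovery mechanisms described in the README's Service Discovery section, written out side by side as an added example. This is not code from the andgineer/terraform-aws-cloudmap project. It assumes hypothetical inputs `var.vpc_id` and `var.private_subnet_ids`, a security group `aws_security_group.tasks`, clusters `aws_ecs_cluster.fargate` and `aws_ecs_cluster.ec2`, and task definitions `aws_ecs_task_definition.web` / `aws_ecs_task_definition.api` whose container `app` has a port mapping named `http` on container port 8080; the `ec2_network_mode` variable is assumed to also feed the EC2 task definition's `network_mode`.

```hcl
# Added example; not the project's own code. Hypothetical inputs: var.vpc_id,
# var.private_subnet_ids, aws_security_group.tasks, aws_ecs_cluster.{fargate,ec2}
# and task definitions web/api whose container "app" exposes a port mapping
# named "http" on container port 8080 (Service Connect needs that name).

# ---- Fargate: Service Connect over an HTTP namespace (no DNS records) ----
resource "aws_service_discovery_http_namespace" "app" {
  name = "app.internal"
}

resource "aws_ecs_service" "web_fargate" {
  name            = "web"
  cluster         = aws_ecs_cluster.fargate.id
  task_definition = aws_ecs_task_definition.web.arn
  desired_count   = 2
  launch_type     = "FARGATE"

  network_configuration {
    subnets          = var.private_subnet_ids
    security_groups  = [aws_security_group.tasks.id]
    assign_public_ip = false
  }

  # ECS injects the AWS-managed proxy sidecar into every task; other Service
  # Connect clients in the same namespace reach this service as http://web:80.
  service_connect_configuration {
    enabled   = true
    namespace = aws_service_discovery_http_namespace.app.arn

    service {
      port_name      = "http" # portMappings[].name in the task definition
      discovery_name = "web"
      client_alias {
        port     = 80
        dns_name = "web"
      }
    }
  }
}

# ---- EC2: DNS-based discovery in a private Route 53 namespace ----
# The EC2 task definition's network_mode must match this value.
variable "ec2_network_mode" {
  type    = string
  default = "awsvpc" # A records; "bridge" forces SRV records
}

locals {
  use_srv = var.ec2_network_mode == "bridge"
}

resource "aws_service_discovery_private_dns_namespace" "app" {
  name = "app.local"
  vpc  = var.vpc_id
}

resource "aws_service_discovery_service" "api" {
  name = "api"

  dns_config {
    namespace_id   = aws_service_discovery_private_dns_namespace.app.id
    routing_policy = "MULTIVALUE"
    dns_records {
      # awsvpc tasks own an ENI, so one A record per task is enough. bridge
      # tasks are reachable only at <host IP>:<dynamic host port>, which needs SRV.
      type = local.use_srv ? "SRV" : "A"
      ttl  = 10 # keep low: the record is withdrawn when the task stops
    }
  }

  # Let ECS drive the health of each registered instance (deregister on stop).
  health_check_custom_config {}
}

resource "aws_ecs_service" "api_ec2" {
  name            = "api"
  cluster         = aws_ecs_cluster.ec2.id
  task_definition = aws_ecs_task_definition.api.arn
  desired_count   = 2
  launch_type     = "EC2"

  # Only awsvpc tasks carry their own ENI and therefore need subnets/SGs here.
  dynamic "network_configuration" {
    for_each = local.use_srv ? [] : [1]
    content {
      subnets         = var.private_subnet_ids
      security_groups = [aws_security_group.tasks.id]
    }
  }

  service_registries {
    registry_arn = aws_service_discovery_service.api.arn
    # SRV registration must name the container/port so Cloud Map can publish
    # the dynamic host port; A records need neither.
    container_name = local.use_srv ? "app" : null
    container_port = local.use_srv ? 8080 : null
  }
}
```

With the default `awsvpc` mode, a client behind open-source Nginx can simply `proxy_pass http://api.app.local` and let the resolver return the A records. The `bridge` path needs a client that follows SRV records (for example the NGINX Plus `server ... service=http resolve` form, or the application resolving SRV itself), which is the limitation the README points out.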
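The restriction the README's Debugging section calls for, as an added example rather than the project's own code: an operator policy that can exec only into the `ec2` container of the `ec2` cluster (the names used in the README's `aws ecs execute-command` line), the minimal task-role statements the in-task SSM agent needs, and session logging on the cluster. `aws_kms_key.exec` and `aws_cloudwatch_log_group.ecs_exec` are assumed to exist; the `ecs:cluster` and `ecs:container-name` condition keys are the ones the ECS Exec documentation lists for this purpose.

```hcl
# Added example; not the project's own code. Assumed to exist: aws_kms_key.exec
# and aws_cloudwatch_log_group.ecs_exec. Cluster and container are both named
# "ec2", matching the README's execute-command invocation.

# Cluster side: record every ECS Exec session, encrypted with a customer-managed key.
resource "aws_ecs_cluster" "ec2" {
  name = "ec2"

  configuration {
    execute_command_configuration {
      kms_key_id = aws_kms_key.exec.arn
      logging    = "OVERRIDE"
      log_configuration {
        cloud_watch_encryption_enabled = true
        cloud_watch_log_group_name     = aws_cloudwatch_log_group.ecs_exec.name
      }
    }
  }
}

# Operator side: instead of ecs:* on "*", allow ExecuteCommand only for tasks of
# this cluster and only into the "ec2" container. Both condition keys are
# evaluated on the ExecuteCommand call, so a sidecar or a task in another
# cluster is refused.
data "aws_iam_policy_document" "ecs_exec_operator" {
  statement {
    sid       = "ExecIntoDebugContainerOnly"
    actions   = ["ecs:ExecuteCommand"]
    resources = ["arn:aws:ecs:*:*:task/${aws_ecs_cluster.ec2.name}/*"]

    condition {
      test     = "ArnEquals"
      variable = "ecs:cluster"
      values   = [aws_ecs_cluster.ec2.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "ecs:container-name"
      values   = ["ec2"]
    }
  }

  # Needed for the list-tasks / describe-tasks calls in the README commands.
  statement {
    sid       = "ReadTasks"
    actions   = ["ecs:ListTasks", "ecs:DescribeTasks"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "ecs_exec_operator" {
  name   = "ecs-exec-operator"
  policy = data.aws_iam_policy_document.ecs_exec_operator.json
}

# Task side: the SSM agent inside the task only needs the messaging channel,
# the key used for the session, and the ability to write the session log.
data "aws_iam_policy_document" "task_exec_channel" {
  statement {
    actions = [
      "ssmmessages:CreateControlChannel",
      "ssmmessages:CreateDataChannel",
      "ssmmessages:OpenControlChannel",
      "ssmmessages:OpenDataChannel",
    ]
    resources = ["*"] # ssmmessages has no resource-level permissions
  }
  statement {
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.exec.arn]
  }
  statement {
    actions   = ["logs:DescribeLogGroups"]
    resources = ["*"]
  }
  statement {
    actions = [
      "logs:CreateLogStream",
      "logs:DescribeLogStreams",
      "logs:PutLogEvents",
    ]
    resources = ["${aws_cloudwatch_log_group.ecs_exec.arn}:*"]
  }
}
```

Attach `aws_iam_policy.ecs_exec_operator` to the people who run the README's `aws ecs execute-command`, and the `task_exec_channel` document to the task role of the `ec2` service (the service still needs ECS Exec turned on, which the project already does). The log group then carries every command typed in a debugging shell, so a demo-time convenience leaves an audit trail instead of an unlogged root shell.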