Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/launchbynttdata/tf-aws-module_collection-ecs_appmesh_ingress


https://github.com/launchbynttdata/tf-aws-module_collection-ecs_appmesh_ingress

aws collection terraform

Last synced: 5 days ago
JSON representation

Awesome Lists containing this project

README 

        
# tf-aws-module_collection-ecs_appmesh_ingress



[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)

[![License: CC BY-NC-ND 4.0](https://img.shields.io/badge/License-CC_BY--NC--ND_4.0-lightgrey.svg)](https://creativecommons.org/licenses/by-nc-nd/4.0/)



## Overview



This terraform module creates an ingress route into the ECS Cluster using App Mesh through an Application Load Balancer and a `Virtual Gateway`.



This module provisions an Application Load Balancer (ALB) with a HTTPs listener, listening on port `443`. All incoming traffic to this App Mesh are routed through this load balancer. The ALB routes traffic to the Virtual Gateway through the `envoy proxy` running as an ECS Service.

Once the traffic reaches the Virtual Gateway listener, there can be multiple `gateway routes` configured at the Virtual gateway to route the traffic to respective backends (ECS Service) through the configured Virtual Services that uses CloudMap service discovery to discover the ECS task instances.

This module just configures a single gateway route `/health` for the ALB to perform health checks on. It is a single HTTP server configured to return `200 OK`.



The following AWS resources are provisioned in this module

- Application Load Balancer

  - Listeners

  - Target Group

  - Security Group

- ACM Certificate for Load Balancer

- Public DNS record for Load Balancer. Optionally, creates a vanity URL (CName record)

- Virtual Gateway

  - ECS Service

  - Task Definition

  - Security Group

  - IAM roles for Task and Task Execution

- Health Check ECS application

  - ECS Service

  - Task Definition

  - Virtual Service

  - Virtual Node

  - Service Discovery Service

  - Private Certificate for Service Discovery Endpoint

- Virtual Gateway route for the above Health Check service



Below are some important considerations for the App Mesh Ingress configuration on ECS cluster

- All ingress traffic must pass through the Virtual Gateway

- In order for the ALB health checks to not fail for a deployed Virtual Gateway in ECS (without any actual apps deployed), it must have a backend configured for health-checks. In this module, we deploy a simple HTTP server for health checks of Virtual gateway.

- The backend services that do not need route from outside the Mesh may not have a route configured in Virtual Gateway.

  - These services can be accessed by other services inside the Mesh using the Service Discovery endpoints (configured using CloudMap)

  - The security group of these services must allow ingress traffic on the `application port` for these services

- All the backend services that need a route from outside the Mesh must have a `gateway route` configured in the Virtual gateway

  - Virtual gateway supports 2 kinds of routing

    - Path based routing

    - Matching Hostname header based routing

- ALB is configured with HTTPs listener. In order to provision certificates for TLS, a custom domain name must be configured for the ALB. TLS certificates cannot be provisioned for the default AWS URL.

  - We use an `internal` ALB in this project

  - An HTTP listener is also configured to redirect all traffic at port `80` to `443`.

  - An `A record` is created in the `public` hosted zone in the AWS account

  - A certificate is provisioned for the `A record` as the first domain name in the ACM certificate

    - Additional SANs can be added for other CNAME records pointing to the ALB. This can be useful for `hostname` header based routing.

- ALB Target Group must be configured for `HTTPS` at port `443`. The health check port should ideally be `443` but can be any other port

  - The health check port must match the `application port` of the `envoy proxy` container in the task definition for Virtual Gateway ECS Service. The Virtual Gateway `listener port` and the `health check port` should also be the same.

  - The health check path can be anything, defaulting to `/`. If anything else is selected like `/health`, the corresponding `gateway route` must be configured to have the same `match_path_prefix`

- ALB Security group should allow ingress traffic on port `443` and optionally `80` (will be auto redirected by HTTP listener)

- Virtual Gateway Security Group configured on the ECS Service allows ingress traffic only from the `ALB Security Group`

  - Optionally, it can allow ingress traffic on `9901` port to check stats on the App Mesh.



## Usage

Several sample variable files [tfvars](./sample-tfvars) are available in the root directory which can be used to test this module. User needs to follow the below steps to execute this module

1. Update the `tfvars` file to manually enter values for all fields marked within `<>` to make the variable file usable

2. Create a file `provider.tf` with the below contents

   ```

    provider "aws" {

      profile = ""

      region  = ""

    }

    ```

   If using `SSO`, make sure you are logged in `aws sso login --profile `

3. Make sure terraform binary is installed on your local. Use command `type terraform` to find the installation location. If you are using `asdf`, you can run `asfd install` and it will install the correct terraform version for you. `.tool-version` contains all the dependencies.

4. Run the `terraform` to provision infrastructure on AWS

    ```

    # Initialize

    terraform init

    # Plan

    terraform plan -var-file example.tfvars

    # Apply (this is create the actual infrastructure)

    terraform apply -var-file example.tfvars -auto-approve

   ```

## Known Issues and Guidelines



1. The ALB is currently set to only work with TLS listener in this module. Unable to make it work for both HTTP and TLS listener in if/else. The parent module is not supporting

2. If `tls_enforce=true` in this module, then ensure that any applications deployed to this cluster that uses this ingress must also have `tls_enforce=true`, else those modules will fail to talk to the ingress

3. Sometimes the `terraform destroy` is unable to destroy all resources and fails with error shown below. But, this is mitigated by running `terraform destroy` again.

```shell

│ Error: deleting App Mesh Virtual Router (a0602f30-46ea-49ce-b545-a9255087d0dd): operation error App Mesh: DeleteVirtualRouter, https response error StatusCode: 409, RequestID: 0f756a18-5adc-43a4-9622-7590885de530, ResourceInUseException: VirtualRouter with name xxxx cannot be deleted because it is a VirtualService provider

```

## Pre-Commit hooks



[.pre-commit-config.yaml](.pre-commit-config.yaml) file defines certain `pre-commit` hooks that are relevant to terraform, golang and common linting tasks. There are no custom hooks added.



`commitlint` hook enforces commit message in certain format. The commit contains the following structural elements, to communicate intent to the consumers of your commit messages:



- **fix**: a commit of the type `fix` patches a bug in your codebase (this correlates with PATCH in Semantic Versioning).

- **feat**: a commit of the type `feat` introduces a new feature to the codebase (this correlates with MINOR in Semantic Versioning).

- **BREAKING CHANGE**: a commit that has a footer `BREAKING CHANGE:`, or appends a `!` after the type/scope, introduces a breaking API change (correlating with MAJOR in Semantic Versioning). A BREAKING CHANGE can be part of commits of any type.

footers other than BREAKING CHANGE:  may be provided and follow a convention similar to git trailer format.

- **build**: a commit of the type `build` adds changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)

- **chore**: a commit of the type `chore` adds changes that don't modify src or test files

- **ci**: a commit of the type `ci` adds changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)

- **docs**: a commit of the type `docs` adds documentation only changes

- **perf**: a commit of the type `perf` adds code change that improves performance

- **refactor**: a commit of the type `refactor` adds code change that neither fixes a bug nor adds a feature

- **revert**: a commit of the type `revert` reverts a previous commit

- **style**: a commit of the type `style` adds code changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)

- **test**: a commit of the type `test` adds missing tests or correcting existing tests



Base configuration used for this project is [commitlint-config-conventional (based on the Angular convention)](https://github.com/conventional-changelog/commitlint/tree/master/@commitlint/config-conventional#type-enum)



If you are a developer using vscode, [this](https://marketplace.visualstudio.com/items?itemName=joshbolduc.commitlint) plugin may be helpful.



`detect-secrets-hook` prevents new secrets from being introduced into the baseline. TODO: INSERT DOC LINK ABOUT HOOKS



In order for `pre-commit` hooks to work properly



- You need to have the pre-commit package manager installed. [Here](https://pre-commit.com/#install) are the installation instructions.

- `pre-commit` would install all the hooks when commit message is added by default except for `commitlint` hook. `commitlint` hook would need to be installed manually using the command below



```

pre-commit install --hook-type commit-msg

```



## To test the resource group module locally



1. For development/enhancements to this module locally, you'll need to install all of its components. This is controlled by the `configure` target in the project's [`Makefile`](./Makefile). Before you can run `configure`, familiarize yourself with the variables in the `Makefile` and ensure they're pointing to the right places.



```

make configure

```



This adds in several files and directories that are ignored by `git`. They expose many new Make targets.



2. The first target you care about is `env`. This is the common interface for setting up environment variables. The values of the environment variables will be used to authenticate with cloud provider from local development workstation.



`make configure` command will bring down `aws_env.sh` file on local workstation. Developer would need to modify this file, replace the environment variable values with relevant values.



These environment variables are used by `terratest` integration suit.



Then run this make target to set the environment variables on developer workstation.



```

make env

```



3. The first target you care about is `check`.



**Pre-requisites**

Before running this target it is important to ensure that, developer has created files mentioned below on local workstation under root directory of git repository that contains code for primitives/segments. Note that these files are `aws` specific. If primitive/segment under development uses any other cloud provider than AWS, this section may not be relevant.



- A file named `provider.tf` with contents below



```

provider "aws" {

  profile = ""

  region  = ""

}

```



- A file named `terraform.tfvars` which contains key value pair of variables used.



Note that since these files are added in `gitignore` they would not be checked in into primitive/segment's git repo.



After creating these files, for running tests associated with the primitive/segment, run



```

make check

```



If `make check` target is successful, developer is good to commit the code to primitive/segment's git repo.



`make check` target



- runs `terraform commands` to `lint`,`validate` and `plan` terraform code.

- runs `conftests`. `conftests` make sure `policy` checks are successful.

- runs `terratest`. This is integration test suit.

- runs `opa` tests



# Know Issues

Currently, the `encrypt at transit` is not supported in terraform. There is an open issue for this logged with Hashicorp - https://github.com/hashicorp/terraform-provider-aws/pull/26987



## Requirements



| Name | Version |

|------|---------|

|  [terraform](#requirement\_terraform) | ~> 1.0 |

|  [aws](#requirement\_aws) | ~> 5.0 |



## Providers



| Name | Version |

|------|---------|

|  [aws](#provider\_aws) | 5.67.0 |



## Modules



| Name | Source | Version |

|------|--------|---------|

|  [resource\_names](#module\_resource\_names) | terraform.registry.launch.nttdata.com/module_library/resource_name/launch | ~> 2.0 |

|  [sg\_alb](#module\_sg\_alb) | terraform-aws-modules/security-group/aws | ~> 4.17.1 |

|  [alb\_logs\_s3](#module\_alb\_logs\_s3) | terraform-aws-modules/s3-bucket/aws | ~> 3.8.2 |

|  [alb](#module\_alb) | terraform-aws-modules/alb/aws | ~> 8.7 |

|  [alb\_dns\_records](#module\_alb\_dns\_records) | terraform.registry.launch.nttdata.com/module_primitive/dns_record/aws | ~> 1.0 |

|  [acm](#module\_acm) | terraform-aws-modules/acm/aws | ~> 4.3.2 |

|  [sds](#module\_sds) | terraform.registry.launch.nttdata.com/module_primitive/service_discovery_service/aws | ~> 1.0 |

|  [private\_certs](#module\_private\_certs) | terraform.registry.launch.nttdata.com/module_primitive/acm_private_cert/aws | ~> 1.0 |

|  [virtual\_gateway](#module\_virtual\_gateway) | terraform.registry.launch.nttdata.com/module_primitive/virtual_gateway/aws | ~> 1.0 |

|  [ecs\_task\_execution\_policy](#module\_ecs\_task\_execution\_policy) | cloudposse/iam-policy/aws | ~> 2.0.1 |

|  [ecs\_task\_policy](#module\_ecs\_task\_policy) | cloudposse/iam-policy/aws | ~> 2.0.1 |

|  [virtual\_gateway\_container\_definition](#module\_virtual\_gateway\_container\_definition) | git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git | tags/0.61.1 |

|  [sg\_ecs\_service\_vgw](#module\_sg\_ecs\_service\_vgw) | terraform-aws-modules/security-group/aws | ~> 4.17.1 |

|  [virtual\_gateway\_ecs\_service](#module\_virtual\_gateway\_ecs\_service) | cloudposse/ecs-alb-service-task/aws | ~> 0.67.1 |

|  [ecs\_app\_heart\_beat](#module\_ecs\_app\_heart\_beat) | terraform.registry.launch.nttdata.com/module_collection/ecs_appmesh_app/aws | ~> 1.0 |

|  [additional\_cnames](#module\_additional\_cnames) | terraform.registry.launch.nttdata.com/module_primitive/dns_record/aws | ~> 1.0 |



## Resources



| Name | Type |

|------|------|

| [aws_route53_zone.dns_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |



## Inputs



| Name | Description | Type | Default | Required |

|------|-------------|------|---------|:--------:|

|  [logical\_product\_family](#input\_logical\_product\_family) | (Required) Name of the product family for which the resource is created.
    Example: org\_name, department\_name. | `string` | `"launch"` | no |

|  [logical\_product\_service](#input\_logical\_product\_service) | (Required) Name of the product service for which the resource is created.
    For example, backend, frontend, middleware etc. | `string` | `"backend"` | no |

|  [class\_env](#input\_class\_env) | (Required) Environment where resource is going to be deployed. For example. dev, qa, uat | `string` | `"dev"` | no |

|  [instance\_env](#input\_instance\_env) | Number that represents the instance of the environment. | `number` | `0` | no |

|  [instance\_resource](#input\_instance\_resource) | Number that represents the instance of the resource. | `number` | `0` | no |

|  [region](#input\_region) | AWS Region in which the infra needs to be provisioned | `string` | `"us-east-2"` | no |

|  [resource\_names\_map](#input\_resource\_names\_map) | A map of key to resource\_name that will be used by tf-launch-module\_library-resource\_name to generate resource names | 
map(object(
    {
      name       = string
      max_length = optional(number, 60)
    }
  ))
 | 
{
  "acm": {
    "max_length": 60,
    "name": "acm"
  },
  "alb": {
    "max_length": 32,
    "name": "alb"
  },
  "alb_sg": {
    "max_length": 60,
    "name": "albsg"
  },
  "alb_tg": {
    "max_length": 60,
    "name": "albtg"
  },
  "health_check_app_ecs_sg": {
    "max_length": 60,
    "name": "hcappsg"
  },
  "health_check_ecs_app": {
    "max_length": 60,
    "name": "hcsvc"
  },
  "health_check_ecs_td": {
    "max_length": 60,
    "name": "hctd"
  },
  "s3_logs": {
    "max_length": 60,
    "name": "alblogs"
  },
  "sds_vg": {
    "max_length": 60,
    "name": "sdsvg"
  },
  "task_exec_policy": {
    "max_length": 60,
    "name": "execplcy"
  },
  "task_policy": {
    "max_length": 60,
    "name": "taskplcy"
  },
  "vgw_ecs_app": {
    "max_length": 60,
    "name": "vgwsvc"
  },
  "vgw_ecs_sg": {
    "max_length": 60,
    "name": "vgwsg"
  },
  "vgw_ecs_td": {
    "max_length": 60,
    "name": "vgwtd"
  },
  "virtual_gateway": {
    "max_length": 60,
    "name": "vgw"
  }
}
 | no |

|  [vpc\_id](#input\_vpc\_id) | (Required) The VPC ID of the VPC where infrastructure will be provisioned | `string` | n/a | yes |

|  [private\_subnets](#input\_private\_subnets) | (Required) List of private subnets. ECS services provisioned in private subnets would need NAT gateway to access internet.
    Internal ALBs must be provisioned in private subnets | `list(string)` | n/a | yes |

|  [public\_subnets](#input\_public\_subnets) | List of public subnets. ECS services provisioned in public subnets can access internet directly. External ALBs must be
    provisioned in public subnets | `list(string)` | `[]` | no |

|  [subnet\_mapping](#input\_subnet\_mapping) | A list of subnet mapping blocks describing subnets to attach to network load balancer. Required if load\_balancer\_type=network
    More details on the various attributes of subnet\_mapping can be found at
    https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#subnet_mapping
    When subnet\_mapping is specified the private/public subnets variable is ignored. | `list(map(string))` | `[]` | no |

|  [vgw\_security\_group](#input\_vgw\_security\_group) | Security group for the Virtual Gateway ECS application. By default, it allows traffic from ALB on the app\_port

    More details on how to set the below fields can be found at
    https://github.com/terraform-aws-modules/terraform-aws-security-group/blob/master/rules.tf | 
object({
    ingress_rules            = optional(list(string))
    ingress_cidr_blocks      = optional(list(string))
    ingress_with_cidr_blocks = optional(list(map(string)))
    egress_rules             = optional(list(string))
    egress_cidr_blocks       = optional(list(string))
    egress_with_cidr_blocks  = optional(list(map(string)))
    ingress_with_sg          = optional(list(map(string)))
    egress_with_sg           = optional(list(map(string)))
  })
 | `null` | no |

|  [ecs\_cluster\_arn](#input\_ecs\_cluster\_arn) | (Required) ARN of the ECS Cluster where the ingress service will be created | `string` | n/a | yes |

|  [app\_mesh\_id](#input\_app\_mesh\_id) | (Required) ID of the App Mesh where virtual Gateway is to be created. ID and Name are the same for App Mesh | `string` | n/a | yes |

|  [namespace\_name](#input\_namespace\_name) | (Required) Name of the Cloud Map namespace to be used for Service Discovery | `string` | n/a | yes |

|  [namespace\_id](#input\_namespace\_id) | (Required) ID of the Cloud Map namespace to be used for Service Discovery | `string` | n/a | yes |

|  [load\_balancer\_type](#input\_load\_balancer\_type) | The type of the load balancer. Default is 'application'. Can be either application or network. | `string` | `"application"` | no |

|  [is\_internal](#input\_is\_internal) | Whether this load balancer is internal or public facing. If is\_internal=false, then var.public\_subnets or subnet\_mapping must be specified | `bool` | `true` | no |

|  [alb\_sg](#input\_alb\_sg) | (Required) Security Group for the ALB. https://github.com/terraform-aws-modules/terraform-aws-security-group/blob/master/rules.tf | 
object({
    description              = optional(string)
    ingress_rules            = optional(list(string))
    ingress_cidr_blocks      = optional(list(string))
    egress_rules             = optional(list(string))
    egress_cidr_blocks       = optional(list(string))
    ingress_with_cidr_blocks = optional(list(map(string)))
    egress_with_cidr_blocks  = optional(list(map(string)))
  })
 | n/a | yes |

|  [target\_groups](#input\_target\_groups) | (Required) List of target groups for the ALB"
    `target_type` can be ip, instance
    `health_check` must be set for backend\_protocol=HTTPS.
    Valid health\_check attributes are healthy\_threshold, unhealthy\_threshold, path, port, protocol
      - protocol must be HTTP, HTTPS etc. | 
list(object({
    # Need to use name_prefix instead of name as the lifecycle property create_before_destroy is set
    name_prefix      = optional(string, "albtg-")
    backend_protocol = optional(string)
    backend_port     = optional(number)
    target_type      = optional(string)
    health_check     = optional(map(string), {})
  }))
 | n/a | yes |

|  [subject\_alternate\_names](#input\_subject\_alternate\_names) | Additional domain names to be added to the certificate created for ALB. Domain names must be FQDN. | `list(string)` | `[]` | no |

|  [dns\_zone\_name](#input\_dns\_zone\_name) | Name of the Route53 DNS Zone where custom DNS records will be created. Required if use\_https\_listeners=true. var.private\_zone
    must also be specified if this variable is not empty.

    By default, an A record will be created for the ALB with the name as generated by `module.resource_names["alb"].standard`
    In case, additional cnames are required, they can be specified in the `additional_cnames` variable | `string` | n/a | yes |

|  [private\_zone](#input\_private\_zone) | Whether the dns\_zone\_name provided above is a private or public hosted zone. Required if dns\_zone\_name is not empty.
    private\_zone=true means the hosted zone is private and false means it is public. | `string` | `""` | no |

|  [additional\_cnames](#input\_additional\_cnames) | Additional CNAME records to be created in the DNS zone pointing to the ALB. Must be FQDN in form of . | `list(string)` | `[]` | no |

|  [idle\_timeout](#input\_idle\_timeout) | The time in seconds that the connection is allowed to be idle. | `number` | `60` | no |

|  [alb\_logs\_bucket\_id](#input\_alb\_logs\_bucket\_id) | S3 bucket ID for ALB logs | `string` | `""` | no |

|  [alb\_logs\_bucket\_prefix](#input\_alb\_logs\_bucket\_prefix) | S3 bucket prefix for ALB logs | `string` | `null` | no |

|  [use\_https\_listeners](#input\_use\_https\_listeners) | Whether to enable HTTPs in the ALB | `bool` | `true` | no |

|  [listener\_ssl\_policy\_default](#input\_listener\_ssl\_policy\_default) | The security policy if using HTTPS externally on the load balancer.
    [See](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html). | `string` | `"ELBSecurityPolicy-TLS13-1-2-2021-06"` | no |

|  [private\_ca\_arn](#input\_private\_ca\_arn) | ARN of the Private CA. This is used to sign private certificates used in App Mesh. Required when tls\_enforce=true | `string` | `""` | no |

|  [tls\_enforce](#input\_tls\_enforce) | Whether to enforce TLS in App Mesh Virtual Gateway and services | `bool` | `true` | no |

|  [vgw\_logs\_text\_format](#input\_vgw\_logs\_text\_format) | The text format. | `string` | `null` | no |

|  [vgw\_tls\_mode](#input\_vgw\_tls\_mode) | The mode for the listener’s Transport Layer Security (TLS) configuration. Must be one of DISABLED, PERMISSIVE, STRICT. | `string` | `"DISABLED"` | no |

|  [vgw\_tls\_ports](#input\_vgw\_tls\_ports) | If you specify a listener port other than 443, you must specify this field. | `list(number)` | `[]` | no |

|  [vgw\_health\_check\_path](#input\_vgw\_health\_check\_path) | The destination path for the health check request. | `string` | `"/"` | no |

|  [vgw\_health\_check\_protocol](#input\_vgw\_health\_check\_protocol) | The protocol for the health check request. Must be one of [http http2 grpc]. | `string` | `"http"` | no |

|  [vgw\_listener\_port](#input\_vgw\_listener\_port) | The port mapping information for the listener. | `number` | n/a | yes |

|  [vgw\_listener\_protocol](#input\_vgw\_listener\_protocol) | The protocol for the port mapping. Must be one of [http http2 grpc]. | `string` | `"http"` | no |

|  [ecs\_exec\_role\_managed\_policy\_arns](#input\_ecs\_exec\_role\_managed\_policy\_arns) | A Map (ARNs) of AWS managed policies to be attached to the ECS Task Exec role. | `map(string)` | `{}` | no |

|  [ecs\_role\_managed\_policy\_arns](#input\_ecs\_role\_managed\_policy\_arns) | A Map (ARNs) of AWS managed policies to be attached to the ECS Task role. | `map(string)` | `{}` | no |

|  [ecs\_exec\_role\_custom\_policy\_json](#input\_ecs\_exec\_role\_custom\_policy\_json) | Custom policy to attach to ecs task execution role. Document must be valid json. | `string` | `""` | no |

|  [ecs\_role\_custom\_policy\_json](#input\_ecs\_role\_custom\_policy\_json) | Custom policy to attach to ecs task role. Document must be valid json. | `string` | `""` | no |

|  [envoy\_proxy\_image](#input\_envoy\_proxy\_image) | Optional docker image of the envoy proxy in the format `:`
    Default is `840364872350.dkr.ecr.us-east-2.amazonaws.com/aws-appmesh-envoy:v1.29.6.0-prod` | `string` | `""` | no |

|  [ignore\_changes\_task\_definition](#input\_ignore\_changes\_task\_definition) | Lifecycle ignore policy for task definition. If true, terraform won't detect changes when task\_definition is changed outside of terraform | `bool` | `true` | no |

|  [assign\_public\_ip](#input\_assign\_public\_ip) | If true, public IP will be assigned to this service task, else private IP | `bool` | `false` | no |

|  [ignore\_changes\_desired\_count](#input\_ignore\_changes\_desired\_count) | Lifecycle ignore policy for desired\_count. If true, terraform won't detect changes when desired\_count is changed outside of terraform | `bool` | `true` | no |

|  [task\_cpu](#input\_task\_cpu) | Amount of CPU to be allocated to the task | `number` | `512` | no |

|  [task\_memory](#input\_task\_memory) | Amount of Memory to be allocated to the task | `number` | `1024` | no |

|  [health\_check\_grace\_period\_seconds](#input\_health\_check\_grace\_period\_seconds) | Seconds to ignore failing load balancer health checks on newly instantiated tasks to prevent premature shutdown, up to 7200. Only valid for services configured to use load balancers | `number` | `0` | no |

|  [deployment\_minimum\_healthy\_percent](#input\_deployment\_minimum\_healthy\_percent) | The lower limit (as a percentage of `desired_count`) of the number of tasks that must remain running and healthy in a service during a deployment | `number` | `100` | no |

|  [deployment\_maximum\_percent](#input\_deployment\_maximum\_percent) | The upper limit of the number of tasks (as a percentage of `desired_count`) that can be running in a service during a deployment | `number` | `200` | no |

|  [desired\_count](#input\_desired\_count) | The number of instances of the task definition to place and keep running | `number` | `1` | no |

|  [deployment\_controller\_type](#input\_deployment\_controller\_type) | Type of deployment controller. Valid values are `CODE_DEPLOY` and `ECS` | `string` | `"ECS"` | no |

|  [wait\_for\_steady\_state](#input\_wait\_for\_steady\_state) | If true, it will wait for the service to reach a steady state (like aws ecs wait services-stable) before continuing | `bool` | `false` | no |

|  [redeploy\_on\_apply](#input\_redeploy\_on\_apply) | Redeploys the service everytime a terraform apply is executed. force\_new\_deployment should also be true for this flag to work | `bool` | `false` | no |

|  [force\_new\_deployment](#input\_force\_new\_deployment) | Enable to force a new task deployment of the service when terraform apply is executed. | `bool` | `false` | no |

|  [app\_task\_cpu](#input\_app\_task\_cpu) | Amount of CPU to be allocated to the health check app task | `number` | `512` | no |

|  [app\_task\_memory](#input\_app\_task\_memory) | Amount of Memory to be allocated to the health check app task | `number` | `1024` | no |

|  [app\_desired\_count](#input\_app\_desired\_count) | The number of instances of the health check task definition to place and keep running | `number` | `1` | no |

|  [app\_image\_tag](#input\_app\_image\_tag) | Docker image for the heartBeat application, in the format  | `string` | n/a | yes |

|  [app\_port](#input\_app\_port) | The port at which the health check application is running | `number` | n/a | yes |

|  [app\_environment](#input\_app\_environment) | Environment variables to be injected into the heart beat container. Sometimes helpful to set the non standard port | `map(string)` | `{}` | no |

|  [app\_security\_group](#input\_app\_security\_group) | Security group for the health check ECS application. Need to open ports if one wants to access the heart-beat application manually. | 
object({
    ingress_rules            = optional(list(string))
    ingress_cidr_blocks      = optional(list(string))
    ingress_with_cidr_blocks = optional(list(map(string)))
    egress_rules             = optional(list(string))
    egress_cidr_blocks       = optional(list(string))
    egress_with_cidr_blocks  = optional(list(map(string)))
  })
 | `null` | no |

|  [match\_path\_prefix](#input\_match\_path\_prefix) | Virtual gateway route path match. Must be same as the ALB health check path | `string` | `"/"` | no |

|  [tags](#input\_tags) | A map of custom tags to be associated with the resources | `map(string)` | `{}` | no |



## Outputs



| Name | Description |

|------|-------------|

|  [resource\_names](#output\_resource\_names) | A map of resource\_name\_types to generated resource names used in this module |

|  [app\_sg\_id](#output\_app\_sg\_id) | The ID of the VPC Endpoint Security Group |

|  [alb\_dns](#output\_alb\_dns) | AWS provided DNS record of the ALB |

|  [alb\_arn](#output\_alb\_arn) | The ID and ARN of the application load balancer created by the module |

|  [alb\_id](#output\_alb\_id) | The ID and ARN of the application load balancer created by the module |

|  [alb\_sg\_id](#output\_alb\_sg\_id) | ID of the ALB Security Group |

|  [alb\_https\_listener\_arns](#output\_alb\_https\_listener\_arns) | ARNs of the HTTPS Listeners attached to the ALB |

|  [alb\_http\_listener\_arns](#output\_alb\_http\_listener\_arns) | ARNs of the HTTP Listeners attached to the ALB |

|  [dns\_zone\_id](#output\_dns\_zone\_id) | Zone ID of the hosted zone for ALB records provided as input. |

|  [dns\_zone\_name](#output\_dns\_zone\_name) | Name of the Route53 DNS Zone where custom DNS records will be created. Required if use\_https\_listeners=true |

|  [alb\_dns\_records](#output\_alb\_dns\_records) | Custom DNS record for the ALB |

|  [alb\_additional\_dns\_names](#output\_alb\_additional\_dns\_names) | Additional DNS records for the ALB |

|  [private\_ca\_arn](#output\_private\_ca\_arn) | ARN of the Private CA. This is used to sign private certificates used in App Mesh. Required when TLS is enabled in App Mesh |

|  [alb\_cert\_arn](#output\_alb\_cert\_arn) | ARN of the certificate provisioned for ALB by ACM |

|  [virtual\_gateway\_cert\_arn](#output\_virtual\_gateway\_cert\_arn) | ARN of the certificate provisioned for the virtual gateway when var.tls\_enforce is true |

|  [virtual\_gateway\_arn](#output\_virtual\_gateway\_arn) | ARN of the Virtual Gateway |

|  [virtual\_gateway\_task\_definition\_name](#output\_virtual\_gateway\_task\_definition\_name) | Revision of the Virtual Gateway ECS app task definition. |

|  [virtual\_gateway\_task\_definition\_version](#output\_virtual\_gateway\_task\_definition\_version) | Revision of the Virtual Gateway ECS app task definition. |

|  [virtual\_gateway\_name](#output\_virtual\_gateway\_name) | Name of the Virtual Gateway |

|  [tls\_enforce](#output\_tls\_enforce) | Whether TLS is enforced on the Virtual Gateway. If true, all the Virtual Nodes should also enable TLS |

|  [namespace\_id](#output\_namespace\_id) | ID of the Cloud Map namespace to be used for Service Discovery |

|  [namespace\_name](#output\_namespace\_name) | Name of the Cloud Map namespace to be used for Service Discovery |

|  [heartbeat\_app\_task\_definition\_name](#output\_heartbeat\_app\_task\_definition\_name) | Task Definition Version of the HeartBeat application |

|  [heartbeat\_app\_task\_definition\_version](#output\_heartbeat\_app\_task\_definition\_version) | Task Definition Version of the HeartBeat application |