https://github.com/wearetechnative/terraform-aws-ecs
Terraform module to provision an ECS cluster, with fargate, service and ALB
Last synced: 4 months ago
- Host: GitHub
- URL: https://github.com/wearetechnative/terraform-aws-ecs
- Owner: wearetechnative
- License: apache-2.0
- Created: 2023-10-24T14:06:10.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2025-05-15T09:14:05.000Z (about 1 year ago)
- Last Synced: 2025-05-15T09:40:43.536Z (about 1 year ago)
- Language: HCL
- Size: 246 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Terraform AWS ECS 
This module implements an ECS cluster and the pieces around it: a Fargate capacity provider, task definitions, services (ALB target groups, autoscaling, service discovery) and EventBridge-scheduled tasks, each as its own submodule.
## How does it work
### First use after you clone this repository or when .pre-commit-config.yaml is updated
Run `pre-commit install` to install any guardrails implemented using pre-commit.
See [pre-commit installation](https://pre-commit.com/#install) on how to install pre-commit.
## Usage
To use this module, call the submodule for the domain you need (`ecs_cluster`, `ecs_fargate_capacity_provider`, `ecs_service`, `ecs_scheduled_task`, `ecs_task_definition`, `ecs_account_settings`, `ecs_default_service_linked_role`); each domain's inputs and outputs are listed below. The placeholder snippet that ships with the README:
```hcl
{
  some_conf = "might need explanation"
}
```
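Worked wiring of the three core submodules (cluster, Fargate capacity provider, service), added here as an example and not taken from the module's README. It assumes the submodules are addressed by the domain directory names used on this page, that the KMS key, log group, SQS queue, IAM roles, subnets, security group, SSM parameter and target group it references are defined elsewhere in the same root module, and it uses the placeholder account 123456789012 in eu-west-1.

```hcl
# Added example (not from the module's README). Assumed: the submodules are
# reachable at the domain directory names used above, and every aws_* and
# local.* reference below is defined elsewhere in this root module.

module "ecs_cluster" {
  source = "github.com/wearetechnative/terraform-aws-ecs//ecs_cluster"

  name               = "app-prod"
  kms_key_arn        = aws_kms_key.ecs.arn
  container_insights = "enabled"
  tags               = local.tags
}

module "fargate" {
  source = "github.com/wearetechnative/terraform-aws-ecs//ecs_fargate_capacity_provider"

  ecs_cluster_arn = module.ecs_cluster.ecs_cluster_arn
  use_spot        = false # FARGATE_SPOT tasks can be interrupted; stay on-demand for production
}

module "api" {
  source = "github.com/wearetechnative/terraform-aws-ecs//ecs_service"

  name                   = "api"
  ecs_cluster_arn        = module.ecs_cluster.ecs_cluster_arn
  capacity_provider_name = module.fargate.capacity_provider_name

  # Pin to an immutable tag (enable tag immutability on the ECR repository)
  # so a redeploy cannot silently pull a different image.
  docker_image_url = "123456789012.dkr.ecr.eu-west-1.amazonaws.com/api"
  docker_image_tag = "v1.4.2"

  task_cpu_units    = 512
  task_memory_units = 1024

  # Two roles, two jobs: the execution role pulls the image and resolves
  # secrets at start; the task role is what the application code can use.
  execution_role_arn = aws_iam_role.api_execution.arn
  task_role_arn      = aws_iam_role.api_task.arn

  cloudwatch_group_name = aws_cloudwatch_log_group.api.name
  kms_key_arn           = aws_kms_key.ecs.arn
  sqs_dlq_arn           = aws_sqs_queue.infra_dlq.arn

  # Private subnets behind a NAT gateway; no public IP on the tasks.
  subnet_ids               = local.private_subnet_ids
  security_group_ids       = [aws_security_group.api.id]
  fargate_assign_public_ip = false

  # The ALB target group is the only ingress path to the container.
  load_balancer_config = {
    http = {
      target_group_arn = aws_lb_target_group.api.arn
      container_port   = 8080
      container_name   = "application"
    }
  }

  # Plain values are readable in the task definition; anything sensitive
  # goes through task_definition_secrets and is resolved from SSM at start.
  task_definition_environment_variables = [
    { name = "APP_ENV", value = "production" },
  ]
  task_definition_secrets = [
    { name = "DATABASE_URL", valueFrom = aws_ssm_parameter.api_database_url.arn },
  ]

  healthcheck_command      = "curl -sf http://localhost:8080/healthz || exit 1"
  healthcheck_grace_period = 60

  desired_count        = 2
  min_number_of_tasks  = 2
  max_number_of_tasks  = 6
  force_new_deployment = false # let the deployment controller roll tasks gradually

  tags = local.tags
}
```

The execution role passed here must be allowed to read the SSM parameter named in `valueFrom` (and `kms:Decrypt` with the key if it is a SecureString); otherwise tasks never reach RUNNING and stop with a ResourceInitializationError.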
## Domain: ecs_service
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.1.0 |
| [aws](#requirement\_aws) | >=4.18.0 |
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >=4.18.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| [autoscaling](#module\_autoscaling) | ./autoscaling | n/a |
| [dns\_lambda](#module\_dns\_lambda) | ./fargate_dns_lambda | n/a |
| [task\_definition](#module\_task\_definition) | ../ecs_task_definition | n/a |
## Resources
| Name | Type |
|------|------|
| [aws_ecs_service.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) | resource |
| [aws_service_discovery_service.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/service_discovery_service) | resource |
| [aws_arn.ecs_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [capacity\_provider\_name](#input\_capacity\_provider\_name) | Capacity provider name which is always required if var.scheduling\_strategy is set to REPLICA. | `string` | n/a | yes |
| [cloudwatch\_group\_name](#input\_cloudwatch\_group\_name) | Cloudwatch log group name. | `string` | n/a | yes |
| [container\_name](#input\_container\_name) | Unique name for the container. | `string` | `"application"` | no |
| [desired\_count](#input\_desired\_count) | Desired count of instances to start. | `number` | `0` | no |
| [discovery\_service\_namespace\_id](#input\_discovery\_service\_namespace\_id) | Namespace ID of the service discovery (Cloud Map) namespace. The discovery service gets the same name as var.name unless var.disovery\_service\_name\_override is set. Requires Fargate and provides A records only. WARNING: enabling this on an existing ecs\_service has no effect; replace the service when you set it. | `string` | `null` | no |
| [disovery\_service\_name\_override](#input\_disovery\_service\_name\_override) | If var.discovery\_service\_namespace\_id is set then the servicename is equal to the application name if this value is not set. Otherwise this value prevails. | `string` | `null` | no |
| [docker\_image\_tag](#input\_docker\_image\_tag) | Docker image tag. | `string` | n/a | yes |
| [docker\_image\_url](#input\_docker\_image\_url) | Docker image URL without the tag component. | `string` | n/a | yes |
| [ecs\_cluster\_arn](#input\_ecs\_cluster\_arn) | ECS cluster ARN to attach service to. | `string` | n/a | yes |
| [execution\_role\_arn](#input\_execution\_role\_arn) | ARN of the execution role responsible for starting the container. Requires access to ECR and secrets (if used). | `string` | `null` | no |
| [extra\_container\_def\_string](#input\_extra\_container\_def\_string) | n/a | `string` | `""` | no |
| [fargate\_architecture](#input\_fargate\_architecture) | Fargate architecture, defaults to X86\_64. Can also be ARM64. | `string` | `"X86_64"` | no |
| [fargate\_assign\_public\_ip](#input\_fargate\_assign\_public\_ip) | Assign public IP if Fargate is used. | `bool` | `false` | no |
| [force\_new\_deployment](#input\_force\_new\_deployment) | Apply any changes immediately if a decision can be made. Recommended for testing environments but not for production. | `bool` | n/a | yes |
| [healthcheck\_command](#input\_healthcheck\_command) | If set then will use a command to check the container health. | `string` | `null` | no |
| [healthcheck\_grace\_period](#input\_healthcheck\_grace\_period) | Number of seconds to ignore failing tasks. This is needed for containers that take a long time to start and respond to healthchecks. | `number` | `0` | no |
| [hosted\_zone\_id](#input\_hosted\_zone\_id) | Optional Route 53 hosted zone ID; when set, the dns\_lambda keeps a DNS record pointing at the Fargate task. Requires Fargate and only works reliably with a single task, since the record follows one task's IP. | `string` | `null` | no |
| [kms\_key\_arn](#input\_kms\_key\_arn) | KMS key for at rest encryption purposes. | `string` | n/a | yes |
| [linux\_capabilities](#input\_linux\_capabilities) | Add additional capabilities to allow kernel access for e.g. OpenVPN servers. Requires EC2 launch, will not work with Fargate. | `list(string)` | `[]` | no |
| [linux\_expose\_devices](#input\_linux\_expose\_devices) | Expose certain kernel devices that are generally hidden to support e.g. OpenVPN servers. Requires EC2 launch, will not work with Fargate. | `list(string)` | `[]` | no |
| [load\_balancer\_config](#input\_load\_balancer\_config) | Load balancer configuration for target groups. container\_name is optional and is overwritten by var.name if not specified. | `map(object({ target_group_arn = string, container_port = number, container_name = string }))` | `{}` | no |
| [max\_number\_of\_tasks](#input\_max\_number\_of\_tasks) | Upper bound for autoscaling. Set to >1 to enable autoscaling with this value as the maximum; set to 0 or 1 to disable autoscaling and manage the number of tasks by hand in the web console. The initial task count is 0. | `number` | n/a | yes |
| [min\_number\_of\_tasks](#input\_min\_number\_of\_tasks) | Initial task amount is set to 0. | `number` | `0` | no |
| [name](#input\_name) | Unique name for the service within the ECS cluster. | `string` | n/a | yes |
| [scaling\_down\_cooldown](#input\_scaling\_down\_cooldown) | Amount of time, in seconds, after a scaling activity completes and before the next scaling activity can start when scaling down (aggressiveness). | `number` | `900` | no |
| [scaling\_down\_high](#input\_scaling\_down\_high) | Number of tasks to scale down by when upper bound is reached | `number` | `-3` | no |
| [scaling\_down\_low](#input\_scaling\_down\_low) | Number of tasks to scale down by when lower bound is reached | `number` | `-1` | no |
| [scaling\_up\_cooldown](#input\_scaling\_up\_cooldown) | Amount of time, in seconds, after a scaling activity completes and before the next scaling activity can start when scaling up (aggressiveness). | `number` | `300` | no |
| [scaling\_up\_high](#input\_scaling\_up\_high) | Number of tasks to scale up by when upper bound is reached | `number` | `5` | no |
| [scaling\_up\_low](#input\_scaling\_up\_low) | Number of tasks to scale up by when lower bound is reached | `number` | `3` | no |
| [scheduling\_strategy](#input\_scheduling\_strategy) | ECS scheduling strategy to use. | `string` | `"REPLICA"` | no |
| [security\_group\_ids](#input\_security\_group\_ids) | Security groups to assign. | `list(string)` | n/a | yes |
| [sqs\_dlq\_arn](#input\_sqs\_dlq\_arn) | SQS DLQ ARN to send failed infra events to. Currently only used for the DNS Fargate Lambda. | `string` | n/a | yes |
| [subnet\_ids](#input\_subnet\_ids) | Private subnets with a NAT gateway to route traffic for tasks. | `list(string)` | n/a | yes |
| [tags](#input\_tags) | Additional tags to be added to resources. | `map(string)` | `{}` | no |
| [task\_cpu\_units](#input\_task\_cpu\_units) | Required CPU units for the task (and Fargate instance). | `number` | n/a | yes |
| [task\_definition\_command](#input\_task\_definition\_command) | overriding docker command, skip to use image default command. | `list(string)` | `[]` | no |
| [task\_definition\_environment\_variables](#input\_task\_definition\_environment\_variables) | List of non-secret environment variables as name/value pairs. Values are stored in plaintext in the task definition, so put anything sensitive in var.task\_definition\_secrets instead. | `list(object({ name = string, value = string }))` | `[]` | no |
| [task\_definition\_secrets](#input\_task\_definition\_secrets) | List of secret environment variables. valueFrom is the ARN of the SSM parameter that holds the value; it is resolved at task start by the execution role, which therefore needs read access to it. | `list(object({ name = string, valueFrom = string }))` | `[]` | no |
| [task\_memory\_units](#input\_task\_memory\_units) | Required memory units for the task (and Fargate instance). | `number` | n/a | yes |
| [task\_role\_arn](#input\_task\_role\_arn) | ARN of the IAM role the container software assumes at runtime to call AWS APIs. The module attaches a policy with the SSM session permissions needed for ECS Exec (execute-command) to this role, so keep the rest of its permissions minimal. | `string` | n/a | yes |
| [threshold\_cpu\_high](#input\_threshold\_cpu\_high) | Threshold (percent CPU) for the high alarm that triggers upscaling. | `number` | `50` | no |
| [threshold\_cpu\_low](#input\_threshold\_cpu\_low) | Threshold (percent CPU) for the low alarm that triggers downscaling. | `number` | `20` | no |
## Outputs
| Name | Description |
|------|-------------|
| [ecs\_service\_arn](#output\_ecs\_service\_arn) | n/a |
| [ecs\_task\_definition\_arn](#output\_ecs\_task\_definition\_arn) | n/a |
## Domain: ecs_cluster
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.1.0 |
| [aws](#requirement\_aws) | >=4.18.0 |
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >=4.18.0 |
## Modules
No modules.
## Resources
| Name | Type |
|------|------|
| [aws_ecs_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster) | resource |
| [aws_iam_policy_document.instance_ecs_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [container\_insights](#input\_container\_insights) | Enable container insights. | `string` | `"enabled"` | no |
| [kms\_key\_arn](#input\_kms\_key\_arn) | KMS key ARN for CI encryption. | `string` | n/a | yes |
| [name](#input\_name) | Unique name for ECS cluster powered by Fargate. | `string` | n/a | yes |
| [tags](#input\_tags) | Additional tags to be added to resources. | `map(string)` | `{}` | no |
## Outputs
| Name | Description |
|------|-------------|
| [ec2\_instance\_role\_ecs\_policy](#output\_ec2\_instance\_role\_ecs\_policy) | n/a |
| [ecs\_cluster\_arn](#output\_ecs\_cluster\_arn) | n/a |
| [ecs\_cluster\_name](#output\_ecs\_cluster\_name) | n/a |
## Domain: ecs_fargate_capacity_provider
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.1.0 |
| [aws](#requirement\_aws) | >=4.18.0 |
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >=4.18.0 |
## Modules
No modules.
## Resources
| Name | Type |
|------|------|
| [aws_ecs_cluster_capacity_providers.fargate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster_capacity_providers) | resource |
| [aws_arn.ecs_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [ecs\_cluster\_arn](#input\_ecs\_cluster\_arn) | ARN of an existing ECS cluster where the capacity provider must be assigned to. This is a requirement in order to use a capacity provider in a service. | `string` | n/a | yes |
| [use\_spot](#input\_use\_spot) | Use the FARGATE\_SPOT capacity provider instead of on-demand FARGATE. Spot tasks can be interrupted by AWS with a two-minute warning, so only enable this for workloads that tolerate it. | `bool` | `false` | no |
## Outputs
| Name | Description |
|------|-------------|
| [capacity\_provider\_name](#output\_capacity\_provider\_name) | n/a |
## Domain: ecs_scheduled_task
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.1.0 |
| [aws](#requirement\_aws) | >=4.18.0 |
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >=4.18.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| [eventbridge\_role](#module\_eventbridge\_role) | git@github.com:TechNative-B-V/modules-aws.git//identity_and_access_management/iam_role | e3c1a1f94ffa77c5f787d44ec98e2028c824220a |
| [task\_definition](#module\_task\_definition) | ../ecs_task_definition | n/a |
## Resources
| Name | Type |
|------|------|
| [aws_cloudwatch_event_target.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
| [aws_arn.ecs_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_iam_policy_document.passrole](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.runtask](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [cloudwatch\_group\_name](#input\_cloudwatch\_group\_name) | Cloudwatch log group name. | `string` | n/a | yes |
| [docker\_image\_tag](#input\_docker\_image\_tag) | Docker image tag. | `string` | n/a | yes |
| [docker\_image\_url](#input\_docker\_image\_url) | Docker image URL without the tag component. | `string` | n/a | yes |
| [ecs\_cluster\_arn](#input\_ecs\_cluster\_arn) | ECS cluster ARN to attach service to. | `string` | n/a | yes |
| [eventbridge\_event\_rule\_name](#input\_eventbridge\_event\_rule\_name) | Name of the EventBridge rule whose target runs this task. | `string` | `null` | no |
| [execution\_role\_arn](#input\_execution\_role\_arn) | ARN of the execution role responsible for starting the container. Requires access to ECR and secrets (if used). | `string` | `null` | no |
| [fargate\_architecture](#input\_fargate\_architecture) | Fargate architecture, defaults to X86\_64. Can also be ARM64. | `string` | `"X86_64"` | no |
| [fargate\_assign\_public\_ip](#input\_fargate\_assign\_public\_ip) | Assign public IP if Fargate is used. | `bool` | `false` | no |
| [healthcheck\_command](#input\_healthcheck\_command) | If set then will use a command to check the container health. | `string` | `null` | no |
| [linux\_capabilities](#input\_linux\_capabilities) | Add additional capabilities to allow kernel access for e.g. OpenVPN servers. Requires EC2 launch, will not work with Fargate. | `list(string)` | `[]` | no |
| [linux\_expose\_devices](#input\_linux\_expose\_devices) | Expose certain kernel devices that are generally hidden to support e.g. OpenVPN servers. Requires EC2 launch, will not work with Fargate. | `list(string)` | `[]` | no |
| [name](#input\_name) | Unique name for the service within the ECS cluster. | `string` | n/a | yes |
| [security\_group\_ids](#input\_security\_group\_ids) | Security groups to assign. | `list(string)` | n/a | yes |
| [sqs\_dlq\_arn](#input\_sqs\_dlq\_arn) | SQS DLQ ARN to send failed infra events to. Currently only used for the DNS Fargate Lambda. | `string` | n/a | yes |
| [subnet\_ids](#input\_subnet\_ids) | Private subnets with a NAT gateway to route traffic for tasks. | `list(string)` | n/a | yes |
| [tags](#input\_tags) | Additional tags to be added to resources. | `map(string)` | `{}` | no |
| [task\_cpu\_units](#input\_task\_cpu\_units) | Required CPU units for the task (and Fargate instance). | `number` | n/a | yes |
| [task\_definition\_command](#input\_task\_definition\_command) | overriding docker command, skip to use image default command. | `list(string)` | `[]` | no |
| [task\_definition\_environment\_variables](#input\_task\_definition\_environment\_variables) | List of non-secret environment variables as name/value pairs. Values are stored in plaintext in the task definition, so put anything sensitive in var.task\_definition\_secrets instead. | `list(object({ name = string, value = string }))` | `[]` | no |
| [task\_definition\_secrets](#input\_task\_definition\_secrets) | List of secret environment variables. valueFrom is the ARN of the SSM parameter that holds the value; it is resolved at task start by the execution role, which therefore needs read access to it. | `list(object({ name = string, valueFrom = string }))` | `[]` | no |
| [task\_memory\_units](#input\_task\_memory\_units) | Required memory units for the task (and Fargate instance). | `number` | n/a | yes |
| [task\_role\_arn](#input\_task\_role\_arn) | ARN of the IAM role the container software assumes at runtime to call AWS APIs. The module attaches a policy with the SSM session permissions needed for ECS Exec (execute-command) to this role, so keep the rest of its permissions minimal. | `string` | n/a | yes |
## Outputs
No outputs.
## Domain: ecs_task_definition
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.1.0 |
| [aws](#requirement\_aws) | >=4.18.0 |
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >=4.18.0 |
## Modules
No modules.
## Resources
| Name | Type |
|------|------|
| [aws_ecs_task_definition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) | resource |
| [aws_iam_policy.ssm_session](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role_policy_attachment.ssm_session](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_policy_document.ssm_session](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [cloudwatch\_group\_name](#input\_cloudwatch\_group\_name) | Cloudwatch log group name. | `string` | n/a | yes |
| [command](#input\_command) | If set then will use a command to override the image command. Format as list with command arguments. E.g. ["bundle", "exec", "rails", "s"] | `list(string)` | `[]` | no |
| [container\_name](#input\_container\_name) | Unique name for the task container. | `string` | `"application"` | no |
| [docker\_image\_tag](#input\_docker\_image\_tag) | Docker image tag. | `string` | n/a | yes |
| [docker\_image\_url](#input\_docker\_image\_url) | Docker image URL without the tag component. | `string` | n/a | yes |
| [execution\_role\_arn](#input\_execution\_role\_arn) | ARN of the execution role responsible for starting the container. Requires access to ECR and secrets (if used). | `string` | `null` | no |
| [extra\_container\_def\_string](#input\_extra\_container\_def\_string) | n/a | `string` | `""` | no |
| [fargate\_architecture](#input\_fargate\_architecture) | Fargate architecture, defaults to X86\_64. Can also be ARM64. | `string` | `"X86_64"` | no |
| [healthcheck\_command](#input\_healthcheck\_command) | If set then will use a command to check the container health. | `string` | `null` | no |
| [linux\_capabilities](#input\_linux\_capabilities) | Add additional capabilities to allow kernel access for e.g. OpenVPN servers. | `list(string)` | `[]` | no |
| [linux\_expose\_devices](#input\_linux\_expose\_devices) | Expose certain kernel devices that are generally hidden to support e.g. OpenVPN servers. | `list(string)` | `[]` | no |
| [load\_balancer\_config](#input\_load\_balancer\_config) | Load balancer configuration for target groups. container\_name is optional and is overwritten by var.name if not specified. | `map(object({ target_group_arn = string, container_port = number, container_name = string }))` | `{}` | no |
| [name](#input\_name) | Unique name for the task definition. | `string` | n/a | yes |
| [tags](#input\_tags) | Additional tags to be added to resources. | `map(string)` | `{}` | no |
| [task\_cpu\_units](#input\_task\_cpu\_units) | Required CPU units for the task (and Fargate instance). | `number` | n/a | yes |
| [task\_definition\_environment\_variables](#input\_task\_definition\_environment\_variables) | List of non-secret environment variables as name/value pairs. Values are stored in plaintext in the task definition, so put anything sensitive in var.task\_definition\_secrets instead. | `list(object({ name = string, value = string }))` | `[]` | no |
| [task\_definition\_secrets](#input\_task\_definition\_secrets) | List of secret environment variables. valueFrom is the ARN of the SSM parameter that holds the value; it is resolved at task start by the execution role, which therefore needs read access to it. | `list(object({ name = string, valueFrom = string }))` | `[]` | no |
| [task\_memory\_units](#input\_task\_memory\_units) | Required memory units for the task (and Fargate instance). | `number` | n/a | yes |
| [task\_role\_arn](#input\_task\_role\_arn) | ARN of the IAM role the container software assumes at runtime to call AWS APIs. The module attaches a policy with the SSM session permissions needed for ECS Exec (execute-command) to this role, so keep the rest of its permissions minimal. | `string` | n/a | yes |
| [use\_fargate](#input\_use\_fargate) | Enable Fargate containers. | `bool` | n/a | yes |
## Outputs
| Name | Description |
|------|-------------|
| [task\_definition\_arn](#output\_task\_definition\_arn) | n/a |
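The task definition inputs above say the execution role "requires access to ECR and secrets (if used)" but do not show what that role should look like. The following is an added example of a least-privilege execution role to pass as `execution_role_arn`; it is not code from the module. It assumes the ECR repository `aws_ecr_repository.api`, log group `aws_cloudwatch_log_group.api` and KMS key `aws_kms_key.ecs` exist in the same configuration, that the service's secrets live under the SSM path `/app/api/`, and uses the placeholder account 123456789012 in eu-west-1.

```hcl
# Added example (not from the module). Placeholder account and region; the ECR
# repository, log group and KMS key are assumed to exist in this configuration.

locals {
  account_id = "123456789012"
  region     = "eu-west-1"
}

# Who may assume the role: only the ECS tasks service, and only for tasks in
# this account (aws:SourceAccount closes the cross-account confused-deputy case).
data "aws_iam_policy_document" "api_execution_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [local.account_id]
    }
  }
}

data "aws_iam_policy_document" "api_execution" {
  # GetAuthorizationToken only works on "*"; every other ECR call is scoped
  # to the single repository this task pulls from.
  statement {
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }
  statement {
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
    ]
    resources = [aws_ecr_repository.api.arn]
  }

  # valueFrom secrets: only the parameters under this service's path, plus
  # the key that encrypts them (needed for SecureString parameters).
  statement {
    actions   = ["ssm:GetParameters"]
    resources = ["arn:aws:ssm:${local.region}:${local.account_id}:parameter/app/api/*"]
  }
  statement {
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.ecs.arn]
  }

  # Logs: the one group passed as cloudwatch_group_name, not logs on "*".
  statement {
    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = [
      aws_cloudwatch_log_group.api.arn,
      "${aws_cloudwatch_log_group.api.arn}:*",
    ]
  }
}

resource "aws_iam_role" "api_execution" {
  name               = "api-execution"
  assume_role_policy = data.aws_iam_policy_document.api_execution_assume.json
}

resource "aws_iam_role_policy" "api_execution" {
  name   = "api-execution"
  role   = aws_iam_role.api_execution.id
  policy = data.aws_iam_policy_document.api_execution.json
}

# A secret under the path the policy allows; reference its ARN in
# task_definition_secrets as valueFrom. The value comes from a variable,
# never from a literal in source control.
resource "aws_ssm_parameter" "api_database_url" {
  name   = "/app/api/database_url"
  type   = "SecureString"
  key_id = aws_kms_key.ecs.key_id
  value  = var.api_database_url
}
```

Compared with the managed AmazonECSTaskExecutionRolePolicy, which grants the ECR pull and CloudWatch Logs actions on every resource in the account, this role can only pull one repository, read one parameter path and write one log group; a compromised task definition or a PassRole misuse therefore cannot turn the execution role into a reader of other services' secrets.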
## Domain: ecs_account_settings
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.1.0 |
| [aws](#requirement\_aws) | >=4.18.0 |
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >=4.18.0 |
## Modules
No modules.
## Resources
| Name | Type |
|------|------|
| [aws_ecs_account_setting_default.aws_vpc_trunking](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_account_setting_default) | resource |
| [aws_ecs_account_setting_default.container_insights](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_account_setting_default) | resource |
| [aws_ecs_account_setting_default.container_instance_long_arn_format](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_account_setting_default) | resource |
| [aws_ecs_account_setting_default.service_long_arn_format](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_account_setting_default) | resource |
| [aws_ecs_account_setting_default.task_long_arn_format](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_account_setting_default) | resource |
## Inputs
No inputs.
## Outputs
No outputs.
## Domain: ecs_default_service_linked_role
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.1.0 |
| [aws](#requirement\_aws) | >=4.18.0 |
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >=4.18.0 |
## Modules
No modules.
## Resources
| Name | Type |
|------|------|
| [aws_iam_service_linked_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_service_linked_role) | resource |
## Inputs
No inputs.
## Outputs
No outputs.