Skip to content
Switch branches/tags


Latest Release Slack Community


Cloud Posse

Terraform module to generate well-formed JSON documents that are passed to the aws_ecs_task_definition Terraform resource as container definitions.

This project is part of our comprehensive "SweetOps" approach towards DevOps.

Terraform Open Source Modules

It's 100% Open Source and licensed under the APACHE2.

We literally have hundreds of terraform modules that are Open Source and well-maintained. Check them out!

Security & Compliance

Security scanning is graciously provided by Bridgecrew. Bridgecrew is the leading fully hosted, cloud-native solution providing continuous Terraform security and compliance.

Benchmark Description
Infrastructure Security Infrastructure Security Compliance
CIS KUBERNETES Center for Internet Security, KUBERNETES Compliance
CIS AWS Center for Internet Security, AWS Compliance
CIS AZURE Center for Internet Security, AZURE Compliance
PCI-DSS Payment Card Industry Data Security Standards Compliance
NIST-800-53 National Institute of Standards and Technology Compliance
ISO27001 Information Security Management System, ISO/IEC 27001 Compliance
SOC2 Service Organization Control 2 Compliance
CIS GCP Center for Internet Security, GCP Compliance
HIPAA Health Insurance Portability and Accountability Compliance


IMPORTANT: We do not pin modules to versions in our examples because of the difficulty of keeping the versions in the documentation in sync with the latest released versions. We highly recommend that in your code you pin the version to the exact version you are using so that your infrastructure remains stable, and update versions in a systematic way so that they do not catch you by surprise.

Also, because of a bug in the Terraform registry (hashicorp/terraform#21417), the registry shows many of our inputs as required when in fact they are optional. The table below correctly indicates which inputs are required.

This module is meant to be used as output only, meaning it will be used to create outputs which are consumed as a parameter by Terraform resources or other modules.

Caution: This module, unlike nearly all other Cloud Posse Terraform modules, does not use terraform-null-label. Furthermore, it has an input named environment which has a completely different meaning than the one in terraform-null-label. Do not call this module with the conventional context = module.this.context. See the documentation below for the usage of environment.

For complete examples, see

For a complete example with automated tests, see examples/complete with bats and Terratest for the example test.

module "container_definition" {
  source = "cloudposse/ecs-container-definition/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"

  container_name  = "geodesic"
  container_image = "cloudposse/geodesic"

The output of this module can then be used with one of our other modules.

module "ecs_alb_service_task" {
  source = "cloudposse/ecs-alb-service-task/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"

  # ...
  container_definition_json = module.container_definition.json_map_encoded_list
  # ...

Makefile Targets

Available targets:

  help                                Help screen
  help/all                            Display help for all targets
  help/short                          This help short screen
  lint                                Lint terraform code


Name Version
terraform >= 0.13.0
local >= 1.2


No providers.


No modules.


No resources.


Name Description Type Default Required
command The command that is passed to the container list(string) null no
container_cpu The number of cpu units to reserve for the container. This is optional for tasks using Fargate launch type and the total amount of container_cpu of all containers in a task will need to be lower than the task-level cpu value number 0 no
container_definition Container definition overrides which allows for extra keys or overriding existing keys. map(any) {} no
container_depends_on The dependencies defined for container startup and shutdown. A container can contain multiple dependencies. When a dependency is defined for container startup, for container shutdown it is reversed. The condition can be one of START, COMPLETE, SUCCESS or HEALTHY
containerName = string
condition = string
null no
container_image The image used to start the container. Images in the Docker Hub registry available by default string n/a yes
container_memory The amount of memory (in MiB) to allow the container to use. This is a hard limit, if the container attempts to exceed the container_memory, the container is killed. This field is optional for Fargate launch type and the total amount of container_memory of all containers in a task will need to be lower than the task memory value number null no
container_memory_reservation The amount of memory (in MiB) to reserve for the container. If container needs to exceed this threshold, it can do so up to the set container_memory hard limit number null no
container_name The name of the container. Up to 255 characters ([a-z], [A-Z], [0-9], -, _ allowed) string n/a yes
disable_networking When this parameter is true, networking is disabled within the container. bool null no
dns_search_domains Container DNS search domains. A list of DNS search domains that are presented to the container list(string) null no
dns_servers Container DNS servers. This is a list of strings specifying the IP addresses of the DNS servers list(string) null no
docker_labels The configuration options to send to the docker_labels map(string) null no
docker_security_options A list of strings to provide custom labels for SELinux and AppArmor multi-level security systems. list(string) null no
entrypoint The entry point that is passed to the container list(string) null no
environment The environment variables to pass to the container. This is a list of maps. map_environment overrides environment
name = string
value = string
[] no
environment_files One or more files containing the environment variables to pass to the container. This maps to the --env-file option to docker run. The file must be hosted in Amazon S3. This option is only available to tasks using the EC2 launch type. This is a list of maps
value = string
type = string
null no
essential Determines whether all other containers in a task are stopped, if this container fails or stops for any reason. Due to how Terraform type casts booleans in json it is required to double quote this value bool true no
extra_hosts A list of hostnames and IP address mappings to append to the /etc/hosts file on the container. This is a list of maps
ipAddress = string
hostname = string
null no
firelens_configuration The FireLens configuration for the container. This is used to specify and configure a log router for container logs. For more details, see
type = string
options = map(string)
null no
healthcheck A map containing command (string), timeout, interval (duration in seconds), retries (1-10, number of times to retry before marking container unhealthy), and startPeriod (0-300, optional grace period to wait, in seconds, before failed healthchecks count toward retries)
command = list(string)
retries = number
timeout = number
interval = number
startPeriod = number
null no
hostname The hostname to use for your container. string null no
interactive When this parameter is true, this allows you to deploy containerized applications that require stdin or a tty to be allocated. bool null no
links List of container names this container can communicate with without port mappings list(string) null no
linux_parameters Linux-specific modifications that are applied to the container, such as Linux kernel capabilities. For more details, see
capabilities = object({
add = list(string)
drop = list(string)
devices = list(object({
containerPath = string
hostPath = string
permissions = list(string)
initProcessEnabled = bool
maxSwap = number
sharedMemorySize = number
swappiness = number
tmpfs = list(object({
containerPath = string
mountOptions = list(string)
size = number
null no
log_configuration Log configuration options to send to a custom log driver for the container. For more details, see any null no
map_environment The environment variables to pass to the container. This is a map of string: {key: value}. map_environment overrides environment map(string) null no
map_secrets The secrets variables to pass to the container. This is a map of string: {key: value}. map_secrets overrides secrets map(string) null no
mount_points Container mount points. This is a list of maps, where each map should contain containerPath, sourceVolume and readOnly
containerPath = string
sourceVolume = string
readOnly = bool
[] no
port_mappings The port mappings to configure for the container. This is a list of maps. Each map should contain "containerPort", "hostPort", and "protocol", where "protocol" is one of "tcp" or "udp". If using containers in a task with the awsvpc or host network mode, the hostPort can either be left blank or set to the same value as the containerPort
containerPort = number
hostPort = number
protocol = string
[] no
privileged When this variable is true, the container is given elevated privileges on the host container instance (similar to the root user). This parameter is not supported for Windows containers or tasks using the Fargate launch type. bool null no
pseudo_terminal When this parameter is true, a TTY is allocated. bool null no
readonly_root_filesystem Determines whether a container is given read-only access to its root filesystem. Due to how Terraform type casts booleans in json it is required to double quote this value bool false no
repository_credentials Container repository credentials; required when using a private repo. This map currently supports a single key; "credentialsParameter", which should be the ARN of a Secrets Manager's secret holding the credentials map(string) null no
resource_requirements The type and amount of a resource to assign to a container. The only supported resource is a GPU.
type = string
value = string
null no
secrets The secrets to pass to the container. This is a list of maps
name = string
valueFrom = string
[] no
start_timeout Time duration (in seconds) to wait before giving up on resolving dependencies for a container number null no
stop_timeout Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own number null no
system_controls A list of namespaced kernel parameters to set in the container, mapping to the --sysctl option to docker run. This is a list of maps: { namespace = "", value = ""} list(map(string)) null no
ulimits Container ulimit settings. This is a list of maps, where each map should contain "name", "hardLimit" and "softLimit"
name = string
hardLimit = number
softLimit = number
null no
user The user to run as inside the container. Can be any of these formats: user, user:group, uid, uid:gid, user:gid, uid:group. The default (null) will use the container's configured USER directive or root if not set. string null no
volumes_from A list of VolumesFrom maps which contain "sourceContainer" (name of the container that has the volumes to mount) and "readOnly" (whether the container can write to the volume)
sourceContainer = string
readOnly = bool
[] no
working_directory The working directory to run commands inside the container string null no


Name Description
json_map_encoded JSON string encoded container definitions for use with other terraform resources such as aws_ecs_task_definition
json_map_encoded_list JSON string encoded list of container definitions for use with other terraform resources such as aws_ecs_task_definition
json_map_object JSON map encoded container definition
sensitive_json_map_encoded JSON string encoded container definitions for use with other terraform resources such as aws_ecs_task_definition (sensitive)
sensitive_json_map_encoded_list JSON string encoded list of container definitions for use with other terraform resources such as aws_ecs_task_definition (sensitive)
sensitive_json_map_object JSON map encoded container definition (sensitive)

Share the Love

Like this project? Please give it a ★ on our GitHub! (it helps us a lot)

Are you using this project or any of our other projects? Consider leaving a testimonial. =)

Related Projects

Check out these related projects.


Got a question? We got answers.

File a GitHub issue, send us an email or join our Slack Community.

README Commercial Support

DevOps Accelerator for Startups

We are a DevOps Accelerator. We'll help you build your cloud infrastructure from the ground up so you can own it. Then we'll show you how to operate it and stick around for as long as you need us.

Learn More

Work directly with our team of DevOps experts via email, slack, and video conferencing.

We deliver 10x the value for a fraction of the cost of a full-time engineer. Our track record is not even funny. If you want things done right and you need it done FAST, then we're your best bet.

  • Reference Architecture. You'll get everything you need from the ground up built using 100% infrastructure as code.
  • Release Engineering. You'll have end-to-end CI/CD with unlimited staging environments.
  • Site Reliability Engineering. You'll have total visibility into your apps and microservices.
  • Security Baseline. You'll have built-in governance with accountability and audit logs for all changes.
  • GitOps. You'll be able to operate your infrastructure via Pull Requests.
  • Training. You'll receive hands-on training so your team can operate what we build.
  • Questions. You'll have a direct line of communication between our teams via a Shared Slack channel.
  • Troubleshooting. You'll get help to triage when things aren't working.
  • Code Reviews. You'll receive constructive feedback on Pull Requests.
  • Bug Fixes. We'll rapidly work with you to fix any bugs in our projects.

Slack Community

Join our Open Source Community on Slack. It's FREE for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally sweet infrastructure.

Discourse Forums

Participate in our Discourse Forums. Here you'll find answers to commonly asked questions. Most questions will be related to the enormous number of projects we support on our GitHub. Come here to collaborate on answers, find solutions, and get ideas about the products and services we value. It only takes a minute to get started! Just sign in with SSO using your GitHub account.


Sign up for our newsletter that covers everything on our technology radar. Receive updates on what we're up to on GitHub as well as awesome new projects we discover.

Office Hours

Join us every Wednesday via Zoom for our weekly "Lunch & Learn" sessions. It's FREE for everyone!



Bug Reports & Feature Requests

Please use the issue tracker to report any bugs or file feature requests.


If you are interested in being a contributor and want to get involved in developing this project or help out with our other projects, we would love to hear from you! Shoot us an email.

In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

  1. Fork the repo on GitHub
  2. Clone the project to your own machine
  3. Commit changes to your own branch
  4. Push your work back up to your fork
  5. Submit a Pull Request so that we can review your changes

NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!


Copyright © 2017-2021 Cloud Posse, LLC



See LICENSE for full details.

Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements.  See the NOTICE file
distributed with this work for additional information
regarding copyright ownership.  The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License.  You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
KIND, either express or implied.  See the License for the
specific language governing permissions and limitations
under the License.


All other trademarks referenced herein are the property of their respective owners.


This project is maintained and funded by Cloud Posse, LLC. Like it? Please let us know by leaving a testimonial!

Cloud Posse

We're a DevOps Professional Services company based in Los Angeles, CA. We ❤️ Open Source Software.

We offer paid support on all of our projects.

Check out our other projects, follow us on twitter, apply for a job, or hire us to help with your cloud strategy and implementation.


Erik Osterman
Erik Osterman
Sarkis Varozian
Sarkis Varozian
Andriy Knysh
Andriy Knysh
Igor Rodionov
Igor Rodionov
Yonatan Koren
Yonatan Koren

README Footer Beacon