terraform-aws-ecs-web-app

A Terraform module which implements a web app on ECS and supporting AWS resources.

Tip

👽 Use Atmos with Terraform

Cloud Posse uses atmos to easily orchestrate multiple environments using Terraform.
Works with Github Actions, Atlantis, or Spacelift.

Watch demo of using Atmos with Terraform

Example of running atmos to manage infrastructure from our Quick Start tutorial.

Usage

For a complete example, see examples/complete.

For automated tests of the complete example using bats and Terratest (which test and deploy the example on AWS), see test.

Other examples:

• without authentication - without authentication
• with Google OIDC authentication - with Google OIDC authentication
• with Cognito authentication - with Cognito authentication

module "default_backend_web_app" {
  source = "cloudposse/ecs-web-app/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version     = "x.x.x"
  namespace                                       = "eg"
  stage                                           = "testing"
  name                                            = "appname"
  vpc_id                                          = module.vpc.vpc_id
  alb_ingress_unauthenticated_listener_arns       = module.alb.listener_arns
  alb_ingress_unauthenticated_listener_arns_count = 1
  aws_logs_region                                 = "us-east-2"
  ecs_cluster_arn                                 = aws_ecs_cluster.default.arn
  ecs_cluster_name                                = aws_ecs_cluster.default.name
  ecs_security_group_ids                          = [module.vpc.vpc_default_security_group_id]
  ecs_private_subnet_ids                          = module.subnets.private_subnet_ids
  alb_ingress_healthcheck_path                    = "/healthz"
  alb_ingress_unauthenticated_paths               = ["/*"]
  codepipeline_enabled                            = false

  container_environment = [
    {
      name = "COOKIE"
      value = "cookiemonster"
    },
    {
      name = "PORT"
      value = "80"
    }
  ]
}

Important

In Cloud Posse's examples, we avoid pinning modules to specific versions to prevent discrepancies between the documentation and the latest released versions. However, for your own projects, we strongly advise pinning each module to the exact version you're using. This practice ensures the stability of your infrastructure. Additionally, we recommend implementing a systematic approach for updating versions to avoid unexpected changes.

Makefile Targets

Available targets:

  help                                Help screen
  help/all                            Display help for all targets
  help/short                          This help short screen
  lint                                Lint terraform code

Requirements

Name	Version
terraform	>= 0.13.0
aws	>= 3.34, < 5.0

Providers

Name	Version
aws	>= 3.34, < 5.0

Modules

Name	Source	Version
alb_ingress	cloudposse/alb-ingress/aws	0.26.0
alb_target_group_cloudwatch_sns_alarms	cloudposse/alb-target-group-cloudwatch-sns-alarms/aws	0.17.0
container_definition	cloudposse/ecs-container-definition/aws	0.58.1
ecr	cloudposse/ecr/aws	0.41.0
ecs_alb_service_task	cloudposse/ecs-alb-service-task/aws	0.64.1
ecs_cloudwatch_autoscaling	cloudposse/ecs-cloudwatch-autoscaling/aws	0.7.3
ecs_cloudwatch_sns_alarms	cloudposse/ecs-cloudwatch-sns-alarms/aws	0.12.2
ecs_codepipeline	cloudposse/ecs-codepipeline/aws	0.33.0
this	cloudposse/label/null	0.25.0

Resources

Name	Type
aws_cloudwatch_log_group.app	resource
aws_region.current	data source

Inputs

Name	Description	Type	Default	Required
additional_tag_map	Additional key-value pairs to add to each map in tags_as_list_of_maps. Not added to tags or id. This is for some rare cases where resources want additional configuration of tags and therefore take a list of maps with tag key, value, and additional configuration.	map(string)	{}	no
alb_arn_suffix	ARN suffix of the ALB for the Target Group	string	""	no
alb_container_name	The name of the container to associate with the ALB. If not provided, the generated container will be used	string	null	no
alb_ingress_authenticated_hosts	Authenticated hosts to match in Hosts header	list(string)	[]	no
alb_ingress_authenticated_listener_arns	A list of authenticated ALB listener ARNs to attach ALB listener rules to	list(string)	[]	no
alb_ingress_authenticated_listener_arns_count	The number of authenticated ARNs in alb_ingress_authenticated_listener_arns. This is necessary to work around a limitation in Terraform where counts cannot be computed	number	0	no
alb_ingress_authenticated_paths	Authenticated path pattern to match (a maximum of 1 can be defined)	list(string)	[]	no
alb_ingress_enable_default_target_group	If true, create a default target group for the ALB ingress	bool	true	no
alb_ingress_health_check_healthy_threshold	The number of consecutive health checks successes required before healthy	number	2	no
alb_ingress_health_check_interval	The duration in seconds in between health checks	number	15	no
alb_ingress_health_check_matcher	The HTTP response codes to indicate a healthy check	string	"200-399"	no
alb_ingress_health_check_timeout	The amount of time to wait in seconds before failing a health check request	number	10	no
alb_ingress_health_check_unhealthy_threshold	The number of consecutive health check failures required before unhealthy	number	2	no
alb_ingress_healthcheck_path	The path of the healthcheck which the ALB checks	string	"/"	no
alb_ingress_healthcheck_protocol	The protocol to use to connect with the target. Defaults to HTTP. Not applicable when target_type is lambda	string	"HTTP"	no
alb_ingress_listener_authenticated_priority	The priority for the rules with authentication, between 1 and 50000 (1 being highest priority). Must be different from alb_ingress_listener_unauthenticated_priority since a listener can't have multiple rules with the same priority	number	300	no
alb_ingress_listener_unauthenticated_priority	The priority for the rules without authentication, between 1 and 50000 (1 being highest priority). Must be different from alb_ingress_listener_authenticated_priority since a listener can't have multiple rules with the same priority	number	1000	no
alb_ingress_load_balancing_algorithm_type	Determines how the load balancer selects targets when routing requests. Only applicable for Application Load Balancer Target Groups. The value is round_robin or least_outstanding_requests. The default is round_robin.	string	"round_robin"	no
alb_ingress_protocol	The protocol for the created ALB target group (if target_group_arn is not set). One of HTTP, HTTPS. Defaults to HTTP.	string	"HTTP"	no
alb_ingress_protocol_version	The protocol version. One of HTTP1, HTTP2, GRPC. Only applicable when protocol is HTTP or HTTPS. Specify GRPC to send requests to targets using gRPC. Specify HTTP2 to send requests to targets using HTTP/2. The default is HTTP1, which sends requests to targets using HTTP/1.1	string	"HTTP1"	no
alb_ingress_target_group_arn	Existing ALB target group ARN. If provided, set alb_ingress_enable_default_target_group to false to disable creation of the default target group	string	""	no
alb_ingress_unauthenticated_hosts	Unauthenticated hosts to match in Hosts header	list(string)	[]	no
alb_ingress_unauthenticated_listener_arns	A list of unauthenticated ALB listener ARNs to attach ALB listener rules to	list(string)	[]	no
alb_ingress_unauthenticated_listener_arns_count	The number of unauthenticated ARNs in alb_ingress_unauthenticated_listener_arns. This is necessary to work around a limitation in Terraform where counts cannot be computed	number	0	no
alb_ingress_unauthenticated_paths	Unauthenticated path pattern to match (a maximum of 1 can be defined)	list(string)	[]	no
alb_security_group	Security group of the ALB	string	n/a	yes
alb_stickiness_cookie_duration	The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds)	number	86400	no
alb_stickiness_enabled	Boolean to enable / disable stickiness. Default is true	bool	true	no
alb_stickiness_type	The type of sticky sessions. The only current possible value is lb_cookie	string	"lb_cookie"	no
alb_target_group_alarms_3xx_threshold	The maximum number of 3XX HTTPCodes in a given period for ECS Service	number	25	no
alb_target_group_alarms_4xx_threshold	The maximum number of 4XX HTTPCodes in a given period for ECS Service	number	25	no
alb_target_group_alarms_5xx_threshold	The maximum number of 5XX HTTPCodes in a given period for ECS Service	number	25	no
alb_target_group_alarms_alarm_actions	A list of ARNs (i.e. SNS Topic ARN) to execute when ALB Target Group alarms transition into an ALARM state from any other state	list(string)	[]	no
alb_target_group_alarms_enabled	A boolean to enable/disable CloudWatch Alarms for ALB Target metrics	bool	false	no
alb_target_group_alarms_evaluation_periods	The number of periods to analyze for ALB CloudWatch Alarms	number	1	no
alb_target_group_alarms_insufficient_data_actions	A list of ARNs (i.e. SNS Topic ARN) to execute when ALB Target Group alarms transition into an INSUFFICIENT_DATA state from any other state	list(string)	[]	no
alb_target_group_alarms_ok_actions	A list of ARNs (i.e. SNS Topic ARN) to execute when ALB Target Group alarms transition into an OK state from any other state	list(string)	[]	no
alb_target_group_alarms_period	The period (in seconds) to analyze for ALB CloudWatch Alarms	number	300	no
alb_target_group_alarms_response_time_threshold	The maximum ALB Target Group response time	number	0.5	no
assign_public_ip	Assign a public IP address to the ENI (Fargate launch type only). Valid values are true or false. Default false	bool	false	no
attributes	ID element. Additional attributes (e.g. workers or cluster) to add to id, in the order they appear in the list. New attributes are appended to the end of the list. The elements of the list are joined by the delimiter and treated as a single ID element.	list(string)	[]	no
authentication_cognito_scope	Cognito scope, which should be a space separated string of requested scopes (see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims)	string	null	no
authentication_cognito_user_pool_arn	Cognito User Pool ARN	string	""	no
authentication_cognito_user_pool_client_id	Cognito User Pool Client ID	string	""	no
authentication_cognito_user_pool_domain	Cognito User Pool Domain. The User Pool Domain should be set to the domain prefix (xxx) instead of full domain (https://xxx.auth.us-west-2.amazoncognito.com)	string	""	no
authentication_oidc_authorization_endpoint	OIDC Authorization Endpoint	string	""	no
authentication_oidc_client_id	OIDC Client ID	string	""	no
authentication_oidc_client_secret	OIDC Client Secret	string	""	no
authentication_oidc_issuer	OIDC Issuer	string	""	no
authentication_oidc_scope	OIDC scope, which should be a space separated string of requested scopes (see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims, and https://developers.google.com/identity/protocols/oauth2/openid-connect#scope-param for an example set of scopes when using Google as the IdP)	string	null	no
authentication_oidc_token_endpoint	OIDC Token Endpoint	string	""	no
authentication_oidc_user_info_endpoint	OIDC User Info Endpoint	string	""	no
authentication_type	Authentication type. Supported values are COGNITO and OIDC	string	""	no
autoscaling_dimension	Dimension to autoscale on (valid options: cpu, memory)	string	"memory"	no
autoscaling_enabled	A boolean to enable/disable Autoscaling policy for ECS Service	bool	false	no
autoscaling_max_capacity	Maximum number of running instances of a Service	number	2	no
autoscaling_min_capacity	Minimum number of running instances of a Service	number	1	no
autoscaling_scale_down_adjustment	Scaling adjustment to make during scale down event	number	-1	no
autoscaling_scale_down_cooldown	Period (in seconds) to wait between scale down events	number	300	no
autoscaling_scale_up_adjustment	Scaling adjustment to make during scale up event	number	1	no
autoscaling_scale_up_cooldown	Period (in seconds) to wait between scale up events	number	60	no
aws_logs_prefix	Custom AWS Logs prefix. If empty name from label module will be used	string	""	no
aws_logs_region	The region for the AWS Cloudwatch Logs group	string	null	no
badge_enabled	Generates a publicly-accessible URL for the projects build badge. Available as badge_url attribute when enabled	bool	false	no
branch	Branch of the GitHub repository, e.g. master	string	""	no
build_environment_variables	A list of maps, that contain the keys 'name', 'value', and 'type' to be used as additional environment variables for the build. Valid types are 'PLAINTEXT', 'PARAMETER_STORE', or 'SECRETS_MANAGER'	list(object( { name = string value = string type = string }))	[]	no
build_image	Docker image for build environment, e.g. aws/codebuild/docker:docker:17.09.0	string	"aws/codebuild/docker:17.09.0"	no
build_timeout	How long in minutes, from 5 to 480 (8 hours), for AWS CodeBuild to wait until timing out any related build that does not get marked as completed	number	60	no
buildspec	Declaration to use for building the project. For more info	string	""	no
capacity_provider_strategies	The capacity provider strategies to use for the service. See capacity_provider_strategy configuration block: https://www.terraform.io/docs/providers/aws/r/ecs_service.html#capacity_provider_strategy	list(object({ capacity_provider = string weight = number base = number }))	[]	no
circuit_breaker_deployment_enabled	If true, enable the deployment circuit breaker logic for the service	bool	false	no
circuit_breaker_rollback_enabled	If true, Amazon ECS will roll back the service if a service deployment fails	bool	false	no
cloudwatch_log_group_enabled	A boolean to disable cloudwatch log group creation	bool	true	no
codebuild_cache_type	The type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO_CACHE, LOCAL, and S3. Defaults to NO_CACHE. If cache_type is S3, it will create an S3 bucket for storing codebuild cache inside	string	"S3"	no
codepipeline_build_cache_bucket_suffix_enabled	The codebuild cache bucket generates a random 13 character string to generate a unique bucket name. If set to false it uses terraform-null-label's id value. It only works when cache_type is 'S3'	bool	true	no
codepipeline_build_compute_type	CodeBuild instance size. Possible values are: BUILD_GENERAL1_SMALL BUILD_GENERAL1_MEDIUM BUILD_GENERAL1_LARGE	string	"BUILD_GENERAL1_SMALL"	no
codepipeline_cdn_bucket_buildspec_identifier	Identifier for buildspec section controlling the optional CDN asset deployment.	string	null	no
codepipeline_cdn_bucket_encryption_enabled	If set to true, enable encryption on the optional CDN asset deployment bucket	bool	false	no
codepipeline_cdn_bucket_id	Optional bucket for static asset deployment. If specified, the buildspec must include a secondary artifacts section which controls the files deployed to the bucket For more info	string	null	no
codepipeline_enabled	A boolean to enable/disable AWS Codepipeline. If false, use ecr_enabled to control if AWS ECR stays enabled.	bool	true	no
codepipeline_s3_bucket_force_destroy	A boolean that indicates all objects should be deleted from the CodePipeline artifact store S3 bucket so that the bucket can be destroyed without error	bool	false	no
command	The command that is passed to the container	list(string)	null	no
container_cpu	The vCPU setting to control cpu limits of container. (If FARGATE launch type is used below, this must be a supported vCPU size from the table here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html)	number	256	no
container_definition	Override the main container_definition	string	""	no
container_environment	The environment variables to pass to the container. This is a list of maps	list(object({ name = string value = string }))	null	no
container_image	The default container image to use in container definition	string	"cloudposse/default-backend"	no
container_memory	The amount of RAM to allow container to use in MB. (If FARGATE launch type is used below, this must be a supported Memory size from the table here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html)	number	512	no
container_memory_reservation	The amount of RAM (Soft Limit) to allow container to use in MB. This value must be less than container_memory if set	number	128	no
container_port	The port number on the container bound to assigned host_port	number	80	no
container_repo_credentials	Container repository credentials; required when using a private repo. This map currently supports a single key; "credentialsParameter", which should be the ARN of a Secrets Manager's secret holding the credentials	map(string)	null	no
container_start_timeout	Time duration (in seconds) to wait before giving up on resolving dependencies for a container	number	30	no
container_stop_timeout	Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own	number	30	no
context	Single object for setting entire context at once. See description of individual variables for details. Leave string and numeric variables as null to use default value. Individual variable settings (non-null) override settings in context object, except for attributes, tags, and additional_tag_map, which are merged.	any	{ "additional_tag_map": {}, "attributes": [], "delimiter": null, "descriptor_formats": {}, "enabled": true, "environment": null, "id_length_limit": null, "label_key_case": null, "label_order": [], "label_value_case": null, "labels_as_tags": [ "unset" ], "name": null, "namespace": null, "regex_replace_chars": null, "stage": null, "tags": {}, "tenant": null }	no
delimiter	Delimiter to be used between ID elements. Defaults to - (hyphen). Set to "" to use no delimiter at all.	string	null	no
deployment_controller_type	Type of deployment controller. Valid values are CODE_DEPLOY and ECS	string	"ECS"	no
deployment_maximum_percent	The upper limit of the number of tasks (as a percentage of desired_count) that can be running in a service during a deployment	number	200	no
deployment_minimum_healthy_percent	The lower limit (as a percentage of desired_count) of the number of tasks that must remain running and healthy in a service during a deployment	number	100	no
descriptor_formats	Describe additional descriptors to be output in the descriptors output map. Map of maps. Keys are names of descriptors. Values are maps of the form {<br> format = string<br> labels = list(string)<br>} (Type is any so the map values can later be enhanced to provide additional options.) format is a Terraform format string to be passed to the format() function. labels is a list of labels, in order, to pass to format() function. Label values will be normalized before being passed to format() so they will be identical to how they appear in id. Default is {} (descriptors output will be empty).	any	{}	no
desired_count	The desired number of tasks to start with. Set this to 0 if using DAEMON Service type. (FARGATE does not suppoert DAEMON Service type)	number	1	no
ecr_enabled	A boolean to enable/disable AWS ECR	bool	true	no
ecr_image_tag_mutability	The tag mutability setting for the ecr repository. Must be one of: MUTABLE or IMMUTABLE	string	"IMMUTABLE"	no
ecr_scan_images_on_push	Indicates whether images are scanned after being pushed to the repository (true) or not (false)	bool	false	no
ecs_alarms_cpu_utilization_high_alarm_actions	A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization High Alarm action	list(string)	[]	no
ecs_alarms_cpu_utilization_high_evaluation_periods	Number of periods to evaluate for the alarm	number	1	no
ecs_alarms_cpu_utilization_high_ok_actions	A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization High OK action	list(string)	[]	no
ecs_alarms_cpu_utilization_high_period	Duration in seconds to evaluate for the alarm	number	300	no
ecs_alarms_cpu_utilization_high_threshold	The maximum percentage of CPU utilization average	number	80	no
ecs_alarms_cpu_utilization_low_alarm_actions	A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization Low Alarm action	list(string)	[]	no
ecs_alarms_cpu_utilization_low_evaluation_periods	Number of periods to evaluate for the alarm	number	1	no
ecs_alarms_cpu_utilization_low_ok_actions	A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization Low OK action	list(string)	[]	no
ecs_alarms_cpu_utilization_low_period	Duration in seconds to evaluate for the alarm	number	300	no
ecs_alarms_cpu_utilization_low_threshold	The minimum percentage of CPU utilization average	number	20	no
ecs_alarms_enabled	A boolean to enable/disable CloudWatch Alarms for ECS Service metrics	bool	false	no
ecs_alarms_memory_utilization_high_alarm_actions	A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization High Alarm action	list(string)	[]	no
ecs_alarms_memory_utilization_high_evaluation_periods	Number of periods to evaluate for the alarm	number	1	no
ecs_alarms_memory_utilization_high_ok_actions	A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization High OK action	list(string)	[]	no
ecs_alarms_memory_utilization_high_period	Duration in seconds to evaluate for the alarm	number	300	no
ecs_alarms_memory_utilization_high_threshold	The maximum percentage of Memory utilization average	number	80	no
ecs_alarms_memory_utilization_low_alarm_actions	A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization Low Alarm action	list(string)	[]	no
ecs_alarms_memory_utilization_low_evaluation_periods	Number of periods to evaluate for the alarm	number	1	no
ecs_alarms_memory_utilization_low_ok_actions	A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization Low OK action	list(string)	[]	no
ecs_alarms_memory_utilization_low_period	Duration in seconds to evaluate for the alarm	number	300	no
ecs_alarms_memory_utilization_low_threshold	The minimum percentage of Memory utilization average	number	20	no
ecs_cluster_arn	The ECS Cluster ARN where ECS Service will be provisioned	string	n/a	yes
ecs_cluster_name	The ECS Cluster Name to use in ECS Code Pipeline Deployment step	string	null	no
ecs_private_subnet_ids	List of Private Subnet IDs to provision ECS Service onto if var.network_mode = "awsvpc"	list(string)	n/a	yes
ecs_security_group_enabled	Whether to create a security group for the service.	bool	true	no
ecs_security_group_ids	Additional Security Group IDs to allow into ECS Service if var.network_mode = "awsvpc"	list(string)	[]	no
enable_all_egress_rule	A flag to enable/disable adding the all ports egress rule to the ECS security group	bool	true	no
enable_ecs_managed_tags	Specifies whether to enable Amazon ECS managed tags for the tasks within the service	bool	false	no
enabled	Set to false to prevent the module from creating any resources	bool	null	no
entrypoint	The entry point that is passed to the container	list(string)	null	no
environment	ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'	string	null	no
exec_enabled	Specifies whether to enable Amazon ECS Exec for the tasks within the service	bool	false	no
force_new_deployment	Enable to force a new task deployment of the service.	bool	false	no
github_oauth_token	GitHub Oauth Token with permissions to access private repositories	string	""	no
github_webhook_events	A list of events which should trigger the webhook. See a list of available events	list(string)	[ "push" ]	no
health_check_grace_period_seconds	Seconds to ignore failing load balancer health checks on newly instantiated tasks to prevent premature shutdown, up to 7200. Only valid for services configured to use load balancers	number	0	no
healthcheck	A map containing command (string), timeout, interval (duration in seconds), retries (1-10, number of times to retry before marking container unhealthy), and startPeriod (0-300, optional grace period to wait, in seconds, before failed healthchecks count toward retries)	object({ command = list(string) retries = number timeout = number interval = number startPeriod = number })	null	no
id_length_limit	Limit id to this many characters (minimum 6). Set to 0 for unlimited length. Set to null for keep the existing setting, which defaults to 0. Does not affect id_full.	number	null	no
ignore_changes_desired_count	Whether to ignore changes for desired count in the ECS service	bool	false	no
ignore_changes_task_definition	Ignore changes (like environment variables) to the ECS task definition	bool	true	no
init_containers	A list of additional init containers to start. The map contains the container_definition (JSON) and the main container's dependency condition (string) on the init container. The latter can be one of START, COMPLETE, SUCCESS or HEALTHY.	list(object({ container_definition = any condition = string }))	[]	no
label_key_case	Controls the letter case of the tags keys (label names) for tags generated by this module. Does not affect keys of tags passed in via the tags input. Possible values: lower, title, upper. Default value: title.	string	null	no
label_order	The order in which the labels (ID elements) appear in the id. Defaults to ["namespace", "environment", "stage", "name", "attributes"]. You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.	list(string)	null	no
label_value_case	Controls the letter case of ID elements (labels) as included in id, set as tag values, and output by this module individually. Does not affect values of tags passed in via the tags input. Possible values: lower, title, upper and none (no transformation). Set this to title and set delimiter to "" to yield Pascal Case IDs. Default value: lower.	string	null	no
labels_as_tags	Set of labels (ID elements) to include as tags in the tags output. Default is to include all labels. Tags with empty values will not be included in the tags output. Set to [] to suppress all generated tags. Notes: The value of the name tag, if included, will be the id, not the name. Unlike other null-label inputs, the initial setting of labels_as_tags cannot be changed in later chained modules. Attempts to change it will be silently ignored.	set(string)	[ "default" ]	no
launch_type	The ECS launch type (valid options: FARGATE or EC2)	string	"FARGATE"	no
log_driver	The log driver to use for the container. If using Fargate launch type, only supported value is awslogs	string	"awslogs"	no
log_retention_in_days	The number of days to retain logs for the log group	number	90	no
map_container_environment	The environment variables to pass to the container. This is a map of string: {key: value}. environment overrides map_environment	map(string)	null	no
mount_points	Container mount points. This is a list of maps, where each map should contain a containerPath and sourceVolume	list(object({ containerPath = string sourceVolume = string readOnly = bool }))	[]	no
name	ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'. This is the only ID element not also included as a tag. The "name" tag is set to the full id string. There is no tag with the value of the name input.	string	null	no
namespace	ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique	string	null	no
network_mode	The network mode to use for the task. This is required to be awsvpc for FARGATE launch_type or null for EC2 launch_type	string	"awsvpc"	no
nlb_cidr_blocks	A list of CIDR blocks to add to the ingress rule for the NLB container port	list(string)	[]	no
nlb_container_name	The name of the container to associate with the NLB. If not provided, the generated container will be used	string	null	no
nlb_container_port	The port number on the container bound to assigned NLB host_port	number	80	no
nlb_ingress_target_group_arn	Target group ARN of the NLB ingress	string	""	no
permissions_boundary	A permissions boundary ARN to apply to the 3 roles that are created.	string	""	no
platform_version	The platform version on which to run your service. Only applicable for launch_type set to FARGATE. More information about Fargate platform versions can be found in the AWS ECS User Guide.	string	"LATEST"	no
poll_source_changes	Periodically check the location of your source content and run the pipeline if changes are detected	bool	false	no
port_mappings	The port mappings to configure for the container. This is a list of maps. Each map should contain "containerPort", "hostPort", and "protocol", where "protocol" is one of "tcp" or "udp". If using containers in a task with the awsvpc or host network mode, the hostPort can either be left blank or set to the same value as the containerPort	list(object({ containerPort = number hostPort = number protocol = string }))	[ { "containerPort": 80, "hostPort": 80, "protocol": "tcp" } ]	no
privileged	When this variable is true, the container is given elevated privileges on the host container instance (similar to the root user). This parameter is not supported for Windows containers or tasks using the Fargate launch type. Due to how Terraform type casts booleans in json it is required to double quote this value	string	null	no
propagate_tags	Specifies whether to propagate the tags from the task definition or the service to the tasks. The valid values are SERVICE and TASK_DEFINITION	string	null	no
regex_replace_chars	Terraform regular expression (regex) string. Characters matching the regex will be removed from the ID elements. If not set, "/[^a-zA-Z0-9-]/" is used to remove all characters other than hyphens, letters and digits.	string	null	no
region	AWS Region for S3 bucket	string	null	no
repo_name	GitHub repository name of the application to be built and deployed to ECS	string	""	no
repo_owner	GitHub Organization or Username	string	""	no
runtime_platform	Zero or one runtime platform configurations that containers in your task may use. Map of strings with optional keys operating_system_family and cpu_architecture. See runtime_platform docs https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#runtime_platform	list(map(string))	[]	no
secrets	The secrets to pass to the container. This is a list of maps	list(object({ name = string valueFrom = string }))	null	no
service_registries	The service discovery registries for the service. The maximum number of service_registries blocks is 1. The currently supported service registry is Amazon Route 53 Auto Naming Service - aws_service_discovery_service; see service_registries docs https://www.terraform.io/docs/providers/aws/r/ecs_service.html#service_registries-1	list(object({ registry_arn = string port = number container_name = string container_port = number }))	[]	no
stage	ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'	string	null	no
system_controls	A list of namespaced kernel parameters to set in the container, mapping to the --sysctl option to docker run. This is a list of maps: { namespace = "", value = ""}	list(map(string))	null	no
tags	Additional tags (e.g. {'BusinessUnit': 'XYZ'}). Neither the tag keys nor the tag values will be modified by this module.	map(string)	{}	no
task_cpu	The number of CPU units used by the task. If unspecified, it will default to container_cpu. If using FARGATE launch type task_cpu must match supported memory values (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size)	number	null	no
task_memory	The amount of memory (in MiB) used by the task. If unspecified, it will default to container_memory. If using Fargate launch type task_memory must match supported cpu value (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size)	number	null	no
task_policy_arns	A list of IAM Policy ARNs to attach to the generated task role.	list(string)	[]	no
task_role_arn	The ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services	string	""	no
tenant	ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for	string	null	no
ulimits	The ulimits to configure for the container. This is a list of maps. Each map should contain "name", "softLimit" and "hardLimit"	list(object({ name = string softLimit = number hardLimit = number }))	[]	no
use_alb_security_group	A boolean to enable adding an ALB security group rule for the service task	bool	false	no
use_ecr_image	If true, use ECR repo URL for image, otherwise use value in container_image	bool	false	no
use_nlb_cidr_blocks	A flag to enable/disable adding the NLB ingress rule to the security group	bool	false	no
volumes	Task volume definitions as list of configuration objects	list(object({ host_path = string name = string docker_volume_configuration = list(object({ autoprovision = bool driver = string driver_opts = map(string) labels = map(string) scope = string })) efs_volume_configuration = list(object({ file_system_id = string root_directory = string transit_encryption = string transit_encryption_port = string authorization_config = list(object({ access_point_id = string iam = string })) })) }))	[]	no
vpc_id	The VPC ID where resources are created	string	n/a	yes
webhook_authentication	The type of authentication to use. One of IP, GITHUB_HMAC, or UNAUTHENTICATED	string	"GITHUB_HMAC"	no
webhook_enabled	Set to false to prevent the module from creating any webhook resources	bool	true	no
webhook_filter_json_path	The JSON path to filter on	string	"$.ref"	no
webhook_filter_match_equals	The value to match on (e.g. refs/heads/{Branch})	string	"refs/heads/{Branch}"	no
webhook_target_action	The name of the action in a pipeline you want to connect to the webhook. The action must be from the source (first) stage of the pipeline	string	"Source"	no

Outputs

Name	Description
alb_ingress	All outputs from module.alb_ingress
alb_ingress_target_group_arn	ALB Target Group ARN
alb_ingress_target_group_arn_suffix	ALB Target Group ARN suffix
alb_ingress_target_group_name	ALB Target Group name
alb_target_group_cloudwatch_sns_alarms	All outputs from module.alb_target_group_cloudwatch_sns_alarms
cloudwatch_log_group	All outputs from aws_cloudwatch_log_group.app
cloudwatch_log_group_arn	Cloudwatch log group ARN
cloudwatch_log_group_name	Cloudwatch log group name
codebuild	All outputs from module.ecs_codepipeline
codebuild_badge_url	The URL of the build badge when badge_enabled is enabled
codebuild_cache_bucket_arn	CodeBuild cache S3 bucket ARN
codebuild_cache_bucket_name	CodeBuild cache S3 bucket name
codebuild_project_id	CodeBuild project ID
codebuild_project_name	CodeBuild project name
codebuild_role_arn	CodeBuild IAM Role ARN
codebuild_role_id	CodeBuild IAM Role ID
codepipeline_arn	CodePipeline ARN
codepipeline_id	CodePipeline ID
codepipeline_webhook_id	The CodePipeline webhook's ID
codepipeline_webhook_url	The CodePipeline webhook's URL. POST events to this endpoint to trigger the target
container_definition	All outputs from module.container_definition
container_definition_json	JSON encoded list of container definitions for use with other terraform resources such as aws_ecs_task_definition
container_definition_json_map	JSON encoded container definitions for use with other terraform resources such as aws_ecs_task_definition
ecr	All outputs from module.ecr
ecr_registry_id	Registry ID
ecr_registry_url	Repository URL
ecr_repository_arn	ARN of ECR repository
ecr_repository_name	Registry name
ecr_repository_url	Repository URL
ecs_alarms	All outputs from module.ecs_cloudwatch_sns_alarms
ecs_alarms_cpu_utilization_high_cloudwatch_metric_alarm_arn	ECS CPU utilization high CloudWatch metric alarm ARN
ecs_alarms_cpu_utilization_high_cloudwatch_metric_alarm_id	ECS CPU utilization high CloudWatch metric alarm ID
ecs_alarms_cpu_utilization_low_cloudwatch_metric_alarm_arn	ECS CPU utilization low CloudWatch metric alarm ARN
ecs_alarms_cpu_utilization_low_cloudwatch_metric_alarm_id	ECS CPU utilization low CloudWatch metric alarm ID
ecs_alarms_memory_utilization_high_cloudwatch_metric_alarm_arn	ECS Memory utilization high CloudWatch metric alarm ARN
ecs_alarms_memory_utilization_high_cloudwatch_metric_alarm_id	ECS Memory utilization high CloudWatch metric alarm ID
ecs_alarms_memory_utilization_low_cloudwatch_metric_alarm_arn	ECS Memory utilization low CloudWatch metric alarm ARN
ecs_alarms_memory_utilization_low_cloudwatch_metric_alarm_id	ECS Memory utilization low CloudWatch metric alarm ID
ecs_alb_service_task	All outputs from module.ecs_alb_service_task
ecs_cloudwatch_autoscaling	All outputs from module.ecs_cloudwatch_autoscaling
ecs_cloudwatch_autoscaling_scale_down_policy_arn	ARN of the scale down policy
ecs_cloudwatch_autoscaling_scale_up_policy_arn	ARN of the scale up policy
ecs_exec_role_policy_id	The ECS service role policy ID, in the form of role_name:role_policy_name
ecs_exec_role_policy_name	ECS service role name
ecs_service_arn	ECS Service ARN
ecs_service_name	ECS Service name
ecs_service_role_arn	ECS Service role ARN
ecs_service_security_group_id	Security Group ID of the ECS task
ecs_task_definition_family	ECS task definition family
ecs_task_definition_revision	ECS task definition revision
ecs_task_exec_role_arn	ECS Task exec role ARN
ecs_task_exec_role_name	ECS Task role name
ecs_task_role_arn	ECS Task role ARN
ecs_task_role_id	ECS Task role id
ecs_task_role_name	ECS Task role name
httpcode_elb_5xx_count_cloudwatch_metric_alarm_arn	ALB 5xx count CloudWatch metric alarm ARN
httpcode_elb_5xx_count_cloudwatch_metric_alarm_id	ALB 5xx count CloudWatch metric alarm ID
httpcode_target_3xx_count_cloudwatch_metric_alarm_arn	ALB Target Group 3xx count CloudWatch metric alarm ARN
httpcode_target_3xx_count_cloudwatch_metric_alarm_id	ALB Target Group 3xx count CloudWatch metric alarm ID
httpcode_target_4xx_count_cloudwatch_metric_alarm_arn	ALB Target Group 4xx count CloudWatch metric alarm ARN
httpcode_target_4xx_count_cloudwatch_metric_alarm_id	ALB Target Group 4xx count CloudWatch metric alarm ID
httpcode_target_5xx_count_cloudwatch_metric_alarm_arn	ALB Target Group 5xx count CloudWatch metric alarm ARN
httpcode_target_5xx_count_cloudwatch_metric_alarm_id	ALB Target Group 5xx count CloudWatch metric alarm ID
target_response_time_average_cloudwatch_metric_alarm_arn	ALB Target Group response time average CloudWatch metric alarm ARN
target_response_time_average_cloudwatch_metric_alarm_id	ALB Target Group response time average CloudWatch metric alarm ID

Related Projects

Check out these related projects.

• terraform-aws-alb - Terraform module to provision a standard ALB for HTTP/HTTP traffic
• terraform-aws-alb-ingress - Terraform module to provision an HTTP style ingress rule based on hostname and path for an ALB
• terraform-aws-codebuild - Terraform Module to easily leverage AWS CodeBuild for Continuous Integration
• terraform-aws-ecr - Terraform Module to manage Docker Container Registries on AWS ECR
• terraform-aws-ecs-alb-service-task - Terraform module which implements an ECS service which exposes a web service via ALB.
• terraform-aws-ecs-codepipeline - Terraform Module for CI/CD with AWS Code Pipeline and Code Build for ECS
• terraform-aws-ecs-container-definition - Terraform module to generate well-formed JSON documents that are passed to the aws_ecs_task_definition Terraform resource
• terraform-aws-lb-s3-bucket - Terraform module to provision an S3 bucket with built in IAM policy to allow AWS Load Balancers to ship access logs.
• terraform-aws-eks-cluster - Terraform module for provisioning an EKS cluster
• terraform-aws-eks-workers - Terraform module to provision an AWS AutoScaling Group, IAM Role, and Security Group for EKS Workers
• terraform-aws-ec2-autoscale-group - Terraform module to provision Auto Scaling Group and Launch Template on AWS

Tip

Use Terraform Reference Architectures for AWS

Use Cloud Posse's ready-to-go terraform architecture blueprints for AWS to get up and running quickly.

✅ We build it with you.
✅ You own everything.
✅ Your team wins.

📚 Learn More

Cloud Posse is the leading DevOps Accelerator for funded startups and enterprises.

Your team can operate like a pro today.

Ensure that your team succeeds by using Cloud Posse's proven process and turnkey blueprints. Plus, we stick around until you succeed.

Day-0: Your Foundation for Success

• Reference Architecture. You'll get everything you need from the ground up built using 100% infrastructure as code.
• Deployment Strategy. Adopt a proven deployment strategy with GitHub Actions, enabling automated, repeatable, and reliable software releases.
• Site Reliability Engineering. Gain total visibility into your applications and services with Datadog, ensuring high availability and performance.
• Security Baseline. Establish a secure environment from the start, with built-in governance, accountability, and comprehensive audit logs, safeguarding your operations.
• GitOps. Empower your team to manage infrastructure changes confidently and efficiently through Pull Requests, leveraging the full power of GitHub Actions.

Day-2: Your Operational Mastery

• Training. Equip your team with the knowledge and skills to confidently manage the infrastructure, ensuring long-term success and self-sufficiency.
• Support. Benefit from a seamless communication over Slack with our experts, ensuring you have the support you need, whenever you need it.
• Troubleshooting. Access expert assistance to quickly resolve any operational challenges, minimizing downtime and maintaining business continuity.
• Code Reviews. Enhance your team’s code quality with our expert feedback, fostering continuous improvement and collaboration.
• Bug Fixes. Rely on our team to troubleshoot and resolve any issues, ensuring your systems run smoothly.
• Migration Assistance. Accelerate your migration process with our dedicated support, minimizing disruption and speeding up time-to-value.
• Customer Workshops. Engage with our team in weekly workshops, gaining insights and strategies to continuously improve and innovate.

✨ Contributing

This project is under active development, and we encourage contributions from our community.

Many thanks to our outstanding contributors:

For 🐛 bug reports & feature requests, please use the issue tracker.

In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

1. Review our Code of Conduct and Contributor Guidelines.
2. Fork the repo on GitHub
3. Clone the project to your own machine
4. Commit changes to your own branch
5. Push your work back up to your fork
6. Submit a Pull Request so that we can review your changes

NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!

🌎 Slack Community

Join our Open Source Community on Slack. It's FREE for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally sweet infrastructure.

📰 Newsletter

Sign up for our newsletter and join 3,000+ DevOps engineers, CTOs, and founders who get insider access to the latest DevOps trends, so you can always stay in the know. Dropped straight into your Inbox every week — and usually a 5-minute read.

📆 Office Hours

Join us every Wednesday via Zoom for your weekly dose of insider DevOps trends, AWS news and Terraform insights, all sourced from our SweetOps community, plus a live Q&A that you can’t find anywhere else. It's FREE for everyone!

License

Preamble to the Apache License, Version 2.0

Complete license is available in the LICENSE file.

Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements.  See the NOTICE file
distributed with this work for additional information
regarding copyright ownership.  The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License.  You may obtain a copy of the License at

  https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied.  See the License for the
specific language governing permissions and limitations
under the License.

Trademarks

All other trademarks referenced herein are the property of their respective owners.

---

Copyright © 2017-2024 Cloud Posse, LLC