Terraform module to create AWS ECS application.
Security scanning is graciously provided by Bridgecrew.
## Requirements

| Name | Version |
|---|---|
| terraform | >= 1.0 |

## Providers

| Name | Version |
|---|---|
| aws | n/a |
| template | n/a |
## Modules

| Name | Source | Version |
|---|---|---|
| alb | registry.terraform.io/terraform-aws-modules/alb/aws | ~> 5.0 |
| autoscaling | terraform-aws-modules/autoscaling/aws | ~> 4.0 |
| datadog | registry.terraform.io/hazelops/ecs-datadog-agent/aws | ~> 3.2 |
| ecr | registry.terraform.io/hazelops/ecr/aws | ~> 1.0 |
| efs | registry.terraform.io/cloudposse/efs/aws | ~> 0.31 |
| nginx | registry.terraform.io/hazelops/ecs-nginx-proxy/aws | ~> 1.0 |
| route_53_health_check | registry.terraform.io/hazelops/route53-healthcheck/aws | ~> 1.0 |
| service | ./ecs-modules/ecs-service | n/a |
## Resources

| Name | Type |
|---|---|
| aws_eip.autoscaling | resource |
| aws_iam_role_policy.ec2_auto_eip | resource |
| aws_route53_record.alb | resource |
| aws_route53_record.ec2 | resource |
| aws_caller_identity.current | data source |
| aws_iam_instance_profile.this | data source |
| aws_region.current | data source |
| template_file.asg_ecs_ec2_user_data | data source |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_container_definition_parameters | Additional parameters passed straight to the container definition, e.g. tmpfs config | any | {} | no |
| alb_deregistration_delay | n/a | number | 5 | no |
| alb_health_check_healthy_threshold | n/a | number | 3 | no |
| alb_health_check_interval | n/a | number | 30 | no |
| alb_health_check_path | ALB health check path | string | "/health" | no |
| alb_health_check_timeout | n/a | number | 6 | no |
| alb_health_check_unhealthy_threshold | n/a | number | 3 | no |
| alb_health_check_valid_response_codes | n/a | string | "200-399" | no |
| alb_idle_timeout | The time in seconds that the connection is allowed to be idle. | number | 60 | no |
| alb_security_groups | Security groups to assign to the ALB | list(any) | [] | no |
| app_secrets | List of SSM ParameterStore secret parameters; by default read from /$var.env/$var.name/* | list(any) | [] | no |
| app_type | ECS application type. Valid values: web (with ALB), worker (without ALB). | string | "web" | no |
| assign_public_ip | ECS service network configuration: assign a public IP | bool | false | no |
| autoscale_enabled | ECS autoscaling enabled | bool | false | no |
| autoscale_scheduled_down | List of cron-like expressions for scheduled ECS autoscale DOWN | list | [] | no |
| autoscale_scheduled_timezone | Time zone for the scheduled event | string | "UTC" | no |
| autoscale_scheduled_up | List of cron-like expressions for scheduled ECS autoscale UP | list | [] | no |
| autoscale_target_value_cpu | ECS service average CPU utilization threshold. Integer percentage, e.g. 80 | number | 50 | no |
| autoscale_target_value_memory | ECS service average memory utilization threshold. Integer percentage, e.g. 60 | number | 50 | no |
| autoscaling_health_check_type | ECS 'EC2' or 'ELB' health check type | string | "EC2" | no |
| autoscaling_max_size | Maximum number of running ECS tasks during a scheduled scale-up action | number | 2 | no |
| autoscaling_min_size | Minimum number of running ECS tasks during a scheduled scale-up action | number | 2 | no |
| aws_service_discovery_private_dns_namespace | Amazon ECS Service Discovery private DNS namespace | string | "" | no |
| cloudwatch_schedule_expressions | List of cron-like CloudWatch Event Rule schedule expressions (UTC time zone) | list(any) | [] | no |
| cpu | Fargate CPU value (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html) | number | 256 | no |
| cpu_architecture | CPU architecture specified when registering the task definition. Valid values are X86_64 and ARM64 | string | "X86_64" | no |
| create_schedule | Determines whether to create an autoscaling group schedule or not | bool | false | no |
| datadog_enabled | Datadog agent is enabled | bool | false | no |
| datadog_jmx_enabled | Enables/disables the JMX monitor via the Datadog agent | bool | false | no |
| deployment_minimum_healthy_percent | Lower limit on the number of running tasks | number | 100 | no |
| desired_capacity | Desired number (capacity) of running ECS tasks | number | 1 | no |
| docker_container_command | Docker container command | list(string) | [] | no |
| docker_container_entrypoint | Docker container entrypoint | list(string) | [] | no |
| docker_container_port | Docker container port | number | 3000 | no |
| docker_host_port | Docker host port. 0 means auto-assign. | number | 0 | no |
| docker_image_name | Docker image name | string | "" | no |
| docker_image_tag | Docker image tag | string | "latest" | no |
| docker_labels | Labels to be added to the Docker container. Used for auto-configuration, for instance JMX discovery | map(any) | null | no |
| docker_registry | ECR or any other Docker registry | string | "docker.io" | no |
| domain_names | Domain names for AWS Route53 A records | list(any) | [] | no |
| ec2_eip_count | Count of EIPs to create | number | 0 | no |
| ec2_eip_dns_enabled | Whether to manage DNS records attached to the EIP | bool | false | no |
| ec2_eip_enabled | Enable EC2 ASG auto-assign EIP mode | bool | false | no |
| ec2_service_group | Service group name, e.g. app, service name etc. | string | "app" | no |
| ecr_repo_create | Creation of an ECR repo | bool | false | no |
| ecr_repo_name | ECR repository name | string | "" | no |
| ecs_cluster_arn | ECS cluster ARN. Should be specified to avoid a data query by cluster name | string | "" | no |
| ecs_cluster_name | ECS cluster name | string | "" | no |
| ecs_exec_custom_prompt_enabled | Enable a custom shell prompt on ECS Exec | bool | false | no |
| ecs_exec_enabled | Turns on Amazon ECS Exec for the task | bool | true | no |
| ecs_exec_prompt_string | Shell prompt that contains ENV and APP_NAME | string | `"\e[1;35m★\e[0m $ENV-$APP_NAME:$(wget -qO- $ECS_CONTAINER_METADATA_URI_V4 \| sed -n 's/."com.amazonaws.ecs.task-definition-version":"\([^\"]\).*/\1/p') \e[1;36m★\e[0m $(wget -qO- $ECS_CONTAINER_METADATA_URI_V4 \|` |  |
| ecs_launch_type | ECS launch type: FARGATE or EC2 | string | "FARGATE" | no |
| ecs_network_mode | Corresponds to networkMode in an ECS task definition. Supported values are none, bridge, host, or awsvpc | string | "awsvpc" | no |
| ecs_platform_version | The platform version on which to run your service. Only applicable when using the Fargate launch type | string | "LATEST" | no |
| ecs_service_deployed | This service resource doesn't have a task definition lifecycle policy, so Terraform is used to deploy it (instead of the ECS CLI) | bool | false | no |
| ecs_service_discovery_enabled | The ECS service can optionally be configured to use Amazon ECS Service Discovery | bool | false | no |
| ecs_service_name | The ECS service name | string | "" | no |
| ecs_task_health_check_command | Command to check the health of the container | string | "" | no |
| ecs_volumes_from | The VolumesFrom property specifies details on a data volume from another container in the same task definition | list(any) | [] | no |
| efs_enabled | EFS enabled | bool | false | no |
| efs_mount_point | EFS mount point | string | "/mnt/efs" | no |
| efs_root_directory | EFS root directory | string | "/" | no |
| env | Target environment name of the infrastructure | string | n/a | yes |
| environment | Set of environment variables | map(string) | n/a | yes |
| firelens_ecs_log_enabled | AWS FireLens ECS logs enabled | bool | false | no |
| global_secrets | List of SSM ParameterStore global secrets; by default read from /$var.env/global/* | list(any) | [] | no |
| gpu | GPU-enabled container instances | number | 0 | no |
| http_port | Port that is used for the HTTP protocol | number | 80 | no |
| https_enabled | Whether to enable HTTPS or not (still needs tls_cert_arn) | string | true | no |
| iam_instance_profile | IAM instance profile | string | null | no |
| iam_role_policy_statement | ECS service IAM role policy statement | list(any) | [] | no |
| image_id | EC2 AMI id | string | null | no |
| instance_type | EC2 instance type for ECS | string | "t3.small" | no |
| key_name | EC2 key name | string | null | no |
| max_size | Maximum number of running ECS tasks | number | 1 | no |
| memory | Fargate memory value (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html) | number | 512 | no |
| memory_reservation | The soft limit (in MiB) of memory to reserve for the container | number | 256 | no |
| min_size | Minimum number of running ECS tasks | number | 1 | no |
| name | ECS app name | string | n/a | yes |
| namespace | Namespace name within the infrastructure | string | n/a | yes |
| operating_system_family | Platform to be used with ECS. The valid values for Amazon ECS tasks hosted on Fargate are LINUX, WINDOWS_SERVER_2019_FULL, and WINDOWS_SERVER_2019_CORE. The valid values for Amazon ECS tasks hosted on EC2 are LINUX, WINDOWS_SERVER_2022_CORE, WINDOWS_SERVER_2022_FULL, WINDOWS_SERVER_2019_FULL, WINDOWS_SERVER_2019_CORE, WINDOWS_SERVER_2016_FULL, WINDOWS_SERVER_2004_CORE, and WINDOWS_SERVER_20H2_CORE. | string | "LINUX" | no |
| port_mappings | List of ports to open from a service | list(any) | [] | no |
| private_subnets | VPC private subnets in which to place ECS resources | list(any) | [] | no |
| proxy_docker_container_command | Proxy Docker container CMD | list(string) | [ | no |
| proxy_docker_entrypoint | Proxy Docker container entrypoint | list | [ | no |
| proxy_docker_image_name | Nginx proxy Docker image name | string | "nginx" | no |
| public | Whether the application is publicly accessible | bool | true | no |
| public_ecs_service | Whether the service is publicly accessible | bool | false | no |
| public_subnets | VPC public subnets in which to place ECS resources | list(any) | [] | no |
| resource_requirements | The ResourceRequirement property specifies the type and amount of a resource to assign to a container. The only supported resource is a GPU | list(any) | [] | no |
| root_block_device_size | n/a | number | "50" | no |
| root_block_device_type | n/a | string | "gp2" | no |
| root_domain_name | Domain name of the AWS Route53 zone | string | "example.com" | no |
| route53_health_check_enabled | AWS Route53 health check is enabled | bool | false | no |
| schedules | Map of autoscaling group schedules to create | map(any) | {} | no |
| security_groups | Security groups to assign to the ECS Fargate task / ECS EC2 instances | list(any) | [] | no |
| shared_memory_size | Size of the /dev/shm shared memory in MB | number | 0 | no |
| sidecar_container_definitions | Sidecar container definitions for the ECS task | any | [] | no |
| sns_service_subscription_endpoint | You can use different endpoints, such as email, PagerDuty, Slack, etc. | string | "exmple@example.com" | no |
| sns_service_subscription_endpoint_protocol | See valid protocols here: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription#protocol-support | string | "email" | no |
| ssm_global_secret_path | AWS SSM root path to global environment secrets, like /dev/global | string | null | no |
| ssm_secret_path | AWS SSM root path to the environment secrets of an app, like /dev/app1 | string | null | no |
| tls_cert_arn | TLS certificate ARN | string | null | no |
| tmpfs_container_path | Path where the tmpfs shm would be mounted | string | "/tmp/" | no |
| tmpfs_enabled | tmpfs support for non-Fargate deployments | bool | false | no |
| tmpfs_mount_options | Options for the mount of the RAM disk. noatime by default to speed up access | list(string) | [ | no |
| tmpfs_size | Size of the tmpfs in MB | number | 1024 | no |
| volumes | Amazon data volumes for the ECS task (EFS / FSx / Docker volume / bind mounts) | list(any) | [] | no |
| vpc_id | AWS VPC ID | string | n/a | yes |
| web_proxy_docker_container_port | Proxy Docker container port | number | 80 | no |
| web_proxy_docker_image_tag | Nginx proxy Docker image tag | string | "1.19.2-alpine" | no |
| web_proxy_enabled | Nginx proxy enabled | bool | false | no |
| zone_id | AWS Route53 zone ID | string | "AWS123456789" | no |
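The following module call is an added usage example and is not part of this module's own README or source; it only uses inputs listed in the table above. The module `source` path, the VPC, subnet and security group ids, the registry host, the certificate ARN and the zone id are placeholders, and the format of `app_secrets` / `global_secrets` entries (bare parameter names under the default SSM paths) is an assumption. It shows a `web` application on Fargate in private subnets behind an HTTPS ALB, with the defaults a reviewer usually asks about (public IP assignment, image tag pinning, ECS Exec) set explicitly.

```hcl
# Added example, not the module's own code. All ids, ARNs and the source path
# are placeholders; replace them with values from your account.
module "app" {
  source = "../path/to/this-module" # placeholder: path or registry address of this module

  name      = "api"
  env       = "dev"
  namespace = "example"

  # Networking: tasks run in private subnets, the ALB in public ones.
  # assign_public_ip is already false by default; stated here so the
  # intent survives a future default change.
  vpc_id              = "vpc-PLACEHOLDER"
  private_subnets     = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"]
  public_subnets      = ["subnet-PLACEHOLDER-c", "subnet-PLACEHOLDER-d"]
  assign_public_ip    = false
  security_groups     = ["sg-PLACEHOLDER-tasks"] # task ENIs: allow only ALB -> container port
  alb_security_groups = ["sg-PLACEHOLDER-alb"]   # ALB: allow 443 from the clients you expect

  # Application and image. The docker_image_tag default is "latest"; pin a
  # tag so a plan/apply deploys a known build rather than whatever was
  # last pushed.
  app_type              = "web"
  ecs_launch_type       = "FARGATE"
  ecs_cluster_name      = "example-dev"
  docker_registry       = "123456789012.dkr.ecr.us-east-1.amazonaws.com" # placeholder ECR host
  docker_image_name     = "api"
  docker_image_tag      = "2024.01.15-abc1234" # placeholder, pinned build tag
  docker_container_port = 3000
  cpu                   = 256
  memory                = 512

  # Capacity: keep deployments from dropping below the current task count.
  min_size                           = 2
  max_size                           = 4
  desired_capacity                   = 2
  deployment_minimum_healthy_percent = 100

  # Edge: TLS terminates on the ALB; https_enabled still needs tls_cert_arn.
  https_enabled         = true
  tls_cert_arn          = "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER"
  root_domain_name      = "example.com"
  zone_id               = "ZPLACEHOLDER"
  domain_names          = ["api.dev.example.com"]
  alb_health_check_path = "/health"

  # Non-secret configuration goes in environment variables; secrets are
  # named SSM Parameter Store entries read from /dev/api/* and /dev/global/*
  # (entry format assumed: bare parameter names).
  environment = {
    LOG_LEVEL = "info"
  }
  app_secrets    = ["DATABASE_URL"]
  global_secrets = ["SENTRY_DSN"]

  # ECS Exec defaults to true in this module. Leave it off unless operators
  # need interactive shells into the task and session logging is in place.
  ecs_exec_enabled = false
}
```

Run `terraform init` and `terraform plan` against this to see the ALB, target group, task definition and Route53 record the module produces for a `web` app; switching `app_type` to `worker` drops the ALB-related resources and the `domain_names`, `tls_cert_arn` and health check settings become irrelevant.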
## Outputs

| Name | Description |
|---|---|
| alb_arn | n/a |
| alb_dns_name | n/a |
| alb_dns_zone | n/a |
| cloudwatch_log_group | n/a |
| ec2_dns_name | n/a |
| efs | n/a |
| eips | n/a |
| public_ip | n/a |
| this_target_group_arn | n/a |
| this_task_definition_arn | n/a |