
aws_ecs_container_definition missing several properties from the specification #25794

Open
nhubbard opened this issue Jul 12, 2022 · 7 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/ecs Issues and PRs that pertain to the ecs service.

Comments


nhubbard commented Jul 12, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I'm trying to create a container definition using a data definition with the aws_ecs_container_definition data source, but it appears to be missing several properties from the Container definition specification.

Note: I'm not trying to use all of these properties together, but this is just a list of all of the missing properties that I found by comparing the aws_ecs_container_definition data source to the container definition spec.

Here's a complete list of all of the missing properties that I found:

  • Category: Standard container definition properties
    • Port mappings: portMappings
  • Category: Advanced container definition properties
    • Health check: healthCheck
    • Environment
      • gpu
      • Elastic Inference accelerator (this property doesn't appear to be named correctly in the AWS docs)
      • essential
      • entryPoint
      • command
      • workingDirectory
      • environmentFiles
      • secrets
    • Network settings
      • links
      • dnsServers
      • dnsSearchDomains
      • extraHosts
      • hostname
      • ipAddress
    • Storage and logging
      • readonlyRootFilesystem
      • mountPoints
      • volumesFrom
      • logConfiguration
      • firelensConfiguration
    • Security
      • privileged
      • user
      • dockerSecurityOptions
    • Resource limits: ulimits
  • Category: Other container definition parameters
    • Linux parameters: linuxParameters
    • Container dependency: dependsOn
    • Container timeouts
      • startTimeout
      • stopTimeout
    • System controls: systemControls
    • Interactive: interactive
    • Pseudo terminal: pseudoTerminal

New or Affected Resource(s)

  • aws_ecs_container_definition

Potential Terraform Configuration

data "aws_ecs_container_definition" "example" {
    // Insert existing properties here.

    // Port mapping(s)
    portMapping {
        containerPort = number
        // Host port is optional value
        hostPort = number
    }
    portMapping {
        containerPort = number
        // Protocol is optional value
        protocol = string
    }

    // Health check
    healthCheck {
        command = list(string)
        interval = number
        timeout = number
        retries = number
        // Start period is optional value
        startPeriod = number
    }

    // GPU
    gpu {
        // Either "GPU" or "InferenceAccelerator"
        type = string
        // For GPU: the number of physical GPUs that Amazon ECS container agent reserves for the container
        // For InferenceAccelerator: the device name for an InferenceAccelerator object specified in the task definition
        value = string
    }

    // Elastic inference accelerator
    elasticInferenceAccelerator {
        // Uses the same schema (ResourceRequirement) as the GPU object above
    }

    essential = bool
    entryPoint = list(string)
    command = list(string)
    workingDirectory = string
    
    // Environment file(s)
    environmentFile {
        value = string
        // Required, but value must always be "s3"???
        type = "s3"
    }

    // Secret(s)
    secret {
        name = string
        // One of:
        // * An AWS Secrets Manager ARN
        // * A secret name from a same-region AWS Systems Manager Parameter Store
        // * An AWS Systems Manager Parameter Store ARN
        valueFrom = string
    }

    // Network settings
    links = list(string)
    dnsServers = list(string)
    dnsSearchDomains = list(string)
    extraHost {
        hostname = string
        ipAddress = string
    }
    hostname = string
    ipAddress = string

    // Storage and logging
    readonlyRootFilesystem = false
    mountPoint {
        sourceVolume = string
        containerPath = string
        readOnly = false
    }
    volumeFrom {
        sourceContainer = string
        readOnly = bool
    }
    logConfiguration {
        // One of "awslogs", "fluentd", "gelf", "json-file", "journald", "logentries", "splunk", "syslog", "awsfirelens"
        logDriver = "value"
        options = map(string)
        secretOption {
            name = string
            valueFrom = string
        }
    }
    firelensConfiguration {
        type = string
        options = map(string)
    }
    
    // Security
    privileged = bool
    user = string
    dockerSecurityOptions = list(string)
    ulimits {
        // One of the supported ulimit values
        name {
            softLimit = number
            hardLimit = number
        }
    }

    linuxParameters {
        capabilities {
            add = list(string)
            drop = list(string)
        }
        device {
            containerPath = string
            hostPath = string
            permissions = list(string)
        }
        initProcessEnabled = bool
        maxSwap = number
        sharedMemorySize = number
        swappiness = number
        tmpfs {
            containerPath = string
            mountOptions = list(string)
            size = number
        }
    }

    dependsOn {
        containerName = string
        condition = string
    }

    startTimeout = number
    stopTimeout = number
    
    systemControl {
        namespace = string
        value = string
    }

    interactive = bool
    pseudoTerminal = bool
}

Workaround

Use the jsonencode function or a JSON-encoded heredoc string to supply the extra arguments to the aws_ecs_task_definition resource:

resource "aws_ecs_task_definition" "workaround" {
  // Insert any other properties you need here (family is required).
  family = "workaround"
  // container_definitions is a single JSON string, so encode the whole list
  // of container objects rather than a list of separately encoded objects.
  container_definitions = jsonencode([
    {
      name  = "container_name"
      image = "image_name"
      // Example with port mappings:
      portMappings = [
        {
          containerPort = 80
          hostPort      = 80
          protocol      = "tcp"
        }
      ]
    }
  ])
}

References

@epomatti

Are there any workarounds on this one? For example, how can I enable container health checks?

@nhubbard
Author

The workaround I used was using the jsonencode function and manually coding in all of the additional properties. I'll edit the issue with that information.

@justinretzolk
Member

Hey @nhubbard 👋 Thank you for taking the time to raise this! I'm a bit unclear on what you're looking to accomplish, so wanted to follow up to try to gain a better understanding. Are you looking to read an existing container within ECS using the aws_ecs_container_definition data source, and then use the data returned to pass as an argument to the aws_ecs_task_definition resource, and this is where you're finding that some of the data you would expect to be returned is not being returned?

@nhubbard
Author

nhubbard commented Jul 21, 2022

Hi @justinretzolk! I'm actually looking to create a new aws_ecs_container_definition that uses some of the missing properties, and pass it into an aws_ecs_task_definition as part of the task creation process. My use case specifically revolves around AWS Fargate and ECS integration.

See my next comment. I've fundamentally misinterpreted the point of data sources. My mistake was assuming that all data sources work the same way as the AWS IAM policy documents, which just render the policy definition into JSON instead of querying the data.

@nhubbard
Author

nhubbard commented Jul 21, 2022

I might have misunderstood the purpose of data sources if I'm reading your comment correctly. I'm quite new to the use of data sources, so it makes sense why these properties might be missing.

However, I still think that it should be possible to query for aws_ecs_container_definition with any of the possible properties.

Additionally, I'm curious as to whether you can create a container definition like a resource, in the same vein as aws_iam_policy_document.

@mattburgess
Collaborator

Additionally, I'm curious as to whether you can create a container definition like a resource, in the same vein as aws_iam_policy_document.

No, that's not possible right now. The container definitions are contained within the aws_ecs_task_definition resource so as to follow the same model as the underlying AWS API.

I might have misunderstood the purpose of data sources if I'm reading your comment correctly. I'm quite new to the use of data sources, so it makes sense why these properties might be missing.

Given that data sources are used to query existing resources in AWS, coupled with the fact that container definitions don't exist outside of task definitions, I suspect that may be the case. I say that because it looks like, from your original report, you're trying to create a task definition containing a container definition that is coming from an existing task definition resource. At that point, you can probably cut out the round trip by removing the data source.

It may be that what you wanted to do, instead, is specify the container definition outside of Terraform (because mixing HCL and JSON can definitely get gnarly). If that's the case, you may want to write the container definition in a plain JSON file and read the contents of that in using the file() function. Also see templatefile() if you need to interpolate Terraform variables into that definition.

However, I still think that it should be possible to query for aws_ecs_container_definition with any of the possible properties.

Looking at the code, this should be possible, but I'm not sure there's a reasonable use case for it given the above? i.e. under what circumstances would you have the name of an aws_ecs_task_definition and then either not have the container's name, or be in a position where you'd want to find all containers in a task with a given property?

@agnaldom

agnaldom commented May 4, 2023

Hello,
I was trying to use this function in a task definition

    healthCheck {
        command = list(string)
        interval = number
        timeout = number
        retries = number
        // Start period is optional value
        startPeriod = number
    }

and I didn't find anything in the documentation. Does anyone know?
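An added example (not from the issue or the provider's own code) that combines the jsonencode workaround from the issue body with the healthCheck block asked about here, on a Fargate task definition. The execution role reference, image, log group, account id and secret ARN are placeholders, and the image is assumed to contain curl for the probe command.

```hcl
resource "aws_ecs_task_definition" "web" {
  family                   = "web"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = "256"
  memory                   = "512"
  # Assumed to exist: the role ECS uses to pull the image, read the secret and write logs.
  execution_role_arn = aws_iam_role.ecs_execution.arn

  # container_definitions is a JSON string: encode the whole list, not each element.
  container_definitions = jsonencode([
    {
      name         = "web"
      image        = "PLACEHOLDER_ACCOUNT.dkr.ecr.us-east-1.amazonaws.com/web:1.0"
      essential    = true
      portMappings = [{ containerPort = 8080, protocol = "tcp" }]

      # healthCheck: `retries` consecutive failed probes, after the `startPeriod`
      # grace period, mark the container unhealthy and ECS replaces the task.
      # The command runs inside the container, so the image must ship curl.
      healthCheck = {
        command     = ["CMD-SHELL", "curl -f http://localhost:8080/healthz || exit 1"]
        interval    = 30
        timeout     = 5
        retries     = 3
        startPeriod = 60
      }

      # Least-privilege settings the data source does not expose.
      readonlyRootFilesystem = true
      user                   = "1000:1000"
      linuxParameters = {
        initProcessEnabled = true
        capabilities       = { drop = ["ALL"] }
      }

      # Inject the secret at launch rather than as a plain environment value.
      secrets = [{
        name      = "DB_PASSWORD"
        valueFrom = "arn:aws:secretsmanager:us-east-1:123456789012:secret:PLACEHOLDER"
      }]

      logConfiguration = {
        logDriver = "awslogs"
        options = {
          "awslogs-group"         = "/ecs/web"
          "awslogs-region"        = "us-east-1"
          "awslogs-stream-prefix" = "web"
        }
      }
    }
  ])
}
```

`terraform validate` checks the HCL but not the JSON keys, so a misspelled key such as `healthcheck` is only rejected by the ECS API at apply time.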
