Terraform module for deploying strongDM gateways/relays on AWS ECS Fargate
Usage

```hcl
data "aws_region" "current" {}

# The data source must be aws_vpc and its VPC ID attribute is `id`.
# Values in angle brackets are placeholders to fill in.
data "aws_vpc" "my_vpc" {
  id = "<VPC_ID>"
}

resource "aws_ecs_cluster" "strongdm" {
  name = "strongdm"
}

# With AWS provider 4.x the capacity_providers argument on aws_ecs_cluster is
# deprecated; the association is its own resource. FARGATE_SPOT tasks can be
# reclaimed by AWS with two minutes' notice, which terminates every session
# proxied through that gateway; use FARGATE for a production gateway.
resource "aws_ecs_cluster_capacity_providers" "strongdm" {
  cluster_name       = aws_ecs_cluster.strongdm.name
  capacity_providers = ["FARGATE", "FARGATE_SPOT"]

  default_capacity_provider_strategy {
    capacity_provider = "FARGATE_SPOT"
    weight            = 1
  }
}

module "ecs_strongdm" {
  # Pin to a tag with ?ref=; a ":v1.0.0" suffix is not a git ref selector.
  source          = "github.com/highwingio/terraform-aws-strongdm?ref=v1.0.0"
  region          = data.aws_region.current.name
  vpc_id          = data.aws_vpc.my_vpc.id
  ecs_cluster_arn = aws_ecs_cluster.strongdm.arn

  # Input name as declared by the module. SSM parameter ARNs have the form
  # arn:aws:ssm:<region>:<account-id>:parameter/<name>.
  sdm_relay_token_parameter_arn = "arn:aws:ssm:<REGION>:<ACCOUNT_ID>:parameter/<SDM_RELAY_TOKEN_PARAMETER_NAME>"

  private_subnet_ids = <PRIVATE_SUBNETS>
  public_subnet_ids  = <PUBLIC_SUBNETS>
  security_group_ids = <SECURITY_GROUPS>
}
```
Requirements

No requirements.

Providers

| Name | Version |
|---|---|
| aws | 4.51.0 |
| sdm | 3.5.4 |
Modules

No modules.

Resources

| Name | Type |
|---|---|
| aws_cloudwatch_log_group.task | resource | 
| aws_ecs_service.service | resource | 
| aws_ecs_task_definition.task | resource | 
| aws_iam_role.service | resource | 
| aws_iam_role.task | resource | 
| aws_iam_role_policy.service | resource | 
| aws_iam_role_policy_attachment.service | resource | 
| aws_iam_role_policy_attachment.task_extra | resource | 
| aws_lb.nlb | resource | 
| aws_lb_listener.frontend | resource | 
| aws_lb_target_group.gateway | resource | 
| aws_security_group.nlb_listener_traffic | resource | 
| aws_ssm_parameter.gateway_token | resource | 
| sdm_node.gateway | resource | 
| aws_iam_policy_document.assume_role_service | data source | 
| aws_iam_policy_document.assume_role_task | data source | 
| aws_iam_policy_document.service_policy | data source | 
| aws_iam_policy_document.task_policy | data source | 
| aws_region.region | data source | 
Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| ecs_cluster_arn | ARN of the ECS cluster in which the service will be deployed | string | n/a | yes |
| ecs_deployment_maximum_percent | Upper limit, as a percentage of desired count, on tasks that can be running during a deployment | string | "200" | no |
| ecs_deployment_minimum_healthy_percent | Lower limit, as a percentage of desired count, on tasks that must remain healthy during a deployment | string | "100" | no |
| ecs_desired_count | Desired number of running tasks | number | 1 | no |
| ecs_health_check_grace_period | Seconds to ignore failing load balancer health checks on newly started tasks so they are not shut down before the gateway has registered, up to 1800 | string | "0" | no |
| ecs_log_retention | Number of days of ECS task logs to retain | number | 365 | no |
| extra_task_policy_arns | List of ARNs of IAM managed policies to attach to the ECS task role in addition to the default policy. IAM allows at most 10 managed policies per role and the default policy uses one, so at most 9 ARNs | list(any) | [] | no |
| gateway_listen_port | Port on which the SDM gateway listens | number | 5000 | no |
| log_group_name | Name of the CloudWatch Log Group that receives the gateway task logs (must be unique; by default derived from service_identifier and task_identifier) | string | "" | no |
| private_subnet_ids | List of private subnet IDs in which to place the ECS tasks | list(string) | n/a | yes |
| public_subnet_ids | List of public subnet IDs in which to place the load balancer | list(string) | n/a | yes |
| region | AWS region in which the ECS cluster is located | string | "us-east-1" | no |
| sdm_relay_token_parameter_arn | ARN of an SSM parameter holding an SDM relay token | string | n/a | yes |
| security_group_ids | Additional security groups for the SDM gateway (e.g. to reach data sources) | list(string) | [] | no |
| service_identifier | Unique identifier for this service (used in log prefix, service name, etc.) | string | "sdm" | no |
| task_identifier | Unique identifier for this task (used in log prefix, service name, etc.) | string | "gateway" | no |
| vpc_id | ID of the VPC in which the ECS cluster is located | string | n/a | yes |
Outputs

No outputs.
Based on https://github.com/asicsdigital/terraform-aws-strongdm
1.0.0 - Initial release.
This software is released under the MIT License (see LICENSE).