Skip to content
HCL Go Makefile
Branch: master
Clone or download
dynamike Merge pull request #38 from trussworks/dependabot-go_modules-github.c…
…om-gruntwork-io-terratest-0.23.4

Bump github.com/gruntwork-io/terratest from 0.23.3 to 0.23.4
Latest commit 4d2b4ec Jan 27, 2020

README.md

Creates an ECS service.

Creates the following resources:

  • CloudWatch log group.
  • Security Groups for the ECS service.
  • ECS service.
  • Task definition using golang:alpine (see below).
  • Configurable associations with Network Load Balancers (NLB) and Application Load Balancers (ALB).

We create an initial task definition using the golang:alpine image as a way to validate the initial infrastructure is working: visiting the site shows a simple Go hello world page. We expect deployments to manage the container definitions going forward, not Terraform.

Terraform Versions

Terraform 0.12. Pin module version to ~> 2.0.1. Submit pull-requests to master branch.

Terraform 0.11. Pin module version to ~> 1.14.0. Submit pull-requests to terraform011 branch.

Usage

ECS service associated with an Application Load Balancer (ALB)

module "app_ecs_service" {
  source = "trussworks/ecs-service/aws"

  name        = "app"
  environment = "prod"

  ecs_cluster                   = aws_ecs_cluster.mycluster
  ecs_vpc_id                    = module.vpc.vpc_id
  ecs_subnet_ids                = module.vpc.private_subnets
  kms_key_id                    = aws_kms_key.main.arn
  tasks_desired_count           = 2
  tasks_minimum_healthy_percent = 50
  tasks_maximum_percent         = 200

  associate_alb      = true
  alb_security_group = module.security_group.id
  lb_target_group    = module.target_group.id
}

ECS Service associated with a Network Load Balancer(NLB)

module "app_ecs_service" {
  source = "trussworks/ecs-service/aws"

  name        = "app"
  environment = "prod"

  ecs_cluster                   = aws_ecs_cluster.mycluster
  ecs_vpc_id                    = module.vpc.vpc_id
  ecs_subnet_ids                = module.vpc.private_subnets
  kms_key_id                    = aws_kms_key.main.arn
  tasks_desired_count           = 2
  tasks_minimum_healthy_percent = 50
  tasks_maximum_percent         = 200

  associate_nlb          = true
  nlb_subnet_cidr_blocks = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
  lb_target_group   = module.target_group.id
}

Providers

Name Version
aws n/a

Inputs

Name Description Type Default Required
alb_security_group Application Load Balancer (ALB) security group ID to allow traffic from. string "" no
assign_public_ip Whether this instance should be accessible from the public internet. Default is false. bool false no
associate_alb Whether to associate an Application Load Balancer (ALB) with the ECS service. bool false no
associate_nlb Whether to associate a Network Load Balancer (NLB) with the ECS service. bool false no
cloudwatch_alarm_actions The list of actions to take for cloudwatch alarms list(string) [] no
cloudwatch_alarm_cpu_enable Enable the CPU Utilization CloudWatch metric alarm bool true no
cloudwatch_alarm_cpu_threshold The CPU Utilization threshold for the CloudWatch metric alarm string 80 no
cloudwatch_alarm_mem_enable Enable the Memory Utilization CloudWatch metric alarm bool true no
cloudwatch_alarm_mem_threshold The Memory Utilization threshold for the CloudWatch metric alarm string 80 no
cloudwatch_alarm_name Generic name used for CPU and Memory Cloudwatch Alarms string "" no
container_definitions Container definitions provided as valid JSON document. Default uses golang:alpine running a simple hello world. string "" no
container_health_check_port An additional port on which the container can receive a health check. Zero means the container port can only receive a health check on the port set by the container_port variable. string 0 no
container_image The image of the container. string "golang:alpine" no
container_port The port on which the container will receive traffic. string 80 no
ecr_repo_arns The ARNs of the ECR repos. By default, allows all repositories. list(string)
[
"*"
]
no
ecs_cluster ECS cluster object for this task.
object({
arn = string
name = string
})
n/a yes
ecs_instance_role The name of the ECS instance role. string "" no
ecs_subnet_ids Subnet IDs for the ECS tasks. list(string) n/a yes
ecs_use_fargate Whether to use Fargate for the task definition. bool false no
ecs_vpc_id VPC ID to be used by ECS. string n/a yes
environment Environment tag, e.g prod. string n/a yes
fargate_task_cpu Number of cpu units used in initial task definition. Default is minimum. string 256 no
fargate_task_memory Amount (in MiB) of memory used in initial task definition. Default is minimum. string 512 no
kms_key_id KMS customer managed key (CMK) ARN for encrypting application logs. string n/a yes
lb_target_group Either Application Load Balancer (ALB) or Network Load Balancer (NLB) target group ARN tasks will register with. string "" no
logs_cloudwatch_group CloudWatch log group to create and use. Default: /ecs/{name}-{environment} string "" no
logs_cloudwatch_retention Number of days you want to retain log events in the log group. string 90 no
name The service name. string n/a yes
nlb_subnet_cidr_blocks List of Network Load Balancer (NLB) CIDR blocks to allow traffic from. list(string) [] no
target_container_name Name of the container the Load Balancer should target. Default: {name}-{environment} string "" no
tasks_desired_count The number of instances of a task definition. string 1 no
tasks_maximum_percent Upper limit on the number of running tasks. string "200" no
tasks_minimum_healthy_percent Lower limit on the number of running tasks. string "100" no

Outputs

Name Description
awslogs_group Name of the CloudWatch Logs log group containers should use.
awslogs_group_arn ARN of the CloudWatch Logs log group containers should use.
ecs_security_group_id Security Group ID assigned to the ECS tasks.
task_definition_arn Full ARN of the Task Definition (including both family and revision).
task_definition_family The family of the Task Definition.
task_execution_role_arn The ARN of the task execution role that the Amazon ECS container agent and the Docker daemon can assume.
task_execution_role_name The name of the task execution role that the Amazon ECS container agent and the Docker daemon can assume.
task_role_arn The ARN of the IAM role assumed by Amazon ECS container tasks.
task_role_name The name of the IAM role assumed by Amazon ECS container tasks.

Upgrade Path

2.0.0 to 2.1.0

In 2.1.0 KMS log encryption is required by default. This requires that you create and attach a new AWS KMS key ARN. As an example here is how to set that up (please review on your own):

data "aws_iam_policy_document" "cloudwatch_logs_allow_kms" {
  statement {
    sid    = "Enable IAM User Permissions"
    effect = "Allow"

    principals {
      type = "AWS"
      identifiers = [
        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
      ]
    }

    actions = [
      "kms:*",
    ]
    resources = ["*"]
  }

  statement {
    sid    = "Allow logs KMS access"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["logs.us-west-2.amazonaws.com"]
    }

    actions = [
      "kms:Encrypt*",
      "kms:Decrypt*",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:Describe*"
    ]
    resources = ["*"]
  }
}

resource "aws_kms_key" "main" {
  description         = "Key for ECS log encryption"
  enable_key_rotation = true

  policy = data.aws_iam_policy_document.cloudwatch_logs_allow_kms.json
}

NOTE: Best practice is to use a separate KMS key per ECS Service. Do not re-use KMS keys if it can be avoided.

1.15.0 to 2.0.0

v2.0.0 of this module is built against Terraform v0.12. In addition to requiring this upgrade, the v1.15.0 version of the module took the name of the ECS cluster as a parameter; v2.0.0 takes the actual object of the ECS cluster as a parameter instead. You will need to update previous instances of this module with the altered parameter.

Developer Setup

Install dependencies (macOS)

brew install pre-commit go terraform terraform-docs

Testing

Terratest is being used for automated testing with this module. Tests in the test folder can be run locally by running the following command:

make test

Or with aws-vault:

AWS_VAULT_KEYCHAIN_NAME=<NAME> aws-vault exec <PROFILE> -- make test
You can’t perform that action at this time.