terraform-aws-ecs-app

This terraform module is an AWS ECS Application Module for Scheduler without an Application Load Balancer(ALB), designed to be used with DNXLabs/terraform-aws-ecs (https://github.com/DNXLabs/terraform-aws-ecs).

The following resources will be created:

• Cloudwatch Metrics alarm - Provides a CloudWatch Metric Alarm resource.

  • Service has less than minimum healthy tasks} healthy tasks

• IAM roles - The cloudwatch event needs an IAM Role to run the ECS task definition. A role is created and a policy will be granted via IAM policy.

• IAM policy - Policy to be attached to the IAM Role. This policy will have a trust with the cloudwatch event service. And it will use the managed policy AmazonEC2ContainerServiceEventsRole created by AWS.

• Simple Notification Service (SNS) topics - Alarm topics to create and alert on ECS service metrics. Leaving empty disables all alarms.

• Auto Scaling

  • You can specify the max number of containers to scale with autoscaling. The default is 4
  • You can specify the nin number of containers to scale with autoscaling. The default is 1

• Cloudwatch Log Groups

  • You can specify the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653.
  • Export to a S3 Bucket - Whether to mark the log group to export to an S3 bucket (needs the module terraform-aws-log-exporter (https://github.com/DNXLabs/terraform-aws-log-exporter) to be deployed in the account/region)

• ECS task definition - A task definition is required to run Docker containers in Amazon ECS. Some of the parameters you can specify in a task definition include:

  • Image - Docker image to deploy
  • CPU - Hard limit of the CPU for the container
    • Default Value = 0
  • Memory - Hard memory of the container
    • Default Value = 512
  • Name - Name of the ECS Service
  • Set log configuration

• ECS Task-scheduler activated by cloudwatch events

In addition you have the option to create or not :

• Application Load Balancer (ALB)
  • alb - An external ALB
  • alb_internal - A second internal ALB for private APIs
  • alb_only - Deploy only an Application Load Balancer and no cloudFront or not with the cluster
• Autoscaling
  • Enables or not autoscaling based on average CPU tracking
  • Target average CPU percentage to track for autoscaling
• Codedeploy
  • Time in minutes to route the traffic to the new application deployment
  • Time in minutes to terminate the new deployment

Requirements

Name	Version
terraform	>= 0.13
aws	>= 4.0.0

Providers

Name	Version
aws	>= 4.0.0
random	n/a

Inputs

Name	Description	Type	Default	Required
alarm_ecs_running_tasks_threshold	Alarm when the number of ecs service running tasks is lower than a certain value. CloudWatch Container Insights must be enabled for the cluster.	number	0	no
alarm_evaluation_periods	The number of minutes the alarm must be below the threshold before entering the alarm state.	string	"2"	no
alarm_high_cpu_usage_above	Alarm when CPU is above a certain value (use 0 to disable this alarm)	number	80	no
alarm_min_healthy_tasks	Alarm when the number of healthy tasks is less than this number (use 0 to disable this alarm)	number	2	no
alarm_prefix	String prefix for cloudwatch alarms. (Optional)	string	"alarm"	no
alarm_sns_topics	Alarm topics to create and alert on ECS service metrics. Leaving empty disables all alarms.	list	[]	no
alb_dns_name	ALB DNS Name	string	""	no
alb_listener_https_arn	ALB HTTPS Listener created by ECS cluster module	any	n/a	yes
alb_name	ALB name - Required if it is an internal one	string	""	no
alb_only	Whether to deploy only an alb and no cloudFront or not with the cluster	bool	false	no
alb_priority	priority rules ALB (leave 0 to let terraform calculate)	number	0	no
auth_oidc_authorization_endpoint	Authorization endpoint for OIDC (Google: https://accounts.google.com/o/oauth2/v2/auth)	string	""	no
auth_oidc_client_id	Client ID for OIDC authentication	string	""	no
auth_oidc_client_secret	Client Secret for OIDC authentication	string	""	no
auth_oidc_enabled	Enables OIDC-authenticated listener rule	bool	false	no
auth_oidc_hostnames	List of hostnames to use as a condition to authenticate with OIDC	list(string)	[]	no
auth_oidc_issuer	Issuer URL for OIDC authentication (Google: https://accounts.google.com)	string	""	no
auth_oidc_paths	List of paths to use as a condition to authenticate (example: ['/admin*'])	list(string)	[]	no
auth_oidc_session_timeout	Session timeout for OIDC authentication (default 12 hours)	number	43200	no
auth_oidc_token_endpoint	Token Endpoint URL for OIDC authentication (Google: https://oauth2.googleapis.com/token)	string	""	no
auth_oidc_user_info_endpoint	User Info Endpoint URL for OIDC authentication (Google: https://openidconnect.googleapis.com/v1/userinfo)	string	""	no
autoscaling_cpu	Enables autoscaling based on average CPU tracking	bool	false	no
autoscaling_custom	Set one or more app autoscaling by customized metric	list(object({ name = string scale_in_cooldown = number scale_out_cooldown = number target_value = number metric_name = string namespace = string statistic = string }))	[]	no
autoscaling_max	Max number of containers to scale with autoscaling	number	4	no
autoscaling_memory	Enables autoscaling based on average Memory tracking	bool	false	no
autoscaling_min	Min number of containers to scale with autoscaling	number	1	no
autoscaling_scale_in_cooldown	Cooldown in seconds to wait between scale in events	number	300	no
autoscaling_scale_out_cooldown	Cooldown in seconds to wait between scale out events	number	300	no
autoscaling_target_cpu	Target average CPU percentage to track for autoscaling	number	50	no
autoscaling_target_memory	Target average Memory percentage to track for autoscaling	number	90	no
cloudwatch_logs_export	Whether to mark the log group to export to an S3 bucket (needs terraform-aws-log-exporter to be deployed in the account/region)	bool	false	no
cloudwatch_logs_retention	Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653.	number	120	no
cluster_name	n/a	string	"Name of existing ECS Cluster to deploy this app to"	no
codedeploy_deployment_config_name	Specifies the deployment configuration for CodeDeploy	string	"CodeDeployDefault.ECSAllAtOnce"	no
codedeploy_role_arn	Existing IAM CodeDeploy role ARN created by ECS cluster module	any	null	no
codedeploy_wait_time_for_cutover	Time in minutes to route the traffic to the new application deployment	number	0	no
codedeploy_wait_time_for_termination	Time in minutes to terminate the new deployment	number	0	no
compat_keep_target_group_naming	Keeps old naming convention for target groups to avoid recreation of resource in production environments	bool	false	no
container_port	Port your container listens (used in the placeholder task definition)	number	8080	no
cpu	Hard limit for CPU for the container	number	0	no
create_iam_codedeployrole	Create Codedeploy IAM Role for ECS or not.	bool	true	no
deployment_controller	Type of deployment controller. Valid values: CODE_DEPLOY, ECS, EXTERNAL.	string	"CODE_DEPLOY"	no
dynamic_stickiness	Target Group stickiness. Used in dynamic block.	any	[]	no
ecs_service_capacity_provider_strategy	(Optional) The capacity provider strategy to use for the service. Can be one or more. These can be updated without destroying and recreating the service only if set to [] and not changing from 0 capacity_provider_strategy blocks to greater than 0, or vice versa.	list	[ {} ]	no
efs_mapping	A map of efs volume ids and paths to mount into the default task definition	map(string)	{}	no
enable_schedule	Enables schedule to shut down and start up instances outside business hours.	bool	false	no
fargate_spot	Set true to use FARGATE_SPOT capacity provider by default (only when launch_type=FARGATE)	bool	false	no
healthcheck_interval	n/a	string	"10"	no
healthcheck_matcher	The HTTP codes to use when checking for a successful response from a target	number	200	no
healthcheck_path	n/a	string	"/"	no
healthcheck_timeout	The amount of time, in seconds, during which no response	number	5	no
healthy_threshold	The number of consecutive health checks successes required before considering an unhealthy target healthy	number	3	no
hosted_zone	Hosted Zone to create DNS record for this app	string	""	no
hosted_zone_id	Hosted Zone ID to create DNS record for this app (use this to avoid data lookup when using hosted_zone)	string	""	no
hosted_zone_is_internal	Set true in case the hosted zone is in an internal VPC, otherwise false	string	"false"	no
hostname_create	Optional parameter to create or not a Route53 record	string	"false"	no
hostname_redirects	List of hostnames to redirect to the main one, comma-separated	string	""	no
hostnames	List of hostnames to create listerner rule and optionally, DNS records for this app	list	[]	no
http_header	Header to use on listerner rule with name e values	list(any)	[]	no
iam_codedeployrolename	Custom name for IAM Code Deploy role, if create_iam_codedeployrole is true	string	null	no
image	Docker image to deploy (can be a placeholder)	string	""	no
launch_type	The launch type on which to run your service. The valid values are EC2 and FARGATE. Defaults to EC2.	string	"EC2"	no
log_subscription_filter_destination_arn	n/a	string	""	no
log_subscription_filter_enabled	n/a	string	false	no
log_subscription_filter_filter_pattern	n/a	string	""	no
log_subscription_filter_role_arn	n/a	string	""	no
memory	Hard memory of the container	number	512	no
name	Name of your ECS service	any	n/a	yes
network_mode	The Docker networking mode to use for the containers in the task. The valid values are none, bridge, awsvpc, and host. (REQUIRED IF 'LAUCH_TYPE' IS FARGATE)	any	null	no
ordered_placement_strategy	Service level strategy rules that are taken into consideration during task placement. List from top to bottom in order of precedence. The maximum number of ordered_placement_strategy blocks is 5.	list(object({ field = string type = string }))	[]	no
paths	List of paths to use on listener rule (example: ['/*'])	list(string)	[]	no
placement_constraints	Rules that are taken into consideration during task placement. Maximum number of placement_constraints is 10.	list(object({ type = string expression = string }))	[]	no
platform_version	The platform version on which to run your service. Only applicable for launch_type set to FARGATE. Defaults to LATEST.	string	"LATEST"	no
port	Port for target group to listen	number	80	no
protocol	Protocol to use (HTTP or HTTPS)	string	"HTTP"	no
redirects	Map of path redirects to add to the listener	map	{}	no
schedule_cron_start	Cron expression to define when to trigger a start of the auto-scaling group. E.g. 'cron(00 21 ? * SUN-THU *)' to start at 8am UTC time.	string	""	no
schedule_cron_stop	Cron expression to define when to trigger a stop of the auto-scaling group. E.g. 'cron(00 09 ? * MON-FRI *)' to start at 8am UTC time	string	""	no
security_groups	The security groups associated with the task or service	any	null	no
service_deployment_maximum_percent	Maximum percentage of tasks to run during deployments	number	200	no
service_deployment_minimum_healthy_percent	Minimum healthy percentage during deployments	number	100	no
service_desired_count	Desired count for this service (for use when auto scaling is disabled)	number	1	no
service_health_check_grace_period_seconds	Time until your container starts serving requests	number	0	no
service_role_arn	Existing service role ARN created by ECS cluster module	any	n/a	yes
source_ips	List of source ip to use on listerner rule	list	[]	no
ssm_variables	Map of variables and SSM locations to add to the task definition	map(string)	{}	no
env_variables	Map of variables and static values to add to the task definition	map(string)	{}	no
subnets	The subnets associated with the task or service. (REQUIRED IF 'LAUCH_TYPE' IS FARGATE)	any	null	no
task_definition_arn	Task definition to use for this service (optional)	string	""	no
task_role_arn	Existing task role ARN created by ECS cluster module	any	n/a	yes
test_traffic_route_listener_arn	ALB HTTPS Listener for Test Traffic created by ECS cluster module	any	n/a	yes
ulimits	Container ulimit settings. This is a list of maps, where each map should contain "name", "hardLimit" and "softLimit"	list(object({ name = string hardLimit = number softLimit = number }))	null	no
unhealthy_threshold	The number of consecutive health check failures required before considering the target unhealthy	number	3	no
vpc_id	VPC ID to deploy this app to	any	n/a	yes

Outputs

Name	Description
aws_cloudwatch_log_group_arn	n/a

Authors

Module managed by DNX Solutions.

License

Apache 2 Licensed. See LICENSE for full details.