Component: ecs-service
This component is responsible for creating an ECS service.
Usage
Stack Level: Regional
Here's an example snippet for how to use this component.
# stacks/catalog/ecs-service/defaults.yaml
components:
terraform:
ecs-service/defaults:
metadata:
component: ecs-service
type: abstract
settings:
spacelift:
workspace_enabled: true
vars:
enabled: true
public_lb_enabled: false
ecr_stage_name: mgmt-automation
task:
launch_type: FARGATE
network_mode: awsvpc
desired_count: 1
ignore_changes_desired_count: true
ignore_changes_task_definition: false
assign_public_ip: false
propagate_tags: SERVICE
wait_for_steady_state: true
circuit_breaker_deployment_enabled: true
circuit_breaker_rollback_enabled: true
This will launch a kong service using an ecr image from mgmt-automation account.
NOTE: Usage of ecr_image instead of image.
import:
- catalog/ecs-service/defaults
components:
terraform:
ecs/b2b/kong/service:
metadata:
component: ecs-service
inherits:
- ecs-service/defaults
vars:
name: kong
public_lb_enabled: true
cluster_attributes: [b2b]
containers:
service:
name: "kong-gateway"
ecr_image: kong:latest
map_environment:
KONG_DECLARATIVE_CONFIG: /home/kong/production.yml
port_mappings:
- containerPort: 8000
hostPort: 8000
protocol: tcp
task:
desired_count: 1
task_memory: 512
task_cpu: 256
This will launch a httpd service using an external image from dockerhub
NOTE: Usage of image instead of ecr_image.
# stacks/catalog/ecs-service/httpd.yaml
import:
- catalog/ecs-service/defaults
components:
terraform:
ecs/platform/httpd/service:
metadata:
component: ecs-service
inherits:
- ecs-service/defaults
vars:
enabled: true
name: httpd
public_lb_enabled: true
cluster_attributes: [platform]
containers:
service:
name: "Hello"
image: httpd:2.4
port_mappings:
- containerPort: 80
hostPort: 80
protocol: tcp
command:
- '/bin/sh -c "echo ''<html> <head> <title>Amazon ECS Sample App</title> <style>body {margin-top: 40px; background-color: #333;} </style> </head><body> <div style=color:white;text-align:center> <h1>Amazon ECS Sample App</h1> <h2>Congratulations!</h2> <p>Your application is now running on a container in Amazon ECS.</p> </div></body></html>'' > /usr/local/apache2/htdocs/index.html && httpd-foreground"'
entrypoint: ["sh", "-c"]
task:
desired_count: 1
task_memory: 512
task_cpu: 256
This will launch google's echoserver using an external image from gcr
NOTE: Usage of image instead of ecr_image.
# stacks/catalog/ecs-service/echoserver.yaml
import:
- catalog/ecs-service/defaults
components:
terraform:
ecs/platform/echoserver/service:
metadata:
component: ecs-service
inherits:
- ecs-service/defaults
vars:
enabled: true
name: echoserver
public_lb_enabled: true
cluster_attributes: [platform]
containers:
service:
name: "echoserver"
image: gcr.io/google_containers/echoserver:1.10
port_mappings:
- containerPort: 8080
hostPort: 8080
protocol: tcp
task:
desired_count: 1
task_memory: 512
task_cpu: 256
Requirements
| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| aws | >= 4.66.1 |
| jq | >=0.2.0 |
| template | >= 2.2 |
Providers
| Name | Version |
|---|---|
| aws | >= 4.66.1 |
| jq | >=0.2.0 |
| template | >= 2.2 |
Modules
| Name | Source | Version |
|---|---|---|
| alb | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
| alb_ingress | cloudposse/alb-ingress/aws | 0.28.0 |
| container_definition | cloudposse/ecs-container-definition/aws | 0.60.0 |
| datadog_configuration | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
| datadog_container_definition | cloudposse/ecs-container-definition/aws | 0.58.1 |
| datadog_fluent_bit_container_definition | cloudposse/ecs-container-definition/aws | 0.58.1 |
| datadog_sidecar_logs | cloudposse/cloudwatch-logs/aws | 0.6.6 |
| ecs_alb_service_task | cloudposse/ecs-alb-service-task/aws | 0.71.0 |
| ecs_cloudwatch_autoscaling | cloudposse/ecs-cloudwatch-autoscaling/aws | 0.7.3 |
| ecs_cloudwatch_sns_alarms | cloudposse/ecs-cloudwatch-sns-alarms/aws | 0.12.3 |
| ecs_cluster | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
| gha_assume_role | ../account-map/modules/team-assume-role-policy | n/a |
| gha_role_name | cloudposse/label/null | 0.25.0 |
| iam_role | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
| iam_roles | ../account-map/modules/iam-roles | n/a |
| logs | cloudposse/cloudwatch-logs/aws | 0.6.8 |
| nlb | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
| rds | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
| roles_to_principals | ../account-map/modules/roles-to-principals | n/a |
| s3 | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
| security_group | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
| service_domain | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
| this | cloudposse/label/null | 0.25.0 |
| vanity_alias | cloudposse/route53-alias/aws | 0.13.0 |
| vpc | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
Resources
| Name | Type |
|---|---|
| aws_iam_policy.default | resource |
| aws_iam_role.github_actions | resource |
| aws_kinesis_stream.default | resource |
| aws_ssm_parameter.full_urls | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.github_actions_iam_ecspresso_policy | data source |
| aws_iam_policy_document.github_actions_iam_platform_policy | data source |
| aws_iam_policy_document.github_actions_iam_policy | data source |
| aws_iam_policy_document.this | data source |
| aws_kms_alias.selected | data source |
| aws_route53_zone.selected | data source |
| aws_route53_zone.selected_vanity | data source |
| aws_s3_object.task_definition | data source |
| aws_s3_objects.mirror | data source |
| aws_ssm_parameters_by_path.default | data source |
| jq_query.service_domain_query | data source |
| template_file.envs | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_tag_map | Additional key-value pairs to add to each map in tags_as_list_of_maps. Not added to tags or id.This is for some rare cases where resources want additional configuration of tags and therefore take a list of maps with tag key, value, and additional configuration. | map(string) | {} | no |
| alb_configuration | The configuration to use for the ALB, specifying which cluster alb configuration to use | string | "default" | no |
| alb_name | The name of the ALB this service should attach to | string | null | no |
| attributes | ID element. Additional attributes (e.g. workers or cluster) to add to id,in the order they appear in the list. New attributes are appended to the end of the list. The elements of the list are joined by the delimiterand treated as a single ID element. | list(string) | [] | no |
| autoscaling_dimension | The dimension to use to decide to autoscale | string | "cpu" | no |
| autoscaling_enabled | Should this service autoscale using SNS alarams | bool | true | no |
| chamber_service | SSM parameter service name for use with chamber. This is used in chamber_format where /$chamber_service/$name/$container_name/$parameter would be the default. | string | "ecs-service" | no |
| cluster_attributes | The attributes of the cluster name e.g. if the full name is namespace-tenant-environment-dev-ecs-b2b then the cluster_name is ecs and this value should be b2b. | list(string) | [] | no |
| containers | Feed inputs into container definition module | | {} | no |
| context | Single object for setting entire context at once. See description of individual variables for details. Leave string and numeric variables as null to use default value.Individual variable settings (non-null) override settings in context object, except for attributes, tags, and additional_tag_map, which are merged. | any | | no |
| cpu_utilization_high_alarm_actions | A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization High Alarm action | list(string) | [] | no |
| cpu_utilization_high_evaluation_periods | Number of periods to evaluate for the alarm | number | 1 | no |
| cpu_utilization_high_ok_actions | A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization High OK action | list(string) | [] | no |
| cpu_utilization_high_period | Duration in seconds to evaluate for the alarm | number | 300 | no |
| cpu_utilization_high_threshold | The maximum percentage of CPU utilization average | number | 80 | no |
| cpu_utilization_low_alarm_actions | A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization Low Alarm action | list(string) | [] | no |
| cpu_utilization_low_evaluation_periods | Number of periods to evaluate for the alarm | number | 1 | no |
| cpu_utilization_low_ok_actions | A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization Low OK action | list(string) | [] | no |
| cpu_utilization_low_period | Duration in seconds to evaluate for the alarm | number | 300 | no |
| cpu_utilization_low_threshold | The minimum percentage of CPU utilization average | number | 20 | no |
| datadog_agent_sidecar_enabled | Enable the Datadog Agent Sidecar | bool | false | no |
| datadog_log_method_is_firelens | Datadog logs can be sent via cloudwatch logs (and lambda) or firelens, set this to true to enable firelens via a sidecar container for fluentbit | bool | false | no |
| datadog_logging_default_tags_enabled | Add Default tags to all logs sent to Datadog | bool | true | no |
| datadog_logging_tags | Tags to add to all logs sent to Datadog | map(string) | null | no |
| datadog_sidecar_containers_logs_enabled | Enable the Datadog Agent Sidecar to send logs to aws cloudwatch group, requires datadog_agent_sidecar_enabled to be true | bool | true | no |
| delimiter | Delimiter to be used between ID elements. Defaults to - (hyphen). Set to "" to use no delimiter at all. | string | null | no |
| descriptor_formats | Describe additional descriptors to be output in the descriptors output map.Map of maps. Keys are names of descriptors. Values are maps of the form {<br/> format = string<br/> labels = list(string)<br/>}(Type is any so the map values can later be enhanced to provide additional options.)format is a Terraform format string to be passed to the format() function.labels is a list of labels, in order, to pass to format() function.Label values will be normalized before being passed to format() so they will beidentical to how they appear in id.Default is {} (descriptors output will be empty). | any | {} | no |
| ecr_region | The region to use for the fully qualified ECR image URL. Defaults to the current region. | string | "" | no |
| ecr_stage_name | The ecr stage (account) name to use for the fully qualified ECR image URL. | string | "auto" | no |
| ecs_cluster_name | The name of the ECS Cluster this belongs to | any | "ecs" | no |
| enabled | Set to false to prevent the module from creating any resources | bool | null | no |
| environment | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | string | null | no |
| github_actions_allowed_repos | A list of the GitHub repositories that are allowed to assume this role from GitHub Actions. For example, ["cloudposse/infra-live"]. Can contain "*" as wildcard. If org part of repo name is omitted, "cloudposse" will be assumed. | list(string) | [] | no |
| github_actions_ecspresso_enabled | Create IAM policies required for deployments with Ecspresso | bool | false | no |
| github_actions_iam_role_attributes | Additional attributes to add to the role name | list(string) | [] | no |
| github_actions_iam_role_enabled | Flag to toggle creation of an IAM Role that GitHub Actions can assume to access AWS resources | bool | false | no |
| github_oidc_trusted_role_arns | A list of IAM Role ARNs allowed to assume this cluster's GitHub OIDC role | list(string) | [] | no |
| health_check_healthy_threshold | The number of consecutive health checks successes required before healthy | number | 2 | no |
| health_check_interval | The duration in seconds in between health checks | number | 15 | no |
| health_check_matcher | The HTTP response codes to indicate a healthy check | string | "200-404" | no |
| health_check_path | The destination for the health check request | string | "/health" | no |
| health_check_port | The port to use to connect with the target. Valid values are either ports 1-65536, or traffic-port. Defaults to traffic-port | string | "traffic-port" | no |
| health_check_timeout | The amount of time to wait in seconds before failing a health check request | number | 10 | no |
| health_check_unhealthy_threshold | The number of consecutive health check failures required before unhealthy | number | 2 | no |
| http_protocol | Which http protocol to use in outputs and SSM url params. This value is ignored if a load balancer is not used. If it is null, the redirect value from the ALB determines the protocol. | string | null | no |
| iam_policy_enabled | If set to true will create IAM policy in AWS | bool | false | no |
| iam_policy_statements | Map of IAM policy statements to use in the policy. This can be used with or instead of the var.iam_source_json_url. | any | {} | no |
| id_length_limit | Limit id to this many characters (minimum 6).Set to 0 for unlimited length.Set to null for keep the existing setting, which defaults to 0.Does not affect id_full. | number | null | no |
| kinesis_enabled | Enable Kinesis | bool | false | no |
| kms_alias_name_ssm | KMS alias name for SSM | string | "alias/aws/ssm" | no |
| kms_key_alias | ID of KMS key | string | "default" | no |
| label_key_case | Controls the letter case of the tags keys (label names) for tags generated by this module.Does not affect keys of tags passed in via the tags input.Possible values: lower, title, upper.Default value: title. | string | null | no |
| label_order | The order in which the labels (ID elements) appear in the id.Defaults to ["namespace", "environment", "stage", "name", "attributes"]. You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | list(string) | null | no |
| label_value_case | Controls the letter case of ID elements (labels) as included in id,set as tag values, and output by this module individually. Does not affect values of tags passed in via the tags input.Possible values: lower, title, upper and none (no transformation).Set this to title and set delimiter to "" to yield Pascal Case IDs.Default value: lower. | string | null | no |
| labels_as_tags | Set of labels (ID elements) to include as tags in the tags output.Default is to include all labels. Tags with empty values will not be included in the tags output.Set to [] to suppress all generated tags.Notes: The value of the name tag, if included, will be the id, not the name.Unlike other null-label inputs, the initial setting of labels_as_tags cannot bechanged in later chained modules. Attempts to change it will be silently ignored. | set(string) | | no |
| lb_catch_all | Should this service act as catch all for all subdomain hosts of the vanity domain | bool | false | no |
| logs | Feed inputs into cloudwatch logs module | any | {} | no |
| memory_utilization_high_alarm_actions | A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization High Alarm action | list(string) | [] | no |
| memory_utilization_high_evaluation_periods | Number of periods to evaluate for the alarm | number | 1 | no |
| memory_utilization_high_ok_actions | A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization High OK action | list(string) | [] | no |
| memory_utilization_high_period | Duration in seconds to evaluate for the alarm | number | 300 | no |
| memory_utilization_high_threshold | The maximum percentage of Memory utilization average | number | 80 | no |
| memory_utilization_low_alarm_actions | A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization Low Alarm action | list(string) | [] | no |
| memory_utilization_low_evaluation_periods | Number of periods to evaluate for the alarm | number | 1 | no |
| memory_utilization_low_ok_actions | A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization Low OK action | list(string) | [] | no |
| memory_utilization_low_period | Duration in seconds to evaluate for the alarm | number | 300 | no |
| memory_utilization_low_threshold | The minimum percentage of Memory utilization average | number | 20 | no |
| name | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'. This is the only ID element not also included as a tag.The "name" tag is set to the full id string. There is no tag with the value of the name input. | string | null | no |
| namespace | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | string | null | no |
| nlb_name | The name of the NLB this service should attach to | string | null | no |
| rds_name | The name of the RDS database this service should allow access to | any | null | no |
| regex_replace_chars | Terraform regular expression (regex) string. Characters matching the regex will be removed from the ID elements. If not set, "/[^a-zA-Z0-9-]/" is used to remove all characters other than hyphens, letters and digits. | string | null | no |
| region | AWS Region | string | n/a | yes |
| retention_period | Length of time data records are accessible after they are added to the stream | number | 48 | no |
| s3_mirror_name | The name of the S3 mirror component | string | null | no |
| shard_count | Number of shards that the stream will use | number | 1 | no |
| shard_level_metrics | List of shard-level CloudWatch metrics which can be enabled for the stream | list(string) | | no |
| ssm_enabled | If true create SSM keys for the database user and password. | bool | false | no |
| ssm_key_format | SSM path format. The values will will be used in the following order: var.ssm_key_prefix, var.name, var.ssm_key_* | string | "/%v/%v/%v" | no |
| ssm_key_prefix | SSM path prefix. Omit the leading forward slash /. | string | "ecs-service" | no |
| stage | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | string | null | no |
| stickiness_cookie_duration | The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds) | number | 86400 | no |
| stickiness_enabled | Boolean to enable / disable stickiness. Default is true | bool | true | no |
| stickiness_type | The type of sticky sessions. The only current possible value is lb_cookie | string | "lb_cookie" | no |
| stream_mode | Stream mode details for the Kinesis stream | string | "PROVISIONED" | no |
| tags | Additional tags (e.g. {'BusinessUnit': 'XYZ'}).Neither the tag keys nor the tag values will be modified by this module. | map(string) | {} | no |
| task | Feed inputs into ecs_alb_service_task module | | {} | no |
| task_enabled | Whether or not to use the ECS task module | bool | true | no |
| task_iam_role_component | A component that outputs an iam_role module as 'role' for adding to the service as a whole. | string | null | no |
| task_policy_arns | The IAM policy ARNs to attach to the ECS task IAM role | list(string) | | no |
| task_security_group_component | A component that outputs security_group_id for adding to the service as a whole. | string | null | no |
| tenant | ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for | string | null | no |
| unauthenticated_paths | Unauthenticated path pattern to match | list(string) | [] | no |
| unauthenticated_priority | The priority for the rules without authentication, between 1 and 50000 (1 being highest priority). Must be different from authenticated_priority since a listener can't have multiple rules with the same priority | string | 0 | no |
| use_lb | Whether use load balancer for the service | bool | false | no |
| use_rds_client_sg | Use the RDS client security group | bool | false | no |
| vanity_alias | The vanity aliases to use for the public LB. | list(string) | [] | no |
| vanity_domain | Whether to use the vanity domain alias for the service | string | null | no |
| zone_component | The component name to look up service domain remote-state on | string | "dns-delegated" | no |
| zone_component_output | A json query to use to get the zone domain from the remote state. See | string | ".default_domain_name" | no |
Outputs
| Name | Description |
|---|---|
| ecs_cluster_arn | Selected ECS cluster ARN |
| environment_map | Environment variables to pass to the container, this is a map of key/value pairs, where the key is containerName,variableName |
| full_domain | Domain to respond to GET requests |
| github_actions_iam_role_arn | ARN of IAM role for GitHub Actions |
| github_actions_iam_role_name | Name of IAM role for GitHub Actions |
| lb_arn | Selected LB ARN |
| lb_listener_https | Selected LB HTTPS Listener |
| lb_sg_id | Selected LB SG ID |
| logs | Output of cloudwatch logs module |
| service_image | The image of the service container |
| ssm_key_prefix | SSM prefix |
| ssm_parameters | SSM parameters for the ECS Service |
| subnet_ids | Selected subnet IDs |
| vpc_id | Selected VPC ID |
| vpc_sg_id | Selected VPC SG ID |
References
- cloudposse/terraform-aws-components - Cloud Posse's upstream component