Skip to main content

Component: ecs-service

This component is responsible for creating an ECS service.


Stack Level: Regional

Here's an example snippet for how to use this component.

# stacks/catalog/ecs-service/defaults.yaml
component: ecs-service
type: abstract
workspace_enabled: true
enabled: true
public_lb_enabled: false
ecr_stage_name: mgmt-automation
launch_type: FARGATE
network_mode: awsvpc
desired_count: 1
ignore_changes_desired_count: true
ignore_changes_task_definition: false
assign_public_ip: false
propagate_tags: SERVICE
wait_for_steady_state: true
circuit_breaker_deployment_enabled: true
circuit_breaker_rollback_enabled: true

This will launch a kong service using an ecr image from mgmt-automation account.

NOTE: Usage of ecr_image instead of image.

- catalog/ecs-service/defaults

component: ecs-service
- ecs-service/defaults
name: kong
public_lb_enabled: true
cluster_attributes: [b2b]
name: "kong-gateway"
ecr_image: kong:latest
KONG_DECLARATIVE_CONFIG: /home/kong/production.yml
- containerPort: 8000
hostPort: 8000
protocol: tcp
desired_count: 1
task_memory: 512
task_cpu: 256

This will launch a httpd service using an external image from dockerhub

NOTE: Usage of image instead of ecr_image.

# stacks/catalog/ecs-service/httpd.yaml
- catalog/ecs-service/defaults

component: ecs-service
- ecs-service/defaults
enabled: true
name: httpd
public_lb_enabled: true
cluster_attributes: [platform]
name: "Hello"
image: httpd:2.4
- containerPort: 80
hostPort: 80
protocol: tcp
- '/bin/sh -c "echo ''<html> <head> <title>Amazon ECS Sample App</title> <style>body {margin-top: 40px; background-color: #333;} </style> </head><body> <div style=color:white;text-align:center> <h1>Amazon ECS Sample App</h1> <h2>Congratulations!</h2> <p>Your application is now running on a container in Amazon ECS.</p> </div></body></html>'' > /usr/local/apache2/htdocs/index.html && httpd-foreground"'
entrypoint: ["sh", "-c"]
desired_count: 1
task_memory: 512
task_cpu: 256

This will launch google's echoserver using an external image from gcr

NOTE: Usage of image instead of ecr_image.

# stacks/catalog/ecs-service/echoserver.yaml
- catalog/ecs-service/defaults

component: ecs-service
- ecs-service/defaults
enabled: true
name: echoserver
public_lb_enabled: true
cluster_attributes: [platform]
name: "echoserver"
- containerPort: 8080
hostPort: 8080
protocol: tcp
desired_count: 1
task_memory: 512
task_cpu: 256


terraform>= 1.0.0
aws>= 4.66.1
template>= 2.2


aws>= 4.66.1
template>= 2.2




aws_caller_identity.currentdata source
aws_iam_policy_document.github_actions_iam_ecspresso_policydata source
aws_iam_policy_document.github_actions_iam_platform_policydata source
aws_iam_policy_document.github_actions_iam_policydata source
aws_iam_policy_document.thisdata source
aws_kms_alias.selecteddata source
aws_route53_zone.selecteddata source
aws_route53_zone.selected_vanitydata source
aws_s3_object.task_definitiondata source
aws_s3_objects.mirrordata source
aws_ssm_parameters_by_path.defaultdata source
jq_query.service_domain_querydata source
template_file.envsdata source


additional_tag_mapAdditional key-value pairs to add to each map in tags_as_list_of_maps. Not added to tags or id.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration.
alb_configurationThe configuration to use for the ALB, specifying which cluster alb configuration to usestring"default"no
alb_nameThe name of the ALB this service should attach tostringnullno
attributesID element. Additional attributes (e.g. workers or cluster) to add to id,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the delimiter
and treated as a single ID element.
autoscaling_dimensionThe dimension to use to decide to autoscalestring"cpu"no
autoscaling_enabledShould this service autoscale using SNS alaramsbooltrueno
chamber_serviceSSM parameter service name for use with chamber. This is used in chamber_format where /$chamber_service/$name/$container_name/$parameter would be the default.string"ecs-service"no
cluster_attributesThe attributes of the cluster name e.g. if the full name is namespace-tenant-environment-dev-ecs-b2b then the cluster_name is ecs and this value should be b2b.list(string)[]no
containersFeed inputs into container definition module
name = string
ecr_image = optional(string)
image = optional(string)
memory = optional(number)
memory_reservation = optional(number)
cpu = optional(number)
essential = optional(bool, true)
readonly_root_filesystem = optional(bool, null)
privileged = optional(bool, null)
container_depends_on = optional(list(object({
containerName = string
condition = string # START, COMPLETE, SUCCESS, HEALTHY
})), null)

port_mappings = optional(list(object({
containerPort = number
hostPort = number
protocol = string
})), [])
command = optional(list(string), null)
entrypoint = optional(list(string), null)
healthcheck = optional(object({
command = list(string)
interval = number
retries = number
startPeriod = number
timeout = number
}), null)
ulimits = optional(list(object({
name = string
softLimit = number
hardLimit = number
})), null)
log_configuration = optional(object({
logDriver = string
options = optional(map(string), {})
docker_labels = optional(map(string), null)
map_environment = optional(map(string), {})
map_secrets = optional(map(string), {})
volumes_from = optional(list(object({
sourceContainer = string
readOnly = bool
})), null)
mount_points = optional(list(object({
sourceVolume = string
containerPath = string
readOnly = bool
})), [])
contextSingle object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as null to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged.
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
cpu_utilization_high_alarm_actionsA list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization High Alarm actionlist(string)[]no
cpu_utilization_high_evaluation_periodsNumber of periods to evaluate for the alarmnumber1no
cpu_utilization_high_ok_actionsA list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization High OK actionlist(string)[]no
cpu_utilization_high_periodDuration in seconds to evaluate for the alarmnumber300no
cpu_utilization_high_thresholdThe maximum percentage of CPU utilization averagenumber80no
cpu_utilization_low_alarm_actionsA list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization Low Alarm actionlist(string)[]no
cpu_utilization_low_evaluation_periodsNumber of periods to evaluate for the alarmnumber1no
cpu_utilization_low_ok_actionsA list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization Low OK actionlist(string)[]no
cpu_utilization_low_periodDuration in seconds to evaluate for the alarmnumber300no
cpu_utilization_low_thresholdThe minimum percentage of CPU utilization averagenumber20no
datadog_agent_sidecar_enabledEnable the Datadog Agent Sidecarboolfalseno
datadog_log_method_is_firelensDatadog logs can be sent via cloudwatch logs (and lambda) or firelens, set this to true to enable firelens via a sidecar container for fluentbitboolfalseno
datadog_logging_default_tags_enabledAdd Default tags to all logs sent to Datadogbooltrueno
datadog_logging_tagsTags to add to all logs sent to Datadogmap(string)nullno
datadog_sidecar_containers_logs_enabledEnable the Datadog Agent Sidecar to send logs to aws cloudwatch group, requires datadog_agent_sidecar_enabled to be truebooltrueno
delimiterDelimiter to be used between ID elements.
Defaults to - (hyphen). Set to "" to use no delimiter at all.
descriptor_formatsDescribe additional descriptors to be output in the descriptors output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
{<br/> format = string<br/> labels = list(string)<br/>}
(Type is any so the map values can later be enhanced to provide additional options.)
format is a Terraform format string to be passed to the format() function.
labels is a list of labels, in order, to pass to format() function.
Label values will be normalized before being passed to format() so they will be
identical to how they appear in id.
Default is {} (descriptors output will be empty).
ecr_regionThe region to use for the fully qualified ECR image URL. Defaults to the current region.string""no
ecr_stage_nameThe ecr stage (account) name to use for the fully qualified ECR image URL.string"auto"no
ecs_cluster_nameThe name of the ECS Cluster this belongs toany"ecs"no
enabledSet to false to prevent the module from creating any resourcesboolnullno
environmentID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'stringnullno
github_actions_allowed_reposA list of the GitHub repositories that are allowed to assume this role from GitHub Actions. For example,
["cloudposse/infra-live"]. Can contain "*" as wildcard.
If org part of repo name is omitted, "cloudposse" will be assumed.
github_actions_ecspresso_enabledCreate IAM policies required for deployments with Ecspressoboolfalseno
github_actions_iam_role_attributesAdditional attributes to add to the role namelist(string)[]no
github_actions_iam_role_enabledFlag to toggle creation of an IAM Role that GitHub Actions can assume to access AWS resourcesboolfalseno
github_oidc_trusted_role_arnsA list of IAM Role ARNs allowed to assume this cluster's GitHub OIDC rolelist(string)[]no
health_check_healthy_thresholdThe number of consecutive health checks successes required before healthynumber2no
health_check_intervalThe duration in seconds in between health checksnumber15no
health_check_matcherThe HTTP response codes to indicate a healthy checkstring"200-404"no
health_check_pathThe destination for the health check requeststring"/health"no
health_check_portThe port to use to connect with the target. Valid values are either ports 1-65536, or traffic-port. Defaults to traffic-portstring"traffic-port"no
health_check_timeoutThe amount of time to wait in seconds before failing a health check requestnumber10no
health_check_unhealthy_thresholdThe number of consecutive health check failures required before unhealthynumber2no
http_protocolWhich http protocol to use in outputs and SSM url params. This value is ignored if a load balancer is not used. If it is null, the redirect value from the ALB determines the protocol.stringnullno
iam_policy_enabledIf set to true will create IAM policy in AWSboolfalseno
iam_policy_statementsMap of IAM policy statements to use in the policy. This can be used with or instead of the var.iam_source_json_url.any{}no
id_length_limitLimit id to this many characters (minimum 6).
Set to 0 for unlimited length.
Set to null for keep the existing setting, which defaults to 0.
Does not affect id_full.
kinesis_enabledEnable Kinesisboolfalseno
kms_alias_name_ssmKMS alias name for SSMstring"alias/aws/ssm"no
kms_key_aliasID of KMS keystring"default"no
label_key_caseControls the letter case of the tags keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the tags input.
Possible values: lower, title, upper.
Default value: title.
label_orderThe order in which the labels (ID elements) appear in the id.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
label_value_caseControls the letter case of ID elements (labels) as included in id,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the tags input.
Possible values: lower, title, upper and none (no transformation).
Set this to title and set delimiter to "" to yield Pascal Case IDs.
Default value: lower.
labels_as_tagsSet of labels (ID elements) to include as tags in the tags output.
Default is to include all labels.
Tags with empty values will not be included in the tags output.
Set to [] to suppress all generated tags.
The value of the name tag, if included, will be the id, not the name.
Unlike other null-label inputs, the initial setting of labels_as_tags cannot be
changed in later chained modules. Attempts to change it will be silently ignored.
lb_catch_allShould this service act as catch all for all subdomain hosts of the vanity domainboolfalseno
logsFeed inputs into cloudwatch logs moduleany{}no
memory_utilization_high_alarm_actionsA list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization High Alarm actionlist(string)[]no
memory_utilization_high_evaluation_periodsNumber of periods to evaluate for the alarmnumber1no
memory_utilization_high_ok_actionsA list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization High OK actionlist(string)[]no
memory_utilization_high_periodDuration in seconds to evaluate for the alarmnumber300no
memory_utilization_high_thresholdThe maximum percentage of Memory utilization averagenumber80no
memory_utilization_low_alarm_actionsA list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization Low Alarm actionlist(string)[]no
memory_utilization_low_evaluation_periodsNumber of periods to evaluate for the alarmnumber1no
memory_utilization_low_ok_actionsA list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization Low OK actionlist(string)[]no
memory_utilization_low_periodDuration in seconds to evaluate for the alarmnumber300no
memory_utilization_low_thresholdThe minimum percentage of Memory utilization averagenumber20no
nameID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a tag.
The "name" tag is set to the full id string. There is no tag with the value of the name input.
namespaceID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally uniquestringnullno
nlb_nameThe name of the NLB this service should attach tostringnullno
rds_nameThe name of the RDS database this service should allow access toanynullno
regex_replace_charsTerraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, "/[^a-zA-Z0-9-]/" is used to remove all characters other than hyphens, letters and digits.
regionAWS Regionstringn/ayes
retention_periodLength of time data records are accessible after they are added to the streamnumber48no
s3_mirror_nameThe name of the S3 mirror componentstringnullno
shard_countNumber of shards that the stream will usenumber1no
shard_level_metricsList of shard-level CloudWatch metrics which can be enabled for the streamlist(string)
ssm_enabledIf true create SSM keys for the database user and password.boolfalseno
ssm_key_formatSSM path format. The values will will be used in the following order: var.ssm_key_prefix,, var.ssm_key_*string"/%v/%v/%v"no
ssm_key_prefixSSM path prefix. Omit the leading forward slash /.string"ecs-service"no
stageID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'stringnullno
stickiness_cookie_durationThe time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds)number86400no
stickiness_enabledBoolean to enable / disable stickiness. Default is truebooltrueno
stickiness_typeThe type of sticky sessions. The only current possible value is lb_cookiestring"lb_cookie"no
stream_modeStream mode details for the Kinesis streamstring"PROVISIONED"no
tagsAdditional tags (e.g. {'BusinessUnit': 'XYZ'}).
Neither the tag keys nor the tag values will be modified by this module.
taskFeed inputs into ecs_alb_service_task module
task_cpu = optional(number)
task_memory = optional(number)
task_role_arn = optional(string, "")
pid_mode = optional(string, null)
ipc_mode = optional(string, null)
network_mode = optional(string)
propagate_tags = optional(string)
assign_public_ip = optional(bool, false)
use_alb_security_groups = optional(bool, true)
launch_type = optional(string, "FARGATE")
scheduling_strategy = optional(string, "REPLICA")
capacity_provider_strategies = optional(list(object({
capacity_provider = string
weight = number
base = number
})), [])

deployment_minimum_healthy_percent = optional(number, null)
deployment_maximum_percent = optional(number, null)
desired_count = optional(number, 0)
min_capacity = optional(number, 1)
max_capacity = optional(number, 2)
wait_for_steady_state = optional(bool, true)
circuit_breaker_deployment_enabled = optional(bool, true)
circuit_breaker_rollback_enabled = optional(bool, true)

ecs_service_enabled = optional(bool, true)
bind_mount_volumes = optional(list(object({
name = string
host_path = string
})), [])
task_enabledWhether or not to use the ECS task modulebooltrueno
task_iam_role_componentA component that outputs an iam_role module as 'role' for adding to the service as a whole.stringnullno
task_policy_arnsThe IAM policy ARNs to attach to the ECS task IAM rolelist(string)
task_security_group_componentA component that outputs security_group_id for adding to the service as a whole.stringnullno
tenantID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is forstringnullno
unauthenticated_pathsUnauthenticated path pattern to matchlist(string)[]no
unauthenticated_priorityThe priority for the rules without authentication, between 1 and 50000 (1 being highest priority). Must be different from authenticated_priority since a listener can't have multiple rules with the same prioritystring0no
use_lbWhether use load balancer for the serviceboolfalseno
use_rds_client_sgUse the RDS client security groupboolfalseno
vanity_aliasThe vanity aliases to use for the public LB.list(string)[]no
vanity_domainWhether to use the vanity domain alias for the servicestringnullno
zone_componentThe component name to look up service domain remote-state onstring"dns-delegated"no
zone_component_outputA json query to use to get the zone domain from the remote state. Seestring".default_domain_name"no


ecs_cluster_arnSelected ECS cluster ARN
environment_mapEnvironment variables to pass to the container, this is a map of key/value pairs, where the key is containerName,variableName
full_domainDomain to respond to GET requests
github_actions_iam_role_arnARN of IAM role for GitHub Actions
github_actions_iam_role_nameName of IAM role for GitHub Actions
lb_arnSelected LB ARN
lb_listener_httpsSelected LB HTTPS Listener
lb_sg_idSelected LB SG ID
logsOutput of cloudwatch logs module
service_imageThe image of the service container
ssm_key_prefixSSM prefix
ssm_parametersSSM parameters for the ECS Service
subnet_idsSelected subnet IDs
vpc_idSelected VPC ID
vpc_sg_idSelected VPC SG ID