Skip to main content
Sponsor @cloudposse

Module: ecs-web-app

A Terraform module which implements a web app on ECS and supporting AWS resources.

Usage

For a complete example, see examples/complete.

For automated tests of the complete example using bats and Terratest (which test and deploy the example on AWS), see test.

Other examples:

module "default_backend_web_app" {
  source = "cloudposse/ecs-web-app/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version     = "x.x.x"
  namespace                                       = "eg"
  stage                                           = "testing"
  name                                            = "appname"
  vpc_id                                          = module.vpc.vpc_id
  alb_ingress_unauthenticated_listener_arns       = module.alb.listener_arns
  alb_ingress_unauthenticated_listener_arns_count = 1
  aws_logs_region                                 = "us-east-2"
  ecs_cluster_arn                                 = aws_ecs_cluster.default.arn
  ecs_cluster_name                                = aws_ecs_cluster.default.name
  ecs_security_group_ids                          = [module.vpc.vpc_default_security_group_id]
  ecs_private_subnet_ids                          = module.subnets.private_subnet_ids
  alb_ingress_healthcheck_path                    = "/healthz"
  alb_ingress_unauthenticated_paths               = ["/*"]
  codepipeline_enabled                            = false

  container_environment = [
    {
      name = "COOKIE"
      value = "cookiemonster"
    },
    {
      name = "PORT"
      value = "80"
    }
  ]
}

Variables

Required Variables

alb_security_group (string) required

Security group of the ALB

ecs_cluster_arn (string) required

The ECS Cluster ARN where ECS Service will be provisioned

ecs_private_subnet_ids (list(string)) required

List of Private Subnet IDs to provision ECS Service onto if var.network_mode = "awsvpc"

vpc_id (string) required

The VPC ID where resources are created

Optional Variables

alb_arn_suffix (string) optional

ARN suffix of the ALB for the Target Group


Default value: ""

alb_container_name (string) optional

The name of the container to associate with the ALB. If not provided, the generated container will be used


Default value: null

alb_ingress_authenticated_hosts (list(string)) optional

Authenticated hosts to match in Hosts header


Default value: [ ]

alb_ingress_authenticated_listener_arns (list(string)) optional

A list of authenticated ALB listener ARNs to attach ALB listener rules to


Default value: [ ]

alb_ingress_authenticated_listener_arns_count (number) optional

The number of authenticated ARNs in alb_ingress_authenticated_listener_arns. This is necessary to work around a limitation in Terraform where counts cannot be computed


Default value: 0

alb_ingress_authenticated_paths (list(string)) optional

Authenticated path pattern to match (a maximum of 1 can be defined)


Default value: [ ]

alb_ingress_enable_default_target_group (bool) optional

If true, create a default target group for the ALB ingress


Default value: true

alb_ingress_health_check_healthy_threshold (number) optional

The number of consecutive health checks successes required before healthy


Default value: 2

alb_ingress_health_check_interval (number) optional

The duration in seconds in between health checks


Default value: 15

alb_ingress_health_check_matcher (string) optional

The HTTP response codes to indicate a healthy check


Default value: "200-399"

alb_ingress_health_check_timeout (number) optional

The amount of time to wait in seconds before failing a health check request


Default value: 10

alb_ingress_health_check_unhealthy_threshold (number) optional

The number of consecutive health check failures required before unhealthy


Default value: 2

alb_ingress_healthcheck_path (string) optional

The path of the healthcheck which the ALB checks


Default value: "/"

alb_ingress_healthcheck_protocol (string) optional

The protocol to use to connect with the target. Defaults to HTTP. Not applicable when target_type is lambda


Default value: "HTTP"

alb_ingress_listener_authenticated_priority (number) optional

The priority for the rules with authentication, between 1 and 50000 (1 being highest priority). Must be different from alb_ingress_listener_unauthenticated_priority since a listener can't have multiple rules with the same priority


Default value: 300

alb_ingress_listener_unauthenticated_priority (number) optional

The priority for the rules without authentication, between 1 and 50000 (1 being highest priority). Must be different from alb_ingress_listener_authenticated_priority since a listener can't have multiple rules with the same priority


Default value: 1000

alb_ingress_load_balancing_algorithm_type (string) optional

Determines how the load balancer selects targets when routing requests. Only applicable for Application Load Balancer Target Groups. The value is round_robin or least_outstanding_requests. The default is round_robin.


Default value: "round_robin"

alb_ingress_protocol (string) optional

The protocol for the created ALB target group (if target_group_arn is not set). One of HTTP, HTTPS. Defaults to HTTP.


Default value: "HTTP"

alb_ingress_protocol_version (string) optional

The protocol version. One of HTTP1, HTTP2, GRPC. Only applicable when protocol is HTTP or HTTPS. Specify GRPC to send requests to targets using gRPC. Specify HTTP2 to send requests to targets using HTTP/2. The default is HTTP1, which sends requests to targets using HTTP/1.1


Default value: "HTTP1"

alb_ingress_target_group_arn (string) optional

Existing ALB target group ARN. If provided, set alb_ingress_enable_default_target_group to false to disable creation of the default target group


Default value: ""

alb_ingress_target_type (string) optional

Target type for the ALB ingress. One of ip, instance, lambda or container. Defaults to ip, for bridge networking mode should be instance


Default value: "ip"

alb_ingress_unauthenticated_hosts (list(string)) optional

Unauthenticated hosts to match in Hosts header


Default value: [ ]

alb_ingress_unauthenticated_listener_arns (list(string)) optional

A list of unauthenticated ALB listener ARNs to attach ALB listener rules to


Default value: [ ]

alb_ingress_unauthenticated_listener_arns_count (number) optional

The number of unauthenticated ARNs in alb_ingress_unauthenticated_listener_arns. This is necessary to work around a limitation in Terraform where counts cannot be computed


Default value: 0

alb_ingress_unauthenticated_paths (list(string)) optional

Unauthenticated path pattern to match (a maximum of 1 can be defined)


Default value: [ ]

alb_stickiness_cookie_duration (number) optional

The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds)


Default value: 86400

alb_stickiness_enabled (bool) optional

Boolean to enable / disable stickiness. Default is true


Default value: true

alb_stickiness_type (string) optional

The type of sticky sessions. The only current possible value is lb_cookie


Default value: "lb_cookie"

alb_target_group_alarms_3xx_threshold (number) optional

The maximum number of 3XX HTTPCodes in a given period for ECS Service


Default value: 25

alb_target_group_alarms_4xx_threshold (number) optional

The maximum number of 4XX HTTPCodes in a given period for ECS Service


Default value: 25

alb_target_group_alarms_5xx_threshold (number) optional

The maximum number of 5XX HTTPCodes in a given period for ECS Service


Default value: 25

alb_target_group_alarms_alarm_actions (list(string)) optional

A list of ARNs (i.e. SNS Topic ARN) to execute when ALB Target Group alarms transition into an ALARM state from any other state


Default value: [ ]

alb_target_group_alarms_enabled (bool) optional

A boolean to enable/disable CloudWatch Alarms for ALB Target metrics


Default value: false

alb_target_group_alarms_evaluation_periods (number) optional

The number of periods to analyze for ALB CloudWatch Alarms


Default value: 1

alb_target_group_alarms_insufficient_data_actions (list(string)) optional

A list of ARNs (i.e. SNS Topic ARN) to execute when ALB Target Group alarms transition into an INSUFFICIENT_DATA state from any other state


Default value: [ ]

alb_target_group_alarms_ok_actions (list(string)) optional

A list of ARNs (i.e. SNS Topic ARN) to execute when ALB Target Group alarms transition into an OK state from any other state


Default value: [ ]

alb_target_group_alarms_period (number) optional

The period (in seconds) to analyze for ALB CloudWatch Alarms


Default value: 300

alb_target_group_alarms_response_time_threshold (number) optional

The maximum ALB Target Group response time


Default value: 0.5

assign_public_ip (bool) optional

Assign a public IP address to the ENI (Fargate launch type only). Valid values are true or false. Default false


Default value: false

authentication_cognito_scope (string) optional

Cognito scope, which should be a space separated string of requested scopes (see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims)


Default value: null

authentication_cognito_user_pool_arn (string) optional

Cognito User Pool ARN


Default value: ""

authentication_cognito_user_pool_client_id (string) optional

Cognito User Pool Client ID


Default value: ""

authentication_cognito_user_pool_domain (string) optional

Cognito User Pool Domain. The User Pool Domain should be set to the domain prefix (xxx) instead of full domain (https://xxx.auth.us-west-2.amazoncognito.com)


Default value: ""

authentication_oidc_authorization_endpoint (string) optional

OIDC Authorization Endpoint


Default value: ""

authentication_oidc_client_id (string) optional

OIDC Client ID


Default value: ""

authentication_oidc_client_secret (string) optional

OIDC Client Secret


Default value: ""

authentication_oidc_issuer (string) optional

OIDC Issuer


Default value: ""

authentication_oidc_scope (string) optional

OIDC scope, which should be a space separated string of requested scopes (see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims, and https://developers.google.com/identity/protocols/oauth2/openid-connect#scope-param for an example set of scopes when using Google as the IdP)


Default value: null

authentication_oidc_token_endpoint (string) optional

OIDC Token Endpoint


Default value: ""

authentication_oidc_user_info_endpoint (string) optional

OIDC User Info Endpoint


Default value: ""

authentication_type (string) optional

Authentication type. Supported values are COGNITO and OIDC


Default value: ""

autoscaling_dimension (string) optional

Dimension to autoscale on (valid options: cpu, memory)


Default value: "memory"

autoscaling_enabled (bool) optional

A boolean to enable/disable Autoscaling policy for ECS Service


Default value: false

autoscaling_max_capacity (number) optional

Maximum number of running instances of a Service


Default value: 2

autoscaling_min_capacity (number) optional

Minimum number of running instances of a Service


Default value: 1

autoscaling_scale_down_adjustment (number) optional

Scaling adjustment to make during scale down event


Default value: -1

autoscaling_scale_down_cooldown (number) optional

Period (in seconds) to wait between scale down events


Default value: 300

autoscaling_scale_up_adjustment (number) optional

Scaling adjustment to make during scale up event


Default value: 1

autoscaling_scale_up_cooldown (number) optional

Period (in seconds) to wait between scale up events


Default value: 60

aws_logs_prefix (string) optional

Custom AWS Logs prefix. If empty name from label module will be used


Default value: ""

aws_logs_region (string) optional

The region for the AWS Cloudwatch Logs group


Default value: null

badge_enabled (bool) optional

Generates a publicly-accessible URL for the projects build badge. Available as badge_url attribute when enabled


Default value: false

branch (string) optional

Branch of the GitHub repository, e.g. master


Default value: ""

build_environment_variables optional

A list of maps, that contain the keys 'name', 'value', and 'type' to be used as additional environment variables for the build. Valid types are 'PLAINTEXT', 'PARAMETER_STORE', or 'SECRETS_MANAGER'


Type:

list(object(
{
  name  = string
  value = string
  type  = string
}))

Default value: [ ]

build_image (string) optional

Docker image for build environment, e.g. aws/codebuild/docker:docker:17.09.0


Default value: "aws/codebuild/docker:17.09.0"

build_timeout (number) optional

How long in minutes, from 5 to 480 (8 hours), for AWS CodeBuild to wait until timing out any related build that does not get marked as completed


Default value: 60

buildspec (string) optional

Declaration to use for building the project. For more info


Default value: ""

capacity_provider_strategies optional

The capacity provider strategies to use for the service. See capacity_provider_strategy configuration block: https://www.terraform.io/docs/providers/aws/r/ecs_service.html#capacity_provider_strategy


Type:

list(object({
capacity_provider = string
weight            = number
base              = number
}))

Default value: [ ]

circuit_breaker_deployment_enabled (bool) optional

If true, enable the deployment circuit breaker logic for the service


Default value: false

circuit_breaker_rollback_enabled (bool) optional

If true, Amazon ECS will roll back the service if a service deployment fails


Default value: false

cloudwatch_log_group_enabled (bool) optional

A boolean to disable cloudwatch log group creation


Default value: true

codebuild_cache_type (string) optional

The type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO_CACHE, LOCAL, and S3. Defaults to NO_CACHE. If cache_type is S3, it will create an S3 bucket for storing codebuild cache inside


Default value: "S3"

codepipeline_build_cache_bucket_suffix_enabled (bool) optional

The codebuild cache bucket generates a random 13 character string to generate a unique bucket name. If set to false it uses terraform-null-label's id value. It only works when cache_type is 'S3'


Default value: true

codepipeline_build_compute_type (string) optional

CodeBuild instance size. Possible values are: BUILD_GENERAL1_SMALL BUILD_GENERAL1_MEDIUM BUILD_GENERAL1_LARGE


Default value: "BUILD_GENERAL1_SMALL"

codepipeline_cdn_bucket_buildspec_identifier (string) optional

Identifier for buildspec section controlling the optional CDN asset deployment.


Default value: null

codepipeline_cdn_bucket_encryption_enabled (bool) optional

If set to true, enable encryption on the optional CDN asset deployment bucket


Default value: false

codepipeline_cdn_bucket_id (string) optional

Optional bucket for static asset deployment. If specified, the buildspec must include a secondary artifacts section which controls the files deployed to the bucket For more info


Default value: null

codepipeline_enabled (bool) optional

A boolean to enable/disable AWS Codepipeline. If false, use ecr_enabled to control if AWS ECR stays enabled.


Default value: true

codepipeline_s3_bucket_force_destroy (bool) optional

A boolean that indicates all objects should be deleted from the CodePipeline artifact store S3 bucket so that the bucket can be destroyed without error


Default value: false

command (list(string)) optional

The command that is passed to the container


Default value: null

container_cpu (number) optional

The vCPU setting to control cpu limits of container. (If FARGATE launch type is used below, this must be a supported vCPU size from the table here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html)


Default value: 256

container_definition (string) optional

Override the main container_definition


Default value: ""

container_environment optional

The environment variables to pass to the container. This is a list of maps


Type:

list(object({
name  = string
value = string
}))

Default value: null

container_image (string) optional

The default container image to use in container definition


Default value: "cloudposse/default-backend"

container_memory (number) optional

The amount of RAM to allow container to use in MB. (If FARGATE launch type is used below, this must be a supported Memory size from the table here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html)


Default value: 512

container_memory_reservation (number) optional

The amount of RAM (Soft Limit) to allow container to use in MB. This value must be less than container_memory if set


Default value: 128

container_port (number) optional

The port number on the container bound to assigned host_port


Default value: 80

container_repo_credentials (map(string)) optional

Container repository credentials; required when using a private repo. This map currently supports a single key; "credentialsParameter", which should be the ARN of a Secrets Manager's secret holding the credentials


Default value: null

container_start_timeout (number) optional

Time duration (in seconds) to wait before giving up on resolving dependencies for a container


Default value: 30

container_stop_timeout (number) optional

Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own


Default value: 30

deployment_controller_type (string) optional

Type of deployment controller. Valid values are CODE_DEPLOY and ECS


Default value: "ECS"

deployment_maximum_percent (number) optional

The upper limit of the number of tasks (as a percentage of desired_count) that can be running in a service during a deployment


Default value: 200

deployment_minimum_healthy_percent (number) optional

The lower limit (as a percentage of desired_count) of the number of tasks that must remain running and healthy in a service during a deployment


Default value: 100

desired_count (number) optional

The desired number of tasks to start with. Set this to 0 if using DAEMON Service type. (FARGATE does not suppoert DAEMON Service type)


Default value: 1

ecr_enabled (bool) optional

A boolean to enable/disable AWS ECR


Default value: true

ecr_image_tag_mutability (string) optional

The tag mutability setting for the ecr repository. Must be one of: MUTABLE or IMMUTABLE


Default value: "IMMUTABLE"

ecr_scan_images_on_push (bool) optional

Indicates whether images are scanned after being pushed to the repository (true) or not (false)


Default value: false

ecs_alarms_cpu_utilization_high_alarm_actions (list(string)) optional

A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization High Alarm action


Default value: [ ]

ecs_alarms_cpu_utilization_high_evaluation_periods (number) optional

Number of periods to evaluate for the alarm


Default value: 1

ecs_alarms_cpu_utilization_high_ok_actions (list(string)) optional

A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization High OK action


Default value: [ ]

ecs_alarms_cpu_utilization_high_period (number) optional

Duration in seconds to evaluate for the alarm


Default value: 300

ecs_alarms_cpu_utilization_high_threshold (number) optional

The maximum percentage of CPU utilization average


Default value: 80

ecs_alarms_cpu_utilization_low_alarm_actions (list(string)) optional

A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization Low Alarm action


Default value: [ ]

ecs_alarms_cpu_utilization_low_evaluation_periods (number) optional

Number of periods to evaluate for the alarm


Default value: 1

ecs_alarms_cpu_utilization_low_ok_actions (list(string)) optional

A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization Low OK action


Default value: [ ]

ecs_alarms_cpu_utilization_low_period (number) optional

Duration in seconds to evaluate for the alarm


Default value: 300

ecs_alarms_cpu_utilization_low_threshold (number) optional

The minimum percentage of CPU utilization average


Default value: 20

ecs_alarms_enabled (bool) optional

A boolean to enable/disable CloudWatch Alarms for ECS Service metrics


Default value: false

ecs_alarms_memory_utilization_high_alarm_actions (list(string)) optional

A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization High Alarm action


Default value: [ ]

ecs_alarms_memory_utilization_high_evaluation_periods (number) optional

Number of periods to evaluate for the alarm


Default value: 1

ecs_alarms_memory_utilization_high_ok_actions (list(string)) optional

A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization High OK action


Default value: [ ]

ecs_alarms_memory_utilization_high_period (number) optional

Duration in seconds to evaluate for the alarm


Default value: 300

ecs_alarms_memory_utilization_high_threshold (number) optional

The maximum percentage of Memory utilization average


Default value: 80

ecs_alarms_memory_utilization_low_alarm_actions (list(string)) optional

A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization Low Alarm action


Default value: [ ]

ecs_alarms_memory_utilization_low_evaluation_periods (number) optional

Number of periods to evaluate for the alarm


Default value: 1

ecs_alarms_memory_utilization_low_ok_actions (list(string)) optional

A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization Low OK action


Default value: [ ]

ecs_alarms_memory_utilization_low_period (number) optional

Duration in seconds to evaluate for the alarm


Default value: 300

ecs_alarms_memory_utilization_low_threshold (number) optional

The minimum percentage of Memory utilization average


Default value: 20

ecs_cluster_name (string) optional

The ECS Cluster Name to use in ECS Code Pipeline Deployment step


Default value: null

ecs_security_group_enabled (bool) optional

Whether to create a security group for the service.


Default value: true

ecs_security_group_ids (list(string)) optional

Additional Security Group IDs to allow into ECS Service if var.network_mode = "awsvpc"


Default value: [ ]

enable_all_egress_rule (bool) optional

A flag to enable/disable adding the all ports egress rule to the ECS security group


Default value: true

enable_ecs_managed_tags (bool) optional

Specifies whether to enable Amazon ECS managed tags for the tasks within the service


Default value: false

entrypoint (list(string)) optional

The entry point that is passed to the container


Default value: null

exec_enabled (bool) optional

Specifies whether to enable Amazon ECS Exec for the tasks within the service


Default value: false

force_new_deployment (bool) optional

Enable to force a new task deployment of the service.


Default value: false

github_oauth_token (string) optional

GitHub Oauth Token with permissions to access private repositories


Default value: ""

github_webhook_events (list(string)) optional

A list of events which should trigger the webhook. See a list of available events


Default value:

[
  "push"
]
health_check_grace_period_seconds (number) optional

Seconds to ignore failing load balancer health checks on newly instantiated tasks to prevent premature shutdown, up to 7200. Only valid for services configured to use load balancers


Default value: 0

healthcheck optional

A map containing command (string), timeout, interval (duration in seconds), retries (1-10, number of times to retry before marking container unhealthy), and startPeriod (0-300, optional grace period to wait, in seconds, before failed healthchecks count toward retries)


Type:

object({
command     = list(string)
retries     = number
timeout     = number
interval    = number
startPeriod = number
})

Default value: null

ignore_changes_desired_count (bool) optional

Whether to ignore changes for desired count in the ECS service


Default value: false

ignore_changes_task_definition (bool) optional

Ignore changes (like environment variables) to the ECS task definition


Default value: true

init_containers optional

A list of additional init containers to start. The map contains the container_definition (JSON) and the main container's dependency condition (string) on the init container. The latter can be one of START, COMPLETE, SUCCESS, HEALTHY, or null. If null, the init container will not be added to the depends_on list of the main container.


Type:

list(object({
container_definition = any
condition            = string
}))

Default value: [ ]

launch_type (string) optional

The ECS launch type (valid options: FARGATE or EC2)


Default value: "FARGATE"

linux_parameters optional

Linux-specific modifications that are applied to the container, such as Linux kernel capabilities. For more details, see https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_LinuxParameters.html


Type:

object({
capabilities = optional(object({
  add  = optional(list(string))
  drop = optional(list(string))
}))
devices = optional(list(object({
  containerPath = optional(string)
  hostPath      = optional(string)
  permissions   = optional(list(string))
})))
initProcessEnabled = optional(bool)
maxSwap            = optional(number)
sharedMemorySize   = optional(number)
swappiness         = optional(number)
tmpfs = optional(list(object({
  containerPath = optional(string)
  mountOptions  = optional(list(string))
  size          = number
})))
})

Default value: { }

log_driver (string) optional

The log driver to use for the container. If using Fargate launch type, only supported value is awslogs


Default value: "awslogs"

log_retention_in_days (number) optional

The number of days to retain logs for the log group


Default value: 90

map_container_environment (map(string)) optional

The environment variables to pass to the container. This is a map of string: {key: value}. environment overrides map_environment


Default value: null

mount_points optional

Container mount points. This is a list of maps, where each map should contain a containerPath and sourceVolume


Type:

list(object({
containerPath = string
sourceVolume  = string
readOnly      = bool
}))

Default value: [ ]

network_mode (string) optional

The network mode to use for the task. This is required to be awsvpc for FARGATE launch_type or null for EC2 launch_type


Default value: "awsvpc"

nlb_cidr_blocks (list(string)) optional

A list of CIDR blocks to add to the ingress rule for the NLB container port


Default value: [ ]

nlb_container_name (string) optional

The name of the container to associate with the NLB. If not provided, the generated container will be used


Default value: null

nlb_container_port (number) optional

The port number on the container bound to assigned NLB host_port


Default value: 80

nlb_ingress_target_group_arn (string) optional

Target group ARN of the NLB ingress


Default value: ""

permissions_boundary (string) optional

A permissions boundary ARN to apply to the 3 roles that are created.


Default value: ""

platform_version (string) optional

The platform version on which to run your service. Only applicable for launch_type set to FARGATE. More information about Fargate platform versions can be found in the AWS ECS User Guide.


Default value: "LATEST"

poll_source_changes (bool) optional

Periodically check the location of your source content and run the pipeline if changes are detected


Default value: false

port_mappings optional

The port mappings to configure for the container. This is a list of maps. Each map should contain "containerPort", "hostPort", and "protocol", where "protocol" is one of "tcp" or "udp". If using containers in a task with the awsvpc or host network mode, the hostPort can either be left blank or set to the same value as the containerPort


Type:

list(object({
containerPort = number
hostPort      = number
protocol      = string
}))

Default value:

[
  {
    "containerPort": 80,
    "hostPort": 80,
    "protocol": "tcp"
  }
]
privileged (string) optional

When this variable is true, the container is given elevated privileges on the host container instance (similar to the root user). This parameter is not supported for Windows containers or tasks using the Fargate launch type. Due to how Terraform type casts booleans in json it is required to double quote this value


Default value: null

propagate_tags (string) optional

Specifies whether to propagate the tags from the task definition or the service to the tasks. The valid values are SERVICE and TASK_DEFINITION


Default value: null

region (string) optional

AWS Region for S3 bucket


Default value: null

repo_name (string) optional

GitHub repository name of the application to be built and deployed to ECS


Default value: ""

repo_owner (string) optional

GitHub Organization or Username


Default value: ""

runtime_platform (list(map(string))) optional

Zero or one runtime platform configurations that containers in your task may use.
Map of strings with optional keys operating_system_family and cpu_architecture.
See runtime_platform docs https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#runtime_platform



Default value: [ ]

secrets optional

The secrets to pass to the container. This is a list of maps


Type:

list(object({
name      = string
valueFrom = string
}))

Default value: null

service_registries optional

The service discovery registries for the service. The maximum number of service_registries blocks is 1. The currently supported service registry is Amazon Route 53 Auto Naming Service - aws_service_discovery_service; see service_registries docs https://www.terraform.io/docs/providers/aws/r/ecs_service.html#service_registries-1


Type:

list(object({
registry_arn   = string
port           = number
container_name = string
container_port = number
}))

Default value: [ ]

system_controls (list(map(string))) optional

A list of namespaced kernel parameters to set in the container, mapping to the --sysctl option to docker run. This is a list of maps: { namespace = "", value = ""}


Default value: null

task_cpu (number) optional

The number of CPU units used by the task. If unspecified, it will default to container_cpu. If using FARGATE launch type task_cpu must match supported memory values (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size)


Default value: null

task_memory (number) optional

The amount of memory (in MiB) used by the task. If unspecified, it will default to container_memory. If using Fargate launch type task_memory must match supported cpu value (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size)


Default value: null

task_policy_arns (list(string)) optional

A list of IAM Policy ARNs to attach to the generated task role.


Default value: [ ]

task_role_arn (string) optional

The ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services


Default value: ""

ulimits optional

The ulimits to configure for the container. This is a list of maps. Each map should contain "name", "softLimit" and "hardLimit"


Type:

list(object({
name      = string
softLimit = number
hardLimit = number
}))

Default value: [ ]

use_alb_security_group (bool) optional

A boolean to enable adding an ALB security group rule for the service task


Default value: false

use_ecr_image (bool) optional

If true, use ECR repo URL for image, otherwise use value in container_image


Default value: false

use_nlb_cidr_blocks (bool) optional

A flag to enable/disable adding the NLB ingress rule to the security group


Default value: false

volumes optional

Task volume definitions as list of configuration objects


Type:

list(object({
host_path = string
name      = string
docker_volume_configuration = list(object({
  autoprovision = bool
  driver        = string
  driver_opts   = map(string)
  labels        = map(string)
  scope         = string
}))
efs_volume_configuration = list(object({
  file_system_id          = string
  root_directory          = string
  transit_encryption      = string
  transit_encryption_port = string
  authorization_config = list(object({
    access_point_id = string
    iam             = string
  }))
}))
}))

Default value: [ ]

webhook_authentication (string) optional

The type of authentication to use. One of IP, GITHUB_HMAC, or UNAUTHENTICATED


Default value: "GITHUB_HMAC"

webhook_enabled (bool) optional

Set to false to prevent the module from creating any webhook resources


Default value: true

webhook_filter_json_path (string) optional

The JSON path to filter on


Default value: "$.ref"

webhook_filter_match_equals (string) optional

The value to match on (e.g. refs/heads/{Branch})


Default value: "refs/heads/{Branch}"

webhook_target_action (string) optional

The name of the action in a pipeline you want to connect to the webhook. The action must be from the source (first) stage of the pipeline


Default value: "Source"

Context Variables

The following variables are defined in the context.tf file of this module and part of the terraform-null-label pattern.

additional_tag_map (map(string)) optional

Additional key-value pairs to add to each map in tags_as_list_of_maps. Not added to tags or id.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration.


Required: No

Default value: { }

attributes (list(string)) optional

ID element. Additional attributes (e.g. workers or cluster) to add to id,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the delimiter
and treated as a single ID element.


Required: No

Default value: [ ]

context (any) optional

Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as null to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged.


Required: No

Default value:

{
  "additional_tag_map": {},
  "attributes": [],
  "delimiter": null,
  "descriptor_formats": {},
  "enabled": true,
  "environment": null,
  "id_length_limit": null,
  "label_key_case": null,
  "label_order": [],
  "label_value_case": null,
  "labels_as_tags": [
    "unset"
  ],
  "name": null,
  "namespace": null,
  "regex_replace_chars": null,
  "stage": null,
  "tags": {},
  "tenant": null
}
delimiter (string) optional

Delimiter to be used between ID elements.
Defaults to - (hyphen). Set to "" to use no delimiter at all.


Required: No

Default value: null

descriptor_formats (any) optional

Describe additional descriptors to be output in the descriptors output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
\{<br/> format = string<br/> labels = list(string)<br/> \}
(Type is any so the map values can later be enhanced to provide additional options.)
format is a Terraform format string to be passed to the format() function.
labels is a list of labels, in order, to pass to format() function.
Label values will be normalized before being passed to format() so they will be
identical to how they appear in id.
Default is {} (descriptors output will be empty).


Required: No

Default value: { }

enabled (bool) optional

Set to false to prevent the module from creating any resources
Required: No

Default value: null

environment (string) optional

ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'
Required: No

Default value: null

id_length_limit (number) optional

Limit id to this many characters (minimum 6).
Set to 0 for unlimited length.
Set to null for keep the existing setting, which defaults to 0.
Does not affect id_full.


Required: No

Default value: null

label_key_case (string) optional

Controls the letter case of the tags keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the tags input.
Possible values: lower, title, upper.
Default value: title.


Required: No

Default value: null

label_order (list(string)) optional

The order in which the labels (ID elements) appear in the id.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.


Required: No

Default value: null

label_value_case (string) optional

Controls the letter case of ID elements (labels) as included in id,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the tags input.
Possible values: lower, title, upper and none (no transformation).
Set this to title and set delimiter to "" to yield Pascal Case IDs.
Default value: lower.


Required: No

Default value: null

labels_as_tags (set(string)) optional

Set of labels (ID elements) to include as tags in the tags output.
Default is to include all labels.
Tags with empty values will not be included in the tags output.
Set to [] to suppress all generated tags.
Notes:
The value of the name tag, if included, will be the id, not the name.
Unlike other null-label inputs, the initial setting of labels_as_tags cannot be
changed in later chained modules. Attempts to change it will be silently ignored.


Required: No

Default value:

[
  "default"
]
name (string) optional

ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a tag.
The "name" tag is set to the full id string. There is no tag with the value of the name input.


Required: No

Default value: null

namespace (string) optional

ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique
Required: No

Default value: null

regex_replace_chars (string) optional

Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, "/[^a-zA-Z0-9-]/" is used to remove all characters other than hyphens, letters and digits.


Required: No

Default value: null

stage (string) optional

ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'
Required: No

Default value: null

tags (map(string)) optional

Additional tags (e.g. {'BusinessUnit': 'XYZ'}).
Neither the tag keys nor the tag values will be modified by this module.


Required: No

Default value: { }

tenant (string) optional

ID element (Rarely used, not included by default). A customer identifier, indicating who this instance of a resource is for
Required: No

Default value: null

Outputs

alb_ingress

All outputs from module.alb_ingress

alb_ingress_target_group_arn

ALB Target Group ARN

alb_ingress_target_group_arn_suffix

ALB Target Group ARN suffix

alb_ingress_target_group_name

ALB Target Group name

alb_target_group_cloudwatch_sns_alarms

All outputs from module.alb_target_group_cloudwatch_sns_alarms

cloudwatch_log_group

All outputs from aws_cloudwatch_log_group.app

cloudwatch_log_group_arn

Cloudwatch log group ARN

cloudwatch_log_group_name

Cloudwatch log group name

codebuild

All outputs from module.ecs_codepipeline

codebuild_badge_url

The URL of the build badge when badge_enabled is enabled

codebuild_cache_bucket_arn

CodeBuild cache S3 bucket ARN

codebuild_cache_bucket_name

CodeBuild cache S3 bucket name

codebuild_project_id

CodeBuild project ID

codebuild_project_name

CodeBuild project name

codebuild_role_arn

CodeBuild IAM Role ARN

codebuild_role_id

CodeBuild IAM Role ID

codepipeline_arn

CodePipeline ARN

codepipeline_id

CodePipeline ID

codepipeline_webhook_id

The CodePipeline webhook's ID

codepipeline_webhook_url

The CodePipeline webhook's URL. POST events to this endpoint to trigger the target

container_definition

All outputs from module.container_definition

container_definition_json

JSON encoded list of container definitions for use with other terraform resources such as aws_ecs_task_definition

container_definition_json_map

JSON encoded container definitions for use with other terraform resources such as aws_ecs_task_definition

ecr

All outputs from module.ecr

ecr_registry_id

Registry ID

ecr_registry_url

Repository URL

ecr_repository_arn

ARN of ECR repository

ecr_repository_name

Registry name

ecr_repository_url

Repository URL

ecs_alarms

All outputs from module.ecs_cloudwatch_sns_alarms

ecs_alarms_cpu_utilization_high_cloudwatch_metric_alarm_arn

ECS CPU utilization high CloudWatch metric alarm ARN

ecs_alarms_cpu_utilization_high_cloudwatch_metric_alarm_id

ECS CPU utilization high CloudWatch metric alarm ID

ecs_alarms_cpu_utilization_low_cloudwatch_metric_alarm_arn

ECS CPU utilization low CloudWatch metric alarm ARN

ecs_alarms_cpu_utilization_low_cloudwatch_metric_alarm_id

ECS CPU utilization low CloudWatch metric alarm ID

ecs_alarms_memory_utilization_high_cloudwatch_metric_alarm_arn

ECS Memory utilization high CloudWatch metric alarm ARN

ecs_alarms_memory_utilization_high_cloudwatch_metric_alarm_id

ECS Memory utilization high CloudWatch metric alarm ID

ecs_alarms_memory_utilization_low_cloudwatch_metric_alarm_arn

ECS Memory utilization low CloudWatch metric alarm ARN

ecs_alarms_memory_utilization_low_cloudwatch_metric_alarm_id

ECS Memory utilization low CloudWatch metric alarm ID

ecs_alb_service_task

All outputs from module.ecs_alb_service_task

ecs_cloudwatch_autoscaling

All outputs from module.ecs_cloudwatch_autoscaling

ecs_cloudwatch_autoscaling_scale_down_policy_arn

ARN of the scale down policy

ecs_cloudwatch_autoscaling_scale_up_policy_arn

ARN of the scale up policy

ecs_exec_role_policy_id

The ECS service role policy ID, in the form of role_name:role_policy_name

ecs_exec_role_policy_name

ECS service role name

ecs_service_arn

ECS Service ARN

ecs_service_name

ECS Service name

ecs_service_role_arn

ECS Service role ARN

ecs_service_security_group_id

Security Group ID of the ECS task

ecs_task_definition_family

ECS task definition family

ecs_task_definition_revision

ECS task definition revision

ecs_task_exec_role_arn

ECS Task exec role ARN

ecs_task_exec_role_name

ECS Task role name

ecs_task_role_arn

ECS Task role ARN

ecs_task_role_id

ECS Task role id

ecs_task_role_name

ECS Task role name

httpcode_elb_5xx_count_cloudwatch_metric_alarm_arn

ALB 5xx count CloudWatch metric alarm ARN

httpcode_elb_5xx_count_cloudwatch_metric_alarm_id

ALB 5xx count CloudWatch metric alarm ID

httpcode_target_3xx_count_cloudwatch_metric_alarm_arn

ALB Target Group 3xx count CloudWatch metric alarm ARN

httpcode_target_3xx_count_cloudwatch_metric_alarm_id

ALB Target Group 3xx count CloudWatch metric alarm ID

httpcode_target_4xx_count_cloudwatch_metric_alarm_arn

ALB Target Group 4xx count CloudWatch metric alarm ARN

httpcode_target_4xx_count_cloudwatch_metric_alarm_id

ALB Target Group 4xx count CloudWatch metric alarm ID

httpcode_target_5xx_count_cloudwatch_metric_alarm_arn

ALB Target Group 5xx count CloudWatch metric alarm ARN

httpcode_target_5xx_count_cloudwatch_metric_alarm_id

ALB Target Group 5xx count CloudWatch metric alarm ID

target_response_time_average_cloudwatch_metric_alarm_arn

ALB Target Group response time average CloudWatch metric alarm ARN

target_response_time_average_cloudwatch_metric_alarm_id

ALB Target Group response time average CloudWatch metric alarm ID

Dependencies

Requirements

  • terraform, version: >= 1
  • aws, version: >= 5.0

Providers

  • aws, version: >= 5.0

Modules

NameVersionSourceDescription
alb_ingress0.28.0cloudposse/alb-ingress/awsn/a
alb_target_group_cloudwatch_sns_alarms0.17.0cloudposse/alb-target-group-cloudwatch-sns-alarms/awsn/a
container_definition0.58.1cloudposse/ecs-container-definition/awsn/a
ecr0.41.0cloudposse/ecr/awsn/a
ecs_alb_service_task0.64.1cloudposse/ecs-alb-service-task/awsn/a
ecs_cloudwatch_autoscaling0.7.5cloudposse/ecs-cloudwatch-autoscaling/awsn/a
ecs_cloudwatch_sns_alarms0.12.2cloudposse/ecs-cloudwatch-sns-alarms/awsn/a
ecs_codepipeline0.34.1cloudposse/ecs-codepipeline/awsn/a
this0.25.0cloudposse/label/nulln/a

Resources

The following resources are used by this module:

Data Sources

The following data sources are used by this module: