terraform-aws-ecs-web-app

A Terraform module which implements a web app on ECS and supporting AWS resources.

This project is part of our comprehensive "SweetOps" approach towards DevOps.

It's 100% Open Source and licensed under the APACHE2.

We literally have hundreds of terraform modules that are Open Source and well-maintained. Check them out!

Security & Compliance

Security scanning is graciously provided by Bridgecrew. Bridgecrew is the leading fully hosted, cloud-native solution providing continuous Terraform security and compliance.

Benchmark	Description
	Infrastructure Security Compliance
	Center for Internet Security, KUBERNETES Compliance
	Center for Internet Security, AWS Compliance
	Center for Internet Security, AZURE Compliance
	Payment Card Industry Data Security Standards Compliance
	National Institute of Standards and Technology Compliance
	Information Security Management System, ISO/IEC 27001 Compliance
	Service Organization Control 2 Compliance
	Center for Internet Security, GCP Compliance
	Health Insurance Portability and Accountability Compliance

Usage

IMPORTANT: We do not pin modules to versions in our examples because of the difficulty of keeping the versions in the documentation in sync with the latest released versions. We highly recommend that in your code you pin the version to the exact version you are using so that your infrastructure remains stable, and update versions in a systematic way so that they do not catch you by surprise.

Also, because of a bug in the Terraform registry (hashicorp/terraform#21417), the registry shows many of our inputs as required when in fact they are optional. The table below correctly indicates which inputs are required.

For a complete example, see examples/complete.

For automated tests of the complete example using bats and Terratest (which test and deploy the example on AWS), see test.

Other examples:

without authentication - without authentication
with Google OIDC authentication - with Google OIDC authentication
with Cognito authentication - with Cognito authentication

module "default_backend_web_app" {
  source = "cloudposse/ecs-web-app/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version     = "x.x.x"
  namespace                                       = "eg"
  stage                                           = "testing"
  name                                            = "appname"
  vpc_id                                          = module.vpc.vpc_id
  alb_ingress_unauthenticated_listener_arns       = module.alb.listener_arns
  alb_ingress_unauthenticated_listener_arns_count = 1
  aws_logs_region                                 = "us-east-2"
  ecs_cluster_arn                                 = aws_ecs_cluster.default.arn
  ecs_cluster_name                                = aws_ecs_cluster.default.name
  ecs_security_group_ids                          = [module.vpc.vpc_default_security_group_id]
  ecs_private_subnet_ids                          = module.subnets.private_subnet_ids
  alb_ingress_healthcheck_path                    = "/healthz"
  alb_ingress_unauthenticated_paths               = ["/*"]
  codepipeline_enabled                            = false

  container_environment = [
    {
      name = "COOKIE"
      value = "cookiemonster"
    },
    {
      name = "PORT"
      value = "80"
    }
  ]
}

Makefile Targets

Available targets:

  help                                Help screen
  help/all                            Display help for all targets
  help/short                          This help short screen
  lint                                Lint terraform code

Requirements

Name	Version
terraform	>= 0.13.0
aws	>= 3.34

Providers

Name	Version
aws	>= 3.34

Modules

Name	Source	Version
alb_ingress	cloudposse/alb-ingress/aws	0.24.2
alb_target_group_cloudwatch_sns_alarms	cloudposse/alb-target-group-cloudwatch-sns-alarms/aws	0.16.1
container_definition	cloudposse/ecs-container-definition/aws	0.58.0
ecr	cloudposse/ecr/aws	0.32.3
ecs_alb_service_task	cloudposse/ecs-alb-service-task/aws	0.60.1
ecs_cloudwatch_autoscaling	cloudposse/ecs-cloudwatch-autoscaling/aws	0.7.2
ecs_cloudwatch_sns_alarms	cloudposse/ecs-cloudwatch-sns-alarms/aws	0.12.1
ecs_codepipeline	cloudposse/ecs-codepipeline/aws	0.28.4
this	cloudposse/label/null	0.25.0

Resources

Name	Type
aws_cloudwatch_log_group.app	resource
aws_region.current	data source

Inputs

Name	Description	Type	Default	Required
additional_tag_map	Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`. This is for some rare cases where resources want additional configuration of tags and therefore take a list of maps with tag key, value, and additional configuration.	`map(string)`	`{}`	no
alb_arn_suffix	ARN suffix of the ALB for the Target Group	`string`	`""`	no
alb_container_name	The name of the container to associate with the ALB. If not provided, the generated container will be used	`string`	`null`	no
alb_ingress_authenticated_hosts	Authenticated hosts to match in Hosts header	`list(string)`	`[]`	no
alb_ingress_authenticated_listener_arns	A list of authenticated ALB listener ARNs to attach ALB listener rules to	`list(string)`	`[]`	no
alb_ingress_authenticated_listener_arns_count	The number of authenticated ARNs in `alb_ingress_authenticated_listener_arns`. This is necessary to work around a limitation in Terraform where counts cannot be computed	`number`	`0`	no
alb_ingress_authenticated_paths	Authenticated path pattern to match (a maximum of 1 can be defined)	`list(string)`	`[]`	no
alb_ingress_enable_default_target_group	If true, create a default target group for the ALB ingress	`bool`	`true`	no
alb_ingress_health_check_healthy_threshold	The number of consecutive health checks successes required before healthy	`number`	`2`	no
alb_ingress_health_check_interval	The duration in seconds in between health checks	`number`	`15`	no
alb_ingress_health_check_matcher	The HTTP response codes to indicate a healthy check	`string`	`"200-399"`	no
alb_ingress_health_check_timeout	The amount of time to wait in seconds before failing a health check request	`number`	`10`	no
alb_ingress_health_check_unhealthy_threshold	The number of consecutive health check failures required before unhealthy	`number`	`2`	no
alb_ingress_healthcheck_path	The path of the healthcheck which the ALB checks	`string`	`"/"`	no
alb_ingress_healthcheck_protocol	The protocol to use to connect with the target. Defaults to `HTTP`. Not applicable when `target_type` is `lambda`	`string`	`"HTTP"`	no
alb_ingress_listener_authenticated_priority	The priority for the rules with authentication, between 1 and 50000 (1 being highest priority). Must be different from `alb_ingress_listener_unauthenticated_priority` since a listener can't have multiple rules with the same priority	`number`	`300`	no
alb_ingress_listener_unauthenticated_priority	The priority for the rules without authentication, between 1 and 50000 (1 being highest priority). Must be different from `alb_ingress_listener_authenticated_priority` since a listener can't have multiple rules with the same priority	`number`	`1000`	no
alb_ingress_target_group_arn	Existing ALB target group ARN. If provided, set `alb_ingress_enable_default_target_group` to `false` to disable creation of the default target group	`string`	`""`	no
alb_ingress_unauthenticated_hosts	Unauthenticated hosts to match in Hosts header	`list(string)`	`[]`	no
alb_ingress_unauthenticated_listener_arns	A list of unauthenticated ALB listener ARNs to attach ALB listener rules to	`list(string)`	`[]`	no
alb_ingress_unauthenticated_listener_arns_count	The number of unauthenticated ARNs in `alb_ingress_unauthenticated_listener_arns`. This is necessary to work around a limitation in Terraform where counts cannot be computed	`number`	`0`	no
alb_ingress_unauthenticated_paths	Unauthenticated path pattern to match (a maximum of 1 can be defined)	`list(string)`	`[]`	no
alb_security_group	Security group of the ALB	`string`	n/a	yes
alb_stickiness_cookie_duration	The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds)	`number`	`86400`	no
alb_stickiness_enabled	Boolean to enable / disable `stickiness`. Default is `true`	`bool`	`true`	no
alb_stickiness_type	The type of sticky sessions. The only current possible value is `lb_cookie`	`string`	`"lb_cookie"`	no
alb_target_group_alarms_3xx_threshold	The maximum number of 3XX HTTPCodes in a given period for ECS Service	`number`	`25`	no
alb_target_group_alarms_4xx_threshold	The maximum number of 4XX HTTPCodes in a given period for ECS Service	`number`	`25`	no
alb_target_group_alarms_5xx_threshold	The maximum number of 5XX HTTPCodes in a given period for ECS Service	`number`	`25`	no
alb_target_group_alarms_alarm_actions	A list of ARNs (i.e. SNS Topic ARN) to execute when ALB Target Group alarms transition into an ALARM state from any other state	`list(string)`	`[]`	no
alb_target_group_alarms_enabled	A boolean to enable/disable CloudWatch Alarms for ALB Target metrics	`bool`	`false`	no
alb_target_group_alarms_evaluation_periods	The number of periods to analyze for ALB CloudWatch Alarms	`number`	`1`	no
alb_target_group_alarms_insufficient_data_actions	A list of ARNs (i.e. SNS Topic ARN) to execute when ALB Target Group alarms transition into an INSUFFICIENT_DATA state from any other state	`list(string)`	`[]`	no
alb_target_group_alarms_ok_actions	A list of ARNs (i.e. SNS Topic ARN) to execute when ALB Target Group alarms transition into an OK state from any other state	`list(string)`	`[]`	no
alb_target_group_alarms_period	The period (in seconds) to analyze for ALB CloudWatch Alarms	`number`	`300`	no
alb_target_group_alarms_response_time_threshold	The maximum ALB Target Group response time	`number`	`0.5`	no
assign_public_ip	Assign a public IP address to the ENI (Fargate launch type only). Valid values are `true` or `false`. Default `false`	`bool`	`false`	no
attributes	ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`, in the order they appear in the list. New attributes are appended to the end of the list. The elements of the list are joined by the `delimiter` and treated as a single ID element.	`list(string)`	`[]`	no
authentication_cognito_scope	Cognito scope, which should be a space separated string of requested scopes (see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims)	`string`	`null`	no
authentication_cognito_user_pool_arn	Cognito User Pool ARN	`string`	`""`	no
authentication_cognito_user_pool_client_id	Cognito User Pool Client ID	`string`	`""`	no
authentication_cognito_user_pool_domain	Cognito User Pool Domain. The User Pool Domain should be set to the domain prefix (`xxx`) instead of full domain (https://xxx.auth.us-west-2.amazoncognito.com)	`string`	`""`	no
authentication_oidc_authorization_endpoint	OIDC Authorization Endpoint	`string`	`""`	no
authentication_oidc_client_id	OIDC Client ID	`string`	`""`	no
authentication_oidc_client_secret	OIDC Client Secret	`string`	`""`	no
authentication_oidc_issuer	OIDC Issuer	`string`	`""`	no
authentication_oidc_scope	OIDC scope, which should be a space separated string of requested scopes (see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims, and https://developers.google.com/identity/protocols/oauth2/openid-connect#scope-param for an example set of scopes when using Google as the IdP)	`string`	`null`	no
authentication_oidc_token_endpoint	OIDC Token Endpoint	`string`	`""`	no
authentication_oidc_user_info_endpoint	OIDC User Info Endpoint	`string`	`""`	no
authentication_type	Authentication type. Supported values are `COGNITO` and `OIDC`	`string`	`""`	no
autoscaling_dimension	Dimension to autoscale on (valid options: cpu, memory)	`string`	`"memory"`	no
autoscaling_enabled	A boolean to enable/disable Autoscaling policy for ECS Service	`bool`	`false`	no
autoscaling_max_capacity	Maximum number of running instances of a Service	`number`	`2`	no
autoscaling_min_capacity	Minimum number of running instances of a Service	`number`	`1`	no
autoscaling_scale_down_adjustment	Scaling adjustment to make during scale down event	`number`	`-1`	no
autoscaling_scale_down_cooldown	Period (in seconds) to wait between scale down events	`number`	`300`	no
autoscaling_scale_up_adjustment	Scaling adjustment to make during scale up event	`number`	`1`	no
autoscaling_scale_up_cooldown	Period (in seconds) to wait between scale up events	`number`	`60`	no
aws_logs_prefix	Custom AWS Logs prefix. If empty name from label module will be used	`string`	`""`	no
aws_logs_region	The region for the AWS Cloudwatch Logs group	`string`	`null`	no
badge_enabled	Generates a publicly-accessible URL for the projects build badge. Available as badge_url attribute when enabled	`bool`	`false`	no
branch	Branch of the GitHub repository, e.g. `master`	`string`	`""`	no
build_environment_variables	A list of maps, that contain the keys 'name', 'value', and 'type' to be used as additional environment variables for the build. Valid types are 'PLAINTEXT', 'PARAMETER_STORE', or 'SECRETS_MANAGER'	list(object( { name = string value = string type = string }))	`[]`	no
build_image	Docker image for build environment, e.g. `aws/codebuild/docker:docker:17.09.0`	`string`	`"aws/codebuild/docker:17.09.0"`	no
build_timeout	How long in minutes, from 5 to 480 (8 hours), for AWS CodeBuild to wait until timing out any related build that does not get marked as completed	`number`	`60`	no
buildspec	Declaration to use for building the project. For more info	`string`	`""`	no
capacity_provider_strategies	The capacity provider strategies to use for the service. See `capacity_provider_strategy` configuration block: https://www.terraform.io/docs/providers/aws/r/ecs_service.html#capacity_provider_strategy	list(object({ capacity_provider = string weight = number base = number }))	`[]`	no
circuit_breaker_deployment_enabled	If `true`, enable the deployment circuit breaker logic for the service	`bool`	`false`	no
circuit_breaker_rollback_enabled	If `true`, Amazon ECS will roll back the service if a service deployment fails	`bool`	`false`	no
cloudwatch_log_group_enabled	A boolean to disable cloudwatch log group creation	`bool`	`true`	no
codepipeline_build_cache_bucket_suffix_enabled	The codebuild cache bucket generates a random 13 character string to generate a unique bucket name. If set to false it uses terraform-null-label's id value. It only works when cache_type is 'S3'	`bool`	`true`	no
codepipeline_build_compute_type	`CodeBuild` instance size. Possible values are: `BUILD_GENERAL1_SMALL` `BUILD_GENERAL1_MEDIUM` `BUILD_GENERAL1_LARGE`	`string`	`"BUILD_GENERAL1_SMALL"`	no
codepipeline_cdn_bucket_buildspec_identifier	Identifier for buildspec section controlling the optional CDN asset deployment.	`string`	`null`	no
codepipeline_cdn_bucket_encryption_enabled	If set to true, enable encryption on the optional CDN asset deployment bucket	`bool`	`false`	no
codepipeline_cdn_bucket_id	Optional bucket for static asset deployment. If specified, the buildspec must include a secondary artifacts section which controls the files deployed to the bucket For more info	`string`	`null`	no
codepipeline_enabled	A boolean to enable/disable AWS Codepipeline and ECR	`bool`	`true`	no
codepipeline_s3_bucket_force_destroy	A boolean that indicates all objects should be deleted from the CodePipeline artifact store S3 bucket so that the bucket can be destroyed without error	`bool`	`false`	no
command	The command that is passed to the container	`list(string)`	`null`	no
container_cpu	The vCPU setting to control cpu limits of container. (If FARGATE launch type is used below, this must be a supported vCPU size from the table here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html)	`number`	`256`	no
container_definition	Override the main container_definition	`string`	`""`	no
container_environment	The environment variables to pass to the container. This is a list of maps	list(object({ name = string value = string }))	`null`	no
container_image	The default container image to use in container definition	`string`	`"cloudposse/default-backend"`	no
container_memory	The amount of RAM to allow container to use in MB. (If FARGATE launch type is used below, this must be a supported Memory size from the table here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html)	`number`	`512`	no
container_memory_reservation	The amount of RAM (Soft Limit) to allow container to use in MB. This value must be less than `container_memory` if set	`number`	`128`	no
container_port	The port number on the container bound to assigned host_port	`number`	`80`	no
container_repo_credentials	Container repository credentials; required when using a private repo. This map currently supports a single key; "credentialsParameter", which should be the ARN of a Secrets Manager's secret holding the credentials	`map(string)`	`null`	no
container_start_timeout	Time duration (in seconds) to wait before giving up on resolving dependencies for a container	`number`	`30`	no
container_stop_timeout	Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own	`number`	`30`	no
context	Single object for setting entire context at once. See description of individual variables for details. Leave string and numeric variables as `null` to use default value. Individual variable settings (non-null) override settings in context object, except for attributes, tags, and additional_tag_map, which are merged.	`any`	{ "additional_tag_map": {}, "attributes": [], "delimiter": null, "descriptor_formats": {}, "enabled": true, "environment": null, "id_length_limit": null, "label_key_case": null, "label_order": [], "label_value_case": null, "labels_as_tags": [ "unset" ], "name": null, "namespace": null, "regex_replace_chars": null, "stage": null, "tags": {}, "tenant": null }	no
delimiter	Delimiter to be used between ID elements. Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.	`string`	`null`	no
deployment_controller_type	Type of deployment controller. Valid values are CODE_DEPLOY and ECS	`string`	`"ECS"`	no
descriptor_formats	Describe additional descriptors to be output in the `descriptors` output map. Map of maps. Keys are names of descriptors. Values are maps of the form `{<br> format = string<br> labels = list(string)<br>}` (Type is `any` so the map values can later be enhanced to provide additional options.) `format` is a Terraform format string to be passed to the `format()` function. `labels` is a list of labels, in order, to pass to `format()` function. Label values will be normalized before being passed to `format()` so they will be identical to how they appear in `id`. Default is `{}` (`descriptors` output will be empty).	`any`	`{}`	no
desired_count	The desired number of tasks to start with. Set this to 0 if using DAEMON Service type. (FARGATE does not suppoert DAEMON Service type)	`number`	`1`	no
ecr_image_tag_mutability	The tag mutability setting for the ecr repository. Must be one of: `MUTABLE` or `IMMUTABLE`	`string`	`"IMMUTABLE"`	no
ecr_scan_images_on_push	Indicates whether images are scanned after being pushed to the repository (true) or not (false)	`bool`	`false`	no
ecs_alarms_cpu_utilization_high_alarm_actions	A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization High Alarm action	`list(string)`	`[]`	no
ecs_alarms_cpu_utilization_high_evaluation_periods	Number of periods to evaluate for the alarm	`number`	`1`	no
ecs_alarms_cpu_utilization_high_ok_actions	A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization High OK action	`list(string)`	`[]`	no
ecs_alarms_cpu_utilization_high_period	Duration in seconds to evaluate for the alarm	`number`	`300`	no
ecs_alarms_cpu_utilization_high_threshold	The maximum percentage of CPU utilization average	`number`	`80`	no
ecs_alarms_cpu_utilization_low_alarm_actions	A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization Low Alarm action	`list(string)`	`[]`	no
ecs_alarms_cpu_utilization_low_evaluation_periods	Number of periods to evaluate for the alarm	`number`	`1`	no
ecs_alarms_cpu_utilization_low_ok_actions	A list of ARNs (i.e. SNS Topic ARN) to notify on CPU Utilization Low OK action	`list(string)`	`[]`	no
ecs_alarms_cpu_utilization_low_period	Duration in seconds to evaluate for the alarm	`number`	`300`	no
ecs_alarms_cpu_utilization_low_threshold	The minimum percentage of CPU utilization average	`number`	`20`	no
ecs_alarms_enabled	A boolean to enable/disable CloudWatch Alarms for ECS Service metrics	`bool`	`false`	no
ecs_alarms_memory_utilization_high_alarm_actions	A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization High Alarm action	`list(string)`	`[]`	no
ecs_alarms_memory_utilization_high_evaluation_periods	Number of periods to evaluate for the alarm	`number`	`1`	no
ecs_alarms_memory_utilization_high_ok_actions	A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization High OK action	`list(string)`	`[]`	no
ecs_alarms_memory_utilization_high_period	Duration in seconds to evaluate for the alarm	`number`	`300`	no
ecs_alarms_memory_utilization_high_threshold	The maximum percentage of Memory utilization average	`number`	`80`	no
ecs_alarms_memory_utilization_low_alarm_actions	A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization Low Alarm action	`list(string)`	`[]`	no
ecs_alarms_memory_utilization_low_evaluation_periods	Number of periods to evaluate for the alarm	`number`	`1`	no
ecs_alarms_memory_utilization_low_ok_actions	A list of ARNs (i.e. SNS Topic ARN) to notify on Memory Utilization Low OK action	`list(string)`	`[]`	no
ecs_alarms_memory_utilization_low_period	Duration in seconds to evaluate for the alarm	`number`	`300`	no
ecs_alarms_memory_utilization_low_threshold	The minimum percentage of Memory utilization average	`number`	`20`	no
ecs_cluster_arn	The ECS Cluster ARN where ECS Service will be provisioned	`string`	n/a	yes
ecs_cluster_name	The ECS Cluster Name to use in ECS Code Pipeline Deployment step	`string`	`null`	no
ecs_private_subnet_ids	List of Private Subnet IDs to provision ECS Service onto if `var.network_mode = "awsvpc"`	`list(string)`	n/a	yes
ecs_security_group_ids	Additional Security Group IDs to allow into ECS Service if `var.network_mode = "awsvpc"`	`list(string)`	`[]`	no
enable_all_egress_rule	A flag to enable/disable adding the all ports egress rule to the ECS security group	`bool`	`true`	no
enable_ecs_managed_tags	Specifies whether to enable Amazon ECS managed tags for the tasks within the service	`bool`	`false`	no
enabled	Set to false to prevent the module from creating any resources	`bool`	`null`	no
entrypoint	The entry point that is passed to the container	`list(string)`	`null`	no
environment	ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'	`string`	`null`	no
exec_enabled	Specifies whether to enable Amazon ECS Exec for the tasks within the service	`bool`	`false`	no
force_new_deployment	Enable to force a new task deployment of the service.	`bool`	`false`	no
github_oauth_token	GitHub Oauth Token with permissions to access private repositories	`string`	`""`	no
github_webhook_events	A list of events which should trigger the webhook. See a list of available events	`list(string)`	[ "push" ]	no
github_webhooks_token	GitHub OAuth Token with permissions to create webhooks. If not provided, can be sourced from the `GITHUB_TOKEN` environment variable	`string`	`""`	no
health_check_grace_period_seconds	Seconds to ignore failing load balancer health checks on newly instantiated tasks to prevent premature shutdown, up to 7200. Only valid for services configured to use load balancers	`number`	`0`	no
healthcheck	A map containing command (string), timeout, interval (duration in seconds), retries (1-10, number of times to retry before marking container unhealthy), and startPeriod (0-300, optional grace period to wait, in seconds, before failed healthchecks count toward retries)	object({ command = list(string) retries = number timeout = number interval = number startPeriod = number })	`null`	no
id_length_limit	Limit `id` to this many characters (minimum 6). Set to `0` for unlimited length. Set to `null` for keep the existing setting, which defaults to `0`. Does not affect `id_full`.	`number`	`null`	no
ignore_changes_desired_count	Whether to ignore changes for desired count in the ECS service	`bool`	`false`	no
ignore_changes_task_definition	Ignore changes (like environment variables) to the ECS task definition	`bool`	`true`	no
init_containers	A list of additional init containers to start. The map contains the container_definition (JSON) and the main container's dependency condition (string) on the init container. The latter can be one of START, COMPLETE, SUCCESS or HEALTHY.	list(object({ container_definition = any condition = string }))	`[]`	no
label_key_case	Controls the letter case of the `tags` keys (label names) for tags generated by this module. Does not affect keys of tags passed in via the `tags` input. Possible values: `lower`, `title`, `upper`. Default value: `title`.	`string`	`null`	no
label_order	The order in which the labels (ID elements) appear in the `id`. Defaults to ["namespace", "environment", "stage", "name", "attributes"]. You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.	`list(string)`	`null`	no
label_value_case	Controls the letter case of ID elements (labels) as included in `id`, set as tag values, and output by this module individually. Does not affect values of tags passed in via the `tags` input. Possible values: `lower`, `title`, `upper` and `none` (no transformation). Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs. Default value: `lower`.	`string`	`null`	no
labels_as_tags	Set of labels (ID elements) to include as tags in the `tags` output. Default is to include all labels. Tags with empty values will not be included in the `tags` output. Set to `[]` to suppress all generated tags. Notes: The value of the `name` tag, if included, will be the `id`, not the `name`. Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be changed in later chained modules. Attempts to change it will be silently ignored.	`set(string)`	[ "default" ]	no
launch_type	The ECS launch type (valid options: FARGATE or EC2)	`string`	`"FARGATE"`	no
log_driver	The log driver to use for the container. If using Fargate launch type, only supported value is awslogs	`string`	`"awslogs"`	no
log_retention_in_days	The number of days to retain logs for the log group	`number`	`90`	no
map_container_environment	The environment variables to pass to the container. This is a map of string: {key: value}. `environment` overrides `map_environment`	`map(string)`	`null`	no
mount_points	Container mount points. This is a list of maps, where each map should contain a `containerPath` and `sourceVolume`	list(object({ containerPath = string sourceVolume = string readOnly = bool }))	`[]`	no
name	ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'. This is the only ID element not also included as a `tag`. The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.	`string`	`null`	no
namespace	ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique	`string`	`null`	no
network_mode	The network mode to use for the task. This is required to be `awsvpc` for `FARGATE` `launch_type` or `null` for `EC2` `launch_type`	`string`	`"awsvpc"`	no
nlb_cidr_blocks	A list of CIDR blocks to add to the ingress rule for the NLB container port	`list(string)`	`[]`	no
nlb_container_name	The name of the container to associate with the NLB. If not provided, the generated container will be used	`string`	`null`	no
nlb_container_port	The port number on the container bound to assigned NLB host_port	`number`	`80`	no
nlb_ingress_target_group_arn	Target group ARN of the NLB ingress	`string`	`""`	no
platform_version	The platform version on which to run your service. Only applicable for launch_type set to FARGATE. More information about Fargate platform versions can be found in the AWS ECS User Guide.	`string`	`"LATEST"`	no
poll_source_changes	Periodically check the location of your source content and run the pipeline if changes are detected	`bool`	`false`	no
port_mappings	The port mappings to configure for the container. This is a list of maps. Each map should contain "containerPort", "hostPort", and "protocol", where "protocol" is one of "tcp" or "udp". If using containers in a task with the awsvpc or host network mode, the hostPort can either be left blank or set to the same value as the containerPort	list(object({ containerPort = number hostPort = number protocol = string }))	[ { "containerPort": 80, "hostPort": 80, "protocol": "tcp" } ]	no
privileged	When this variable is `true`, the container is given elevated privileges on the host container instance (similar to the root user). This parameter is not supported for Windows containers or tasks using the Fargate launch type. Due to how Terraform type casts booleans in json it is required to double quote this value	`string`	`null`	no
propagate_tags	Specifies whether to propagate the tags from the task definition or the service to the tasks. The valid values are SERVICE and TASK_DEFINITION	`string`	`null`	no
regex_replace_chars	Terraform regular expression (regex) string. Characters matching the regex will be removed from the ID elements. If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.	`string`	`null`	no
region	AWS Region for S3 bucket	`string`	`null`	no
repo_name	GitHub repository name of the application to be built and deployed to ECS	`string`	`""`	no
repo_owner	GitHub Organization or Username	`string`	`""`	no
secrets	The secrets to pass to the container. This is a list of maps	list(object({ name = string valueFrom = string }))	`null`	no
service_registries	The service discovery registries for the service. The maximum number of service_registries blocks is 1. The currently supported service registry is Amazon Route 53 Auto Naming Service - `aws_service_discovery_service`; see `service_registries` docs https://www.terraform.io/docs/providers/aws/r/ecs_service.html#service_registries-1	list(object({ registry_arn = string port = number container_name = string container_port = number }))	`[]`	no
stage	ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'	`string`	`null`	no
system_controls	A list of namespaced kernel parameters to set in the container, mapping to the --sysctl option to docker run. This is a list of maps: { namespace = "", value = ""}	`list(map(string))`	`null`	no
tags	Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`). Neither the tag keys nor the tag values will be modified by this module.	`map(string)`	`{}`	no
task_cpu	The number of CPU units used by the task. If unspecified, it will default to `container_cpu`. If using `FARGATE` launch type `task_cpu` must match supported memory values (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size)	`number`	`null`	no
task_memory	The amount of memory (in MiB) used by the task. If unspecified, it will default to `container_memory`. If using Fargate launch type `task_memory` must match supported cpu value (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size)	`number`	`null`	no
task_policy_arns	A list of IAM Policy ARNs to attach to the generated task role.	`list(string)`	`[]`	no
task_role_arn	The ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services	`string`	`""`	no
tenant	ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for	`string`	`null`	no
ulimits	The ulimits to configure for the container. This is a list of maps. Each map should contain "name", "softLimit" and "hardLimit"	list(object({ name = string softLimit = number hardLimit = number }))	`[]`	no
use_alb_security_group	A boolean to enable adding an ALB security group rule for the service task	`bool`	`false`	no
use_ecr_image	If true, use ECR repo URL for image, otherwise use value in container_image	`bool`	`false`	no
use_nlb_cidr_blocks	A flag to enable/disable adding the NLB ingress rule to the security group	`bool`	`false`	no
volumes	Task volume definitions as list of configuration objects	list(object({ host_path = string name = string docker_volume_configuration = list(object({ autoprovision = bool driver = string driver_opts = map(string) labels = map(string) scope = string })) efs_volume_configuration = list(object({ file_system_id = string root_directory = string transit_encryption = string transit_encryption_port = string authorization_config = list(object({ access_point_id = string iam = string })) })) }))	`[]`	no
vpc_id	The VPC ID where resources are created	`string`	n/a	yes
webhook_authentication	The type of authentication to use. One of IP, GITHUB_HMAC, or UNAUTHENTICATED	`string`	`"GITHUB_HMAC"`	no
webhook_enabled	Set to false to prevent the module from creating any webhook resources	`bool`	`true`	no
webhook_filter_json_path	The JSON path to filter on	`string`	`"$.ref"`	no
webhook_filter_match_equals	The value to match on (e.g. refs/heads/{Branch})	`string`	`"refs/heads/{Branch}"`	no
webhook_target_action	The name of the action in a pipeline you want to connect to the webhook. The action must be from the source (first) stage of the pipeline	`string`	`"Source"`	no

Outputs

Name	Description
alb_ingress	All outputs from `module.alb_ingress`
alb_ingress_target_group_arn	ALB Target Group ARN
alb_ingress_target_group_arn_suffix	ALB Target Group ARN suffix
alb_ingress_target_group_name	ALB Target Group name
alb_target_group_cloudwatch_sns_alarms	All outputs from `module.alb_target_group_cloudwatch_sns_alarms`
cloudwatch_log_group	All outputs from `aws_cloudwatch_log_group.app`
cloudwatch_log_group_arn	Cloudwatch log group ARN
cloudwatch_log_group_name	Cloudwatch log group name
codebuild	All outputs from `module.ecs_codepipeline`
codebuild_badge_url	The URL of the build badge when badge_enabled is enabled
codebuild_cache_bucket_arn	CodeBuild cache S3 bucket ARN
codebuild_cache_bucket_name	CodeBuild cache S3 bucket name
codebuild_project_id	CodeBuild project ID
codebuild_project_name	CodeBuild project name
codebuild_role_arn	CodeBuild IAM Role ARN
codebuild_role_id	CodeBuild IAM Role ID
codepipeline_arn	CodePipeline ARN
codepipeline_id	CodePipeline ID
codepipeline_webhook_id	The CodePipeline webhook's ID
codepipeline_webhook_url	The CodePipeline webhook's URL. POST events to this endpoint to trigger the target
container_definition	All outputs from `module.container_definition`
container_definition_json	JSON encoded list of container definitions for use with other terraform resources such as aws_ecs_task_definition
container_definition_json_map	JSON encoded container definitions for use with other terraform resources such as aws_ecs_task_definition
ecr	All outputs from `module.ecr`
ecr_registry_id	Registry ID
ecr_registry_url	Repository URL
ecr_repository_arn	ARN of ECR repository
ecr_repository_name	Registry name
ecr_repository_url	Repository URL
ecs_alarms	All outputs from `module.ecs_cloudwatch_sns_alarms`
ecs_alarms_cpu_utilization_high_cloudwatch_metric_alarm_arn	ECS CPU utilization high CloudWatch metric alarm ARN
ecs_alarms_cpu_utilization_high_cloudwatch_metric_alarm_id	ECS CPU utilization high CloudWatch metric alarm ID
ecs_alarms_cpu_utilization_low_cloudwatch_metric_alarm_arn	ECS CPU utilization low CloudWatch metric alarm ARN
ecs_alarms_cpu_utilization_low_cloudwatch_metric_alarm_id	ECS CPU utilization low CloudWatch metric alarm ID
ecs_alarms_memory_utilization_high_cloudwatch_metric_alarm_arn	ECS Memory utilization high CloudWatch metric alarm ARN
ecs_alarms_memory_utilization_high_cloudwatch_metric_alarm_id	ECS Memory utilization high CloudWatch metric alarm ID
ecs_alarms_memory_utilization_low_cloudwatch_metric_alarm_arn	ECS Memory utilization low CloudWatch metric alarm ARN
ecs_alarms_memory_utilization_low_cloudwatch_metric_alarm_id	ECS Memory utilization low CloudWatch metric alarm ID
ecs_alb_service_task	All outputs from `module.ecs_alb_service_task`
ecs_cloudwatch_autoscaling	All outputs from `module.ecs_cloudwatch_autoscaling`
ecs_cloudwatch_autoscaling_scale_down_policy_arn	ARN of the scale down policy
ecs_cloudwatch_autoscaling_scale_up_policy_arn	ARN of the scale up policy
ecs_exec_role_policy_id	The ECS service role policy ID, in the form of `role_name:role_policy_name`
ecs_exec_role_policy_name	ECS service role name
ecs_service_name	ECS Service name
ecs_service_role_arn	ECS Service role ARN
ecs_service_security_group_id	Security Group ID of the ECS task
ecs_task_definition_family	ECS task definition family
ecs_task_definition_revision	ECS task definition revision
ecs_task_exec_role_arn	ECS Task exec role ARN
ecs_task_exec_role_name	ECS Task role name
ecs_task_role_arn	ECS Task role ARN
ecs_task_role_id	ECS Task role id
ecs_task_role_name	ECS Task role name
httpcode_elb_5xx_count_cloudwatch_metric_alarm_arn	ALB 5xx count CloudWatch metric alarm ARN
httpcode_elb_5xx_count_cloudwatch_metric_alarm_id	ALB 5xx count CloudWatch metric alarm ID
httpcode_target_3xx_count_cloudwatch_metric_alarm_arn	ALB Target Group 3xx count CloudWatch metric alarm ARN
httpcode_target_3xx_count_cloudwatch_metric_alarm_id	ALB Target Group 3xx count CloudWatch metric alarm ID
httpcode_target_4xx_count_cloudwatch_metric_alarm_arn	ALB Target Group 4xx count CloudWatch metric alarm ARN
httpcode_target_4xx_count_cloudwatch_metric_alarm_id	ALB Target Group 4xx count CloudWatch metric alarm ID
httpcode_target_5xx_count_cloudwatch_metric_alarm_arn	ALB Target Group 5xx count CloudWatch metric alarm ARN
httpcode_target_5xx_count_cloudwatch_metric_alarm_id	ALB Target Group 5xx count CloudWatch metric alarm ID
target_response_time_average_cloudwatch_metric_alarm_arn	ALB Target Group response time average CloudWatch metric alarm ARN
target_response_time_average_cloudwatch_metric_alarm_id	ALB Target Group response time average CloudWatch metric alarm ID

Share the Love

Like this project? Please give it a ★ on our GitHub! (it helps us a lot)

Are you using this project or any of our other projects? Consider leaving a testimonial. =)

Related Projects

Check out these related projects.

terraform-aws-alb - Terraform module to provision a standard ALB for HTTP/HTTP traffic
terraform-aws-alb-ingress - Terraform module to provision an HTTP style ingress rule based on hostname and path for an ALB
terraform-aws-codebuild - Terraform Module to easily leverage AWS CodeBuild for Continuous Integration
terraform-aws-ecr - Terraform Module to manage Docker Container Registries on AWS ECR
terraform-aws-ecs-alb-service-task - Terraform module which implements an ECS service which exposes a web service via ALB.
terraform-aws-ecs-codepipeline - Terraform Module for CI/CD with AWS Code Pipeline and Code Build for ECS
terraform-aws-ecs-container-definition - Terraform module to generate well-formed JSON documents that are passed to the aws_ecs_task_definition Terraform resource
terraform-aws-lb-s3-bucket - Terraform module to provision an S3 bucket with built in IAM policy to allow AWS Load Balancers to ship access logs.
terraform-aws-eks-cluster - Terraform module for provisioning an EKS cluster
terraform-aws-eks-workers - Terraform module to provision an AWS AutoScaling Group, IAM Role, and Security Group for EKS Workers
terraform-aws-ec2-autoscale-group - Terraform module to provision Auto Scaling Group and Launch Template on AWS

Help

Got a question? We got answers.

File a GitHub issue, send us an email or join our Slack Community.

DevOps Accelerator for Startups

We are a DevOps Accelerator. We'll help you build your cloud infrastructure from the ground up so you can own it. Then we'll show you how to operate it and stick around for as long as you need us.

Work directly with our team of DevOps experts via email, slack, and video conferencing.

We deliver 10x the value for a fraction of the cost of a full-time engineer. Our track record is not even funny. If you want things done right and you need it done FAST, then we're your best bet.

Reference Architecture. You'll get everything you need from the ground up built using 100% infrastructure as code.
Release Engineering. You'll have end-to-end CI/CD with unlimited staging environments.
Site Reliability Engineering. You'll have total visibility into your apps and microservices.
Security Baseline. You'll have built-in governance with accountability and audit logs for all changes.
GitOps. You'll be able to operate your infrastructure via Pull Requests.
Training. You'll receive hands-on training so your team can operate what we build.
Questions. You'll have a direct line of communication between our teams via a Shared Slack channel.
Troubleshooting. You'll get help to triage when things aren't working.
Code Reviews. You'll receive constructive feedback on Pull Requests.
Bug Fixes. We'll rapidly work with you to fix any bugs in our projects.

Slack Community

Join our Open Source Community on Slack. It's FREE for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally sweet infrastructure.

Discourse Forums

Participate in our Discourse Forums. Here you'll find answers to commonly asked questions. Most questions will be related to the enormous number of projects we support on our GitHub. Come here to collaborate on answers, find solutions, and get ideas about the products and services we value. It only takes a minute to get started! Just sign in with SSO using your GitHub account.

Sign up for our newsletter that covers everything on our technology radar. Receive updates on what we're up to on GitHub as well as awesome new projects we discover.

Office Hours

Join us every Wednesday via Zoom for our weekly "Lunch & Learn" sessions. It's FREE for everyone!

Contributing

Bug Reports & Feature Requests

Please use the issue tracker to report any bugs or file feature requests.

Developing

If you are interested in being a contributor and want to get involved in developing this project or help out with our other projects, we would love to hear from you! Shoot us an email.

In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

Fork the repo on GitHub
Clone the project to your own machine
Commit changes to your own branch
Push your work back up to your fork
Submit a Pull Request so that we can review your changes

NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!

Copyright

License

See LICENSE for full details.

Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements.  See the NOTICE file
distributed with this work for additional information
regarding copyright ownership.  The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License.  You may obtain a copy of the License at

  https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied.  See the License for the
specific language governing permissions and limitations
under the License.

Trademarks

All other trademarks referenced herein are the property of their respective owners.

About

This project is maintained and funded by Cloud Posse, LLC. Like it? Please let us know by leaving a testimonial!

We're a DevOps Professional Services company based in Los Angeles, CA. We ❤️ Open Source Software.

We offer paid support on all of our projects.

Check out our other projects, follow us on twitter, apply for a job, or hire us to help with your cloud strategy and implementation.

Contributors

Erik Osterman	Igor Rodionov	Andriy Knysh	Sarkis Varozian

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

cloudposse / terraform-aws-ecs-web-app

Programming Languages

Labels

Projects that are alternatives of or similar to terraform-aws-ecs-web-app