terraform-aws-ecs

This terraform module builds an Elastic Container Service(ECS) Cluster in AWS.

The following resources will be created:

  • Elastic File System (EFS)
  • Auto Scaling
  • CloudWatch alarms for the Application Load Balancer, Auto Scaling, ECS and EFS
  • S3 bucket to store the Application Load Balancer access logs
  • Security groups for the ALB, the internal ALB, the ECS nodes and the RDS database
  • Web Application Firewall (WAF)
  • Instances for ECS Workers
  • IAM roles and policies for the container instances

In addition, you can choose whether or not to create:

  • Application Load Balancer (ALB)
    • alb - An external ALB
    • alb_internal - A second internal ALB for private APIs
    • alb_only - Deploy only an Application Load Balancer (no CloudFront) with the cluster

Usage

module "ecs_apps" {
  # Pin the module to a released tag rather than tracking the default branch.
  source               = "git::https://github.com/DNXLabs/terraform-aws-ecs.git?ref=0.1.0"

  # Terraform >= 0.13 (see Requirements): use bare expressions, not "${...}" wrapping.
  name                 = local.workspace["cluster_name"]
  instance_types       = ["t3.large", "t2.large", "m2.xlarge"]
  vpc_id               = data.aws_vpc.selected.id
  # aws_subnet_ids.*.ids is a set of strings; pass it directly instead of
  # wrapping it in a list literal, which would produce a list(set(string)).
  private_subnet_ids   = data.aws_subnet_ids.private.ids
  public_subnet_ids    = data.aws_subnet_ids.public.ids
  secure_subnet_ids    = data.aws_subnet_ids.secure.ids
  certificate_arn      = data.aws_acm_certificate.dnx_host.arn
  on_demand_percentage = 0 # 0 = all capacity from Spot instances
  asg_min              = 1
  asg_max              = 4
  asg_target_capacity  = 50
}

Requirements

Name Version
terraform >= 0.13.0

Providers

Name Version
aws n/a
random n/a
tls n/a

Inputs

Name Description Type Default Required
alarm_alb_400_errors_threshold Max threshold of HTTP 400 errors allowed in a 5 minutes interval (use 0 to disable this alarm). number 10 no
alarm_alb_500_errors_threshold Max threshold of HTTP 500 errors allowed in a 5 minutes interval (use 0 to disable this alarm). number 10 no
alarm_alb_latency_anomaly_threshold ALB Latency anomaly detection width (use 0 to disable this alarm). number 2 no
alarm_asg_high_cpu_threshold Max threshold average CPU percentage allowed in a 2 minutes interval (use 0 to disable this alarm). number 80 no
alarm_ecs_high_cpu_threshold Max threshold average CPU percentage allowed in a 2 minutes interval (use 0 to disable this alarm). number 80 no
alarm_ecs_high_memory_threshold Max threshold average Memory percentage allowed in a 2 minutes interval (use 0 to disable this alarm). number 80 no
alarm_efs_credits_low_threshold Alerts when EFS credits fall below this number of bytes; the default 1000000000000 is 1 TB out of a maximum of 2.31 TB of credits (use 0 to disable this alarm). number 1000000000000 no
alarm_prefix String prefix for cloudwatch alarms. (Optional) string "alarm" no
alarm_sns_topics Alarm topics to create and alert on ECS instance metrics. list [] no
alb Whether to deploy an ALB or not with the cluster. bool true no
alb_drop_invalid_header_fields Indicates whether HTTP headers with invalid header fields are removed by the load balancer (true) or routed to targets (false). bool true no
alb_enable_deletion_protection Enable deletion protection for ALBs bool false no
alb_http_listener Whether to enable HTTP listeners bool true no
alb_internal Deploys a second internal ALB for private APIs. bool false no
alb_internal_ssl_policy The name of the SSL Policy for the listener. Required if protocol is HTTPS or TLS. string "ELBSecurityPolicy-TLS-1-2-Ext-2018-06" no
alb_only Whether to deploy only an ALB (no CloudFront) with the cluster. bool false no
alb_sg_allow_alb_test_listener Whether to allow world access to the test listeners bool true no
alb_sg_allow_egress_https_world Whether to allow ALB to access HTTPS endpoints - needed when using OIDC authentication bool true no
alb_ssl_policy The name of the SSL Policy for the listener. Required if protocol is HTTPS or TLS. string "ELBSecurityPolicy-2016-08" no
alb_test_listener Enables a second listener on ports 8080 and 8443 for a phased deploy/cutover (blue/green) bool true no
architecture Architecture to select the AMI, x86_64 or arm64 string "x86_64" no
asg_capacity_rebalance Indicates whether capacity rebalance is enabled bool false no
asg_max Max number of instances for autoscaling group. number 4 no
asg_min Min number of instances for autoscaling group. number 1 no
asg_protect_from_scale_in (Optional) Allows setting instance protection. The autoscaling group will not select instances with this setting for termination during scale in events. bool false no
asg_target_capacity Target average capacity percentage for the ECS capacity provider to track for autoscaling. number 70 no
autoscaling_default_cooldown The amount of time, in seconds, after a scaling activity completes before another scaling activity can start. number 300 no
autoscaling_health_check_grace_period The length of time that Auto Scaling waits before checking an instance's health status. The grace period begins when an instance comes into service. number 300 no
backup Assign a backup tag to the EFS resource; backups are performed by AWS Backup. string "true" no
certificate_arn n/a any n/a yes
certificate_internal_arn certificate arn for internal ALB. string "" no
code_deploy Enables CodeDeploy role to be used for deployment bool true no
container_insights Enables CloudWatch Container Insights for a cluster. bool false no
create_efs Enables creation of EFS volume for cluster bool true no
create_iam_service_linked_role Create iam_service_linked_role for ECS or not. bool false no
ebs_key_arn ARN of a KMS Key to use on EBS volumes string "" no
ec2_key_enabled Generate a SSH private key and include in launch template of ECS nodes bool false no
efs_key_arn ARN of a KMS Key to use on EFS volumes string "" no
efs_lifecycle_transition_to_ia Option to enable EFS lifecycle transition to IA (Infrequent Access). string "" no
efs_lifecycle_transition_to_primary_storage_class Option to enable EFS lifecycle transition back to the primary storage class. bool false no
enable_schedule Enables schedule to shut down and start up instances outside business hours. bool false no
extra_certificate_arns Extra ACM certificates to add to ALB Listeners list(string) [] no
extra_task_policies_arn Extra policies to add to the task definition permissions list(string) [] no
fargate_only Enable when cluster is only for fargate and does not require ASG/EC2/EFS infrastructure bool false no
idle_timeout Idle timeout for the ALB, in seconds. number 400 no
instance_types Instance type for ECS workers list(any) [] no
instance_volume_size Volume size for docker volume (in GB). number 30 no
instance_volume_size_root Volume size for root volume (in GB). number 16 no
lb_access_logs_bucket Bucket to store logs from lb access. string "" no
lb_access_logs_prefix Bucket prefix to store lb access logs. string "" no
name Name of this ECS cluster. any n/a yes
on_demand_base_capacity You can designate a base portion of your total capacity as On-Demand. As the group scales, per your settings, the base portion is provisioned first, while additional On-Demand capacity is percentage-based. number 0 no
on_demand_percentage Percentage of on-demand instances vs spot. number 100 no
private_subnet_ids List of private subnet IDs for ECS instances and Internal ALB when enabled. list(string) n/a yes
provisioned_throughput_in_mibps The throughput, measured in MiB/s, that you want to provision for the file system. number 0 no
public_subnet_ids List of public subnet IDs for ECS ALB. list(string) n/a yes
schedule_cron_start Cron expression to define when to trigger a start of the auto-scaling group. E.g. '0 20 * * *' to start at 8pm GMT time. string "" no
schedule_cron_stop Cron expression to define when to trigger a stop of the auto-scaling group. E.g. '0 10 * * *' to stop at 10am GMT time. string "" no
secure_subnet_ids List of secure subnet IDs for EFS. list(string) n/a yes
security_group_ecs_nodes_outbound_cidrs ECS Nodes outbound allowed CIDRs for the security group. list(string) ["0.0.0.0/0"] no
security_group_ids Extra security groups for instances. list(string) [] no
tags Map of tags that will be added to created resources. By default resources will be tagged with terraform=true. map(string) {} no
target_group_arns List of target groups for ASG to register. list(string) [] no
throughput_mode Throughput mode for the file system. Defaults to bursting. Valid values: bursting, provisioned. string "bursting" no
userdata Extra commands to pass to userdata. string "" no
volume_type The EBS volume type string "gp2" no
vpc_id VPC ID to deploy the ECS cluster. any n/a yes
vpn_cidr CIDR of the VPN to grant SSH access to ECS nodes. list ["10.37.0.0/16"] no
wafv2_enable Deploys WAF V2 with Managed rule groups bool false no
wafv2_managed_block_rule_groups List of WAF V2 managed rule groups, set to block list(string) [] no
wafv2_managed_rule_groups List of WAF V2 managed rule groups, set to count list(string) ["AWSManagedRulesCommonRuleSet"] no
wafv2_rate_limit_rule The limit on requests per 5-minute period for a single originating IP address (leave 0 to disable) number 0 no

Outputs

Name Description
alb_arn n/a
alb_dns_name n/a
alb_id n/a
alb_internal_arn n/a
alb_internal_dns_name n/a
alb_internal_id n/a
alb_internal_listener_https_arn n/a
alb_internal_listener_test_traffic_arn n/a
alb_internal_secgrp_id n/a
alb_internal_zone_id n/a
alb_listener_https_arn n/a
alb_listener_test_traffic_arn n/a
alb_secgrp_id n/a
alb_zone_id n/a
ecs_arn n/a
ecs_codedeploy_iam_role_arn n/a
ecs_iam_role_arn n/a
ecs_iam_role_name n/a
ecs_id n/a
ecs_name n/a
ecs_nodes_secgrp_id n/a
ecs_service_iam_role_arn n/a
ecs_service_iam_role_name n/a
ecs_task_iam_role_arn n/a
ecs_task_iam_role_name n/a
efs_fs_id n/a
private_key_pem n/a

WAF V2 Managed rule groups

The official documentation with the list of groups and individual rules is available here: (https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html).

By default, only the Core rule set (a.k.a. Common rules) is deployed with WAF. If you want to customise the Web ACL and add more managed groups, the list of group names expected by Terraform is in this developer guide: (https://docs.aws.amazon.com/waf/latest/developerguide/waf-using-managed-rule-groups.html).
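A hardened configuration of the inputs documented above, including the WAF V2 options described in this section, as an added example that is not code from the module's README. The data sources, the KMS key, the CIDR ranges and the bucket and topic names are assumptions; every input name and value is taken from the Inputs table or from the AWS managed rule group list linked above.

```hcl
module "ecs_apps" {
  source = "git::https://github.com/DNXLabs/terraform-aws-ecs.git?ref=0.1.0"

  # Data sources and the KMS key below are assumptions for this example.
  name               = "apps-prod"
  instance_types     = ["t3.large"]
  vpc_id             = data.aws_vpc.selected.id
  private_subnet_ids = data.aws_subnet_ids.private.ids
  public_subnet_ids  = data.aws_subnet_ids.public.ids
  secure_subnet_ids  = data.aws_subnet_ids.secure.ids
  certificate_arn    = data.aws_acm_certificate.dnx_host.arn

  # Exposure: by default the 8080/8443 test listener is reachable from anywhere
  # and the ECS nodes may egress to 0.0.0.0/0; narrow both.
  alb_sg_allow_alb_test_listener          = false
  security_group_ecs_nodes_outbound_cidrs = ["10.0.0.0/8"] # assumed internal range
  vpn_cidr                                = ["10.37.0.0/16"]

  # Transport: ELBSecurityPolicy-2016-08 still negotiates TLS 1.0/1.1; use the
  # TLS 1.2-only policy the module already defaults to for the internal ALB.
  alb_ssl_policy                 = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"
  alb_internal_ssl_policy        = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"
  alb_drop_invalid_header_fields = true
  alb_enable_deletion_protection = true

  # Encryption at rest with a customer-managed key instead of the empty default.
  ebs_key_arn = data.aws_kms_key.ecs.arn
  efs_key_arn = data.aws_kms_key.ecs.arn

  # Audit trail: ALB access logs into a dedicated bucket (name is assumed).
  lb_access_logs_bucket = "example-org-alb-access-logs"
  lb_access_logs_prefix = "apps-prod"

  # WAF V2: Common rules in count mode as a baseline, known-bad inputs and the
  # Amazon IP reputation list in block mode, 2000 requests / 5 min per source IP.
  wafv2_enable                    = true
  wafv2_managed_rule_groups       = ["AWSManagedRulesCommonRuleSet"]
  wafv2_managed_block_rule_groups = ["AWSManagedRulesKnownBadInputsRuleSet", "AWSManagedRulesAmazonIpReputationList"]
  wafv2_rate_limit_rule           = 2000

  # Observability: alarms to an SNS topic the module creates, plus Container Insights.
  alarm_sns_topics   = ["ecs-apps-prod-alerts"]
  container_insights = true
}
```

Run the Common rule set in count mode first and review the sampled requests in the WAF console before moving any group to wafv2_managed_block_rule_groups, so legitimate traffic is not blocked by a rule the application trips by design.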

Authors

Module managed by DNX Solutions.

License

Apache 2 Licensed. See LICENSE for full details.