terraform-aws-ecs-container-definition

Terraform module to generate well-formed JSON documents that are passed to the aws_ecs_task_definition Terraform resource as container definitions.

This project is part of our comprehensive "SweetOps" approach towards DevOps.

It's 100% Open Source and licensed under the APACHE2.

We literally have hundreds of terraform modules that are Open Source and well-maintained. Check them out!

Security & Compliance

Security scanning is graciously provided by Bridgecrew. Bridgecrew is the leading fully hosted, cloud-native solution providing continuous Terraform security and compliance.

Benchmark	Description
	Infrastructure Security Compliance
	Center for Internet Security, KUBERNETES Compliance
	Center for Internet Security, AWS Compliance
	Center for Internet Security, AZURE Compliance
	Payment Card Industry Data Security Standards Compliance
	National Institute of Standards and Technology Compliance
	Information Security Management System, ISO/IEC 27001 Compliance
	Service Organization Control 2 Compliance
	Center for Internet Security, GCP Compliance
	Health Insurance Portability and Accountability Compliance

Usage

IMPORTANT: We do not pin modules to versions in our examples because of the difficulty of keeping the versions in the documentation in sync with the latest released versions. We highly recommend that in your code you pin the version to the exact version you are using so that your infrastructure remains stable, and update versions in a systematic way so that they do not catch you by surprise.

Also, because of a bug in the Terraform registry (hashicorp/terraform#21417), the registry shows many of our inputs as required when in fact they are optional. The table below correctly indicates which inputs are required.

This module is meant to be used as output only, meaning it will be used to create outputs which are consumed as a parameter by Terraform resources or other modules.

Caution: This module, unlike nearly all other Cloud Posse Terraform modules, does not use terraform-null-label. Furthermore, it has an input named environment which has a completely different meaning than the one in terraform-null-label. Do not call this module with the conventional context = module.this.context. See the documentation below for the usage of environment.

For complete examples, see

For a complete example with automated tests, see examples/complete with bats and Terratest for the example test.

module "container_definition" {
  source = "cloudposse/ecs-container-definition/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"

  container_name  = "geodesic"
  container_image = "cloudposse/geodesic"
}

The output of this module can then be used with one of our other modules.

module "ecs_alb_service_task" {
  source = "cloudposse/ecs-alb-service-task/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"

  # ...
  container_definition_json = module.container_definition.json_map_encoded_list
  # ...
}

Makefile Targets

Available targets:

  help                                Help screen
  help/all                            Display help for all targets
  help/short                          This help short screen
  lint                                Lint terraform code

Requirements

Name	Version
terraform	>= 0.13.0
local	>= 1.2

Providers

No providers.

Modules

No modules.

Resources

No resources.

Inputs

Name	Description	Type	Default	Required
command	The command that is passed to the container	`list(string)`	`null`	no
container_cpu	The number of cpu units to reserve for the container. This is optional for tasks using Fargate launch type and the total amount of container_cpu of all containers in a task will need to be lower than the task-level cpu value	`number`	`0`	no
container_definition	Container definition overrides which allows for extra keys or overriding existing keys.	`map(any)`	`{}`	no
container_depends_on	The dependencies defined for container startup and shutdown. A container can contain multiple dependencies. When a dependency is defined for container startup, for container shutdown it is reversed. The condition can be one of START, COMPLETE, SUCCESS or HEALTHY	list(object({ containerName = string condition = string }))	`null`	no
container_image	The image used to start the container. Images in the Docker Hub registry available by default	`string`	n/a	yes
container_memory	The amount of memory (in MiB) to allow the container to use. This is a hard limit, if the container attempts to exceed the container_memory, the container is killed. This field is optional for Fargate launch type and the total amount of container_memory of all containers in a task will need to be lower than the task memory value	`number`	`null`	no
container_memory_reservation	The amount of memory (in MiB) to reserve for the container. If container needs to exceed this threshold, it can do so up to the set container_memory hard limit	`number`	`null`	no
container_name	The name of the container. Up to 255 characters ([a-z], [A-Z], [0-9], -, _ allowed)	`string`	n/a	yes
disable_networking	When this parameter is true, networking is disabled within the container.	`bool`	`null`	no
dns_search_domains	Container DNS search domains. A list of DNS search domains that are presented to the container	`list(string)`	`null`	no
dns_servers	Container DNS servers. This is a list of strings specifying the IP addresses of the DNS servers	`list(string)`	`null`	no
docker_labels	The configuration options to send to the `docker_labels`	`map(string)`	`null`	no
docker_security_options	A list of strings to provide custom labels for SELinux and AppArmor multi-level security systems.	`list(string)`	`null`	no
entrypoint	The entry point that is passed to the container	`list(string)`	`null`	no
environment	The environment variables to pass to the container. This is a list of maps. map_environment overrides environment	list(object({ name = string value = string }))	`[]`	no
environment_files	One or more files containing the environment variables to pass to the container. This maps to the --env-file option to docker run. The file must be hosted in Amazon S3. This option is only available to tasks using the EC2 launch type. This is a list of maps	list(object({ value = string type = string }))	`null`	no
essential	Determines whether all other containers in a task are stopped, if this container fails or stops for any reason. Due to how Terraform type casts booleans in json it is required to double quote this value	`bool`	`true`	no
extra_hosts	A list of hostnames and IP address mappings to append to the /etc/hosts file on the container. This is a list of maps	list(object({ ipAddress = string hostname = string }))	`null`	no
firelens_configuration	The FireLens configuration for the container. This is used to specify and configure a log router for container logs. For more details, see https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_FirelensConfiguration.html	object({ type = string options = map(string) })	`null`	no
healthcheck	A map containing command (string), timeout, interval (duration in seconds), retries (1-10, number of times to retry before marking container unhealthy), and startPeriod (0-300, optional grace period to wait, in seconds, before failed healthchecks count toward retries)	object({ command = list(string) retries = number timeout = number interval = number startPeriod = number })	`null`	no
hostname	The hostname to use for your container.	`string`	`null`	no
interactive	When this parameter is true, this allows you to deploy containerized applications that require stdin or a tty to be allocated.	`bool`	`null`	no
links	List of container names this container can communicate with without port mappings	`list(string)`	`null`	no
linux_parameters	Linux-specific modifications that are applied to the container, such as Linux kernel capabilities. For more details, see https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_LinuxParameters.html	object({ capabilities = object({ add = list(string) drop = list(string) }) devices = list(object({ containerPath = string hostPath = string permissions = list(string) })) initProcessEnabled = bool maxSwap = number sharedMemorySize = number swappiness = number tmpfs = list(object({ containerPath = string mountOptions = list(string) size = number })) })	`null`	no
log_configuration	Log configuration options to send to a custom log driver for the container. For more details, see https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_LogConfiguration.html	`any`	`null`	no
map_environment	The environment variables to pass to the container. This is a map of string: {key: value}. map_environment overrides environment	`map(string)`	`null`	no
map_secrets	The secrets variables to pass to the container. This is a map of string: {key: value}. map_secrets overrides secrets	`map(string)`	`null`	no
mount_points	Container mount points. This is a list of maps, where each map should contain `containerPath`, `sourceVolume` and `readOnly`	list(object({ containerPath = string sourceVolume = string readOnly = bool }))	`[]`	no
port_mappings	The port mappings to configure for the container. This is a list of maps. Each map should contain "containerPort", "hostPort", and "protocol", where "protocol" is one of "tcp" or "udp". If using containers in a task with the awsvpc or host network mode, the hostPort can either be left blank or set to the same value as the containerPort	list(object({ containerPort = number hostPort = number protocol = string }))	`[]`	no
privileged	When this variable is `true`, the container is given elevated privileges on the host container instance (similar to the root user). This parameter is not supported for Windows containers or tasks using the Fargate launch type.	`bool`	`null`	no
pseudo_terminal	When this parameter is true, a TTY is allocated.	`bool`	`null`	no
readonly_root_filesystem	Determines whether a container is given read-only access to its root filesystem. Due to how Terraform type casts booleans in json it is required to double quote this value	`bool`	`false`	no
repository_credentials	Container repository credentials; required when using a private repo. This map currently supports a single key; "credentialsParameter", which should be the ARN of a Secrets Manager's secret holding the credentials	`map(string)`	`null`	no
resource_requirements	The type and amount of a resource to assign to a container. The only supported resource is a GPU.	list(object({ type = string value = string }))	`null`	no
secrets	The secrets to pass to the container. This is a list of maps	list(object({ name = string valueFrom = string }))	`[]`	no
start_timeout	Time duration (in seconds) to wait before giving up on resolving dependencies for a container	`number`	`null`	no
stop_timeout	Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own	`number`	`null`	no
system_controls	A list of namespaced kernel parameters to set in the container, mapping to the --sysctl option to docker run. This is a list of maps: { namespace = "", value = ""}	`list(map(string))`	`null`	no
ulimits	Container ulimit settings. This is a list of maps, where each map should contain "name", "hardLimit" and "softLimit"	list(object({ name = string hardLimit = number softLimit = number }))	`null`	no
user	The user to run as inside the container. Can be any of these formats: user, user:group, uid, uid:gid, user:gid, uid:group. The default (null) will use the container's configured `USER` directive or root if not set.	`string`	`null`	no
volumes_from	A list of VolumesFrom maps which contain "sourceContainer" (name of the container that has the volumes to mount) and "readOnly" (whether the container can write to the volume)	list(object({ sourceContainer = string readOnly = bool }))	`[]`	no
working_directory	The working directory to run commands inside the container	`string`	`null`	no

Outputs

Name	Description
json_map_encoded	JSON string encoded container definitions for use with other terraform resources such as aws_ecs_task_definition
json_map_encoded_list	JSON string encoded list of container definitions for use with other terraform resources such as aws_ecs_task_definition
json_map_object	JSON map encoded container definition
sensitive_json_map_encoded	JSON string encoded container definitions for use with other terraform resources such as aws_ecs_task_definition (sensitive)
sensitive_json_map_encoded_list	JSON string encoded list of container definitions for use with other terraform resources such as aws_ecs_task_definition (sensitive)
sensitive_json_map_object	JSON map encoded container definition (sensitive)

Share the Love

Like this project? Please give it a ★ on our GitHub! (it helps us a lot)

Are you using this project or any of our other projects? Consider leaving a testimonial. =)

Related Projects

Check out these related projects.

terraform-aws-ecs-codepipeline - Terraform module for CI/CD with AWS Code Pipeline and Code Build for ECS
terraform-aws-ecs-events - Provides a standard set of ECS events that notify an SNS topic
terraform-aws-ecs-cloudwatch-autoscaling - Terraform module to autoscale ECS Service based on CloudWatch metrics
terraform-aws-ecs-container-definition - Terraform module to generate well-formed JSON documents (container definitions) that are passed to the aws_ecs_task_definition Terraform resource
terraform-aws-ecs-launch-template - Terraform module for generating an AWS Launch Template for ECS that handles draining on Spot Termination Requests
terraform-aws-ecs-web-app - Terraform module that implements a web app on ECS and supporting AWS resources
terraform-aws-ecs-spot-fleet - Terraform module to create a diversified spot fleet for ECS clusters
terraform-aws-ecs-cloudwatch-sns-alarms - Terraform module to create CloudWatch Alarms on ECS Service level metrics
terraform-aws-ecs-alb-service-task - Terraform module which implements an ECS service which exposes a web service via ALB

Help

Got a question? We got answers.

File a GitHub issue, send us an email or join our Slack Community.

DevOps Accelerator for Startups

We are a DevOps Accelerator. We'll help you build your cloud infrastructure from the ground up so you can own it. Then we'll show you how to operate it and stick around for as long as you need us.

Work directly with our team of DevOps experts via email, slack, and video conferencing.

We deliver 10x the value for a fraction of the cost of a full-time engineer. Our track record is not even funny. If you want things done right and you need it done FAST, then we're your best bet.

Reference Architecture. You'll get everything you need from the ground up built using 100% infrastructure as code.
Release Engineering. You'll have end-to-end CI/CD with unlimited staging environments.
Site Reliability Engineering. You'll have total visibility into your apps and microservices.
Security Baseline. You'll have built-in governance with accountability and audit logs for all changes.
GitOps. You'll be able to operate your infrastructure via Pull Requests.
Training. You'll receive hands-on training so your team can operate what we build.
Questions. You'll have a direct line of communication between our teams via a Shared Slack channel.
Troubleshooting. You'll get help to triage when things aren't working.
Code Reviews. You'll receive constructive feedback on Pull Requests.
Bug Fixes. We'll rapidly work with you to fix any bugs in our projects.

Slack Community

Join our Open Source Community on Slack. It's FREE for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally sweet infrastructure.

Discourse Forums

Participate in our Discourse Forums. Here you'll find answers to commonly asked questions. Most questions will be related to the enormous number of projects we support on our GitHub. Come here to collaborate on answers, find solutions, and get ideas about the products and services we value. It only takes a minute to get started! Just sign in with SSO using your GitHub account.

Sign up for our newsletter that covers everything on our technology radar. Receive updates on what we're up to on GitHub as well as awesome new projects we discover.

Office Hours

Join us every Wednesday via Zoom for our weekly "Lunch & Learn" sessions. It's FREE for everyone!

Contributing

Bug Reports & Feature Requests

Please use the issue tracker to report any bugs or file feature requests.

Developing

If you are interested in being a contributor and want to get involved in developing this project or help out with our other projects, we would love to hear from you! Shoot us an email.

In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

Fork the repo on GitHub
Clone the project to your own machine
Commit changes to your own branch
Push your work back up to your fork
Submit a Pull Request so that we can review your changes

NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!

Copyright

License

See LICENSE for full details.

Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements.  See the NOTICE file
distributed with this work for additional information
regarding copyright ownership.  The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License.  You may obtain a copy of the License at

  https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied.  See the License for the
specific language governing permissions and limitations
under the License.

Trademarks

All other trademarks referenced herein are the property of their respective owners.

About

This project is maintained and funded by Cloud Posse, LLC. Like it? Please let us know by leaving a testimonial!

We're a DevOps Professional Services company based in Los Angeles, CA. We ❤️ Open Source Software.

We offer paid support on all of our projects.

Check out our other projects, follow us on twitter, apply for a job, or hire us to help with your cloud strategy and implementation.

Contributors

Erik Osterman	Sarkis Varozian	Andriy Knysh	Igor Rodionov	Yonatan Koren	RB

eddideku/terraform-aws-ecs-container-definition