- Serverless deployment using ECS, Application Load Balancer, and CloudFront
- Ability to reference existing VPCs, Subnets, Security Groups, and IAM Roles/Policies
- Automated build of Docker Images
- Automated push of Docker Images to Amazon Elastic Container Registry (ECR)
- Configurable automated CloudFront Invalidations
- Dynamic rollback to previous app versions via image tag
Note: The basic deployment will create necessary networking and security services for you with the default values defined in the module variables. If you need to reference existing security and networking resources (VPCs, Subnets, Security Groups, IAM Roles/Policies), please visit review the example for existing resources in the examples directory.
Note: Ensure the architecture of your ECS Task matches your CodeBuild project. For example, if your CodeBuild project uses an ARM environment such as BUILD_GENERAL1_SMALL and an ARM image such as aws/codebuild/amazonlinux2-aarch64-standard:3.0, you must also set the architecture of your ECS task to be ARM64.
The module provides variables named ecs_cpu_architecture codebuild_compute_type, and codebuild_image which can be modified to your desired values. The default values are using ARM.
Relevant docs:
- CodeBuild - Docker images provided by CodeBuild
- CodeBuild - Build environment compute modes and types
// This is a template file for a basic deployment.
// Modify the parameters below with your desired values
module "serverless-streamlit-app" {
source = "aws-ia/serverless-streamlit-app/aws"
app_name = "streamlit-app"
environment = "dev"
app_version = "v0.0.1" # used as one of the tags for Docker image. Update this when you wish to push new changes to ECR.
}See the CONTRIBUTING.md file for information on how to contribute.
| Name | Version |
|---|---|
| terraform | >= 1.0.7 |
| archive | >= 2.2.0 |
| aws | >= 5.0.0 |
| awscc | >= 0.24.0 |
| null | >= 3.1.0 |
| random | >= 3.1.0 |
| Name | Version |
|---|---|
| archive | >= 2.2.0 |
| aws | >= 5.0.0 |
| null | >= 3.1.0 |
| random | >= 3.1.0 |
No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| alb_listener_ssl_policy_https | The SSL policy for the ALB HTTPS listener. The default uses the AWS security policy that enables TLS 1.3 with backwards compatibility with TLS 1.2. | string |
"ELBSecurityPolicy-TLS13-1-2-2021-06" |
no |
| app_name | The name of your application. This value is appended at the beginning of resource names. | string |
"streamlit" |
no |
| app_version | The version of the application. This is set to be used as the tag for the Docker image. Defaults to latest. Update this variable when making changes to your application to ensure you don't overwrite your previous image. Overwriting your previous image will prevent you from being able to roll back if you need. | string |
"v0.0.1" |
no |
| aws_region | The AWS region where the resources will be deployed. Default functionality is to use the region of your current AWS credentials. | string |
null |
no |
| codebuild_compute_type | The compute type for CodeBuild. Default is building a small instance with ARM architecture. | string |
"BUILD_GENERAL1_SMALL" |
no |
| codebuild_image | The Docker image for CodeBuild. Default is the official AWS CodeBuild Docker image with ARM architecture. | string |
"aws/codebuild/amazonlinux2-aarch64-standard:3.0" |
no |
| codebuild_image_type | The type of Docker image for CodeBuild. Default is 'ARM_CONTAINER'. | string |
"ARM_CONTAINER" |
no |
| container_port | The port number for the ECS container. Default is 8501 (Streamlit default port). | number |
8501 |
no |
| create_alb_security_group | Whether to create default ALB security group. If this is set to false, you'll need to provide your own list of security group IDs to the existing_alb_security_groups variable. |
bool |
true |
no |
| create_ecs_default_policy | Whether to create a default ECS policy for the cluster. | bool |
true |
no |
| create_ecs_default_role | Whether to create a default ECS role for the cluster. | bool |
true |
no |
| create_ecs_security_group | Whether to create default ECS security group. If this is set to false, you'll need to provide your own list of security group IDs to the existing_ecs_security_groups variable. |
bool |
true |
no |
| create_streamlit_ecr_repo_lifecycle_policy | Conditional creation of ECR Lifecycle policy for the Streamlit ECR repo. Default is to not create any policy. | bool |
false |
no |
| create_vpc_resources | Whether to create VPC resources. If this is set to false, you must provide the relevant ids for your existing resources (e.g VPC, Subnets, Security Groups, etc.) |
bool |
true |
no |
| custom_header_name | Name of the CloudFront custom header. Prevents ALB from accepting requests from other clients than CloudFront. Any random string is fine. | string |
"X-Verify-Origin" |
no |
| custom_header_value | Value of the CloudFront custom header. Prevents ALB from accepting requests from other clients than CloudFront. Any random string is fine. | string |
"streamlit-CloudFront-Distribution" |
no |
| desired_count | The desired number of ECS tasks to run. Default is 1. | number |
1 |
no |
| ecs_cpu_architecture | ECS CPU architecture (x86_64 or arm64). Acceptable values are 'X86_64' or 'ARM64' (case-sensistive). | string |
"ARM64" |
no |
| ecs_operating_system_family | Operating system family (windows or linux) for the ECS task (x86_64 or arm64). Default is linux. Valid values are listed here: https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RuntimePlatform.html | string |
"LINUX" |
no |
| ecs_task_desired_image_tag | The desired tag of the image in ECR you wish to use for your ECS Task. If using multiple tags, you can use this to speficy a specific tag (e.g. v0.0.1) to use. Default value is to use the version id image tag. |
string |
null |
no |
| enable_alb_deletion_protection | Whether to enable deletion protection for the Streamlit App Application Load Balancer. | bool |
false |
no |
| enable_alb_http_listener | Whether to create the ALB HTTP listener. | bool |
true |
no |
| enable_alb_https_listener | Whether to create the ALB HTTPS listener. | bool |
false |
no |
| enable_auto_cloudfront_invalidation | This variable conditionally enables CloudFront invalidations to automatically occur when there are updates to your Streamlit App. | bool |
true |
no |
| enable_force_detach_policies | Enable force detaching any policies from IAM roles. | bool |
true |
no |
| enable_streamlit_ecr_repo_scan_on_push | Whether to enable image scanning on push for ECR repo. This uses the Amazon Inspector service, which will incur additional cost. | bool |
false |
no |
| environment | The application environment where the resources will be deployed. e.g. 'dev', 'prod', etc. | string |
"dev" |
no |
| eventbridge_rules_enable_force_destroy | Enable force destroy on all EventBridge rules. This allows the destruction of all events in the rule. | bool |
true |
no |
| existing_alb_https_listener_cert | The ARN of an existing ACM certificate to use for the ALB HTTPS listener. | string |
null |
no |
| existing_alb_security_groups | A list of existing security group IDs to attach to the Streamlit ECS service load balancer. | list(string) |
null |
no |
| existing_alb_subnets | A list of existing subnets to launch the ALB in. Public subnets are recommended. | list(string) |
null |
no |
| existing_ecs_role | The ARN of an existing ECS role to assign to the cluster. | string |
null |
no |
| existing_ecs_security_groups | A list of existing security group IDs to attach to the Streamlit ECS service. | list(string) |
null |
no |
| existing_ecs_subnets | A list of existing subnets to launch the ECS service in. Private subnets are recommended. | list(string) |
null |
no |
| path_to_app_dir | The path to the directory that contains all assets for your Streamlit project. Any changes made to this directory will trigger the Docker image to be rebuilt and pushed to ECR during subsequent applies. | string |
null |
no |
| path_to_build_spec | The path to the build spec file for CodeBuild. This file should be a YAML file that defines the build process. | string |
null |
no |
| streamlit_ecr_repo_enable_force_delete | Enable force delete on the ECR repo. This allows the destruction of all images in the repository. | bool |
true |
no |
| streamlit_ecr_repo_encryption_type | The type of encryption for the ECR repo. Valid values are 'AES256' or 'KMS'. | string |
"AES256" |
no |
| streamlit_ecr_repo_image_tag_mutability | Whether to enforce images tags to be immutable or not. Valid values are 'MUTABLE' or IMMUTABLE'. | string |
"MUTABLE" |
no |
| streamlit_ecr_repo_kms_key | The KMS key ID used to encrypt the ECR repo. This is required if encryption_type is 'KMS'. If not specified, the default AWS managed key for ECR is used. | string |
null |
no |
| streamlit_ecr_repo_lifecycle_policy | A JSON string containing the ECR Lifecycle policy for the Streamlit ECR repo. | string |
null |
no |
| streamlit_ecs_service_log_group_kms_key | The KMS key ID used to encrypt the log group for the ECS service. | string |
null |
no |
| tags | Tags to apply to resources. | map(any) |
{ |
no |
| task_cpu | The CPU resources (in CPU units) allocated to each task. Default is 256. | number |
256 |
no |
| task_memory | The memory (in MiB) allocated to each task. Default is 512. | number |
512 |
no |
| vpc_cidr_block | The CIDR block for the VPC. | string |
"10.0.0.0/16" |
no |
| Name | Description |
|---|---|
| azs | A list of availability zones for the region of the current AWS profile. |
| streamlit_alb_dns_name | DNS name of the Streamlit ALB. |
| streamlit_cloudfront_distribution_url | URL of the Streamlit CloudFront distribution. |
| streamlit_ecr_repo_image_uri | URI of the Streamlit image in the ECR repository. |