From 3b56fb8476ce6fba6d1ee6a6a25e53784926e583 Mon Sep 17 00:00:00 2001 From: Cyril Feraudet Date: Tue, 25 May 2021 13:26:07 +0200 Subject: [PATCH 01/15] Add ouputs for task execution role --- outputs.tf | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/outputs.tf b/outputs.tf index 538c74b..b96ff04 100644 --- a/outputs.tf +++ b/outputs.tf @@ -26,6 +26,16 @@ output "task_role_name" { value = aws_iam_role.task.name } +output "task_execution_role_arn" { + description = "The Amazon Resource Name (ARN) specifying the service role." + value = aws_iam_role.execution.arn +} + +output "task_execution_role_name" { + description = "The name of the service role." + value = aws_iam_role.execution.name +} + output "service_sg_id" { description = "The Amazon Resource Name (ARN) that identifies the service security group." value = aws_security_group.ecs_service.id From e1f6181c06fffd99f42a2e7e0eafe8686231e1c5 Mon Sep 17 00:00:00 2001 From: Cyril Feraudet Date: Tue, 25 May 2021 13:28:21 +0200 Subject: [PATCH 02/15] Typo --- outputs.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/outputs.tf b/outputs.tf index b96ff04..474662a 100644 --- a/outputs.tf +++ b/outputs.tf @@ -27,12 +27,12 @@ output "task_role_name" { } output "task_execution_role_arn" { - description = "The Amazon Resource Name (ARN) specifying the service role." + description = "The Amazon Resource Name (ARN) specifying the execution service role." value = aws_iam_role.execution.arn } output "task_execution_role_name" { - description = "The name of the service role." + description = "The name of the execution service role." value = aws_iam_role.execution.name } From e8cc87cd07074516694df903f35bf63d16f61e07 Mon Sep 17 00:00:00 2001 From: Cyril Feraudet Date: Tue, 25 May 2021 14:25:30 +0200 Subject: [PATCH 03/15] Add task_definition ignore_changes --- main.tf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/main.tf b/main.tf index a6d232c..dccdd8b 100644 --- a/main.tf +++ b/main.tf 
@@ -222,6 +222,9 @@ resource "aws_ecs_service" "service" { container_name = var.container_name != "" ? var.container_name : var.name_prefix } } + lifecycle { + ignore_changes = [task_definition] + } } # HACK: The workaround used in ecs/service does not work for some reason in this module, this fixes the following error: From a5b5c7c051707767fc4703d0b2e49b089d5d5f15 Mon Sep 17 00:00:00 2001 From: Cyril Feraudet Date: Tue, 1 Jun 2021 14:57:30 +0200 Subject: [PATCH 04/15] Revert "Add task_definition ignore_changes" This reverts commit e8cc87cd07074516694df903f35bf63d16f61e07. --- main.tf | 3 --- 1 file changed, 3 deletions(-) diff --git a/main.tf b/main.tf index dccdd8b..a6d232c 100644 --- a/main.tf +++ b/main.tf @@ -222,9 +222,6 @@ resource "aws_ecs_service" "service" { container_name = var.container_name != "" ? var.container_name : var.name_prefix } } - lifecycle { - ignore_changes = [task_definition] - } } # HACK: The workaround used in ecs/service does not work for some reason in this module, this fixes the following error: From 74ec418241ed76f59c8607f90bca01c1258d1ef8 Mon Sep 17 00:00:00 2001 From: Cyril Feraudet Date: Tue, 1 Jun 2021 15:01:59 +0200 Subject: [PATCH 05/15] Add EFS volumes --- examples/basic/main.tf | 17 +++++++++++++++++ main.tf | 16 ++++++++++++++++ variables.tf | 7 +++++++ 3 files changed, 40 insertions(+) diff --git a/examples/basic/main.tf b/examples/basic/main.tf index 566be1d..93280af 100644 --- a/examples/basic/main.tf +++ b/examples/basic/main.tf @@ -64,6 +64,16 @@ resource "aws_security_group_rule" "alb_ingress_80" { ipv6_cidr_blocks = ["::/0"] } +resource "aws_efs_file_system" "efs" { + creation_token = "blah" + encrypted = true +} + +resource "aws_efs_access_point" "efs" { + file_system_id = aws_efs_file_system.efs.id +} + + resource "aws_ecs_cluster" "cluster" { name = "${var.name_prefix}-cluster" } 
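Review bot: The `aws_efs_access_point.efs` resource added in the examples/basic/main.tf hunk (`@@ -64,6 +64,16 @@`) sets only `file_system_id`, so the access point pins neither a POSIX identity nor a root directory and constrains the task no more than a plain file-system mount would. Since the module side of this patch mounts with `iam = "ENABLED"`, the task role also needs `elasticfilesystem:ClientMount` (and `ClientWrite` for a writable mount) on this file system, or a file-system policy granting it; nothing in the hunk shows that, so if it lives elsewhere in the example a comment pointing to it would help, and if it does not, the example will not mount. For an example that demonstrates a scoped mount, add a `posix_user { uid = <uid> gid = <gid> }` block and a `root_directory { path = "<path>" }` block (placeholder values) to the access point.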
@@ -101,6 +111,13 @@ module "fargate" { path = "/" } + efs_volumes = [{ + name = "storage" + file_system_id = aws_efs_file_system.efs.id + root_directory = "/opt/files/" + access_point_id = aws_efs_access_point.efs.id + }] + tags = { environment = "dev" terraform = "True" diff --git a/main.tf b/main.tf index a6d232c..533746a 100644 --- a/main.tf +++ b/main.tf @@ -181,6 +181,22 @@ resource "aws_ecs_task_definition" "task" { "environment": ${jsonencode(local.task_environment)} }] EOF + +dynamic "volume" { + for_each = var.efs_volumes + content { + name = volume.value["name"] + efs_volume_configuration { + file_system_id = volume.value["file_system_id"] + root_directory = volume.value["root_directory"] + transit_encryption = "ENABLED" + authorization_config { + access_point_id = volume.value["access_point_id"] + iam = "ENABLED" + } + } + } +} } resource "aws_ecs_service" "service" { diff --git a/variables.tf b/variables.tf index afdbb35..050c6f7 100644 --- a/variables.tf +++ b/variables.tf @@ -195,3 +195,10 @@ variable "protocol_version" { default = "HTTP1" type = string } + + +variable "efs_volumes" { + description = "Volumes definitions" + default = [] + type = list(any) +} From e6716139e0faa7a938c732c460467ea95b6036e0 Mon Sep 17 00:00:00 2001 From: Cyril Feraudet Date: Tue, 1 Jun 2021 16:38:27 +0200 Subject: [PATCH 06/15] Remove efs creation_token according to #53 discussion --- examples/basic/main.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/examples/basic/main.tf b/examples/basic/main.tf index 93280af..a247eb0 100644 --- a/examples/basic/main.tf +++ b/examples/basic/main.tf @@ -65,8 +65,7 @@ resource "aws_security_group_rule" "alb_ingress_80" { } resource "aws_efs_file_system" "efs" { - creation_token = "blah" - encrypted = true + encrypted = true } resource "aws_efs_access_point" "efs" { From 463f11dc72e83b980c4e26f0360a393c07c80bc6 Mon Sep 17 00:00:00 2001 
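Review bot: In the main.tf hunk (`@@ -181,6 +181,22 @@`) the new `efs_volume_configuration` passes `root_directory = volume.value["root_directory"]` together with `authorization_config { access_point_id = ... }`; ECS documents that when an access point is set the volume's root directory must be omitted or `/` (the access point's own root directory is what takes effect), so a value such as the example's `/opt/files/` is rejected at task-definition registration. Either omit the attribute when `access_point_id` is given or document that it must be `/`. Hard-coding `transit_encryption = "ENABLED"` and `iam = "ENABLED"` is the right default, but it makes the mount subject to IAM authorization against `aws_iam_role.task`, which this patch does not extend with `elasticfilesystem:ClientMount`/`ClientWrite`; the module should either attach such a policy or state in the `efs_volumes` description (variables.tf hunk) that the caller must. Finally, `dynamic "volume"` and its closing brace sit at column 0 inside the `aws_ecs_task_definition` body; indent them to match the surrounding arguments.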
From: Cyril Feraudet Date: Wed, 2 Jun 2021 13:11:26 +0200 Subject: [PATCH 07/15] Fix missing mountpoints --- examples/basic/main.tf | 4 +++- main.tf | 10 +++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/examples/basic/main.tf b/examples/basic/main.tf index a247eb0..537126c 100644 --- a/examples/basic/main.tf +++ b/examples/basic/main.tf @@ -113,7 +113,9 @@ module "fargate" { efs_volumes = [{ name = "storage" file_system_id = aws_efs_file_system.efs.id - root_directory = "/opt/files/" + root_directory = "/" + mount_point = "/opt/files/" + readOnly = false access_point_id = aws_efs_access_point.efs.id }] diff --git a/main.tf b/main.tf index 533746a..38b0228 100644 --- a/main.tf +++ b/main.tf @@ -164,7 +164,15 @@ resource "aws_ecs_task_definition" "task" { "hostPort" : var.task_container_port, "protocol" : "tcp" }] -))}, + ))}, + %{if length(var.efs_volumes) > 0~} + "MountPoints": ${jsonencode([ + for v in var.efs_volumes : { + containerPath = v.mount_point + readOnly = v.readOnly + sourceVolume = v.name +}])}, + %{~endif} "logConfiguration": { "logDriver": "awslogs", "options": { From fb7a4439288f148ee18ae42f4e1f3a4e34d3d398 Mon Sep 17 00:00:00 2001 From: Cyril Feraudet Date: Thu, 3 Jun 2021 09:46:08 +0200 Subject: [PATCH 08/15] Add efs_volumes var specifications --- variables.tf | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index 050c6f7..6083bb7 100644 --- a/variables.tf +++ b/variables.tf @@ -200,5 +200,12 @@ variable "protocol_version" { variable "efs_volumes" { description = "Volumes definitions" default = [] - type = list(any) + type = list(object({ + name = string + file_system_id = string + root_directory = string + mount_point = string + readOnly = bool + access_point_id = string + })) } From a9888b10708eb485838b7cef5b44acc0da49c570 Mon Sep 17 00:00:00 2001 
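Review bot: The key added in the main.tf hunk (`@@ -164,7 +164,15 @@`) is spelled `"MountPoints"`, whereas the ECS container-definition field is `mountPoints`, camelCase like the sibling `portMappings` and `logConfiguration` keys in the same template; as written the mount points may be silently ignored or the registration rejected, so rename it to `"mountPoints": ${jsonencode([ ... ])},`. The interpolation also closes with `}])},` at column 0 inside the heredoc, which is valid but reads as a stray brace next to the indented template lines. The container_definitions template of `aws_ecs_task_definition.task` continues outside the hunk.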
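Review bot: `variable "efs_volumes"` in the variables.tf hunk (`@@ -200,5 +200,12 @@`) gains a precise object type but keeps the one-word description `"Volumes definitions"`, which tells the caller nothing about the constraints the module applies. Suggest `description = "EFS volumes mounted into the task container. Mounts use transit encryption and IAM authorization, so the task role needs EFS client permissions; root_directory must be / when access_point_id is set."`. `readOnly` is also the only camelCase attribute among `file_system_id`, `root_directory`, `mount_point` and `access_point_id`; `read_only` would be consistent, though renaming it now changes the interface introduced by patch 05.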
From: Cyril Feraudet Date: Tue, 24 Aug 2021 15:24:40 +0200 Subject: [PATCH 09/15] Add wait_for_steady_state & privileged vars. Port is now optional --- main.tf | 9 ++++++--- outputs.tf | 9 +++++++-- variables.tf | 16 +++++++++++++++- 3 files changed, 28 insertions(+), 6 deletions(-) diff --git a/main.tf b/main.tf index 38b0228..2500d94 100644 --- a/main.tf +++ b/main.tf @@ -85,7 +85,8 @@ resource "aws_security_group_rule" "egress_service" { # LB Target group # ------------------------------------------------------------------------------ resource "aws_lb_target_group" "task" { - name = "${var.name_prefix}-${var.task_container_port}" + count = var.lb_arn == "" ? 0 : 1 + name = "${var.name_prefix}-${var.task_container_port}" vpc_id = var.vpc_id protocol = var.task_container_protocol @@ -156,10 +157,11 @@ resource "aws_ecs_task_definition" "task" { "secrets": ${jsonencode(var.task_container_secrets)}, %{~endif} "essential": true, + "privileged": ${var.privileged ? "true" : "false"}, "portMappings": ${jsonencode(concat( var.task_container_port_mappings, - [{ + var.task_container_port == 0 ? [] : [{ "containerPort" : var.task_container_port, "hostPort" : var.task_container_port, "protocol" : "tcp" @@ -217,6 +219,7 @@ resource "aws_ecs_service" "service" { deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent deployment_maximum_percent = var.deployment_maximum_percent health_check_grace_period_seconds = var.lb_arn == "" ? null : var.health_check_grace_period_seconds + wait_for_steady_state = var.wait_for_steady_state network_configuration { subnets = var.private_subnet_ids @@ -229,7 +232,7 @@ resource "aws_ecs_service" "service" { content { container_name = var.container_name != "" ? var.container_name : var.name_prefix container_port = var.task_container_port - target_group_arn = aws_lb_target_group.task.arn + target_group_arn = aws_lb_target_group.task[0].arn } } diff --git a/outputs.tf b/outputs.tf index 474662a..de6b4ba 100644 --- a/outputs.tf 
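Review bot: The `"privileged"` key added in the main.tf hunk at `@@ -156,10 +157,11 @@` is documented by ECS as unsupported for tasks that run on Fargate, and Fargate is the only launch type this module sets for `aws_ecs_service.service`, so `privileged = true` cannot take effect here and, as far as I know, fails at task-definition registration. The `variable "privileged"` block in the variables.tf hunk (`@@ -209,3 +216,10 @@`) should say so, e.g. `description = "Give the container elevated privileges on the host. Not supported on the Fargate launch type; leave false unless the task runs on an EC2 capacity provider and genuinely needs it."`, and a `validation` block rejecting `true` while the module only drives Fargate would turn the apply-time failure into a plan-time one. Elevated host privileges also widen the blast radius of any container compromise, which is worth a line in the README when the option becomes usable.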
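Review bot: With `task_container_port` now defaulting to `0` (variables.tf hunk `@@ -65,6 +65,7 @@`), a caller who sets `lb_arn` but leaves the port unset gets `container_port = 0` in the `load_balancer` block of the hunk at `@@ -229,7 +232,7 @@` and a target group named `${var.name_prefix}-0` from the hunk at `@@ -85,7 +85,8 @@`; neither is caught at plan time. A `lifecycle { precondition { ... } }` on `aws_ecs_service.service` with `condition = var.lb_arn == "" || var.task_container_port != 0` and `error_message = "task_container_port must be set when lb_arn is given."` would surface the mismatch before anything is created (preconditions need Terraform 1.2 or later, so check the module's `required_version`). The `aws_ecs_service` resource continues outside the hunk.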
+++ b/outputs.tf @@ -8,12 +8,12 @@ output "service_arn" { output "target_group_arn" { description = "The ARN of the Target Group." - value = aws_lb_target_group.task.arn + value = var.lb_arn == "" ? null : aws_lb_target_group.task[0].arn } output "target_group_name" { description = "The Name of the Target Group." - value = aws_lb_target_group.task.name + value = var.lb_arn == "" ? null : aws_lb_target_group.task[0].name } output "task_role_arn" { @@ -51,3 +51,8 @@ output "log_group_name" { value = aws_cloudwatch_log_group.main.name } +output "desired_count" { + description = "Desired count" + value = var.desired_count +} + diff --git a/variables.tf b/variables.tf index 6083bb7..08f3350 100644 --- a/variables.tf +++ b/variables.tf @@ -65,6 +65,7 @@ variable "task_container_assign_public_ip" { variable "task_container_port" { description = "Port that the container exposes." type = number + default = 0 } variable "task_container_port_mappings" { @@ -122,6 +123,7 @@ variable "log_multiline_pattern" { variable "health_check" { description = "A health block containing health check settings for the target group. Overrides the defaults." type = map(string) + default = {} } variable "health_check_grace_period_seconds" { @@ -190,13 +192,18 @@ variable "task_role_permissions_boundary_arn" { type = string } +variable "wait_for_steady_state" { + description = "Wait for steady state" + default = false + type = bool +} + variable "protocol_version" { description = "The protocol (HTTP) version." default = "HTTP1" type = string } - variable "efs_volumes" { description = "Volumes definitions" default = [] @@ -209,3 +216,10 @@ variable "efs_volumes" { access_point_id = string })) } + +variable "privileged" { + description = "When this parameter is true, the container is given elevated privileges on the host container instance" + default = false + type = bool +} + From 08db84642e201b00275c34a3abd0767c91a626a3 Mon Sep 17 00:00:00 2001 
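Review bot: The new `default = 0` on `variable "task_container_port"` in the variables.tf hunk (`@@ -65,6 +65,7 @@`) changes the meaning of the value, but the description still reads `"Port that the container exposes."`; the main.tf side of this patch emits no port mapping for `0`, so say so: `description = "Port that the container exposes. 0 (the default) adds no port mapping; set a real port when lb_arn is used."`. Likewise `"Wait for steady state"` on `wait_for_steady_state` (`@@ -190,13 +192,18 @@`) only repeats the name; `"If true, terraform apply blocks until the service reaches a steady state before continuing."` describes what the provider attribute does. The `desired_count` output in the outputs.tf hunk (`@@ -51,3 +51,8 @@`) has the same one-line-echo problem with `"Desired count"`.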
From: Cyril Feraudet Date: Tue, 24 Aug 2021 16:49:45 +0200 Subject: [PATCH 10/15] Fix style https://github.com/telia-oss/terraform-aws-ecs-fargate/pull/53#discussion_r694903518 --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 2500d94..6edce4c 100644 --- a/main.tf +++ b/main.tf @@ -157,7 +157,7 @@ resource "aws_ecs_task_definition" "task" { "secrets": ${jsonencode(var.task_container_secrets)}, %{~endif} "essential": true, - "privileged": ${var.privileged ? "true" : "false"}, + "privileged": ${var.privileged}, "portMappings": ${jsonencode(concat( var.task_container_port_mappings, From af6c313fc482ce5b3c144f77165e0687e61aca18 Mon Sep 17 00:00:00 2001 From: Cyril Feraudet Date: Wed, 22 Sep 2021 09:59:50 +0200 Subject: [PATCH 11/15] Re-add privileged option support --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index dd80717..05f8799 100644 --- a/main.tf +++ b/main.tf @@ -153,6 +153,7 @@ locals { "logDriver" = "awslogs" "options" = local.log_configuration_options } + "privileged" : var.privileged }, local.task_container_secrets, local.repository_credentials) } From ecb6d16fafb0355f80fa6e27d51d2c592af21652 Mon Sep 17 00:00:00 2001 From: Cyril Feraudet Date: Thu, 28 Oct 2021 09:52:20 +0200 Subject: [PATCH 12/15] Prevent port mapping with 0 as port when no port mapping is needed --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index b722ba5..6e7db97 100644 --- a/main.tf +++ b/main.tf 
@@ -129,7 +129,7 @@ locals { log_multiline_pattern = var.log_multiline_pattern != "" ? { "awslogs-multiline-pattern" = var.log_multiline_pattern } : null task_container_secrets = length(var.task_container_secrets) > 0 ? { "secrets" = var.task_container_secrets } : null repository_credentials = length(var.repository_credentials) > 0 ? { "repositoryCredentials" = { "credentialsParameter" = var.repository_credentials } } : null - task_container_port_mappings = concat(var.task_container_port_mappings, [{ containerPort = var.task_container_port, hostPort = var.task_container_port, protocol = "tcp" }]) + task_container_port_mappings = var.task_container_port == 0 ? var.task_container_port_mappings : concat(var.task_container_port_mappings, [{ containerPort = var.task_container_port, hostPort = var.task_container_port, protocol = "tcp" }]) task_container_environment = [for k, v in var.task_container_environment : { name = k, value = v }] task_container_mount_points = [for v in var.efs_volumes : { containerPath = v.mount_point, readOnly = v.readOnly, sourceVolume = v.name }] From 7c10b8bb336a0a34e29895d4c04bb4ca88fa9975 Mon Sep 17 00:00:00 2001 From: Cyril Feraudet Date: Mon, 17 Jul 2023 22:46:15 +0200 Subject: [PATCH 13/15] Add capacity_provider_strategy feature --- main.tf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/main.tf b/main.tf index b5ccf61..e0b2d13 100644 --- a/main.tf +++ b/main.tf 
@@ -262,6 +262,14 @@ resource "aws_ecs_service" "service" { container_name = var.container_name != "" ? var.container_name : var.name_prefix } } + dynamic "capacity_provider_strategy" { + for_each = var.capacity_provider_strategy + content { + base = lookup(capacity_provider_strategy.value, "base", null) + capacity_provider = lookup(capacity_provider_strategy.value, "capacity_provider", null) + weight = lookup(capacity_provider_strategy.value, "weight", null) + } + } } # HACK: The workaround used in ecs/service does not work for some reason in this module, this fixes the following error: From 5a35a5054b3b64d78f05842393ecde5718aa096b Mon Sep 17 00:00:00 2001 From: Cyril Feraudet Date: Mon, 17 Jul 2023 22:51:24 +0200 Subject: [PATCH 14/15] Add capacity_provider_strategy variable --- variables.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/variables.tf b/variables.tf index 242c181..1a74d87 100644 --- a/variables.tf +++ b/variables.tf @@ -306,6 +306,12 @@ variable "volumes" { default = [] } +variable "capacity_provider_strategy" { + description = "List capacity provider strategy" + type = list(any) + default = [] +} + variable "extra_target_groups" { description = "List of extra target group configurations used to register a service to multiple target groups" type = list(object({ From a6351671d375543e05d8f2def7f1a2d570e5daba Mon Sep 17 00:00:00 2001 From: Cyril Feraudet Date: Tue, 18 Jul 2023 09:20:12 +0200 Subject: [PATCH 15/15] Fix launch type when capacity_provider_strategy set --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index e0b2d13..920c669 100644 --- a/main.tf +++ b/main.tf 
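Review bot: The `dynamic "capacity_provider_strategy"` block in the main.tf hunk reads every field through `lookup(..., null)`, and the companion `variable "capacity_provider_strategy"` in the variables.tf hunk (`@@ -306,6 +306,12 @@`) is `list(any)`, so an entry that omits `capacity_provider` or `weight` (both required by the resource) or misspells a key is only rejected at apply time. Tighten the variable to `type = list(object({ capacity_provider = string, weight = number, base = optional(number) }))` (`optional()` needs Terraform 1.3 or later; otherwise make `base` required) and read `capacity_provider_strategy.value.capacity_provider` directly. The description `"List capacity provider strategy"` should also say that a non-empty list switches the service off the FARGATE launch type, which is what patch 15/15 makes happen.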
@@ -214,7 +214,7 @@ resource "aws_ecs_service" "service" { cluster = var.cluster_id task_definition = var.task_definition != "" ? var.task_definition : aws_ecs_task_definition.task.arn desired_count = var.desired_count - launch_type = "FARGATE" + launch_type = length(var.capacity_provider_strategy) == 0 ? "FARGATE" : null deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent deployment_maximum_percent = var.deployment_maximum_percent health_check_grace_period_seconds = var.lb_arn == "" ? null : var.health_check_grace_period_seconds