feat: adding the capacity provider code and examples + several fixes (#44)

Author: hugoalmeida264

CHANGELOG.md

@@ -14,20 +14,28 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - fix: CKV_AWS_152 Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled
 - fix: CKV2_AWS_20 Ensure that ALB redirects HTTP requests into HTTPS ones
 - fix: CKV_AWS_261 Ensure HTTP HTTPS Target group defines Healthcheck
-- fix: CKV_TF_2 Ensure Terraform module sources use a tag with a version number
-- feat: showcase load balancer protection using WAF
-- feat: more than one security group for ecs service
 - feat: Add EC2 usage example
 - feat: Possibly use lb module for load-balancer resource
-- feat: Review ecs-service arguments, add and test those missing.
 - feat: Use load-balancer module in example
 - feat: Add more options for module cloudwatch log group
 - feat: Exclusively use acm certificate (not self_signed_cert) for complete example
 - feat: consolidate ecs cluster module and ecs service module into one
-- feat: Add missing aws_ecs_task_definition arguments and showcase them in examples
 - feat: expand volume block of the task definition as it has more configuration
 - feat: Add example for service security group using a security group id for `service_ingress_sg`
 
+## [1.13.0] - 2025-07-03
+### Changes
+- fix: deprecated data.aws_region.current.name attribute by upgrading cluster module to v3.0.0
+- fix: VPC data source error by adding state filter to ensure only available VPCs are selected
+- fix: resource naming conflicts by adding random suffix to prevent conflicts with existing resources
+- fix: multiple EC2 VPCs matched error in complete example data sources
+- fix: deprecated data.aws_region.current.name replaced with data.aws_region.current.id in examples
+- feat: add capacity provider strategy support for ECS services with FARGATE and FARGATE_SPOT options
+- feat: add capacity_provider_strategy variable to allow mixed capacity provider deployments
+- feat: add fargate spot service example with capacity provider strategy configuration
+- feat: add fargate spot container definitions with cost optimization environment variables
+- feat: add random resource generation for unique naming in complete example
+
 ## [1.12.2] - 2024-06-10
 ### Changes
 - docs: Improve variables text and change the domain name of the private acm

examples/complete/data.tf

@@ -121,6 +121,11 @@ data "aws_vpc" "supporting" {
     name   = "tag:Name"
     values = [var.supporting_resources_name]
   }
+  
+  filter {
+    name   = "state"
+    values = ["available"]
+  }
 }
 
 data "aws_subnets" "public" {

examples/complete/locals.tf

@@ -9,11 +9,11 @@ locals {
   private_subnets        = local.private_subnet_id
   vpc_id                 = data.aws_vpc.supporting.id
   cluster                = data.aws_ecs_cluster.ecs.arn
-  region                 = data.aws_region.current.name
+  region                 = data.aws_region.current.id
   partition              = data.aws_partition.current.partition
   dns_suffix             = data.aws_partition.current.dns_suffix
-  bucket                 = "${var.name}-access-logs-bucket-boldlink"
-  tags                   = merge({ "Name" = var.name }, var.tags)
+  bucket                 = "${var.name}-access-logs-bucket-${random_id.bucket_suffix.hex}"
+  tags                   = merge({ "Name" = "${var.name}-${random_string.suffix.result}" }, var.tags)
   account_id             = data.aws_caller_identity.current.account_id
   elb_service_account_id = data.aws_elb_service_account.main.id
   alb_container_definitions = jsonencode(
@@ -66,6 +66,42 @@ locals {
       }
     ]
   )
+  fargate_spot_container_definitions = jsonencode(
+    [
+      {
+        name      = var.name
+        image     = var.image
+        cpu       = var.cpu
+        memory    = var.memory
+        essential = var.essential
+        portMappings = [
+          {
+            containerPort = var.containerport
+            hostPort      = var.hostport
+          }
+        ]
+        logConfiguration = {
+          logDriver = "awslogs",
+          options = {
+            awslogs-group         = "/aws/ecs-service/${var.name}-fargate-spot-service",
+            awslogs-region        = local.region,
+            awslogs-stream-prefix = "task"
+          }
+        }
+        environment = [
+          {
+            name  = "DEPLOYMENT_TYPE"
+            value = "FARGATE_SPOT"
+          },
+          {
+            name  = "COST_OPTIMIZATION"
+            value = "enabled"
+          }
+        ]
+      }
+    ]
+  )
+  vpc_cidr = data.aws_vpc.supporting.cidr_block
   task_execution_role_policy_doc = jsonencode(
     {
       Version = "2012-10-17",

examples/complete/main.tf

@@ -1,3 +1,13 @@
+resource "random_id" "bucket_suffix" {
+  byte_length = 4
+}
+
+resource "random_string" "suffix" {
+  length  = 4
+  special = false
+  upper   = false
+}
+
 module "access_logs_bucket" {
   source            = "boldlink/s3/aws"
   version           = "2.3.1"
@@ -194,3 +204,64 @@ module "ecs_service_nlb" {
   lb_ingress_rules = var.nlb_ingress_rules
   depends_on       = [module.access_logs_bucket]
 }
+
+module "ecs_service_fargate_spot" {
+  #checkov:skip=CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
+  #checkov:skip=CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
+  source                   = "../../"
+  requires_compatibilities = var.requires_compatibilities
+  network_mode             = var.network_mode
+  name                     = "${var.name}-fargate-spot-service"
+  family                   = "${var.name}-fargate-spot-task-definition"
+  enable_execute_command   = var.enable_execute_command
+  
+  # Use capacity provider strategy instead of launch_type for FARGATE_SPOT
+  capacity_provider_strategy = [
+    {
+      capacity_provider = "FARGATE_SPOT"
+      weight           = 4
+      base             = 0
+    },
+    {
+      capacity_provider = "FARGATE"
+      weight           = 1
+      base             = 1
+    }
+  ]
+  
+  network_configuration = {
+    subnets          = local.private_subnets
+    assign_public_ip = true
+  }
+
+  cluster                           = local.cluster
+  vpc_id                            = local.vpc_id
+  task_assume_role_policy           = data.aws_iam_policy_document.ecs_assume_role_policy.json
+  task_role_policy                  = data.aws_iam_policy_document.task_role_policy_doc.json
+  task_execution_assume_role_policy = data.aws_iam_policy_document.ecs_assume_role_policy.json
+  task_execution_role_policy        = local.task_execution_role_policy_doc
+  container_definitions             = local.fargate_spot_container_definitions
+  kms_key_id                        = data.aws_kms_alias.supporting_kms.target_key_arn
+  force_new_deployment              = var.force_new_deployment
+  desired_count                     = 3
+  tasks_minimum_healthy_percent     = 50
+  tasks_maximum_percent             = 200
+  propagate_tags                    = "SERVICE"
+  tags                              = merge(local.tags, {
+    CostOptimization = "fargate-spot"
+    Service         = "fargate-spot-demo"
+  })
+
+  # Service security group rules for direct access (no load balancer)
+  service_ingress_rules = [
+    {
+      from_port   = var.containerport
+      to_port     = var.containerport
+      protocol    = "tcp"
+      description = "HTTP access to fargate spot service"
+      cidr_blocks = [local.vpc_cidr]
+    }
+  ]
+
+  retention_in_days = var.retention_in_days
+}

examples/external-lb/locals.tf

@@ -10,7 +10,7 @@ locals {
   vpc_id          = data.aws_vpc.supporting.id
   cluster         = data.aws_ecs_cluster.ecs.arn
   partition       = data.aws_partition.current.partition
-  region          = data.aws_region.current.name
+  region          = data.aws_region.current.id
   tags            = merge({ "Name" = var.name }, var.tags)
 
   default_container_definitions = jsonencode(

examples/fargate/locals.tf

@@ -7,7 +7,7 @@ locals {
   vpc_id          = data.aws_vpc.supporting.id
   cluster         = data.aws_ecs_cluster.ecs.arn
   partition       = data.aws_partition.current.partition
-  region          = data.aws_region.current.name
+  region          = data.aws_region.current.id
   tags            = merge({ "Name" = var.name }, var.tags)
 
   default_container_definitions = jsonencode(

locals.tf

@@ -1,6 +1,6 @@
 locals {
   create_task_definition = var.deployment_controller_type != "EXTERNAL" && var.create_task_definition ? true : false
-  region                 = data.aws_region.current.name
+  region                 = data.aws_region.current.id
   partition              = data.aws_partition.current.partition
   account_id             = data.aws_caller_identity.current.account_id
   dns_suffix             = data.aws_partition.current.dns_suffix

main.tf

@@ -6,7 +6,7 @@ resource "aws_ecs_service" "service" {
   desired_count                      = var.desired_count
   deployment_minimum_healthy_percent = var.tasks_minimum_healthy_percent
   deployment_maximum_percent         = var.tasks_maximum_percent
-  launch_type                        = var.launch_type
+  launch_type                        = length(var.capacity_provider_strategy) > 0 ? null : var.launch_type
   enable_execute_command             = var.enable_execute_command
   force_new_deployment               = var.force_new_deployment
   triggers                           = var.triggers
@@ -17,6 +17,15 @@ resource "aws_ecs_service" "service" {
     type = var.deployment_controller_type
   }
 
+  dynamic "capacity_provider_strategy" {
+    for_each = var.capacity_provider_strategy
+    content {
+      capacity_provider = capacity_provider_strategy.value.capacity_provider
+      weight           = capacity_provider_strategy.value.weight
+      base             = capacity_provider_strategy.value.base
+    }
+  }
+
   dynamic "network_configuration" {
     for_each = var.network_mode == "awsvpc" ? [var.network_configuration] : []
     content {

tests/supportingResources/main.tf

@@ -1,6 +1,6 @@
 module "ecs_vpc" {
   source                 = "boldlink/vpc/aws"
-  version                = "3.0.4"
+  version                = "3.3.0"
   name                   = var.name
   cidr_block             = var.cidr_block
   enable_dns_support     = var.enable_dns_support
@@ -46,7 +46,7 @@ resource "aws_cloudwatch_log_group" "cluster" {
 
 module "cluster" {
   source  = "boldlink/ecs-cluster/aws"
-  version = "1.1.1"
+  version = "3.0.0"
   name    = var.name
   tags    = local.tags
   configuration = {

variables.tf

@@ -519,5 +519,24 @@ variable "propagate_tags" {
   description = "(Optional) Whether to propagate the tags from the task definition or the service to the tasks. The valid values are SERVICE and TASK_DEFINITION"
   type        = string
   default     = "TASK_DEFINITION"
+}
 
+variable "capacity_provider_strategy" {
+  description = <<-EOT
+  (Optional) Set of capacity provider strategies to use for the service. Can be one or more. List of maps with the following keys:
+  
+  capacity_provider_strategy = [{
+    capacity_provider = string # Name of the capacity provider (FARGATE, FARGATE_SPOT, or custom EC2 capacity provider)
+    weight           = number # Relative percentage of the total number of launched tasks that should use the specified capacity provider
+    base             = number # Number of tasks, at a minimum, to run on the specified capacity provider
+  }]
+  
+  Note: Cannot be used in conjunction with launch_type. If capacity_provider_strategy is specified, launch_type will be ignored.
+  EOT
+  type = list(object({
+    capacity_provider = string
+    weight           = optional(number, 1)
+    base             = optional(number, 0)
+  }))
+  default = []
 }