ecs-background: support scheduling of ECS task via EventBridge

- BREAKING CHANGE: var.codepipeline_enabled (default: false) now controls provisioning of CodePipeline and CodeBuild resources. Previously this was enabled by setting var.container_image to null.
- BREAKING CHANGE: the ssm parameter store access policy was changed to use a different path. This can be improved in future by dynamically accessing context values using label_order.
- If var.container_image is null, an ECR repo will be created
- expose ECR mutability via var.ecr_mutability

Author: joe-niland

modules/ecs-background/main.tf

@@ -2,7 +2,9 @@ locals {
 
   default_queue_name = "app"
 
-  codepipeline_enabled = module.this.enabled && var.container_image == null
+  codepipeline_enabled = module.this.enabled && var.codepipeline_enabled
+
+  ecr_enabled = module.this.enabled && var.container_image == null
 
   codepipeline_group_events_map = {
     all = [
@@ -62,12 +64,12 @@ module "ecr" {
   source  = "cloudposse/ecr/aws"
   version = "0.42.1"
 
-  enabled = local.codepipeline_enabled
+  enabled = local.ecr_enabled
 
   use_fullname         = true
   scan_images_on_push  = true
   max_image_count      = var.ecr_max_image_count
-  image_tag_mutability = "MUTABLE"
+  image_tag_mutability = var.ecr_image_tag_mutability
 
   force_delete = var.ecr_force_delete
 
@@ -82,8 +84,9 @@ module "container_label" {
 }
 
 module "container" {
-  source                       = "cloudposse/ecs-container-definition/aws"
-  version                      = "0.61.2"
+  source  = "cloudposse/ecs-container-definition/aws"
+  version = "0.61.2"
+
   container_name               = module.container_label.id
   container_image              = var.container_image == null ? join(":", [module.ecr.repository_url, "latest"]) : var.container_image
   container_memory             = var.container_memory
@@ -93,6 +96,8 @@ module "container" {
   stop_timeout                 = var.container_stop_timeout
   essential                    = true
 
+  container_definition = var.container_overrides
+
   healthcheck = var.container_healthcheck
 
   readonly_root_filesystem = false
@@ -130,7 +135,7 @@ module "container" {
 
 module "ecs_task" {
   source  = "cloudposse/ecs-alb-service-task/aws"
-  version = "0.76.1"
+  version = "0.78.0"
 
   context = module.this.context
 
@@ -210,7 +215,14 @@ data "aws_iam_policy_document" "ecs_task" {
     ]
 
     resources = [
-      "arn:aws:ssm:${var.aws_region}:${var.aws_account_id}:parameter/${module.this.namespace}/${module.this.stage}/${var.ssm_param_store_app_key}/*"
+      join("/", compact(["arn:aws:ssm:${var.aws_region}:${var.aws_account_id}:parameter",
+        module.this.namespace,
+        module.this.environment,
+        module.this.stage,
+        var.ssm_param_store_app_key,
+        "*"
+      ]))
+
     ]
 
     effect = "Allow"

modules/ecs-background/outputs.tf

@@ -27,3 +27,13 @@ output "ecs_task_definition_revision" {
   description = "ECS task definition revision"
   value       = module.ecs_task.task_definition_revision
 }
+
+output "ecr_repository_name" {
+  description = "ECR repository name"
+  value       = module.ecr.repository_name
+}
+
+output "ecr_repository_url" {
+  description = "ECR repository URL"
+  value       = module.ecr.repository_url
+}

modules/ecs-background/schedule.tf

@@ -0,0 +1,117 @@
+# ECS Scheduled Task using EventBridge
+
+locals {
+  schedule_enabled = module.this.enabled && var.schedule_expression != null && var.schedule_expression != ""
+}
+
+module "schedule_label" {
+  source     = "cloudposse/label/null"
+  version    = "0.25.0"
+  attributes = ["scheduled-task"]
+  enabled    = local.schedule_enabled
+  context    = module.this.context
+}
+
+resource "aws_iam_role" "scheduler" {
+  name = module.schedule_label.id
+
+  count = local.schedule_enabled ? 1 : 0
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = ["scheduler.amazonaws.com"]
+        }
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "scheduler" {
+
+  count = local.schedule_enabled ? 1 : 0
+
+  policy_arn = join("", aws_iam_policy.scheduler[*].arn)
+  role       = join("", aws_iam_role.scheduler[*].name)
+}
+
+resource "aws_iam_policy" "scheduler" {
+  name = module.schedule_label.id
+
+  count = local.schedule_enabled ? 1 : 0
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        # allow scheduler to execute the task
+        Effect = "Allow",
+        Action = [
+          "ecs:RunTask"
+        ]
+        Resource = [module.ecs_task.task_definition_arn_without_revision]
+      },
+      { # allow scheduler to set the IAM roles of your task
+        Effect = "Allow",
+        Action = [
+          "iam:PassRole"
+        ]
+        Resource = [module.ecs_task.task_role_arn, module.ecs_task.task_exec_role_arn]
+      },
+    ]
+  })
+}
+
+resource "aws_scheduler_schedule" "scheduled_task" {
+  name = module.schedule_label.id
+
+  count = local.schedule_enabled ? 1 : 0
+
+  group_name = "default"
+
+  flexible_time_window {
+    mode = "OFF"
+  }
+
+  schedule_expression          = var.schedule_expression
+  schedule_expression_timezone = var.schedule_expression_timezone
+
+  target {
+    arn = var.ecs_cluster_arn
+    # role that allows scheduler to start the task
+    role_arn = join("", aws_iam_role.scheduler[*].arn)
+
+    ecs_parameters {
+      # schedule always uses latest revision
+      task_definition_arn = module.ecs_task.task_definition_arn_without_revision
+      launch_type         = var.ecs_launch_type
+      dynamic "capacity_provider_strategy" {
+        for_each = var.ecs_capacity_provider_strategies
+
+        content {
+          base              = capacity_provider_strategy.value.base
+          capacity_provider = capacity_provider_strategy.value.capacity_provider
+          weight            = capacity_provider_strategy.value.weight
+        }
+      }
+
+
+      network_configuration {
+        assign_public_ip = var.assign_public_ip
+        security_groups  = var.ecs_security_group_ids
+        subnets          = var.subnet_ids
+      }
+
+      propagate_tags = "TASK_DEFINITION"
+    }
+
+    retry_policy {
+      maximum_event_age_in_seconds = 600
+      maximum_retry_attempts       = 5
+    }
+  }
+}