bootstrap service by service

Author: ivankatliarchuk

README.md

@@ -1,38 +1,38 @@
 # ECS Services Module
 
-Terraform ECS services
+Terraform ECS services bootstrap
 
 ---
 
-![](https://github.com/terraform-module/terraform-aws-ecs-services/workflows/release/badge.svg)
-![](https://github.com/terraform-module/terraform-aws-ecs-services/workflows/commit-check/badge.svg)
-![](https://github.com/terraform-module/terraform-aws-ecs-services/workflows/labeler/badge.svg)
-
-[![](https://img.shields.io/github/license/terraform-module/terraform-aws-ecs-services)](https://github.com/terraform-module/terraform-aws-ecs-services)
-![](https://img.shields.io/github/v/tag/terraform-module/terraform-aws-ecs-services)
-![](https://img.shields.io/issues/github/terraform-module/terraform-aws-ecs-services)
-![](https://img.shields.io/github/issues/terraform-module/terraform-aws-ecs-services)
-![](https://img.shields.io/github/issues-closed/terraform-module/terraform-aws-ecs-services)
-[![](https://img.shields.io/github/languages/code-size/terraform-module/terraform-aws-ecs-services)](https://github.com/terraform-module/terraform-aws-ecs-services)
-[![](https://img.shields.io/github/repo-size/terraform-module/terraform-aws-ecs-services)](https://github.com/terraform-module/terraform-aws-ecs-services)
-![](https://img.shields.io/github/languages/top/terraform-module/terraform-aws-ecs-services?color=green&logo=terraform&logoColor=blue)
-![](https://img.shields.io/github/commit-activity/m/terraform-module/terraform-aws-ecs-services)
-![](https://img.shields.io/github/contributors/terraform-module/terraform-aws-ecs-services)
-![](https://img.shields.io/github/last-commit/terraform-module/terraform-aws-ecs-services)
-[![Maintenance](https://img.shields.io/badge/Maintenu%3F-oui-green.svg)](https://GitHub.com/terraform-module/terraform-aws-ecs-services/graphs/commit-activity)
-[![GitHub forks](https://img.shields.io/github/forks/terraform-module/terraform-aws-ecs-services.svg?style=social&label=Fork)](https://github.com/terraform-module/terraform-aws-ecs-services)
+![](https://github.com/terraform-module/terraform-aws-ecs-bootstrap/workflows/release/badge.svg)
+![](https://github.com/terraform-module/terraform-aws-ecs-bootstrap/workflows/commit-check/badge.svg)
+![](https://github.com/terraform-module/terraform-aws-ecs-bootstrap/workflows/labeler/badge.svg)
+
+[![](https://img.shields.io/github/license/terraform-module/terraform-aws-ecs-bootstrap)](https://github.com/terraform-module/terraform-aws-ecs-bootstrap)
+![](https://img.shields.io/github/v/tag/terraform-module/terraform-aws-ecs-bootstrap)
+![](https://img.shields.io/issues/github/terraform-module/terraform-aws-ecs-bootstrap)
+![](https://img.shields.io/github/issues/terraform-module/terraform-aws-ecs-bootstrap)
+![](https://img.shields.io/github/issues-closed/terraform-module/terraform-aws-ecs-bootstrap)
+[![](https://img.shields.io/github/languages/code-size/terraform-module/terraform-aws-ecs-bootstrap)](https://github.com/terraform-module/terraform-aws-ecs-bootstrap)
+[![](https://img.shields.io/github/repo-size/terraform-module/terraform-aws-ecs-bootstrap)](https://github.com/terraform-module/terraform-aws-ecs-bootstrap)
+![](https://img.shields.io/github/languages/top/terraform-module/terraform-aws-ecs-bootstrap?color=green&logo=terraform&logoColor=blue)
+![](https://img.shields.io/github/commit-activity/m/terraform-module/terraform-aws-ecs-bootstrap)
+![](https://img.shields.io/github/contributors/terraform-module/terraform-aws-ecs-bootstrap)
+![](https://img.shields.io/github/last-commit/terraform-module/terraform-aws-ecs-bootstrap)
+[![Maintenance](https://img.shields.io/badge/Maintenu%3F-oui-green.svg)](https://GitHub.com/terraform-module/terraform-aws-ecs-bootstrap/graphs/commit-activity)
+[![GitHub forks](https://img.shields.io/github/forks/terraform-module/terraform-aws-ecs-bootstrap.svg?style=social&label=Fork)](https://github.com/terraform-module/terraform-aws-ecs-bootstrap)
 
 ---
 
 ## Usage example
 
-IMPORTANT: The master branch is used in source just as an example. In your code, do not pin to master because there may be breaking changes between releases. Instead pin to the release tag (e.g. ?ref=tags/x.y.z) of one of our [latest releases](https://github.com/terraform-module/terraform-aws-ecs-services/releases).
+IMPORTANT: The master branch is used in source just as an example. In your code, do not pin to master because there may be breaking changes between releases. Instead pin to the release tag (e.g. ?ref=tags/x.y.z) of one of our [latest releases](https://github.com/terraform-module/terraform-aws-ecs-bootstrap/releases).
 
 See `examples` directory for working examples to reference:
 
 ```hcl
-module "ecs-services" {
-  source  = "terraform-module/ecs-services/aws"
+module "ecs-bootstrap" {
+  source  = "terraform-module/ecs-bootstrap/aws"
   version = "~> 1"
 }
 ```
@@ -41,15 +41,14 @@ module "ecs-services" {
 
 See `examples` directory for working examples to reference
 
-- [Complete ECS](https://github.com/terraform-module/terraform-aws-ecs-services/tree/master/examples)
+- [Complete ECS](https://github.com/terraform-module/terraform-aws-ecs-bootstrap/tree/master/examples)
 
 ## Assumptions
 
 ## Available features
 
-- Create ECS tasks
-- Create ECS services
-- Memory based autoscaling
+- Create/Update ECS tasks
+- Create/Update ECS services
 - CPU based autoscaling
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -114,17 +113,23 @@ Submit a pull request
 
 # Authors
 
-Currently maintained by [Ivan Katliarchuk](https://github.com/ivankatliarchuk) and these [awesome contributors](https://github.com/terraform-module/terraform-aws-ecs-services/graphs/contributors).
+Currently maintained by [Ivan Katliarchuk](https://github.com/ivankatliarchuk) and these [awesome contributors](https://github.com/terraform-module/terraform-aws-ecs-bootstrap/graphs/contributors).
 
 [![ForTheBadge uses-git](http://ForTheBadge.com/images/badges/uses-git.svg)](https://GitHub.com/)
 
 ## Terraform Registry
 
-- [Module](https://registry.terraform.io/modules/terraform-module/ecs-services/aws)
+- [Module](https://registry.terraform.io/modules/terraform-module/ecs-bootstrap/aws)
 
 ## Resources
 
 - [TFLint Rules](https://github.com/terraform-linters/tflint/tree/master/docs/rules)
 - [Terraform modules](https://registry.terraform.io/namespaces/terraform-module)
 - [Blog: ECS with Fargate and Terraform](https://engineering.finleap.com/posts/2020-02-20-ecs-fargate-terraform/)
 - [Tfm: example](https://github.com/finleap/tf-ecs-fargate-tmpl)
+
+## TODO
+
+- [ ] Tags per resource
+- [ ] Pass default values
+- [ ] Strongly typed objects

ecs.tf

@@ -0,0 +1,71 @@
+resource "aws_ecs_task_definition" "this" {
+  count = try(var.service.create, false) ? 1 : 0
+
+  family                   = try(var.service.family, format("%s-task", var.name_prefix))
+  network_mode             = try(var.service.network_mode, local.defaults.network_mode)
+  requires_compatibilities = try(var.service.compatibilities, [local.defaults.compatibilities])
+  cpu                      = try(var.service.cpu, local.defaults.cpu)
+  memory                   = try(var.service.memory, local.defaults.memory)
+  execution_role_arn       = aws_iam_role.task_execution_role[0].arn
+  task_role_arn            = aws_iam_role.task_role[0].arn
+  container_definitions    = jsonencode(var.service.container_definitions)
+
+  tags = merge(var.tags, {
+    Name = format("%s-task", var.name_prefix)
+  })
+}
+
+resource "aws_ecs_service" "this" {
+  count = try(var.service.create, false) ? 1 : 0
+
+  name                               = local.service_name
+  cluster                            = local.cluster_id
+  task_definition                    = aws_ecs_task_definition.this[count.index].family
+  desired_count                      = try(var.service.desired_count, local.defaults.desired_count)
+  deployment_minimum_healthy_percent = try(var.service.deployment_minimum_healthy_percent, local.defaults.deployment_minimum_healthy_percent)
+  deployment_maximum_percent         = try(var.service.deployment_maximum_percent, local.defaults.deployment_maximum_percent)
+  # InvalidParameterException: Health check grace period is only valid for services configured to use load balancers
+  health_check_grace_period_seconds = try(var.lb.create, false) ? try(var.service.health_check_grace_period_seconds, local.defaults.health_check_grace_period_seconds) : null
+  enable_execute_command            = local.defaults.enable_execute_command
+  launch_type                       = local.defaults.compatibilities
+  scheduling_strategy               = try(var.service.scheduling_strategy, local.defaults.scheduling_strategy)
+
+  network_configuration {
+    security_groups = aws_security_group.this.*.id
+    subnets         = var.subnets
+  }
+
+  dynamic "service_registries" {
+    for_each = var.service.visibility == "private" ? { for k, v in aws_service_discovery_service.this : k => v } : {}
+    content {
+      registry_arn = service_registries.value.arn
+    }
+  }
+
+  dynamic "load_balancer" {
+    for_each = try(var.lb.create, false) ? aws_lb_target_group.this : []
+
+    content {
+      target_group_arn = load_balancer.value.arn
+      container_name   = var.service.container_definitions[count.index].name
+      container_port   = var.service.exposed_port
+    }
+  }
+
+  tags = merge(var.tags, {
+    Name = local.service_name
+  })
+
+  depends_on = [
+    aws_cloudwatch_log_group.this,
+    aws_service_discovery_service.this
+  ]
+
+  # Optional: Allow external changes without Terraform plan difference
+  # we ignore task_definition changes as the revision changes on deploy
+  # of a new version of the application
+  # desired_count is ignored as it can change due to autoscaling policy
+  lifecycle {
+    ignore_changes = [desired_count]
+  }
+}

iam.tf

@@ -1,10 +1,10 @@
-# This role required is due to the fact that the tasks will be executed “serverless” with the Fargate configuration.
-# This means there’s no EC2 instances involved, meaning the permissions that usually go to the EC2 instances have to go somewhere else: the Fargate service. This enables the service to e.g. pull the image from ECR, spin up or deregister tasks etc. AWS provides you with a predefined policy for this, so I just attached this to my role:
-resource "aws_iam_role" "ecs_task_execution_role" {
-  for_each = { for k, v in var.services : k => v if v.create }
-
-  name = "${each.key}-ecs-task-execution-role"
-  tags = merge(var.tags, try(each.value.tags, null))
+################################################################################
+# IAM Actions
+################################################################################
+resource "aws_iam_role" "task_execution_role" {
+  count = try(var.iam.create, false) ? 1 : 0
+  name  = format("%s-ecs-task-execution-role", var.name_prefix)
+  tags  = var.tags
 
   assume_role_policy = <<EOF
 {
@@ -23,12 +23,16 @@ resource "aws_iam_role" "ecs_task_execution_role" {
 EOF
 }
 
-# This role provide permissions what AWS services the task has access to
-resource "aws_iam_role" "ecs_task_role" {
-  for_each = { for k, v in var.services : k => v if v.create }
+resource "aws_iam_role_policy_attachment" "task_execution_role_policy_attachment" {
+  for_each   = { for k, v in local.iam_role_policies : k => v if var.iam.create }
+  role       = aws_iam_role.task_execution_role[0].id
+  policy_arn = each.value
+}
 
-  name = "${each.key}-ecs-task-role"
-  tags = merge(var.tags, try(each.value.tags, null))
+resource "aws_iam_role" "task_role" {
+  count = try(var.iam.create, false) ? 1 : 0
+  name  = format("%s-ecs-task-role", var.name_prefix)
+  tags  = var.tags
 
   assume_role_policy = <<EOF
 {
@@ -45,13 +49,31 @@ resource "aws_iam_role" "ecs_task_role" {
   ]
 }
 EOF
+  depends_on         = [aws_iam_role.task_execution_role]
+}
+
+resource "aws_iam_role_policy" "task_additional_policies_attach" {
+  for_each = { for k, v in var.iam.additional_policies : k => v if var.iam.create }
 
-  depends_on = [aws_iam_role.ecs_task_execution_role]
+  name   = format("%s-%s-ecs-task-service-permissions", var.name_prefix, each.key)
+  role   = aws_iam_role.task_role[0].name
+  policy = each.value
 }
 
-# Why: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html
-resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy_attachment" {
-  for_each   = { for k, v in aws_iam_role.ecs_task_execution_role : k => v }
-  role       = each.value.name
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+################################################################################
+# ECS Autoscaling
+################################################################################
+resource "aws_iam_role" "autoscaling" {
+  count = try(var.scaling.create, false) && try(var.scaling.create_iam_role, false) ? 1 : 0
+
+  name               = format("%s-appautoscaling-role", local.service_name)
+  assume_role_policy = file("${path.module}/templates/autoscaling-role.json")
+}
+
+resource "aws_iam_role_policy" "autoscaling" {
+  count = try(var.scaling.create, false) && try(var.scaling.create_iam_role, false) ? 1 : 0
+
+  name   = format("%s-appautoscaling-policy", local.service_name)
+  policy = file("${path.module}/templates/autoscaling-policy.json")
+  role   = aws_iam_role.autoscaling[count.index].id
 }

lb.tf

@@ -0,0 +1,78 @@
+resource "random_string" "tg" {
+  length  = 3
+  special = false
+
+  keepers = {
+    # Generate a new pet name each time we switch a port
+    lb_port = var.lb.port
+  }
+}
+
+resource "aws_lb_target_group" "this" {
+  count = try(var.lb.create, false) ? 1 : 0
+  # "name" cannot be longer than 32 characters
+  name        = substr(format("%s-%s-tg-ecs", var.name_prefix, random_string.tg.id), 0, 32)
+  port        = var.lb.port
+  protocol    = "HTTP"
+  vpc_id      = var.vpc_id
+  target_type = "ip"
+
+  deregistration_delay = try(var.lb.deregistration_delay, local.defaults.deregistration_delay)
+
+  dynamic "health_check" {
+    iterator = el
+    for_each = { for k, v in { onlyone = var.lb.health_check } : k => v }
+
+    content {
+      enabled             = lookup(el.value, "enabled", true)
+      interval            = lookup(el.value, "interval", 30)
+      path                = lookup(el.value, "path", "/")
+      port                = lookup(el.value, "port", "traffic-port")
+      healthy_threshold   = lookup(el.value, "healthy_threshold", 3)
+      unhealthy_threshold = lookup(el.value, "unhealthy_threshold", 2)
+      timeout             = lookup(el.value, "timeout", 3)
+      protocol            = lookup(el.value, "protocol", "HTTP")
+      matcher             = lookup(el.value, "matcher", 200)
+    }
+  }
+
+  tags = merge(var.tags, {
+    Name = format("%s-tg-ecs", var.name_prefix)
+  })
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_lb_listener_rule" "this" {
+  count = try(var.lb.create, false) ? 1 : 0
+
+  listener_arn = var.lb.listener_arn
+  priority     = var.lb.priority
+
+  dynamic "action" {
+    for_each = aws_lb_target_group.this
+
+    content {
+      type             = "forward"
+      target_group_arn = action.value.arn
+    }
+  }
+
+  dynamic "condition" {
+    for_each = var.lb.lb_rules
+
+    content {
+      host_header {
+        values = formatlist("%s.*", condition.value)
+      }
+    }
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = var.tags
+}

locals.tf

@@ -1,11 +1,32 @@
 locals {
+  cluster_id   = var.cluster_id
+  cluster_name = var.cluster_name
+  service_name = format("%s-svc", var.name_prefix)
+
   defaults = {
-    cpu           = 256
-    memory        = 512
-    desired_count = 2
+    cpu    = 256
+    memory = 512
+
+    enable_execute_command = true
+    deregistration_delay   = 30
+    retention_in_days      = 1
+
+    deployment_minimum_healthy_percent = 100
+    deployment_maximum_percent         = 200
+    health_check_grace_period_seconds  = 10
+
+    compatibilities     = "FARGATE"
+    network_mode        = "awsvpc"
+    scheduling_strategy = "REPLICA"
+  }
+
+  defaults_sds = {
+    routing_policy    = "MULTIVALUE"
+    failure_threshold = 2
+  }
 
-    deregistration_delay = 30
-    network_mode         = "awsvpc"
-    compatibilities      = ["FARGATE"]
+  iam_role_policies = {
+    AmazonEC2ContainerServiceforEC2Role = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+    AmazonSSMManagedInstanceCore        = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
   }
 }