Refactored container definitions out of module (#69)

Abdul Wahid · web-flow · commit 990924594970 · 2023-04-12T15:39:16.000+01:00
* Refactored container definitions out of module

* Turn cloudwatch logging optional

Reason: if the creation of cloudwatch logs happens outside of this module, then that can be passed into the container definitions variable

* chore: Update documentation

* Turn cloudwatch logging optional

* Turn cloudwatch logging optional - fix

Despite turning cloudwatch group resource as optional, the module will still expect a log group arn

* Lint fixes

* Remove square brackets as input is a list

* Revert container name to original

* Comment about 'target_type' for Fargate

* Update target group health check parameters

* Documentation update
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -7,7 +7,7 @@ repos:
   - id: check-executables-have-shebangs
   - id: pretty-format-json
     args: ['--autofix', '--no-sort-keys', '--indent=2']
-  - id: check-byte-order-marker
+  - id: fix-byte-order-marker
   - id: check-case-conflict
   - id: check-executables-have-shebangs
   - id: check-merge-conflict
@@ -18,7 +18,7 @@ repos:
     args: ['--allow-missing-credentials']
   - id: trailing-whitespace
 - repo: https://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.77.0
+  rev: v1.77.2
   hooks:
   - id: terraform_fmt
   - id: terraform_docs
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,21 @@ All notable changes to this project will be documented in this file.
 <a name="unreleased"></a>
 ## [Unreleased]
 
+- Comment about 'target_type' for Fargate
+- Revert container name to original
+- Remove square brackets as input is a list
+- Lint fixes
+- Turn cloudwatch logging optional - fix
+- Turn cloudwatch logging optional
+- chore: Update documentation
+- Turn cloudwatch logging optional
+- Refactored container definitions out of module
+
+
+<a name="6.7.0"></a>
+## [6.7.0] - 2023-02-01
+
+- Add ecs-managed-tags parameter ([#66](https://github.com/umotif-public/terraform-aws-ecs-fargate/issues/66))
 - Add readonlyRootFilesystem to container_definition ([#64](https://github.com/umotif-public/terraform-aws-ecs-fargate/issues/64))
 
 
@@ -257,7 +272,8 @@ All notable changes to this project will be documented in this file.
 - Initial commit
 
 
-[Unreleased]: https://github.com/umotif-public/terraform-aws-ecs-fargate/compare/6.6.0...HEAD
+[Unreleased]: https://github.com/umotif-public/terraform-aws-ecs-fargate/compare/6.7.0...HEAD
+[6.7.0]: https://github.com/umotif-public/terraform-aws-ecs-fargate/compare/6.6.0...6.7.0
 [6.6.0]: https://github.com/umotif-public/terraform-aws-ecs-fargate/compare/6.5.2...6.6.0
 [6.5.2]: https://github.com/umotif-public/terraform-aws-ecs-fargate/compare/6.5.1...6.5.2
 [6.5.1]: https://github.com/umotif-public/terraform-aws-ecs-fargate/compare/6.5.0...6.5.1
diff --git a/README.md b/README.md
@@ -130,9 +130,11 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_capacity_provider_strategy"></a> [capacity\_provider\_strategy](#input\_capacity\_provider\_strategy) | (Optional) The capacity\_provider\_strategy configuration block. This is a list of maps, where each map should contain "capacity\_provider ", "weight" and "base" | `list(any)` | `[]` | no |
 | <a name="input_cluster_id"></a> [cluster\_id](#input\_cluster\_id) | The Amazon Resource Name (ARN) that identifies the cluster. | `string` | n/a | yes |
+| <a name="input_container_definitions"></a> [container\_definitions](#input\_container\_definitions) | A string containing json encoded array of container definitions for Task Definition | `string` | `null` | no |
 | <a name="input_container_name"></a> [container\_name](#input\_container\_name) | Optional name for the container to be used instead of name\_prefix. | `string` | `""` | no |
 | <a name="input_cpu_architecture"></a> [cpu\_architecture](#input\_cpu\_architecture) | cpu architecture for the task | `string` | `"X86_64"` | no |
 | <a name="input_create_repository_credentials_iam_policy"></a> [create\_repository\_credentials\_iam\_policy](#input\_create\_repository\_credentials\_iam\_policy) | Set to true if you are specifying `repository_credentials` variable, it will attach IAM policy with necessary permissions to task role. | `bool` | `false` | no |
+| <a name="input_deny_egress_to_anywhere"></a> [deny\_egress\_to\_anywhere](#input\_deny\_egress\_to\_anywhere) | When this parameter is true, no default egress rule will be created | `bool` | `false` | no |
 | <a name="input_deployment_controller_type"></a> [deployment\_controller\_type](#input\_deployment\_controller\_type) | Type of deployment controller. Valid values: CODE\_DEPLOY, ECS, EXTERNAL. Default: ECS. | `string` | `"ECS"` | no |
 | <a name="input_deployment_maximum_percent"></a> [deployment\_maximum\_percent](#input\_deployment\_maximum\_percent) | The upper limit of the number of running tasks that can be running in a service during a deployment | `number` | `200` | no |
 | <a name="input_deployment_minimum_healthy_percent"></a> [deployment\_minimum\_healthy\_percent](#input\_deployment\_minimum\_healthy\_percent) | The lower limit of the number of running tasks that must remain running and healthy in a service during a deployment | `number` | `50` | no |
@@ -141,10 +143,12 @@ No modules.
 | <a name="input_enable_deployment_circuit_breaker_rollback"></a> [enable\_deployment\_circuit\_breaker\_rollback](#input\_enable\_deployment\_circuit\_breaker\_rollback) | Whether to enable Amazon ECS to roll back the service if a service deployment fails. If rollback is enabled, when a service deployment fails, the service is rolled back to the last deployment that completed successfully. | `bool` | `"false"` | no |
 | <a name="input_enable_ecs_managed_tags"></a> [enable\_ecs\_managed\_tags](#input\_enable\_ecs\_managed\_tags) | Specifies whether to enable Amazon ECS managed tags for the tasks within the service | `bool` | `true` | no |
 | <a name="input_enable_execute_command"></a> [enable\_execute\_command](#input\_enable\_execute\_command) | Specifies whether to enable Amazon ECS Exec for the tasks within the service. | `bool` | `true` | no |
+| <a name="input_enable_logs"></a> [enable\_logs](#input\_enable\_logs) | Turn cloudwatch logging optional | `bool` | `true` | no |
 | <a name="input_force_new_deployment"></a> [force\_new\_deployment](#input\_force\_new\_deployment) | Enable to force a new task deployment of the service. This can be used to update tasks to use a newer Docker image with same image/tag combination (e.g. myimage:latest), roll Fargate tasks onto a newer platform version. | `bool` | `false` | no |
-| <a name="input_health_check"></a> [health\_check](#input\_health\_check) | A health block containing health check settings for the target group. Overrides the defaults. | `map(string)` | n/a | yes |
+| <a name="input_health_check"></a> [health\_check](#input\_health\_check) | A health block containing health check settings for the target group. Overrides the defaults. | `map(string)` | `{}` | no |
 | <a name="input_health_check_grace_period_seconds"></a> [health\_check\_grace\_period\_seconds](#input\_health\_check\_grace\_period\_seconds) | Seconds to ignore failing load balancer health checks on newly instantiated tasks to prevent premature shutdown, up to 7200. Only valid for services configured to use load balancers. | `number` | `300` | no |
 | <a name="input_load_balanced"></a> [load\_balanced](#input\_load\_balanced) | Whether the task should be loadbalanced. | `bool` | `true` | no |
+| <a name="input_log_groups_arn"></a> [log\_groups\_arn](#input\_log\_groups\_arn) | List of CloudWatch Group ARNs to use when enable\_logs is set to false | `list(string)` | `[]` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | Number of days the logs will be retained in CloudWatch. | `number` | `30` | no |
 | <a name="input_logs_kms_key"></a> [logs\_kms\_key](#input\_logs\_kms\_key) | The KMS key ARN to use to encrypt container logs. | `string` | `""` | no |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | A prefix used for naming resources. | `string` | n/a | yes |
@@ -167,10 +171,10 @@ No modules.
 | <a name="input_task_container_entrypoint"></a> [task\_container\_entrypoint](#input\_task\_container\_entrypoint) | The entrypoint that is passed to the container. | `list(string)` | `[]` | no |
 | <a name="input_task_container_environment"></a> [task\_container\_environment](#input\_task\_container\_environment) | The environment variables to pass to a container. | `map(string)` | `{}` | no |
 | <a name="input_task_container_environment_files"></a> [task\_container\_environment\_files](#input\_task\_container\_environment\_files) | The environment variable files (s3 object arns) to pass to a container. Files must use .env file extension. | `list(string)` | `[]` | no |
-| <a name="input_task_container_image"></a> [task\_container\_image](#input\_task\_container\_image) | The image used to start a container. | `string` | n/a | yes |
+| <a name="input_task_container_image"></a> [task\_container\_image](#input\_task\_container\_image) | The image used to start a container. | `string` | `"marcincuber/2048-game:latest"` | no |
 | <a name="input_task_container_memory"></a> [task\_container\_memory](#input\_task\_container\_memory) | The hard limit (in MiB) of memory for the container. | `number` | `null` | no |
 | <a name="input_task_container_memory_reservation"></a> [task\_container\_memory\_reservation](#input\_task\_container\_memory\_reservation) | The soft limit (in MiB) of memory to reserve for the container. | `number` | `null` | no |
-| <a name="input_task_container_port"></a> [task\_container\_port](#input\_task\_container\_port) | The port number on the container that is bound to the user-specified or automatically assigned host port | `number` | n/a | yes |
+| <a name="input_task_container_port"></a> [task\_container\_port](#input\_task\_container\_port) | The port number on the container that is bound to the user-specified or automatically assigned host port | `number` | `80` | no |
 | <a name="input_task_container_protocol"></a> [task\_container\_protocol](#input\_task\_container\_protocol) | Protocol that the container exposes. | `string` | `"HTTP"` | no |
 | <a name="input_task_container_secrets"></a> [task\_container\_secrets](#input\_task\_container\_secrets) | The secrets variables to pass to a container. | `list(map(string))` | `null` | no |
 | <a name="input_task_container_working_directory"></a> [task\_container\_working\_directory](#input\_task\_container\_working\_directory) | The working directory to run commands inside the container. | `string` | `""` | no |
@@ -179,15 +183,14 @@ No modules.
 | <a name="input_task_definition_memory"></a> [task\_definition\_memory](#input\_task\_definition\_memory) | The soft limit (in MiB) of memory to reserve for the task. | `number` | `512` | no |
 | <a name="input_task_health_check"></a> [task\_health\_check](#input\_task\_health\_check) | An optional healthcheck definition for the task | `map(number)` | `null` | no |
 | <a name="input_task_health_command"></a> [task\_health\_command](#input\_task\_health\_command) | A string array representing the command that the container runs to determine if it is healthy. | `list(string)` | `null` | no |
-| <a name="input_task_host_port"></a> [task\_host\_port](#input\_task\_host\_port) | The port number on the container instance to reserve for your container. | `number` | `0` | no |
+| <a name="input_task_host_port"></a> [task\_host\_port](#input\_task\_host\_port) | The port number on the container instance to reserve for your container. | `number` | `80` | no |
 | <a name="input_task_mount_points"></a> [task\_mount\_points](#input\_task\_mount\_points) | The mount points for data volumes in your container. Each object inside the list requires "sourceVolume", "containerPath" and "readOnly". For more information see https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html | `list(object({ sourceVolume = string, containerPath = string, readOnly = bool }))` | `null` | no |
 | <a name="input_task_pseudo_terminal"></a> [task\_pseudo\_terminal](#input\_task\_pseudo\_terminal) | Allocate TTY in the container | `bool` | `null` | no |
 | <a name="input_task_start_timeout"></a> [task\_start\_timeout](#input\_task\_start\_timeout) | Time duration (in seconds) to wait before giving up on resolving dependencies for a container. If this parameter is not specified, the default value of 3 minutes is used (fargate). | `number` | `null` | no |
 | <a name="input_task_stop_timeout"></a> [task\_stop\_timeout](#input\_task\_stop\_timeout) | Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own. The max stop timeout value is 120 seconds and if the parameter is not specified, the default value of 30 seconds is used. | `number` | `null` | no |
 | <a name="input_volume"></a> [volume](#input\_volume) | (Optional) A set of volume blocks that containers in your task may use. This is a list of maps, where each map should contain "name", "host\_path", "docker\_volume\_configuration" and "efs\_volume\_configuration". Full set of options can be found at https://www.terraform.io/docs/providers/aws/r/ecs_task_definition.html | `list(any)` | `[]` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The VPC ID. | `string` | n/a | yes |
 | <a name="input_wait_for_steady_state"></a> [wait\_for\_steady\_state](#input\_wait\_for\_steady\_state) | If true, Terraform will wait for the service to reach a steady state (like aws ecs wait services-stable) before continuing. | `bool` | `false` | no |
-| <a name="deny_egress_to_anywhere"></a> [deny\_egress\_to\_anywhere](#deny\_egress\_to\_anywhere) | If true, Terraform will no create the default egress rule which allows all outgoing traffic. | `bool` | `false` | no |
 
 ## Outputs
 
@@ -202,6 +205,7 @@ No modules.
 | <a name="output_target_group_arn"></a> [target\_group\_arn](#output\_target\_group\_arn) | The ARN of the Target Group used by Load Balancer. |
 | <a name="output_target_group_name"></a> [target\_group\_name](#output\_target\_group\_name) | The Name of the Target Group used by Load Balancer. |
 | <a name="output_task_definition_arn"></a> [task\_definition\_arn](#output\_task\_definition\_arn) | The Amazon Resource Name (ARN) of the task definition created |
+| <a name="output_task_definition_container_definitions"></a> [task\_definition\_container\_definitions](#output\_task\_definition\_container\_definitions) | A list of container definitions |
 | <a name="output_task_definition_name"></a> [task\_definition\_name](#output\_task\_definition\_name) | The name of the task definition created |
 | <a name="output_task_role_arn"></a> [task\_role\_arn](#output\_task\_role\_arn) | The Amazon Resource Name (ARN) specifying the ECS service role. |
 | <a name="output_task_role_name"></a> [task\_role\_name](#output\_task\_role\_name) | The name of the Fargate task service role. |
diff --git a/data.tf b/data.tf
@@ -15,18 +15,34 @@ data "aws_iam_policy_document" "task_assume" {
 
 # Task logging privileges
 data "aws_iam_policy_document" "task_permissions" {
-  statement {
-    effect = "Allow"
+  dynamic "statement" {
+    for_each = var.enable_logs ? [1] : []
+    content {
+      effect = "Allow"
+
+      resources = [
+        aws_cloudwatch_log_group.main[0].arn,
+        "${aws_cloudwatch_log_group.main[0].arn}:*"
+      ]
+
+      actions = [
+        "logs:CreateLogStream",
+        "logs:PutLogEvents",
+      ]
+    }
+  }
 
-    resources = [
-      aws_cloudwatch_log_group.main.arn,
-      "${aws_cloudwatch_log_group.main.arn}:*"
-    ]
+  dynamic "statement" {
+    for_each = var.enable_logs ? [] : [1]
 
-    actions = [
-      "logs:CreateLogStream",
-      "logs:PutLogEvents",
-    ]
+    content {
+      effect    = "Allow"
+      resources = var.log_groups_arn
+      actions = [
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ]
+    }
   }
 }
 
@@ -118,4 +134,4 @@ data "aws_iam_policy_document" "get_environment_files" {
 
 data "aws_ecs_task_definition" "task" {
   task_definition = aws_ecs_task_definition.task.family
-}
+}
diff --git a/examples/core/main.tf b/examples/core/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_version = ">= 1.0.11"
 
   required_providers {
-    aws = ">= 4.0.0"
+    aws = ">= 4.6.0"
   }
 }
 
diff --git a/examples/external-container-definitions/main.tf b/examples/external-container-definitions/main.tf
@@ -0,0 +1,188 @@
+terraform {
+  required_version = ">= 1.0.11"
+
+  required_providers {
+    aws = ">= 4.8.0"
+  }
+}
+
+provider "aws" {
+  region = "eu-west-1"
+}
+
+#####
+# VPC and subnets
+#####
+data "aws_vpc" "default" {
+  default = true
+}
+
+data "aws_subnets" "all" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.default.id]
+  }
+}
+
+#####
+# ECS cluster and fargate
+#####
+resource "aws_ecs_cluster" "cluster" {
+  name = "ecs-external-container-definitions-test"
+
+  setting {
+    name  = "containerInsights"
+    value = "disabled"
+  }
+}
+
+resource "aws_ecs_cluster_capacity_providers" "cluster" {
+  cluster_name = aws_ecs_cluster.cluster.name
+
+  capacity_providers = ["FARGATE_SPOT", "FARGATE"]
+
+  default_capacity_provider_strategy {
+    capacity_provider = "FARGATE_SPOT"
+  }
+}
+
+module "container_1" {
+  source  = "cloudposse/ecs-container-definition/aws"
+  version = "0.58.2"
+
+  container_name  = "example"
+  container_image = "hello-world:latest"
+
+  port_mappings = [
+    {
+      containerPort = 80
+      hostPort      = 80
+      protocol      = "tcp"
+    }
+  ]
+
+}
+
+module "container_2" {
+  source  = "cloudposse/ecs-container-definition/aws"
+  version = "0.58.2"
+
+  container_name  = "example-2"
+  container_image = "hello-world:latest"
+
+  port_mappings = [
+    {
+      containerPort = 81
+      hostPort      = 81
+      protocol      = "udp"
+    }
+  ]
+
+  container_depends_on = [
+    {
+      containerName = "example"
+      condition     = "START"
+    }
+  ]
+}
+
+#####
+# ALB
+#####
+module "alb" {
+  source  = "umotif-public/alb/aws"
+  version = "~> 2.0"
+
+  name_prefix        = "alb-example"
+  load_balancer_type = "application"
+  internal           = false
+  vpc_id             = data.aws_vpc.default.id
+  subnets            = data.aws_subnets.all.ids
+}
+
+resource "aws_lb_listener" "alb_80" {
+  load_balancer_arn = module.alb.arn
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = module.fargate.target_group_arn[0]
+  }
+}
+
+#####
+# Security Group Config
+#####
+resource "aws_security_group_rule" "alb_ingress_80" {
+  security_group_id = module.alb.security_group_id
+  type              = "ingress"
+  protocol          = "tcp"
+  from_port         = 80
+  to_port           = 80
+  cidr_blocks       = ["0.0.0.0/0"]
+  ipv6_cidr_blocks  = ["::/0"]
+}
+
+resource "aws_security_group_rule" "task_ingress_80" {
+  security_group_id        = module.fargate.service_sg_id
+  type                     = "ingress"
+  protocol                 = "tcp"
+  from_port                = 80
+  to_port                  = 80
+  source_security_group_id = module.alb.security_group_id
+}
+
+module "fargate" {
+  source = "../../"
+
+  name_prefix        = "ecs-fargate-example-2"
+  vpc_id             = data.aws_vpc.default.id
+  private_subnet_ids = data.aws_subnets.all.ids
+
+  cluster_id = aws_ecs_cluster.cluster.id
+
+  container_definitions = jsonencode([
+    module.container_1.json_map_object,
+    module.container_2.json_map_object
+  ])
+
+  capacity_provider_strategy = [
+    {
+      capacity_provider = "FARGATE_SPOT",
+      weight            = 100
+    }
+  ]
+
+  enable_deployment_circuit_breaker          = true
+  enable_deployment_circuit_breaker_rollback = true
+
+  health_check = {
+    port = "traffic-port"
+    path = "/"
+  }
+
+  target_groups = [
+    {
+      container_name    = "example"
+      target_group_name = "tg-example"
+      container_port    = 80
+    }
+  ]
+
+}
+
+output "first_container_json" {
+  description = "Container definition in JSON format"
+  value       = module.container_1.json_map_encoded_list
+}
+
+output "second_container_json" {
+  description = "Container definition in JSON format"
+  value       = module.container_2.json_map_encoded_list
+}
+
+output "task_definition_container_definitions" {
+  description = "A list of container definitions"
+  value       = module.fargate.task_definition_container_definitions
+}
diff --git a/examples/fargate-efs/main.tf b/examples/fargate-efs/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_version = ">= 1.0.11"
 
   required_providers {
-    aws = ">= 4.0.0"
+    aws = ">= 4.8.0"
   }
 }
 
diff --git a/examples/fargate-spot/main.tf b/examples/fargate-spot/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_version = ">= 1.0.11"
 
   required_providers {
-    aws = ">= 4.0.0"
+    aws = ">= 4.6.0"
   }
 }
 
diff --git a/examples/multiple-target-groups/main.tf b/examples/multiple-target-groups/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_version = ">= 1.0.11"
 
   required_providers {
-    aws = ">= 4.0.0"
+    aws = ">= 4.6.0"
   }
 }
 
diff --git a/locals.tf b/locals.tf
diff --git a/main.tf b/main.tf
diff --git a/outputs.tf b/outputs.tf
diff --git a/variables.tf b/variables.tf

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@ terraform {`
`2`	`2`	`required_version = ">= 1.0.11"`
`3`	`3`
`4`	`4`	`required_providers {`
`5`		`- aws = ">= 4.0.0"`
	`5`	`+ aws = ">= 4.6.0"`
`6`	`6`	`}`
`7`	`7`	`}`
`8`	`8`