Add initial configuration for ecs fargate module

Author: marcincuber

.gitignore

@@ -0,0 +1,7 @@
+*.DS_Store
+errored.tfstate
+.terraform
+crash.log
+terraform.tfstate
+*.tfstate*
+terraform.tfvars

README.md

@@ -1,2 +1,60 @@
-# terraform-ecs-fargate
-Terraform module to create ECS FARGATE services
+# terraform-aws-ecs-fargate
+Terraform module to create AWS ECS FARGATE services
+
+## Terraform versions
+
+Terraform 0.12. Pin module version to `~> v1.0`. Submit pull-requests to `master` branch.
+
+## Usage
+
+### Application Load Balancer
+
+```hcl
+resource "aws_ecs_cluster" "cluster" {
+  name = "example-ecs-cluster"
+}
+
+module "ecs-farage" {
+  source = "umotif-public/ecs-fargate/aws"
+  version = "~> 1.0"
+  
+  name_prefix        = "ecs-fargate-example"
+  vpc_id             = "vpc-abasdasd132"
+  private_subnet_ids = ["subnet-abasdasd132123", "subnet-abasdasd132123132"]
+  lb_arn             = "arn:aws:asdasdasdasdasdasad"
+
+  cluster_id         = aws_ecs_cluster.cluster.id
+
+  task_container_image   = "marcincuber/2048-game:latest"
+  task_definition_cpu    = 256
+  task_definition_memory = 512
+
+  task_container_port             = 80
+  task_container_assign_public_ip = true
+
+  health_check = {
+    port = "traffic-port"
+    path = "/"
+  }
+
+  tags = {
+    Project = "Test"
+  }
+}
+```
+
+## Assumptions
+
+Module is to be used with Terraform > 0.12.
+
+## Examples
+
+* [ECS Fargate](https://github.com/umotif-public/terraform-aws-ecs-fargate/tree/master/examples/core)
+
+## Authors
+
+Module managed by [Marcin Cuber](https://github.com/marcincuber) [linkedin](https://www.linkedin.com/in/marcincuber/).
+
+## License
+
+See LICENSE for full details.

data.tf

@@ -0,0 +1 @@
+data "aws_region" "current" {}

examples/core/main.tf

@@ -0,0 +1,97 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+#####
+# VPC and subnets
+#####
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 2.21"
+
+  name = "simple-vpc"
+
+  cidr = "10.0.0.0/16"
+
+  azs             = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+  enable_nat_gateway = false
+}
+
+#####
+# ALB
+#####
+module "alb" {
+  source  = "umotif-public/alb/aws"
+  version = "~> 1.0"
+
+  name_prefix        = "alb-example"
+  load_balancer_type = "application"
+  internal           = false
+  vpc_id             = module.vpc.vpc_id
+  subnets            = module.vpc.public_subnets
+}
+
+resource "aws_lb_listener" "alb_80" {
+  load_balancer_arn = module.alb.arn
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = module.fargate.target_group_arn
+  }
+}
+
+#####
+# Security Group Config
+#####
+resource "aws_security_group_rule" "alb_ingress_80" {
+  security_group_id = module.alb.security_group_id
+  type              = "ingress"
+  protocol          = "tcp"
+  from_port         = 80
+  to_port           = 80
+  cidr_blocks       = ["0.0.0.0/0"]
+  ipv6_cidr_blocks  = ["::/0"]
+}
+
+resource "aws_security_group_rule" "task_ingress_80" {
+  security_group_id        = module.fargate.service_sg_id
+  type                     = "ingress"
+  protocol                 = "tcp"
+  from_port                = 80
+  to_port                  = 80
+  source_security_group_id = module.alb.security_group_id
+}
+
+#####
+# ECS cluster and fargate
+#####
+resource "aws_ecs_cluster" "cluster" {
+  name = "example-ecs-cluster"
+}
+
+module "fargate" {
+  source = "../../"
+
+  name_prefix        = "ecs-fargate-example"
+  vpc_id             = module.vpc.vpc_id
+  private_subnet_ids = module.vpc.public_subnets
+  lb_arn             = module.alb.arn
+  cluster_id         = aws_ecs_cluster.cluster.id
+
+  task_container_image   = "marcincuber/2048-game:latest"
+  task_definition_cpu    = 256
+  task_definition_memory = 512
+
+  task_container_port             = 80
+  task_container_assign_public_ip = true
+
+  health_check = {
+    port = "traffic-port"
+    path = "/"
+  }
+}

main.tf

@@ -0,0 +1,203 @@
+#####
+# Cloudwatch
+#####
+resource "aws_cloudwatch_log_group" "main" {
+  name              = var.name_prefix
+  retention_in_days = var.log_retention_in_days
+  tags              = var.tags
+}
+
+#####
+# IAM - Task execution role, needed to pull ECR images etc.
+#####
+resource "aws_iam_role" "execution" {
+  name               = "${var.name_prefix}-task-execution-role"
+  assume_role_policy = data.aws_iam_policy_document.task_assume.json
+}
+
+resource "aws_iam_role_policy" "task_execution" {
+  name   = "${var.name_prefix}-task-execution"
+  role   = aws_iam_role.execution.id
+  policy = data.aws_iam_policy_document.task_execution_permissions.json
+}
+
+resource "aws_iam_role_policy" "read_repository_credentials" {
+  count = length(var.repository_credentials) != 0 ? 1 : 0
+
+  name   = "${var.name_prefix}-read-repository-credentials"
+  role   = aws_iam_role.execution.id
+  policy = data.aws_iam_policy_document.read_repository_credentials.json
+}
+
+#####
+# IAM - Task role, basic. Append policies to this role for S3, DynamoDB etc.
+#####
+resource "aws_iam_role" "task" {
+  name               = "${var.name_prefix}-task-role"
+  assume_role_policy = data.aws_iam_policy_document.task_assume.json
+}
+
+resource "aws_iam_role_policy" "log_agent" {
+  name   = "${var.name_prefix}-log-permissions"
+  role   = aws_iam_role.task.id
+  policy = data.aws_iam_policy_document.task_permissions.json
+}
+
+#####
+# Security groups
+#####
+resource "aws_security_group" "ecs_service" {
+  vpc_id      = var.vpc_id
+  name        = "${var.name_prefix}-ecs-service-sg"
+  description = "Fargate service security group"
+  tags = merge(
+    var.tags,
+    {
+      Name = "${var.name_prefix}-sg"
+    },
+  )
+}
+
+resource "aws_security_group_rule" "egress_service" {
+  security_group_id = aws_security_group.ecs_service.id
+  type              = "egress"
+  protocol          = "-1"
+  from_port         = 0
+  to_port           = 0
+  cidr_blocks       = ["0.0.0.0/0"]
+  ipv6_cidr_blocks  = ["::/0"]
+}
+
+#####
+# Load Balancer Target group
+#####
+resource "aws_lb_target_group" "task" {
+  vpc_id      = var.vpc_id
+  protocol    = var.task_container_protocol
+  port        = var.task_container_port
+  target_type = "ip"
+  dynamic "health_check" {
+    for_each = [var.health_check]
+    content {
+      enabled             = lookup(health_check.value, "enabled", null)
+      healthy_threshold   = lookup(health_check.value, "healthy_threshold", null)
+      interval            = lookup(health_check.value, "interval", null)
+      matcher             = lookup(health_check.value, "matcher", null)
+      path                = lookup(health_check.value, "path", null)
+      port                = lookup(health_check.value, "port", null)
+      protocol            = lookup(health_check.value, "protocol", null)
+      timeout             = lookup(health_check.value, "timeout", null)
+      unhealthy_threshold = lookup(health_check.value, "unhealthy_threshold", null)
+    }
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = merge(
+    var.tags,
+    {
+      Name = "${var.name_prefix}-target-${var.task_container_port}"
+    },
+  )
+}
+
+#####
+# ECS Task/Service
+#####
+locals {
+  task_environment = [
+    for k, v in var.task_container_environment : {
+      name  = k
+      value = v
+    }
+  ]
+}
+
+resource "aws_ecs_task_definition" "task" {
+  family                   = var.name_prefix
+  execution_role_arn       = aws_iam_role.execution.arn
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  cpu                      = var.task_definition_cpu
+  memory                   = var.task_definition_memory
+  task_role_arn            = aws_iam_role.task.arn
+
+  container_definitions = <<EOF
+[{
+    "name": "${var.container_name != "" ? var.container_name : var.name_prefix}",
+    "image": "${var.task_container_image}",
+    %{if var.repository_credentials != ""~}
+    "repositoryCredentials": {
+        "credentialsParameter": "${var.repository_credentials}"
+    },
+    %{~endif}
+    "essential": true,
+    "portMappings": [
+        {
+            "containerPort": ${var.task_container_port},
+            "hostPort": ${var.task_container_port},
+            "protocol":"tcp"
+        }
+    ],
+    "logConfiguration": {
+        "logDriver": "awslogs",
+        "options": {
+            "awslogs-group": "${aws_cloudwatch_log_group.main.name}",
+            "awslogs-region": "${data.aws_region.current.name}",
+            "awslogs-stream-prefix": "container"
+        }
+    },
+    "command": ${jsonencode(var.task_container_command)},
+    "environment": ${jsonencode(local.task_environment)}
+}]
+EOF
+}
+
+resource "aws_ecs_service" "service" {
+  depends_on                         = [null_resource.lb_exists]
+  name                               = var.name_prefix
+  cluster                            = var.cluster_id
+  task_definition                    = aws_ecs_task_definition.task.arn
+  desired_count                      = var.desired_count
+  launch_type                        = "FARGATE"
+  deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
+  deployment_maximum_percent         = var.deployment_maximum_percent
+  health_check_grace_period_seconds  = var.health_check_grace_period_seconds
+
+  network_configuration {
+    subnets          = var.private_subnet_ids
+    security_groups  = [aws_security_group.ecs_service.id]
+    assign_public_ip = var.task_container_assign_public_ip
+  }
+
+  load_balancer {
+    container_name   = var.container_name != "" ? var.container_name : var.name_prefix
+    container_port   = var.task_container_port
+    target_group_arn = aws_lb_target_group.task.arn
+  }
+
+  deployment_controller {
+    type = var.deployment_controller_type # CODE_DEPLOY or ECS
+  }
+
+  dynamic "service_registries" {
+    for_each = var.service_registry_arn == "" ? [] : [1]
+    content {
+      registry_arn   = var.service_registry_arn
+      container_port = var.task_container_port
+      container_name = var.container_name != "" ? var.container_name : var.name_prefix
+    }
+  }
+}
+
+# HACK: The workaround used in ecs/service does not work for some reason in this module, this fixes the following error:
+# "The target group with targetGroupArn arn:aws:elasticloadbalancing:... does not have an associated load balancer."
+# see https://github.com/hashicorp/terraform/issues/12634.
+# Service depends on this resources which prevents it from being created until the LB is ready
+resource "null_resource" "lb_exists" {
+  triggers = {
+    alb_name = var.lb_arn
+  }
+}