This terraform module builds an Elastic Container Service(ECS) Cluster in AWS.
The following resources will be created:
- Elastic File System (EFS)
- Auto Scaling
- CloudWatch alarms for (Application Load Balancer ,Auto Scale,ECS and EFS)
- S3 Bucket to store logs from the application Load Balancer access
- Security groups for (ALB,ALB-INTERNAL,ECS NODES, RDS DB)
- Web Application Firewall (WAF)
- Instances for ECS Workers
- IAM roles and policies for the container instances
In addition you have the option to create or not :
- Application Load Balancer (ALB)
- alb - An external ALB
- alb_internal - A second internal ALB for private APIs
- alb_only - Deploy only an Application Load Balancer and no cloudFront or not with the cluster
module "ecs_apps" {
# source = "git::https://github.com/DNXLabs/terraform-aws-ecs.git?ref=0.1.0"
name = "${local.workspace["cluster_name"]}"
intance_types = ["t3.large","t2.large","m2.xlarge"]
vpc_id = "${data.aws_vpc.selected.id}"
private_subnet_ids = ["${data.aws_subnet_ids.private.ids}"]
public_subnet_ids = ["${data.aws_subnet_ids.public.ids}"]
secure_subnet_ids = ["${data.aws_subnet_ids.secure.ids}"]
certificate_arn = "${data.aws_acm_certificate.dnx_host.arn}"
on_demand_percentage = 0
asg_min = 1
asg_max = 4
asg_memory_target = 50
}
Name | Version |
---|---|
terraform | >= 0.13.0 |
Name | Version |
---|---|
aws | n/a |
random | n/a |
template | n/a |
tls | n/a |
Name | Description | Type | Default | Required |
---|---|---|---|---|
alarm_alb_400_errors_threshold | Max threshold of HTTP 4000 errors allowed in a 5 minutes interval (use 0 to disable this alarm). | number |
10 |
no |
alarm_alb_500_errors_threshold | Max threshold of HTTP 500 errors allowed in a 5 minutes interval (use 0 to disable this alarm). | number |
10 |
no |
alarm_alb_latency_anomaly_threshold | ALB Latency anomaly detection width (use 0 to disable this alarm). | number |
2 |
no |
alarm_asg_high_cpu_threshold | Max threshold average CPU percentage allowed in a 2 minutes interval (use 0 to disable this alarm). | number |
80 |
no |
alarm_ecs_high_cpu_threshold | Max threshold average CPU percentage allowed in a 2 minutes interval (use 0 to disable this alarm). | number |
80 |
no |
alarm_ecs_high_memory_threshold | Max threshold average Memory percentage allowed in a 2 minutes interval (use 0 to disable this alarm). | number |
80 |
no |
alarm_efs_credits_low_threshold | Alerts when EFS credits fell below this number in bytes - default 1000000000000 is 1TB of a maximum of 2.31T of credits (use 0 to disable this alarm). | number |
1000000000000 |
no |
alarm_prefix | String prefix for cloudwatch alarms. (Optional) | string |
"alarm" |
no |
alarm_sns_topics | Alarm topics to create and alert on ECS instance metrics. | list |
[] |
no |
alb | Whether to deploy an ALB or not with the cluster. | bool |
true |
no |
alb_drop_invalid_header_fields | Indicates whether HTTP headers with invalid header fields are removed by the load balancer (true) or routed to targets (false). | bool |
true |
no |
alb_enable_deletion_protection | Enable deletion protection for ALBs | bool |
false |
no |
alb_http_listener | Whether to enable HTTP listeners | bool |
true |
no |
alb_internal | Deploys a second internal ALB for private APIs. | bool |
false |
no |
alb_internal_ssl_policy | The name of the SSL Policy for the listener. Required if protocol is HTTPS or TLS. | string |
"ELBSecurityPolicy-TLS-1-2-Ext-2018-06" |
no |
alb_only | Whether to deploy only an alb and no cloudFront or not with the cluster. | bool |
false |
no |
alb_sg_allow_egress_https_world | Whether to allow ALB to access HTTPS endpoints - needed when using OIDC authentication | bool |
true |
no |
alb_sg_allow_test_listener | Whether to allow world access to the test listeners | bool |
true |
no |
alb_ssl_policy | The name of the SSL Policy for the listener. Required if protocol is HTTPS or TLS. | string |
"ELBSecurityPolicy-2016-08" |
no |
architecture | Architecture to select the AMI, x86_64 or arm64 | string |
"x86_64" |
no |
asg_capacity_rebalance | Indicates whether capacity rebalance is enabled | bool |
false |
no |
asg_max | Max number of instances for autoscaling group. | number |
4 |
no |
asg_min | Min number of instances for autoscaling group. | number |
1 |
no |
asg_protect_from_scale_in | (Optional) Allows setting instance protection. The autoscaling group will not select instances with this setting for termination during scale in events. | bool |
false |
no |
asg_target_capacity | Target average capacity percentage for the ECS capacity provider to track for autoscaling. | number |
70 |
no |
autoscaling_default_cooldown | The amount of time, in seconds, after a scaling activity completes before another scaling activity can start. | number |
300 |
no |
autoscaling_health_check_grace_period | The length of time that Auto Scaling waits before checking an instance's health status. The grace period begins when an instance comes into service. | number |
300 |
no |
backup | Assing a backup tag to efs resource - Backup will be performed by AWS Backup. | string |
"true" |
no |
certificate_arn | n/a | any |
n/a | yes |
certificate_internal_arn | certificate arn for internal ALB. | string |
"" |
no |
create_efs | Enables creation of EFS volume for cluster | bool |
true |
no |
create_iam_service_linked_role | Create iam_service_linked_role for ECS or not. | bool |
false |
no |
ebs_key_arn | ARN of a KMS Key to use on EBS volumes | string |
"" |
no |
ec2_key_enabled | Generate a SSH private key and include in launch template of ECS nodes | bool |
false |
no |
efs_key_arn | ARN of a KMS Key to use on EFS volumes | string |
"" |
no |
efs_lifecycle_transition_to_ia | Option to enable EFS Lifecycle Transaction to IA | string |
"" |
no |
efs_lifecycle_transition_to_primary_storage_class | Option to enable EFS Lifecycle Transaction to Primary Storage Class | bool |
false |
no |
enable_schedule | Enables schedule to shut down and start up instances outside business hours. | bool |
false |
no |
extra_certificate_arns | Extra ACM certificates to add to ALB Listeners | list(string) |
[] |
no |
fargate_only | Enable when cluster is only for fargate and does not require ASG/EC2/EFS infrastructure | bool |
false |
no |
instance_types | Instance type for ECS workers | list(any) |
[] |
no |
instance_volume_size | Volume size for docker volume (in GB). | number |
30 |
no |
instance_volume_size_root | Volume size for root volume (in GB). | number |
16 |
no |
lb_access_logs_bucket | Bucket to store logs from lb access. | string |
"" |
no |
lb_access_logs_prefix | Bucket prefix to store lb access logs. | string |
"" |
no |
name | Name of this ECS cluster. | any |
n/a | yes |
on_demand_base_capacity | You can designate a base portion of your total capacity as On-Demand. As the group scales, per your settings, the base portion is provisioned first, while additional On-Demand capacity is percentage-based. | number |
0 |
no |
on_demand_percentage | Percentage of on-demand intances vs spot. | number |
100 |
no |
private_subnet_ids | List of private subnet IDs for ECS instances and Internal ALB when enabled. | list(string) |
n/a | yes |
provisioned_throughput_in_mibps | The throughput, measured in MiB/s, that you want to provision for the file system. | number |
0 |
no |
public_subnet_ids | List of public subnet IDs for ECS ALB. | list(string) |
n/a | yes |
schedule_cron_start | Cron expression to define when to trigger a start of the auto-scaling group. E.g. '0 20 * * *' to start at 8pm GMT time. | string |
"" |
no |
schedule_cron_stop | Cron expression to define when to trigger a stop of the auto-scaling group. E.g. '0 10 * * *' to stop at 10am GMT time. | string |
"" |
no |
secure_subnet_ids | List of secure subnet IDs for EFS. | list(string) |
n/a | yes |
security_group_ecs_nodes_outbound_cidrs | ECS Nodes outbound allowed CIDRs for the security group. | list(string) |
[ |
no |
security_group_ids | Extra security groups for instances. | list(string) |
[] |
no |
target_group_arns | List of target groups for ASG to register. | list(string) |
[] |
no |
throughput_mode | Throughput mode for the file system. Defaults to bursting. Valid values: bursting, provisioned. | string |
"bursting" |
no |
userdata | Extra commands to pass to userdata. | string |
"" |
no |
volume_type | The EBS volume type | string |
"gp2" |
no |
vpc_id | VPC ID to deploy the ECS cluster. | any |
n/a | yes |
vpn_cidr | Cidr of VPN to grant ssh access to ECS nodes | list |
[ |
no |
wafv2_enable | Deploys WAF V2 with Managed rule groups | bool |
false |
no |
wafv2_managed_block_rule_groups | List of WAF V2 managed rule groups, set to block | list(string) |
[] |
no |
wafv2_managed_rule_groups | List of WAF V2 managed rule groups, set to count | list(string) |
[ |
no |
wafv2_rate_limit_rule | The limit on requests per 5-minute period for a single originating IP address (leave 0 to disable) | number |
0 |
no |
Name | Description |
---|---|
alb_arn | n/a |
alb_dns_name | n/a |
alb_id | n/a |
alb_internal_arn | n/a |
alb_internal_dns_name | n/a |
alb_internal_id | n/a |
alb_internal_listener_https_arn | n/a |
alb_internal_listener_test_traffic_arn | n/a |
alb_internal_zone_id | n/a |
alb_listener_https_arn | n/a |
alb_listener_test_traffic_arn | n/a |
alb_secgrp_id | n/a |
alb_zone_id | n/a |
ecs_arn | n/a |
ecs_codedeploy_iam_role_arn | n/a |
ecs_iam_role_arn | n/a |
ecs_iam_role_name | n/a |
ecs_id | n/a |
ecs_name | n/a |
ecs_nodes_secgrp_id | n/a |
ecs_service_iam_role_arn | n/a |
ecs_service_iam_role_name | n/a |
ecs_task_iam_role_arn | n/a |
ecs_task_iam_role_name | n/a |
efs_fs_id | n/a |
private_key_pem | n/a |
The official documentation with the list of groups and individual rules is available here: (https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html).
By default, only the Core rule set (a.k.a Common rules) is deployed with WAF, if you want to customise and add more managed groups to the Web ACL you can find the list of groups expected by Terraform following this developer guide: (https://docs.aws.amazon.com/waf/latest/developerguide/waf-using-managed-rule-groups.html).
Module managed by DNX Solutions.
Apache 2 Licensed. See LICENSE for full details.