Add support for Fargate. Add option to prevent creation of cluster instances.

Author: tobyclemson

asg.tf

@@ -22,13 +22,15 @@ data "aws_ami" "amazon_linux_2" {
 }
 
 resource "aws_launch_template" "cluster" {
+  count = var.include_cluster_instances ? 1 : 0
+
   name_prefix          = "cluster-${var.component}-${var.deployment_identifier}-${var.cluster_name}-"
   image_id             = local.ami_id
   instance_type        = var.cluster_instance_type
   key_name             = var.cluster_instance_ssh_public_key_path == null ? "" : element(concat(aws_key_pair.cluster.*.key_name, [""]), 0)
 
   iam_instance_profile {
-    name = aws_iam_instance_profile.cluster.name
+    name = aws_iam_instance_profile.cluster[0].name
   }
 
   metadata_options {
@@ -43,7 +45,7 @@ resource "aws_launch_template" "cluster" {
 
   network_interfaces {
     associate_public_ip_address = var.associate_public_ip_addresses
-    security_groups = concat([aws_security_group.cluster.id], var.security_groups)
+    security_groups = concat([aws_security_group.cluster[0].id], var.security_groups)
   }
 
   block_device_mappings {
@@ -79,12 +81,14 @@ resource "aws_launch_template" "cluster" {
 }
 
 resource "aws_autoscaling_group" "cluster" {
+  count = var.include_cluster_instances ? 1 : 0
+
   name_prefix = "asg-${var.component}-${var.deployment_identifier}-${var.cluster_name}-"
 
   vpc_zone_identifier = var.subnet_ids
 
   launch_template {
-    id      = aws_launch_template.cluster.id
+    id      = aws_launch_template.cluster[0].id
     version = "$Latest"
   }
 

capacity_provider.tf

@@ -1,10 +1,10 @@
 resource "aws_ecs_capacity_provider" "autoscaling_group" {
-  count = var.include_asg_capacity_provider ? 1 : 0
+  count = (var.include_cluster_instances && var.include_asg_capacity_provider) ? 1 : 0
 
   name = "cp-${var.component}-${var.deployment_identifier}-${var.cluster_name}"
 
   auto_scaling_group_provider {
-    auto_scaling_group_arn = aws_autoscaling_group.cluster.arn
+    auto_scaling_group_arn = aws_autoscaling_group.cluster[0].arn
 
     managed_termination_protection = var.asg_capacity_provider_manage_termination_protection ? "ENABLED" : "DISABLED"
 
@@ -18,9 +18,9 @@ resource "aws_ecs_capacity_provider" "autoscaling_group" {
 }
 
 resource "aws_ecs_cluster_capacity_providers" "cluster_capacity_providers" {
-  count = var.include_asg_capacity_provider ? 1 : 0
+  count = ((var.include_cluster_instances && var.include_asg_capacity_provider) || length(var.additional_capacity_providers) > 0) ? 1 : 0
 
   cluster_name = aws_ecs_cluster.cluster.name
 
-  capacity_providers = var.include_asg_capacity_provider ? [aws_ecs_capacity_provider.autoscaling_group[0].name] : []
+  capacity_providers = var.include_asg_capacity_provider ? [aws_ecs_capacity_provider.autoscaling_group[0].name] : var.additional_capacity_providers
 }

iam.tf

@@ -5,27 +5,35 @@ locals {
 }
 
 resource "aws_iam_role" "cluster_instance_role" {
+  count = var.include_cluster_instances ? 1 : 0
+
   description        = "cluster-instance-role-${var.component}-${var.deployment_identifier}-${var.cluster_name}"
   assume_role_policy = file("${path.module}/policies/cluster-instance-role.json")
 
   tags = local.tags
 }
 
 resource "aws_iam_policy" "cluster_instance_policy" {
+  count = var.include_cluster_instances ? 1 : 0
+
   description = "cluster-instance-policy-${var.component}-${var.deployment_identifier}-${var.cluster_name}"
   policy      = local.cluster_instance_policy_contents
 }
 
 resource "aws_iam_policy_attachment" "cluster_instance_policy_attachment" {
+  count = var.include_cluster_instances ? 1 : 0
+
   name       = "cluster-instance-policy-attachment-${var.component}-${var.deployment_identifier}-${var.cluster_name}"
-  roles      = [aws_iam_role.cluster_instance_role.id]
-  policy_arn = aws_iam_policy.cluster_instance_policy.arn
+  roles      = [aws_iam_role.cluster_instance_role[0].id]
+  policy_arn = aws_iam_policy.cluster_instance_policy[0].arn
 }
 
 resource "aws_iam_instance_profile" "cluster" {
+  count = var.include_cluster_instances ? 1 : 0
+
   name = "cluster-instance-profile-${var.component}-${var.deployment_identifier}-${var.cluster_name}"
   path = "/"
-  role = aws_iam_role.cluster_instance_role.name
+  role = aws_iam_role.cluster_instance_role[0].name
 }
 
 resource "aws_iam_role" "cluster_service_role" {

outputs.tf

@@ -15,47 +15,47 @@ output "cluster_arn" {
 
 output "autoscaling_group_name" {
   description = "The name of the autoscaling group for the ECS container instances."
-  value       = aws_autoscaling_group.cluster.name
+  value       = try(aws_autoscaling_group.cluster[0].arn, "")
 }
 
 output "autoscaling_group_arn" {
   description = "The ARN of the autoscaling group for the ECS container instances."
-  value       = aws_autoscaling_group.cluster.arn
+  value       = try(aws_autoscaling_group.cluster[0].arn, "")
 }
 
 output "launch_template_name" {
   description = "The name of the launch template for the ECS container instances."
-  value       = aws_launch_template.cluster.name
+  value       = try(aws_launch_template.cluster[0].name, "")
 }
 
 output "launch_template_id" {
   description = "The id of the launch template for the ECS container instances."
-  value       = aws_launch_template.cluster.id
+  value       = try(aws_launch_template.cluster[0].id, "")
 }
 
 output "security_group_id" {
   description = "The ID of the default security group associated with the ECS container instances."
-  value       = aws_security_group.cluster.id
+  value       = try(aws_security_group.cluster[0].id, "")
 }
 
 output "instance_role_arn" {
   description = "The ARN of the container instance role."
-  value       = aws_iam_role.cluster_instance_role.arn
+  value       = try(aws_iam_role.cluster_instance_role[0].arn, "")
 }
 
 output "instance_role_id" {
   description = "The ID of the container instance role."
-  value       = aws_iam_role.cluster_instance_role.unique_id
+  value       = try(aws_iam_role.cluster_instance_role[0].unique_id, "")
 }
 
 output "instance_policy_arn" {
   description = "The ARN of the container instance policy."
-  value       = aws_iam_policy.cluster_instance_policy.arn
+  value       = try(aws_iam_policy.cluster_instance_policy[0].arn, "")
 }
 
 output "instance_policy_id" {
   description = "The ID of the container instance policy."
-  value       = aws_iam_policy.cluster_instance_policy.id
+  value       = try(aws_iam_policy.cluster_instance_policy[0].id, "")
 }
 
 output "service_role_arn" {
@@ -85,5 +85,5 @@ output "log_group" {
 
 output "asg_capacity_provider_name" {
   description = "The name of the ASG capacity provider associated with the cluster."
-  value       = var.include_asg_capacity_provider ? aws_ecs_capacity_provider.autoscaling_group[0].name : ""
+  value       = try(aws_ecs_capacity_provider.autoscaling_group[0].name, "")
 }

security_groups.tf

@@ -1,4 +1,6 @@
 resource "aws_security_group" "cluster" {
+  count = var.include_cluster_instances ? 1 : 0
+
   name        = "${var.component}-${var.deployment_identifier}-${var.cluster_name}"
   description = "Container access for component: ${var.component}, deployment: ${var.deployment_identifier}, cluster: ${var.cluster_name}"
   vpc_id      = var.vpc_id
@@ -10,11 +12,11 @@ resource "aws_security_group" "cluster" {
 }
 
 resource "aws_security_group_rule" "cluster_default_ingress" {
-  count = var.include_default_ingress_rule ? 1 : 0
+  count = (var.include_cluster_instances && var.include_default_ingress_rule) ? 1 : 0
 
   type = "ingress"
 
-  security_group_id = aws_security_group.cluster.id
+  security_group_id = aws_security_group.cluster[0].id
 
   protocol  = "-1"
   from_port = 0
@@ -24,11 +26,11 @@ resource "aws_security_group_rule" "cluster_default_ingress" {
 }
 
 resource "aws_security_group_rule" "cluster_default_egress" {
-  count = var.include_default_egress_rule ? 1 : 0
+  count = (var.include_cluster_instances && var.include_default_egress_rule) ? 1 : 0
 
   type = "egress"
 
-  security_group_id = aws_security_group.cluster.id
+  security_group_id = aws_security_group.cluster[0].id
 
   protocol  = "-1"
   from_port = 0

spec/unit/autoscaling_group_spec.rb

@@ -21,7 +21,7 @@
       @plan = plan(role: :root)
     end
 
-    it 'creates a autoscaling group' do
+    it 'creates an autoscaling group' do
       expect(@plan)
         .to(include_resource_creation(type: 'aws_autoscaling_group')
               .once)
@@ -166,4 +166,32 @@
               .with_attribute_value(:protect_from_scale_in, false))
     end
   end
+
+  context 'when include_cluster_instances is false' do
+    before(:context) do
+      @plan = plan(role: :root) do |vars|
+        vars.include_cluster_instances = false
+      end
+    end
+
+    it 'does not create an autoscaling group' do
+      expect(@plan)
+        .not_to(include_resource_creation(type: 'aws_autoscaling_group'))
+    end
+  end
+
+
+  context 'when include_cluster_instances is true' do
+    before(:context) do
+      @plan = plan(role: :root) do |vars|
+        vars.include_cluster_instances = true
+      end
+    end
+
+    it 'creates an autoscaling group' do
+      expect(@plan)
+        .to(include_resource_creation(type: 'aws_autoscaling_group')
+              .once)
+    end
+  end
 end

spec/unit/capacity_provider_spec.rb

@@ -14,11 +14,12 @@
     @plan = plan(role: :root)
   end
 
-  context 'when capacity provider included' do
+  context 'when include_asg_capacity_provider is true and include_cluster_instances is true' do
     describe 'by default' do
       before(:context) do
         @plan = plan(role: :root) do |vars|
           vars.include_asg_capacity_provider = true
+          vars.include_cluster_instances = true
         end
       end
 
@@ -53,6 +54,7 @@
     context 'with managed termination protection' do
       before(:context) do
         @plan = plan(role: :root) do |vars|
+          vars.include_cluster_instances = true
           vars.include_asg_capacity_provider = true
           vars.asg_capacity_provider_manage_termination_protection = true
         end
@@ -75,6 +77,7 @@
     context 'without managed termination protection' do
       before(:context) do
         @plan = plan(role: :root) do |vars|
+          vars.include_cluster_instances = true
           vars.include_asg_capacity_provider = true
           vars.asg_capacity_provider_manage_termination_protection = false
         end
@@ -97,6 +100,7 @@
     context 'with managed scaling' do
       before(:context) do
         @plan = plan(role: :root) do |vars|
+          vars.include_cluster_instances = true
           vars.include_asg_capacity_provider = true
           vars.asg_capacity_provider_manage_scaling = true
           vars.asg_capacity_provider_minimum_scaling_step_size = 3
@@ -169,6 +173,7 @@
     context 'without managed scaling' do
       before(:context) do
         @plan = plan(role: :root) do |vars|
+          vars.include_cluster_instances = true
           vars.include_asg_capacity_provider = true
           vars.asg_capacity_provider_manage_scaling = false
         end
@@ -191,9 +196,10 @@
     end
   end
 
-  context 'when capacity provider not included' do
+  context 'when include_asg_capacity_provider is false and include_cluster_instances is true' do
     before(:context) do
       @plan = plan(role: :root) do |vars|
+        vars.include_cluster_instances = true
         vars.include_asg_capacity_provider = false
       end
     end
@@ -216,4 +222,92 @@
               ))
     end
   end
+
+  context 'when include_asg_capacity_provider is true and include_cluster_instances is false' do
+    before(:context) do
+      @plan = plan(role: :root) do |vars|
+        vars.include_cluster_instances = false
+        vars.include_asg_capacity_provider = true
+      end
+    end
+
+    it 'does not create a capacity provider for the ECS cluster' do
+      expect(@plan)
+        .not_to(include_resource_creation(type: 'aws_ecs_capacity_provider'))
+    end
+
+    it 'does not include the AmazonECSManaged tag on the ASG' do
+      expect(@plan)
+        .not_to(include_resource_creation(type: 'aws_autoscaling_group')
+                  .with_attribute_value(
+                    :tag,
+                    including({
+                                key: 'AmazonECSManaged',
+                                propagate_at_launch: true,
+                                value: ''
+                              })
+                  ))
+    end
+  end
+
+  context 'when include_asg_capacity_provider is false and include_cluster_instances is false' do
+    before(:context) do
+      @plan = plan(role: :root) do |vars|
+        vars.include_cluster_instances = false
+        vars.include_asg_capacity_provider = false
+      end
+    end
+
+    it 'does not create a capacity provider for the ECS cluster' do
+      expect(@plan)
+        .not_to(include_resource_creation(type: 'aws_ecs_capacity_provider'))
+    end
+
+    it 'does not include the AmazonECSManaged tag on the ASG' do
+      expect(@plan)
+        .not_to(include_resource_creation(type: 'aws_autoscaling_group')
+                  .with_attribute_value(
+                    :tag,
+                    including({
+                                key: 'AmazonECSManaged',
+                                propagate_at_launch: true,
+                                value: ''
+                              })
+                  ))
+    end
+  end
+
+  context 'when additional_capacity_providers are provided' do
+    before(:context) do
+      @plan = plan(role: :root) do |vars|
+        vars.cluster_name = 'special-cluster'
+        vars.include_cluster_instances = false
+        vars.include_asg_capacity_provider = false
+        vars.additional_capacity_providers = ["FARGATE"]
+      end
+    end
+
+    it 'creates a cluster capacity providers resource' do
+      expect(@plan)
+        .to(include_resource_creation(type: 'aws_ecs_cluster_capacity_providers')
+              .once)
+    end
+
+    it 'uses the correct cluster name on the cluster capacity providers resource' do
+      expect(@plan)
+        .to(include_resource_creation(type: 'aws_ecs_cluster_capacity_providers')
+              .with_attribute_value(
+                :cluster_name,
+                "#{component}-#{dep_id}-special-cluster"
+              ))
+    end
+
+    it 'adds the additional capacity providers to the cluster capacity providers' do
+      expect(@plan)
+        .to(include_resource_creation(type: 'aws_ecs_cluster_capacity_providers')
+              .with_attribute_value(
+                :capacity_providers, ["FARGATE"]
+              ))
+    end
+  end
 end