Initial commit

Author: chrisshiplet

README.md

@@ -1 +1,3 @@
-# terraform-aws-ecs-service
+# terraform-aws-ecs-service
+
+This is a highly-opinionated ECS Service module for the Synapse Platform. It currently does NOT support blue-green deploys, autoscaling, customizing container sizes, or sidecar containers. It is also overly restrictive with the task role permissions.

alb_target_group.tf

@@ -0,0 +1,42 @@
+resource "aws_lb_target_group" "this" {
+  name_prefix          = substr(var.service_name, 0, 6)
+  port                 = 80
+  deregistration_delay = 5
+  protocol             = "HTTP"
+  target_type          = "ip"
+  vpc_id               = var.vpc_id
+  #  tags                 = var.tags # TODO
+
+  health_check {
+    enabled             = true
+    interval            = 5
+    path                = var.health_check_path
+    port                = var.container_port
+    protocol            = "HTTP"
+    timeout             = 3
+    healthy_threshold   = 2
+    unhealthy_threshold = 3
+    matcher             = "200"
+  }
+
+  stickiness {
+    enabled         = true
+    type            = "lb_cookie"
+    cookie_duration = 86400
+  }
+}
+
+resource "aws_lb_listener_rule" "this" {
+  listener_arn = var.listener_arn
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.this.arn
+  }
+
+  condition {
+    host_header {
+      values = [var.hostname]
+    }
+  }
+}

db.tf

@@ -0,0 +1,11 @@
+module "database" {
+  count                           = var.use_database_cluster ? 1 : 0
+  source                          = "git::https://github.com/synapsestudios/terraform-aws-rds-aurora-cluster.git?ref=a8f4ea6a6a5886b2bfeb43d1403a7abfe8e3f0e2"
+  availability_zones              = var.azs
+  database_subnets                = var.subnets
+  db_cluster_parameter_group_name = "default.aurora-postgresql14"
+  instance_class                  = "db.t4g.medium"
+  name                            = "backend"
+  vpc_id                          = var.vpc_id
+  database_name                   = "backend"
+}

ecs_service.tf

@@ -0,0 +1,34 @@
+resource "aws_ecs_service" "this" {
+  name            = var.service_name
+  launch_type     = "FARGATE"
+  cluster         = var.cluster_arn
+  task_definition = aws_ecs_task_definition.service.arn
+  desired_count   = var.ecs_desired_count
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.this.arn
+    container_name   = var.service_name
+    container_port   = var.container_port
+  }
+
+  network_configuration {
+    subnets         = var.subnets
+    security_groups = [aws_security_group.ecs_task.id]
+    # If you are using Fargate tasks, in order for the task to pull the container image it must either use a public subnet and be assigned a
+    # public IP address or a private subnet that has a route to the internet or a NAT gateway that can route requests to the internet.
+    assign_public_ip = false
+  }
+
+  # This allows dynamic scaling and external deployments
+  lifecycle {
+    ignore_changes = [
+      desired_count,
+      task_definition,
+      load_balancer
+    ]
+  }
+
+  deployment_controller {
+    type = "ECS"
+  }
+}

ecs_task_definitions.tf

@@ -0,0 +1,44 @@
+
+resource "aws_ecs_task_definition" "service" {
+  family                   = var.service_name
+  container_definitions    = "[${module.service_container_definition.json_map_encoded}]"
+  execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
+  task_role_arn            = aws_iam_role.ecs_task_role.arn
+  network_mode             = "awsvpc"
+  memory                   = 2048
+  cpu                      = 1024
+  requires_compatibilities = ["FARGATE"]
+  #  tags                     = var.tags # TODO
+}
+
+resource "aws_cloudwatch_log_group" "service" {
+  name_prefix = var.service_name
+  #  tags = var.tags # TODO
+}
+
+module "service_container_definition" {
+  source  = "cloudposse/ecs-container-definition/aws"
+  version = "0.58.1"
+
+  container_name   = var.service_name
+  container_image  = "${var.ecr_host}/${var.service_name}:60"
+  container_memory = 2048
+  essential        = true
+  environment      = var.environment_variables
+  port_mappings    = [{ hostPort = var.container_port, containerPort = var.container_port, protocol = "tcp" }]
+  command          = var.command
+  secrets = var.use_database_cluster ? concat([{
+    name      = "DATABASE_URL"
+    valueFrom = module.database[0].connection_string_arn
+  }], var.container_secrets) : var.container_secrets
+
+  log_configuration = {
+    logDriver     = "awslogs"
+    secretOptions = null,
+    options = {
+      awslogs-group         = aws_cloudwatch_log_group.service.name
+      awslogs-region        = data.aws_region.current.name
+      awslogs-stream-prefix = "ecs"
+    }
+  }
+}

ecs_task_execution_role.tf

@@ -0,0 +1,29 @@
+resource "aws_iam_role" "ecs_task_execution_role" {
+  name_prefix = "${substr(var.service_name, 0, 14)}-ecs-task-execution-role"
+
+  assume_role_policy = <<EOF
+{
+ "Version": "2012-10-17",
+ "Statement": [
+   {
+     "Action": "sts:AssumeRole",
+     "Principal": {
+       "Service": "ecs-tasks.amazonaws.com"
+     },
+     "Effect": "Allow",
+     "Sid": ""
+   }
+ ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_task_execution_role" {
+  role       = aws_iam_role.ecs_task_execution_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+resource "aws_iam_role_policy_attachment" "secrets_manager" {
+  role       = aws_iam_role.ecs_task_execution_role.name
+  policy_arn = "arn:aws:iam::aws:policy/SecretsManagerReadWrite"
+}

ecs_task_role.tf

@@ -0,0 +1,29 @@
+resource "aws_iam_role" "ecs_task_role" {
+  name_prefix        = "${substr(var.service_name, 0, 24)}-ecs-task-role"
+  assume_role_policy = data.aws_iam_policy_document.assume_ecs_role_policy.json
+}
+
+data "aws_iam_policy_document" "assume_ecs_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "cognito" {
+  role       = aws_iam_role.ecs_task_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonCognitoPowerUser"
+}
+
+resource "aws_iam_role_policy_attachment" "ses" {
+  role       = aws_iam_role.ecs_task_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSESFullAccess"
+}
+
+resource "aws_iam_role_policy_attachment" "s3" {
+  role       = aws_iam_role.ecs_task_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+}

ecs_task_security_group.tf

@@ -0,0 +1,24 @@
+resource "aws_security_group" "ecs_task" {
+  description = "ECS Tasks traffic rules"
+  vpc_id      = var.vpc_id
+  name_prefix = "${var.service_name}-ecs-task-default"
+  #  tags        = merge(var.tags, { Name = "ECSTasks" }) # TODO
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+    description = "Allow outgoing connections"
+  }
+}
+
+resource "aws_security_group_rule" "ecs_task_alb_access" {
+  type                     = "ingress"
+  from_port                = 0
+  to_port                  = 0
+  protocol                 = "-1"
+  source_security_group_id = var.alb_security_group_id
+  description              = "Allow incoming connections from ALB"
+  security_group_id        = aws_security_group.ecs_task.id
+}

main.tf

@@ -0,0 +1,2 @@
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}

variables.tf

@@ -0,0 +1,93 @@
+variable "vpc_id" {
+  type        = string
+  description = "VPC to deploy into"
+}
+
+variable "cluster_arn" {
+  type        = string
+  description = "ECS cluster to deploy into"
+}
+
+variable "subnets" {
+  type        = list(string)
+  description = "List of subnet names the service will reside on."
+}
+
+variable "ecr_host" {
+  type        = string
+  description = "Hostname of the ECR repository with no trailing slash"
+}
+
+variable "azs" {
+  type        = list(string)
+  description = "Availability zones"
+}
+
+variable "environment_variables" {
+  type = list(object({
+    name  = string
+    value = string
+  }))
+  description = "The environment variables to pass to the container. This is a list of maps."
+  default     = []
+}
+
+variable "container_secrets" {
+  type = list(object({
+    name      = string
+    valueFrom = string
+  }))
+  description = "The Secrets to Pass to the container."
+  default     = []
+}
+
+variable "listener_arn" {
+  type        = string
+  description = "ALB listener ARN to add listener rule to"
+}
+
+variable "alb_security_group_id" {
+  type        = string
+  description = "Security Group ID for the ALB"
+}
+
+variable "command" {
+  type        = list(string)
+  description = "Container startup command"
+}
+
+variable "hostname" {
+  type        = string
+  description = "Hostname to use for listener rule"
+}
+
+variable "service_name" {
+  type        = string
+  description = "Service directory in the application git repo"
+}
+
+variable "container_port" {
+  type        = number
+  description = "Port exposed by the container"
+}
+
+variable "health_check_path" {
+  type        = string
+  description = "Path to use for health checks"
+}
+
+variable "use_database_cluster" {
+  type        = bool
+  description = "Whether or not we should create a DB cluster and inject the database connection string into the container"
+}
+
+variable "use_hostname" {
+  type = bool
+  description = "Whether or not we should create a target group and listener to attach this service to a load balancer"
+}
+
+variable "ecs_desired_count" {
+  type        = number
+  default     = 1
+  description = "How many tasks to launch in ECS service"
+}