feat: Add support for restartPolicy (#231)

* feat: Add support for restartPolicy (#230)

* fix precommit error

* fix: Correct defaults and remove redundant validation

---------

Co-authored-by: Bryant Biggs <[email protected]>

Author: psantus

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.96.1
+    rev: v1.96.2
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each

README.md

@@ -160,7 +160,7 @@ module "ecs" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.59 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.63 |
 
 ## Providers
 

examples/complete/README.md

@@ -27,13 +27,13 @@ Note that this example may create resources which will incur monetary charges on
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.59 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.63 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.59 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.63 |
 
 ## Modules
 

examples/complete/main.tf

@@ -102,6 +102,12 @@ module "ecs" {
             }
           }
           memory_reservation = 100
+
+          restart_policy = {
+            enabled              = true
+            ignoredExitCodes     = [1]
+            restartAttemptPeriod = 60
+          }
         }
       }
 

examples/complete/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.59"
+      version = ">= 5.63"
     }
   }
 }

examples/ec2-autoscaling/README.md

@@ -27,13 +27,13 @@ Note that this example may create resources which will incur monetary charges on
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.59 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.63 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.59 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.63 |
 
 ## Modules
 

examples/ec2-autoscaling/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.59"
+      version = ">= 5.63"
     }
   }
 }

examples/fargate/README.md

@@ -27,13 +27,13 @@ Note that this example may create resources which will incur monetary charges on
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.59 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.63 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.59 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.63 |
 
 ## Modules
 

examples/fargate/main.tf

@@ -121,6 +121,12 @@ module "ecs_service" {
         }
       }
 
+      restart_policy = {
+        enabled              = true
+        ignoredExitCodes     = [1]
+        restartAttemptPeriod = 60
+      }
+
       # Not required for fluent-bit, just an example
       volumes_from = [{
         sourceContainer = "fluent-bit"

examples/fargate/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.59"
+      version = ">= 5.63"
     }
   }
 }

main.tf

@@ -100,14 +100,14 @@ module "service" {
   iam_role_statements           = lookup(each.value, "iam_role_statements", {})
 
   # ECS infrastructure IAM role
-  create_infrastructure_iam_role = try(each.value.create_infrastructure_iam_role, true)
-  infrastructure_iam_role_arn = try(each.value.infrastructure_iam_role_arn, null)
-  infrastructure_iam_role_name = try(each.value.infrastructure_iam_role_name, null)
-  infrastructure_iam_role_use_name_prefix = try(each.value.infrastructure_iam_role_use_name_prefix, true)
-  infrastructure_iam_role_path = try(each.value.infrastructure_iam_role_path, null)
-  infrastructure_iam_role_description = try(each.value.infrastructure_iam_role_description, null)
+  create_infrastructure_iam_role               = try(each.value.create_infrastructure_iam_role, true)
+  infrastructure_iam_role_arn                  = try(each.value.infrastructure_iam_role_arn, null)
+  infrastructure_iam_role_name                 = try(each.value.infrastructure_iam_role_name, null)
+  infrastructure_iam_role_use_name_prefix      = try(each.value.infrastructure_iam_role_use_name_prefix, true)
+  infrastructure_iam_role_path                 = try(each.value.infrastructure_iam_role_path, null)
+  infrastructure_iam_role_description          = try(each.value.infrastructure_iam_role_description, null)
   infrastructure_iam_role_permissions_boundary = try(each.value.infrastructure_iam_role_permissions_boundary, null)
-  infrastructure_iam_role_tags = try(each.value.infrastructure_iam_role_tags, {})
+  infrastructure_iam_role_tags                 = try(each.value.infrastructure_iam_role_tags, {})
 
   # Task definition
   create_task_definition        = try(each.value.create_task_definition, true)

modules/cluster/README.md

@@ -137,13 +137,13 @@ module "ecs_cluster" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.59 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.63 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.59 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.63 |
 
 ## Modules
 

modules/cluster/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.59"
+      version = ">= 5.63"
     }
   }
 }

modules/container-definition/README.md

@@ -116,13 +116,13 @@ module "example_ecs_container_definition" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.59 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.63 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.59 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.63 |
 
 ## Modules
 
@@ -178,6 +178,7 @@ No modules.
 | <a name="input_readonly_root_filesystem"></a> [readonly\_root\_filesystem](#input\_readonly\_root\_filesystem) | When this parameter is true, the container is given read-only access to its root file system | `bool` | `true` | no |
 | <a name="input_repository_credentials"></a> [repository\_credentials](#input\_repository\_credentials) | Container repository credentials; required when using a private repo.  This map currently supports a single key; "credentialsParameter", which should be the ARN of a Secrets Manager's secret holding the credentials | `map(string)` | `{}` | no |
 | <a name="input_resource_requirements"></a> [resource\_requirements](#input\_resource\_requirements) | The type and amount of a resource to assign to a container. The only supported resource is a GPU | <pre>list(object({<br/>    type  = string<br/>    value = string<br/>  }))</pre> | `[]` | no |
+| <a name="input_restart_policy"></a> [restart\_policy](#input\_restart\_policy) | Container restart policy; helps overcome transient failures faster and maintain task availability | <pre>object({<br/>    enabled              = optional(bool)<br/>    ignoredExitCodes     = optional(list(number))<br/>    restartAttemptPeriod = optional(number)<br/>  })</pre> | `null` | no |
 | <a name="input_secrets"></a> [secrets](#input\_secrets) | The secrets to pass to the container. For more information, see [Specifying Sensitive Data](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) in the Amazon Elastic Container Service Developer Guide | <pre>list(object({<br/>    name      = string<br/>    valueFrom = string<br/>  }))</pre> | `[]` | no |
 | <a name="input_service"></a> [service](#input\_service) | The name of the service that the container definition is associated with | `string` | `""` | no |
 | <a name="input_start_timeout"></a> [start\_timeout](#input\_start\_timeout) | Time duration (in seconds) to wait before giving up on resolving dependencies for a container | `number` | `30` | no |

modules/container-definition/main.tf

@@ -54,6 +54,7 @@ locals {
     portMappings           = var.port_mappings
     privileged             = local.is_not_windows ? var.privileged : null
     pseudoTerminal         = var.pseudo_terminal
+    restartPolicy          = var.restart_policy
     readonlyRootFilesystem = local.is_not_windows ? var.readonly_root_filesystem : null
     repositoryCredentials  = length(var.repository_credentials) > 0 ? var.repository_credentials : null
     resourceRequirements   = length(var.resource_requirements) > 0 ? var.resource_requirements : null

modules/container-definition/variables.tf

@@ -215,6 +215,16 @@ variable "resource_requirements" {
   default = []
 }
 
+variable "restart_policy" {
+  description = "Container restart policy; helps overcome transient failures faster and maintain task availability"
+  type = object({
+    enabled              = optional(bool)
+    ignoredExitCodes     = optional(list(number))
+    restartAttemptPeriod = optional(number)
+  })
+  default = null
+}
+
 variable "secrets" {
   description = "The secrets to pass to the container. For more information, see [Specifying Sensitive Data](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) in the Amazon Elastic Container Service Developer Guide"
   type = list(object({

modules/container-definition/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.59"
+      version = ">= 5.63"
     }
   }
 }

modules/service/README.md

@@ -70,6 +70,12 @@ module "ecs_service" {
         }
       }
       memory_reservation = 100
+
+      restart_policy = {
+        enabled = true
+        ignoredExitCodes = [1]
+        restartAttemptPeriod = 60
+      }
     }
   }
 
@@ -167,13 +173,13 @@ module "ecs_service" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.59 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.63 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.59 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.63 |
 
 ## Modules
 
@@ -237,7 +243,7 @@ module "ecs_service" {
 | <a name="input_cpu"></a> [cpu](#input\_cpu) | Number of cpu units used by the task. If the `requires_compatibilities` is `FARGATE` this field is required | `number` | `1024` | no |
 | <a name="input_create"></a> [create](#input\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |
 | <a name="input_create_iam_role"></a> [create\_iam\_role](#input\_create\_iam\_role) | Determines whether the ECS service IAM role should be created | `bool` | `true` | no |
-| <a name="input_create_infrastructure_iam_role"></a> [create\_infrastructure\_iam\_role](#input\_create\_infrastructure\_iam\_role) | Determines whether the ECS infrastructure IAM role should be created | `bool` | `false` | no |
+| <a name="input_create_infrastructure_iam_role"></a> [create\_infrastructure\_iam\_role](#input\_create\_infrastructure\_iam\_role) | Determines whether the ECS infrastructure IAM role should be created | `bool` | `true` | no |
 | <a name="input_create_security_group"></a> [create\_security\_group](#input\_create\_security\_group) | Determines if a security group is created | `bool` | `true` | no |
 | <a name="input_create_service"></a> [create\_service](#input\_create\_service) | Determines whether service resource will be created (set to `false` in case you want to create task definition only) | `bool` | `true` | no |
 | <a name="input_create_task_definition"></a> [create\_task\_definition](#input\_create\_task\_definition) | Determines whether to create a task definition or use existing/provided | `bool` | `true` | no |

modules/service/main.tf

@@ -670,6 +670,7 @@ module "container_definition" {
   readonly_root_filesystem = try(each.value.readonly_root_filesystem, var.container_definition_defaults.readonly_root_filesystem, true)
   repository_credentials   = try(each.value.repository_credentials, var.container_definition_defaults.repository_credentials, {})
   resource_requirements    = try(each.value.resource_requirements, var.container_definition_defaults.resource_requirements, [])
+  restart_policy           = try(each.value.restart_policy, var.container_definition_defaults.restart_policy, { enabled = false })
   secrets                  = try(each.value.secrets, var.container_definition_defaults.secrets, [])
   start_timeout            = try(each.value.start_timeout, var.container_definition_defaults.start_timeout, 30)
   stop_timeout             = try(each.value.stop_timeout, var.container_definition_defaults.stop_timeout, 120)

modules/service/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.59"
+      version = ">= 5.63"
     }
   }
 }

versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.59"
+      version = ">= 5.63"
     }
   }
 }

wrappers/cluster/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.59"
+      version = ">= 5.63"
     }
   }
 }

wrappers/container-definition/main.tf

@@ -42,6 +42,7 @@ module "wrapper" {
   readonly_root_filesystem               = try(each.value.readonly_root_filesystem, var.defaults.readonly_root_filesystem, true)
   repository_credentials                 = try(each.value.repository_credentials, var.defaults.repository_credentials, {})
   resource_requirements                  = try(each.value.resource_requirements, var.defaults.resource_requirements, [])
+  restart_policy                         = try(each.value.restart_policy, var.defaults.restart_policy, null)
   secrets                                = try(each.value.secrets, var.defaults.secrets, [])
   service                                = try(each.value.service, var.defaults.service, "")
   start_timeout                          = try(each.value.start_timeout, var.defaults.start_timeout, 30)

wrappers/container-definition/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.59"
+      version = ">= 5.63"
     }
   }
 }

wrappers/service/main.tf

@@ -35,7 +35,7 @@ module "wrapper" {
   cpu                                          = try(each.value.cpu, var.defaults.cpu, 1024)
   create                                       = try(each.value.create, var.defaults.create, true)
   create_iam_role                              = try(each.value.create_iam_role, var.defaults.create_iam_role, true)
-  create_infrastructure_iam_role               = try(each.value.create_infrastructure_iam_role, var.defaults.create_infrastructure_iam_role, false)
+  create_infrastructure_iam_role               = try(each.value.create_infrastructure_iam_role, var.defaults.create_infrastructure_iam_role, true)
   create_security_group                        = try(each.value.create_security_group, var.defaults.create_security_group, true)
   create_service                               = try(each.value.create_service, var.defaults.create_service, true)
   create_task_definition                       = try(each.value.create_task_definition, var.defaults.create_task_definition, true)
@@ -118,7 +118,6 @@ module "wrapper" {
   task_exec_iam_statements                = try(each.value.task_exec_iam_statements, var.defaults.task_exec_iam_statements, {})
   task_exec_secret_arns                   = try(each.value.task_exec_secret_arns, var.defaults.task_exec_secret_arns, ["arn:aws:secretsmanager:*:*:secret:*"])
   task_exec_ssm_param_arns                = try(each.value.task_exec_ssm_param_arns, var.defaults.task_exec_ssm_param_arns, ["arn:aws:ssm:*:*:parameter/*"])
-  task_tags                               = try(each.value.task_tags, var.defaults.task_tags, {})
   tasks_iam_role_arn                      = try(each.value.tasks_iam_role_arn, var.defaults.tasks_iam_role_arn, null)
   tasks_iam_role_description              = try(each.value.tasks_iam_role_description, var.defaults.tasks_iam_role_description, null)
   tasks_iam_role_name                     = try(each.value.tasks_iam_role_name, var.defaults.tasks_iam_role_name, null)
@@ -128,6 +127,7 @@ module "wrapper" {
   tasks_iam_role_statements               = try(each.value.tasks_iam_role_statements, var.defaults.tasks_iam_role_statements, {})
   tasks_iam_role_tags                     = try(each.value.tasks_iam_role_tags, var.defaults.tasks_iam_role_tags, {})
   tasks_iam_role_use_name_prefix          = try(each.value.tasks_iam_role_use_name_prefix, var.defaults.tasks_iam_role_use_name_prefix, true)
+  task_tags                               = try(each.value.task_tags, var.defaults.task_tags, {})
   timeouts                                = try(each.value.timeouts, var.defaults.timeouts, {})
   triggers                                = try(each.value.triggers, var.defaults.triggers, {})
   volume                                  = try(each.value.volume, var.defaults.volume, {})

wrappers/service/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.59"
+      version = ">= 5.63"
     }
   }
 }

wrappers/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.59"
+      version = ">= 5.63"
     }
   }
 }