Skip to content

goldenrecursion/terraform-aws-ecs-cluster

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

209 Commits
.circleci
.circleci
 
 
.git-crypt
.git-crypt
 
 
.github
.github
 
 
config
config
 
 
docs
docs
 
 
lib
lib
 
 
policies
policies
 
 
scripts/ci
scripts/ci
 
 
user-data
user-data
 
 
.envrc
.envrc
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
.pre-commit-config.yaml
.pre-commit-config.yaml
 
 
.rspec
.rspec
 
 
.ruby-version
.ruby-version
 
 
.terraform.lock.hcl
.terraform.lock.hcl
 
 
.tool-versions
.tool-versions
 
 
.whitesource
.whitesource
 
 
CHANGELOG.md
CHANGELOG.md
 
 
CODE_OF_CONDUCT.md
CODE_OF_CONDUCT.md
 
 
LICENSE.txt
LICENSE.txt
 
 
README.md
README.md
 
 
asg.tf
asg.tf
 
 
capacity_provider.tf
capacity_provider.tf
 
 
cloudwatch.tf
cloudwatch.tf
 
 
cluster.tf
cluster.tf
 
 
iam.tf
iam.tf
 
 
key.tf
key.tf
 
 
locals.tf
locals.tf
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
security_groups.tf
security_groups.tf
 
 
terraform.tf
terraform.tf
 
 
variables.tf
variables.tf
 
 

Repository files navigation

Terraform AWS ECS Cluster

CircleCI

A Terraform module for building an ECS Cluster in AWS.

The ECS cluster requires:

  • An existing VPC
  • Some existing subnets

The ECS cluster consists of:

  • A cluster in ECS
  • A launch configuration and auto-scaling group for a cluster of ECS container instances
  • An SSH key to connect to the ECS container instances
  • A security group for the container instances optionally allowing:
    • Outbound internet access for all containers
    • Inbound TCP access on any port from the VPC network
  • An IAM role and policy for the container instances allowing:
    • ECS interactions
    • ECR image pulls
    • S3 object fetches
    • Logging to cloudwatch
  • An IAM role and policy for ECS services allowing:
    • Elastic load balancer registration / deregistration
    • EC2 describe actions and security group ingress rule creation
  • A CloudWatch log group

Diagram of infrastructure managed by this module

Usage

To use the module, include something like the following in your terraform configuration:

module "ecs_cluster" {
  source = "infrablocks/ecs-cluster/aws"
  version = "3.4.0"

  region = "eu-west-2"
  vpc_id = "vpc-fb7dc365"
  subnet_ids = "subnet-eb32c271,subnet-64872d1f"

  component = "important-component"
  deployment_identifier = "production"

  cluster_name = "services"
  cluster_instance_ssh_public_key_path = "~/.ssh/id_rsa.pub"
  cluster_instance_type = "t2.small"

  cluster_minimum_size = 2
  cluster_maximum_size = 10
  cluster_desired_capacity = 4
}

As mentioned above, the ECS cluster deploys into an existing base network. Whilst the base network can be created using any mechanism you like, the AWS Base Networking module will create everything you need. See the docs for usage instructions.

See the Terraform registry entry for more details.

Inputs

Name Description Default Required
region The region into which to deploy the cluster - yes
vpc_id The ID of the VPC into which to deploy the cluster - yes
subnet_ids The IDs of the subnets for container instances - yes
component The component this cluster will contain - yes
deployment_identifier An identifier for this instantiation - yes
tags A map of additional tags to add to all resources - no
cluster_name The name of the cluster to create default yes
cluster_instance_ssh_public_key_path The path to the public key to use for the container instances - yes
cluster_instance_type The instance type of the container instances t2.medium yes
cluster_instance_root_block_device_size The size in GB of the root block device on cluster instances 30 yes
cluster_instance_root_block_device_type The type of the root block device on cluster instances ('standard', 'gp2', or 'io1') standard yes
cluster_instance_user_data_template The contents of a template for container instance user data see user-data no
cluster_instance_amis A map of regions to AMIs for the container instances ECS optimised AMIs yes
cluster_instance_iam_policy_contents The contents of the cluster instance IAM policy see policies no
cluster_service_iam_policy_contents The contents of the cluster service IAM policy see policies no
cluster_minimum_size The minimum size of the ECS cluster 1 yes
cluster_maximum_size The maximum size of the ECS cluster 10 yes
cluster_desired_capacity The desired capacity of the ECS cluster 3 yes
associate_public_ip_addresses Whether or not to associate public IP addresses with ECS container instances ("yes" or "no") "no" yes
include_default_ingress_rule Whether or not to include the default ingress rule on the ECS container instances security group ("yes" or "no") "yes" yes
include_default_egress_rule Whether or not to include the default egress rule on the ECS container instances security group ("yes" or "no") "yes" yes
allowed_cidrs The CIDRs allowed access to containers ["10.0.0.0/8"] if include_default_ingress_rule is "yes"
egress_cidrs The CIDRs accessible from containers ["0.0.0.0/0"] if include_default_egress_rule is "yes"
launch_configuration_create_before_destroy Whether or not to destroy the launch configuration before creating a new one ("yes" or "no") "yes" no
security_groups The list of security group IDs to associate with the cluster in addition to the default security group [] no

Notes:

  • By default, the latest available Amazon Linux 2 AMI is used.
  • For Amazon Linux 1 AMIs use version <= 0.6.0 of this module for terraform 0.11 or version = 1.0.0 for terraform 0.12.
  • When a specific AMI is provided via cluster_instance_amis (a map of region to AMI ID), only the root block device can be customised, using the cluster_instance_root_block_device_size and cluster_instance_root_block_device_type variables.
  • The user data template will get the cluster name as cluster_name. If none is supplied, a default will be used.

Outputs

Name Description
cluster_id The ID of the created ECS cluster
cluster_name The name of the created ECS cluster
cluster_arn The ARN of the created ECS cluster
autoscaling_group_name The name of the autoscaling group for the ECS container instances
launch_configuration_name The name of the launch configuration for the ECS container instances
security_group_id The ID of the default security group associated with the ECS container instances
instance_role_arn The ARN of the container instance role
instance_role_id The ID of the container instance role
instance_policy_arn The ARN of the container instance policy
instance_policy_id The ID of the container instance policy
service_role_arn The ARN of the ECS service role
service_role_id The ID of the ECS service role
service_policy_arn The ARN of the ECS service policy
service_policy_id The ID of the ECS service policy
log_group The name of the default log group for the cluster

Compatibility

This module is compatible with Terraform versions greater than or equal to Terraform 0.14.

Required Permissions

  • iam:GetPolicy
  • iam:GetPolicyVersion
  • iam:ListPolicyVersions
  • iam:ListEntitiesForPolicy
  • iam:CreatePolicy
  • iam:DeletePolicy
  • iam:GetRole
  • iam:PassRole
  • iam:CreateRole
  • iam:DeleteRole
  • iam:ListRolePolicies
  • iam:AttachRolePolicy
  • iam:DetachRolePolicy
  • iam:GetInstanceProfile
  • iam:CreateInstanceProfile
  • iam:ListInstanceProfilesForRole
  • iam:AddRoleToInstanceProfile
  • iam:RemoveRoleFromInstanceProfile
  • iam:DeleteInstanceProfile
  • ec2:DescribeSecurityGroups
  • ec2:CreateSecurityGroup
  • ec2:DeleteSecurityGroup
  • ec2:AuthorizeSecurityGroupIngress
  • ec2:AuthorizeSecurityGroupEgress
  • ec2:RevokeSecurityGroupEgress
  • ec2:ImportKeyPair
  • ec2:DescribeKeyPairs
  • ec2:DeleteKeyPair
  • ec2:CreateTags
  • ec2:DescribeImages
  • ec2:DescribeNetworkInterfaces
  • ecs:DescribeClusters
  • ecs:CreateCluster
  • ecs:DeleteCluster
  • autoscaling:DescribeLaunchConfigurations
  • autoscaling:CreateLaunchConfiguration
  • autoscaling:DeleteLaunchConfiguration
  • autoscaling:DescribeScalingActivities
  • autoscaling:DescribeAutoScalingGroups
  • autoscaling:CreateAutoScalingGroup
  • autoscaling:UpdateAutoScalingGroup
  • autoscaling:DeleteAutoScalingGroup
  • logs:CreateLogGroup
  • logs:DescribeLogGroups
  • logs:ListTagsLogGroup
  • logs:DeleteLogGroup

Development

Machine Requirements

In order for the build to run correctly, a few tools will need to be installed on your development machine:

  • Ruby (2.3.1)
  • Bundler
  • git
  • git-crypt
  • gnupg
  • direnv

Mac OS X Setup

Installing the required tools is best managed by homebrew.

To install homebrew:

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Then, to install the required tools:

# ruby
brew install rbenv
brew install ruby-build
echo 'eval "$(rbenv init - bash)"' >> ~/.bash_profile
echo 'eval "$(rbenv init - zsh)"' >> ~/.zshrc
eval "$(rbenv init -)"
rbenv install 2.3.1
rbenv rehash
rbenv local 2.3.1
gem install bundler

# git, git-crypt, gnupg
brew install git
brew install git-crypt
brew install gnupg

# direnv
brew install direnv
echo "$(direnv hook bash)" >> ~/.bash_profile
echo "$(direnv hook zsh)" >> ~/.zshrc
eval "$(direnv hook $SHELL)"

direnv allow <repository-directory>

Running the build

To provision module infrastructure, run tests and then destroy that infrastructure, execute:

./go

To provision the module prerequisites:

./go deployment:prerequisites:provision[<deployment_identifier>]

To provision the module contents:

./go deployment:harness:provision[<deployment_identifier>]

To destroy the module contents:

./go deployment:harness:destroy[<deployment_identifier>]

To destroy the module prerequisites:

./go deployment:prerequisites:destroy[<deployment_identifier>]

Common Tasks

Generating an SSH key pair

To generate an SSH key pair:

ssh-keygen -t rsa -b 4096 -C integration-test@example.com -N '' -f config/secrets/keys/bastion/ssh

Managing CircleCI keys

To encrypt a GPG key for use by CircleCI:

openssl aes-256-cbc \
  -e \
  -md sha1 \
  -in ./config/secrets/ci/gpg.private \
  -out ./.circleci/gpg.private.enc \
  -k "<passphrase>"

To check decryption is working correctly:

openssl aes-256-cbc \
  -d \
  -md sha1 \
  -in ./.circleci/gpg.private.enc \
  -k "<passphrase>"

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/infrablocks/terraform-aws-ecs-cluster. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.

License

The library is available as open source under the terms of the MIT License.

Requirements

Name Version
terraform >= 1.0

Providers

Name Version
aws 4.31.0
null 3.1.1

Modules

No modules.

Resources

Name Type
aws_autoscaling_group.cluster resource
aws_cloudwatch_log_group.cluster resource
aws_ecs_capacity_provider.autoscaling_group resource
aws_ecs_cluster.cluster resource
aws_ecs_cluster_capacity_providers.capacity_providers resource
aws_iam_instance_profile.cluster resource
aws_iam_policy.cluster_instance_policy resource
aws_iam_policy.cluster_service_policy resource
aws_iam_policy_attachment.cluster_instance_policy_attachment resource
aws_iam_policy_attachment.cluster_service_policy_attachment resource
aws_iam_role.cluster_instance_role resource
aws_iam_role.cluster_service_role resource
aws_iam_role.task_execution_role resource
aws_iam_role_policy.task_execution_role resource
aws_key_pair.cluster resource
aws_launch_configuration.cluster resource
aws_security_group.cluster resource
aws_security_group_rule.cluster_default_egress resource
aws_security_group_rule.cluster_default_ingress resource
null_resource.iam_wait resource
aws_ami.amazon_linux_2 data source
aws_iam_policy_document.task_execution_assume_role data source
aws_iam_policy_document.task_execution_role data source

Inputs

Name Description Type Default Required
allowed_cidrs The CIDRs allowed access to containers. list(string) 
[
  "10.0.0.0/8"
]
 no
asg_capacity_provider_manage_scaling Whether or not to allow ECS to manage scaling for the ASG capacity provider ("yes" or "no"). string "yes" no
asg_capacity_provider_manage_termination_protection Whether or not to allow ECS to manage termination protection for the ASG capacity provider ("yes" or "no"). string "yes" no
asg_capacity_provider_maximum_scaling_step_size The maximum scaling step size for ECS managed scaling of the ASG capacity provider. number 1000 no
asg_capacity_provider_minimum_scaling_step_size The minimum scaling step size for ECS managed scaling of the ASG capacity provider. number 1 no
asg_capacity_provider_target_capacity The target capacity, as a percentage from 1 to 100, for the ASG capacity provider. number 100 no
associate_public_ip_addresses Whether or not to associate public IP addresses with ECS container instances ("yes" or "no"). string "no" no
cluster_desired_capacity The desired capacity of the ECS cluster. string 3 no
cluster_instance_amis A map of regions to AMIs for the container instances. map(string) 
{
  "af-south-1": "",
  "ap-east-1": "",
  "ap-northeast-1": "",
  "ap-northeast-2": "",
  "ap-northeast-3": "",
  "ap-south-1": "",
  "ap-southeast-1": "",
  "ap-southeast-2": "",
  "ca-central-1": "",
  "cn-north-1": "",
  "cn-northwest-1": "",
  "eu-central-1": "",
  "eu-north-1": "",
  "eu-south-1": "",
  "eu-west-1": "",
  "eu-west-2": "",
  "eu-west-3": "",
  "me-south-1": "",
  "sa-east-1": "",
  "us-east-1": "",
  "us-east-2": "",
  "us-west-1": "",
  "us-west-2": ""
}
 no
cluster_instance_iam_policy_contents The contents of the cluster instance IAM policy. string "" no
cluster_instance_root_block_device_size The size in GB of the root block device on cluster instances. number 30 no
cluster_instance_root_block_device_type The type of the root block device on cluster instances ('standard', 'gp2', or 'io1'). string "standard" no
cluster_instance_ssh_public_key_path The path to the public key to use for the container instances. string "" no
cluster_instance_type The instance type of the container instances. string "t2.medium" no
cluster_instance_user_data_template The contents of a template for container instance user data. string "" no
cluster_maximum_size The maximum size of the ECS cluster. string 10 no
cluster_minimum_size The minimum size of the ECS cluster. string 1 no
cluster_name The name of the cluster to create. string "default" no
cluster_service_iam_policy_contents The contents of the cluster service IAM policy. string "" no
component The component this cluster will contain. string n/a yes
cw_log_retention_in_days Cloudwatch Log retention in days number 3 no
deployment_identifier An identifier for this instantiation. string n/a yes
egress_cidrs The CIDRs accessible from containers. list(string) 
[
  "0.0.0.0/0"
]
 no
enable_container_insights Whether or not to enable container insights on the ECS cluster ("yes" or "no"). string "no" no
include_asg_capacity_provider Whether or not to add the created ASG as a capacity provider for the ECS cluster ("yes" or "no"). string "no" no
include_default_egress_rule Whether or not to include the default egress rule on the ECS container instances security group ("yes" or "no"). string "yes" no
include_default_ingress_rule Whether or not to include the default ingress rule on the ECS container instances security group ("yes" or "no"). string "yes" no
protect_cluster_instances_from_scale_in Whether or not to protect cluster instances in the autoscaling group from scale in ("yes" or "no"). string "no" no
region The region into which to deploy the cluster. string n/a yes
security_groups The list of security group IDs to associate with the cluster. list(string) [] no
subnet_ids The IDs of the subnets for container instances. list(string) n/a yes
tags Map of tags to be applied to all resources in cluster map(string) {} no
vpc_id The ID of the VPC into which to deploy the cluster. string n/a yes

Outputs

Name Description
asg_capacity_provider_name The name of the ASG capacity provider associated with the cluster.
autoscaling_group_arn The ARN of the autoscaling group for the ECS container instances.
autoscaling_group_name The name of the autoscaling group for the ECS container instances.
capacity_provider_name The name of the capacity provider.
cluster_arn The ARN of the created ECS cluster.
cluster_id The ID of the created ECS cluster.
cluster_name The name of the created ECS cluster.
instance_policy_arn The ARN of the container instance policy.
instance_policy_id The ID of the container instance policy.
instance_role_arn The ARN of the container instance role.
instance_role_id The ID of the container instance role.
launch_configuration_name The name of the launch configuration for the ECS container instances.
log_group The name of the default log group for the cluster.
security_group_id The ID of the default security group associated with the ECS container instances.
service_policy_arn The ARN of the ECS service policy.
service_policy_id The ID of the ECS service policy.
service_role_arn The ARN of the ECS service role.
service_role_id The ID of the ECS service role.
task_execution_role_arn The ARN of the container instance role.
task_execution_role_id The ID of the container instance role.
task_execution_role_name The ID of the container instance role.

About

Terraform module for building an ECS cluster in AWS

Resources

Readme

License

MIT license

Code of conduct

Code of conduct
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

98 tags

Packages

No packages published

Languages

  • HCL 78.7%
  • Ruby 11.0%
  • Shell 10.3%