# Naming and tagging context shared by everything in this file: every resource
# and child module below derives its id/tags from this label.
# NOTE(review): the source is pinned to a git tag. Tags are mutable upstream, so
# a commit SHA in `ref` gives a stronger supply-chain pin than a version tag.
module "label" {
  source = "git::https://github.com/cloudposse/terraform-terraform-label?ref=0.8.0"

  namespace = var.project
  stage     = var.environment
  name      = var.name
  tags      = var.tags
}
locals {
  # A default awslogs configuration is only generated when the caller did not
  # pass their own log_configuration.
  use_default_log_config = var.log_configuration == null

  # One `<name>_SECRET` entry per container secret, reusing the same valueFrom
  # reference; this list feeds the default log_configuration's secretOptions.
  # An empty secrets list is returned as-is.
  default_log_configuration_secrets = length(var.secrets) == 0 ? var.secrets : [
    for secret in var.secrets : {
      name      = format("%s_SECRET", lookup(secret, "name"))
      valueFrom = lookup(secret, "valueFrom")
    }
  ]
}
# Log group for the default awslogs driver; only created when no caller-supplied
# log_configuration exists (count is 0 otherwise, so references must use splat).
# NOTE(review): no kms_key_id is set, so the group relies on CloudWatch's
# service-managed encryption. Supply a customer-managed key here if the
# workload's log data requires it.
resource "aws_cloudwatch_log_group" "app" {
  count = local.use_default_log_config ? 1 : 0

  name              = format("/aws/ecs/%s", module.label.id)
  retention_in_days = var.log_retention
  tags              = module.label.tags
}
# Renders the primary container definition (JSON) for the task. Most inputs are
# pass-through variables; grouped here by concern with notes on the knobs that
# affect the container's security posture.
module "container" {
  source = "git::https://github.com/cloudposse/terraform-aws-ecs-container-definition?ref=0.61.1"

  # Identity and image. The image is addressed by a mutable tag, so the same
  # plan may resolve to different image bytes over time; a digest reference
  # would pin it exactly.
  container_name  = module.label.id
  container_image = format("%s:%s", var.container_image, var.container_tag)
  essential       = var.essential

  # Process configuration
  entrypoint           = var.entrypoint
  command              = var.command
  working_directory    = var.working_directory
  environment          = var.envs
  secrets              = var.secrets
  healthcheck          = var.healthcheck
  start_timeout        = var.start_timeout
  stop_timeout         = var.stop_timeout
  container_depends_on = var.container_depends_on
  docker_labels        = var.docker_labels

  # Resource limits
  container_cpu                = var.container_cpu
  container_memory             = var.container_memory
  container_memory_reservation = var.container_memory_reservation
  ulimits                      = var.ulimits

  # Hardening knobs. Their defaults live in variables.tf (not in this file);
  # `privileged = true`, a writable root filesystem or running as root widen
  # the container's blast radius and should be a deliberate per-service choice.
  privileged               = var.privileged
  readonly_root_filesystem = var.readonly_root_filesystem
  user                     = var.user
  linux_parameters         = var.linux_parameters
  system_controls          = var.system_controls

  # Storage and inter-container wiring
  mount_points = var.mount_points
  volumes_from = var.volumes_from
  links        = var.links

  # Networking. The primary port is mirrored as hostPort: under awsvpc network
  # mode the two must match anyway; under bridge mode this pins a fixed host
  # port per task.
  dns_servers = var.dns_servers
  extra_hosts = var.extra_hosts
  port_mappings = concat(
    [
      {
        name          = var.container_port_name
        containerPort = var.container_port
        hostPort      = var.container_port
        protocol      = "tcp"
      },
    ],
    var.additional_port_mappings,
  )

  # Registry credentials and logging. The default is the awslogs driver writing
  # to the log group declared in this file; a caller-supplied log_configuration
  # replaces the whole object.
  repository_credentials = var.repository_credentials
  firelens_configuration = var.firelens_configuration
  log_configuration = local.use_default_log_config ? {
    logDriver     = "awslogs"
    secretOptions = local.default_log_configuration_secrets
    options = {
      awslogs-group         = join("", aws_cloudwatch_log_group.app[*].name)
      awslogs-region        = var.logs_region
      awslogs-stream-prefix = var.name
    }
  } : var.log_configuration
}
locals {
  # The primary container plus any caller-supplied extra definitions, rendered
  # as a single JSON array for the task definition. compact() drops empties.
  container_definitions      = compact(concat([module.container.json_map_encoded], var.additional_containers))
  container_definitions_json = format("[%s]", join(",", local.container_definitions))

  # Optional default ALB attachment for the primary container port, prepended to
  # any explicitly configured load balancers.
  ecs_default_alb = var.ecs_default_alb_enabled ? [
    {
      elb_name         = null
      target_group_arn = var.alb_target_group_arn
      container_name   = module.label.id
      container_port   = var.container_port
    }
  ] : []
  ecs_load_balancers = concat(local.ecs_default_alb, var.ecs_load_balancers)
}
# ECS task definition and service. All inputs are pass-through variables,
# grouped by concern; notes mark the ones with security implications.
module "task" {
  source = "git::https://github.com/cloudposse/terraform-aws-ecs-alb-service-task?ref=v0.76.0"

  # Naming
  namespace = var.project
  stage     = var.environment
  name      = var.name
  tags      = var.tags

  # Cluster and placement
  ecs_cluster_arn               = var.ecs_cluster_arn
  launch_type                   = var.launch_type
  platform_version              = var.platform_version
  runtime_platform              = var.runtime_platform
  capacity_provider_strategies  = var.capacity_provider_strategies
  scheduling_strategy           = var.scheduling_strategy
  ordered_placement_strategy    = var.ordered_placement_strategy
  task_placement_constraints    = var.task_placement_constraints
  service_placement_constraints = var.service_placement_constraints
  propagate_tags                = var.propagate_tags
  enable_ecs_managed_tags       = var.enable_ecs_managed_tags

  # Task definition
  container_definition_json = local.container_definitions_json
  task_cpu                  = var.task_cpu
  task_memory               = var.task_memory
  efs_volumes               = var.efs_volumes
  docker_volumes            = var.docker_volumes
  proxy_configuration       = var.proxy_configuration

  # IAM and operator access. task_role_arn is the identity the application runs
  # as (the execution role is managed inside the module). exec_enabled
  # presumably turns on ECS Exec, i.e. interactive sessions into running
  # containers — confirm against the module and keep it off where not needed.
  task_role_arn = var.task_role_arn
  exec_enabled  = var.exec_enabled

  # Networking. assign_public_ip exposes tasks directly; the security groups and
  # subnets below bound what can reach them.
  vpc_id                     = var.vpc_id
  network_mode               = var.network_mode
  subnet_ids                 = var.subnet_ids
  assign_public_ip           = var.assign_public_ip
  security_group_ids         = var.security_group_ids
  security_group_description = var.security_group_description
  alb_security_group         = var.alb_security_group
  ecs_load_balancers         = local.ecs_load_balancers
  service_registries         = var.service_registries
  service_connect_configurations = var.service_connect_configurations

  # Service deployment behaviour
  desired_count                      = var.desired_count
  health_check_grace_period_seconds  = var.health_check_grace_period_seconds
  deployment_controller_type         = var.deployment_controller_type
  deployment_maximum_percent         = var.deployment_maximum_percent
  deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
  circuit_breaker_deployment_enabled = var.circuit_breaker_deployment_enabled
  circuit_breaker_rollback_enabled   = var.circuit_breaker_rollback_enabled
  force_new_deployment               = var.force_new_deployment
  redeploy_on_apply                  = var.redeploy_on_apply
  ignore_changes_task_definition     = var.ignore_changes_task_definition
  ignore_changes_desired_count       = var.ignore_changes_desired_count
}
# Read access to SSM parameters for the task execution role (used when secrets
# are injected from Parameter Store). var.ssm_secrets_resources should list the
# specific parameter ARNs the service needs; a wildcard here grants read on
# every parameter in the account. SecureString parameters under a
# customer-managed KMS key additionally need kms:Decrypt, which this document
# does not grant.
data "aws_iam_policy_document" "ecs-exec-ssm-secrets" {
  count = var.ssm_secrets_enabled ? 1 : 0

  statement {
    effect    = "Allow"
    actions   = ["ssm:GetParameters"]
    resources = var.ssm_secrets_resources
  }
}
# Attaches the SSM read policy inline to the task execution role managed by the
# task module. Inline policies are visible only on that role, so audit them
# alongside the role rather than via the managed-policy listing.
resource "aws_iam_role_policy" "ecs-exec-ssm-secrets" {
  count = var.ssm_secrets_enabled ? 1 : 0

  role   = module.task.task_exec_role_name
  name   = format("%s-ssm-secrets", module.task.ecs_exec_role_policy_name)
  policy = data.aws_iam_policy_document.ecs-exec-ssm-secrets[0].json
}
# Read access to Secrets Manager secrets for the task execution role.
# var.secretsmanager_secrets_resources should name the exact secret ARNs; a
# wildcard grants GetSecretValue on every secret in the account. Secrets
# encrypted with a customer-managed KMS key also need kms:Decrypt, which is not
# granted here.
data "aws_iam_policy_document" "ecs-exec-secret-manager" {
  count = var.secret_manager_enabled ? 1 : 0

  statement {
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = var.secretsmanager_secrets_resources
  }
}
# Attaches the Secrets Manager read policy inline to the task execution role
# managed by the task module.
resource "aws_iam_role_policy" "ecs-exec-secret-manager" {
  count = var.secret_manager_enabled ? 1 : 0

  role   = module.task.task_exec_role_name
  name   = format("%s-secret-manager", module.task.ecs_exec_role_policy_name)
  policy = data.aws_iam_policy_document.ecs-exec-secret-manager[0].json
}
locals {
  # Scaling policy ARNs are wired into the alarms only when autoscaling is on
  # and targets the matching dimension; otherwise an empty string is produced,
  # which the compact() calls in the alarms module inputs drop.
  cpu_utilization_high_alarm_actions    = (var.autoscaling_enabled && var.autoscaling_dimension == "cpu") ? module.autoscaling.scale_up_policy_arn : ""
  cpu_utilization_low_alarm_actions     = (var.autoscaling_enabled && var.autoscaling_dimension == "cpu") ? module.autoscaling.scale_down_policy_arn : ""
  memory_utilization_high_alarm_actions = (var.autoscaling_enabled && var.autoscaling_dimension == "memory") ? module.autoscaling.scale_up_policy_arn : ""
  memory_utilization_low_alarm_actions  = (var.autoscaling_enabled && var.autoscaling_dimension == "memory") ? module.autoscaling.scale_down_policy_arn : ""
}
# CloudWatch CPU/memory alarms for the service. Each "high"/"low" alarm action
# list is the caller's SNS/other targets plus the matching autoscaling policy
# ARN from locals (blank and dropped by compact() when autoscaling is off).
module "ecs-service-alarms" {
  source = "git::https://github.com/cloudposse/terraform-aws-ecs-cloudwatch-sns-alarms.git?ref=0.13.0"

  enabled = var.ecs_alarms_enabled

  namespace = var.project
  stage     = var.environment
  name      = var.name
  tags      = var.tags

  cluster_name      = var.ecs_cluster_name
  service_name      = module.task.service_name
  alarm_description = var.ecs_alarms_alarm_description

  # CPU high
  cpu_utilization_high_threshold          = var.ecs_alarms_cpu_utilization_high_threshold
  cpu_utilization_high_evaluation_periods = var.ecs_alarms_cpu_utilization_high_evaluation_periods
  cpu_utilization_high_period             = var.ecs_alarms_cpu_utilization_high_period
  cpu_utilization_high_ok_actions         = var.ecs_alarms_cpu_utilization_high_ok_actions
  cpu_utilization_high_alarm_actions = compact(concat(
    var.ecs_alarms_cpu_utilization_high_alarm_actions,
    [local.cpu_utilization_high_alarm_actions],
  ))

  # CPU low
  cpu_utilization_low_threshold          = var.ecs_alarms_cpu_utilization_low_threshold
  cpu_utilization_low_evaluation_periods = var.ecs_alarms_cpu_utilization_low_evaluation_periods
  cpu_utilization_low_period             = var.ecs_alarms_cpu_utilization_low_period
  cpu_utilization_low_ok_actions         = var.ecs_alarms_cpu_utilization_low_ok_actions
  cpu_utilization_low_alarm_actions = compact(concat(
    var.ecs_alarms_cpu_utilization_low_alarm_actions,
    [local.cpu_utilization_low_alarm_actions],
  ))

  # Memory high
  memory_utilization_high_threshold          = var.ecs_alarms_memory_utilization_high_threshold
  memory_utilization_high_evaluation_periods = var.ecs_alarms_memory_utilization_high_evaluation_periods
  memory_utilization_high_period             = var.ecs_alarms_memory_utilization_high_period
  memory_utilization_high_ok_actions         = var.ecs_alarms_memory_utilization_high_ok_actions
  memory_utilization_high_alarm_actions = compact(concat(
    var.ecs_alarms_memory_utilization_high_alarm_actions,
    [local.memory_utilization_high_alarm_actions],
  ))

  # Memory low
  memory_utilization_low_threshold          = var.ecs_alarms_memory_utilization_low_threshold
  memory_utilization_low_evaluation_periods = var.ecs_alarms_memory_utilization_low_evaluation_periods
  memory_utilization_low_period             = var.ecs_alarms_memory_utilization_low_period
  memory_utilization_low_ok_actions         = var.ecs_alarms_memory_utilization_low_ok_actions
  memory_utilization_low_alarm_actions = compact(concat(
    var.ecs_alarms_memory_utilization_low_alarm_actions,
    [local.memory_utilization_low_alarm_actions],
  ))
}
# Step-scaling policies for the service. The resulting policy ARNs are consumed
# by the alarm-action locals above; the module is a no-op when disabled.
module "autoscaling" {
  source = "git::https://github.com/cloudposse/terraform-aws-ecs-cloudwatch-autoscaling.git?ref=0.7.5"

  enabled = var.autoscaling_enabled

  namespace = var.project
  stage     = var.environment
  name      = var.name
  tags      = var.tags

  cluster_name = var.ecs_cluster_name
  service_name = module.task.service_name

  # Capacity bounds and step adjustments
  min_capacity          = var.autoscaling_min_capacity
  max_capacity          = var.autoscaling_max_capacity
  scale_up_adjustment   = var.autoscaling_scale_up_adjustment
  scale_up_cooldown     = var.autoscaling_scale_up_cooldown
  scale_down_adjustment = var.autoscaling_scale_down_adjustment
  scale_down_cooldown   = var.autoscaling_scale_down_cooldown
}