/**
* Elastic Container Service (ecs)
* This component is required to create the Fargate ECS service. It will create a Fargate cluster
* based on the application name and environment. It will create a "Task Definition", which is required
* to run a Docker container, https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definitions.html.
* Next it creates a ECS Service, https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html
* It attaches the Load Balancer created in `lb.tf` to the service, and sets up the networking required.
* It also creates a role with the correct permissions. And lastly, ensures that logs are captured in CloudWatch.
*
* When building for the first time, it will install a "default backend", which is a simple web service that just
* responds with an HTTP 200 OK. It's important to uncomment the lines noted below after you have successfully
* migrated the real application containers to the task definition.
*/
# How many containers to run
variable "replicas" {
  description = "Number of task copies the ECS service keeps running (desired_count)"
  default     = "1"
}
# The name of the container to run
variable "container_name" {
  description = "Name given to the single container in the task definition"
  default     = "app"
}
# One Fargate cluster per application/environment pair; the service below
# is placed into it.
resource "aws_ecs_cluster" "app" {
  name = "${var.app}-${var.environment}"
}
# The default docker image to deploy with the infrastructure.
# Note that you can use the fargate CLI for application concerns
# like deploying actual application images and environment variables
# on top of the infrastructure provisioned by this template
# https://github.com/turnerlabs/fargate
# note that the source for the turner default backend image is here:
# https://github.com/turnerlabs/turner-defaultbackend
variable "default_backend_image" {
  description = "Image used for the first apply, before the real application image is deployed"
  default     = "quay.io/turner/turner-defaultbackend:0.2.0"
}
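# Fargate task definition for the single application container.
resource "aws_ecs_task_definition" "app" {
  family                   = "${var.app}-${var.environment}"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = "256"
  memory                   = "512"

  # Role used by the ECS agent on behalf of the task (defined below in this file).
  execution_role_arn = "${aws_iam_role.ecsTaskExecutionRole.arn}"

  # Role the application code itself runs as; defined in role.tf.
  task_role_arn = "${aws_iam_role.app_role.arn}"

  # The awslogs-group now references aws_cloudwatch_log_group.logs instead of
  # restating its name, so the group is created before the task definition and
  # the two can no longer drift apart (a mismatch stops the container from
  # launching).
  # NOTE(review): awslogs-region is hard-coded to us-east-1; it must match the
  # region this stack (and therefore the log group) is deployed in, or log
  # delivery fails. There is no region variable on this page to reference.
  container_definitions = <<DEFINITION
[
  {
    "name": "${var.container_name}",
    "image": "${var.default_backend_image}",
    "essential": true,
    "portMappings": [
      {
        "protocol": "tcp",
        "containerPort": ${var.container_port},
        "hostPort": ${var.container_port}
      }
    ],
    "environment": [
      {
        "name": "PORT",
        "value": "${var.container_port}"
      },
      {
        "name": "ENABLE_LOGGING",
        "value": "false"
      },
      {
        "name": "PRODUCT",
        "value": "${var.app}"
      },
      {
        "name": "ENVIRONMENT",
        "value": "${var.environment}"
      }
    ],
    "logConfiguration": {
      "logDriver": "awslogs",
      "options": {
        "awslogs-group": "${aws_cloudwatch_log_group.logs.name}",
        "awslogs-region": "us-east-1",
        "awslogs-stream-prefix": "ecs"
      }
    }
  }
]
DEFINITION
}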
# ECS service that keeps `replicas` copies of the task running on Fargate.
resource "aws_ecs_service" "app" {
  name            = "${var.app}-${var.environment}"
  cluster         = "${aws_ecs_cluster.app.id}"
  launch_type     = "FARGATE"
  task_definition = "${aws_ecs_task_definition.app.arn}"
  desired_count   = "${var.replicas}"

  # Tasks get ENIs in the private subnets, guarded by the task security group
  # (both are defined in other files of this stack).
  network_configuration {
    security_groups = ["${aws_security_group.nsg_task.id}"]
    subnets         = ["${split(",", var.private_subnets)}"]
  }

  # Register each task with the service discovery service (defined elsewhere).
  service_registries {
    registry_arn = "${aws_service_discovery_service.fargate.arn}"
    port         = "${var.container_port}"
  }

  # [after initial apply] do not revert task_definition changes made outside
  # of Terraform (e.g. deployments via the fargate CLI). Consequence: the
  # image and environment actually running are no longer described by this
  # file, so review the live task definition rather than only this code.
  lifecycle {
    ignore_changes = ["task_definition"]
  }
}
# https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html
resource "aws_iam_role" "ecsTaskExecutionRole" {
  # Trust policy comes from the policy document defined just below.
  assume_role_policy = "${data.aws_iam_policy_document.assume_role_policy.json}"
  name               = "${var.app}-${var.environment}-ecs"
}
# Trust policy: only the ECS tasks service principal may assume the
# execution role. `effect` is spelled out although "Allow" is the default.
data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}
# Attach the AWS-managed execution policy to the execution role. Per the AWS
# docs linked above it covers what the ECS agent needs (pulling the image,
# writing logs); permissions the application itself needs belong on
# app_role in role.tf, not here.
resource "aws_iam_role_policy_attachment" "ecsTaskExecutionRole_policy" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
  role       = "${aws_iam_role.ecsTaskExecutionRole.name}"
}
# Log destination used by the awslogs driver in the task definition; the
# name here must match the awslogs-group option there.
resource "aws_cloudwatch_log_group" "logs" {
  name = "/fargate/service/${var.app}-${var.environment}"
  tags = "${var.tags}"

  # Two weeks of retention; raise it if logs must be available for
  # investigations that start later than that.
  retention_in_days = "14"
}