
terraform-ecs-fargate's Introduction

Terraform ECS Fargate

A set of Terraform templates used for provisioning web application stacks on AWS ECS Fargate.

Note: We suggest moving away from this template to our newer modular version. This repo will still receive updates to maintain compatibility as Terraform and the AWS providers evolve, but most newer features will be implemented in the module. You can find the module here: https://github.com/turnerlabs/terraform-ecs-fargate-module

diagram

The templates are designed to be customized. The optional components can be removed by simply deleting the .tf file.

The templates are used for managing infrastructure concerns and, as such, the templates deploy a default backend docker image. We recommend using the fargate CLI for managing application concerns like deploying your actual application images and environment variables on top of this infrastructure. The fargate CLI can be used to deploy applications from your laptop or in CI/CD pipelines.

Components

base

These components are shared by all environments.

| Name | Description | Optional |
|------|-------------|----------|
| main.tf | AWS provider, output | |
| state.tf | S3 bucket backend for storing Terraform remote state | |
| ecr.tf | ECR repository for application (all environments share) | |

env/dev

These components are for a specific environment. There should be a corresponding directory for each environment that is needed.

| Name | Description | Optional |
|------|-------------|----------|
| main.tf | Terraform remote state, AWS provider, output | |
| ecs.tf | ECS Cluster, Service, Task Definition, ecsTaskExecutionRole, CloudWatch Log Group | |
| lb.tf | ALB, Target Group, S3 bucket for access logs | |
| nsg.tf | Security groups (NSG) for ALB and Task | |
| lb-http.tf | HTTP listener, NSG rule. Delete if HTTPS only | Yes |
| lb-https.tf | HTTPS listener, NSG rule. Delete if HTTP only | Yes |
| dashboard.tf | CloudWatch dashboard: CPU, memory, and HTTP-related metrics | Yes |
| role.tf | Application Role for container | Yes |
| cicd.tf | IAM user that can be used by CI/CD systems | Yes |
| autoscale-perf.tf | Performance-based auto scaling | Yes |
| autoscale-time.tf | Time-based auto scaling | Yes |
| logs-logzio.tf | Ship container logs to logz.io | Yes |
| secretsmanager.tf | Add a Secrets Manager secret with a CMK KMS key. Also gives the app role and the ECS task definition role access to read secrets from Secrets Manager | Yes |
| secrets-sidecar.tf | Adds a task definition configuration for deploying your app along with a sidecar container that writes your Secrets Manager secret to a file. Depends on opting in to secretsmanager.tf | Yes |
| ssm-parameters.tf | Add a CMK KMS key for use with SSM Parameter Store. Also gives the ECS task definition role access to read secrets from Parameter Store | Yes |
| ecs-event-stream.tf | Add an ECS event log dashboard | Yes |
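The two secrets components above rest on a split between KMS "write" actions for administrators and KMS "read" actions (kms:Decrypt, kms:DescribeKey, kms:List*) for the app role and ecsTaskExecutionRole; both action lists can be seen in the "Duplicate variable definition" issue output further down this page. The following linter is an added example, not code from the terraform-ecs-fargate repo: given a KMS key policy document and the ARNs that should only read, it expands IAM action wildcards against the template's write list and reports every write action one of those ARNs is granted. The role ARNs and the two policies are constructed for the example.

```python
"""Lint a KMS key policy for the read/write split used by this template.

Added example for this README, not code from the terraform-ecs-fargate repo.
The write list below is the kms_write_actions list from the template; the read
list is kms_read_actions. Role ARNs and policies are constructed.
"""
import copy
import fnmatch
from typing import Any, Iterable, List, Set, Tuple

# kms_write_actions from the template: what an administrator may do to the key.
KMS_WRITE_ACTIONS: Set[str] = {
    "kms:CancelKeyDeletion", "kms:CreateAlias", "kms:CreateGrant", "kms:CreateKey",
    "kms:DeleteAlias", "kms:DeleteImportedKeyMaterial", "kms:DisableKey",
    "kms:DisableKeyRotation", "kms:EnableKey", "kms:EnableKeyRotation", "kms:Encrypt",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:GenerateRandom",
    "kms:GetKeyPolicy", "kms:GetKeyRotationStatus", "kms:GetParametersForImport",
    "kms:ImportKeyMaterial", "kms:PutKeyPolicy", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:RetireGrant", "kms:RevokeGrant", "kms:ScheduleKeyDeletion", "kms:TagResource",
    "kms:UntagResource", "kms:UpdateAlias", "kms:UpdateKeyDescription",
}
# kms_read_actions from the template: all the app and task roles need.
KMS_READ_ACTIONS = ["kms:Decrypt", "kms:DescribeKey", "kms:List*"]


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in Action/Principal fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def statement_principals(stmt: dict) -> List[str]:
    """Return the AWS principal ARNs of a statement ('*' for the public wildcard)."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return [str(p) for p in _as_list(principal.get("AWS", []))]


def expand_actions(patterns: Iterable[str], catalog: Iterable[str]) -> Set[str]:
    """Expand IAM action patterns such as kms:* or kms:Re* against a known catalog."""
    return {a for a in catalog for pat in patterns if fnmatch.fnmatchcase(a, pat)}


def write_grants_to_readers(policy: dict, reader_arns: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (Sid, principal, action) for every write action an Allow statement
    grants to a reader ARN or to everyone. Deny and NotAction are not modelled,
    so an empty result is necessary, not sufficient."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        granted = expand_actions(_as_list(stmt.get("Action", [])), KMS_WRITE_ACTIONS)
        for arn in statement_principals(stmt):
            if arn == "*" or arn in reader_arns:
                findings.extend((stmt.get("Sid", ""), arn, action) for action in sorted(granted))
    return findings


# Constructed ARNs: the account id and role names are placeholders.
TASK_ROLE = "arn:aws:iam::123456789012:role/my-app-dev-ecsTaskExecutionRole"
APP_ROLE = "arn:aws:iam::123456789012:role/my-app-dev-role"
ADMIN_ROLE = "arn:aws:iam::123456789012:role/admin"

GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminWrite", "Effect": "Allow", "Principal": {"AWS": ADMIN_ROLE},
         "Action": sorted(KMS_WRITE_ACTIONS), "Resource": "*"},
        {"Sid": "AppRead", "Effect": "Allow", "Principal": {"AWS": [TASK_ROLE, APP_ROLE]},
         "Action": KMS_READ_ACTIONS, "Resource": "*"},
    ],
}
# A common "just make it work" edit: the app statement widened to kms:*.
BAD_POLICY = copy.deepcopy(GOOD_POLICY)
BAD_POLICY["Statement"][1]["Action"] = ["kms:*"]

if __name__ == "__main__":
    for name, policy in ("good", GOOD_POLICY), ("bad", BAD_POLICY):
        hits = write_grants_to_readers(policy, {TASK_ROLE, APP_ROLE})
        print(f"{name}: {len(hits)} write grants to read-only principals")
```

Run it against the rendered key policy (for example `aws kms get-key-policy --key-id ... --policy-name default` output) whenever someone touches secretsmanager.tf or ssm-parameters.tf; a task role that can call kms:PutKeyPolicy or kms:ScheduleKeyDeletion turns a compromised container into a key-destruction problem.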

Usage

Typically, the base Terraform will only need to be run once, and then should only need changes very infrequently. After the base is built, each environment can be built.

# Move into the base directory
$ cd base

# Sets up Terraform to run
$ terraform init

# Executes the Terraform run
$ terraform apply

# Now, move into the dev environment
$ cd ../env/dev

# Sets up Terraform to run
$ terraform init

# Executes the Terraform run
$ terraform apply

Important (after initial terraform apply)

The generated base .tfstate is not stored in the remote state S3 bucket (the base run is what creates that bucket). Ensure the base .tfstate is checked into your infrastructure repo. The default Terraform .gitignore generated by GitHub ignores all .tfstate files, so you'll need to modify it. State files can contain sensitive resource attributes in clear text, so keep that repo private and review the base state before the first commit.
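Because the note above asks you to commit a state file, a pre-commit check that refuses state containing credentials is worth having. The script below is an added example, not code from the terraform-ecs-fargate repo: it walks a version 4 Terraform state document, flags attributes the provider schema marked sensitive and attribute names that look like credentials, and exits non-zero if it finds any. The state document is constructed for the example; the aws_iam_access_key resource in it illustrates what a CI/CD user's key would leave in state and is not something base/ creates.

```python
"""Scan a Terraform state file for values that should not be committed.

Added example for this README, not code from the terraform-ecs-fargate repo.
Usage: python scan_tfstate.py base/terraform.tfstate (no argument runs the
constructed sample below).
"""
import json
import re
import sys
from typing import Any, Iterator, List, Tuple

# Attribute names that usually hold credentials (assumption: extend for your stack).
SUSPECT_NAME = re.compile(r"secret|password|passwd|token|private_key|access_key", re.I)


def _walk(obj: Any, path: List[str]) -> Iterator[Tuple[List[str], Any]]:
    """Yield (path, leaf value) for every scalar inside a nested attribute map."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, path + [key])
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            yield from _walk(value, path + [str(idx)])
    else:
        yield path, obj


def iter_findings(state: dict) -> Iterator[Tuple[str, str]]:
    """Yield (attribute address, reason) pairs for a state version 4 document."""
    for res in state.get("resources", []):
        # Terraform-style address: optional module prefix, then type.name
        address = ".".join(p for p in (res.get("module"), res["type"], res["name"]) if p)
        for inst in res.get("instances", []):
            # (a) paths the provider marked sensitive: [[{"type": "get_attr", "value": "secret"}]]
            for path in inst.get("sensitive_attributes", []):
                names = [step["value"] for step in path if step.get("type") == "get_attr"]
                if names:
                    yield f"{address}.{'.'.join(names)}", "marked sensitive"
            # (b) name heuristic over every leaf, nested blocks included
            for path, value in _walk(inst.get("attributes") or {}, []):
                if value in (None, ""):
                    continue
                if SUSPECT_NAME.search(".".join(path)):
                    yield f"{address}.{'.'.join(path)}", "name looks like a credential"


def scan_state(state_json: str) -> List[str]:
    """Return sorted, de-duplicated findings as 'address (reason)' strings."""
    findings = set(iter_findings(json.loads(state_json)))
    return sorted(f"{addr} ({reason})" for addr, reason in findings)


# Constructed sample state: bucket and ECR repo as base/ would record them,
# plus an illustrative IAM access key whose secret must never reach git.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.5.0",
    "resources": [
        {"module": "module.tf_remote_state", "mode": "managed",
         "type": "aws_s3_bucket", "name": "bucket",
         "instances": [{"attributes": {"bucket": "my-app-terraform-state",
                                       "region": "us-east-1"},
                        "sensitive_attributes": []}]},
        {"mode": "managed", "type": "aws_ecr_repository", "name": "app",
         "instances": [{"attributes": {"name": "my-app",
                                       "repository_url": "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app"},
                        "sensitive_attributes": []}]},
        {"mode": "managed", "type": "aws_iam_access_key", "name": "cicd",
         "instances": [{"attributes": {"id": "AKIAEXAMPLEEXAMPLE", "user": "my-app-cicd",
                                       "secret": "not-a-real-secret"},
                        "sensitive_attributes": [[{"type": "get_attr", "value": "secret"}]]}]},
    ],
})

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATE
    hits = scan_state(text)
    for hit in hits:
        print("refusing to commit:", hit)
    sys.exit(1 if hits else 0)
```

Wire it into the repo's pre-commit hook next to the formatting check; a clean result on the base state is expected, since base/ only holds the bucket, ECR repository and their policies, but the check is what catches the day someone adds an access key or database password to that stack.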

fargate-create

Alternatively you can use the fargate-create CLI to scaffold new projects based on this template.

install

curl -s get-fargate-create.turnerlabs.io | sh

This pipes a remotely fetched script straight into your shell. Download it first (curl -s get-fargate-create.turnerlabs.io -o install.sh), read it, then run it; note that curl defaults to plain http:// when no scheme is given, so use an https:// URL if the host serves one.

create an input vars file (terraform.tfvars)

# app/env to scaffold
app = "my-app"
environment = "dev"

internal = true
container_port = "8080"
replicas = "1"
health_check = "/health"
region = "us-east-1"
aws_profile = "default"
saml_role = "admin"
vpc = "vpc-123"
private_subnets = "subnet-123,subnet-456"
public_subnets = "subnet-789,subnet-012"
tags = {
  application   = "my-app"
  environment   = "dev"
  team          = "my-team"
  customer      = "my-customer"
  contact-email = "[email protected]"
}
$ fargate-create -f terraform.tfvars

Additional Information

Install pre-commit hook that checks terraform code for formatting

ln -s ../../pre-commit.sh .git/hooks/pre-commit


terraform-ecs-fargate's Issues

terraform init issue

Error refreshing state: InvalidParameter: 1 validation error(s) found.

  • minimum field size of 1, GetObjectInput.Bucket.

Failed to get existing workspaces...

Hi, I'm pretty new to TF. I seem to have run into the following issue. Any ideas?

➜ base git:(master) ✗ terraform state list
data.aws_caller_identity.current
data.aws_iam_policy_document.ecr
aws_ecr_repository.app
aws_ecr_repository_policy.app
module.tf_remote_state.data.aws_iam_role.role
module.tf_remote_state.aws_s3_bucket.bucket
module.tf_remote_state.aws_s3_bucket_policy.bucket_policy
➜ base git:(master) ✗ cd ../env/dev
➜ dev git:(master) ✗ terraform init

Initializing the backend...

Error: Failed to get existing workspaces: InvalidParameter: 1 validation error(s) found.

  • minimum field size of 1, ListObjectsInput.Bucket.
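The two errors in the issue above (an empty Bucket in GetObjectInput and ListObjectsInput) are what the S3 backend reports when its bucket name is blank. The preflight check below is an added example, not code from the terraform-ecs-fargate repo; it assumes, as this template is laid out, that env/<env>/main.tf carries a `backend "s3" { ... }` block whose `bucket` must be filled in with the state bucket the base stack created. Run it before `terraform init` in an environment directory. The HCL text is constructed for the example.

```python
"""Preflight check for the S3 backend block before `terraform init` in env/dev.

Added example for this README, not code from the terraform-ecs-fargate repo.
Usage: python check_backend.py env/dev/main.tf (no argument runs the
constructed sample below).
"""
import re
import sys
from typing import Dict, List

# Non-greedy body match: the backend block in this template has no nested braces.
BACKEND_BLOCK = re.compile(r'backend\s+"s3"\s*\{(.*?)\}', re.S)
STRING_ATTR = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)
# Attributes that must be non-empty for the S3 backend to work (assumption).
REQUIRED = ("bucket", "key", "region")


def backend_settings(hcl: str) -> Dict[str, str]:
    """Return the string attributes of the first backend "s3" block, or {}."""
    match = BACKEND_BLOCK.search(hcl)
    if not match:
        return {}
    return dict(STRING_ATTR.findall(match.group(1)))


def check_backend(hcl: str) -> List[str]:
    """Return human-readable problems; an empty list means init can proceed."""
    if not BACKEND_BLOCK.search(hcl):
        return ['no backend "s3" block found']
    settings = backend_settings(hcl)
    return [f"backend attribute '{name}' is empty or missing"
            for name in REQUIRED if not settings.get(name)]


# Constructed main.tf fragment with the bucket left blank, as a fresh checkout
# of an environment directory might look before the base output is copied in.
BROKEN_MAIN_TF = '''
terraform {
  backend "s3" {
    region  = "us-east-1"
    profile = ""
    bucket  = ""
    key     = "dev.terraform.tfstate"
  }
}
'''
FIXED_MAIN_TF = BROKEN_MAIN_TF.replace('bucket  = ""', 'bucket  = "my-app-terraform-state"')

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_MAIN_TF
    problems = check_backend(text)
    for problem in problems:
        print("preflight:", problem)
    sys.exit(1 if problems else 0)
```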

nodejs8.10 lambda is deprecated

Deprecation of creating nodejs8.10 lambda is Jan 6, 2020 and updating is Feb 3, 2020.
https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html

It was a simple lambda and we just need to update the runtime in ecs-event-stream.tf file. I tested in an app bootstrapped from fargate-create.

I did a PR for terraform-ecs-fargate-nlb (python3 and nodejs10.x), not sure if that's the right repo. There are a few fargate repos which contain logz lambdas and a nodejs8.10 lambda, are the files kept in sync in some way or are they updated separately?

Node 10 Lambda phase 1 support ends by July 30, 2021

There is a Node 10 lambda in the repo. It may cause issues when creating (or later updating) the stack once Node 10 Lambda support ends in AWS.
Workaround if not updated in the release:
In env/dev/ecs-event-stream.tf, change the runtime to either value - "nodejs12.x" or "nodejs14.x"

Terraform init in env/dev fails with "Duplicate variable definition"

Hello, I'm trying to run terraform init in a clean env/dev folder and am receiving multiple errors due to "Duplicated local value definition".

Terraform version: v0.14.0

Error: Duplicate local value definition

  on ssm-parameters.tf line 3, in locals:
   3:   kms_write_actions = [
   4:     "kms:CancelKeyDeletion",
   5:     "kms:CreateAlias",
   6:     "kms:CreateGrant",
   7:     "kms:CreateKey",
   8:     "kms:DeleteAlias",
   9:     "kms:DeleteImportedKeyMaterial",
  10:     "kms:DisableKey",
  11:     "kms:DisableKeyRotation",
  12:     "kms:EnableKey",
  13:     "kms:EnableKeyRotation",
  14:     "kms:Encrypt",
  15:     "kms:GenerateDataKey",
  16:     "kms:GenerateDataKeyWithoutPlaintext",
  17:     "kms:GenerateRandom",
  18:     "kms:GetKeyPolicy",
  19:     "kms:GetKeyRotationStatus",
  20:     "kms:GetParametersForImport",
  21:     "kms:ImportKeyMaterial",
  22:     "kms:PutKeyPolicy",
  23:     "kms:ReEncryptFrom",
  24:     "kms:ReEncryptTo",
  25:     "kms:RetireGrant",
  26:     "kms:RevokeGrant",
  27:     "kms:ScheduleKeyDeletion",
  28:     "kms:TagResource",
  29:     "kms:UntagResource",
  30:     "kms:UpdateAlias",
  31:     "kms:UpdateKeyDescription",
  32:   ]

A local value named "kms_write_actions" was already defined at
secretsmanager.tf:4,3-33,4. Local value names must be unique within a module.


Error: Duplicate local value definition

  on ssm-parameters.tf line 35, in locals:
  35:   kms_read_actions = [
  36:     "kms:Decrypt",
  37:     "kms:DescribeKey",
  38:     "kms:List*",
  39:   ]

A local value named "kms_read_actions" was already defined at
secretsmanager.tf:36,3-40,4. Local value names must be unique within a module.


Error: Duplicate local value definition

  on ssm-parameters.tf line 42, in locals:
  42:   saml_user_ids = flatten([
  43:     data.aws_caller_identity.current.user_id,
  44:     data.aws_caller_identity.current.account_id,
  45:     formatlist(
  46:       "%s:%s",
  47:       data.aws_iam_role.saml_role_ssm.unique_id,
  48:       var.secrets_saml_users,
  49:     ),
  50:   ])

A local value named "saml_user_ids" was already defined at
secretsmanager.tf:65,3-73,5. Local value names must be unique within a module.


Error: Duplicate local value definition

  on ssm-parameters.tf line 53, in locals:
  53:   role_and_saml_ids = flatten([
  54:     "${aws_iam_role.ecsTaskExecutionRole.unique_id}:*",
  55:     local.saml_user_ids,
  56:   ])

A local value named "role_and_saml_ids" was already defined at
secretsmanager.tf:76,3-80,5. Local value names must be unique within a module.


Error: Duplicate variable declaration

  on ssm-parameters.tf line 66:
  66: variable "secrets_saml_users" {

A variable named "secrets_saml_users" was already declared at
secretsmanager.tf:281,1-30. Variable names must be unique within a module

Workspaces

Thank you for this template. Looks great, especially the documentation!

I have a question about the environment guide.

Say that you have a couple of environments, production and dev for example, and you want them to share a lot of the things in this template that currently live in env/dev. Is the idea for the user to move things into base as they become shared dependencies across environments?
