Initial implementation (#1)

* Initial implementation

Author: rickardl

.gitignore

@@ -5,3 +5,5 @@ crash.log
 
 # InteliJ IDE
 .idea/
+# Visual Studio Code
+.vs/

.pre-commit-config.yaml

@@ -0,0 +1,10 @@
+
+repos:
+- repo: git://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.7.3
+  hooks:
+    - id: terraform_fmt
+- repo: git://github.com/pre-commit/pre-commit-hooks
+  rev: v1.4.0
+  hooks:
+    - id: check-merge-conflict

Makefile

@@ -27,7 +27,7 @@ test:
 	@for d in $$(find . -type f -name '*.tf' -path "./examples/*" -not -path "**/.terraform/*" -exec dirname {} \; | sort -u); do \
 		cd $$d; \
 		terraform init -backend=false >> /dev/null; \
-		terraform validate -check-variables=false; \
+		terraform validate; \
 		if [ $$? -eq 1 ]; then \
 			echo "✗ terraform validate failed: $$d"; \
 			exit 1; \

README.md

@@ -1,4 +1,18 @@
-## Fargate ECS
+# AWS Fargate ECS Terraform Module
 
 [![Build Status](https://travis-ci.com/telia-oss/terraform-aws-ecs-fargate.svg?branch=master)](https://travis-ci.com/telia-oss/terraform-aws-ecs-fargate)
+![](https://img.shields.io/maintenance/yes/2018.svg) 
 
+Terraform module which creates Fargate ECS resources on AWS.
+
+## Examples
+
+* [Complete AWS Fargate ECS example](https://github.com/telia-oss/terraform-aws-ecs-fargate/examples/default/example.tf)
+
+## Authors
+
+Currently maintained by [these contributors](https://github.com/telia-oss/terraform-aws-ecs-fargate/graphs/contributors).
+
+## License
+
+MIT License. See LICENSE for full details.

examples/default/README.md

@@ -0,0 +1,3 @@
+## examples/default
+
+Basic example which creates an Fargate ECS cluster with a default listener and hello-world service (in the default VPC).

examples/default/example.tf

@@ -0,0 +1,93 @@
+# ----------------------------------------
+# Create a ecs service using fargate
+# ----------------------------------------
+
+provider "aws" {
+  region = "eu-west-1"
+}
+
+resource "aws_ecs_cluster" "cluster" {
+  name = "example-ecs-cluster"
+}
+
+data "aws_vpc" "main" {
+  default = true
+}
+
+data "aws_subnet_ids" "main" {
+  vpc_id = "${data.aws_vpc.main.id}"
+}
+
+module "fargate_alb" {
+  source  = "telia-oss/loadbalancer/aws"
+  version = "0.1.0"
+
+  name_prefix = "example-ecs-cluster"
+  type        = "application"
+  internal    = "false"
+  vpc_id      = "${data.aws_vpc.main.id}"
+  subnet_ids  = ["${data.aws_subnet_ids.main.ids}"]
+
+  tags {
+    environment = "test"
+    terraform   = "true"
+  }
+}
+
+resource "aws_lb_listener" "alb" {
+  load_balancer_arn = "${module.fargate_alb.arn}"
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    target_group_arn = "${module.fargate.target_group_arn}"
+    type             = "forward"
+  }
+}
+
+resource "aws_security_group_rule" "task_ingress_8000" {
+  security_group_id        = "${module.fargate.service_sg_id}"
+  type                     = "ingress"
+  protocol                 = "tcp"
+  from_port                = "8000"
+  to_port                  = "8000"
+  source_security_group_id = "${module.fargate_alb.security_group_id}"
+}
+
+resource "aws_security_group_rule" "alb_ingress_80" {
+  security_group_id = "${module.fargate_alb.security_group_id}"
+  type              = "ingress"
+  protocol          = "tcp"
+  from_port         = "80"
+  to_port           = "80"
+  cidr_blocks       = ["0.0.0.0/0"]
+  ipv6_cidr_blocks  = ["::/0"]
+}
+
+module "fargate" {
+  source = "../../"
+
+  name_prefix          = "example-app"
+  vpc_id               = "${data.aws_vpc.main.id}"
+  private_subnet_ids   = "${data.aws_subnet_ids.main.ids}"
+  cluster_id           = "${aws_ecs_cluster.cluster.id}"
+  task_container_image = "crccheck/hello-world:latest"
+
+  // public ip is needed for default vpc, default is false
+  task_container_assign_public_ip = "true"
+
+  // port, default protocol is HTTP
+  task_container_port = "8000"
+
+  health_check {
+    port = "traffic-port"
+    path = "/"
+  }
+
+  tags {
+    environment = "test"
+    terraform   = "true"
+  }
+
+  lb_arn = "${module.fargate_alb.arn}"
+}

main.tf

@@ -0,0 +1,162 @@
+# ------------------------------------------------------------------------------
+# AWS
+# ------------------------------------------------------------------------------
+data "aws_region" "current" {}
+
+# ------------------------------------------------------------------------------
+# Cloudwatch
+# ------------------------------------------------------------------------------
+resource "aws_cloudwatch_log_group" "main" {
+  name              = "${var.name_prefix}"
+  retention_in_days = "${var.log_retention_in_days}"
+  tags              = "${var.tags}"
+}
+
+# ------------------------------------------------------------------------------
+# IAM - Task execution role, needed to pull ECR images etc.
+# ------------------------------------------------------------------------------
+resource "aws_iam_role" "execution" {
+  name               = "${var.name_prefix}-task-execution-role"
+  assume_role_policy = "${data.aws_iam_policy_document.task_assume.json}"
+}
+
+resource "aws_iam_role_policy" "task_execution" {
+  name   = "${var.name_prefix}-task-execution"
+  role   = "${aws_iam_role.execution.id}"
+  policy = "${data.aws_iam_policy_document.task_execution_permissions.json}"
+}
+
+# ------------------------------------------------------------------------------
+# IAM - Task role, basic. Users of the module will append policies to this role
+# when they use the module. S3, Dynamo permissions etc etc.
+# ------------------------------------------------------------------------------
+resource "aws_iam_role" "task" {
+  name               = "${var.name_prefix}-task-role"
+  assume_role_policy = "${data.aws_iam_policy_document.task_assume.json}"
+}
+
+resource "aws_iam_role_policy" "log_agent" {
+  name   = "${var.name_prefix}-log-permissions"
+  role   = "${aws_iam_role.task.id}"
+  policy = "${data.aws_iam_policy_document.task_permissions.json}"
+}
+
+# ------------------------------------------------------------------------------
+# Security groups
+# ------------------------------------------------------------------------------
+resource "aws_security_group" "ecs_service" {
+  vpc_id      = "${var.vpc_id}"
+  name        = "${var.name_prefix}-ecs-service-sg"
+  description = "Fargate service security group"
+  tags        = "${merge(var.tags, map("Name", "${var.name_prefix}-sg"))}"
+}
+
+resource "aws_security_group_rule" "egress_service" {
+  security_group_id = "${aws_security_group.ecs_service.id}"
+  type              = "egress"
+  protocol          = "-1"
+  from_port         = 0
+  to_port           = 0
+  cidr_blocks       = ["0.0.0.0/0"]
+  ipv6_cidr_blocks  = ["::/0"]
+}
+
+# ------------------------------------------------------------------------------
+# LB Target group
+# ------------------------------------------------------------------------------
+resource "aws_lb_target_group" "task" {
+  vpc_id       = "${var.vpc_id}"
+  protocol     = "${var.task_container_protocol}"
+  port         = "${var.task_container_port}"
+  target_type  = "ip"
+  health_check = ["${var.health_check}"]
+
+  # NOTE: TF is unable to destroy a target group while a listener is attached,
+  # therefor we have to create a new one before destroying the old. This also means
+  # we have to let it have a random name, and then tag it with the desired name.
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = "${merge(var.tags, map("Name", "${var.name_prefix}-target-${var.task_container_port}"))}"
+}
+
+# ------------------------------------------------------------------------------
+# ECS Task/Service
+# ------------------------------------------------------------------------------
+data "null_data_source" "task_environment" {
+  count = "${var.task_container_environment_count}"
+
+  inputs = {
+    name  = "${element(keys(var.task_container_environment), count.index)}"
+    value = "${element(values(var.task_container_environment), count.index)}"
+  }
+}
+
+resource "aws_ecs_task_definition" "task" {
+  family                   = "${var.name_prefix}"
+  execution_role_arn       = "${aws_iam_role.execution.arn}"
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  cpu                      = "${var.task_definition_cpu}"
+  memory                   = "${var.task_definition_memory}"
+  task_role_arn            = "${aws_iam_role.task.arn}"
+
+  container_definitions = <<EOF
+[{
+    "name": "${var.name_prefix}",
+    "image": "${var.task_container_image}",
+    "essential": true,
+    "portMappings": [
+        {
+            "containerPort": ${var.task_container_port},
+            "hostPort": ${var.task_container_port},
+            "protocol":"tcp"
+        }
+    ],
+    "logConfiguration": {
+        "logDriver": "awslogs",
+        "options": {
+            "awslogs-group": "${aws_cloudwatch_log_group.main.name}",
+            "awslogs-region": "${data.aws_region.current.name}",
+            "awslogs-stream-prefix": "container"
+        }
+    },
+    "command": ${jsonencode(var.task_container_command)},
+    "environment": ${jsonencode(data.null_data_source.task_environment.*.outputs)}
+}]
+EOF
+}
+
+resource "aws_ecs_service" "service" {
+  depends_on                         = ["null_resource.lb_exists"]
+  name                               = "${var.name_prefix}"
+  cluster                            = "${var.cluster_id}"
+  task_definition                    = "${aws_ecs_task_definition.task.arn}"
+  desired_count                      = "${var.desired_count}"
+  launch_type                        = "FARGATE"
+  deployment_minimum_healthy_percent = 50
+  deployment_maximum_percent         = 200
+
+  network_configuration {
+    subnets          = ["${var.private_subnet_ids}"]
+    security_groups  = ["${aws_security_group.ecs_service.id}"]
+    assign_public_ip = "${var.task_container_assign_public_ip}"
+  }
+
+  load_balancer {
+    container_name   = "${var.name_prefix}"
+    container_port   = "${var.task_container_port}"
+    target_group_arn = "${aws_lb_target_group.task.arn}"
+  }
+}
+
+# HACK: The workaround used in ecs/service does not work for some reason in this module, this fixes the following error:
+# "The target group with targetGroupArn arn:aws:elasticloadbalancing:... does not have an associated load balancer."
+# see https://github.com/hashicorp/terraform/issues/12634.
+# Service depends on this resources which prevents it from being created until the LB is ready
+resource "null_resource" "lb_exists" {
+  triggers {
+    alb_name = "${var.lb_arn}"
+  }
+}

outputs.tf

@@ -0,0 +1,27 @@
+# ------------------------------------------------------------------------------
+# Output
+# ------------------------------------------------------------------------------
+output "service_arn" {
+  description = "The Amazon Resource Name (ARN) that identifies the service."
+  value       = "${aws_ecs_service.service.id}"
+}
+
+output "target_group_arn" {
+  description = "The ARN of the Target Group."
+  value       = "${aws_lb_target_group.task.arn}"
+}
+
+output "task_role_arn" {
+  description = "The Amazon Resource Name (ARN) specifying the service role."
+  value       = "${aws_iam_role.task.arn}"
+}
+
+output "task_role_name" {
+  description = "The name of the service role."
+  value       = "${aws_iam_role.task.name}"
+}
+
+output "service_sg_id" {
+  description = "The Amazon Resource Name (ARN) that identifies the service security group."
+  value       = "${aws_security_group.ecs_service.id}"
+}

policies.tf

@@ -0,0 +1,48 @@
+# Task role assume policy
+data "aws_iam_policy_document" "task_assume" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+
+# Task logging privileges
+data "aws_iam_policy_document" "task_permissions" {
+  statement {
+    effect = "Allow"
+
+    resources = [
+      "${aws_cloudwatch_log_group.main.arn}",
+    ]
+
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+  }
+}
+
+# Task ecr privileges
+data "aws_iam_policy_document" "task_execution_permissions" {
+  statement {
+    effect = "Allow"
+
+    resources = [
+      "*",
+    ]
+
+    actions = [
+      "ecr:GetAuthorizationToken",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchGetImage",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+  }
+}