stroeer / terraform-aws-ecs-fargate
Terraform module for ECS Fargate Services
Home Page: https://registry.terraform.io/modules/stroeer/ecs-fargate/aws
License: Apache License 2.0
To simplify client code, we could attach an IAM policy to the existing ecs task role in order to allow containers to put log events into firehose.
Module clients could remove the following code and rely on the module:
data "aws_iam_policy_document" "policy" {
  statement {
    actions = ["firehose:PutRecordBatch"]
    // todo limit this service stream
    resources = ["*"]
  }
}
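A scoped version of that policy, added here as an example (it is not code from the module or its clients): the statement is limited to the service's own delivery stream, which is what the todo above asks for. The task role name `aws_iam_role.task` and the variable `firehose_stream_name` are assumptions.

```hcl
# Added example, not the module's code. Grants the ECS task role write access
# to exactly one Firehose delivery stream instead of "*".
# Assumptions: the module creates aws_iam_role.task, and the caller passes the
# stream name via var.firehose_stream_name.
variable "firehose_stream_name" {
  description = "Kinesis Data Firehose delivery stream the container ships log events to"
  type        = string
}

# Resolves the stream ARN and fails the plan early if the stream does not exist.
data "aws_kinesis_firehose_delivery_stream" "logs" {
  name = var.firehose_stream_name
}

data "aws_iam_policy_document" "firehose_put" {
  statement {
    sid       = "PutLogRecordsToServiceStream"
    effect    = "Allow"
    actions   = ["firehose:PutRecord", "firehose:PutRecordBatch"]
    resources = [data.aws_kinesis_firehose_delivery_stream.logs.arn]
  }
}

# Inline policy: removed together with the role, so no orphaned managed policy.
resource "aws_iam_role_policy" "firehose_put" {
  name   = "${var.firehose_stream_name}-firehose-put"
  role   = aws_iam_role.task.id
  policy = data.aws_iam_policy_document.firehose_put.json
}
```

The policy belongs on the task role (the identity the containers run as), not on the execution role, which the ECS agent uses only to pull the image and ship `awslogs`. A fluent-bit sidecar with a `kinesis_firehose` output picks up the task role credentials from the container credential endpoint, so nothing else needs to change in the client code once the module attaches this policy.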
If an ALB target group needs to be replaced (e.g. aws_alb_target_group.public because the container_port changed), this fails with:
Error deleting Target Group: ResourceInUse: Target group 'arn:aws:elasticloadbalancing:eu-west-1:12345678:targetgroup/my-service/1541e04161e7f3ef' is currently in use by a listener or a rule
See https://github.com/telia-oss/terraform-aws-ecs-fargate/blob/0f3cbc67c057625f1354f28f6ad4efc3763a8978/main.tf#L208 for a possible solution.
│ Error: Error in function call
│
│ on .terraform/modules/alb-ecs-service/main.tf line 278, in resource "aws_appautoscaling_policy" "ecs":
│ 278: resource_label = lookup(var.appautoscaling_settings, "resource_label")
│ ├────────────────
│ │ while calling lookup(inputMap, key, default...)
│ │ var.appautoscaling_settings is map of string with 7 elements
│
│ Call to function "lookup" failed: lookup failed to find key "resource_label".
The deployment (sub) module uses data sources of existing IAM roles for CodePipeline and CodeBuild.
There is no documentation about the necessary permissions for those roles, and their names can't be configured, so this won't be usable outside our team.
Options:
deployment (sub) module (service specific naming)
I'd prefer option one since it's more coherent IMO and requires less upfront terraforming outside the module.
The variables of the deployment (sub) module have no description at the moment.
The deployment (sub) module uses a data source of an existing S3 bucket for storing pipeline artifacts. This bucket is re-used for all pipelines.
There is no documentation about this bucket, and its name can't be configured, so this won't be usable outside our team.
Options:
deployment (sub) module (service specific naming)
I'd prefer option one since it's more coherent IMO and requires less upfront terraforming outside the module.
With the logs sub-module enabled, we should provide the option to pass an existing CloudWatch Log Group for the logs of the fluent-bit sidecar, or to create one (which should be the default).
If create_deployment_pipeline is set to false, terraform plan fails with:
Error: Failed getting S3 bucket: InvalidParameter: 1 validation error(s) found.
- minimum field size of 1, HeadBucketInput.Bucket.
Bucket: ""
on .terraform/modules/client/terraform-aws-ecs-fargate-0.1.1/modules/deployment/s3.tf line 13, in data "aws_s3_bucket" "codepipeline":
13: data "aws_s3_bucket" "codepipeline" {
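One way to address both the hard-coded artifact bucket (the issue above about the S3 data source) and this plan failure, added here as an example rather than the module's own code: the bucket name becomes an input, the data source is gated with `count` so an empty name never reaches HeadBucket, and when no name is given the module creates a private, encrypted bucket itself. Variable names other than `create_deployment_pipeline`, the `var.service_name` input, and the use of AWS provider 4.x style S3 sub-resources are assumptions.

```hcl
# Added example, not the module's code. Makes the pipeline artifact bucket
# configurable and stops the lookup from running when no pipeline is wanted.
# Assumptions: var.service_name exists; AWS provider >= 4.0 (separate S3
# encryption / public-access-block resources).
variable "create_deployment_pipeline" {
  type    = bool
  default = true
}

variable "artifact_bucket_name" {
  description = "Existing bucket for pipeline artifacts; leave empty to let the module create one"
  type        = string
  default     = ""
}

locals {
  use_existing_bucket    = var.create_deployment_pipeline && var.artifact_bucket_name != ""
  create_artifact_bucket = var.create_deployment_pipeline && var.artifact_bucket_name == ""
}

# Evaluated only when a pipeline is requested and a bucket name was given,
# so the HeadBucket call with Bucket: "" from the error above cannot happen.
data "aws_s3_bucket" "codepipeline" {
  count  = local.use_existing_bucket ? 1 : 0
  bucket = var.artifact_bucket_name
}

resource "aws_s3_bucket" "codepipeline" {
  count         = local.create_artifact_bucket ? 1 : 0
  bucket_prefix = "${var.service_name}-pipeline-"
  force_destroy = true # artifacts are disposable build outputs
}

# Build artifacts are never public.
resource "aws_s3_bucket_public_access_block" "codepipeline" {
  count                   = local.create_artifact_bucket ? 1 : 0
  bucket                  = aws_s3_bucket.codepipeline[0].id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "codepipeline" {
  count  = local.create_artifact_bucket ? 1 : 0
  bucket = aws_s3_bucket.codepipeline[0].id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

# try() returns the first expression that does not error: the data source when
# an existing bucket is used, the created bucket otherwise, null when no pipeline.
locals {
  artifact_bucket_name = try(
    data.aws_s3_bucket.codepipeline[0].bucket,
    aws_s3_bucket.codepipeline[0].bucket,
    null
  )
}
```

`local.artifact_bucket_name` is what the `aws_codepipeline` artifact store would reference; with `create_deployment_pipeline = false` it is `null` and the pipeline resources (also gated with `count`) are simply not declared, so `terraform plan` no longer touches S3 at all.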
Add a CONTRIBUTING.md describing how to contribute to this project.
We might remove internal dependencies to 3rd party terraform modules like terraform-aws-modules/s3-bucket/aws which cuts interdependencies in terms of required/supported aws provider and terraform versions.
│ Error: Invalid count argument
│
│ on .terraform/modules/services.otel_container_definition/modules/assert/main.tf line 2, in data "external" "assertion":
│ 2: count = var.condition ? 0 : 1
│
│ The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To
│ work around this, use the -target argument to first apply only the resources that the count depends on.
╵
make: *** [tf] Error 1
Workaround: apply using 0.29.0 first.
If using the log sub-module, an Elasticsearch domain named application-logs is expected. This variable is not yet configurable from the main module.
The Provisioning phase for the CodeBuild step currently takes several minutes, which slows down deployments of ECS tasks by a lot.
• Currently we use aws/codebuild/amazonlinux2-x86_64-standard:1.0, which is pretty old.
• The Internet says that older images get dropped from the AWS caches, so we should probably switch to a newer image.
• According to https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html, aws/codebuild/amazonlinux2-x86_64-standard:3.0 should be the one to switch to.
We should list and cut all dependencies to our internal data sources and remote states, to make this module more generic for team/organization external users.
Affected resources:
• ssm_ecs_task_execution_role data source
• aws_service_discovery_service namespace_id
This module can't be applied using terraform 0.13. It fails with Error: ECR Repository (service-name) not found.
Details:
2020-08-25T09:49:16.831+0200 [DEBUG] plugin.terraform-provider-aws_v3.3.0_x5: 2020/08/25 09:49:16 [DEBUG] [aws-sdk-go] DEBUG: Response ecr/DescribeRepositories Details:
2020-08-25T09:49:16.831+0200 [DEBUG] plugin.terraform-provider-aws_v3.3.0_x5: ---[ RESPONSE ]--------------------------------------
2020-08-25T09:49:16.831+0200 [DEBUG] plugin.terraform-provider-aws_v3.3.0_x5: HTTP/1.1 400 Bad Request
2020-08-25T09:49:16.831+0200 [DEBUG] plugin.terraform-provider-aws_v3.3.0_x5: Connection: close
2020-08-25T09:49:16.831+0200 [DEBUG] plugin.terraform-provider-aws_v3.3.0_x5: Content-Length: 153
2020-08-25T09:49:16.831+0200 [DEBUG] plugin.terraform-provider-aws_v3.3.0_x5: Content-Type: application/x-amz-json-1.1
2020-08-25T09:49:16.831+0200 [DEBUG] plugin.terraform-provider-aws_v3.3.0_x5: Date: Tue, 25 Aug 2020 07:49:16 GMT
2020-08-25T09:49:16.831+0200 [DEBUG] plugin.terraform-provider-aws_v3.3.0_x5: X-Amzn-Requestid: 99522912-b9c0-44a3-9be2-1fc3b09ef2a7
2020-08-25T09:49:16.831+0200 [DEBUG] plugin.terraform-provider-aws_v3.3.0_x5:
2020-08-25T09:49:16.831+0200 [DEBUG] plugin.terraform-provider-aws_v3.3.0_x5:
2020-08-25T09:49:16.831+0200 [DEBUG] plugin.terraform-provider-aws_v3.3.0_x5: -----------------------------------------------------
2020-08-25T09:49:16.831+0200 [DEBUG] plugin.terraform-provider-aws_v3.3.0_x5: 2020/08/25 09:49:16 [DEBUG] [aws-sdk-go] {"__type":"RepositoryNotFoundException","message":"The repository with name 'service-name' does not exist in the registry with id '12432442342'"}
2020-08-25T09:49:16.831+0200 [DEBUG] plugin.terraform-provider-aws_v3.3.0_x5: 2020/08/25 09:49:16 [DEBUG] [aws-sdk-go] DEBUG: Validate Response ecr/DescribeRepositories failed, attempt 0/25, error RepositoryNotFoundException: The repository with name 'service-name' does not exist in the registry with id '12432442342'
2020/08/25 09:49:16 [ERROR] eval: *terraform.evalReadDataPlan, err: ECR Repository (service-name) not found
2020/08/25 09:49:16 [ERROR] eval: *terraform.EvalSequence, err: ECR Repository (service-name) not found
There is an easier way to automatically add tags to all resources, see blog post or aws tf provider docs
aws_codebuild_project (https://www.terraform.io/docs/providers/aws/r/codebuild_project.html) defaults to creating a CloudWatch log group which is not managed by the terraform lifecycle. Thus those log groups are not destroyed.
If those log groups are needed at all, we should manage them in the module (including definition of retention time).
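One log-group pattern that covers both this issue and the earlier one about the fluent-bit sidecar (bring your own group, or let the module create one by default), added here as an example and not taken from the module: the group is always a Terraform-managed resource with retention and optional CMK encryption, and the CodeBuild project is pointed at it through `logs_config` so nothing is auto-created outside the lifecycle. It also uses the newer `amazonlinux2-x86_64-standard:3.0` image from the CodeBuild issue above. All variable names, `var.service_name` and `var.codebuild_role_arn` are assumptions.

```hcl
# Added example, not the module's code. One managed CloudWatch log group pattern
# for two cases: the fluent-bit sidecar (existing group or create one, the
# default) and the CodeBuild project, whose auto-created group would otherwise
# escape Terraform's lifecycle and never be destroyed.
# Assumptions: var.service_name and var.codebuild_role_arn are module inputs.
variable "fluentbit_log_group_name" {
  description = "Existing log group for the fluent-bit sidecar; empty means create one"
  type        = string
  default     = ""
}

variable "log_retention_in_days" {
  type    = number
  default = 30
}

variable "logs_kms_key_arn" {
  description = "Optional customer-managed KMS key for log group encryption"
  type        = string
  default     = null
}

locals {
  create_fluentbit_log_group = var.fluentbit_log_group_name == ""
}

resource "aws_cloudwatch_log_group" "fluentbit" {
  count             = local.create_fluentbit_log_group ? 1 : 0
  name              = "/aws/ecs/${var.service_name}/fluent-bit"
  retention_in_days = var.log_retention_in_days
  kms_key_id        = var.logs_kms_key_arn
}

# Looking the existing group up makes a typo in the name fail at plan time
# instead of producing a sidecar that silently cannot write logs.
data "aws_cloudwatch_log_group" "fluentbit" {
  count = local.create_fluentbit_log_group ? 0 : 1
  name  = var.fluentbit_log_group_name
}

locals {
  # name to put into the sidecar's awslogs logConfiguration
  fluentbit_log_group_name = try(
    aws_cloudwatch_log_group.fluentbit[0].name,
    data.aws_cloudwatch_log_group.fluentbit[0].name
  )
}

# CodeBuild: own the group, so retention is enforced and `terraform destroy` removes it.
resource "aws_cloudwatch_log_group" "codebuild" {
  name              = "/aws/codebuild/${var.service_name}"
  retention_in_days = var.log_retention_in_days
  kms_key_id        = var.logs_kms_key_arn
}

resource "aws_codebuild_project" "this" {
  name         = var.service_name
  service_role = var.codebuild_role_arn

  artifacts {
    type = "CODEPIPELINE"
  }

  source {
    type = "CODEPIPELINE"
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
    type         = "LINUX_CONTAINER"
  }

  # Without this block CodeBuild creates /aws/codebuild/<project> on its own,
  # unmanaged and with infinite retention.
  logs_config {
    cloudwatch_logs {
      group_name  = aws_cloudwatch_log_group.codebuild.name
      stream_name = "build"
    }
  }
}
```

If a KMS key is passed, its key policy must allow the `logs.<region>.amazonaws.com` service principal to use it, otherwise log group creation fails; that grant is outside this snippet.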
We should provide examples depicting major features of this module. Those examples need to be terraform apply'able by users without errors.
Possible examples:
It would be useful if the deployment process supported more than only production as a tag in ECR, or at least allowed this tag to be specified.
Providing a container_port used for the load balancer and/or mesh proxy configuration is mandatory at the moment. We might want to support apps w/o an exposed port as well, e.g. apps consuming Kinesis/DynamoDB streams or SQS queues.
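The following is an added example (not the module's code) that addresses this issue together with the earlier one about replacing the ALB target group: `container_port` becomes optional so worker-style tasks get no target group, listener rule or `load_balancer` block at all, and the target group uses `name_prefix` with `create_before_destroy` so a port change replaces it without the ResourceInUse error. Only `container_port` is taken from the page; the other variables, the cpu/memory values and the path pattern are assumptions.

```hcl
# Added example, not the module's code.
#  * container_port is optional: null means a worker task (stream/queue
#    consumer) with no exposed port and no load balancer wiring.
#  * name_prefix + create_before_destroy: Terraform creates the replacement
#    target group first, repoints the rule, then deletes the old group, so the
#    "currently in use by a listener or a rule" error does not occur.
# Assumptions: var.vpc_id, var.listener_arn, var.service_name, var.image,
# var.cluster_id, var.subnet_ids, var.security_group_id, var.desired_count,
# var.execution_role_arn and var.task_role_arn are module inputs.
variable "container_port" {
  description = "Port the container listens on; null for tasks without an exposed port"
  type        = number
  default     = null
}

locals {
  exposed = var.container_port != null
}

resource "aws_lb_target_group" "public" {
  count       = local.exposed ? 1 : 0
  name_prefix = "svc-" # at most 6 chars; AWS appends a unique suffix
  port        = var.container_port
  protocol    = "HTTP"
  target_type = "ip" # Fargate tasks (awsvpc) register by IP, not instance
  vpc_id      = var.vpc_id

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_lb_listener_rule" "public" {
  count        = local.exposed ? 1 : 0
  listener_arn = var.listener_arn

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.public[0].arn
  }

  condition {
    path_pattern {
      values = ["/${var.service_name}/*"]
    }
  }
}

resource "aws_ecs_task_definition" "this" {
  family                   = var.service_name
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 256
  memory                   = 512
  execution_role_arn       = var.execution_role_arn
  task_role_arn            = var.task_role_arn

  container_definitions = jsonencode([{
    name      = var.service_name
    image     = var.image
    essential = true
    # no portMappings at all for worker-style tasks
    portMappings = local.exposed ? [{ containerPort = var.container_port, protocol = "tcp" }] : []
  }])
}

resource "aws_ecs_service" "this" {
  name            = var.service_name
  cluster         = var.cluster_id
  task_definition = aws_ecs_task_definition.this.arn
  desired_count   = var.desired_count
  launch_type     = "FARGATE"

  network_configuration {
    subnets         = var.subnet_ids
    security_groups = [var.security_group_id]
  }

  # emitted exactly once when exposed, not at all otherwise
  dynamic "load_balancer" {
    for_each = local.exposed ? [var.container_port] : []
    content {
      target_group_arn = aws_lb_target_group.public[0].arn
      container_name   = var.service_name
      container_port   = load_balancer.value
    }
  }

  # ECS rejects a target group that is not yet attached to a load balancer
  depends_on = [aws_lb_listener_rule.public]
}
```

Note that a fixed `name` on the target group would still fail even with `create_before_destroy`, because the replacement cannot be created under the same name while the old group exists; the generated name is what makes the ordering possible.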
With #14 we introduced an IAM role with required permissions to run CodePipeline for services. This role currently contains commented code, and it's not yet clear which permissions are actually needed.
Currently the deployment is part of the main stack, which can be deactivated using a variable.
We might also separate those 2 stacks like in terraform-aws-lambda/tree/master/modules/deploy.
All aws resources get default tags when created with this module.
When I create an ECS service via another github repository where I use terraform-aws-buzzgate, the source tag should be that of the service repository and not github.com/stroeer/terraform-aws-buzzgate.
Example:
In the github.com/stroeer/polyphase repo I use this module and I create aws resources with tf files that are in the given repo. So to be able to terraform these resources you would need to know that the tf files reside in github.com/stroeer/polyphase and not in github.com/stroeer/terraform-aws-buzzgate.
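One way to get the `source` tag right, and the "easier way to automatically add tags" mentioned in the earlier issue, added here as an example and not code from either repository: the calling repository sets `default_tags` on the AWS provider, so every resource the module creates inherits `source` from the repo that actually holds the configuration, and the module itself only adds service-level tags. The provider `default_tags` block requires AWS provider 3.38 or newer (the debug output above is from 3.3.0); the region, tag values and the `service` tag are illustrative.

```hcl
# Added example, not the module's code.
# Root module of the service repository (illustratively github.com/stroeer/polyphase).
# Requires AWS provider >= 3.38 for default_tags.
provider "aws" {
  region = "eu-west-1"

  # Applied to every taggable resource created through this provider,
  # including resources created inside modules such as ecs-fargate.
  default_tags {
    tags = {
      source     = "github.com/stroeer/polyphase" # the repo holding these .tf files
      managed-by = "terraform"
    }
  }
}

# Resource-level tags are merged on top of default_tags.
# Do not repeat a default_tags key with the same value here: AWS provider
# 3.x/4.x reject tags that are identical to the provider defaults.
resource "aws_ecs_cluster" "this" {
  name = "polyphase"

  tags = {
    service = "polyphase"
  }
}

# Inside a reusable module: take tags as an input and merge, never hard-code
# the module's own repository as `source`.
variable "tags" {
  description = "Tags merged into every resource of this module"
  type        = map(string)
  default     = {}
}

resource "aws_cloudwatch_log_group" "service" {
  name              = "/aws/ecs/polyphase"
  retention_in_days = 30

  tags = merge(var.tags, { Name = "polyphase" })
}
```

With this split the module no longer needs to know where it is being called from, and a `terraform plan` in the service repository shows the inherited `source` value on each resource, which is the information the issue asks for.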
Monitoring aws/containers-roadmap#698 in order to send app logs directly to Elasticsearch instead of piping through Kinesis Firehose streams.