diff --git a/README.md b/README.md
index efd0ef60d..c56994d1d 100644
--- a/README.md
+++ b/README.md
@@ -482,13 +482,16 @@ The following inputs can be used as `step.with` keys
| `aws_ecs_task_type`| String | Configuration type. Could be `EC2`, `FARGATE` or empty. Will default to `aws_ecs_service_launch_type` if none defined. (Blank if `EXTERNAL`). |
| `aws_ecs_task_name`| String | Elastic Container Service task name. If task is defined with a JSON file, should be the same as the container name. |
| `aws_ecs_task_ignore_definition`| Boolean | Toggle to ignore task definition changes after first deployment. Useful when using external tools to manage the task definition. Default: `false`. |
-| `aws_ecs_task_execution_role`| String | Elastic Container Service task execution role name from IAM. Defaults to `ecsTaskExecutionRole`. |
+| `aws_ecs_task_execution_role`| String | Task execution role name that the Amazon ECS container agent and the Docker daemon can assume. Defaults to `ecsTaskExecutionRole`. |
+| `aws_ecs_task_role` | String | IAM role name that allows your Amazon ECS container task to make calls to other AWS services. When mounting an EFS volume and `aws_ecs_efs_iam` is enabled, will create one specific for that volume if none defined. |
+| `aws_ecs_task_reuse_role` | Boolean | Toggle reusing the task execution role as the task role. |
| `aws_ecs_task_json_definition_file`| String | Name of the json file containing task definition. Overrides every other input. |
| `aws_ecs_task_network_mode`| String | Network type to use in task definition. One of `none`, `bridge`, `awsvpc`, and `host`. |
| `aws_ecs_task_cpu`| String | Task CPU Amount. |
| `aws_ecs_task_mem`| String | Task Mem Amount. |
| `aws_ecs_container_cpu`| String | Container CPU Amount. |
| `aws_ecs_container_mem`| String | Container Mem Amount. |
+| `aws_ecs_container_user`| String | User to run container as. Accepts `user`, `user:group`, `uid`, `uid:gid`, `user:gid` or `uid:group`. |
| `aws_ecs_node_count`| String | Node count for ECS Cluster. |
| `aws_ecs_app_image`| String | Name of the container image to be used. |
| `aws_ecs_security_group_name`| String | ECS Secruity group name. |
@@ -508,6 +511,14 @@ The following inputs can be used as `step.with` keys
| `aws_ecs_cloudwatch_lg_name`| String | Log group name. Will default to `aws_identifier` if none. |
| `aws_ecs_cloudwatch_skip_destroy`| Boolean | Toggle deletion or not when destroying the stack. |
| `aws_ecs_cloudwatch_retention_days`| String | Number of days to retain logs. 0 to never expire. Defaults to `14`. |
+| `aws_ecs_efs_fs_id` | String | ID of the EFS File System. |
+| `aws_ecs_efs_root_directory` | String | Directory within the FS to mount as the root directory. Defaults to `/`, ignored if `access_point_id` defined. |
+| `aws_ecs_efs_transit_encryption` | Boolean | EFS Volume Transit Encryption. Defaults to `true`. (ENABLED) |
+| `aws_ecs_efs_transit_encryption_port` | String | EFS Volume Transit Encryption Port. |
+| `aws_ecs_efs_access_point_id` | String | EFS Volume Access Point ID to use. |
+| `aws_ecs_efs_container_path` | String | Directory path within container to mount the EFS volume to. Defaults to`/mnt/efs` |
+| `aws_ecs_efs_readonly` | Boolean | Whether the EFS volume is mounted as read-only. Defaults to `false`. |
+| `aws_ecs_efs_iam` | Boolean | Whether or not to use the ECS task IAM role defined in a task definition when mounting the FS. Defaults to `false`. (DISABLED) - Needs `aws_ecs_efs_transit_encryption` |
| `aws_ecs_additional_tags`| JSON | Add additional tags to the terraform [default tags](https://www.hashicorp.com/blog/default-tags-in-the-terraform-aws-provider), any tags put here will be added to ECS provisioned resources.|
diff --git a/action.yaml b/action.yaml
index 2ee4856e3..926b2befb 100644
--- a/action.yaml
+++ b/action.yaml
@@ -282,46 +282,46 @@ inputs:
# AWS ALB
aws_alb_create:
- description: "Global toggle for ALB creation"
+ description: 'Global toggle for ALB creation'
required: false
aws_alb_security_group_name:
- description: "Name of the security group to use for ALB"
+ description: 'Name of the security group to use for ALB'
required: false
aws_alb_app_port:
- description: "Comma-separated list of application ports for ALB target group"
+ description: 'Comma-separated list of application ports for ALB target group'
required: false
aws_alb_app_protocol:
- description: "Comma-separated list of protocols for ALB target group (HTTP/HTTPS)"
+ description: 'Comma-separated list of protocols for ALB target group (HTTP/HTTPS)'
required: false
aws_alb_listen_port:
- description: "Comma-separated list of listener ports for ALB"
+ description: 'Comma-separated list of listener ports for ALB'
required: false
aws_alb_listen_protocol:
- description: "Comma-separated list of listener protocols for ALB (HTTP/HTTPS)"
+ description: 'Comma-separated list of listener protocols for ALB (HTTP/HTTPS)'
required: false
aws_alb_redirect_enable:
- description: "Enable HTTP to HTTPS redirection on ALB"
+ description: 'Enable HTTP to HTTPS redirection on ALB'
required: false
aws_alb_www_to_apex_redirect:
description: 'Enable www to apex domain redirection on ALB'
required: false
aws_alb_healthcheck_path:
- description: "Health check path for ALB target group"
+ description: 'Health check path for ALB target group'
required: false
aws_alb_healthcheck_protocol:
- description: "Health check protocol for ALB target group"
+ description: 'Health check protocol for ALB target group'
required: false
aws_alb_ssl_policy:
- description: "SSL policy for HTTPS listeners"
+ description: 'SSL policy for HTTPS listeners'
required: false
aws_alb_access_log_enabled:
- description: "Enable ALB access logs"
+ description: 'Enable ALB access logs'
required: false
aws_alb_access_log_bucket_name:
- description: "S3 bucket name to store the ALB access logs"
+ description: 'S3 bucket name to store the ALB access logs'
required: false
aws_alb_access_log_expire:
- description: "Delete the access logs after this amount of days"
+ description: 'Delete the access logs after this amount of days'
required: false
aws_alb_additional_tags:
description: 'A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`'
@@ -876,7 +876,7 @@ inputs:
description: 'Log type. Older Redis engines need slow-log. Newer support engine-log (default)'
required: false
aws_redis_cloudwatch_retention_days:
- description: "Number of days to retain logs. 0 to never expire. Default '14'"
+ description: 'Number of days to retain logs. 0 to never expire. Default 14'
required: false
aws_redis_single_line_url_secret:
description: 'Creates an AWS secret containing the connection string containing protocol://user@pass:endpoint:port'
@@ -943,7 +943,13 @@ inputs:
description: 'Toggle to ignore task definition changes after first deployment. Useful when using external tools to manage the task definition.'
required: false
aws_ecs_task_execution_role:
- description: 'Elastic Container Service task execution role name from IAM. Defaults to "ecsTaskExecutionRole"'
+ description: 'Task execution role name that the Amazon ECS container agent and the Docker daemon can assume'
+ required: false
+ aws_ecs_task_role:
+ description: 'Name of the IAM role that allows your Amazon ECS container task to make calls to other AWS services'
+ required: false
+ aws_ecs_task_reuse_role:
+ description: 'Toggle reusing the task execution role as the task role.'
required: false
aws_ecs_task_json_definition_file:
description: 'Name of the json file containing task definition. Overrides every other input.'
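Review bot: The new `aws_ecs_task_reuse_role` description does not say what reuse means for the workload: with it on, the application container runs under the execution role, so it inherits everything that role can do (image pull, log writes and whatever secret or parameter access the role has been given), which is broader than a task role normally needs. Suggest `description: 'Toggle reusing the task execution role as the task role. The container then inherits the execution role permissions; prefer a dedicated aws_ecs_task_role.'`. The rewritten `aws_ecs_task_execution_role` description also dropped the `ecsTaskExecutionRole` default that the README entry for the same input still states; keep `Defaults to ecsTaskExecutionRole` in it so the two stay in sync.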
@@ -963,6 +969,9 @@ inputs:
aws_ecs_container_mem:
description: 'Container Mem Amount'
required: false
+ aws_ecs_container_user:
+ description: 'User to run container as'
+ required: false
aws_ecs_node_count:
description: 'Node count for ECS Cluster'
required: false
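Review bot: The `aws_ecs_container_user` description is thinner than the README entry for the same input, which lists the accepted forms; users reading the action metadata should get the same contract. Suggest `description: 'User to run container as. Accepts user, user:group, uid, uid:gid, user:gid or uid:group'`. If leaving it empty means the image's own default user stays in effect (presumably, since the variable defaults to an empty string), it is worth saying so here, as this input is the only place the action lets a deployer drop root in the task definition.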
@@ -1003,22 +1012,46 @@ inputs:
description: 'Min ammount of nodes to scale down to.'
required: false
aws_ecs_autoscaling_max_mem:
- description: 'Some'
+ description: 'Max ammount of mem to scale up to.'
required: false
aws_ecs_autoscaling_max_cpu:
- description: 'Some'
+ description: 'Max ammount of cou to scale up to.'
required: false
aws_ecs_cloudwatch_enable:
- description: "Toggle cloudwatch for ECS. Default 'false'"
+ description: 'Toggle cloudwatch for ECS. Defaults to false'
required: false
aws_ecs_cloudwatch_lg_name:
- description: "Log group name. Will default to aws_identifier if none."
+ description: 'Log group name. Will default to aws_identifier if none.'
required: false
aws_ecs_cloudwatch_skip_destroy:
- description: "Toggle deletion or not when destroying the stack."
+ description: 'Toggle deletion or not when destroying the stack.'
required: false
aws_ecs_cloudwatch_retention_days:
- description: "Number of days to retain logs. 0 to never expire. Default '14'"
+ description: 'Number of days to retain logs. 0 to never expire. Default 14'
+ required: false
+ aws_ecs_efs_fs_id:
+ description: 'ID of the EFS File System'
+ required: false
+ aws_ecs_efs_root_directory:
+ description: 'Directory within the FS to mount as the root directory. Defaults to /, ignored if access_point_id defined'
+ required: false
+ aws_ecs_efs_transit_encryption:
+ description: 'EFS Volume Transit Encryption. Defaults to true (ENABLED)'
+ required: false
+ aws_ecs_efs_transit_encryption_port:
+ description: 'EFS Volume Transit Encryption Port'
+ required: false
+ aws_ecs_efs_access_point_id:
+ description: 'EFS Volume Access Point ID to use'
+ required: false
+ aws_ecs_efs_container_path:
+ description: 'Directory path within container to mount the EFS volume to'
+ required: false
+ aws_ecs_efs_readonly:
+ description: 'Whether the EFS volume is mounted as read-only'
+ required: false
+ aws_ecs_efs_iam:
+ description: 'Whether or not to use the ECS task IAM role defined in a task definition when mounting the FS. Defaults to false. (DISABLED) '
required: false
aws_ecs_additional_tags:
description: 'A list of strings that will be added to created resources'
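Review bot: Two of the rewritten descriptions carry typos: `aws_ecs_autoscaling_max_mem` reads 'ammount' and `aws_ecs_autoscaling_max_cpu` reads 'ammount of cou'. Suggest `description: 'Max amount of mem to scale up to.'` and `description: 'Max amount of cpu to scale up to.'`. The new `aws_ecs_efs_iam` description ends with a trailing space inside the quotes and, unlike the README row for the same input, does not mention that it requires `aws_ecs_efs_transit_encryption`; the same text with the same trailing space appears in `aws_variables.tf`. Suggest `description: 'Whether to use the ECS task IAM role defined in the task definition when mounting the FS. Defaults to false. Requires aws_ecs_efs_transit_encryption.'` in both places.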
@@ -1103,10 +1136,10 @@ inputs:
description: 'Define if an EKS cluster should be created'
required: false
aws_eks_security_group_name_cluster:
- description: "SG for ${var.aws_resource_identifier} - ${var.aws_eks_environment} - EKS Master"
+ description: 'SG for ${var.aws_resource_identifier} - ${var.aws_eks_environment} - EKS Master'
required: false
aws_eks_security_group_name_node:
- description: "SG for ${var.aws_resource_identifier} - ${var.aws_eks_environment} - EKS Worker"
+ description: 'SG for ${var.aws_resource_identifier} - ${var.aws_eks_environment} - EKS Worker'
required: false
aws_eks_environment:
description: 'Specify the eks environment name. Defaults to env'
@@ -1121,19 +1154,19 @@ inputs:
description: 'Allow incoming traffic from this CIDR block. Accepts comma separated values, matching 1 to 1 with aws_eks_allowed_ports. If none defined, will allow all incoming traffic.'
required: false
aws_eks_cluster_name:
- description: "EKS Cluster name. Defaults to eks-cluster"
+ description: 'EKS Cluster name. Defaults to eks-cluster'
required: false
aws_eks_cluster_admin_role_arn:
- description: "Role ARN to grant cluster-admin permissions"
+ description: 'Role ARN to grant cluster-admin permissions'
required: false
aws_eks_cluster_log_types:
- description: "EKS Log types, comma separated list. Defaults to api,audit,authenticator"
+ description: 'EKS Log types, comma separated list. Defaults to api,audit,authenticator'
required: false
aws_eks_cluster_log_retention_days:
- description: "Days to store logs. Defaults to 7."
+ description: 'Days to store logs. Defaults to 7.'
required: false
aws_eks_cluster_log_skip_destroy:
- description: "Skip deletion of cluster logs if set to true"
+ description: 'Skip deletion of cluster logs if set to true'
required: false
aws_eks_cluster_version:
description: 'Specify the k8s cluster version'
@@ -1169,115 +1202,115 @@ inputs:
outputs:
# VPC
aws_vpc_id:
- description: "The selected VPC ID used."
+ description: 'The selected VPC ID used.'
value: ${{ steps.deploy.outputs.aws_vpc_id }}
# EC2
vm_url:
- description: "The URL of the generated app"
+ description: 'The URL of the generated app'
value: ${{ steps.deploy.outputs.vm_url }}
instance_endpoint:
- description: "The URL of the generated ec2 instance"
+ description: 'The URL of the generated ec2 instance'
value: ${{ steps.deploy.outputs.instance_endpoint }}
ec2_sg_id:
- description: "SG ID for the EC2 instance"
+ description: 'SG ID for the EC2 instance'
value: ${{ steps.deploy.outputs.ec2_sg_id }}
# EFS
aws_efs_fs_id:
- description: "EFS FS ID"
+ description: 'EFS FS ID'
value: ${{ steps.deploy.outputs.aws_efs_fs_id }}
aws_efs_replica_fs_id:
- description: "EFS FS Replica ID"
+ description: 'EFS FS Replica ID'
value: ${{ steps.deploy.outputs.aws_efs_replica_fs_id }}
aws_efs_sg_id:
- description: "EFS FS SG ID"
+ description: 'EFS FS SG ID'
value: ${{ steps.deploy.outputs.aws_efs_sg_id }}
# RDS
db_endpoint:
- description: "RDS Endpoint"
+ description: 'RDS Endpoint'
value: ${{ steps.deploy.outputs.db_endpoint }}
db_secret_details_name:
- description: "AWS Secret name containing db credentials"
+ description: 'AWS Secret name containing db credentials'
value: ${{ steps.deploy.outputs.db_secret_details_name }}
db_sg_id:
- description: "SG ID for the RDS instance"
+ description: 'SG ID for the RDS instance'
value: ${{ steps.deploy.outputs.db_sg_id }}
db_proxy_rds_endpoint:
- description: "Database proxy endpoint"
+ description: 'Database proxy endpoint'
value: ${{ steps.deploy.outputs.db_proxy_rds_endpoint }}
db_proxy_secret_name_rds:
- description: "AWS Secret name containing proxy credentials"
+ description: 'AWS Secret name containing proxy credentials'
value: ${{ steps.deploy.outputs.db_proxy_secret_name_rds }}
db_proxy_sg_id_rds:
- description: "SG ID for the RDS Proxy instance"
+ description: 'SG ID for the RDS Proxy instance'
value: ${{ steps.deploy.outputs.db_proxy_sg_id_rds }}
# Aurora
aurora_db_endpoint:
- description: "Aurora Endpoint"
+ description: 'Aurora Endpoint'
value: ${{ steps.deploy.outputs.aurora_db_endpoint }}
aurora_db_secret_details_name:
- description: "AWS Secret name containing db credentials"
+ description: 'AWS Secret name containing db credentials'
value: ${{ steps.deploy.outputs.aurora_db_secret_details_name }}
aurora_db_sg_id:
- description: "SG ID for the Aurora instance"
+ description: 'SG ID for the Aurora instance'
value: ${{ steps.deploy.outputs.aurora_db_sg_id }}
aurora_proxy_endpoint:
- description: "Database proxy endpoint"
+ description: 'Database proxy endpoint'
value: ${{ steps.deploy.outputs.aurora_proxy_endpoint }}
aurora_proxy_secret_name:
- description: "AWS Secret name containing proxy credentials"
+ description: 'AWS Secret name containing proxy credentials'
value: ${{ steps.deploy.outputs.aurora_proxy_secret_name }}
aurora_proxy_sg_id:
- description: "SG ID for the RDS Proxy instance"
+ description: 'SG ID for the RDS Proxy instance'
value: ${{ steps.deploy.outputs.aurora_proxy_sg_id }}
# DB Proxy
db_proxy_endpoint:
- description: "Database proxy endpoint"
+ description: 'Database proxy endpoint'
value: ${{ steps.deploy.outputs.db_proxy_endpoint }}
db_proxy_secret_name:
- description: "Database proxy secret_name"
+ description: 'Database proxy secret_name'
value: ${{ steps.deploy.outputs.db_proxy_secret_name }}
db_proxy_sg_id:
- description: "SG ID for the RDS Proxy instance"
+ description: 'SG ID for the RDS Proxy instance'
value: ${{ steps.deploy.outputs.db_proxy_sg_id }}
# ECS
ecs_load_balancer_dns:
- description: "ECS ALB DNS Record"
+ description: 'ECS ALB DNS Record'
value: ${{ steps.deploy.outputs.ecs_load_balancer_dns }}
ecs_dns_record:
- description: "ECS DNS URL"
+ description: 'ECS DNS URL'
value: ${{ steps.deploy.outputs.ecs_dns_record }}
ecs_sg_id:
- description: "ECS SG ID"
+ description: 'ECS SG ID'
value: ${{ steps.deploy.outputs.ecs_sg_id }}
ecs_lb_sg_id:
- description: "ECS LB SG ID"
+ description: 'ECS LB SG ID'
value: ${{ steps.deploy.outputs.ecs_lb_sg_id }}
# ECR
ecr_repository_arn:
- description: "ECR Repo ARN"
+ description: 'ECR Repo ARN'
value: ${{ steps.deploy.outputs.ecr_repository_arn }}
ecr_repository_url:
- description: "ECR Repo URL"
+ description: 'ECR Repo URL'
value: ${{ steps.deploy.outputs.ecr_repository_url }}
# REDIS
redis_endpoint:
- description: "Redis Endpoint"
+ description: 'Redis Endpoint'
value: ${{ steps.deploy.outputs.redis_endpoint }}
redis_secret_name:
- description: "Redis Secret name"
+ description: 'Redis Secret name'
value: ${{ steps.deploy.outputs.redis_secret_name }}
redis_connection_string_secret:
- description: "Redis secret containing complete URL to connect directly. (e.g. rediss://user:pass@host:port)"
+ description: 'Redis secret containing complete URL to connect directly. (e.g. rediss://user:pass@host:port)'
value: ${{ steps.deploy.outputs.redis_connection_string_secret }}
redis_sg_id:
- description: "Redis SG ID"
+ description: 'Redis SG ID'
value: ${{ steps.deploy.outputs.redis_sg_id }}
# EKS
eks_cluster_name:
- description: "EKS Cluster name"
+ description: 'EKS Cluster name'
value: ${{ steps.deploy.outputs.eks_cluster_name }}
eks_cluster_role_arn:
- description: "EKS Role ARN"
+ description: 'EKS Role ARN'
value: ${{ steps.deploy.outputs.eks_cluster_role_arn }}
runs:
@@ -1628,12 +1661,15 @@ runs:
AWS_ECS_TASK_NAME: ${{ inputs.aws_ecs_task_name }}
AWS_ECS_TASK_IGNORE_DEFINITION: ${{ inputs.aws_ecs_task_ignore_definition }}
AWS_ECS_TASK_EXECUTION_ROLE: ${{ inputs.aws_ecs_task_execution_role }}
+ AWS_ECS_TASK_ROLE: ${{ inputs.aws_ecs_task_role }}
+ AWS_ECS_TASK_REUSE_ROLE: ${{ inputs.aws_ecs_task_reuse_role }}
AWS_ECS_TASK_JSON_DEFINITION_FILE: ${{ inputs.aws_ecs_task_json_definition_file }}
AWS_ECS_TASK_NETWORK_MODE: ${{ inputs.aws_ecs_task_network_mode }}
AWS_ECS_TASK_CPU: ${{ inputs.aws_ecs_task_cpu }}
AWS_ECS_TASK_MEM: ${{ inputs.aws_ecs_task_mem }}
AWS_ECS_CONTAINER_CPU: ${{ inputs.aws_ecs_container_cpu }}
AWS_ECS_CONTAINER_MEM: ${{ inputs.aws_ecs_container_mem }}
+ AWS_ECS_CONTAINER_USER: ${{ inputs.aws_ecs_container_user }}
AWS_ECS_NODE_COUNT: ${{ inputs.aws_ecs_node_count }}
AWS_ECS_APP_IMAGE: ${{ inputs.aws_ecs_app_image }}
AWS_ECS_SECURITY_GROUP_NAME: ${{ inputs.aws_ecs_security_group_name }}
@@ -1653,6 +1689,14 @@ runs:
AWS_ECS_CLOUDWATCH_LG_NAME: ${{ inputs.aws_ecs_cloudwatch_lg_name }}
AWS_ECS_CLOUDWATCH_SKIP_DESTROY: ${{ inputs.aws_ecs_cloudwatch_skip_destroy }}
AWS_ECS_CLOUDWATCH_RETENTION_DAYS: ${{ inputs.aws_ecs_cloudwatch_retention_days }}
+ AWS_ECS_EFS_FS_ID: ${{ inputs.aws_ecs_efs_fs_id }}
+ AWS_ECS_EFS_ROOT_DIRECTORY: ${{ inputs.aws_ecs_efs_root_directory }}
+ AWS_ECS_EFS_TRANSIT_ENCRYPTION: ${{ inputs.aws_ecs_efs_transit_encryption }}
+ AWS_ECS_EFS_TRANSIT_ENCRYPTION_PORT: ${{ inputs.aws_ecs_efs_transit_encryption_port }}
+ AWS_ECS_EFS_ACCESS_POINT_ID: ${{ inputs.aws_ecs_efs_access_point_id }}
+ AWS_ECS_EFS_CONTAINER_PATH: ${{ inputs.aws_ecs_efs_container_path }}
+ AWS_ECS_EFS_READONLY: ${{ inputs.aws_ecs_efs_readonly }}
+ AWS_ECS_EFS_IAM: ${{ inputs.aws_ecs_efs_iam }}
AWS_ECS_ADDITIONAL_TAGS: ${{ inputs.aws_ecs_additional_tags }}
# ECR
diff --git a/operations/_scripts/generate/generate_vars_terraform.sh b/operations/_scripts/generate/generate_vars_terraform.sh
index 5956e47e8..d2322570a 100644
--- a/operations/_scripts/generate/generate_vars_terraform.sh
+++ b/operations/_scripts/generate/generate_vars_terraform.sh
@@ -365,12 +365,15 @@ if [[ $(alpha_only "$AWS_ECS_ENABLE") == true ]]; then
aws_ecs_task_name=$(generate_var aws_ecs_task_name $AWS_ECS_TASK_NAME)
aws_ecs_task_ignore_definition=$(generate_var aws_ecs_task_ignore_definition $AWS_ECS_TASK_IGNORE_DEFINITION)
aws_ecs_task_execution_role=$(generate_var aws_ecs_task_execution_role $AWS_ECS_TASK_EXECUTION_ROLE)
+ aws_ecs_task_role=$(generate_var aws_ecs_task_role $AWS_ECS_TASK_ROLE)
+ aws_ecs_task_reuse_role=$(generate_var aws_ecs_task_reuse_role $AWS_ECS_TASK_REUSE_ROLE)
aws_ecs_task_json_definition_file=$(generate_var aws_ecs_task_json_definition_file $AWS_ECS_TASK_JSON_DEFINITION_FILE)
aws_ecs_task_network_mode=$(generate_var aws_ecs_task_network_mode $AWS_ECS_TASK_NETWORK_MODE)
aws_ecs_task_cpu=$(generate_var aws_ecs_task_cpu $AWS_ECS_TASK_CPU)
aws_ecs_task_mem=$(generate_var aws_ecs_task_mem $AWS_ECS_TASK_MEM)
aws_ecs_container_cpu=$(generate_var aws_ecs_container_cpu $AWS_ECS_CONTAINER_CPU)
- aws_ecs_container_cpu=$(generate_var aws_ecs_container_mem $AWS_ECS_CONTAINER_MEM)
+ aws_ecs_container_mem=$(generate_var aws_ecs_container_mem $AWS_ECS_CONTAINER_MEM)
+ aws_ecs_container_user=$(generate_var aws_ecs_container_user $AWS_ECS_CONTAINER_USER)
aws_ecs_node_count=$(generate_var aws_ecs_node_count $AWS_ECS_NODE_COUNT)
aws_ecs_app_image=$(generate_var aws_ecs_app_image $AWS_ECS_APP_IMAGE)
aws_ecs_env_vars=$(generate_var aws_ecs_env_vars $AWS_ECS_ENV_VARS )
@@ -391,6 +394,14 @@ if [[ $(alpha_only "$AWS_ECS_ENABLE") == true ]]; then
aws_ecs_cloudwatch_lg_name=$(generate_var aws_ecs_cloudwatch_lg_name $AWS_ECS_CLOUDWATCH_LG_NAME)
aws_ecs_cloudwatch_skip_destroy=$(generate_var aws_ecs_cloudwatch_skip_destroy $AWS_ECS_CLOUDWATCH_SKIP_DESTROY)
aws_ecs_cloudwatch_retention_days=$(generate_var aws_ecs_cloudwatch_retention_days $AWS_ECS_CLOUDWATCH_RETENTION_DAYS)
+ aws_ecs_efs_fs_id=$(generate_var aws_ecs_efs_fs_id $AWS_ECS_EFS_FS_ID)
+ aws_ecs_efs_root_directory=$(generate_var aws_ecs_efs_root_directory $AWS_ECS_EFS_ROOT_DIRECTORY)
+ aws_ecs_efs_transit_encryption=$(generate_var aws_ecs_efs_transit_encryption $AWS_ECS_EFS_TRANSIT_ENCRYPTION)
+ aws_ecs_efs_transit_encryption_port=$(generate_var aws_ecs_efs_transit_encryption_port $AWS_ECS_EFS_TRANSIT_ENCRYPTION_PORT)
+ aws_ecs_efs_access_point_id=$(generate_var aws_ecs_efs_access_point_id $AWS_ECS_EFS_ACCESS_POINT_ID)
+ aws_ecs_efs_container_path=$(generate_var aws_ecs_efs_container_path $AWS_ECS_EFS_CONTAINER_PATH)
+ aws_ecs_efs_readonly=$(generate_var aws_ecs_efs_readonly $AWS_ECS_EFS_READONLY)
+ aws_ecs_efs_iam=$(generate_var aws_ecs_efs_iam $AWS_ECS_EFS_IAM)
aws_ecs_additional_tags=$(generate_var aws_ecs_additional_tags $AWS_ECS_ADDITIONAL_TAGS)
fi
@@ -762,12 +773,15 @@ $aws_ecs_task_type
$aws_ecs_task_name
$aws_ecs_task_ignore_definition
$aws_ecs_task_execution_role
+$aws_ecs_task_role
+$aws_ecs_task_reuse_role
$aws_ecs_task_json_definition_file
$aws_ecs_task_network_mode
$aws_ecs_task_cpu
$aws_ecs_task_mem
$aws_ecs_container_cpu
$aws_ecs_container_mem
+$aws_ecs_container_user
$aws_ecs_node_count
$aws_ecs_app_image
$aws_ecs_env_vars
@@ -788,6 +802,14 @@ $aws_ecs_cloudwatch_enable
$aws_ecs_cloudwatch_lg_name
$aws_ecs_cloudwatch_skip_destroy
$aws_ecs_cloudwatch_retention_days
+$aws_ecs_efs_fs_id
+$aws_ecs_efs_root_directory
+$aws_ecs_efs_transit_encryption
+$aws_ecs_efs_transit_encryption_port
+$aws_ecs_efs_access_point_id
+$aws_ecs_efs_container_path
+$aws_ecs_efs_readonly
+$aws_ecs_efs_iam
$aws_ecs_additional_tags
#-- ECR --#
diff --git a/operations/deployment/terraform/aws/aws_variables.tf b/operations/deployment/terraform/aws/aws_variables.tf
index 9c4a44078..353d05396 100644
--- a/operations/deployment/terraform/aws/aws_variables.tf
+++ b/operations/deployment/terraform/aws/aws_variables.tf
@@ -1620,6 +1620,18 @@ variable "aws_ecs_task_execution_role" {
default = ""
}
+variable "aws_ecs_task_role" {
+ type = string
+ description = "Elastic Container Service task role name."
+ default = ""
+}
+
+variable "aws_ecs_task_reuse_role" {
+ type = bool
+ description = "Toggle reusing the task execution role as the task role"
+ default = false
+}
+
variable "aws_ecs_task_json_definition_file" {
type = string
description = "Filename for json file containing ECS conteiner definitions"
@@ -1656,6 +1668,12 @@ variable "aws_ecs_container_mem" {
default = ""
}
+variable "aws_ecs_container_user" {
+ type = string
+ description = "Container User"
+ default = ""
+}
+
variable "aws_ecs_node_count" {
type = string
description = "Node count for ECS Cluster"
@@ -1770,6 +1788,54 @@ variable "aws_ecs_cloudwatch_retention_days" {
default = "14"
}
+variable "aws_ecs_efs_fs_id" {
+ type = string
+ description = "ID of the EFS File System"
+ default = null
+}
+
+variable "aws_ecs_efs_root_directory" {
+ type = string
+ description = "Directory within the FS to mount as the root directory. Defaults to /, ignored if access_point_id defined"
+ default = null
+}
+
+variable "aws_ecs_efs_transit_encryption" {
+ type = bool
+ description = "EFS Volume Transit Encryption. Defaults to true (ENABLED)"
+ default = true
+}
+
+variable "aws_ecs_efs_transit_encryption_port" {
+ type = string
+ description = "EFS Volume Transit Encryption Port"
+ default = null
+}
+
+variable "aws_ecs_efs_access_point_id" {
+ type = string
+ description = "EFS Volume Access Point ID to use"
+ default = null
+}
+
+variable "aws_ecs_efs_container_path" {
+ type = string
+ description = "Container path where to mount the EFS volume"
+ default = "/mnt/efs"
+}
+
+variable "aws_ecs_efs_readonly" {
+ type = bool
+ description = "Whether the EFS volume is mounted as read-only"
+ default = false
+}
+
+variable "aws_ecs_efs_iam" {
+ type = bool
+ description = "Whether or not to use the IAM role defined in a task definition when mounting the FS. Defaults to false. (DISABLED) "
+ default = false
+}
+
variable "aws_ecs_additional_tags" {
type = string
description = "A list of strings that will be added to created resources"
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf
index cdbf2b846..f32930461 100644
--- a/operations/deployment/terraform/aws/bitovi_main.tf
+++ b/operations/deployment/terraform/aws/bitovi_main.tf
@@ -558,41 +558,53 @@ module "aws_ecs" {
source = "../modules/aws/ecs"
count = var.aws_ecs_enable ? 1 : 0
# ECS
- aws_ecs_service_name = var.aws_ecs_service_name
- aws_ecs_cluster_name = var.aws_ecs_cluster_name
- aws_ecs_service_launch_type = var.aws_ecs_service_launch_type
- aws_ecs_task_type = var.aws_ecs_task_type
- aws_ecs_task_name = var.aws_ecs_task_name
- aws_ecs_task_ignore_definition = var.aws_ecs_task_ignore_definition
- aws_ecs_task_execution_role = var.aws_ecs_task_execution_role
- aws_ecs_task_json_definition_file = var.aws_ecs_task_json_definition_file
- aws_ecs_task_network_mode = var.aws_ecs_task_network_mode
- aws_ecs_task_cpu = var.aws_ecs_task_cpu
- aws_ecs_task_mem = var.aws_ecs_task_mem
- aws_ecs_container_cpu = var.aws_ecs_container_cpu
- aws_ecs_container_mem = var.aws_ecs_container_mem
- aws_ecs_node_count = var.aws_ecs_node_count
- aws_ecs_app_image = var.aws_ecs_app_image
- aws_ecs_security_group_name = var.aws_ecs_security_group_name
- aws_ecs_assign_public_ip = var.aws_ecs_assign_public_ip
- aws_ecs_container_port = var.aws_ecs_container_port
- aws_ecs_lb_port = var.aws_ecs_lb_port
- aws_ecs_lb_redirect_enable = var.aws_ecs_lb_redirect_enable
- aws_ecs_lb_container_path = var.aws_ecs_lb_container_path
- aws_ecs_lb_ssl_policy = var.aws_ecs_lb_ssl_policy
- aws_ecs_lb_www_to_apex_redirect = var.aws_r53_root_domain_deploy ? var.aws_ecs_lb_www_to_apex_redirect : false
- aws_ecs_autoscaling_enable = var.aws_ecs_autoscaling_enable
- aws_ecs_autoscaling_max_nodes = var.aws_ecs_autoscaling_max_nodes
- aws_ecs_autoscaling_min_nodes = var.aws_ecs_autoscaling_min_nodes
- aws_ecs_autoscaling_max_mem = var.aws_ecs_autoscaling_max_mem
- aws_ecs_autoscaling_max_cpu = var.aws_ecs_autoscaling_max_cpu
- aws_ecs_cloudwatch_enable = var.aws_ecs_cloudwatch_enable
- aws_ecs_cloudwatch_lg_name = var.aws_ecs_cloudwatch_enable ? (var.aws_ecs_cloudwatch_lg_name != null ? var.aws_ecs_cloudwatch_lg_name : "${var.aws_resource_identifier}-ecs-logs") : null
- aws_ecs_cloudwatch_skip_destroy = var.aws_ecs_cloudwatch_skip_destroy
- aws_ecs_cloudwatch_retention_days = var.aws_ecs_cloudwatch_retention_days
- aws_region_current_name = module.vpc.aws_region_current_name
- aws_selected_vpc_id = module.vpc.aws_selected_vpc_id
- aws_selected_subnets = module.vpc.aws_selected_vpc_subnets
+ aws_ecs_service_name = var.aws_ecs_service_name
+ aws_ecs_cluster_name = var.aws_ecs_cluster_name
+ aws_ecs_service_launch_type = var.aws_ecs_service_launch_type
+ aws_ecs_task_type = var.aws_ecs_task_type
+ aws_ecs_task_name = var.aws_ecs_task_name
+ aws_ecs_task_ignore_definition = var.aws_ecs_task_ignore_definition
+ aws_ecs_task_execution_role = var.aws_ecs_task_execution_role
+ aws_ecs_task_role = var.aws_ecs_task_role
+ aws_ecs_task_reuse_role = var.aws_ecs_task_reuse_role
+ aws_ecs_task_json_definition_file = var.aws_ecs_task_json_definition_file
+ aws_ecs_task_network_mode = var.aws_ecs_task_network_mode
+ aws_ecs_task_cpu = var.aws_ecs_task_cpu
+ aws_ecs_task_mem = var.aws_ecs_task_mem
+ aws_ecs_container_cpu = var.aws_ecs_container_cpu
+ aws_ecs_container_mem = var.aws_ecs_container_mem
+ aws_ecs_container_user = var.aws_ecs_container_user
+ aws_ecs_node_count = var.aws_ecs_node_count
+ aws_ecs_app_image = var.aws_ecs_app_image
+ aws_ecs_security_group_name = var.aws_ecs_security_group_name
+ aws_ecs_assign_public_ip = var.aws_ecs_assign_public_ip
+ aws_ecs_container_port = var.aws_ecs_container_port
+ aws_ecs_lb_port = var.aws_ecs_lb_port
+ aws_ecs_lb_redirect_enable = var.aws_ecs_lb_redirect_enable
+ aws_ecs_lb_container_path = var.aws_ecs_lb_container_path
+ aws_ecs_lb_ssl_policy = var.aws_ecs_lb_ssl_policy
+ aws_ecs_lb_www_to_apex_redirect = var.aws_r53_root_domain_deploy ? var.aws_ecs_lb_www_to_apex_redirect : false
+ aws_ecs_autoscaling_enable = var.aws_ecs_autoscaling_enable
+ aws_ecs_autoscaling_max_nodes = var.aws_ecs_autoscaling_max_nodes
+ aws_ecs_autoscaling_min_nodes = var.aws_ecs_autoscaling_min_nodes
+ aws_ecs_autoscaling_max_mem = var.aws_ecs_autoscaling_max_mem
+ aws_ecs_autoscaling_max_cpu = var.aws_ecs_autoscaling_max_cpu
+ aws_ecs_cloudwatch_enable = var.aws_ecs_cloudwatch_enable
+ aws_ecs_cloudwatch_lg_name = var.aws_ecs_cloudwatch_enable ? (var.aws_ecs_cloudwatch_lg_name != null ? var.aws_ecs_cloudwatch_lg_name : "${var.aws_resource_identifier}-ecs-logs") : null
+ aws_ecs_cloudwatch_skip_destroy = var.aws_ecs_cloudwatch_skip_destroy
+ aws_ecs_cloudwatch_retention_days = var.aws_ecs_cloudwatch_retention_days
+ aws_ecs_efs_enable = var.aws_efs_enable
+ aws_ecs_efs_fs_id = var.aws_efs_enable ? try(module.efs[0].aws_efs_fs_id, null) : null
+ aws_ecs_efs_root_directory = var.aws_ecs_efs_root_directory
+ aws_ecs_efs_transit_encryption = var.aws_ecs_efs_transit_encryption
+ aws_ecs_efs_transit_encryption_port = var.aws_ecs_efs_transit_encryption_port
+ aws_ecs_efs_access_point_id = var.aws_ecs_efs_access_point_id
+ aws_ecs_efs_container_path = var.aws_ecs_efs_container_path
+ aws_ecs_efs_readonly = var.aws_ecs_efs_readonly
+ aws_ecs_efs_iam = var.aws_ecs_efs_iam
+ aws_region_current_name = module.vpc.aws_region_current_name
+ aws_selected_vpc_id = module.vpc.aws_selected_vpc_id
+ aws_selected_subnets = module.vpc.aws_selected_vpc_subnets
# Others
aws_r53_domain_name = var.aws_r53_enable && var.aws_r53_domain_name != "" ? var.aws_r53_domain_name : ""
aws_certificate_enabled = var.aws_r53_enable_cert
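Review bot: `aws_ecs_efs_fs_id` is fed only from the EFS module (`aws_ecs_efs_fs_id = var.aws_efs_enable ? try(module.efs[0].aws_efs_fs_id, null) : null`), so the `var.aws_ecs_efs_fs_id` input that this same commit declares in `aws_variables.tf`, documents in the README and plumbs through `action.yaml` and the vars script is never read here; a deployer who supplies an existing file system id gets no volume. Unless the intent is that `aws_efs_fs_id` on the EFS module already covers that case, honour the explicit input first: `aws_ecs_efs_fs_id = var.aws_ecs_efs_fs_id != null ? var.aws_ecs_efs_fs_id : (var.aws_efs_enable ? try(module.efs[0].aws_efs_fs_id, null) : null)`. The vars script may emit an empty string rather than null for an unset input, in which case the guard should also treat `""` as unset. The `module "aws_ecs"` block starts before this hunk.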
@@ -601,12 +613,26 @@ module "aws_ecs" {
aws_resource_identifier_supershort = var.aws_resource_identifier_supershort
app_repo_name = var.app_repo_name
# Dependencies
- depends_on = [module.aws_certificates]
+ depends_on = [module.aws_certificates, module.efs]
providers = {
aws = aws.ecs
}
}
+module "ecs_to_efs_sg" {
+ source = "../modules/aws/sg/add_rule"
+ count = var.aws_ecs_enable && var.aws_efs_enable && (var.aws_efs_fs_id == null) ? 1 : 0
+ # Inputs
+ sg_type = "ingress"
+ sg_rule_description = "${var.aws_resource_identifier} - ECS Incoming"
+ sg_rule_from_port = 2049
+ sg_rule_to_port = 2049
+ sg_rule_protocol = "tcp"
+ source_security_group_id = module.aws_ecs[0].ecs_sg_id
+ target_security_group_id = module.efs[0].aws_efs_sg_id
+ depends_on = [module.aws_ecs, module.efs]
+}
+
module "aws_route53_ecs" {
source = "../modules/aws/route53"
count = var.aws_ecs_enable && var.aws_r53_enable && var.aws_r53_domain_name != "" && (var.aws_ecs_container_port != "" || var.aws_ecs_task_ignore_definition) ? 1 : 0
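Review bot: The NFS ingress rule in `module "ecs_to_efs_sg"` is only created when `var.aws_efs_fs_id == null`, that is when this stack provisioned the file system; for a pre-existing EFS (including one passed through the new `aws_ecs_efs_fs_id` input) no rule is added, and the mount will fail unless the operator has already allowed TCP 2049 from the ECS security group on the file system's mount-target security group. That constraint is invisible to a reader of the count line, so add a comment above it, e.g. `# Only opens ECS -> EFS on TCP 2049 for an EFS created by this stack; a pre-existing FS must allow ecs_sg_id on its own mount-target SG.`, and state the same in the README rows for the EFS inputs. Scoping the source to `module.aws_ecs[0].ecs_sg_id` rather than a CIDR is the right least-privilege shape and should stay as written. `var.aws_efs_fs_id` is defined outside this diff, so I have assumed null means "not supplied".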
@@ -968,11 +994,11 @@ output "ecs_load_balancer_dns" {
}
output "ecs_sg_id" {
- value = try(module.aws_ecs[0].ecs_sg.id, null)
+ value = try(module.aws_ecs[0].ecs_sg_id, null)
}
output "ecs_lb_sg_id" {
- value = try(module.aws_ecs[0].ecs_lb_sg.id, null)
+ value = try(module.aws_ecs[0].ecs_lb_sg_id, null)
}
# Redis
diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf
index c2cad23e0..51d8e0d46 100644
--- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf
+++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf
@@ -25,6 +25,7 @@ locals {
aws_ecs_task_json_definition_file = var.aws_ecs_task_json_definition_file != "" ? [for n in split(",", var.aws_ecs_task_json_definition_file) : n] : []
ecsTaskExecutionRole = var.aws_ecs_task_execution_role != "" ? data.aws_iam_role.ecsTaskExecutionRole[0].arn : aws_iam_role.ecsTaskExecutionRole[0].arn
+ ecsTaskRole = var.aws_ecs_task_role != "" ? data.aws_iam_role.ecsTaskRole[0].arn : (var.aws_ecs_efs_iam ? aws_iam_role.ecsTaskRole[0].arn : "")
# Calculate tasks_count early to avoid circular dependency
tasks_count = var.aws_ecs_task_ignore_definition ? 1 : length(local.aws_ecs_app_image) + length(local.aws_ecs_task_json_definition_file)
@@ -39,6 +40,23 @@ resource "aws_ecs_task_definition" "ecs_task" {
cpu = local.aws_ecs_task_cpu[count.index]
memory = local.aws_ecs_task_mem[count.index]
execution_role_arn = local.ecsTaskExecutionRole
+ task_role_arn = var.aws_ecs_task_reuse_role ? local.ecsTaskExecutionRole : local.ecsTaskRole
+ dynamic "volume" {
+ for_each = var.aws_ecs_efs_fs_id != null ? [1] : []
+ content {
+ name = "efs-${var.aws_ecs_efs_fs_id}"
+ efs_volume_configuration {
+ file_system_id = var.aws_ecs_efs_fs_id
+ root_directory = var.aws_ecs_efs_root_directory
+ transit_encryption = var.aws_ecs_efs_transit_encryption ? "ENABLED" : "DISABLED"
+ transit_encryption_port = var.aws_ecs_efs_transit_encryption_port
+ authorization_config {
+ access_point_id = var.aws_ecs_efs_access_point_id
+ iam = var.aws_ecs_efs_iam ? "ENABLED" : "DISABLED"
+ }
+ }
+ }
+ }
container_definitions = sensitive(jsonencode(
concat(
[
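Review bot: With `aws_ecs_task_reuse_role` set, `task_role_arn` becomes the execution role, so the application container can obtain the execution role's credentials from the task metadata endpoint and use whatever that role is allowed to do (image pulls, log writes and any secret-retrieval permissions attached to it); that collapses the execution/task role separation and widens the blast radius of an application compromise. Keep the toggle but mark it on the line: `# reuse_role hands the app the execution role's permissions — prefer a dedicated task role`. When neither a role nor `aws_ecs_efs_iam` is set, `local.ecsTaskRole` is `""` and that empty string reaches `task_role_arn`; confirm the provider treats it as unset rather than sending an empty ARN. The resource body starts outside the hunk.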
@@ -48,6 +66,7 @@ resource "aws_ecs_task_definition" "ecs_task" {
"cpu" : local.aws_ecs_container_cpu[count.index],
"memory" : local.aws_ecs_container_mem[count.index],
"essential" : true,
+ "user" : var.aws_ecs_container_user != "" ? var.aws_ecs_container_user : null,
"networkMode" : "awsvpc",
"portMappings" : length(local.aws_ecs_container_port) > 0 ? [
{
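Review bot: `"user"` falls back to `null` when `aws_ecs_container_user` is empty, which leaves the container on whatever `USER` the image declares — root for many images — so the new input only drops privileges when callers opt in, and nothing in the definition makes that visible. A comment on the line would make the default explicit: `# null = image's USER (often root); set aws_ecs_container_user to run unprivileged`. The value is passed through unvalidated, so the `user[:group]` / `uid[:gid]` forms are only checked by ECS at registration time.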
@@ -58,6 +77,13 @@ resource "aws_ecs_task_definition" "ecs_task" {
"appProtocol" : "http"
}
] : []
+ "mountPoints" : var.aws_ecs_efs_fs_id != null ? [
+ {
+ "sourceVolume" : "efs-${var.aws_ecs_efs_fs_id}",
+ "containerPath" : var.aws_ecs_efs_container_path,
+ "readOnly" : var.aws_ecs_efs_readonly
+ }
+ ] : []
"environment" : local.env_repo_vars,
"logConfiguration" : var.aws_ecs_cloudwatch_enable ? {
"logDriver" : "awslogs",
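Review bot: `"readOnly" : var.aws_ecs_efs_readonly` hands the variable straight to `jsonencode`, and `aws_ecs_efs_readonly` is declared without a type in this module; if the caller passes a string (`"true"`/`"false"`, the usual shape of action inputs) the task definition carries `"readOnly": "false"` and ECS rejects it, whereas the `? :` uses elsewhere in the file auto-convert strings to bool. `"readOnly" : tobool(var.aws_ecs_efs_readonly)` is a one-word guard, or type the variable as `bool` at declaration. The mount point is added only to this container even though `container_definitions` is a `concat` of several; confirm that is intended.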
@@ -82,7 +108,24 @@ resource "aws_ecs_task_definition" "ecs_task_from_json" {
cpu = local.aws_ecs_task_cpu[count.index + length(local.aws_ecs_app_image)]
memory = local.aws_ecs_task_mem[count.index + length(local.aws_ecs_app_image)]
execution_role_arn = local.ecsTaskExecutionRole
- container_definitions = sensitive(file("../../ansible/clone_repo/app/${var.app_repo_name}/${local.aws_ecs_task_json_definition_file[count.index]}"))
+ task_role_arn = var.aws_ecs_task_reuse_role ? local.ecsTaskExecutionRole : local.ecsTaskRole
+ dynamic "volume" {
+ for_each = var.aws_ecs_efs_fs_id != null ? [1] : []
+ content {
+ name = "efs-${var.aws_ecs_efs_fs_id}"
+ efs_volume_configuration {
+ file_system_id = var.aws_ecs_efs_fs_id
+ root_directory = var.aws_ecs_efs_root_directory
+ transit_encryption = var.aws_ecs_efs_transit_encryption ? "ENABLED" : "DISABLED"
+ transit_encryption_port = var.aws_ecs_efs_transit_encryption_port
+ authorization_config {
+ access_point_id = var.aws_ecs_efs_access_point_id
+ iam = var.aws_ecs_efs_iam ? "ENABLED" : "DISABLED"
+ }
+ }
+ }
+ }
+ container_definitions = sensitive(file("../../ansible/clone_repo/app/${var.app_repo_name}/${local.aws_ecs_task_json_definition_file[count.index]}"))
}
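Review bot: `iam = "ENABLED"` is emitted whenever `aws_ecs_efs_iam` is true, independently of `transit_encryption`, but EFS IAM authorization (and access points) only work over TLS, so `aws_ecs_efs_iam = true` with `aws_ecs_efs_transit_encryption = false` is rejected by RegisterTaskDefinition at apply time instead of at plan time. A `precondition` on the resource surfaces it early; the same check belongs on the identical volume blocks in the other two task definitions. For this JSON-driven definition the volume is declared but only mounted if the user's file references `"sourceVolume": "efs-<fs_id>"`, which is worth a comment on the `name` line. The resource body starts outside the hunk.
```hcl
  # … unchanged: family, cpu, memory, execution_role_arn, task_role_arn, volume, container_definitions …
  lifecycle {
    precondition {
      condition     = !var.aws_ecs_efs_iam || var.aws_ecs_efs_transit_encryption
      error_message = "aws_ecs_efs_iam requires aws_ecs_efs_transit_encryption; EFS IAM authorization only works over TLS."
    }
  }
```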
resource "aws_ecs_task_definition" "aws_ecs_task_ignore_definition" {
@@ -93,6 +136,23 @@ resource "aws_ecs_task_definition" "aws_ecs_task_ignore_definition" {
cpu = local.aws_ecs_task_cpu[count.index]
memory = local.aws_ecs_task_mem[count.index]
execution_role_arn = local.ecsTaskExecutionRole
+ task_role_arn = var.aws_ecs_task_reuse_role ? local.ecsTaskExecutionRole : local.ecsTaskRole
+ dynamic "volume" {
+ for_each = var.aws_ecs_efs_fs_id != null ? [1] : []
+ content {
+ name = "efs-${var.aws_ecs_efs_fs_id}"
+ efs_volume_configuration {
+ file_system_id = var.aws_ecs_efs_fs_id
+ root_directory = var.aws_ecs_efs_root_directory
+ transit_encryption = var.aws_ecs_efs_transit_encryption ? "ENABLED" : "DISABLED"
+ transit_encryption_port = var.aws_ecs_efs_transit_encryption_port
+ authorization_config {
+ access_point_id = var.aws_ecs_efs_access_point_id
+ iam = var.aws_ecs_efs_iam ? "ENABLED" : "DISABLED"
+ }
+ }
+ }
+ }
container_definitions = sensitive(jsonencode([
{
"name" : var.aws_ecs_task_name != "" ? local.aws_ecs_task_name[count.index] : "${local.aws_ecs_task_name[count.index]}${count.index}",
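Review bot: This is the third verbatim copy of the `dynamic "volume"` block in the file (the other two sit in `ecs_task` and `ecs_task_from_json`), so any later change to the EFS wiring — an encryption, port or access-point tweak — has to be made three times and the copies can drift silently. Build the volume list once in `locals`, e.g. `efs_volumes = var.aws_ecs_efs_fs_id != null ? [{ fs_id = var.aws_ecs_efs_fs_id, ... }] : []`, and iterate `for_each = local.efs_volumes` in each definition. The task-definition resource starts outside the hunk.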
@@ -183,6 +243,11 @@ data "aws_iam_role" "ecsTaskExecutionRole" {
name = var.aws_ecs_task_execution_role
}
+data "aws_iam_role" "ecsTaskRole" {
+ count = var.aws_ecs_task_role != "" ? 1 : 0
+ name = var.aws_ecs_task_role
+}
+
resource "aws_iam_role" "ecsTaskExecutionRole" {
count = var.aws_ecs_task_execution_role != "" ? 0 : 1
name = "${var.aws_resource_identifier}-ecs"
@@ -205,4 +270,60 @@ resource "aws_iam_policy_attachment" "ecsTaskExecutionRolePolicy" {
name = "AmazonECSTaskExecutionRolePolicyAttachment"
roles = [aws_iam_role.ecsTaskExecutionRole[0].name]
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
-}
\ No newline at end of file
+}
+
+# Task Role for EFS access
+resource "aws_iam_role" "ecsTaskRole" {
+ count = var.aws_ecs_task_role != "" || !var.aws_ecs_efs_iam ? 0 : 1
+ name = "${var.aws_resource_identifier}-ecs-task"
+ assume_role_policy = jsonencode({
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Effect" : "Allow",
+ "Principal" : {
+ "Service" : "ecs-tasks.amazonaws.com"
+ },
+ "Action" : "sts:AssumeRole"
+ }
+ ]
+ })
+}
+
+# EFS Access Policy for Task Role
+resource "aws_iam_policy" "ecsTaskRoleEFSPolicy" {
+ count = var.aws_ecs_efs_enable && var.aws_ecs_efs_iam ? 1 : 0
+ name = "${var.aws_resource_identifier}-ecs-task-efs-policy"
+ description = "Policy to allow ECS task to access EFS file system ${var.aws_ecs_efs_fs_id}"
+
+ policy = jsonencode({
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Effect" : "Allow",
+ "Action" : [
+ "elasticfilesystem:ClientMount",
+ "elasticfilesystem:ClientWrite",
+ "elasticfilesystem:ClientRootAccess"
+ ],
+ "Resource" : "arn:aws:elasticfilesystem:${var.aws_region_current_name}:${data.aws_caller_identity.current.account_id}:file-system/${var.aws_ecs_efs_fs_id}",
+ "Condition" : {
+ "StringEquals" : {
+ "elasticfilesystem:AccessPointArn" : var.aws_ecs_efs_access_point_id != null ? "arn:aws:elasticfilesystem:${var.aws_region_current_name}:${data.aws_caller_identity.current.account_id}:access-point/${var.aws_ecs_efs_access_point_id}" : ""
+ }
+ }
+ }
+ ]
+ })
+}
+
+resource "aws_iam_policy_attachment" "ecsTaskRoleEFSPolicyAttachment" {
+ count = var.aws_ecs_efs_enable && var.aws_ecs_efs_iam && var.aws_ecs_task_role == "" ? 1 : 0
+ name = "ECSTaskRoleEFSPolicyAttachment"
+ roles = [aws_iam_role.ecsTaskRole[0].name]
+ policy_arn = aws_iam_policy.ecsTaskRoleEFSPolicy[0].arn
+}
+
+# Data source to get current AWS account ID
+data "aws_caller_identity" "current" {}
+
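Review bot: The policy's `Condition` on `elasticfilesystem:AccessPointArn` is emitted even when no access point is configured, with `""` as the value; a mount made without an access point carries no `AccessPointArn` key in the request, so `StringEquals` cannot match and the Allow never applies (IAM may also refuse the empty value outright) — the condition should exist only when `aws_ecs_efs_access_point_id` is set. The statement also grants `ClientWrite` and `ClientRootAccess` regardless of `aws_ecs_efs_readonly`, so a read-only mount still carries write and root authority; tie those actions to the flag. `aws_iam_policy_attachment` is exclusive and strips the policy from any other principal that has it, so `aws_iam_role_policy_attachment` is the safer resource, and the policy is created when an external `aws_ecs_task_role` is supplied but never attached (the attachment's `count` excludes that case), leaving an orphan. The `!= null` sentinel used here differs from the `!= ""` check adopted for the EFS security-group name in this same change; confirm which the action actually passes.
```hcl
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      merge(
        {
          "Effect" : "Allow",
          # Write and root access only when the mount is not read-only.
          "Action" : concat(
            ["elasticfilesystem:ClientMount"],
            var.aws_ecs_efs_readonly ? [] : ["elasticfilesystem:ClientWrite", "elasticfilesystem:ClientRootAccess"]
          ),
          "Resource" : "arn:aws:elasticfilesystem:${var.aws_region_current_name}:${data.aws_caller_identity.current.account_id}:file-system/${var.aws_ecs_efs_fs_id}"
        },
        # Without an access point the request has no AccessPointArn key, so an
        # unconditional StringEquals would never match; add the condition only when one is set.
        var.aws_ecs_efs_access_point_id != null ? {
          "Condition" : {
            "StringEquals" : {
              "elasticfilesystem:AccessPointArn" : "arn:aws:elasticfilesystem:${var.aws_region_current_name}:${data.aws_caller_identity.current.account_id}:access-point/${var.aws_ecs_efs_access_point_id}"
            }
          }
        } : {}
      )
    ]
  })
```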
diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf
index 515e305f8..e1c84ac93 100644
--- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf
+++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf
@@ -87,9 +87,9 @@ resource "aws_alb_listener" "lb_listener_ssl" {
type = "forward"
}
lifecycle {
- replace_triggered_by = [null_resource.http_redirect_dep.id]
+ replace_triggered_by = [null_resource.http_redirect_dep.id, aws_alb_target_group.lb_targets]
}
- depends_on = [aws_alb_listener.http_redirect]
+ depends_on = [aws_alb_listener.http_redirect, aws_alb_target_group.lb_targets]
}
resource "aws_alb_listener" "lb_listener" {
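Review bot: Adding `aws_alb_target_group.lb_targets` to `replace_triggered_by` means any change to the target group — a health-check tweak included — now destroys and recreates the HTTPS listener, and during that window the load balancer has no 443 listener; the added `depends_on` does not shorten it. If the goal is only to follow a new target-group ARN, the listener's `default_action` reference would already update on ARN change, so the trigger is worth limiting to the cases that genuinely need replacement; hedged, since the `default_action` block starts outside the hunk. The explicit `depends_on` on a resource the listener already references is redundant and can be dropped.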
@@ -102,7 +102,7 @@ resource "aws_alb_listener" "lb_listener" {
type = "forward"
}
lifecycle {
- replace_triggered_by = [null_resource.http_redirect_dep.id]
+ replace_triggered_by = [null_resource.http_redirect_dep.id, aws_alb_target_group.lb_targets]
}
depends_on = [aws_alb_listener.http_redirect]
}
@@ -138,10 +138,7 @@ resource "aws_alb_listener" "http_redirect" {
status_code = "HTTP_301"
}
}
- depends_on = [
- aws_alb.ecs_lb,
- aws_alb_target_group.lb_targets
- ]
+ depends_on = [aws_alb.ecs_lb, aws_alb_target_group.lb_targets]
}
resource "aws_alb_listener" "http_forward" {
@@ -154,10 +151,7 @@ resource "aws_alb_listener" "http_forward" {
type = "forward"
target_group_arn = aws_alb_target_group.lb_targets[0].id
}
- depends_on = [
- aws_alb.ecs_lb,
- aws_alb_target_group.lb_targets
- ]
+ depends_on = [aws_alb.ecs_lb, aws_alb_target_group.lb_targets]
}
resource "aws_security_group_rule" "incoming_alb_http" {
@@ -184,6 +178,7 @@ resource "aws_alb_listener" "https_redirect" {
target_group_arn = aws_alb_target_group.lb_targets[0].id
type = "forward"
}
+ depends_on = [aws_alb_target_group.lb_targets]
}
resource "aws_alb_listener_rule" "redirect_based_on_path_for_http" {
@@ -221,10 +216,7 @@ resource "aws_alb_listener" "http_www_redirect" {
status_code = "404"
}
}
- depends_on = [
- aws_alb.ecs_lb,
- aws_alb_target_group.lb_targets
- ]
+ depends_on = [aws_alb.ecs_lb, aws_alb_target_group.lb_targets]
}
resource "aws_lb_listener_rule" "http_forward_apex" {
diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf
index 8a3d59422..41f3873f5 100644
--- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf
+++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf
@@ -5,12 +5,15 @@ variable "aws_ecs_task_type" {}
variable "aws_ecs_task_name" {}
variable "aws_ecs_task_ignore_definition" {}
variable "aws_ecs_task_execution_role" {}
+variable "aws_ecs_task_role" {}
+variable "aws_ecs_task_reuse_role" {}
variable "aws_ecs_task_json_definition_file" {}
variable "aws_ecs_task_network_mode" {}
variable "aws_ecs_task_cpu" {}
variable "aws_ecs_task_mem" {}
variable "aws_ecs_container_cpu" {}
variable "aws_ecs_container_mem" {}
+variable "aws_ecs_container_user" {}
variable "aws_ecs_node_count" {}
variable "aws_ecs_app_image" {}
variable "aws_ecs_security_group_name" {}
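Review bot: `aws_ecs_container_user` is declared with no type and no validation, yet the README promises a fixed set of forms (`user`, `user:group`, `uid`, `uid:gid`, `user:gid`, `uid:group`) and the value lands directly in the task definition's `user` field, so a typo such as `1000::1000` or a value with spaces is only caught when ECS rejects the registration. A `validation` block on the variable turns that into a plan-time error with a clear message; `aws_ecs_task_reuse_role` should likewise be `type = bool` since it feeds a `? :` on `task_role_arn`.
```hcl
variable "aws_ecs_container_user" {
  type = string
  validation {
    condition     = var.aws_ecs_container_user == "" || can(regex("^[^:\\s]+(:[^:\\s]+)?$", var.aws_ecs_container_user))
    error_message = "aws_ecs_container_user must be user, user:group, uid, uid:gid, user:gid or uid:group."
  }
}
```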
@@ -30,6 +33,15 @@ variable "aws_ecs_cloudwatch_enable" {}
variable "aws_ecs_cloudwatch_lg_name" {}
variable "aws_ecs_cloudwatch_skip_destroy" {}
variable "aws_ecs_cloudwatch_retention_days" {}
+variable "aws_ecs_efs_enable" {}
+variable "aws_ecs_efs_fs_id" {}
+variable "aws_ecs_efs_root_directory" {}
+variable "aws_ecs_efs_transit_encryption" {}
+variable "aws_ecs_efs_transit_encryption_port" {}
+variable "aws_ecs_efs_access_point_id" {}
+variable "aws_ecs_efs_container_path" {}
+variable "aws_ecs_efs_readonly" {}
+variable "aws_ecs_efs_iam" {}
variable "aws_r53_domain_name" {}
variable "aws_certificate_enabled" {}
variable "aws_certificates_selected_arn" {}
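Review bot: The nine new EFS variables are declared without a `type`, yet `aws_ecs_efs_readonly` is fed straight into `jsonencode`, `aws_ecs_efs_iam` and `aws_ecs_efs_transit_encryption` gate the IAM and TLS settings, and `aws_ecs_efs_fs_id` / `aws_ecs_efs_access_point_id` are compared against `null` in `aws_ecs.tf`, so a stringly `"false"` or an empty string from the action is either rejected by ECS or silently treated as "set". Declare them: `variable "aws_ecs_efs_readonly" { type = bool }` (same for `aws_ecs_efs_iam` and `aws_ecs_efs_transit_encryption`), `type = string` with `default = null` for the two IDs so the `!= null` tests see the sentinel they expect, and `type = number` for `aws_ecs_efs_transit_encryption_port` since it lands in `transit_encryption_port`.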
diff --git a/operations/deployment/terraform/modules/aws/efs/aws_efs.tf b/operations/deployment/terraform/modules/aws/efs/aws_efs.tf
index b1c90cb0d..8c1556943 100644
--- a/operations/deployment/terraform/modules/aws/efs/aws_efs.tf
+++ b/operations/deployment/terraform/modules/aws/efs/aws_efs.tf
@@ -40,12 +40,20 @@ data "aws_efs_file_system" "efs" {
file_system_id = var.aws_efs_create ? aws_efs_file_system.efs[0].id : var.aws_efs_fs_id
}
+resource "terraform_data" "efs_ha_tracker" {
+ input = var.aws_efs_create_ha
+}
+
resource "aws_efs_mount_target" "efs_mount_target" {
count = var.aws_efs_create_mount_target ? length(local.aws_efs_subnets) : 0
file_system_id = var.aws_efs_create ? aws_efs_file_system.efs[0].id : var.aws_efs_fs_id
subnet_id = local.aws_efs_subnets[count.index]
security_groups = [aws_security_group.efs_security_group[0].id]
depends_on = [aws_efs_file_system.efs]
+
+ lifecycle {
+ replace_triggered_by = [terraform_data.efs_ha_tracker]
+ }
}
resource "aws_efs_replication_configuration" "efs_rep_config" {
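Review bot: `replace_triggered_by = [terraform_data.efs_ha_tracker]` recreates every mount target when `aws_efs_create_ha` flips, and because replacement destroys before it creates, any running task with the file system mounted loses its NFS endpoint for the duration of the apply. If the toggle only changes how many subnets receive a mount target, the `count` change already adds or removes targets without touching the surviving ones, so the forced replacement may be unnecessary; hedged, since `local.aws_efs_subnets` is defined outside the hunk. A comment above the lifecycle block stating why a full replacement is wanted, e.g. `# HA toggle re-spreads mount targets across subnets; replacing all of them interrupts mounted tasks`, would help the next reader.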
@@ -61,7 +69,7 @@ resource "aws_efs_replication_configuration" "efs_rep_config" {
resource "aws_security_group" "efs_security_group" {
count = var.aws_efs_create_mount_target ? 1 : 0
- name = var.aws_efs_security_group_name != null ? var.aws_efs_security_group_name : "SG for ${var.aws_resource_identifier} - EFS"
+ name = var.aws_efs_security_group_name != "" ? var.aws_efs_security_group_name : "SG for ${var.aws_resource_identifier} - EFS"
description = "SG for ${var.aws_resource_identifier} - EFS"
vpc_id = var.aws_selected_vpc_id
egress {
@@ -73,6 +81,9 @@ resource "aws_security_group" "efs_security_group" {
tags = {
Name = "${var.aws_resource_identifier}-efs"
}
+ lifecycle {
+ ignore_changes = [name]
+ }
}
resource "aws_security_group_rule" "ingress_efs" {
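Review bot: The name fallback now triggers on `""` instead of `null`, so if the module variable `aws_efs_security_group_name` still defaults to `null` (its declaration is outside this diff), `null != ""` is true and `name` is set to `null`, which is a provider error rather than the generated name the fallback was meant to give. Either change the variable default to `""` in the same commit or guard both: `name = var.aws_efs_security_group_name != null && var.aws_efs_security_group_name != "" ? var.aws_efs_security_group_name : "SG for ${var.aws_resource_identifier} - EFS"`. `ignore_changes = [name]` is reasonable because a name change forces security-group replacement, but it also means a later change to the input will never propagate; a one-line comment saying so would avoid surprise.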