From f1cdd069f0ffbaad947aa153f6e5a952feb0f111 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 19 Jan 2026 12:53:26 -0300 Subject: [PATCH 01/42] Initial EFS-to-ECS commit --- README.md | 6 ++ action.yaml | 24 +++++ .../generate/generate_vars_terraform.sh | 12 +++ .../deployment/terraform/aws/aws_variables.tf | 36 ++++++++ .../deployment/terraform/aws/bitovi_main.tf | 90 +++++++++++-------- .../terraform/modules/aws/ecs/aws_ecs.tf | 50 ++++++++++- .../terraform/modules/aws/ecs/aws_ecs_vars.tf | 6 ++ 7 files changed, 188 insertions(+), 36 deletions(-) diff --git a/README.md b/README.md index efd0ef60d..33035fd99 100644 --- a/README.md +++ b/README.md @@ -508,6 +508,12 @@ The following inputs can be used as `step.with` keys | `aws_ecs_cloudwatch_lg_name`| String | Log group name. Will default to `aws_identifier` if none. | | `aws_ecs_cloudwatch_skip_destroy`| Boolean | Toggle deletion or not when destroying the stack. | | `aws_ecs_cloudwatch_retention_days`| String | Number of days to retain logs. 0 to never expire. Defaults to `14`. | +| `aws_ecs_efs_fs_id` | String | ID of the EFS File System. | +| `aws_ecs_efs_root_directory` | String | Directory within the FS to mount as the root directory. Defaults to /, ignored if `access_point_id` defined. | +| `aws_ecs_efs_transit_encryption` | Boolean | EFS Volume Transit Encryption. Defaults to `false`. (DISABLED) | +| `aws_ecs_efs_transit_encryption_port` | String | EFS Volume Transit Encryption Port. | +| `aws_ecs_efs_access_point_id` | String | EFS Volume Access Point ID to use. | +| `aws_ecs_efs_iam` | Boolean | Whether or not to use the ECS task IAM role defined in a task definition when mounting the FS. Defaults to `false`. (DISABLED) | | `aws_ecs_additional_tags`| JSON | Add additional tags to the terraform [default tags](https://www.hashicorp.com/blog/default-tags-in-the-terraform-aws-provider), any tags put here will be added to ECS provisioned resources.|

diff --git a/action.yaml b/action.yaml index 2ee4856e3..85e277a2d 100644 --- a/action.yaml +++ b/action.yaml @@ -1020,6 +1020,24 @@ inputs: aws_ecs_cloudwatch_retention_days: description: "Number of days to retain logs. 0 to never expire. Default '14'" required: false + aws_ecs_efs_fs_id: + description: "ID of the EFS File System" + required: false + aws_ecs_efs_root_directory: + description: "Directory within the FS to mount as the root directory. Defaults to /, ignored if access_point_id defined" + required: false + aws_ecs_efs_transit_encryption: + description: "EFS Volume Transit Encryption. Defaults to false (DISABLED)" + required: false + aws_ecs_efs_transit_encryption_port: + description: "EFS Volume Transit Encryption Port" + required: false + aws_ecs_efs_access_point_id: + description: "EFS Volume Access Point ID to use" + required: false + aws_ecs_efs_iam: + description: "Whether or not to use the ECS task IAM role defined in a task definition when mounting the FS. Defaults to false. (DISABLED) " + required: false aws_ecs_additional_tags: description: 'A list of strings that will be added to created resources' required: false @@ -1653,6 +1671,12 @@ runs: AWS_ECS_CLOUDWATCH_LG_NAME: ${{ inputs.aws_ecs_cloudwatch_lg_name }} AWS_ECS_CLOUDWATCH_SKIP_DESTROY: ${{ inputs.aws_ecs_cloudwatch_skip_destroy }} AWS_ECS_CLOUDWATCH_RETENTION_DAYS: ${{ inputs.aws_ecs_cloudwatch_retention_days }} + AWS_ECS_EFS_FS_ID: ${{ inputs.aws_ecs_efs_fs_id }} + AWS_ECS_EFS_ROOT_DIRECTORY: ${{ inputs.aws_ecs_efs_root_directory }} + AWS_ECS_EFS_TRANSIT_ENCRYPTION: ${{ inputs.aws_ecs_efs_transit_encryption }} + AWS_ECS_EFS_TRANSIT_ENCRYPTION_PORT: ${{ inputs.aws_ecs_efs_transit_encryption_port }} + AWS_ECS_EFS_ACCESS_POINT_ID: ${{ inputs.aws_ecs_efs_access_point_id }} + AWS_ECS_EFS_IAM: ${{ inputs.aws_ecs_efs_iam }} AWS_ECS_ADDITIONAL_TAGS: ${{ inputs.aws_ecs_additional_tags }} # ECR 
diff --git a/operations/_scripts/generate/generate_vars_terraform.sh b/operations/_scripts/generate/generate_vars_terraform.sh index 5956e47e8..205077632 100644 --- a/operations/_scripts/generate/generate_vars_terraform.sh +++ b/operations/_scripts/generate/generate_vars_terraform.sh @@ -391,6 +391,12 @@ if [[ $(alpha_only "$AWS_ECS_ENABLE") == true ]]; then aws_ecs_cloudwatch_lg_name=$(generate_var aws_ecs_cloudwatch_lg_name $AWS_ECS_CLOUDWATCH_LG_NAME) aws_ecs_cloudwatch_skip_destroy=$(generate_var aws_ecs_cloudwatch_skip_destroy $AWS_ECS_CLOUDWATCH_SKIP_DESTROY) aws_ecs_cloudwatch_retention_days=$(generate_var aws_ecs_cloudwatch_retention_days $AWS_ECS_CLOUDWATCH_RETENTION_DAYS) + aws_ecs_efs_fs_id=$(generate_var aws_ecs_efs_fs_id $AWS_ECS_EFS_FS_ID) + aws_ecs_efs_root_directory=$(generate_var aws_ecs_efs_root_directory $AWS_ECS_EFS_ROOT_DIRECTORY) + aws_ecs_efs_transit_encryption=$(generate_var aws_ecs_efs_transit_encryption $AWS_ECS_EFS_TRANSIT_ENCRYPTION) + aws_ecs_efs_transit_encryption_port=$(generate_var aws_ecs_efs_transit_encryption_port $AWS_ECS_EFS_TRANSIT_ENCRYPTION_PORT) + aws_ecs_efs_access_point_id=$(generate_var aws_ecs_efs_access_point_id $AWS_ECS_EFS_ACCESS_POINT_ID) + aws_ecs_efs_iam=$(generate_var aws_ecs_efs_iam $AWS_ECS_EFS_IAM) aws_ecs_additional_tags=$(generate_var aws_ecs_additional_tags $AWS_ECS_ADDITIONAL_TAGS) fi @@ -788,6 +794,12 @@ $aws_ecs_cloudwatch_enable $aws_ecs_cloudwatch_lg_name $aws_ecs_cloudwatch_skip_destroy $aws_ecs_cloudwatch_retention_days +$aws_ecs_efs_fs_id +$aws_ecs_efs_root_directory +$aws_ecs_efs_transit_encryption +$aws_ecs_efs_transit_encryption_port +$aws_ecs_efs_access_point_id +$aws_ecs_efs_iam $aws_ecs_additional_tags #-- ECR --# diff --git a/operations/deployment/terraform/aws/aws_variables.tf b/operations/deployment/terraform/aws/aws_variables.tf index 9c4a44078..edaa7a577 100644 --- a/operations/deployment/terraform/aws/aws_variables.tf +++ b/operations/deployment/terraform/aws/aws_variables.tf 
@@ -1770,6 +1770,42 @@ variable "aws_ecs_cloudwatch_retention_days" { default = "14" } +variable "aws_ecs_efs_fs_id" { + type = string + description = "ID of the EFS File System" + default = null +} + +variable "aws_ecs_efs_root_directory" { + type = string + description = "Directory within the FS to mount as the root directory. Defaults to /, ignored if access_point_id defined" + default = null +} + +variable "aws_ecs_efs_transit_encryption" { + type = bool + description = "EFS Volume Transit Encryption. Defaults to false (DISABLED)" + default = false +} + +variable "aws_ecs_efs_transit_encryption_port" { + type = string + description = "EFS Volume Transit Encryption Port" + default = null +} + +variable "aws_ecs_efs_access_point_id" { + type = string + description = "EFS Volume Access Point ID to use" + default = null +} + +variable "aws_ecs_efs_iam" { + type = bool + description = "Whether or not to use the ECS task IAM role defined in a task definition when mounting the FS. Defaults to false. (DISABLED) " + default = true +} + variable "aws_ecs_additional_tags" { type = string description = "A list of strings that will be added to created resources" diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index cdbf2b846..31fdc0504 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf 
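Review bot: `variable "aws_ecs_efs_iam"` declares `default = true` while its own description, the README row and the action.yaml input all say "Defaults to false. (DISABLED)"; one of the two is wrong, and since `aws_ecs_efs_transit_encryption` defaults to `false` in the same hunk, the shipped defaults request IAM authorization on a mount without transit encryption, which ECS rejects (IAM authorization and access points both require transit encryption). Either set `default = false` on `aws_ecs_efs_iam` to match the documentation, or keep `true` and fix the three descriptions. The description string also carries a trailing space before the closing quote (`(DISABLED) "`), which the action.yaml copy repeats.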
@@ -60,6 +60,20 @@ module "efs_to_ec2_sg" { depends_on = [module.ec2, module.efs] } +#module "efs_to_ecs_sg" { +# source = "../modules/aws/sg/add_rule" +# count = var.aws_ec2_instance_create && var.aws_efs_enable && (var.aws_efs_fs_id == null) ? 1 : 0 +# # Inputs +# sg_type = "ingress" +# sg_rule_description = "${var.aws_resource_identifier} - ECS Incoming" +# sg_rule_from_port = 2049 +# sg_rule_to_port = 2049 +# sg_rule_protocol = "tcp" +# source_security_group_id = try(module.efs[0].aws_efs_sg_id) +# target_security_group_id = module.ecs[0].ecs_sg_id +# depends_on = [module.ecs, module.efs] +#} + module "aws_certificates" { source = "../modules/aws/certificates" count = (var.aws_ec2_instance_create || var.aws_ecs_enable) && var.aws_r53_enable_cert && var.aws_r53_cert_arn == "" && var.aws_r53_domain_name != "" ? 1 : 0 
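Review bot: The `efs_to_ecs_sg` module is added entirely commented out, so nothing in this commit opens TCP 2049 from the ECS tasks to the EFS mount targets; unless the EFS security group already admits the ECS security group, the volume declared in the task definitions cannot be mounted. If the block is meant to be enabled later, its `count` should gate on `var.aws_ecs_enable` rather than `var.aws_ec2_instance_create` (apparently copied from the EC2 rule above), and the direction needs checking: if `target_security_group_id` is the group the rule is added to, this opens the ECS group to EFS, whereas the mount needs the EFS group opened to ECS. A `# TODO:` line stating why it is disabled would help the next reader; otherwise drop the block rather than ship dead code.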
@@ -558,41 +572,47 @@ module "aws_ecs" { source = "../modules/aws/ecs" count = var.aws_ecs_enable ? 1 : 0 # ECS - aws_ecs_service_name = var.aws_ecs_service_name - aws_ecs_cluster_name = var.aws_ecs_cluster_name - aws_ecs_service_launch_type = var.aws_ecs_service_launch_type - aws_ecs_task_type = var.aws_ecs_task_type - aws_ecs_task_name = var.aws_ecs_task_name - aws_ecs_task_ignore_definition = var.aws_ecs_task_ignore_definition - aws_ecs_task_execution_role = var.aws_ecs_task_execution_role - aws_ecs_task_json_definition_file = var.aws_ecs_task_json_definition_file - aws_ecs_task_network_mode = var.aws_ecs_task_network_mode - aws_ecs_task_cpu = var.aws_ecs_task_cpu - aws_ecs_task_mem = var.aws_ecs_task_mem - aws_ecs_container_cpu = var.aws_ecs_container_cpu - aws_ecs_container_mem = var.aws_ecs_container_mem - aws_ecs_node_count = var.aws_ecs_node_count - aws_ecs_app_image = var.aws_ecs_app_image - aws_ecs_security_group_name = var.aws_ecs_security_group_name - aws_ecs_assign_public_ip = var.aws_ecs_assign_public_ip - aws_ecs_container_port = var.aws_ecs_container_port - aws_ecs_lb_port = var.aws_ecs_lb_port - aws_ecs_lb_redirect_enable = var.aws_ecs_lb_redirect_enable - aws_ecs_lb_container_path = var.aws_ecs_lb_container_path - aws_ecs_lb_ssl_policy = var.aws_ecs_lb_ssl_policy - aws_ecs_lb_www_to_apex_redirect = var.aws_r53_root_domain_deploy ? var.aws_ecs_lb_www_to_apex_redirect : false - aws_ecs_autoscaling_enable = var.aws_ecs_autoscaling_enable - aws_ecs_autoscaling_max_nodes = var.aws_ecs_autoscaling_max_nodes - aws_ecs_autoscaling_min_nodes = var.aws_ecs_autoscaling_min_nodes - aws_ecs_autoscaling_max_mem = var.aws_ecs_autoscaling_max_mem - aws_ecs_autoscaling_max_cpu = var.aws_ecs_autoscaling_max_cpu - aws_ecs_cloudwatch_enable = var.aws_ecs_cloudwatch_enable - aws_ecs_cloudwatch_lg_name = var.aws_ecs_cloudwatch_enable ? (var.aws_ecs_cloudwatch_lg_name != null ? 
var.aws_ecs_cloudwatch_lg_name : "${var.aws_resource_identifier}-ecs-logs") : null - aws_ecs_cloudwatch_skip_destroy = var.aws_ecs_cloudwatch_skip_destroy - aws_ecs_cloudwatch_retention_days = var.aws_ecs_cloudwatch_retention_days - aws_region_current_name = module.vpc.aws_region_current_name - aws_selected_vpc_id = module.vpc.aws_selected_vpc_id - aws_selected_subnets = module.vpc.aws_selected_vpc_subnets + aws_ecs_service_name = var.aws_ecs_service_name + aws_ecs_cluster_name = var.aws_ecs_cluster_name + aws_ecs_service_launch_type = var.aws_ecs_service_launch_type + aws_ecs_task_type = var.aws_ecs_task_type + aws_ecs_task_name = var.aws_ecs_task_name + aws_ecs_task_ignore_definition = var.aws_ecs_task_ignore_definition + aws_ecs_task_execution_role = var.aws_ecs_task_execution_role + aws_ecs_task_json_definition_file = var.aws_ecs_task_json_definition_file + aws_ecs_task_network_mode = var.aws_ecs_task_network_mode + aws_ecs_task_cpu = var.aws_ecs_task_cpu + aws_ecs_task_mem = var.aws_ecs_task_mem + aws_ecs_container_cpu = var.aws_ecs_container_cpu + aws_ecs_container_mem = var.aws_ecs_container_mem + aws_ecs_node_count = var.aws_ecs_node_count + aws_ecs_app_image = var.aws_ecs_app_image + aws_ecs_security_group_name = var.aws_ecs_security_group_name + aws_ecs_assign_public_ip = var.aws_ecs_assign_public_ip + aws_ecs_container_port = var.aws_ecs_container_port + aws_ecs_lb_port = var.aws_ecs_lb_port + aws_ecs_lb_redirect_enable = var.aws_ecs_lb_redirect_enable + aws_ecs_lb_container_path = var.aws_ecs_lb_container_path + aws_ecs_lb_ssl_policy = var.aws_ecs_lb_ssl_policy + aws_ecs_lb_www_to_apex_redirect = var.aws_r53_root_domain_deploy ? 
var.aws_ecs_lb_www_to_apex_redirect : false + aws_ecs_autoscaling_enable = var.aws_ecs_autoscaling_enable + aws_ecs_autoscaling_max_nodes = var.aws_ecs_autoscaling_max_nodes + aws_ecs_autoscaling_min_nodes = var.aws_ecs_autoscaling_min_nodes + aws_ecs_autoscaling_max_mem = var.aws_ecs_autoscaling_max_mem + aws_ecs_autoscaling_max_cpu = var.aws_ecs_autoscaling_max_cpu + aws_ecs_cloudwatch_enable = var.aws_ecs_cloudwatch_enable + aws_ecs_cloudwatch_lg_name = var.aws_ecs_cloudwatch_enable ? (var.aws_ecs_cloudwatch_lg_name != null ? var.aws_ecs_cloudwatch_lg_name : "${var.aws_resource_identifier}-ecs-logs") : null + aws_ecs_cloudwatch_skip_destroy = var.aws_ecs_cloudwatch_skip_destroy + aws_ecs_cloudwatch_retention_days = var.aws_ecs_cloudwatch_retention_days + aws_ecs_efs_fs_id = var.aws_ecs_efs_fs_id + aws_ecs_efs_root_directory = var.aws_ecs_efs_root_directory + aws_ecs_efs_transit_encryption = var.aws_ecs_efs_transit_encryption + aws_ecs_efs_transit_encryption_port = var.aws_ecs_efs_transit_encryption_port + aws_ecs_efs_access_point_id = var.aws_ecs_efs_access_point_id + aws_ecs_efs_iam = var.aws_ecs_efs_iam + aws_region_current_name = module.vpc.aws_region_current_name + aws_selected_vpc_id = module.vpc.aws_selected_vpc_id + aws_selected_subnets = module.vpc.aws_selected_vpc_subnets # Others aws_r53_domain_name = var.aws_r53_enable && var.aws_r53_domain_name != "" ? var.aws_r53_domain_name : "" aws_certificate_enabled = var.aws_r53_enable_cert diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf index c2cad23e0..938e8aa49 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf 
@@ -39,6 +39,22 @@ resource "aws_ecs_task_definition" "ecs_task" { cpu = local.aws_ecs_task_cpu[count.index] memory = local.aws_ecs_task_mem[count.index] execution_role_arn = local.ecsTaskExecutionRole + dynamic "volume" { + for_each = var.aws_ecs_efs_fs_id != "" ? [1] : [] + content { + name = "efs-${var.aws_ecs_efs_fs_id}" + efs_volume_configuration { + file_system_id = var.aws_ecs_efs_fs_id + root_directory = var.aws_ecs_efs_root_directory + transit_encryption = var.aws_ecs_efs_transit_encryption ? "ENABLED" : "DISABLED" + transit_encryption_port = var.aws_ecs_efs_transit_encryption_port + authorization_config { + access_point_id = var.aws_ecs_efs_access_point_id + iam = var.aws_ecs_efs_iam ? "ENABLED" : "DISABLED" + } + } + } + } container_definitions = sensitive(jsonencode( concat( [ @@ -82,7 +98,23 @@ resource "aws_ecs_task_definition" "ecs_task_from_json" { cpu = local.aws_ecs_task_cpu[count.index + length(local.aws_ecs_app_image)] memory = local.aws_ecs_task_mem[count.index + length(local.aws_ecs_app_image)] execution_role_arn = local.ecsTaskExecutionRole - container_definitions = sensitive(file("../../ansible/clone_repo/app/${var.app_repo_name}/${local.aws_ecs_task_json_definition_file[count.index]}")) + dynamic "volume" { + for_each = var.aws_ecs_efs_fs_id != "" ? [1] : [] + content { + name = "efs-${var.aws_ecs_efs_fs_id}" + efs_volume_configuration { + file_system_id = var.aws_ecs_efs_fs_id + root_directory = var.aws_ecs_efs_root_directory + transit_encryption = var.aws_ecs_efs_transit_encryption ? "ENABLED" : "DISABLED" + transit_encryption_port = var.aws_ecs_efs_transit_encryption_port + authorization_config { + access_point_id = var.aws_ecs_efs_access_point_id + iam = var.aws_ecs_efs_iam ? "ENABLED" : "DISABLED" + } + } + } + } + container_definitions = sensitive(file("../../ansible/clone_repo/app/${var.app_repo_name}/${local.aws_ecs_task_json_definition_file[count.index]}")) } resource "aws_ecs_task_definition" "aws_ecs_task_ignore_definition" { 
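Review bot: `authorization_config` is emitted unconditionally with `iam = var.aws_ecs_efs_iam ? "ENABLED" : "DISABLED"`, while `transit_encryption` comes from a variable that defaults to DISABLED; ECS requires transit encryption whenever IAM authorization or an access point is in use, so the default combination yields a task definition whose mount fails at task launch instead of at plan time. A `precondition` on the task definition (sketched below, Terraform 1.2+) or a `validation` block on the variables surfaces the conflict during plan. The same `dynamic "volume"` block is pasted verbatim into the `@@ -82` hunk of this file and the `@@ -93` hunk that follows, so the configuration is worth lifting into a `locals` entry consumed by all three task definitions. Note also that `iam = "ENABLED"` is evaluated against the task role, and none of the three task definitions sets `task_role_arn` in this commit. `ecs_task`'s body continues outside the hunk.
```hcl
  # … unchanged: cpu, memory, execution_role_arn, dynamic "volume", container_definitions …

  lifecycle {
    precondition {
      # IAM authorization and access points are only valid when transit encryption is enabled.
      condition     = var.aws_ecs_efs_fs_id == null || var.aws_ecs_efs_transit_encryption || !(var.aws_ecs_efs_iam || var.aws_ecs_efs_access_point_id != null)
      error_message = "aws_ecs_efs_iam and aws_ecs_efs_access_point_id require aws_ecs_efs_transit_encryption = true."
    }
  }
```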
@@ -93,6 +125,22 @@ resource "aws_ecs_task_definition" "aws_ecs_task_ignore_definition" { cpu = local.aws_ecs_task_cpu[count.index] memory = local.aws_ecs_task_mem[count.index] execution_role_arn = local.ecsTaskExecutionRole + dynamic "volume" { + for_each = var.aws_ecs_efs_fs_id != "" ? [1] : [] + content { + name = "efs-${var.aws_ecs_efs_fs_id}" + efs_volume_configuration { + file_system_id = var.aws_ecs_efs_fs_id + root_directory = var.aws_ecs_efs_root_directory + transit_encryption = var.aws_ecs_efs_transit_encryption ? "ENABLED" : "DISABLED" + transit_encryption_port = var.aws_ecs_efs_transit_encryption_port + authorization_config { + access_point_id = var.aws_ecs_efs_access_point_id + iam = var.aws_ecs_efs_iam ? "ENABLED" : "DISABLED" + } + } + } + } container_definitions = sensitive(jsonencode([ { "name" : var.aws_ecs_task_name != "" ? local.aws_ecs_task_name[count.index] : "${local.aws_ecs_task_name[count.index]}${count.index}", diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf index 8a3d59422..795613f1a 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf @@ -30,6 +30,12 @@ variable "aws_ecs_cloudwatch_enable" {} variable "aws_ecs_cloudwatch_lg_name" {} variable "aws_ecs_cloudwatch_skip_destroy" {} variable "aws_ecs_cloudwatch_retention_days" {} +variable "aws_ecs_efs_fs_id" {} +variable "aws_ecs_efs_root_directory" {} +variable "aws_ecs_efs_transit_encryption" {} +variable "aws_ecs_efs_transit_encryption_port" {} +variable "aws_ecs_efs_access_point_id" {} +variable "aws_ecs_efs_iam" {} variable "aws_r53_domain_name" {} variable "aws_certificate_enabled" {} variable "aws_certificates_selected_arn" {} From ca177da61ebcbde18a3d1ebfe037da3cf23dba68 Mon Sep 17 00:00:00 2001 
From: LeoDiazL Date: Mon, 19 Jan 2026 14:46:52 -0300 Subject: [PATCH 02/42] Null fix --- .../deployment/terraform/aws/aws_variables.tf | 24 +++++++++---------- .../terraform/modules/aws/ecs/aws_ecs.tf | 6 ++--- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/operations/deployment/terraform/aws/aws_variables.tf b/operations/deployment/terraform/aws/aws_variables.tf index edaa7a577..2e3473fd6 100644 --- a/operations/deployment/terraform/aws/aws_variables.tf +++ b/operations/deployment/terraform/aws/aws_variables.tf @@ -1771,39 +1771,39 @@ variable "aws_ecs_cloudwatch_retention_days" { } variable "aws_ecs_efs_fs_id" { - type = string + type = string description = "ID of the EFS File System" - default = null + default = null } variable "aws_ecs_efs_root_directory" { - type = string + type = string description = "Directory within the FS to mount as the root directory. Defaults to /, ignored if access_point_id defined" - default = null + default = null } variable "aws_ecs_efs_transit_encryption" { - type = bool + type = bool description = "EFS Volume Transit Encryption. Defaults to false (DISABLED)" - default = false + default = false } variable "aws_ecs_efs_transit_encryption_port" { - type = string + type = string description = "EFS Volume Transit Encryption Port" - default = null + default = null } variable "aws_ecs_efs_access_point_id" { - type = string + type = string description = "EFS Volume Access Point ID to use" - default = null + default = null } variable "aws_ecs_efs_iam" { - type = bool + type = bool description = "Whether or not to use the ECS task IAM role defined in a task definition when mounting the FS. Defaults to false. (DISABLED) " - default = true + default = true } variable "aws_ecs_additional_tags" { diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf index 938e8aa49..c74d976bb 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf 
+++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf @@ -40,7 +40,7 @@ resource "aws_ecs_task_definition" "ecs_task" { memory = local.aws_ecs_task_mem[count.index] execution_role_arn = local.ecsTaskExecutionRole dynamic "volume" { - for_each = var.aws_ecs_efs_fs_id != "" ? [1] : [] + for_each = var.aws_ecs_efs_fs_id != null ? [1] : [] content { name = "efs-${var.aws_ecs_efs_fs_id}" efs_volume_configuration { @@ -99,7 +99,7 @@ resource "aws_ecs_task_definition" "ecs_task_from_json" { memory = local.aws_ecs_task_mem[count.index + length(local.aws_ecs_app_image)] execution_role_arn = local.ecsTaskExecutionRole dynamic "volume" { - for_each = var.aws_ecs_efs_fs_id != "" ? [1] : [] + for_each = var.aws_ecs_efs_fs_id != null ? [1] : [] content { name = "efs-${var.aws_ecs_efs_fs_id}" efs_volume_configuration { @@ -126,7 +126,7 @@ resource "aws_ecs_task_definition" "aws_ecs_task_ignore_definition" { memory = local.aws_ecs_task_mem[count.index] execution_role_arn = local.ecsTaskExecutionRole dynamic "volume" { - for_each = var.aws_ecs_efs_fs_id != "" ? [1] : [] + for_each = var.aws_ecs_efs_fs_id != null ? [1] : [] content { name = "efs-${var.aws_ecs_efs_fs_id}" efs_volume_configuration { From 20c3feafb84ff34c97c02743fa20c0eecedf785c Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 19 Jan 2026 15:16:59 -0300 Subject: [PATCH 03/42] Default aws_ecs_efs_transit_encryption to ENABLED --- README.md | 2 +- action.yaml | 2 +- operations/deployment/terraform/aws/aws_variables.tf | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 33035fd99..626ae44b6 100644 --- a/README.md +++ b/README.md 
@@ -510,7 +510,7 @@ The following inputs can be used as `step.with` keys | `aws_ecs_cloudwatch_retention_days`| String | Number of days to retain logs. 0 to never expire. Defaults to `14`. | | `aws_ecs_efs_fs_id` | String | ID of the EFS File System. | | `aws_ecs_efs_root_directory` | String | Directory within the FS to mount as the root directory. Defaults to /, ignored if `access_point_id` defined. | -| `aws_ecs_efs_transit_encryption` | Boolean | EFS Volume Transit Encryption. Defaults to `false`. (DISABLED) | +| `aws_ecs_efs_transit_encryption` | Boolean | EFS Volume Transit Encryption. Defaults to `true`. (ENABLED) | | `aws_ecs_efs_transit_encryption_port` | String | EFS Volume Transit Encryption Port. | | `aws_ecs_efs_access_point_id` | String | EFS Volume Access Point ID to use. | | `aws_ecs_efs_iam` | Boolean | Whether or not to use the ECS task IAM role defined in a task definition when mounting the FS. Defaults to `false`. (DISABLED) | diff --git a/action.yaml b/action.yaml index 85e277a2d..428279adc 100644 --- a/action.yaml +++ b/action.yaml @@ -1027,7 +1027,7 @@ inputs: description: "Directory within the FS to mount as the root directory. Defaults to /, ignored if access_point_id defined" required: false aws_ecs_efs_transit_encryption: - description: "EFS Volume Transit Encryption. Defaults to false (DISABLED)" + description: "EFS Volume Transit Encryption. Defaults to true (ENABLED)" required: false aws_ecs_efs_transit_encryption_port: description: "EFS Volume Transit Encryption Port" diff --git a/operations/deployment/terraform/aws/aws_variables.tf b/operations/deployment/terraform/aws/aws_variables.tf index 2e3473fd6..982a228bd 100644 --- a/operations/deployment/terraform/aws/aws_variables.tf +++ b/operations/deployment/terraform/aws/aws_variables.tf 
@@ -1784,14 +1784,14 @@ variable "aws_ecs_efs_root_directory" { variable "aws_ecs_efs_transit_encryption" { type = bool - description = "EFS Volume Transit Encryption. Defaults to false (DISABLED)" - default = false + description = "EFS Volume Transit Encryption. Defaults to true (ENABLED)" + default = true } variable "aws_ecs_efs_transit_encryption_port" { type = string description = "EFS Volume Transit Encryption Port" - default = null + default = "" } variable "aws_ecs_efs_access_point_id" { From 571a041fc5df35ddf302a540321bb78ebe376905 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 19 Jan 2026 15:28:10 -0300 Subject: [PATCH 04/42] null port --- operations/deployment/terraform/aws/aws_variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operations/deployment/terraform/aws/aws_variables.tf b/operations/deployment/terraform/aws/aws_variables.tf index 982a228bd..7c511efb7 100644 --- a/operations/deployment/terraform/aws/aws_variables.tf +++ b/operations/deployment/terraform/aws/aws_variables.tf @@ -1791,7 +1791,7 @@ variable "aws_ecs_efs_transit_encryption" { variable "aws_ecs_efs_transit_encryption_port" { type = string description = "EFS Volume Transit Encryption Port" - default = "" + default = null } variable "aws_ecs_efs_access_point_id" { From 634834c3334f45af1b30a565dcd0d1c1350cd631 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 19 Jan 2026 15:40:05 -0300 Subject: [PATCH 05/42] Add missing policy --- operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf index c74d976bb..7db287664 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf 
@@ -253,4 +253,11 @@ resource "aws_iam_policy_attachment" "ecsTaskExecutionRolePolicy" { name = "AmazonECSTaskExecutionRolePolicyAttachment" roles = [aws_iam_role.ecsTaskExecutionRole[0].name] policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" +} + +resource "aws_iam_policy_attachment" "ecsTaskExecutionRoleEfsPolicy" { + count = var.aws_ecs_task_execution_role != "" && var.aws_ecs_efs_fs_id != null ? 0 : 1 + name = "AmazonEFSClientFullAccessAttachment" + roles = [aws_iam_role.ecsTaskExecutionRole[0].name] + policy_arn = "arn:aws:iam::aws:policy/AmazonEFSClientFullAccess" } \ No newline at end of file From 9d3ff1f288f066072ca7c340c2acb59527b6b336 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 19 Jan 2026 15:52:02 -0300 Subject: [PATCH 06/42] Add policy --- .../terraform/modules/aws/ecs/aws_ecs.tf | 26 +++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf index 7db287664..eca27b34a 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf 
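Review bot: The `count` on `ecsTaskExecutionRoleEfsPolicy` is inverted: `A && B ? 0 : 1` creates the attachment whenever either condition is false, so `AmazonEFSClientFullAccess` is attached to the generated execution role on every stack that has no EFS configured at all, and on a stack with a custom execution role and no EFS it still indexes `aws_iam_role.ecsTaskExecutionRole[0]`, which presumably has count 0 in that case. The intended guard reads `count = var.aws_ecs_task_execution_role == "" && var.aws_ecs_efs_fs_id != null ? 1 : 0`. Separately, `AmazonEFSClientFullAccess` grants ClientRootAccess as well as ClientMount/ClientWrite on every file system in the account; the inline policy introduced in the `@@ -256` hunk of PATCH 06 is the right least-privilege direction, but it carries this same count expression forward unchanged through PATCH 09.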
@@ -256,8 +256,30 @@ resource "aws_iam_policy_attachment" "ecsTaskExecutionRolePolicy" { } resource "aws_iam_policy_attachment" "ecsTaskExecutionRoleEfsPolicy" { - count = var.aws_ecs_task_execution_role != "" && var.aws_ecs_efs_fs_id != null ? 0 : 1 + count = var.aws_ecs_task_execution_role != "" && aws_ecs_efs_fs_id != null ? 0 : 1 name = "AmazonEFSClientFullAccessAttachment" roles = [aws_iam_role.ecsTaskExecutionRole[0].name] - policy_arn = "arn:aws:iam::aws:policy/AmazonEFSClientFullAccess" + policy_arn = aws_iam_role_policy.efs[0].arn +} + +resource "aws_iam_role_policy" "efs" { + count = var.aws_ecs_task_execution_role != "" && aws_ecs_efs_fs_id != null ? 0 : 1 + role = [aws_iam_role.ecsTaskExecutionRole[0].name] + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [{ + Effect = "Allow" + Action = [ + "elasticfilesystem:ClientMount", + "elasticfilesystem:ClientWrite" + ] + Resource = aws_efs_access_point.app.arn + }] + }) +} + +data "aws_efs_file_system" "efs" { + count = var.aws_ecs_efs_fs_id != null ? 1 : 0 + file_system_id = var.aws_ecs_efs_fs_id } \ No newline at end of file From 3a5f89a3837db22e985db5d3a9ed2b216b288d11 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 19 Jan 2026 15:56:19 -0300 Subject: [PATCH 07/42] Fix volume id --- operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf index eca27b34a..71b965eb4 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf 
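Review bot: `aws_iam_role_policy.efs` grants the EFS client actions to `aws_iam_role.ecsTaskExecutionRole`, but `authorization_config.iam = "ENABLED"` in the task definitions is evaluated against the task role (`task_role_arn`), which none of the task definitions set; the execution role is used only by the ECS agent, so the mount would presumably still be denied. A dedicated `aws_iam_role` assumable by `ecs-tasks.amazonaws.com`, holding just `elasticfilesystem:ClientMount` and `elasticfilesystem:ClientWrite` on `data.aws_efs_file_system.efs[0].arn` and referenced from `task_role_arn`, keeps the agent's permissions and the application's permissions apart. Scoping the statement to the looked-up file system ARN rather than the account-wide managed policy is a clear improvement over the previous patch.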
@@ -256,14 +256,14 @@ resource "aws_iam_policy_attachment" "ecsTaskExecutionRolePolicy" { } resource "aws_iam_policy_attachment" "ecsTaskExecutionRoleEfsPolicy" { - count = var.aws_ecs_task_execution_role != "" && aws_ecs_efs_fs_id != null ? 0 : 1 + count = var.aws_ecs_task_execution_role != "" && var.aws_ecs_efs_fs_id != null ? 0 : 1 name = "AmazonEFSClientFullAccessAttachment" roles = [aws_iam_role.ecsTaskExecutionRole[0].name] policy_arn = aws_iam_role_policy.efs[0].arn } resource "aws_iam_role_policy" "efs" { - count = var.aws_ecs_task_execution_role != "" && aws_ecs_efs_fs_id != null ? 0 : 1 + count = var.aws_ecs_task_execution_role != "" && var.aws_ecs_efs_fs_id != null ? 0 : 1 role = [aws_iam_role.ecsTaskExecutionRole[0].name] policy = jsonencode({ @@ -274,7 +274,7 @@ resource "aws_iam_role_policy" "efs" { "elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite" ] - Resource = aws_efs_access_point.app.arn + Resource = aws_efs_file_system.efs[0].arn }] }) } From 2b74df76010f3d10edd6ba2ba06b7ce72beb700a Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 19 Jan 2026 16:00:02 -0300 Subject: [PATCH 08/42] Fixing data source name --- operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf index 71b965eb4..fbb555396 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf 
@@ -259,12 +259,12 @@ resource "aws_iam_policy_attachment" "ecsTaskExecutionRoleEfsPolicy" { count = var.aws_ecs_task_execution_role != "" && var.aws_ecs_efs_fs_id != null ? 0 : 1 name = "AmazonEFSClientFullAccessAttachment" roles = [aws_iam_role.ecsTaskExecutionRole[0].name] - policy_arn = aws_iam_role_policy.efs[0].arn + policy_arn = data.aws_iam_role_policy.efs[0].arn } resource "aws_iam_role_policy" "efs" { count = var.aws_ecs_task_execution_role != "" && var.aws_ecs_efs_fs_id != null ? 0 : 1 - role = [aws_iam_role.ecsTaskExecutionRole[0].name] + role = aws_iam_role.ecsTaskExecutionRole[0].name policy = jsonencode({ Version = "2012-10-17" @@ -274,7 +274,7 @@ resource "aws_iam_role_policy" "efs" { "elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite" ] - Resource = aws_efs_file_system.efs[0].arn + Resource = data.aws_efs_file_system.efs[0].arn }] }) } From 9f7e79c36c585861d4240886728939c1e80215b1 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 19 Jan 2026 16:03:16 -0300 Subject: [PATCH 09/42] Cleanup --- operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf | 7 ------- 1 file changed, 7 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf index fbb555396..a75651c0f 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf 
@@ -255,13 +255,6 @@ resource "aws_iam_policy_attachment" "ecsTaskExecutionRolePolicy" { policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" } -resource "aws_iam_policy_attachment" "ecsTaskExecutionRoleEfsPolicy" { - count = var.aws_ecs_task_execution_role != "" && var.aws_ecs_efs_fs_id != null ? 0 : 1 - name = "AmazonEFSClientFullAccessAttachment" - roles = [aws_iam_role.ecsTaskExecutionRole[0].name] - policy_arn = data.aws_iam_role_policy.efs[0].arn -} - resource "aws_iam_role_policy" "efs" { count = var.aws_ecs_task_execution_role != "" && var.aws_ecs_efs_fs_id != null ? 0 : 1 role = aws_iam_role.ecsTaskExecutionRole[0].name From 7bbb1ccc5067568d1bc4e2ef533c00407010379f Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Mon, 19 Jan 2026 16:11:07 -0300 Subject: [PATCH 10/42] Fixing task role --- .../terraform/modules/aws/ecs/aws_ecs.tf | 45 ++++++++++--------- 1 file changed, 24 insertions(+), 21 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf index a75651c0f..fcf4902a5 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf @@ -39,6 +39,7 @@ resource "aws_ecs_task_definition" "ecs_task" { cpu = local.aws_ecs_task_cpu[count.index] memory = local.aws_ecs_task_mem[count.index] execution_role_arn = local.ecsTaskExecutionRole + task_role_arn = local.ecsTaskExecutionRole # <-- Add this line dynamic "volume" { for_each = var.aws_ecs_efs_fs_id != null ? [1] : [] content { 
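Review bot: `task_role_arn = local.ecsTaskExecutionRole` makes the application container run under the execution role, so everything the ECS agent is granted (ECR pull and CloudWatch log writes via `AmazonECSTaskExecutionRolePolicy`, plus anything else attached to that role, or to a user-supplied `aws_ecs_task_execution_role`) becomes available to the workload's own code; the two roles exist precisely to keep those permission sets separate. A distinct task role carrying only the EFS client actions is the least-privilege fix; the same line is repeated in the `@@ -98` and `@@ -125` hunks of this file. The `# <-- Add this line` trailers on the first two copies are editor artifacts and should be dropped.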
@@ -98,6 +99,7 @@ resource "aws_ecs_task_definition" "ecs_task_from_json" { cpu = local.aws_ecs_task_cpu[count.index + length(local.aws_ecs_app_image)] memory = local.aws_ecs_task_mem[count.index + length(local.aws_ecs_app_image)] execution_role_arn = local.ecsTaskExecutionRole + task_role_arn = local.ecsTaskExecutionRole # <-- Add this line dynamic "volume" { for_each = var.aws_ecs_efs_fs_id != null ? [1] : [] content { @@ -125,6 +127,7 @@ resource "aws_ecs_task_definition" "aws_ecs_task_ignore_definition" { cpu = local.aws_ecs_task_cpu[count.index] memory = local.aws_ecs_task_mem[count.index] execution_role_arn = local.ecsTaskExecutionRole + task_role_arn = local.ecsTaskExecutionRole dynamic "volume" { for_each = var.aws_ecs_efs_fs_id != null ? [1] : [] content { 
@@ -255,24 +258,24 @@ resource "aws_iam_policy_attachment" "ecsTaskExecutionRolePolicy" { policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" } -resource "aws_iam_role_policy" "efs" { - count = var.aws_ecs_task_execution_role != "" && var.aws_ecs_efs_fs_id != null ? 0 : 1 - role = aws_iam_role.ecsTaskExecutionRole[0].name - - policy = jsonencode({ - Version = "2012-10-17" - Statement = [{ - Effect = "Allow" - Action = [ - "elasticfilesystem:ClientMount", - "elasticfilesystem:ClientWrite" - ] - Resource = data.aws_efs_file_system.efs[0].arn - }] - }) -} - -data "aws_efs_file_system" "efs" { - count = var.aws_ecs_efs_fs_id != null ? 1 : 0 - file_system_id = var.aws_ecs_efs_fs_id -} \ No newline at end of file +#resource "aws_iam_role_policy" "efs" { +# count = var.aws_ecs_task_execution_role != "" && var.aws_ecs_efs_fs_id != null ? 0 : 1 +# role = aws_iam_role.ecsTaskExecutionRole[0].name +# +# policy = jsonencode({ +# Version = "2012-10-17" +# Statement = [{ +# Effect = "Allow" +# Action = [ +# "elasticfilesystem:ClientMount", +# "elasticfilesystem:ClientWrite" +# ] +# Resource = data.aws_efs_file_system.efs[0].arn +# }] +# }) +#} +# +#data "aws_efs_file_system" "efs" { +# count = var.aws_ecs_efs_fs_id != null ? 1 : 0 +# file_system_id = var.aws_ecs_efs_fs_id +#} \ No newline at end of file From f79fd33d13d2c47a73e167f342475f7eac278036 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Tue, 20 Jan 2026 08:10:33 -0300 Subject: [PATCH 11/42] Adding missing block to container defn and flags --- README.md | 4 +- action.yaml | 138 +++++++++--------- .../generate/generate_vars_terraform.sh | 4 + .../deployment/terraform/aws/aws_variables.tf | 12 ++ .../deployment/terraform/aws/bitovi_main.tf | 2 + .../terraform/modules/aws/ecs/aws_ecs.tf | 7 + .../terraform/modules/aws/ecs/aws_ecs_vars.tf | 2 + 7 files changed, 103 insertions(+), 66 deletions(-) diff --git a/README.md b/README.md index 626ae44b6..59e677937 100644 --- a/README.md +++ b/README.md 
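Review bot: Commenting out `aws_iam_role_policy "efs"` and `data "aws_efs_file_system" "efs"` leaves dead code in the module and at the same time removes the only grant of `elasticfilesystem:ClientMount`/`ClientWrite`, so with `aws_ecs_efs_iam = true` the mount would presumably be refused by EFS. Either delete the block (history keeps it) or fix and keep it: the failure it appears to work around is the `count` expression, which yields 1 when `aws_ecs_efs_fs_id` is null and then indexes a zero-count data source; `count = var.aws_ecs_task_execution_role == "" && var.aws_ecs_efs_fs_id != null ? 1 : 0` would make it usable again. The file still ends without a trailing newline after this hunk.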
@@ -509,10 +509,12 @@ The following inputs can be used as `step.with` keys | `aws_ecs_cloudwatch_skip_destroy`| Boolean | Toggle deletion or not when destroying the stack. | | `aws_ecs_cloudwatch_retention_days`| String | Number of days to retain logs. 0 to never expire. Defaults to `14`. | | `aws_ecs_efs_fs_id` | String | ID of the EFS File System. | -| `aws_ecs_efs_root_directory` | String | Directory within the FS to mount as the root directory. Defaults to /, ignored if `access_point_id` defined. | +| `aws_ecs_efs_root_directory` | String | Directory within the FS to mount as the root directory. Defaults to `/`, ignored if `access_point_id` defined. | | `aws_ecs_efs_transit_encryption` | Boolean | EFS Volume Transit Encryption. Defaults to `true`. (ENABLED) | | `aws_ecs_efs_transit_encryption_port` | String | EFS Volume Transit Encryption Port. | | `aws_ecs_efs_access_point_id` | String | EFS Volume Access Point ID to use. | +| `aws_ecs_efs_container_path` | String | Directory path within container to mount the EFS volume to. Defaults to`/mnt/efs` | +| `aws_ecs_efs_readonly` | Boolean | Whether the EFS volume is mounted as read-only. Defaults to `false`. | | `aws_ecs_efs_iam` | Boolean | Whether or not to use the ECS task IAM role defined in a task definition when mounting the FS. Defaults to `false`. (DISABLED) | | `aws_ecs_additional_tags`| JSON | Add additional tags to the terraform [default tags](https://www.hashicorp.com/blog/default-tags-in-the-terraform-aws-provider), any tags put here will be added to ECS provisioned resources.|
diff --git a/action.yaml b/action.yaml index 428279adc..74a7196fe 100644 --- a/action.yaml +++ b/action.yaml 
@@ -282,46 +282,46 @@ inputs: # AWS ALB aws_alb_create: - description: "Global toggle for ALB creation" + description: 'Global toggle for ALB creation' required: false aws_alb_security_group_name: - description: "Name of the security group to use for ALB" + description: 'Name of the security group to use for ALB' required: false aws_alb_app_port: - description: "Comma-separated list of application ports for ALB target group" + description: 'Comma-separated list of application ports for ALB target group' required: false aws_alb_app_protocol: - description: "Comma-separated list of protocols for ALB target group (HTTP/HTTPS)" + description: 'Comma-separated list of protocols for ALB target group (HTTP/HTTPS)' required: false aws_alb_listen_port: - description: "Comma-separated list of listener ports for ALB" + description: 'Comma-separated list of listener ports for ALB' required: false aws_alb_listen_protocol: - description: "Comma-separated list of listener protocols for ALB (HTTP/HTTPS)" + description: 'Comma-separated list of listener protocols for ALB (HTTP/HTTPS)' required: false aws_alb_redirect_enable: - description: "Enable HTTP to HTTPS redirection on ALB" + description: 'Enable HTTP to HTTPS redirection on ALB' required: false aws_alb_www_to_apex_redirect: description: 'Enable www to apex domain redirection on ALB' required: false aws_alb_healthcheck_path: - description: "Health check path for ALB target group" + description: 'Health check path for ALB target group' required: false aws_alb_healthcheck_protocol: - description: "Health check protocol for ALB target group" + description: 'Health check protocol for ALB target group' required: false aws_alb_ssl_policy: - description: "SSL policy for HTTPS listeners" + description: 'SSL policy for HTTPS listeners' required: false aws_alb_access_log_enabled: - description: "Enable ALB access logs" + description: 'Enable ALB access logs' required: false aws_alb_access_log_bucket_name: - description: "S3 bucket 
name to store the ALB access logs" + description: 'S3 bucket name to store the ALB access logs' required: false aws_alb_access_log_expire: - description: "Delete the access logs after this amount of days" + description: 'Delete the access logs after this amount of days' required: false aws_alb_additional_tags: description: 'A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`' @@ -876,7 +876,7 @@ inputs: description: 'Log type. Older Redis engines need slow-log. Newer support engine-log (default)' required: false aws_redis_cloudwatch_retention_days: - description: "Number of days to retain logs. 0 to never expire. Default '14'" + description: 'Number of days to retain logs. 0 to never expire. Default 14' required: false aws_redis_single_line_url_secret: description: 'Creates an AWS secret containing the connection string containing protocol://user@pass:endpoint:port' 
@@ -1009,34 +1009,40 @@ inputs: description: 'Some' required: false aws_ecs_cloudwatch_enable: - description: "Toggle cloudwatch for ECS. Default 'false'" + description: 'Toggle cloudwatch for ECS. Defaults to false' required: false aws_ecs_cloudwatch_lg_name: - description: "Log group name. Will default to aws_identifier if none." + description: 'Log group name. Will default to aws_identifier if none.' required: false aws_ecs_cloudwatch_skip_destroy: - description: "Toggle deletion or not when destroying the stack." + description: 'Toggle deletion or not when destroying the stack.' required: false aws_ecs_cloudwatch_retention_days: - description: "Number of days to retain logs. 0 to never expire. Default '14'" + description: 'Number of days to retain logs. 0 to never expire. Default 14' required: false aws_ecs_efs_fs_id: - description: "ID of the EFS File System" + description: 'ID of the EFS File System' required: false aws_ecs_efs_root_directory: - description: "Directory within the FS to mount as the root directory. Defaults to /, ignored if access_point_id defined" + description: 'Directory within the FS to mount as the root directory. Defaults to /, ignored if access_point_id defined' required: false aws_ecs_efs_transit_encryption: - description: "EFS Volume Transit Encryption. Defaults to true (ENABLED)" + description: 'EFS Volume Transit Encryption. 
Defaults to true (ENABLED)' required: false aws_ecs_efs_transit_encryption_port: - description: "EFS Volume Transit Encryption Port" + description: 'EFS Volume Transit Encryption Port' required: false aws_ecs_efs_access_point_id: - description: "EFS Volume Access Point ID to use" + description: 'EFS Volume Access Point ID to use' + required: false + aws_ecs_efs_container_path: + description: 'Directory path within container to mount the EFS volume to' + required: false + aws_ecs_efs_readonly: + description: 'Whether the EFS volume is mounted as read-only' required: false aws_ecs_efs_iam: - description: "Whether or not to use the ECS task IAM role defined in a task definition when mounting the FS. Defaults to false. (DISABLED) " + description: 'Whether or not to use the ECS task IAM role defined in a task definition when mounting the FS. Defaults to false. (DISABLED) ' required: false aws_ecs_additional_tags: description: 'A list of strings that will be added to created resources' @@ -1121,10 +1127,10 @@ inputs: description: 'Define if an EKS cluster should be created' required: false aws_eks_security_group_name_cluster: - description: "SG for ${var.aws_resource_identifier} - ${var.aws_eks_environment} - EKS Master" + description: 'SG for ${var.aws_resource_identifier} - ${var.aws_eks_environment} - EKS Master' required: false aws_eks_security_group_name_node: - description: "SG for ${var.aws_resource_identifier} - ${var.aws_eks_environment} - EKS Worker" + description: 'SG for ${var.aws_resource_identifier} - ${var.aws_eks_environment} - EKS Worker' required: false aws_eks_environment: description: 'Specify the eks environment name. Defaults to env' 
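Review bot: The descriptions of the two new inputs `aws_ecs_efs_container_path` and `aws_ecs_efs_readonly` omit their defaults, while the neighbouring EFS inputs state theirs and this commit's README hunk documents `/mnt/efs` and `false`; the action metadata is what consumers see in the marketplace. Suggest `description: 'Directory path within container to mount the EFS volume to. Defaults to /mnt/efs'` and `description: 'Whether the EFS volume is mounted as read-only. Defaults to false'`. This hunk begins on the previous line.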
@@ -1139,19 +1145,19 @@ inputs: description: 'Allow incoming traffic from this CIDR block. Accepts comma separated values, matching 1 to 1 with aws_eks_allowed_ports. If none defined, will allow all incoming traffic.' required: false aws_eks_cluster_name: - description: "EKS Cluster name. Defaults to eks-cluster" + description: 'EKS Cluster name. Defaults to eks-cluster' required: false aws_eks_cluster_admin_role_arn: - description: "Role ARN to grant cluster-admin permissions" + description: 'Role ARN to grant cluster-admin permissions' required: false aws_eks_cluster_log_types: - description: "EKS Log types, comma separated list. Defaults to api,audit,authenticator" + description: 'EKS Log types, comma separated list. Defaults to api,audit,authenticator' required: false aws_eks_cluster_log_retention_days: - description: "Days to store logs. Defaults to 7." + description: 'Days to store logs. Defaults to 7.' required: false aws_eks_cluster_log_skip_destroy: - description: "Skip deletion of cluster logs if set to true" + description: 'Skip deletion of cluster logs if set to true' required: false aws_eks_cluster_version: description: 'Specify the k8s cluster version' 
@@ -1187,115 +1193,115 @@ inputs: outputs: # VPC aws_vpc_id: - description: "The selected VPC ID used." + description: 'The selected VPC ID used.' value: ${{ steps.deploy.outputs.aws_vpc_id }} # EC2 vm_url: - description: "The URL of the generated app" + description: 'The URL of the generated app' value: ${{ steps.deploy.outputs.vm_url }} instance_endpoint: - description: "The URL of the generated ec2 instance" + description: 'The URL of the generated ec2 instance' value: ${{ steps.deploy.outputs.instance_endpoint }} ec2_sg_id: - description: "SG ID for the EC2 instance" + description: 'SG ID for the EC2 instance' value: ${{ steps.deploy.outputs.ec2_sg_id }} # EFS aws_efs_fs_id: - description: "EFS FS ID" + description: 'EFS FS ID' value: ${{ steps.deploy.outputs.aws_efs_fs_id }} aws_efs_replica_fs_id: - description: "EFS FS Replica ID" + description: 'EFS FS Replica ID' value: ${{ steps.deploy.outputs.aws_efs_replica_fs_id }} aws_efs_sg_id: - description: "EFS FS SG ID" + description: 'EFS FS SG ID' value: ${{ steps.deploy.outputs.aws_efs_sg_id }} # RDS db_endpoint: - description: "RDS Endpoint" + description: 'RDS Endpoint' value: ${{ steps.deploy.outputs.db_endpoint }} db_secret_details_name: - description: "AWS Secret name containing db credentials" + description: 'AWS Secret name containing db credentials' value: ${{ steps.deploy.outputs.db_secret_details_name }} db_sg_id: - description: "SG ID for the RDS instance" + description: 'SG ID for the RDS instance' value: ${{ steps.deploy.outputs.db_sg_id }} db_proxy_rds_endpoint: - description: "Database proxy endpoint" + description: 'Database proxy endpoint' value: ${{ steps.deploy.outputs.db_proxy_rds_endpoint }} db_proxy_secret_name_rds: - description: "AWS Secret name containing proxy credentials" + description: 'AWS Secret name containing proxy credentials' value: ${{ steps.deploy.outputs.db_proxy_secret_name_rds }} db_proxy_sg_id_rds: - description: "SG ID for the RDS Proxy instance" + description: 'SG ID 
for the RDS Proxy instance' value: ${{ steps.deploy.outputs.db_proxy_sg_id_rds }} # Aurora aurora_db_endpoint: - description: "Aurora Endpoint" + description: 'Aurora Endpoint' value: ${{ steps.deploy.outputs.aurora_db_endpoint }} aurora_db_secret_details_name: - description: "AWS Secret name containing db credentials" + description: 'AWS Secret name containing db credentials' value: ${{ steps.deploy.outputs.aurora_db_secret_details_name }} aurora_db_sg_id: - description: "SG ID for the Aurora instance" + description: 'SG ID for the Aurora instance' value: ${{ steps.deploy.outputs.aurora_db_sg_id }} aurora_proxy_endpoint: - description: "Database proxy endpoint" + description: 'Database proxy endpoint' value: ${{ steps.deploy.outputs.aurora_proxy_endpoint }} aurora_proxy_secret_name: - description: "AWS Secret name containing proxy credentials" + description: 'AWS Secret name containing proxy credentials' value: ${{ steps.deploy.outputs.aurora_proxy_secret_name }} aurora_proxy_sg_id: - description: "SG ID for the RDS Proxy instance" + description: 'SG ID for the RDS Proxy instance' value: ${{ steps.deploy.outputs.aurora_proxy_sg_id }} # DB Proxy db_proxy_endpoint: - description: "Database proxy endpoint" + description: 'Database proxy endpoint' value: ${{ steps.deploy.outputs.db_proxy_endpoint }} db_proxy_secret_name: - description: "Database proxy secret_name" + description: 'Database proxy secret_name' value: ${{ steps.deploy.outputs.db_proxy_secret_name }} db_proxy_sg_id: - description: "SG ID for the RDS Proxy instance" + description: 'SG ID for the RDS Proxy instance' value: ${{ steps.deploy.outputs.db_proxy_sg_id }} # ECS ecs_load_balancer_dns: - description: "ECS ALB DNS Record" + description: 'ECS ALB DNS Record' value: ${{ steps.deploy.outputs.ecs_load_balancer_dns }} ecs_dns_record: - description: "ECS DNS URL" + description: 'ECS DNS URL' value: ${{ steps.deploy.outputs.ecs_dns_record }} ecs_sg_id: - description: "ECS SG ID" + description: 'ECS SG ID' 
value: ${{ steps.deploy.outputs.ecs_sg_id }} ecs_lb_sg_id: - description: "ECS LB SG ID" + description: 'ECS LB SG ID' value: ${{ steps.deploy.outputs.ecs_lb_sg_id }} # ECR ecr_repository_arn: - description: "ECR Repo ARN" + description: 'ECR Repo ARN' value: ${{ steps.deploy.outputs.ecr_repository_arn }} ecr_repository_url: - description: "ECR Repo URL" + description: 'ECR Repo URL' value: ${{ steps.deploy.outputs.ecr_repository_url }} # REDIS redis_endpoint: - description: "Redis Endpoint" + description: 'Redis Endpoint' value: ${{ steps.deploy.outputs.redis_endpoint }} redis_secret_name: - description: "Redis Secret name" + description: 'Redis Secret name' value: ${{ steps.deploy.outputs.redis_secret_name }} redis_connection_string_secret: - description: "Redis secret containing complete URL to connect directly. (e.g. rediss://user:pass@host:port)" + description: 'Redis secret containing complete URL to connect directly. (e.g. rediss://user:pass@host:port)' value: ${{ steps.deploy.outputs.redis_connection_string_secret }} redis_sg_id: - description: "Redis SG ID" + description: 'Redis SG ID' value: ${{ steps.deploy.outputs.redis_sg_id }} # EKS eks_cluster_name: - description: "EKS Cluster name" + description: 'EKS Cluster name' value: ${{ steps.deploy.outputs.eks_cluster_name }} eks_cluster_role_arn: - description: "EKS Role ARN" + description: 'EKS Role ARN' value: ${{ steps.deploy.outputs.eks_cluster_role_arn }} runs: @@ -1676,6 +1682,8 @@ runs: AWS_ECS_EFS_TRANSIT_ENCRYPTION: ${{ inputs.aws_ecs_efs_transit_encryption }} AWS_ECS_EFS_TRANSIT_ENCRYPTION_PORT: ${{ inputs.aws_ecs_efs_transit_encryption_port }} AWS_ECS_EFS_ACCESS_POINT_ID: ${{ inputs.aws_ecs_efs_access_point_id }} + AWS_ECS_EFS_CONTAINER_PATH: ${{ inputs.aws_ecs_efs_container_path }} + AWS_ECS_EFS_READONLY: ${{ inputs.aws_ecs_efs_readonly }} AWS_ECS_EFS_IAM: ${{ inputs.aws_ecs_efs_iam }} AWS_ECS_ADDITIONAL_TAGS: ${{ inputs.aws_ecs_additional_tags }} 
diff --git a/operations/_scripts/generate/generate_vars_terraform.sh b/operations/_scripts/generate/generate_vars_terraform.sh index 205077632..bd3d45294 100644 --- a/operations/_scripts/generate/generate_vars_terraform.sh +++ b/operations/_scripts/generate/generate_vars_terraform.sh @@ -396,6 +396,8 @@ if [[ $(alpha_only "$AWS_ECS_ENABLE") == true ]]; then aws_ecs_efs_transit_encryption=$(generate_var aws_ecs_efs_transit_encryption $AWS_ECS_EFS_TRANSIT_ENCRYPTION) aws_ecs_efs_transit_encryption_port=$(generate_var aws_ecs_efs_transit_encryption_port $AWS_ECS_EFS_TRANSIT_ENCRYPTION_PORT) aws_ecs_efs_access_point_id=$(generate_var aws_ecs_efs_access_point_id $AWS_ECS_EFS_ACCESS_POINT_ID) + aws_ecs_efs_container_path=$(generate_var aws_ecs_efs_container_path $AWS_ECS_EFS_CONTAINER_PATH) + aws_ecs_efs_readonly=$(generate_var aws_ecs_efs_readonly $AWS_ECS_EFS_READONLY) aws_ecs_efs_iam=$(generate_var aws_ecs_efs_iam $AWS_ECS_EFS_IAM) aws_ecs_additional_tags=$(generate_var aws_ecs_additional_tags $AWS_ECS_ADDITIONAL_TAGS) fi @@ -799,6 +801,8 @@ $aws_ecs_efs_root_directory $aws_ecs_efs_transit_encryption $aws_ecs_efs_transit_encryption_port $aws_ecs_efs_access_point_id +$aws_ecs_efs_container_path +$aws_ecs_efs_readonly $aws_ecs_efs_iam $aws_ecs_additional_tags diff --git a/operations/deployment/terraform/aws/aws_variables.tf b/operations/deployment/terraform/aws/aws_variables.tf index 7c511efb7..01b261106 100644 --- a/operations/deployment/terraform/aws/aws_variables.tf +++ b/operations/deployment/terraform/aws/aws_variables.tf 
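Review bot: `$AWS_ECS_EFS_CONTAINER_PATH` is passed to `generate_var` unquoted, so a container path containing whitespace or glob characters is word-split into several arguments before it reaches the Terraform variable; the same applies to `$AWS_ECS_CONTAINER_USER` added in the `@@ -370,7 +370,8 @@` hunk of PATCH 17. If `generate_var` expects a single value, quoting is the fix: `aws_ecs_efs_container_path=$(generate_var aws_ecs_efs_container_path "$AWS_ECS_EFS_CONTAINER_PATH")`. The surrounding lines use the same unquoted form, so this is inherited style, but it is worth fixing for the path-valued input. The enclosing `if` block starts before the hunk.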
@@ -1800,6 +1800,18 @@ variable "aws_ecs_efs_access_point_id" { default = null } +variable "aws_ecs_efs_container_path" { + type = string + description = "Container path where to mount the EFS volume" + default = "/mnt/efs" +} + +variable "aws_ecs_efs_readonly" { + type = bool + description = "Whether the EFS volume is mounted as read-only" + default = false +} + variable "aws_ecs_efs_iam" { type = bool description = "Whether or not to use the ECS task IAM role defined in a task definition when mounting the FS. Defaults to false. (DISABLED) " diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 31fdc0504..32fa0e635 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -609,6 +609,8 @@ module "aws_ecs" { aws_ecs_efs_transit_encryption = var.aws_ecs_efs_transit_encryption aws_ecs_efs_transit_encryption_port = var.aws_ecs_efs_transit_encryption_port aws_ecs_efs_access_point_id = var.aws_ecs_efs_access_point_id + aws_ecs_efs_container_path = var.aws_ecs_efs_container_path + aws_ecs_efs_readonly = var.aws_ecs_efs_readonly aws_ecs_efs_iam = var.aws_ecs_efs_iam aws_region_current_name = module.vpc.aws_region_current_name aws_selected_vpc_id = module.vpc.aws_selected_vpc_id diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf index fcf4902a5..3696f6112 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf 
@@ -75,6 +75,13 @@ resource "aws_ecs_task_definition" "ecs_task" { "appProtocol" : "http" } ] : [] + "mountPoints" : var.aws_ecs_efs_fs_id != null ? [ + { + "sourceVolume" : "efs-${var.aws_ecs_efs_fs_id}", + "containerPath" : var.aws_ecs_efs_container_path, + "readOnly" : var.aws_ecs_efs_readonly + } + ] : [], "environment" : local.env_repo_vars, "logConfiguration" : var.aws_ecs_cloudwatch_enable ? { "logDriver" : "awslogs", diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf index 795613f1a..30011482c 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf @@ -35,6 +35,8 @@ variable "aws_ecs_efs_root_directory" {} variable "aws_ecs_efs_transit_encryption" {} variable "aws_ecs_efs_transit_encryption_port" {} variable "aws_ecs_efs_access_point_id" {} +variable "aws_ecs_efs_container_path" {} +variable "aws_ecs_efs_readonly" {} variable "aws_ecs_efs_iam" {} variable "aws_r53_domain_name" {} variable "aws_certificate_enabled" {} From b3ba2b58fdd6a57f930332d51f46b1d946cbc7d9 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Tue, 20 Jan 2026 08:17:15 -0300 Subject: [PATCH 12/42] Removing coma --- operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf index 3696f6112..dcde29f4a 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf @@ -81,7 +81,7 @@ resource "aws_ecs_task_definition" "ecs_task" { "containerPath" : var.aws_ecs_efs_container_path, "readOnly" : var.aws_ecs_efs_readonly } - ] : [], + ] : [] "environment" : local.env_repo_vars, "logConfiguration" : var.aws_ecs_cloudwatch_enable ? { "logDriver" : "awslogs", 
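Review bot: The `mountPoints` entry is added only to the `ecs_task` container definition, whereas PATCH 10 added the EFS `volume` block to `ecs_task`, `ecs_task_from_json` and `aws_ecs_task_ignore_definition` alike; if `aws_ecs_task_ignore_definition` renders its own container definition (not visible here), its tasks declare the volume but never mount it. `"sourceVolume" : "efs-${var.aws_ecs_efs_fs_id}"` has to equal the `name` set in the dynamic `volume` block, which lies outside this hunk, so a short comment on the new line would help, e.g. `# must match volume.name in the dynamic "volume" block above`. The `aws_ecs_task_definition "ecs_task"` block starts and ends outside the hunk.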
From 3491bd53d0689e522a7e5a26419f86f74ee1d6e7 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Tue, 20 Jan 2026 09:53:45 -0300 Subject: [PATCH 13/42] Add create-before-detroy to ECS LB --- .../deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf index 515e305f8..65481f134 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf @@ -62,6 +62,7 @@ resource "aws_alb_target_group" "lb_targets" { lifecycle { replace_triggered_by = [aws_security_group.ecs_sg.id] + create_before_destroy = true } } From c649f0ba3d09ff9e665e417048e4c68894400f91 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Tue, 20 Jan 2026 11:08:12 -0300 Subject: [PATCH 14/42] Rollback create-before destroy --- .../deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf index 65481f134..515e305f8 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf @@ -62,7 +62,6 @@ resource "aws_alb_target_group" "lb_targets" { lifecycle { replace_triggered_by = [aws_security_group.ecs_sg.id] - create_before_destroy = true } } From 92732dfe35bb277f0938c9e15a669adc49b57548 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Tue, 20 Jan 2026 11:53:41 -0300 Subject: [PATCH 15/42] user testing --- operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf | 1 + 1 file changed, 1 insertion(+) 
diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf index dcde29f4a..ed5a791ca 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf @@ -65,6 +65,7 @@ resource "aws_ecs_task_definition" "ecs_task" { "cpu" : local.aws_ecs_container_cpu[count.index], "memory" : local.aws_ecs_container_mem[count.index], "essential" : true, + "user" : "1000:1000", "networkMode" : "awsvpc", "portMappings" : length(local.aws_ecs_container_port) > 0 ? [ { From f6a672b755343a15a04928e00c82537edfa15c28 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Tue, 20 Jan 2026 11:59:23 -0300 Subject: [PATCH 16/42] User 0 --- operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf index ed5a791ca..4d57dea75 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf @@ -65,7 +65,7 @@ resource "aws_ecs_task_definition" "ecs_task" { "cpu" : local.aws_ecs_container_cpu[count.index], "memory" : local.aws_ecs_container_mem[count.index], "essential" : true, - "user" : "1000:1000", + "user" : "0", "networkMode" : "awsvpc", "portMappings" : length(local.aws_ecs_container_port) > 0 ? [ { From 558ccdb97047fa1724388555bf2b055b38bcfd01 Mon Sep 17 00:00:00 2001 
From: LeoDiazL Date: Tue, 20 Jan 2026 12:39:35 -0300 Subject: [PATCH 17/42] Adding aws_ecs_container_user --- README.md | 1 + action.yaml | 4 ++++ operations/_scripts/generate/generate_vars_terraform.sh | 4 +++- operations/deployment/terraform/aws/aws_variables.tf | 6 ++++++ operations/deployment/terraform/aws/bitovi_main.tf | 1 + operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf | 2 +- .../deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf | 1 + 7 files changed, 17 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 59e677937..714e8076d 100644 --- a/README.md +++ b/README.md @@ -489,6 +489,7 @@ The following inputs can be used as `step.with` keys | `aws_ecs_task_mem`| String | Task Mem Amount. | | `aws_ecs_container_cpu`| String | Container CPU Amount. | | `aws_ecs_container_mem`| String | Container Mem Amount. | +| `aws_ecs_container_user`| String | User to run container as. Accepts `user`, `user:group`, `uid`, `uid:gid`, `user:gid` or `uid:group`. | | `aws_ecs_node_count`| String | Node count for ECS Cluster. | | `aws_ecs_app_image`| String | Name of the container image to be used. | | `aws_ecs_security_group_name`| String | ECS Secruity group name. | diff --git a/action.yaml b/action.yaml index 74a7196fe..7ab90de6b 100644 --- a/action.yaml +++ b/action.yaml @@ -963,6 +963,9 @@ inputs: aws_ecs_container_mem: description: 'Container Mem Amount' required: false + aws_ecs_container_user: + description: 'User to run container as' + required: false aws_ecs_node_count: description: 'Node count for ECS Cluster' required: false 
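Review bot: `description: 'User to run container as'` says nothing about the accepted syntax, while the README row in this same commit lists `user`, `user:group`, `uid`, `uid:gid`, `user:gid` and `uid:group`; the value is placed verbatim into the container definition's `user` field, so the form matters. Suggest `description: 'User to run the container as. Accepts user, user:group, uid, uid:gid, user:gid or uid:group. Empty leaves the image default user'`. The `inputs:` mapping continues outside the hunk.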
@@ -1658,6 +1661,7 @@ runs: AWS_ECS_TASK_MEM: ${{ inputs.aws_ecs_task_mem }} AWS_ECS_CONTAINER_CPU: ${{ inputs.aws_ecs_container_cpu }} AWS_ECS_CONTAINER_MEM: ${{ inputs.aws_ecs_container_mem }} + AWS_ECS_CONTAINER_USER: ${{ inputs.aws_ecs_container_user }} AWS_ECS_NODE_COUNT: ${{ inputs.aws_ecs_node_count }} AWS_ECS_APP_IMAGE: ${{ inputs.aws_ecs_app_image }} AWS_ECS_SECURITY_GROUP_NAME: ${{ inputs.aws_ecs_security_group_name }} diff --git a/operations/_scripts/generate/generate_vars_terraform.sh b/operations/_scripts/generate/generate_vars_terraform.sh index bd3d45294..b84eebb23 100644 --- a/operations/_scripts/generate/generate_vars_terraform.sh +++ b/operations/_scripts/generate/generate_vars_terraform.sh @@ -370,7 +370,8 @@ if [[ $(alpha_only "$AWS_ECS_ENABLE") == true ]]; then aws_ecs_task_cpu=$(generate_var aws_ecs_task_cpu $AWS_ECS_TASK_CPU) aws_ecs_task_mem=$(generate_var aws_ecs_task_mem $AWS_ECS_TASK_MEM) aws_ecs_container_cpu=$(generate_var aws_ecs_container_cpu $AWS_ECS_CONTAINER_CPU) - aws_ecs_container_cpu=$(generate_var aws_ecs_container_mem $AWS_ECS_CONTAINER_MEM) + aws_ecs_container_mem=$(generate_var aws_ecs_container_mem $AWS_ECS_CONTAINER_MEM) + aws_ecs_container_user=$(generate_var aws_ecs_container_user $AWS_ECS_CONTAINER_USER) aws_ecs_node_count=$(generate_var aws_ecs_node_count $AWS_ECS_NODE_COUNT) aws_ecs_app_image=$(generate_var aws_ecs_app_image $AWS_ECS_APP_IMAGE) aws_ecs_env_vars=$(generate_var aws_ecs_env_vars $AWS_ECS_ENV_VARS ) @@ -776,6 +777,7 @@ $aws_ecs_task_cpu $aws_ecs_task_mem $aws_ecs_container_cpu $aws_ecs_container_mem +$aws_ecs_container_user $aws_ecs_node_count $aws_ecs_app_image $aws_ecs_env_vars diff --git a/operations/deployment/terraform/aws/aws_variables.tf b/operations/deployment/terraform/aws/aws_variables.tf index 01b261106..e002d9211 100644 --- a/operations/deployment/terraform/aws/aws_variables.tf +++ b/operations/deployment/terraform/aws/aws_variables.tf 
@@ -1656,6 +1656,12 @@ variable "aws_ecs_container_mem" { default = "" } +variable "aws_ecs_container_user" { + type = string + description = "Container User" + default = "" +} + variable "aws_ecs_node_count" { type = string description = "Node count for ECS Cluster" diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 32fa0e635..5396bb07c 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -585,6 +585,7 @@ module "aws_ecs" { aws_ecs_task_mem = var.aws_ecs_task_mem aws_ecs_container_cpu = var.aws_ecs_container_cpu aws_ecs_container_mem = var.aws_ecs_container_mem + aws_ecs_container_user = var.aws_ecs_container_user aws_ecs_node_count = var.aws_ecs_node_count aws_ecs_app_image = var.aws_ecs_app_image aws_ecs_security_group_name = var.aws_ecs_security_group_name diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf index 4d57dea75..efe5aa83c 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf @@ -65,7 +65,7 @@ resource "aws_ecs_task_definition" "ecs_task" { "cpu" : local.aws_ecs_container_cpu[count.index], "memory" : local.aws_ecs_container_mem[count.index], "essential" : true, - "user" : "0", + "user" : var.aws_ecs_container_user != "" ? var.aws_ecs_container_user : null, "networkMode" : "awsvpc", "portMappings" : length(local.aws_ecs_container_port) > 0 ? [ { diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf index 30011482c..4f6d3b939 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf 
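Review bot: `aws_ecs_container_user` is interpolated unchecked into the container definition's `user` field in the `aws_ecs.tf` hunk on this same line, and its description `"Container User"` is thinner than what the README promises. A `validation` block on the variable rejects malformed values at plan time instead of at task launch, and the description should say that an empty value leaves `user` unset, i.e. whatever the image declares (often root), so operators know when to set it. The variable block is complete within the hunk; the validation below is a constructed example and the regex should be checked against the forms the README lists.
```hcl
variable "aws_ecs_container_user" {
  type        = string
  description = "User the container runs as: user, user:group, uid, uid:gid, user:gid or uid:group. Empty leaves the image default user."
  default     = ""
  validation {
    condition     = var.aws_ecs_container_user == "" || can(regex("^[^:\\s]+(:[^:\\s]+)?$", var.aws_ecs_container_user))
    error_message = "aws_ecs_container_user must be user, user:group, uid, uid:gid, user:gid or uid:group."
  }
}
```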
@@ -11,6 +11,7 @@ variable "aws_ecs_task_cpu" {} variable "aws_ecs_task_mem" {} variable "aws_ecs_container_cpu" {} variable "aws_ecs_container_mem" {} +variable "aws_ecs_container_user" {} variable "aws_ecs_node_count" {} variable "aws_ecs_app_image" {} variable "aws_ecs_security_group_name" {} From 1319726dcd4054cf6e4c6b18332493b6339ce26a Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Wed, 21 Jan 2026 08:43:22 -0300 Subject: [PATCH 18/42] Add dependency --- action.yaml | 4 ++-- .../modules/aws/ecs/aws_ecs_networking.tf | 22 ++++++------------- 2 files changed, 9 insertions(+), 17 deletions(-) diff --git a/action.yaml b/action.yaml index 7ab90de6b..00fbe662d 100644 --- a/action.yaml +++ b/action.yaml @@ -1006,10 +1006,10 @@ inputs: description: 'Min ammount of nodes to scale down to.' required: false aws_ecs_autoscaling_max_mem: - description: 'Some' + description: 'Max ammount of mem to scale up to.' required: false aws_ecs_autoscaling_max_cpu: - description: 'Some' + description: 'Max ammount of cou to scale up to.' required: false aws_ecs_cloudwatch_enable: description: 'Toggle cloudwatch for ECS. Defaults to false' diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf index 515e305f8..cee13d027 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf @@ -87,9 +87,9 @@ resource "aws_alb_listener" "lb_listener_ssl" { type = "forward" } lifecycle { - replace_triggered_by = [null_resource.http_redirect_dep.id] + replace_triggered_by = [null_resource.http_redirect_dep.id,aws_alb_target_group.lb_targets] } - depends_on = [aws_alb_listener.http_redirect] + depends_on = [aws_alb_listener.http_redirect, aws_alb_target_group.lb_targets] } resource "aws_alb_listener" "lb_listener" { 
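Review bot: The replacement descriptions carry typos: `'Max ammount of mem to scale up to.'` and `'Max ammount of cou to scale up to.'`. Suggest `description: 'Max amount of memory to scale up to.'` and `description: 'Max amount of CPU to scale up to.'`. The `aws_ecs_autoscaling_min_*` context line above them has the same `ammount` spelling but is outside the change.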
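Review bot: Putting the whole `aws_alb_target_group.lb_targets` resource into `replace_triggered_by` (here and in the `@@ -102` hunk on the next line) makes Terraform destroy and recreate the HTTPS listener on any planned change to the target group, as I read the lifecycle docs — a health-check or tag update, not only a replacement — so traffic on 443 is dropped for changes that never required it. If the goal is to follow target-group recreation, referencing an attribute that changes only then is narrower, e.g. `replace_triggered_by = [null_resource.http_redirect_dep.id, aws_alb_target_group.lb_targets[0].id]`; the added `depends_on` entries already handle creation ordering. The list spacing also differs between `.id,aws_alb_target_group` here and the `depends_on` line right below it. The `aws_alb_listener "lb_listener_ssl"` block starts before the hunk.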
@@ -102,7 +102,7 @@ resource "aws_alb_listener" "lb_listener" { type = "forward" } lifecycle { - replace_triggered_by = [null_resource.http_redirect_dep.id] + replace_triggered_by = [null_resource.http_redirect_dep.id,aws_alb_target_group.lb_targets] } depends_on = [aws_alb_listener.http_redirect] } @@ -138,10 +138,7 @@ resource "aws_alb_listener" "http_redirect" { status_code = "HTTP_301" } } - depends_on = [ - aws_alb.ecs_lb, - aws_alb_target_group.lb_targets - ] + depends_on = [aws_alb.ecs_lb,aws_alb_target_group.lb_targets] } resource "aws_alb_listener" "http_forward" { @@ -154,10 +151,7 @@ resource "aws_alb_listener" "http_forward" { type = "forward" target_group_arn = aws_alb_target_group.lb_targets[0].id } - depends_on = [ - aws_alb.ecs_lb, - aws_alb_target_group.lb_targets - ] + depends_on = [aws_alb.ecs_lb, aws_alb_target_group.lb_targets] } resource "aws_security_group_rule" "incoming_alb_http" { @@ -184,6 +178,7 @@ resource "aws_alb_listener" "https_redirect" { target_group_arn = aws_alb_target_group.lb_targets[0].id type = "forward" } + depends_on = [aws_alb_target_group.lb_targets] } resource "aws_alb_listener_rule" "redirect_based_on_path_for_http" { @@ -221,10 +216,7 @@ resource "aws_alb_listener" "http_www_redirect" { status_code = "404" } } - depends_on = [ - aws_alb.ecs_lb, - aws_alb_target_group.lb_targets - ] + depends_on = [aws_alb.ecs_lb,aws_alb_target_group.lb_targets] } resource "aws_lb_listener_rule" "http_forward_apex" { From b42c1e63f16b33520abc6d56342c33133c477c22 Mon Sep 17 00:00:00 2001 
From: LeoDiazL Date: Wed, 21 Jan 2026 13:19:32 -0300 Subject: [PATCH 19/42] Add missing role variables --- README.md | 4 +++- action.yaml | 10 +++++++++- .../_scripts/generate/generate_vars_terraform.sh | 4 ++++ .../deployment/terraform/aws/aws_variables.tf | 14 +++++++++++++- operations/deployment/terraform/aws/bitovi_main.tf | 2 ++ .../terraform/modules/aws/ecs/aws_ecs.tf | 12 +++++++++--- .../modules/aws/ecs/aws_ecs_networking.tf | 8 ++++---- .../terraform/modules/aws/ecs/aws_ecs_vars.tf | 2 ++ 8 files changed, 46 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 714e8076d..ffb038a90 100644 --- a/README.md +++ b/README.md 
@@ -482,7 +482,9 @@ The following inputs can be used as `step.with` keys | `aws_ecs_task_type`| String | Configuration type. Could be `EC2`, `FARGATE` or empty. Will default to `aws_ecs_service_launch_type` if none defined. (Blank if `EXTERNAL`). | | `aws_ecs_task_name`| String | Elastic Container Service task name. If task is defined with a JSON file, should be the same as the container name. | | `aws_ecs_task_ignore_definition`| Boolean | Toggle to ignore task definition changes after first deployment. Useful when using external tools to manage the task definition. Default: `false`. | -| `aws_ecs_task_execution_role`| String | Elastic Container Service task execution role name from IAM. Defaults to `ecsTaskExecutionRole`. | +| `aws_ecs_task_execution_role`| String | Task execution role name that the Amazon ECS container agent and the Docker daemon can assume. Defaults to `ecsTaskExecutionRole`. | +| `aws_ecs_task_role` | String | Name of the IAM role that allows your Amazon ECS container task to make calls to other AWS services. If `aws_ecs_efs_transit_encryption` is enabled and none defined, will use the `aws_ecs_task_execution_role`. | +| `aws_ecs_task_reuse_role` | Boolean | Toggle reusing the task execution role as the task role. | | `aws_ecs_task_json_definition_file`| String | Name of the json file containing task definition. Overrides every other input. | | `aws_ecs_task_network_mode`| String | Network type to use in task definition. One of `none`, `bridge`, `awsvpc`, and `host`. | | `aws_ecs_task_cpu`| String | Task CPU Amount. | diff --git a/action.yaml b/action.yaml index 00fbe662d..926b2befb 100644 --- a/action.yaml +++ b/action.yaml 
@@ -943,7 +943,13 @@ inputs: description: 'Toggle to ignore task definition changes after first deployment. Useful when using external tools to manage the task definition.' required: false aws_ecs_task_execution_role: - description: 'Elastic Container Service task execution role name from IAM. Defaults to "ecsTaskExecutionRole"' + description: 'Task execution role name that the Amazon ECS container agent and the Docker daemon can assume' + required: false + aws_ecs_task_role: + description: 'Name of the IAM role that allows your Amazon ECS container task to make calls to other AWS services' + required: false + aws_ecs_task_reuse_role: + description: 'Toggle reusing the task execution role as the task role.' required: false aws_ecs_task_json_definition_file: description: 'Name of the json file containing task definition. Overrides every other input.' @@ -1655,6 +1661,8 @@ runs: AWS_ECS_TASK_NAME: ${{ inputs.aws_ecs_task_name }} AWS_ECS_TASK_IGNORE_DEFINITION: ${{ inputs.aws_ecs_task_ignore_definition }} AWS_ECS_TASK_EXECUTION_ROLE: ${{ inputs.aws_ecs_task_execution_role }} + AWS_ECS_TASK_ROLE: ${{ inputs.aws_ecs_task_role }} + AWS_ECS_TASK_REUSE_ROLE: ${{ inputs.aws_ecs_task_reuse_role }} AWS_ECS_TASK_JSON_DEFINITION_FILE: ${{ inputs.aws_ecs_task_json_definition_file }} AWS_ECS_TASK_NETWORK_MODE: ${{ inputs.aws_ecs_task_network_mode }} AWS_ECS_TASK_CPU: ${{ inputs.aws_ecs_task_cpu }} diff --git a/operations/_scripts/generate/generate_vars_terraform.sh b/operations/_scripts/generate/generate_vars_terraform.sh index b84eebb23..d2322570a 100644 --- a/operations/_scripts/generate/generate_vars_terraform.sh +++ b/operations/_scripts/generate/generate_vars_terraform.sh 
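Review bot: The rewritten `aws_ecs_task_execution_role` description drops the default that the README row in this same commit still states (`Defaults to ecsTaskExecutionRole`), and the new `aws_ecs_task_reuse_role` description does not say what reusing implies for the containers. Suggest `description: 'Task execution role name that the Amazon ECS container agent and the Docker daemon can assume. Created if empty.'` and `description: 'Toggle reusing the task execution role as the task role. Grants the containers the execution role permissions; prefer aws_ecs_task_role.'`. From the module hunk in this commit, an empty execution-role name leads to a role named `${var.aws_resource_identifier}-ecs` being created rather than an existing `ecsTaskExecutionRole` being looked up, so the README wording may be stale as well.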
@@ -365,6 +365,8 @@ if [[ $(alpha_only "$AWS_ECS_ENABLE") == true ]]; then aws_ecs_task_name=$(generate_var aws_ecs_task_name $AWS_ECS_TASK_NAME) aws_ecs_task_ignore_definition=$(generate_var aws_ecs_task_ignore_definition $AWS_ECS_TASK_IGNORE_DEFINITION) aws_ecs_task_execution_role=$(generate_var aws_ecs_task_execution_role $AWS_ECS_TASK_EXECUTION_ROLE) + aws_ecs_task_role=$(generate_var aws_ecs_task_role $AWS_ECS_TASK_ROLE) + aws_ecs_task_reuse_role=$(generate_var aws_ecs_task_reuse_role $AWS_ECS_TASK_REUSE_ROLE) aws_ecs_task_json_definition_file=$(generate_var aws_ecs_task_json_definition_file $AWS_ECS_TASK_JSON_DEFINITION_FILE) aws_ecs_task_network_mode=$(generate_var aws_ecs_task_network_mode $AWS_ECS_TASK_NETWORK_MODE) aws_ecs_task_cpu=$(generate_var aws_ecs_task_cpu $AWS_ECS_TASK_CPU) @@ -771,6 +773,8 @@ $aws_ecs_task_type $aws_ecs_task_name $aws_ecs_task_ignore_definition $aws_ecs_task_execution_role +$aws_ecs_task_role +$aws_ecs_task_reuse_role $aws_ecs_task_json_definition_file $aws_ecs_task_network_mode $aws_ecs_task_cpu diff --git a/operations/deployment/terraform/aws/aws_variables.tf b/operations/deployment/terraform/aws/aws_variables.tf index e002d9211..442a4753c 100644 --- a/operations/deployment/terraform/aws/aws_variables.tf +++ b/operations/deployment/terraform/aws/aws_variables.tf @@ -1620,6 +1620,18 @@ variable "aws_ecs_task_execution_role" { default = "" } +variable "aws_ecs_task_role" { + type = string + description = "Elastic Container Service task role name." + default = "" +} + +variable "aws_ecs_task_reuse_role" { + type = bool + description = "Toggle reusing the task execution role as the task role" + default = false +} + variable "aws_ecs_task_json_definition_file" { type = string description = "Filename for json file containing ECS conteiner definitions" 
@@ -1820,7 +1832,7 @@ variable "aws_ecs_efs_readonly" { variable "aws_ecs_efs_iam" { type = bool - description = "Whether or not to use the ECS task IAM role defined in a task definition when mounting the FS. Defaults to false. (DISABLED) " + description = "Whether or not to use the IAM role defined in a task definition when mounting the FS. Defaults to false. (DISABLED) " default = true } diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 5396bb07c..965c235ad 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -579,6 +579,8 @@ module "aws_ecs" { aws_ecs_task_name = var.aws_ecs_task_name aws_ecs_task_ignore_definition = var.aws_ecs_task_ignore_definition aws_ecs_task_execution_role = var.aws_ecs_task_execution_role + aws_ecs_task_role = var.aws_ecs_task_role + aws_ecs_task_reuse_role = var.aws_ecs_task_reuse_role aws_ecs_task_json_definition_file = var.aws_ecs_task_json_definition_file aws_ecs_task_network_mode = var.aws_ecs_task_network_mode aws_ecs_task_cpu = var.aws_ecs_task_cpu diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf index efe5aa83c..f95b70900 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf 
@@ -25,6 +25,7 @@ locals { aws_ecs_task_json_definition_file = var.aws_ecs_task_json_definition_file != "" ? [for n in split(",", var.aws_ecs_task_json_definition_file) : n] : [] ecsTaskExecutionRole = var.aws_ecs_task_execution_role != "" ? data.aws_iam_role.ecsTaskExecutionRole[0].arn : aws_iam_role.ecsTaskExecutionRole[0].arn + ecsTaskRole = var.aws_ecs_task_role != "" ? data.aws_iam_role.ecsTaskRole[0].arn : var.aws_ecs_efs_iam ? local.ecsTaskExecutionRole : "" # Calculate tasks_count early to avoid circular dependency tasks_count = var.aws_ecs_task_ignore_definition ? 1 : length(local.aws_ecs_app_image) + length(local.aws_ecs_task_json_definition_file) @@ -39,7 +40,7 @@ resource "aws_ecs_task_definition" "ecs_task" { cpu = local.aws_ecs_task_cpu[count.index] memory = local.aws_ecs_task_mem[count.index] execution_role_arn = local.ecsTaskExecutionRole - task_role_arn = local.ecsTaskExecutionRole # <-- Add this line + task_role_arn = var.aws_ecs_task_reuse_role ? local.ecsTaskExecutionRole : local.ecsTaskRole dynamic "volume" { for_each = var.aws_ecs_efs_fs_id != null ? [1] : [] content { @@ -107,7 +108,7 @@ resource "aws_ecs_task_definition" "ecs_task_from_json" { cpu = local.aws_ecs_task_cpu[count.index + length(local.aws_ecs_app_image)] memory = local.aws_ecs_task_mem[count.index + length(local.aws_ecs_app_image)] execution_role_arn = local.ecsTaskExecutionRole - task_role_arn = local.ecsTaskExecutionRole # <-- Add this line + task_role_arn = var.aws_ecs_task_reuse_role ? local.ecsTaskExecutionRole : local.ecsTaskRole dynamic "volume" { for_each = var.aws_ecs_efs_fs_id != null ? [1] : [] content { 
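Review bot: `task_role_arn = var.aws_ecs_task_reuse_role ? local.ecsTaskExecutionRole : local.ecsTaskRole` hands the running containers the execution role whenever `aws_ecs_task_reuse_role` is set, and the new `ecsTaskRole` local does the same silently whenever `aws_ecs_efs_iam` is on and no task role is given; the execution role carries ECR pull, log and (if attached) secret-read permissions that application code does not need, so the fallback deserves a comment such as `# reuse grants the containers the execution role's permissions (ECR/logs/secrets); prefer a dedicated task role`. When neither path applies the local evaluates to `""`, and it is not clear from here that the provider treats an empty `task_role_arn` as unset rather than as an invalid ARN; `null` is the unambiguous choice, e.g. `task_role_arn = var.aws_ecs_task_reuse_role ? local.ecsTaskExecutionRole : (local.ecsTaskRole != "" ? local.ecsTaskRole : null)`. The same `task_role_arn` line is repeated in the `ecs_task_from_json` hunk here and in the `aws_ecs_task_ignore_definition` hunk that follows. All three task-definition blocks continue past their hunks.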
@@ -135,7 +136,7 @@ resource "aws_ecs_task_definition" "aws_ecs_task_ignore_definition" { cpu = local.aws_ecs_task_cpu[count.index] memory = local.aws_ecs_task_mem[count.index] execution_role_arn = local.ecsTaskExecutionRole - task_role_arn = local.ecsTaskExecutionRole + task_role_arn = var.aws_ecs_task_reuse_role ? local.ecsTaskExecutionRole : local.ecsTaskRole dynamic "volume" { for_each = var.aws_ecs_efs_fs_id != null ? [1] : [] content { @@ -242,6 +243,11 @@ data "aws_iam_role" "ecsTaskExecutionRole" { name = var.aws_ecs_task_execution_role } +data "aws_iam_role" "ecsTaskRole" { + count = var.aws_ecs_task_role != "" ? 1 : 0 + name = var.aws_ecs_task_role +} + resource "aws_iam_role" "ecsTaskExecutionRole" { count = var.aws_ecs_task_execution_role != "" ? 0 : 1 name = "${var.aws_resource_identifier}-ecs" diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf index cee13d027..e1c84ac93 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf @@ -87,7 +87,7 @@ resource "aws_alb_listener" "lb_listener_ssl" { type = "forward" } lifecycle { - replace_triggered_by = [null_resource.http_redirect_dep.id,aws_alb_target_group.lb_targets] + replace_triggered_by = [null_resource.http_redirect_dep.id, aws_alb_target_group.lb_targets] } depends_on = [aws_alb_listener.http_redirect, aws_alb_target_group.lb_targets] } @@ -102,7 +102,7 @@ resource "aws_alb_listener" "lb_listener" { type = "forward" } lifecycle { - replace_triggered_by = [null_resource.http_redirect_dep.id,aws_alb_target_group.lb_targets] + replace_triggered_by = [null_resource.http_redirect_dep.id, aws_alb_target_group.lb_targets] } depends_on = [aws_alb_listener.http_redirect] } 
@@ -138,7 +138,7 @@ resource "aws_alb_listener" "http_redirect" { status_code = "HTTP_301" } } - depends_on = [aws_alb.ecs_lb,aws_alb_target_group.lb_targets] + depends_on = [aws_alb.ecs_lb, aws_alb_target_group.lb_targets] } resource "aws_alb_listener" "http_forward" { @@ -216,7 +216,7 @@ resource "aws_alb_listener" "http_www_redirect" { status_code = "404" } } - depends_on = [aws_alb.ecs_lb,aws_alb_target_group.lb_targets] + depends_on = [aws_alb.ecs_lb, aws_alb_target_group.lb_targets] } resource "aws_lb_listener_rule" "http_forward_apex" { diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf index 4f6d3b939..53602ac3e 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf @@ -5,6 +5,8 @@ variable "aws_ecs_task_type" {} variable "aws_ecs_task_name" {} variable "aws_ecs_task_ignore_definition" {} variable "aws_ecs_task_execution_role" {} +variable "aws_ecs_task_role" {} +variable "aws_ecs_task_reuse_role" {} variable "aws_ecs_task_json_definition_file" {} variable "aws_ecs_task_network_mode" {} variable "aws_ecs_task_cpu" {} From 45a82cc40df183d014b11173a696de32dc209ad9 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Wed, 21 Jan 2026 15:34:56 -0300 Subject: [PATCH 20/42] Fixing aws_variables and README --- README.md | 4 ++-- operations/deployment/terraform/aws/aws_variables.tf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index ffb038a90..b724e9884 100644 --- a/README.md +++ b/README.md 
@@ -483,7 +483,7 @@ The following inputs can be used as `step.with` keys | `aws_ecs_task_name`| String | Elastic Container Service task name. If task is defined with a JSON file, should be the same as the container name. | | `aws_ecs_task_ignore_definition`| Boolean | Toggle to ignore task definition changes after first deployment. Useful when using external tools to manage the task definition. Default: `false`. | | `aws_ecs_task_execution_role`| String | Task execution role name that the Amazon ECS container agent and the Docker daemon can assume. Defaults to `ecsTaskExecutionRole`. | -| `aws_ecs_task_role` | String | Name of the IAM role that allows your Amazon ECS container task to make calls to other AWS services. If `aws_ecs_efs_transit_encryption` is enabled and none defined, will use the `aws_ecs_task_execution_role`. | +| `aws_ecs_task_role` | String | IAM role name that allows your Amazon ECS container task to make calls to other AWS services. When mounting an EFS volume and `aws_ecs_efs_iam` is enabled, will use the `aws_ecs_task_execution_role` if none defined. | | `aws_ecs_task_reuse_role` | Boolean | Toggle reusing the task execution role as the task role. | | `aws_ecs_task_json_definition_file`| String | Name of the json file containing task definition. Overrides every other input. | | `aws_ecs_task_network_mode`| String | Network type to use in task definition. One of `none`, `bridge`, `awsvpc`, and `host`. | 
@@ -518,7 +518,7 @@ The following inputs can be used as `step.with` keys | `aws_ecs_efs_access_point_id` | String | EFS Volume Access Point ID to use. | | `aws_ecs_efs_container_path` | String | Directory path within container to mount the EFS volume to. Defaults to`/mnt/efs` | | `aws_ecs_efs_readonly` | Boolean | Whether the EFS volume is mounted as read-only. Defaults to `false`. | -| `aws_ecs_efs_iam` | Boolean | Whether or not to use the ECS task IAM role defined in a task definition when mounting the FS. Defaults to `false`. (DISABLED) | +| `aws_ecs_efs_iam` | Boolean | Whether or not to use the ECS task IAM role defined in a task definition when mounting the FS. Defaults to `false`. (DISABLED) - Needs `aws_ecs_efs_transit_encryption` | | `aws_ecs_additional_tags`| JSON | Add additional tags to the terraform [default tags](https://www.hashicorp.com/blog/default-tags-in-the-terraform-aws-provider), any tags put here will be added to ECS provisioned resources.|

diff --git a/operations/deployment/terraform/aws/aws_variables.tf b/operations/deployment/terraform/aws/aws_variables.tf index 442a4753c..353d05396 100644 --- a/operations/deployment/terraform/aws/aws_variables.tf +++ b/operations/deployment/terraform/aws/aws_variables.tf @@ -1833,7 +1833,7 @@ variable "aws_ecs_efs_readonly" { variable "aws_ecs_efs_iam" { type = bool description = "Whether or not to use the IAM role defined in a task definition when mounting the FS. Defaults to false. (DISABLED) " - default = true + default = false } variable "aws_ecs_additional_tags" { From df885db8c4732a91890196144891cd0b68a137d5 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Wed, 21 Jan 2026 15:36:15 -0300 Subject: [PATCH 21/42] Cleanup --- operations/deployment/terraform/aws/bitovi_main.tf | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 965c235ad..2cfb7d69b 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -60,20 +60,6 @@ module "efs_to_ec2_sg" { depends_on = [module.ec2, module.efs] } -#module "efs_to_ecs_sg" { -# source = "../modules/aws/sg/add_rule" -# count = var.aws_ec2_instance_create && var.aws_efs_enable && (var.aws_efs_fs_id == null) ? 1 : 0 -# # Inputs -# sg_type = "ingress" -# sg_rule_description = "${var.aws_resource_identifier} - ECS Incoming" -# sg_rule_from_port = 2049 -# sg_rule_to_port = 2049 -# sg_rule_protocol = "tcp" -# source_security_group_id = try(module.efs[0].aws_efs_sg_id) -# target_security_group_id = module.ecs[0].ecs_sg_id -# depends_on = [module.ecs, module.efs] -#} - module "aws_certificates" { source = "../modules/aws/certificates" count = (var.aws_ec2_instance_create || var.aws_ecs_enable) && var.aws_r53_enable_cert && var.aws_r53_cert_arn == "" && var.aws_r53_domain_name != "" ? 1 : 0 
From b9650700b3404541b2aba8a856db84c24c147387 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Wed, 21 Jan 2026 15:37:02 -0300 Subject: [PATCH 22/42] Cleanup aws_ecs --- .../terraform/modules/aws/ecs/aws_ecs.tf | 22 ------------------- 1 file changed, 22 deletions(-) diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf index f95b70900..0b020069e 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf @@ -271,25 +271,3 @@ resource "aws_iam_policy_attachment" "ecsTaskExecutionRolePolicy" { roles = [aws_iam_role.ecsTaskExecutionRole[0].name] policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" } - -#resource "aws_iam_role_policy" "efs" { -# count = var.aws_ecs_task_execution_role != "" && var.aws_ecs_efs_fs_id != null ? 0 : 1 -# role = aws_iam_role.ecsTaskExecutionRole[0].name -# -# policy = jsonencode({ -# Version = "2012-10-17" -# Statement = [{ -# Effect = "Allow" -# Action = [ -# "elasticfilesystem:ClientMount", -# "elasticfilesystem:ClientWrite" -# ] -# Resource = data.aws_efs_file_system.efs[0].arn -# }] -# }) -#} -# -#data "aws_efs_file_system" "efs" { -# count = var.aws_ecs_efs_fs_id != null ? 1 : 0 -# file_system_id = var.aws_ecs_efs_fs_id -#} \ No newline at end of file From 5231439d81675bde6ca4d9f39e428e61f14de1f1 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Fri, 23 Jan 2026 08:40:01 -0300 Subject: [PATCH 23/42] Add EFS specific ECS policy --- .../terraform/modules/aws/ecs/aws_ecs.tf | 58 ++++++++++++++++++- 1 file changed, 57 insertions(+), 1 deletion(-) diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf index 0b020069e..cecc246be 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf 
@@ -25,7 +25,7 @@ locals { aws_ecs_task_json_definition_file = var.aws_ecs_task_json_definition_file != "" ? [for n in split(",", var.aws_ecs_task_json_definition_file) : n] : [] ecsTaskExecutionRole = var.aws_ecs_task_execution_role != "" ? data.aws_iam_role.ecsTaskExecutionRole[0].arn : aws_iam_role.ecsTaskExecutionRole[0].arn - ecsTaskRole = var.aws_ecs_task_role != "" ? data.aws_iam_role.ecsTaskRole[0].arn : var.aws_ecs_efs_iam ? local.ecsTaskExecutionRole : "" + ecsTaskRole = var.aws_ecs_task_role != "" ? data.aws_iam_role.ecsTaskRole[0].arn : (var.aws_ecs_efs_iam ? aws_iam_role.ecsTaskRole[0].arn : "") # Calculate tasks_count early to avoid circular dependency tasks_count = var.aws_ecs_task_ignore_definition ? 1 : length(local.aws_ecs_app_image) + length(local.aws_ecs_task_json_definition_file) 
@@ -271,3 +271,59 @@ resource "aws_iam_policy_attachment" "ecsTaskExecutionRolePolicy" { roles = [aws_iam_role.ecsTaskExecutionRole[0].name] policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" } + +# Task Role for EFS access +resource "aws_iam_role" "ecsTaskRole" { + count = var.aws_ecs_task_role != "" || !var.aws_ecs_efs_iam ? 0 : 1 + name = "${var.aws_resource_identifier}-ecs-task" + assume_role_policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Principal" : { + "Service" : "ecs-tasks.amazonaws.com" + }, + "Action" : "sts:AssumeRole" + } + ] + }) +} + +# EFS Access Policy for Task Role +resource "aws_iam_policy" "ecsTaskRoleEFSPolicy" { + count = var.aws_ecs_efs_fs_id != null && var.aws_ecs_efs_iam ? 1 : 0 + name = "${var.aws_resource_identifier}-ecs-task-efs-policy" + description = "Policy to allow ECS task to access EFS file system ${var.aws_ecs_efs_fs_id}" + + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Action" : [ + "elasticfilesystem:ClientMount", + "elasticfilesystem:ClientWrite", + "elasticfilesystem:ClientRootAccess" + ], + "Resource" : "arn:aws:elasticfilesystem:${var.aws_region_current_name}:${data.aws_caller_identity.current.account_id}:file-system/${var.aws_ecs_efs_fs_id}", + "Condition" : { + "StringEquals" : { + "elasticfilesystem:AccessPointArn" : var.aws_ecs_efs_access_point_id != null ? "arn:aws:elasticfilesystem:${var.aws_region_current_name}:${data.aws_caller_identity.current.account_id}:access-point/${var.aws_ecs_efs_access_point_id}" : "" + } + } + } + ] + }) +} + +resource "aws_iam_policy_attachment" "ecsTaskRoleEFSPolicyAttachment" { + count = var.aws_ecs_efs_fs_id != null && var.aws_ecs_efs_iam && var.aws_ecs_task_role == "" ? 
1 : 0 + name = "ECSTaskRoleEFSPolicyAttachment" + roles = [aws_iam_role.ecsTaskRole[0].name] + policy_arn = aws_iam_policy.ecsTaskRoleEFSPolicy[0].arn +} + +# Data source to get current AWS account ID +data "aws_caller_identity" "current" {} + From 6b25e76675007a3b8902decfbdcf76b8fa318d0f Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Fri, 23 Jan 2026 09:07:12 -0300 Subject: [PATCH 24/42] Adding EFS to ECS --- README.md | 2 +- .../deployment/terraform/aws/bitovi_main.tf | 16 +++++++++++++++- .../terraform/modules/aws/ecs/aws_ecs.tf | 2 +- 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index b724e9884..c56994d1d 100644 --- a/README.md +++ b/README.md 
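Review bot: The `Condition` in the new `ecsTaskRoleEFSPolicy` compares `elasticfilesystem:AccessPointArn` against `""` when no access point is configured, and because that key is absent from a plain file-system mount `StringEquals` never matches, so with `aws_ecs_efs_iam` enabled and no access point the task ends up with no EFS permission at all. The condition should be emitted only when `aws_ecs_efs_access_point_id` is set (sketched below with one `jsonencode` per branch so the conditional stays consistently typed), and `elasticfilesystem:ClientRootAccess` should be dropped unless the containers must write as root, since without it EFS root-squashes the mount, which is the safer default. The policy's `count` also lacks the `var.aws_ecs_task_role == ""` term the attachment has, so supplying an external task role still creates an unattached policy named `${var.aws_resource_identifier}-ecs-task-efs-policy`. `aws_iam_policy_attachment` is exclusive and detaches the policy from any other entity; `aws_iam_role_policy_attachment` is the usual non-exclusive choice.
```hcl
resource "aws_iam_policy" "ecsTaskRoleEFSPolicy" {
  count = var.aws_ecs_efs_fs_id != null && var.aws_ecs_efs_iam && var.aws_ecs_task_role == "" ? 1 : 0
  # … unchanged: name, description …
  # Two encodings rather than one object with an optional key: both branches of
  # the conditional must have the same type, and the access-point Condition is
  # only valid when an access point exists (an empty StringEquals never matches).
  # ClientRootAccess is deliberately omitted so EFS root-squashes the mount.
  policy = var.aws_ecs_efs_access_point_id != null ? jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [{
      "Effect" : "Allow",
      "Action" : ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
      "Resource" : "arn:aws:elasticfilesystem:${var.aws_region_current_name}:${data.aws_caller_identity.current.account_id}:file-system/${var.aws_ecs_efs_fs_id}",
      "Condition" : {
        "StringEquals" : {
          "elasticfilesystem:AccessPointArn" : "arn:aws:elasticfilesystem:${var.aws_region_current_name}:${data.aws_caller_identity.current.account_id}:access-point/${var.aws_ecs_efs_access_point_id}"
        }
      }
    }]
  }) : jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [{
      "Effect" : "Allow",
      "Action" : ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
      "Resource" : "arn:aws:elasticfilesystem:${var.aws_region_current_name}:${data.aws_caller_identity.current.account_id}:file-system/${var.aws_ecs_efs_fs_id}"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "ecsTaskRoleEFSPolicyAttachment" {
  count      = var.aws_ecs_efs_fs_id != null && var.aws_ecs_efs_iam && var.aws_ecs_task_role == "" ? 1 : 0
  role       = aws_iam_role.ecsTaskRole[0].name
  policy_arn = aws_iam_policy.ecsTaskRoleEFSPolicy[0].arn
}
```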
@@ -483,7 +483,7 @@ The following inputs can be used as `step.with` keys | `aws_ecs_task_name`| String | Elastic Container Service task name. If task is defined with a JSON file, should be the same as the container name. | | `aws_ecs_task_ignore_definition`| Boolean | Toggle to ignore task definition changes after first deployment. Useful when using external tools to manage the task definition. Default: `false`. | | `aws_ecs_task_execution_role`| String | Task execution role name that the Amazon ECS container agent and the Docker daemon can assume. Defaults to `ecsTaskExecutionRole`. | -| `aws_ecs_task_role` | String | IAM role name that allows your Amazon ECS container task to make calls to other AWS services. When mounting an EFS volume and `aws_ecs_efs_iam` is enabled, will use the `aws_ecs_task_execution_role` if none defined. | +| `aws_ecs_task_role` | String | IAM role name that allows your Amazon ECS container task to make calls to other AWS services. When mounting an EFS volume and `aws_ecs_efs_iam` is enabled, will create one specific for that volume if none defined. | | `aws_ecs_task_reuse_role` | Boolean | Toggle reusing the task execution role as the task role. | | `aws_ecs_task_json_definition_file`| String | Name of the json file containing task definition. Overrides every other input. | | `aws_ecs_task_network_mode`| String | Network type to use in task definition. One of `none`, `bridge`, `awsvpc`, and `host`. | diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 2cfb7d69b..b5ff85b3c 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf 
@@ -593,7 +593,7 @@ module "aws_ecs" { aws_ecs_cloudwatch_lg_name = var.aws_ecs_cloudwatch_enable ? (var.aws_ecs_cloudwatch_lg_name != null ? var.aws_ecs_cloudwatch_lg_name : "${var.aws_resource_identifier}-ecs-logs") : null aws_ecs_cloudwatch_skip_destroy = var.aws_ecs_cloudwatch_skip_destroy aws_ecs_cloudwatch_retention_days = var.aws_ecs_cloudwatch_retention_days - aws_ecs_efs_fs_id = var.aws_ecs_efs_fs_id + aws_ecs_efs_fs_id = var.aws_efs_enable ? try(module.efs[0].efs_fs_id, "") : var.aws_ecs_efs_fs_id aws_ecs_efs_root_directory = var.aws_ecs_efs_root_directory aws_ecs_efs_transit_encryption = var.aws_ecs_efs_transit_encryption aws_ecs_efs_transit_encryption_port = var.aws_ecs_efs_transit_encryption_port @@ -618,6 +618,20 @@ module "aws_ecs" { } } +#module "efs_to_ecs_sg" { +# source = "../modules/aws/sg/add_rule" +# count = var.aws_ecs_enable && var.aws_efs_enable && (var.aws_efs_fs_id == null) ? 1 : 0 +# # Inputs +# sg_type = "ingress" +# sg_rule_description = "${var.aws_resource_identifier} - ECS Incoming" +# sg_rule_from_port = 2049 +# sg_rule_to_port = 2049 +# sg_rule_protocol = "tcp" +# source_security_group_id = try(module.efs[0].aws_efs_sg_id) +# target_security_group_id = module.aws_ecs[0].aws_ecs_security_group_id +# depends_on = [module.aws_ecs, module.efs] +#} + module "aws_route53_ecs" { source = "../modules/aws/route53" count = var.aws_ecs_enable && var.aws_r53_enable && var.aws_r53_domain_name != "" && (var.aws_ecs_container_port != "" || var.aws_ecs_task_ignore_definition) ? 1 : 0 diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf index cecc246be..27d3c581f 100644 --- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf +++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf 
@@ -295,7 +295,7 @@ resource "aws_iam_policy" "ecsTaskRoleEFSPolicy" { count = var.aws_ecs_efs_fs_id != null && var.aws_ecs_efs_iam ? 1 : 0 name = "${var.aws_resource_identifier}-ecs-task-efs-policy" description = "Policy to allow ECS task to access EFS file system ${var.aws_ecs_efs_fs_id}" - + policy = jsonencode({ "Version" : "2012-10-17", "Statement" : [ From b591f09f954d6238cf00edfb4f5838671adbf8f9 Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Fri, 23 Jan 2026 09:18:58 -0300 Subject: [PATCH 25/42] Fix incoming fs var --- operations/deployment/terraform/aws/bitovi_main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index b5ff85b3c..d50f5f8cb 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -593,7 +593,7 @@ module "aws_ecs" { aws_ecs_cloudwatch_lg_name = var.aws_ecs_cloudwatch_enable ? (var.aws_ecs_cloudwatch_lg_name != null ? var.aws_ecs_cloudwatch_lg_name : "${var.aws_resource_identifier}-ecs-logs") : null aws_ecs_cloudwatch_skip_destroy = var.aws_ecs_cloudwatch_skip_destroy aws_ecs_cloudwatch_retention_days = var.aws_ecs_cloudwatch_retention_days - aws_ecs_efs_fs_id = var.aws_efs_enable ? try(module.efs[0].efs_fs_id, "") : var.aws_ecs_efs_fs_id + aws_ecs_efs_fs_id = var.aws_efs_fs_id #var.aws_efs_enable || var.aws_efs_fs_id ? try(module.efs[0].efs_fs_id, "") : var.aws_ecs_efs_fs_id aws_ecs_efs_root_directory = var.aws_ecs_efs_root_directory aws_ecs_efs_transit_encryption = var.aws_ecs_efs_transit_encryption aws_ecs_efs_transit_encryption_port = var.aws_ecs_efs_transit_encryption_port From f4a44848f95c5e1f8a63dd2d604e8b3e7afcc3be Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Fri, 23 Jan 2026 09:28:07 -0300 Subject: [PATCH 26/42] Add SG Rule --- .../deployment/terraform/aws/bitovi_main.tf | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) 
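Review bot: `aws_ecs_efs_fs_id = var.aws_efs_fs_id` now feeds the ECS module only the root-level EFS id, so the documented `aws_ecs_efs_fs_id` input is no longer read anywhere in this block, and a file system created by `module.efs` when `aws_efs_enable` is set (the removed line's `module.efs[0].efs_fs_id`) is no longer handed to ECS either, unless a later commit restores it. The trailing comment keeps an expression, `var.aws_efs_enable || var.aws_efs_fs_id ? …`, that would not evaluate because `aws_efs_fs_id` is a string used in a boolean position; either make it real, e.g. `aws_ecs_efs_fs_id = var.aws_efs_fs_id != null ? var.aws_efs_fs_id : (var.aws_efs_enable ? module.efs[0].efs_fs_id : var.aws_ecs_efs_fs_id)`, or drop the comment. The `module "aws_ecs"` block starts and ends outside the hunk.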
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index d50f5f8cb..0399a4f12 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf @@ -618,19 +618,19 @@ module "aws_ecs" { } } -#module "efs_to_ecs_sg" { -# source = "../modules/aws/sg/add_rule" -# count = var.aws_ecs_enable && var.aws_efs_enable && (var.aws_efs_fs_id == null) ? 1 : 0 -# # Inputs -# sg_type = "ingress" -# sg_rule_description = "${var.aws_resource_identifier} - ECS Incoming" -# sg_rule_from_port = 2049 -# sg_rule_to_port = 2049 -# sg_rule_protocol = "tcp" -# source_security_group_id = try(module.efs[0].aws_efs_sg_id) -# target_security_group_id = module.aws_ecs[0].aws_ecs_security_group_id -# depends_on = [module.aws_ecs, module.efs] -#} +module "efs_to_ecs_sg" { + source = "../modules/aws/sg/add_rule" + count = var.aws_ecs_enable && var.aws_efs_enable && (var.aws_efs_fs_id == null) ? 1 : 0 + # Inputs + sg_type = "ingress" + sg_rule_description = "${var.aws_resource_identifier} - ECS Incoming" + sg_rule_from_port = 2049 + sg_rule_to_port = 2049 + sg_rule_protocol = "tcp" + source_security_group_id = try(module.efs[0].aws_efs_sg_id) + target_security_group_id = module.aws_ecs[0].aws_ecs_security_group_id + depends_on = [module.aws_ecs, module.efs] +} module "aws_route53_ecs" { source = "../modules/aws/route53" From 4ffe930548fa5197ee6886e016663808f2a85e5c Mon Sep 17 00:00:00 2001 From: LeoDiazL Date: Fri, 23 Jan 2026 09:35:16 -0300 Subject: [PATCH 27/42] Fixing SG Rule var --- operations/deployment/terraform/aws/bitovi_main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf index 0399a4f12..e250b7be2 100644 --- a/operations/deployment/terraform/aws/bitovi_main.tf +++ b/operations/deployment/terraform/aws/bitovi_main.tf 
@@ -628,7 +628,7 @@ module "efs_to_ecs_sg" {
 sg_rule_to_port = 2049
 sg_rule_protocol = "tcp"
 source_security_group_id = try(module.efs[0].aws_efs_sg_id)
- target_security_group_id = module.aws_ecs[0].aws_ecs_security_group_id
+ target_security_group_id = module.aws_ecs[0].ecs_sg_id
 depends_on = [module.aws_ecs, module.efs]
 }
 
From caba9ba7caf0bf1daa706e4a011238f7bb42b3c9 Mon Sep 17 00:00:00 2001
From: LeoDiazL
Date: Fri, 23 Jan 2026 09:47:26 -0300
Subject: [PATCH 28/42] Fixing conditional for EFS SG
---
 operations/deployment/terraform/aws/bitovi_main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf
index e250b7be2..1a472dced 100644
--- a/operations/deployment/terraform/aws/bitovi_main.tf
+++ b/operations/deployment/terraform/aws/bitovi_main.tf
@@ -620,14 +620,14 @@ module "aws_ecs" {
 
 module "efs_to_ecs_sg" {
 source = "../modules/aws/sg/add_rule"
- count = var.aws_ecs_enable && var.aws_efs_enable && (var.aws_efs_fs_id == null) ? 1 : 0
+ count = var.aws_ecs_enable && var.aws_efs_enable && module.efs[0].aws_efs_sg_id != null ? 1 : 0
 # Inputs
 sg_type = "ingress"
 sg_rule_description = "${var.aws_resource_identifier} - ECS Incoming"
 sg_rule_from_port = 2049
 sg_rule_to_port = 2049
 sg_rule_protocol = "tcp"
- source_security_group_id = try(module.efs[0].aws_efs_sg_id)
+ source_security_group_id = module.efs[0].aws_efs_sg_id
 target_security_group_id = module.aws_ecs[0].ecs_sg_id
 depends_on = [module.aws_ecs, module.efs]
 }
From d84444ded3454167e278d3d9583e3b9a4c01104d Mon Sep 17 00:00:00 2001
From: LeoDiazL
Date: Fri, 23 Jan 2026 10:32:09 -0300
Subject: [PATCH 29/42] Fix conditional
---
 operations/deployment/terraform/aws/bitovi_main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf
index 1a472dced..0ebf1cebc 100644
--- a/operations/deployment/terraform/aws/bitovi_main.tf
+++ b/operations/deployment/terraform/aws/bitovi_main.tf
@@ -620,7 +620,7 @@ module "aws_ecs" {
 
 module "efs_to_ecs_sg" {
 source = "../modules/aws/sg/add_rule"
- count = var.aws_ecs_enable && var.aws_efs_enable && module.efs[0].aws_efs_sg_id != null ? 1 : 0
+ count = var.aws_ecs_enable && var.aws_efs_enable && (var.aws_efs_fs_id == null) ? 1 : 0
 # Inputs
 sg_type = "ingress"
 sg_rule_description = "${var.aws_resource_identifier} - ECS Incoming"
From f2f39f895c66ca5090a36dd768cecb50c82c286b Mon Sep 17 00:00:00 2001
From: LeoDiazL
Date: Mon, 26 Jan 2026 10:21:50 -0300
Subject: [PATCH 30/42] Change sg order
---
 operations/deployment/terraform/aws/bitovi_main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf
index 0ebf1cebc..c5ceee75b 100644
--- a/operations/deployment/terraform/aws/bitovi_main.tf
+++ b/operations/deployment/terraform/aws/bitovi_main.tf
@@ -627,8 +627,8 @@ module "efs_to_ecs_sg" {
 sg_rule_from_port = 2049
 sg_rule_to_port = 2049
 sg_rule_protocol = "tcp"
- source_security_group_id = module.efs[0].aws_efs_sg_id
- target_security_group_id = module.aws_ecs[0].ecs_sg_id
+ source_security_group_id = module.aws_ecs[0].ecs_sg_id #module.efs[0].aws_efs_sg_id
+ target_security_group_id = module.efs[0].aws_efs_sg_id #module.aws_ecs[0].ecs_sg_id
 depends_on = [module.aws_ecs, module.efs]
 }
 
From e4cf65c62803b5de6c504bba5a61c41cbec19763 Mon Sep 17 00:00:00 2001
From: LeoDiazL
Date: Mon, 26 Jan 2026 10:54:29 -0300
Subject: [PATCH 31/42] Minor fixes
---
 operations/deployment/terraform/aws/bitovi_main.tf | 6 +++---
 operations/deployment/terraform/modules/aws/efs/aws_efs.tf | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf
index c5ceee75b..a0eeaf154 100644
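Review bot: After the swap the 2049/tcp ingress rule lands on the EFS security group with the ECS task group as its source, which is the correct direction for NFS clients, but the EFS module already declares `aws_security_group_rule "ingress_efs"` on that same group (visible as context in the later aws_efs.tf hunk) and its source is not shown anywhere in this series. If that existing rule already opens 2049 to a CIDR or to every source, this SG-to-SG rule does not narrow access at all; confirm the existing rule is at least as restrictive, or make the two mutually exclusive so the ECS-scoped rule is the only path when ECS is the consumer. The `module "efs_to_ecs_sg"` header is outside the hunk.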
--- a/operations/deployment/terraform/aws/bitovi_main.tf
+++ b/operations/deployment/terraform/aws/bitovi_main.tf
@@ -618,7 +618,7 @@ module "aws_ecs" {
 }
 }
 
-module "efs_to_ecs_sg" {
+module "ecs_to_efs_sg" {
 source = "../modules/aws/sg/add_rule"
 count = var.aws_ecs_enable && var.aws_efs_enable && (var.aws_efs_fs_id == null) ? 1 : 0
 # Inputs
@@ -993,11 +993,11 @@ output "ecs_load_balancer_dns" {
 }
 
 output "ecs_sg_id" {
- value = try(module.aws_ecs[0].ecs_sg.id, null)
+ value = try(module.aws_ecs[0].ecs_sg_id, null)
 }
 
 output "ecs_lb_sg_id" {
- value = try(module.aws_ecs[0].ecs_lb_sg.id, null)
+ value = try(module.aws_ecs[0].ecs_lb_sg_id, null)
 }
 
 # Redis
diff --git a/operations/deployment/terraform/modules/aws/efs/aws_efs.tf b/operations/deployment/terraform/modules/aws/efs/aws_efs.tf
index b1c90cb0d..93b8410be 100644
--- a/operations/deployment/terraform/modules/aws/efs/aws_efs.tf
+++ b/operations/deployment/terraform/modules/aws/efs/aws_efs.tf
@@ -61,7 +61,7 @@ resource "aws_efs_replication_configuration" "efs_rep_config" {
 
 resource "aws_security_group" "efs_security_group" {
 count = var.aws_efs_create_mount_target ? 1 : 0
- name = var.aws_efs_security_group_name != null ? var.aws_efs_security_group_name : "SG for ${var.aws_resource_identifier} - EFS"
+ name = var.aws_efs_security_group_name != "" ? var.aws_efs_security_group_name : "SG for ${var.aws_resource_identifier} - EFS"
 description = "SG for ${var.aws_resource_identifier} - EFS"
 vpc_id = var.aws_selected_vpc_id
 egress {
From 8bcfb1cfacf1f83a4b415cc24da109acb1734dc2 Mon Sep 17 00:00:00 2001
From: LeoDiazL
Date: Mon, 26 Jan 2026 11:27:37 -0300
Subject: [PATCH 32/42] Add ignore name to EFS SG
---
 operations/deployment/terraform/modules/aws/efs/aws_efs.tf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/operations/deployment/terraform/modules/aws/efs/aws_efs.tf b/operations/deployment/terraform/modules/aws/efs/aws_efs.tf
index 93b8410be..0070b76f9 100644
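Review bot: Changing the check on `efs_security_group.name` from `!= null` to `!= ""` fixes the empty-string case but drops the null one: a null `aws_efs_security_group_name` now reaches `name = null`, which lets the provider generate a random group name instead of the `SG for ${var.aws_resource_identifier} - EFS` default, and since `name` forces a new resource an existing group would be replaced on the next apply. `coalesce` skips both null and empty strings, so one expression covers both: `name = coalesce(var.aws_efs_security_group_name, "SG for ${var.aws_resource_identifier} - EFS")`. The resource block continues past the hunk (`egress {` is its last visible line).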
--- a/operations/deployment/terraform/modules/aws/efs/aws_efs.tf
+++ b/operations/deployment/terraform/modules/aws/efs/aws_efs.tf
@@ -73,6 +73,9 @@ resource "aws_security_group" "efs_security_group" {
 tags = {
 Name = "${var.aws_resource_identifier}-efs"
 }
+ lifecycle {
+ ignore_changes = [ "name" ]
+ }
 }
 
 resource "aws_security_group_rule" "ingress_efs" {
From 058ab1efa57b0ec63d3c21b686167963710660fd Mon Sep 17 00:00:00 2001
From: LeoDiazL
Date: Mon, 26 Jan 2026 11:41:36 -0300
Subject: [PATCH 33/42] Cosmetic fix
---
 operations/deployment/terraform/modules/aws/efs/aws_efs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/operations/deployment/terraform/modules/aws/efs/aws_efs.tf b/operations/deployment/terraform/modules/aws/efs/aws_efs.tf
index 0070b76f9..0ee973338 100644
--- a/operations/deployment/terraform/modules/aws/efs/aws_efs.tf
+++ b/operations/deployment/terraform/modules/aws/efs/aws_efs.tf
@@ -74,7 +74,7 @@ resource "aws_security_group" "efs_security_group" {
 Name = "${var.aws_resource_identifier}-efs"
 }
 lifecycle {
- ignore_changes = [ "name" ]
+ ignore_changes = [ name ]
 }
 }
 
From e314bb02979f279f22004f8892c20fc2d2645f6e Mon Sep 17 00:00:00 2001
From: LeoDiazL
Date: Mon, 26 Jan 2026 12:21:01 -0300
Subject: [PATCH 34/42] Fix EFS FS ID incoming to ECS
---
 operations/deployment/terraform/aws/bitovi_main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf
index a0eeaf154..679bfc5be 100644
--- a/operations/deployment/terraform/aws/bitovi_main.tf
+++ b/operations/deployment/terraform/aws/bitovi_main.tf
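Review bot: The new `lifecycle { ignore_changes = [ "name" ] }` on `efs_security_group` has no comment saying why it is there, and the effect is easy to misread later: `name` forces replacement on `aws_security_group`, so ignoring it stops the default-name change from the previous commit from recreating the group and the mount targets attached to it, but it also means a later `aws_efs_security_group_name` value will never be applied to an already-deployed stack. Suggested comment above the block: `# name is ForceNew; ignore it so the default-name change does not recreate the SG (an operator rename will not reach existing stacks)`. The enclosing resource starts outside the hunk.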
@@ -593,7 +593,7 @@ module "aws_ecs" {
 aws_ecs_cloudwatch_lg_name = var.aws_ecs_cloudwatch_enable ? (var.aws_ecs_cloudwatch_lg_name != null ? var.aws_ecs_cloudwatch_lg_name : "${var.aws_resource_identifier}-ecs-logs") : null
 aws_ecs_cloudwatch_skip_destroy = var.aws_ecs_cloudwatch_skip_destroy
 aws_ecs_cloudwatch_retention_days = var.aws_ecs_cloudwatch_retention_days
- aws_ecs_efs_fs_id = var.aws_efs_fs_id #var.aws_efs_enable || var.aws_efs_fs_id ? try(module.efs[0].efs_fs_id, "") : var.aws_ecs_efs_fs_id
+ aws_ecs_efs_fs_id = var.aws_efs_enable ? try(module.efs[0].efs_fs_id, "") : ""
 aws_ecs_efs_root_directory = var.aws_ecs_efs_root_directory
 aws_ecs_efs_transit_encryption = var.aws_ecs_efs_transit_encryption
 aws_ecs_efs_transit_encryption_port = var.aws_ecs_efs_transit_encryption_port
From 38539a01a6fd8d70bb5a441841af1d986c1a9398 Mon Sep 17 00:00:00 2001
From: LeoDiazL
Date: Mon, 26 Jan 2026 12:39:03 -0300
Subject: [PATCH 35/42] Add EFS module dependency
---
 operations/deployment/terraform/aws/bitovi_main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf
index 679bfc5be..e21b84456 100644
--- a/operations/deployment/terraform/aws/bitovi_main.tf
+++ b/operations/deployment/terraform/aws/bitovi_main.tf
@@ -612,7 +612,7 @@ module "aws_ecs" {
 aws_resource_identifier_supershort = var.aws_resource_identifier_supershort
 app_repo_name = var.app_repo_name
 # Dependencies
- depends_on = [module.aws_certificates]
+ depends_on = [module.aws_certificates,module.efs]
 providers = {
 aws = aws.ecs
 }
From 55cd5f868f1a65352831403975cec1d959445331 Mon Sep 17 00:00:00 2001
From: LeoDiazL
Date: Mon, 26 Jan 2026 12:45:12 -0300
Subject: [PATCH 36/42] EFS FS ID
---
 operations/deployment/terraform/aws/bitovi_main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
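Review bot: The false branch of `aws_ecs_efs_fs_id` now yields `""` instead of `var.aws_ecs_efs_fs_id`, so the `aws_ecs_efs_fs_id` input that README.md and action.yaml document earlier in this series no longer reaches the ECS module and a user-supplied external file system ID is silently ignored. Either keep the input as the fallback, `aws_ecs_efs_fs_id = var.aws_efs_enable ? try(module.efs[0].efs_fs_id, "") : var.aws_ecs_efs_fs_id`, or remove the input from action.yaml and README.md so callers are not led to set a value that does nothing. The `try(..., "")` also converts a missing or misspelled module output into an empty ID rather than an error, which would make the EFS-gated resources in the ECS module quietly not exist. The `module "aws_ecs"` block continues outside the hunk.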
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf
index e21b84456..360dea749 100644
--- a/operations/deployment/terraform/aws/bitovi_main.tf
+++ b/operations/deployment/terraform/aws/bitovi_main.tf
@@ -593,7 +593,7 @@ module "aws_ecs" {
 aws_ecs_cloudwatch_lg_name = var.aws_ecs_cloudwatch_enable ? (var.aws_ecs_cloudwatch_lg_name != null ? var.aws_ecs_cloudwatch_lg_name : "${var.aws_resource_identifier}-ecs-logs") : null
 aws_ecs_cloudwatch_skip_destroy = var.aws_ecs_cloudwatch_skip_destroy
 aws_ecs_cloudwatch_retention_days = var.aws_ecs_cloudwatch_retention_days
- aws_ecs_efs_fs_id = var.aws_efs_enable ? try(module.efs[0].efs_fs_id, "") : ""
+ aws_ecs_efs_fs_id = var.aws_efs_enable ? module.efs[0].aws_efs_fs_id : ""
 aws_ecs_efs_root_directory = var.aws_ecs_efs_root_directory
 aws_ecs_efs_transit_encryption = var.aws_ecs_efs_transit_encryption
 aws_ecs_efs_transit_encryption_port = var.aws_ecs_efs_transit_encryption_port
From 3f052286578c2ad0537299626790eb364395d66f Mon Sep 17 00:00:00 2001
From: LeoDiazL
Date: Mon, 26 Jan 2026 13:07:40 -0300
Subject: [PATCH 37/42] Test adding lifecycle to mount_targets
---
 .../deployment/terraform/modules/aws/efs/aws_efs.tf | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/operations/deployment/terraform/modules/aws/efs/aws_efs.tf b/operations/deployment/terraform/modules/aws/efs/aws_efs.tf
index 0ee973338..0f1e355fc 100644
--- a/operations/deployment/terraform/modules/aws/efs/aws_efs.tf
+++ b/operations/deployment/terraform/modules/aws/efs/aws_efs.tf
@@ -40,12 +40,20 @@ data "aws_efs_file_system" "efs" {
 file_system_id = var.aws_efs_create ? aws_efs_file_system.efs[0].id : var.aws_efs_fs_id
 }
 
+resource "terraform_data" "efs_ha_tracker" {
+ input = var.aws_efs_create_ha
+}
+
 resource "aws_efs_mount_target" "efs_mount_target" {
 count = var.aws_efs_create_mount_target ? length(local.aws_efs_subnets) : 0
 file_system_id = var.aws_efs_create ? aws_efs_file_system.efs[0].id : var.aws_efs_fs_id
 subnet_id = local.aws_efs_subnets[count.index]
 security_groups = [aws_security_group.efs_security_group[0].id]
 depends_on = [aws_efs_file_system.efs]
+
+ lifecycle {
+ replace_triggered_by = [terraform_data.efs_ha_tracker]
+ }
 }
 
 resource "aws_efs_replication_configuration" "efs_rep_config" {
From cb0ff516328bc447a975cba1a8dc2fb80f0384dd Mon Sep 17 00:00:00 2001
From: LeoDiazL
Date: Mon, 26 Jan 2026 13:14:22 -0300
Subject: [PATCH 38/42] Fix formatting
---
 operations/deployment/terraform/aws/bitovi_main.tf | 2 +-
 operations/deployment/terraform/modules/aws/efs/aws_efs.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf
index 360dea749..6bf48f264 100644
--- a/operations/deployment/terraform/aws/bitovi_main.tf
+++ b/operations/deployment/terraform/aws/bitovi_main.tf
@@ -612,7 +612,7 @@ module "aws_ecs" {
 aws_resource_identifier_supershort = var.aws_resource_identifier_supershort
 app_repo_name = var.app_repo_name
 # Dependencies
- depends_on = [module.aws_certificates,module.efs]
+ depends_on = [module.aws_certificates, module.efs]
 providers = {
 aws = aws.ecs
 }
diff --git a/operations/deployment/terraform/modules/aws/efs/aws_efs.tf b/operations/deployment/terraform/modules/aws/efs/aws_efs.tf
index 0f1e355fc..8c1556943 100644
--- a/operations/deployment/terraform/modules/aws/efs/aws_efs.tf
+++ b/operations/deployment/terraform/modules/aws/efs/aws_efs.tf
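Review bot: `replace_triggered_by = [terraform_data.efs_ha_tracker]` makes every `efs_mount_target` instance be destroyed and recreated whenever `aws_efs_create_ha` flips, and nothing in the hunk records that this is a disruptive operation: tasks that have the volume mounted lose their NFS endpoint until the new targets exist. Document the intent next to the lifecycle block, e.g. `# Recreate mount targets when the HA flag changes (disruptive: mounted tasks lose the NFS endpoint until the new targets are up)`. `terraform_data` needs Terraform 1.4 or later, so if the module's `required_version` is older it should be raised in the same change; the tracker resource is also created even when `aws_efs_create_mount_target` is false, which is harmless but worth a one-line comment. The commit title says "Test adding", so it is unclear whether this is meant to land as-is.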
@@ -82,7 +82,7 @@ resource "aws_security_group" "efs_security_group" {
 Name = "${var.aws_resource_identifier}-efs"
 }
 lifecycle {
- ignore_changes = [ name ]
+ ignore_changes = [name]
 }
 }
 
From e137dc07ab7d36c05a5fcfc62ceeb04750186737 Mon Sep 17 00:00:00 2001
From: LeoDiazL
Date: Mon, 26 Jan 2026 13:45:59 -0300
Subject: [PATCH 39/42] Fixing conditional
---
 operations/deployment/terraform/aws/bitovi_main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf
index 6bf48f264..45e47bfb4 100644
--- a/operations/deployment/terraform/aws/bitovi_main.tf
+++ b/operations/deployment/terraform/aws/bitovi_main.tf
@@ -593,7 +593,7 @@ module "aws_ecs" {
 aws_ecs_cloudwatch_lg_name = var.aws_ecs_cloudwatch_enable ? (var.aws_ecs_cloudwatch_lg_name != null ? var.aws_ecs_cloudwatch_lg_name : "${var.aws_resource_identifier}-ecs-logs") : null
 aws_ecs_cloudwatch_skip_destroy = var.aws_ecs_cloudwatch_skip_destroy
 aws_ecs_cloudwatch_retention_days = var.aws_ecs_cloudwatch_retention_days
- aws_ecs_efs_fs_id = var.aws_efs_enable ? module.efs[0].aws_efs_fs_id : ""
+ aws_ecs_efs_fs_id = var.aws_efs_enable ? module.efs[0].aws_efs_fs_id : null
 aws_ecs_efs_root_directory = var.aws_ecs_efs_root_directory
 aws_ecs_efs_transit_encryption = var.aws_ecs_efs_transit_encryption
 aws_ecs_efs_transit_encryption_port = var.aws_ecs_efs_transit_encryption_port
From 0c8755dc5cfc28329a3349a598bb4fba7a510592 Mon Sep 17 00:00:00 2001
From: LeoDiazL
Date: Tue, 27 Jan 2026 07:15:24 -0300
Subject: [PATCH 40/42] Adding try to ecs_efs_fs_id
---
 operations/deployment/terraform/aws/bitovi_main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf
index 45e47bfb4..2a4f2a1f4 100644
--- a/operations/deployment/terraform/aws/bitovi_main.tf
+++ b/operations/deployment/terraform/aws/bitovi_main.tf
@@ -593,7 +593,7 @@ module "aws_ecs" {
 aws_ecs_cloudwatch_lg_name = var.aws_ecs_cloudwatch_enable ? (var.aws_ecs_cloudwatch_lg_name != null ? var.aws_ecs_cloudwatch_lg_name : "${var.aws_resource_identifier}-ecs-logs") : null
 aws_ecs_cloudwatch_skip_destroy = var.aws_ecs_cloudwatch_skip_destroy
 aws_ecs_cloudwatch_retention_days = var.aws_ecs_cloudwatch_retention_days
- aws_ecs_efs_fs_id = var.aws_efs_enable ? module.efs[0].aws_efs_fs_id : null
+ aws_ecs_efs_fs_id = var.aws_efs_enable ? try(module.efs[0].aws_efs_fs_id, null) : null
 aws_ecs_efs_root_directory = var.aws_ecs_efs_root_directory
 aws_ecs_efs_transit_encryption = var.aws_ecs_efs_transit_encryption
 aws_ecs_efs_transit_encryption_port = var.aws_ecs_efs_transit_encryption_port
From 02183b348f9567b1a5e42240ed1282bb487101b2 Mon Sep 17 00:00:00 2001
From: LeoDiazL
Date: Tue, 27 Jan 2026 07:33:03 -0300
Subject: [PATCH 41/42] var.aws_ecs_efs_enable
---
 operations/deployment/terraform/aws/bitovi_main.tf | 1 +
 operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf | 4 ++--
 .../deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf | 1 +
 3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf
index 2a4f2a1f4..a606f4d8f 100644
--- a/operations/deployment/terraform/aws/bitovi_main.tf
+++ b/operations/deployment/terraform/aws/bitovi_main.tf
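Review bot: `try(module.efs[0].aws_efs_fs_id, null)` does make the expression safe when `module.efs` has zero instances, but it also turns every other error into a null file system ID — including a renamed or missing output, which this series already hit once (`efs_fs_id` vs `aws_efs_fs_id`) — so the EFS-gated resources downstream would silently not be created instead of the plan failing. `one()` on a module splat returns null for an empty module while still surfacing a bad attribute name: `aws_ecs_efs_fs_id = var.aws_efs_enable ? one(module.efs[*].aws_efs_fs_id) : null`. The `module "aws_ecs"` block continues outside the hunk.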
@@ -593,6 +593,7 @@ module "aws_ecs" {
 aws_ecs_cloudwatch_lg_name = var.aws_ecs_cloudwatch_enable ? (var.aws_ecs_cloudwatch_lg_name != null ? var.aws_ecs_cloudwatch_lg_name : "${var.aws_resource_identifier}-ecs-logs") : null
 aws_ecs_cloudwatch_skip_destroy = var.aws_ecs_cloudwatch_skip_destroy
 aws_ecs_cloudwatch_retention_days = var.aws_ecs_cloudwatch_retention_days
+ aws_ecs_efs_enable = var.aws_efs_enable
 aws_ecs_efs_fs_id = var.aws_efs_enable ? try(module.efs[0].aws_efs_fs_id, null) : null
 aws_ecs_efs_root_directory = var.aws_ecs_efs_root_directory
 aws_ecs_efs_transit_encryption = var.aws_ecs_efs_transit_encryption
diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf
index 27d3c581f..51d8e0d46 100644
--- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf
+++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs.tf
@@ -292,7 +292,7 @@ resource "aws_iam_role" "ecsTaskRole" {
 
 # EFS Access Policy for Task Role
 resource "aws_iam_policy" "ecsTaskRoleEFSPolicy" {
- count = var.aws_ecs_efs_fs_id != null && var.aws_ecs_efs_iam ? 1 : 0
+ count = var.aws_ecs_efs_enable && var.aws_ecs_efs_iam ? 1 : 0
 name = "${var.aws_resource_identifier}-ecs-task-efs-policy"
 description = "Policy to allow ECS task to access EFS file system ${var.aws_ecs_efs_fs_id}"
 
@@ -318,7 +318,7 @@ resource "aws_iam_policy" "ecsTaskRoleEFSPolicy" {
 }
 
 resource "aws_iam_policy_attachment" "ecsTaskRoleEFSPolicyAttachment" {
- count = var.aws_ecs_efs_fs_id != null && var.aws_ecs_efs_iam && var.aws_ecs_task_role == "" ? 1 : 0
+ count = var.aws_ecs_efs_enable && var.aws_ecs_efs_iam && var.aws_ecs_task_role == "" ? 1 : 0
 name = "ECSTaskRoleEFSPolicyAttachment"
 roles = [aws_iam_role.ecsTaskRole[0].name]
 policy_arn = aws_iam_policy.ecsTaskRoleEFSPolicy[0].arn
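Review bot: `ecsTaskRoleEFSPolicyAttachment` (the `@@ -318` hunk) is an `aws_iam_policy_attachment`, which is the exclusive attachment resource: Terraform treats it as the only attachment of that policy and will detach any other role, user or group that was attached to it outside this configuration. The policy is attached to exactly one role here, so `aws_iam_role_policy_attachment` expresses that without the exclusive semantics and without the unused `name`; the rewrite is below, and because it is a resource type change an existing deployment will plan a destroy/create of the attachment. The new gate `var.aws_ecs_efs_enable && var.aws_ecs_efs_iam` still only creates the policy when the caller opts in through `aws_ecs_efs_iam` (documented earlier in this series as defaulting to false), but the policy document itself is outside the hunk, so whether it is scoped to `${var.aws_ecs_efs_fs_id}` or to all file systems cannot be checked here. The `description` still interpolates `${var.aws_ecs_efs_fs_id}`; that is fine while `aws_ecs_efs_enable` implies a non-null ID, but would fail template interpolation if the ID were ever null with the flag set. The resource's closing brace is outside the hunk.
```hcl
resource "aws_iam_role_policy_attachment" "ecsTaskRoleEFSPolicyAttachment" {
  count      = var.aws_ecs_efs_enable && var.aws_ecs_efs_iam && var.aws_ecs_task_role == "" ? 1 : 0
  role       = aws_iam_role.ecsTaskRole[0].name
  policy_arn = aws_iam_policy.ecsTaskRoleEFSPolicy[0].arn
  # … closing brace unchanged, outside the hunk …
```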
diff --git a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf
index 53602ac3e..41f3873f5 100644
--- a/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf
+++ b/operations/deployment/terraform/modules/aws/ecs/aws_ecs_vars.tf
@@ -33,6 +33,7 @@ variable "aws_ecs_cloudwatch_enable" {}
 variable "aws_ecs_cloudwatch_lg_name" {}
 variable "aws_ecs_cloudwatch_skip_destroy" {}
 variable "aws_ecs_cloudwatch_retention_days" {}
+variable "aws_ecs_efs_enable" {}
 variable "aws_ecs_efs_fs_id" {}
 variable "aws_ecs_efs_root_directory" {}
 variable "aws_ecs_efs_transit_encryption" {}
From 45b9224cc08670616a32e88d742c20184cc13ec9 Mon Sep 17 00:00:00 2001
From: LeoDiazL
Date: Tue, 27 Jan 2026 08:38:30 -0300
Subject: [PATCH 42/42] Cleanup comment
---
 operations/deployment/terraform/aws/bitovi_main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf
index a606f4d8f..f32930461 100644
--- a/operations/deployment/terraform/aws/bitovi_main.tf
+++ b/operations/deployment/terraform/aws/bitovi_main.tf
@@ -628,8 +628,8 @@ module "ecs_to_efs_sg" {
 sg_rule_from_port = 2049
 sg_rule_to_port = 2049
 sg_rule_protocol = "tcp"
- source_security_group_id = module.aws_ecs[0].ecs_sg_id #module.efs[0].aws_efs_sg_id
- target_security_group_id = module.efs[0].aws_efs_sg_id #module.aws_ecs[0].ecs_sg_id
+ source_security_group_id = module.aws_ecs[0].ecs_sg_id
+ target_security_group_id = module.efs[0].aws_efs_sg_id
 depends_on = [module.aws_ecs, module.efs]
 }