Add EFS to ECS

README.md

@@ -482,13 +482,16 @@ The following inputs can be used as `step.with` keys
 | `aws_ecs_task_type`| String | Configuration type. Could be `EC2`, `FARGATE` or empty. Will default to `aws_ecs_service_launch_type` if none defined. (Blank if `EXTERNAL`). |
 | `aws_ecs_task_name`| String | Elastic Container Service task name. If task is defined with a JSON file, should be the same as the container name. |
 | `aws_ecs_task_ignore_definition`| Boolean | Toggle to ignore task definition changes after first deployment. Useful when using external tools to manage the task definition. Default: `false`. |
-| `aws_ecs_task_execution_role`| String | Elastic Container Service task execution role name from IAM. Defaults to `ecsTaskExecutionRole`. |
+| `aws_ecs_task_execution_role`| String | Task execution role name that the Amazon ECS container agent and the Docker daemon can assume. Defaults to `ecsTaskExecutionRole`. |
+| `aws_ecs_task_role` | String | IAM role name that allows your Amazon ECS container task to make calls to other AWS services. When mounting an EFS volume and `aws_ecs_efs_iam` is enabled, will create one specific for that volume if none defined. |
+| `aws_ecs_task_reuse_role` | Boolean | Toggle reusing the task execution role as the task role. |
 | `aws_ecs_task_json_definition_file`| String | Name of the json file containing task definition. Overrides every other input. |
 | `aws_ecs_task_network_mode`| String | Network type to use in task definition. One of `none`, `bridge`, `awsvpc`, and `host`. |
 | `aws_ecs_task_cpu`| String | Task CPU Amount. |
 | `aws_ecs_task_mem`| String | Task Mem Amount. |
 | `aws_ecs_container_cpu`| String | Container CPU Amount. |
 | `aws_ecs_container_mem`| String | Container Mem Amount. |
+| `aws_ecs_container_user`| String | User to run container as. Accepts `user`, `user:group`, `uid`, `uid:gid`, `user:gid` or `uid:group`. |
 | `aws_ecs_node_count`| String | Node count for ECS Cluster. |
 | `aws_ecs_app_image`| String | Name of the container image to be used. |
 | `aws_ecs_security_group_name`| String | ECS Secruity group name. |
@@ -508,6 +511,14 @@ The following inputs can be used as `step.with` keys
 | `aws_ecs_cloudwatch_lg_name`| String | Log group name. Will default to `aws_identifier` if none. |
 | `aws_ecs_cloudwatch_skip_destroy`| Boolean | Toggle deletion or not when destroying the stack. |
 | `aws_ecs_cloudwatch_retention_days`| String | Number of days to retain logs. 0 to never expire. Defaults to `14`. |
+| `aws_ecs_efs_fs_id` | String | ID of the EFS File System. |
+| `aws_ecs_efs_root_directory` | String | Directory within the FS to mount as the root directory. Defaults to `/`, ignored if `access_point_id` defined. |
+| `aws_ecs_efs_transit_encryption` | Boolean | EFS Volume Transit Encryption. Defaults to `true`. (ENABLED) |
+| `aws_ecs_efs_transit_encryption_port` | String | EFS Volume Transit Encryption Port. |
+| `aws_ecs_efs_access_point_id` | String | EFS Volume Access Point ID to use. |
+| `aws_ecs_efs_container_path` | String | Directory path within container to mount the EFS volume to. Defaults to`/mnt/efs` |
+| `aws_ecs_efs_readonly` | Boolean | Whether the EFS volume is mounted as read-only. Defaults to `false`. |
+| `aws_ecs_efs_iam` | Boolean | Whether or not to use the ECS task IAM role defined in a task definition when mounting the FS. Defaults to `false`. (DISABLED) - Needs `aws_ecs_efs_transit_encryption` |
 | `aws_ecs_additional_tags`| JSON | Add additional tags to the terraform [default tags](https://www.hashicorp.com/blog/default-tags-in-the-terraform-aws-provider), any tags put here will be added to ECS provisioned resources.|
 <hr/>
 <br/>

operations/_scripts/generate/generate_vars_terraform.sh

@@ -365,12 +365,15 @@ if [[ $(alpha_only "$AWS_ECS_ENABLE") == true ]]; then
   aws_ecs_task_name=$(generate_var aws_ecs_task_name $AWS_ECS_TASK_NAME)
   aws_ecs_task_ignore_definition=$(generate_var aws_ecs_task_ignore_definition $AWS_ECS_TASK_IGNORE_DEFINITION)
   aws_ecs_task_execution_role=$(generate_var aws_ecs_task_execution_role $AWS_ECS_TASK_EXECUTION_ROLE)
+  aws_ecs_task_role=$(generate_var aws_ecs_task_role $AWS_ECS_TASK_ROLE)
+  aws_ecs_task_reuse_role=$(generate_var aws_ecs_task_reuse_role $AWS_ECS_TASK_REUSE_ROLE)  
   aws_ecs_task_json_definition_file=$(generate_var aws_ecs_task_json_definition_file $AWS_ECS_TASK_JSON_DEFINITION_FILE)
   aws_ecs_task_network_mode=$(generate_var aws_ecs_task_network_mode $AWS_ECS_TASK_NETWORK_MODE)
   aws_ecs_task_cpu=$(generate_var aws_ecs_task_cpu $AWS_ECS_TASK_CPU)
   aws_ecs_task_mem=$(generate_var aws_ecs_task_mem $AWS_ECS_TASK_MEM)
   aws_ecs_container_cpu=$(generate_var aws_ecs_container_cpu $AWS_ECS_CONTAINER_CPU)
-  aws_ecs_container_cpu=$(generate_var aws_ecs_container_mem $AWS_ECS_CONTAINER_MEM)
+  aws_ecs_container_mem=$(generate_var aws_ecs_container_mem $AWS_ECS_CONTAINER_MEM)
+  aws_ecs_container_user=$(generate_var aws_ecs_container_user $AWS_ECS_CONTAINER_USER)
   aws_ecs_node_count=$(generate_var aws_ecs_node_count $AWS_ECS_NODE_COUNT)
   aws_ecs_app_image=$(generate_var aws_ecs_app_image $AWS_ECS_APP_IMAGE)
   aws_ecs_env_vars=$(generate_var aws_ecs_env_vars $AWS_ECS_ENV_VARS )
@@ -391,6 +394,14 @@ if [[ $(alpha_only "$AWS_ECS_ENABLE") == true ]]; then
   aws_ecs_cloudwatch_lg_name=$(generate_var aws_ecs_cloudwatch_lg_name $AWS_ECS_CLOUDWATCH_LG_NAME)
   aws_ecs_cloudwatch_skip_destroy=$(generate_var aws_ecs_cloudwatch_skip_destroy $AWS_ECS_CLOUDWATCH_SKIP_DESTROY)
   aws_ecs_cloudwatch_retention_days=$(generate_var aws_ecs_cloudwatch_retention_days $AWS_ECS_CLOUDWATCH_RETENTION_DAYS)
+  aws_ecs_efs_fs_id=$(generate_var aws_ecs_efs_fs_id $AWS_ECS_EFS_FS_ID)
+  aws_ecs_efs_root_directory=$(generate_var aws_ecs_efs_root_directory $AWS_ECS_EFS_ROOT_DIRECTORY)
+  aws_ecs_efs_transit_encryption=$(generate_var aws_ecs_efs_transit_encryption $AWS_ECS_EFS_TRANSIT_ENCRYPTION)
+  aws_ecs_efs_transit_encryption_port=$(generate_var aws_ecs_efs_transit_encryption_port $AWS_ECS_EFS_TRANSIT_ENCRYPTION_PORT)
+  aws_ecs_efs_access_point_id=$(generate_var aws_ecs_efs_access_point_id $AWS_ECS_EFS_ACCESS_POINT_ID)
+  aws_ecs_efs_container_path=$(generate_var aws_ecs_efs_container_path $AWS_ECS_EFS_CONTAINER_PATH)
+  aws_ecs_efs_readonly=$(generate_var aws_ecs_efs_readonly $AWS_ECS_EFS_READONLY)
+  aws_ecs_efs_iam=$(generate_var aws_ecs_efs_iam $AWS_ECS_EFS_IAM)
   aws_ecs_additional_tags=$(generate_var aws_ecs_additional_tags $AWS_ECS_ADDITIONAL_TAGS)
 fi
 
@@ -762,12 +773,15 @@ $aws_ecs_task_type
 $aws_ecs_task_name
 $aws_ecs_task_ignore_definition
 $aws_ecs_task_execution_role
+$aws_ecs_task_role
+$aws_ecs_task_reuse_role
 $aws_ecs_task_json_definition_file
 $aws_ecs_task_network_mode
 $aws_ecs_task_cpu
 $aws_ecs_task_mem
 $aws_ecs_container_cpu
 $aws_ecs_container_mem
+$aws_ecs_container_user
 $aws_ecs_node_count
 $aws_ecs_app_image
 $aws_ecs_env_vars
@@ -788,6 +802,14 @@ $aws_ecs_cloudwatch_enable
 $aws_ecs_cloudwatch_lg_name
 $aws_ecs_cloudwatch_skip_destroy
 $aws_ecs_cloudwatch_retention_days
+$aws_ecs_efs_fs_id
+$aws_ecs_efs_root_directory
+$aws_ecs_efs_transit_encryption
+$aws_ecs_efs_transit_encryption_port
+$aws_ecs_efs_access_point_id
+$aws_ecs_efs_container_path
+$aws_ecs_efs_readonly
+$aws_ecs_efs_iam
 $aws_ecs_additional_tags
 
 #-- ECR --#

operations/deployment/terraform/aws/aws_variables.tf

@@ -1620,6 +1620,18 @@ variable "aws_ecs_task_execution_role" {
   default     = ""
 }
 
+variable "aws_ecs_task_role" {
+  type        = string
+  description = "Elastic Container Service task role name."
+  default     = ""
+}
+
+variable "aws_ecs_task_reuse_role" {
+  type        = bool
+  description = "Toggle reusing the task execution role as the task role"
+  default     = false
+}
+
 variable "aws_ecs_task_json_definition_file" {
   type        = string
   description = "Filename for json file containing ECS conteiner definitions"
@@ -1656,6 +1668,12 @@ variable "aws_ecs_container_mem" {
   default     = ""
 }
 
+variable "aws_ecs_container_user" {
+  type        = string
+  description = "Container User"
+  default     = ""
+}
+
 variable "aws_ecs_node_count" {
   type        = string
   description = "Node count for ECS Cluster"
@@ -1770,6 +1788,54 @@ variable "aws_ecs_cloudwatch_retention_days" {
   default     = "14"
 }
 
+variable "aws_ecs_efs_fs_id" {
+  type        = string
+  description = "ID of the EFS File System"
+  default     = null
+}
+
+variable "aws_ecs_efs_root_directory" {
+  type        = string
+  description = "Directory within the FS to mount as the root directory. Defaults to /, ignored if access_point_id defined"
+  default     = null
+}
+
+variable "aws_ecs_efs_transit_encryption" {
+  type        = bool
+  description = "EFS Volume Transit Encryption. Defaults to true (ENABLED)"
+  default     = true
+}
+
+variable "aws_ecs_efs_transit_encryption_port" {
+  type        = string
+  description = "EFS Volume Transit Encryption Port"
+  default     = null
+}
+
+variable "aws_ecs_efs_access_point_id" {
+  type        = string
+  description = "EFS Volume Access Point ID to use"
+  default     = null
+}
+
+variable "aws_ecs_efs_container_path" {
+  type        = string
+  description = "Container path where to mount the EFS volume"
+  default     = "/mnt/efs"
+}
+
+variable "aws_ecs_efs_readonly" {
+  type        = bool
+  description = "Whether the EFS volume is mounted as read-only"
+  default     = false
+}
+
+variable "aws_ecs_efs_iam" {
+  type        = bool
+  description = "Whether or not to use the IAM role defined in a task definition when mounting the FS. Defaults to false. (DISABLED) "
+  default     = false
+}
+
 variable "aws_ecs_additional_tags" {
   type        = string
   description = "A list of strings that will be added to created resources"

operations/deployment/terraform/aws/bitovi_main.tf

@@ -558,41 +558,53 @@ module "aws_ecs" {
   source = "../modules/aws/ecs"
   count  = var.aws_ecs_enable ? 1 : 0
   # ECS
-  aws_ecs_service_name              = var.aws_ecs_service_name
-  aws_ecs_cluster_name              = var.aws_ecs_cluster_name
-  aws_ecs_service_launch_type       = var.aws_ecs_service_launch_type
-  aws_ecs_task_type                 = var.aws_ecs_task_type
-  aws_ecs_task_name                 = var.aws_ecs_task_name
-  aws_ecs_task_ignore_definition    = var.aws_ecs_task_ignore_definition
-  aws_ecs_task_execution_role       = var.aws_ecs_task_execution_role
-  aws_ecs_task_json_definition_file = var.aws_ecs_task_json_definition_file
-  aws_ecs_task_network_mode         = var.aws_ecs_task_network_mode
-  aws_ecs_task_cpu                  = var.aws_ecs_task_cpu
-  aws_ecs_task_mem                  = var.aws_ecs_task_mem
-  aws_ecs_container_cpu             = var.aws_ecs_container_cpu
-  aws_ecs_container_mem             = var.aws_ecs_container_mem
-  aws_ecs_node_count                = var.aws_ecs_node_count
-  aws_ecs_app_image                 = var.aws_ecs_app_image
-  aws_ecs_security_group_name       = var.aws_ecs_security_group_name
-  aws_ecs_assign_public_ip          = var.aws_ecs_assign_public_ip
-  aws_ecs_container_port            = var.aws_ecs_container_port
-  aws_ecs_lb_port                   = var.aws_ecs_lb_port
-  aws_ecs_lb_redirect_enable        = var.aws_ecs_lb_redirect_enable
-  aws_ecs_lb_container_path         = var.aws_ecs_lb_container_path
-  aws_ecs_lb_ssl_policy             = var.aws_ecs_lb_ssl_policy
-  aws_ecs_lb_www_to_apex_redirect   = var.aws_r53_root_domain_deploy ? var.aws_ecs_lb_www_to_apex_redirect : false
-  aws_ecs_autoscaling_enable        = var.aws_ecs_autoscaling_enable
-  aws_ecs_autoscaling_max_nodes     = var.aws_ecs_autoscaling_max_nodes
-  aws_ecs_autoscaling_min_nodes     = var.aws_ecs_autoscaling_min_nodes
-  aws_ecs_autoscaling_max_mem       = var.aws_ecs_autoscaling_max_mem
-  aws_ecs_autoscaling_max_cpu       = var.aws_ecs_autoscaling_max_cpu
-  aws_ecs_cloudwatch_enable         = var.aws_ecs_cloudwatch_enable
-  aws_ecs_cloudwatch_lg_name        = var.aws_ecs_cloudwatch_enable ? (var.aws_ecs_cloudwatch_lg_name != null ? var.aws_ecs_cloudwatch_lg_name : "${var.aws_resource_identifier}-ecs-logs") : null
-  aws_ecs_cloudwatch_skip_destroy   = var.aws_ecs_cloudwatch_skip_destroy
-  aws_ecs_cloudwatch_retention_days = var.aws_ecs_cloudwatch_retention_days
-  aws_region_current_name           = module.vpc.aws_region_current_name
-  aws_selected_vpc_id               = module.vpc.aws_selected_vpc_id
-  aws_selected_subnets              = module.vpc.aws_selected_vpc_subnets
+  aws_ecs_service_name                = var.aws_ecs_service_name
+  aws_ecs_cluster_name                = var.aws_ecs_cluster_name
+  aws_ecs_service_launch_type         = var.aws_ecs_service_launch_type
+  aws_ecs_task_type                   = var.aws_ecs_task_type
+  aws_ecs_task_name                   = var.aws_ecs_task_name
+  aws_ecs_task_ignore_definition      = var.aws_ecs_task_ignore_definition
+  aws_ecs_task_execution_role         = var.aws_ecs_task_execution_role
+  aws_ecs_task_role                   = var.aws_ecs_task_role
+  aws_ecs_task_reuse_role             = var.aws_ecs_task_reuse_role
+  aws_ecs_task_json_definition_file   = var.aws_ecs_task_json_definition_file
+  aws_ecs_task_network_mode           = var.aws_ecs_task_network_mode
+  aws_ecs_task_cpu                    = var.aws_ecs_task_cpu
+  aws_ecs_task_mem                    = var.aws_ecs_task_mem
+  aws_ecs_container_cpu               = var.aws_ecs_container_cpu
+  aws_ecs_container_mem               = var.aws_ecs_container_mem
+  aws_ecs_container_user              = var.aws_ecs_container_user
+  aws_ecs_node_count                  = var.aws_ecs_node_count
+  aws_ecs_app_image                   = var.aws_ecs_app_image
+  aws_ecs_security_group_name         = var.aws_ecs_security_group_name
+  aws_ecs_assign_public_ip            = var.aws_ecs_assign_public_ip
+  aws_ecs_container_port              = var.aws_ecs_container_port
+  aws_ecs_lb_port                     = var.aws_ecs_lb_port
+  aws_ecs_lb_redirect_enable          = var.aws_ecs_lb_redirect_enable
+  aws_ecs_lb_container_path           = var.aws_ecs_lb_container_path
+  aws_ecs_lb_ssl_policy               = var.aws_ecs_lb_ssl_policy
+  aws_ecs_lb_www_to_apex_redirect     = var.aws_r53_root_domain_deploy ? var.aws_ecs_lb_www_to_apex_redirect : false
+  aws_ecs_autoscaling_enable          = var.aws_ecs_autoscaling_enable
+  aws_ecs_autoscaling_max_nodes       = var.aws_ecs_autoscaling_max_nodes
+  aws_ecs_autoscaling_min_nodes       = var.aws_ecs_autoscaling_min_nodes
+  aws_ecs_autoscaling_max_mem         = var.aws_ecs_autoscaling_max_mem
+  aws_ecs_autoscaling_max_cpu         = var.aws_ecs_autoscaling_max_cpu
+  aws_ecs_cloudwatch_enable           = var.aws_ecs_cloudwatch_enable
+  aws_ecs_cloudwatch_lg_name          = var.aws_ecs_cloudwatch_enable ? (var.aws_ecs_cloudwatch_lg_name != null ? var.aws_ecs_cloudwatch_lg_name : "${var.aws_resource_identifier}-ecs-logs") : null
+  aws_ecs_cloudwatch_skip_destroy     = var.aws_ecs_cloudwatch_skip_destroy
+  aws_ecs_cloudwatch_retention_days   = var.aws_ecs_cloudwatch_retention_days
+  aws_ecs_efs_enable                  = var.aws_efs_enable
+  aws_ecs_efs_fs_id                   = var.aws_efs_enable ? try(module.efs[0].aws_efs_fs_id, null) : null
+  aws_ecs_efs_root_directory          = var.aws_ecs_efs_root_directory
+  aws_ecs_efs_transit_encryption      = var.aws_ecs_efs_transit_encryption
+  aws_ecs_efs_transit_encryption_port = var.aws_ecs_efs_transit_encryption_port
+  aws_ecs_efs_access_point_id         = var.aws_ecs_efs_access_point_id
+  aws_ecs_efs_container_path          = var.aws_ecs_efs_container_path
+  aws_ecs_efs_readonly                = var.aws_ecs_efs_readonly
+  aws_ecs_efs_iam                     = var.aws_ecs_efs_iam
+  aws_region_current_name             = module.vpc.aws_region_current_name
+  aws_selected_vpc_id                 = module.vpc.aws_selected_vpc_id
+  aws_selected_subnets                = module.vpc.aws_selected_vpc_subnets
   # Others
   aws_r53_domain_name                = var.aws_r53_enable && var.aws_r53_domain_name != "" ? var.aws_r53_domain_name : ""
   aws_certificate_enabled            = var.aws_r53_enable_cert
@@ -601,12 +613,26 @@ module "aws_ecs" {
   aws_resource_identifier_supershort = var.aws_resource_identifier_supershort
   app_repo_name                      = var.app_repo_name
   # Dependencies
-  depends_on = [module.aws_certificates]
+  depends_on = [module.aws_certificates, module.efs]
   providers = {
     aws = aws.ecs
   }
 }
 
+module "ecs_to_efs_sg" {
+  source = "../modules/aws/sg/add_rule"
+  count  = var.aws_ecs_enable && var.aws_efs_enable && (var.aws_efs_fs_id == null) ? 1 : 0
+  # Inputs 
+  sg_type                  = "ingress"
+  sg_rule_description      = "${var.aws_resource_identifier} - ECS Incoming"
+  sg_rule_from_port        = 2049
+  sg_rule_to_port          = 2049
+  sg_rule_protocol         = "tcp"
+  source_security_group_id = module.aws_ecs[0].ecs_sg_id
+  target_security_group_id = module.efs[0].aws_efs_sg_id
+  depends_on               = [module.aws_ecs, module.efs]
+}
+
 module "aws_route53_ecs" {
   source = "../modules/aws/route53"
   count  = var.aws_ecs_enable && var.aws_r53_enable && var.aws_r53_domain_name != "" && (var.aws_ecs_container_port != "" || var.aws_ecs_task_ignore_definition) ? 1 : 0
@@ -968,11 +994,11 @@ output "ecs_load_balancer_dns" {
 }
 
 output "ecs_sg_id" {
-  value = try(module.aws_ecs[0].ecs_sg.id, null)
+  value = try(module.aws_ecs[0].ecs_sg_id, null)
 }
 
 output "ecs_lb_sg_id" {
-  value = try(module.aws_ecs[0].ecs_lb_sg.id, null)
+  value = try(module.aws_ecs[0].ecs_lb_sg_id, null)
 }
 
 # Redis