chore: Update example, add output for task definition family and revi…

…sion

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.88.0
+    rev: v1.88.1
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each

examples/fargate/README.md

@@ -74,7 +74,11 @@ No inputs.
 | <a name="output_service_iam_role_unique_id"></a> [service\_iam\_role\_unique\_id](#output\_service\_iam\_role\_unique\_id) | Stable and unique string identifying the service IAM role |
 | <a name="output_service_id"></a> [service\_id](#output\_service\_id) | ARN that identifies the service |
 | <a name="output_service_name"></a> [service\_name](#output\_service\_name) | Name of the service |
+| <a name="output_service_security_group_arn"></a> [service\_security\_group\_arn](#output\_service\_security\_group\_arn) | Amazon Resource Name (ARN) of the security group |
+| <a name="output_service_security_group_id"></a> [service\_security\_group\_id](#output\_service\_security\_group\_id) | ID of the security group |
 | <a name="output_service_task_definition_arn"></a> [service\_task\_definition\_arn](#output\_service\_task\_definition\_arn) | Full ARN of the Task Definition (including both `family` and `revision`) |
+| <a name="output_service_task_definition_family"></a> [service\_task\_definition\_family](#output\_service\_task\_definition\_family) | The unique name of the task definition |
+| <a name="output_service_task_definition_family_revision"></a> [service\_task\_definition\_family\_revision](#output\_service\_task\_definition\_family\_revision) | The family and revision (family:revision) of the task definition |
 | <a name="output_service_task_definition_revision"></a> [service\_task\_definition\_revision](#output\_service\_task\_definition\_revision) | Revision of the task in a particular family |
 | <a name="output_service_task_exec_iam_role_arn"></a> [service\_task\_exec\_iam\_role\_arn](#output\_service\_task\_exec\_iam\_role\_arn) | Task execution IAM role ARN |
 | <a name="output_service_task_exec_iam_role_name"></a> [service\_task\_exec\_iam\_role\_name](#output\_service\_task\_exec\_iam\_role\_name) | Task execution IAM role name |
@@ -86,6 +90,7 @@ No inputs.
 | <a name="output_service_tasks_iam_role_arn"></a> [service\_tasks\_iam\_role\_arn](#output\_service\_tasks\_iam\_role\_arn) | Tasks IAM role ARN |
 | <a name="output_service_tasks_iam_role_name"></a> [service\_tasks\_iam\_role\_name](#output\_service\_tasks\_iam\_role\_name) | Tasks IAM role name |
 | <a name="output_service_tasks_iam_role_unique_id"></a> [service\_tasks\_iam\_role\_unique\_id](#output\_service\_tasks\_iam\_role\_unique\_id) | Stable and unique string identifying the tasks IAM role |
+| <a name="output_task_definition_run_task_command"></a> [task\_definition\_run\_task\_command](#output\_task\_definition\_run\_task\_command) | awscli command to run the standalone task |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 ## License

examples/fargate/main.tf

@@ -114,6 +114,7 @@ module "ecs_service" {
 
       linux_parameters = {
         capabilities = {
+          add = []
           drop = [
             "NET_RAW"
           ]
@@ -170,7 +171,6 @@ module "ecs_service" {
   tags = local.tags
 }
 
-
 ################################################################################
 # Standalone Task Definition (w/o Service)
 ################################################################################
@@ -179,56 +179,43 @@ module "ecs_task_definition" {
   source = "../../modules/service"
 
   # Service
-  name               = "${local.name}-standalone"
-  cluster_arn        = module.ecs_cluster.arn
-  create_service     = false
-  enable_autoscaling = false
+  name           = "${local.name}-standalone"
+  cluster_arn    = module.ecs_cluster.arn
+  create_service = false
 
   # Task Definition
   volume = {
-    my-vol = {}
+    ex-vol = {}
   }
 
   # Container definition(s)
   container_definitions = {
-    (local.container_name) = {
-      image = "public.ecr.aws/ecs-sample-image/amazon-ecs-sample:latest"
-      port_mappings = [
-        {
-          name          = local.container_name
-          containerPort = local.container_port
-          protocol      = "tcp"
-        }
-      ]
+    al2023 = {
+      image = "public.ecr.aws/amazonlinux/amazonlinux:2023-minimal"
 
       mount_points = [
         {
-          sourceVolume  = "my-vol",
-          containerPath = "/var/www/my-vol"
+          sourceVolume  = "ex-vol",
+          containerPath = "/var/www/ex-vol"
         }
       ]
 
-      entry_point = ["/usr/sbin/apache2", "-D", "FOREGROUND"]
-
-      # Example image used requires access to write to root filesystem
-      readonly_root_filesystem = false
-
-      enable_cloudwatch_logging              = true
-      create_cloudwatch_log_group            = true
-      cloudwatch_log_group_name              = "/aws/ecs/${local.name}-standalone/${local.container_name}"
-      cloudwatch_log_group_retention_in_days = 7
-
-      log_configuration = {
-        logDriver = "awslogs"
-        options = {
-          awslogs-region = local.region
-        }
-      }
+      command = ["/usr/bin/cat", "/etc/os-release"]
     }
   }
 
   subnet_ids = module.vpc.private_subnets
 
+  security_group_rules = {
+    egress_all = {
+      type        = "egress"
+      from_port   = 0
+      to_port     = 0
+      protocol    = "-1"
+      cidr_blocks = ["0.0.0.0/0"]
+    }
+  }
+
   tags = local.tags
 }
 

examples/fargate/outputs.tf

@@ -71,6 +71,16 @@ output "service_task_definition_revision" {
   value       = module.ecs_service.task_definition_revision
 }
 
+output "service_task_definition_family" {
+  description = "The unique name of the task definition"
+  value       = module.ecs_service.task_definition_family
+}
+
+output "service_task_definition_family_revision" {
+  description = "The family and revision (family:revision) of the task definition"
+  value       = module.ecs_service.task_definition_family_revision
+}
+
 output "service_task_exec_iam_role_name" {
   description = "Task execution IAM role name"
   value       = module.ecs_service.task_exec_iam_role_name
@@ -130,3 +140,27 @@ output "service_autoscaling_scheduled_actions" {
   description = "Map of autoscaling scheduled actions and their attributes"
   value       = module.ecs_service.autoscaling_scheduled_actions
 }
+
+output "service_security_group_arn" {
+  description = "Amazon Resource Name (ARN) of the security group"
+  value       = module.ecs_service.security_group_arn
+}
+
+output "service_security_group_id" {
+  description = "ID of the security group"
+  value       = module.ecs_service.security_group_id
+}
+
+################################################################################
+# Standalone Task Definition (w/o Service)
+################################################################################
+
+output "task_definition_run_task_command" {
+  description = "awscli command to run the standalone task"
+  value       = <<EOT
+    aws ecs run-task --cluster ${module.ecs_cluster.name} \
+      --task-definition ${module.ecs_task_definition.task_definition_family_revision} \
+      --network-configuration "awsvpcConfiguration={subnets=[${join(",", module.vpc.private_subnets)}],securityGroups=[${module.ecs_task_definition.security_group_id}]}" \
+      --region ${local.region}
+  EOT
+}

modules/container-definition/main.tf

@@ -60,7 +60,7 @@ locals {
     secrets                = length(var.secrets) > 0 ? var.secrets : null
     startTimeout           = var.start_timeout
     stopTimeout            = var.stop_timeout
-    systemControls         = length(var.system_controls) > 0 ? var.system_controls : null
+    systemControls         = length(var.system_controls) > 0 ? var.system_controls : []
     ulimits                = local.is_not_windows && length(var.ulimits) > 0 ? var.ulimits : null
     user                   = local.is_not_windows ? var.user : null
     volumesFrom            = var.volumes_from

modules/service/README.md

@@ -338,6 +338,7 @@ module "ecs_service" {
 | <a name="output_security_group_id"></a> [security\_group\_id](#output\_security\_group\_id) | ID of the security group |
 | <a name="output_task_definition_arn"></a> [task\_definition\_arn](#output\_task\_definition\_arn) | Full ARN of the Task Definition (including both `family` and `revision`) |
 | <a name="output_task_definition_family"></a> [task\_definition\_family](#output\_task\_definition\_family) | The unique name of the task definition |
+| <a name="output_task_definition_family_revision"></a> [task\_definition\_family\_revision](#output\_task\_definition\_family\_revision) | The family and revision (family:revision) of the task definition |
 | <a name="output_task_definition_revision"></a> [task\_definition\_revision](#output\_task\_definition\_revision) | Revision of the task in a particular family |
 | <a name="output_task_exec_iam_role_arn"></a> [task\_exec\_iam\_role\_arn](#output\_task\_exec\_iam\_role\_arn) | Task execution IAM role ARN |
 | <a name="output_task_exec_iam_role_name"></a> [task\_exec\_iam\_role\_name](#output\_task\_exec\_iam\_role\_name) | Task execution IAM role name |

modules/service/main.tf

@@ -24,10 +24,12 @@ locals {
     security_groups  = flatten(concat([try(aws_security_group.this[0].id, [])], var.security_group_ids))
     subnets          = var.subnet_ids
   }
+
+  create_service = var.create && var.create_service
 }
 
 resource "aws_ecs_service" "this" {
-  count = var.create && var.create_service && !var.ignore_task_definition_changes ? 1 : 0
+  count = local.create_service && !var.ignore_task_definition_changes ? 1 : 0
 
   dynamic "alarms" {
     for_each = length(var.alarms) > 0 ? [var.alarms] : []
@@ -213,7 +215,7 @@ resource "aws_ecs_service" "this" {
 ################################################################################
 
 resource "aws_ecs_service" "ignore_task_definition" {
-  count = var.create && var.create_service && var.ignore_task_definition_changes ? 1 : 0
+  count = local.create_service && var.ignore_task_definition_changes ? 1 : 0
 
   dynamic "alarms" {
     for_each = length(var.alarms) > 0 ? [var.alarms] : []
@@ -1188,7 +1190,7 @@ resource "aws_ecs_task_set" "ignore_task_definition" {
 ################################################################################
 
 locals {
-  enable_autoscaling = var.create && var.enable_autoscaling && !local.is_daemon
+  enable_autoscaling = local.create_service && var.enable_autoscaling && !local.is_daemon
 
   cluster_name = element(split("/", var.cluster_arn), 1)
 }

modules/service/outputs.tf

@@ -59,6 +59,11 @@ output "task_definition_family" {
   value       = try(aws_ecs_task_definition.this[0].family, null)
 }
 
+output "task_definition_family_revision" {
+  description = "The family and revision (family:revision) of the task definition"
+  value       = "${try(aws_ecs_task_definition.this[0].family, "")}:${local.max_task_def_revision}"
+}
+
 ################################################################################
 # Task Execution - IAM Role
 # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html