Infrastructure Pipeline: ECS Deploy Runner
This module can be used to set up a secure CI/CD pipeline for your infrastructure code (Terraform, Terragrunt, Packer, Docker, etc). You can use this in combination with existing CI servers (e.g Jenkins, CircleCI, Gitlab) to set up workflows that:
-
Run
plan
andapply
with approval stages -
Build docker images for every PR
-
Build VM images (e.g., AMIs) for every PR
-
Automatically update infrastructure code and commit and push the changes to Git
These workflows can be implemented without directly running the steps from your CI servers. Instead, the CI server can coordinate the CI / CD flow, and for anything that requires sensitive / powerful IAM permissions, it can trigger pre-defined, locked-down jobs in an isolated ECS task, and stream the logs from that task as if it’s running locally.
Refer to the infrastructure-deployer CLI to integrate this with existing CI servers. You can also refer to the infrastructure-deploy-script module for more information on the underlying deployment scripts.
Terraform and Terragrunt CI/CD architecture
Features
-
Set up an automated CI / CD pipeline for your infrastructure code (Terraform / Terragrunt / Packer / Docker)
-
Supports approval work flows: see plan first and approve it in your CI / CD system before running apply
-
Build AMIs and Docker images
-
Isolated runtime environment in AWS using AWS Lambda and ECS Fargate/EC2
-
Deploy any reference (commit sha, tag, or branch) from any git repository
Learn
Note
This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!
Core concepts
-
Overview: An overview of the architecture deployed by in this module, including how to implement a CI/CD pipeline for infrastructure code.
-
Threat model of the deploy runner: An overview of the threat model used to design the security features of the solution, including a description of the potential attack vectors that are mitigated by the solution, and those attacks that require policy and behavioral changes to mitigate.
Repo organization
-
modules: the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.
-
examples: This folder contains working examples of how to use the submodules.
-
test: Automated tests for the modules and examples.
Deploy
Non-production deployment (quick start for learning)
If you just want to try this repo out for experimenting and learning, check out the following resources:
- examples folder: The
examples
folder contains sample code optimized for learning, experimenting, and testing (but not production usage).
Manage
-
How do I use the deployment task container with a private VCS system such as GitHub Enterprise?
-
How do I access the stdout and stderr output from the underlying scripts?
-
What are the IAM permissions necessary to trigger a deployment?
Sample Usage
- Terraform
- Terragrunt
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S ECS-DEPLOY-RUNNER MODULE
# ------------------------------------------------------------------------------------------------------
module "ecs_deploy_runner" {
source = "git::git@github.com:gruntwork-io/terraform-aws-ci.git//modules/ecs-deploy-runner?ref=v0.59.4"
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# Map of names to docker image (repo and tag) to use for the ECS task. Each
# entry corresponds to a different ECS task definition that can be used for
# infrastructure pipelines. The key corresponds to a user defined name that
# can be used with the invoker function to determine which task definition to
# use.
container_images = <map(object(
docker_image = string
docker_tag = string
secrets_manager_env_vars = map(string)
environment_vars = map(string)
additional_secrets_manager_arns = list(string)
script_config = map(object(
hardcoded_options = map(list(string))
hardcoded_args = list(string)
allow_positional_args = bool
allowed_options = list(string)
allowed_options_without_args = list(string)
restricted_options = list(string)
restricted_options_regex = map(string)
))
default = bool
))>
# AWS ID of the VPC where the ECS task and invoker lambda should run.
vpc_id = <string>
# List of VPC Subnet IDs where the ECS task and invoker lambda should run.
vpc_subnet_ids = <list(string)>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# Configuration for storing artifacts from the underlying commands. When set,
# stdout, stderr, and interleaved output will be stored in the configured S3
# bucket. Set to null if you do not wish for artifacts to be stored. Note that
# when null, the args for configuring storage of outputs will not be
# available.
artifact_config = null
# The ID (ARN, alias ARN, AWS ID) of a customer managed KMS Key to use for
# encrypting log data.
cloudwatch_log_group_kms_key_id = null
# A custom name to set for the CloudWatch Log Group used to stream the
# container logs. When null, the Log Group will default to var.name.
cloudwatch_log_group_name = null
# The number of days to retain log events in the log group. Refer to
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#retention_in_days
# for all the valid values. When null, the log events are retained forever.
cloudwatch_log_group_retention_in_days = null
# The ARN of the destination to deliver matching log events to. Kinesis stream
# or Lambda function ARN. Only applicable if
# var.should_create_cloudwatch_log_group is true, and var.container_images is
# non-empty.
cloudwatch_log_group_subscription_destination_arn = null
# The method used to distribute log data to the destination. Only applicable
# when var.cloudwatch_log_group_subscription_destination_arn is a kinesis
# stream. Valid values are `Random` and `ByLogStream`.
cloudwatch_log_group_subscription_distribution = null
# A valid CloudWatch Logs filter pattern for subscribing to a filtered stream
# of log events.
cloudwatch_log_group_subscription_filter_pattern = ""
# ARN of an IAM role that grants Amazon CloudWatch Logs permissions to deliver
# ingested log events to the destination. Only applicable when
# var.cloudwatch_log_group_subscription_destination_arn is a kinesis stream.
cloudwatch_log_group_subscription_role_arn = null
# Tags to apply on the CloudWatch Log Group, encoded as a map where the keys
# are tag keys and values are tag values.
cloudwatch_log_group_tags = null
# The default CPU units for the instances that Fargate will spin up. The
# invoker allows users to override the CPU at run time, but this value will be
# used if the user provides no value for the CPU. Options here:
# https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html#fargate-tasks-size.
container_cpu = 1024
# The default launch type of the ECS deploy runner workers. This launch type
# will be used if it is not overridden during invocation of the lambda
# function. Must be FARGATE or EC2.
container_default_launch_type = "FARGATE"
# The maximum CPU units that is allowed to be specified by the user when
# invoking the deploy runner with the Lambda function.
container_max_cpu = 2048
# The maximum memory units that is allowed to be specified by the user when
# invoking the deploy runner with the Lambda function.
container_max_memory = 8192
# The default memory units for the instances that Fargate will spin up. The
# invoker allows users to override the memory at run time, but this value will
# be used if the user provides no value for memory. Options here:
# https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html#fargate-tasks-size.
container_memory = 4096
# A map of custom tags to apply to all the resources created in this module.
# The key is the tag name and the value is the tag value.
custom_tags = {}
# Worker configuration of a EC2 worker pool for the ECS cluster. If null, no
# EC2 worker pool will be allocated and the deploy runner will be in Fargate
# only mode.
ec2_worker_pool_configuration = null
# The ARN of the policy that is used to set the permissions boundary for the
# ECS Task Execution IAM role. This policy should be created outside of this
# module.
ecs_task_exec_role_permissions_boundary = null
# Set the maximum session duration for the ECS Task execution IAM role. 2h by
# default.
ecs_task_execution_role_max_session_duration = 7200
# Set the maximum session duration for the ECS Task IAM role. 2h by default.
ecs_task_max_session_duration = 7200
# The ARN of the policy that is used to set the permissions boundary for the
# ECS Task IAM role. This policy should be created outside of this module.
ecs_task_permissions_boundary = null
# When true, enable container insights for the ECS cluster. This will enable
# the collection of metrics and logs for the cluster. Note that this will
# incur additional charges.
enable_cluster_container_insights = false
# The ID (ARN, alias ARN, AWS ID) of a customer managed KMS Key to use for
# encrypting log data for the invoker lambda function.
invoker_lambda_cloudwatch_log_group_kms_key_id = null
# The number of days to retain log events in the log group for the invoker
# lambda function. Refer to
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#retention_in_days
# for all the valid values. When null, the log events are retained forever.
invoker_lambda_cloudwatch_log_group_retention_in_days = null
# Tags to apply on the CloudWatch Log Group for the invoker lambda function,
# encoded as a map where the keys are tag keys and values are tag values.
invoker_lambda_cloudwatch_log_group_tags = null
# Set the logging level of the invoker lambda function. Must be one of debug,
# info, warn, error.
invoker_lambda_loglevel = "info"
# The amount of reserved concurrent executions for the invoker lambda
# function. Set to -1 to explicitly denote concurrent executions are
# unreserved.
invoker_lambda_reserved_concurrent_executions = null
# The ARN of the policy that is used to set the permissions boundary for the
# invoker lambda function's execution role. This policy should be created
# outside of this module.
invoker_lambda_role_permissions_boundary = null
# When true, precreate the CloudWatch Log Group to use for log aggregation
# from the invoker lambda function execution. This is useful if you wish to
# customize the CloudWatch Log Group with various settings such as retention
# periods and KMS encryption. When false, AWS Lambda will automatically create
# a basic log group to use.
invoker_lambda_should_create_cloudwatch_log_group = true
# Name of this instance of the deploy runner stack. Used to namespace all
# resources.
name = "ecs-deploy-runner"
# When non-null, set the security group name of the ECS Deploy Runner ECS Task
# to this string. When null, a unique name will be generated by Terraform to
# avoid conflicts when deploying multiple instances of the ECS Deploy Runner.
outbound_security_group_name = null
# The ARN of a AWS Secrets Manager secret containing credentials to access the
# private repository. See the docs for details on the format of the secret:
# https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html.
# Note that appropriate secrets manager permissions need to be added to the
# task execution role for this to work.
repository_credentials_secrets_manager_arn = null
# ARN of the KMS Key used to encrypt the AWS Secrets Manager entries. Note
# that if this variable is provided, this module will grant read and decrypt
# access to the KMS key to the ECS task. Only required if a custom KMS key was
# used to encrypt the secrets manager entry.
secrets_manager_kms_key_arn = null
# When true, precreate the CloudWatch Log Group to use for log aggregation
# from the ECS Task execution. This is useful if you wish to customize the
# CloudWatch Log Group with various settings such as retention periods and KMS
# encryption. When false, AWS ECS will automatically create a basic log group
# to use.
should_create_cloudwatch_log_group = true
# When true, all IAM policies will be managed as dedicated policies rather
# than inline policies attached to the IAM roles. Dedicated managed policies
# are friendlier to automated policy checkers, which may scan a single
# resource for findings. As such, it is important to avoid inline policies
# when targeting compliance with various security standards.
use_managed_iam_policies = true
}
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S ECS-DEPLOY-RUNNER MODULE
# ------------------------------------------------------------------------------------------------------
terraform {
source = "git::git@github.com:gruntwork-io/terraform-aws-ci.git//modules/ecs-deploy-runner?ref=v0.59.4"
}
inputs = {
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# Map of names to docker image (repo and tag) to use for the ECS task. Each
# entry corresponds to a different ECS task definition that can be used for
# infrastructure pipelines. The key corresponds to a user defined name that
# can be used with the invoker function to determine which task definition to
# use.
container_images = <map(object(
docker_image = string
docker_tag = string
secrets_manager_env_vars = map(string)
environment_vars = map(string)
additional_secrets_manager_arns = list(string)
script_config = map(object(
hardcoded_options = map(list(string))
hardcoded_args = list(string)
allow_positional_args = bool
allowed_options = list(string)
allowed_options_without_args = list(string)
restricted_options = list(string)
restricted_options_regex = map(string)
))
default = bool
))>
# AWS ID of the VPC where the ECS task and invoker lambda should run.
vpc_id = <string>
# List of VPC Subnet IDs where the ECS task and invoker lambda should run.
vpc_subnet_ids = <list(string)>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# Configuration for storing artifacts from the underlying commands. When set,
# stdout, stderr, and interleaved output will be stored in the configured S3
# bucket. Set to null if you do not wish for artifacts to be stored. Note that
# when null, the args for configuring storage of outputs will not be
# available.
artifact_config = null
# The ID (ARN, alias ARN, AWS ID) of a customer managed KMS Key to use for
# encrypting log data.
cloudwatch_log_group_kms_key_id = null
# A custom name to set for the CloudWatch Log Group used to stream the
# container logs. When null, the Log Group will default to var.name.
cloudwatch_log_group_name = null
# The number of days to retain log events in the log group. Refer to
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#retention_in_days
# for all the valid values. When null, the log events are retained forever.
cloudwatch_log_group_retention_in_days = null
# The ARN of the destination to deliver matching log events to. Kinesis stream
# or Lambda function ARN. Only applicable if
# var.should_create_cloudwatch_log_group is true, and var.container_images is
# non-empty.
cloudwatch_log_group_subscription_destination_arn = null
# The method used to distribute log data to the destination. Only applicable
# when var.cloudwatch_log_group_subscription_destination_arn is a kinesis
# stream. Valid values are `Random` and `ByLogStream`.
cloudwatch_log_group_subscription_distribution = null
# A valid CloudWatch Logs filter pattern for subscribing to a filtered stream
# of log events.
cloudwatch_log_group_subscription_filter_pattern = ""
# ARN of an IAM role that grants Amazon CloudWatch Logs permissions to deliver
# ingested log events to the destination. Only applicable when
# var.cloudwatch_log_group_subscription_destination_arn is a kinesis stream.
cloudwatch_log_group_subscription_role_arn = null
# Tags to apply on the CloudWatch Log Group, encoded as a map where the keys
# are tag keys and values are tag values.
cloudwatch_log_group_tags = null
# The default CPU units for the instances that Fargate will spin up. The
# invoker allows users to override the CPU at run time, but this value will be
# used if the user provides no value for the CPU. Options here:
# https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html#fargate-tasks-size.
container_cpu = 1024
# The default launch type of the ECS deploy runner workers. This launch type
# will be used if it is not overridden during invocation of the lambda
# function. Must be FARGATE or EC2.
container_default_launch_type = "FARGATE"
# The maximum CPU units that is allowed to be specified by the user when
# invoking the deploy runner with the Lambda function.
container_max_cpu = 2048
# The maximum memory units that is allowed to be specified by the user when
# invoking the deploy runner with the Lambda function.
container_max_memory = 8192
# The default memory units for the instances that Fargate will spin up. The
# invoker allows users to override the memory at run time, but this value will
# be used if the user provides no value for memory. Options here:
# https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html#fargate-tasks-size.
container_memory = 4096
# A map of custom tags to apply to all the resources created in this module.
# The key is the tag name and the value is the tag value.
custom_tags = {}
# Worker configuration of a EC2 worker pool for the ECS cluster. If null, no
# EC2 worker pool will be allocated and the deploy runner will be in Fargate
# only mode.
ec2_worker_pool_configuration = null
# The ARN of the policy that is used to set the permissions boundary for the
# ECS Task Execution IAM role. This policy should be created outside of this
# module.
ecs_task_exec_role_permissions_boundary = null
# Set the maximum session duration for the ECS Task execution IAM role. 2h by
# default.
ecs_task_execution_role_max_session_duration = 7200
# Set the maximum session duration for the ECS Task IAM role. 2h by default.
ecs_task_max_session_duration = 7200
# The ARN of the policy that is used to set the permissions boundary for the
# ECS Task IAM role. This policy should be created outside of this module.
ecs_task_permissions_boundary = null
# When true, enable container insights for the ECS cluster. This will enable
# the collection of metrics and logs for the cluster. Note that this will
# incur additional charges.
enable_cluster_container_insights = false
# The ID (ARN, alias ARN, AWS ID) of a customer managed KMS Key to use for
# encrypting log data for the invoker lambda function.
invoker_lambda_cloudwatch_log_group_kms_key_id = null
# The number of days to retain log events in the log group for the invoker
# lambda function. Refer to
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#retention_in_days
# for all the valid values. When null, the log events are retained forever.
invoker_lambda_cloudwatch_log_group_retention_in_days = null
# Tags to apply on the CloudWatch Log Group for the invoker lambda function,
# encoded as a map where the keys are tag keys and values are tag values.
invoker_lambda_cloudwatch_log_group_tags = null
# Set the logging level of the invoker lambda function. Must be one of debug,
# info, warn, error.
invoker_lambda_loglevel = "info"
# The amount of reserved concurrent executions for the invoker lambda
# function. Set to -1 to explicitly denote concurrent executions are
# unreserved.
invoker_lambda_reserved_concurrent_executions = null
# The ARN of the policy that is used to set the permissions boundary for the
# invoker lambda function's execution role. This policy should be created
# outside of this module.
invoker_lambda_role_permissions_boundary = null
# When true, precreate the CloudWatch Log Group to use for log aggregation
# from the invoker lambda function execution. This is useful if you wish to
# customize the CloudWatch Log Group with various settings such as retention
# periods and KMS encryption. When false, AWS Lambda will automatically create
# a basic log group to use.
invoker_lambda_should_create_cloudwatch_log_group = true
# Name of this instance of the deploy runner stack. Used to namespace all
# resources.
name = "ecs-deploy-runner"
# When non-null, set the security group name of the ECS Deploy Runner ECS Task
# to this string. When null, a unique name will be generated by Terraform to
# avoid conflicts when deploying multiple instances of the ECS Deploy Runner.
outbound_security_group_name = null
# The ARN of a AWS Secrets Manager secret containing credentials to access the
# private repository. See the docs for details on the format of the secret:
# https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html.
# Note that appropriate secrets manager permissions need to be added to the
# task execution role for this to work.
repository_credentials_secrets_manager_arn = null
# ARN of the KMS Key used to encrypt the AWS Secrets Manager entries. Note
# that if this variable is provided, this module will grant read and decrypt
# access to the KMS key to the ECS task. Only required if a custom KMS key was
# used to encrypt the secrets manager entry.
secrets_manager_kms_key_arn = null
# When true, precreate the CloudWatch Log Group to use for log aggregation
# from the ECS Task execution. This is useful if you wish to customize the
# CloudWatch Log Group with various settings such as retention periods and KMS
# encryption. When false, AWS ECS will automatically create a basic log group
# to use.
should_create_cloudwatch_log_group = true
# When true, all IAM policies will be managed as dedicated policies rather
# than inline policies attached to the IAM roles. Dedicated managed policies
# are friendlier to automated policy checkers, which may scan a single
# resource for findings. As such, it is important to avoid inline policies
# when targeting compliance with various security standards.
use_managed_iam_policies = true
}
Reference
- Inputs
- Outputs
Required
container_images
map(object(…))Map of names to docker image (repo and tag) to use for the ECS task. Each entry corresponds to a different ECS task definition that can be used for infrastructure pipelines. The key corresponds to a user defined name that can be used with the invoker function to determine which task definition to use.
map(object({
# Docker container identifiers
docker_image = string
docker_tag = string
# Map of environment variable names to secret manager arns of secrets to share with the container during runtime.
# Note that the container processes will not be able to directly read these secrets directly using the Secrets
# Manager API (they are only available implicitly through the env vars).
secrets_manager_env_vars = map(string)
# Map of environment variable names to values share with the container during runtime.
# Do NOT use this for sensitive variables! Use secrets_manager_env_vars for secrets.
environment_vars = map(string)
# List of additional secrets manager entries that the container should have access to, but not directly injected as
# environment variables. These secrets can be read by the container processes using the Secrets Manager API, unlike
# those shared as environment variables with `secrets_manager_env_vars`.
additional_secrets_manager_arns = list(string)
# Security configuration for each script for each container. Each entry in the map corresponds to a script in the
# triggers directory. If a script is not included in the map, then the default is to allow no additional args to be
# passed in when invoked.
script_config = map(object({
# Which options and args to always pass in alongside the ones provided by the command.
# This is a map of option keys to args to pass in. Each arg in the list will be passed in as a separate option.
# E.g., if you had {'foo': ['bar', 'baz', 'car']}, then this will be: `--foo bar --foo baz --foo car`
# This will be passed in first, before the args provided by the user in the event data.
hardcoded_options = map(list(string))
# Unlike hardcoded_options, this is used for hardcoded positional args and will always be passed in at the end of
# the args list.
hardcoded_args = list(string)
# Whether or not positional args are allowed to be passed in.
allow_positional_args = bool
# This is a list of option keys that are explicitly allowed. When set, any option key that is not present in this
# list will cause an exception. Note that `null` means allow any option, as opposed to `[]` which means allow no
# option. Only one of `allowed_options` or `restricted_options` should be used.
allowed_options = list(string)
# List of options without arguments
allowed_options_without_args = list(string)
# This is a list of option keys that are not allowed. When set, any option key passed in that is in this list will
# cause an exception. Empty list means allow any option (unless restricted by allowed_options).
restricted_options = list(string)
# This is a map of option keys to a regex for specifying what args are allowed to be passed in for that option key.
# There is no restriction to the option if there is no entry in this map.
restricted_options_regex = map(string)
}))
# Whether or not the particular container is the default container for the pipeline. This container is used when no
# name is provided to the infrastructure deployer. Exactly one must be marked as the default. An arbitrary container
# will be picked amongst the list of defaults when multiple are marked as default.
# If no containers are marked as default, then the invoker lambda function always requires a container name to be
# provided.
default = bool
}))
Details
Map of environment variable names to secret manager arns of secrets to share with the container during runtime.
Note that the container processes will not be able to directly read these secrets directly using the Secrets
Manager API (they are only available implicitly through the env vars).
Details
Map of environment variable names to values share with the container during runtime.
Do NOT use this for sensitive variables! Use secrets_manager_env_vars for secrets.
Details
List of additional secrets manager entries that the container should have access to, but not directly injected as
environment variables. These secrets can be read by the container processes using the Secrets Manager API, unlike
those shared as environment variables with `secrets_manager_env_vars`.
Details
Security configuration for each script for each container. Each entry in the map corresponds to a script in the
triggers directory. If a script is not included in the map, then the default is to allow no additional args to be
passed in when invoked.
Details
Unlike hardcoded_options, this is used for hardcoded positional args and will always be passed in at the end of
the args list.
Details
Whether or not positional args are allowed to be passed in.
Details
This is a list of option keys that are explicitly allowed. When set, any option key that is not present in this
list will cause an exception. Note that `null` means allow any option, as opposed to `[]` which means allow no
option. Only one of `allowed_options` or `restricted_options` should be used.
Details
List of options without arguments
Details
This is a list of option keys that are not allowed. When set, any option key passed in that is in this list will
cause an exception. Empty list means allow any option (unless restricted by allowed_options).
Details
This is a map of option keys to a regex for specifying what args are allowed to be passed in for that option key.
There is no restriction to the option if there is no entry in this map.
Details
Whether or not the particular container is the default container for the pipeline. This container is used when no
name is provided to the infrastructure deployer. Exactly one must be marked as the default. An arbitrary container
will be picked amongst the list of defaults when multiple are marked as default.
If no containers are marked as default, then the invoker lambda function always requires a container name to be
provided.
vpc_id
stringAWS ID of the VPC where the ECS task and invoker lambda should run.
vpc_subnet_ids
list(string)List of VPC Subnet IDs where the ECS task and invoker lambda should run.
Optional
artifact_config
object(…)Configuration for storing artifacts from the underlying commands. When set, stdout, stderr, and interleaved output will be stored in the configured S3 bucket. Set to null if you do not wish for artifacts to be stored. Note that when null, the args for configuring storage of outputs will not be available.
object({
# Whether to allow user to selectively decide when artifacts should be stored in S3. When true,
# users must provide `--store-outputs true` to the script args in the infrastructure-deployer call to store the
# outputs. When false, every run will be hardcoded to `--store-outputs true`.
allow_runtime_selection = bool
# S3 bucket and region (us-east-1) where the outputs will be stored.
bucket_name = string
region = string
# Key prefix to use if lambda event does not specify. Outputs will be stored at PREFIX/stdout, PREFIX/stderr, and
# PREFIX/interleaved. Note that this will overwrite the output even if the key already exists.
default_key_prefix = string
})
null
Details
S3 bucket and region (us-east-1) where the outputs will be stored.
Details
Key prefix to use if lambda event does not specify. Outputs will be stored at PREFIX/stdout, PREFIX/stderr, and
PREFIX/interleaved. Note that this will overwrite the output even if the key already exists.
The ID (ARN, alias ARN, AWS ID) of a customer managed KMS Key to use for encrypting log data.
null
A custom name to set for the CloudWatch Log Group used to stream the container logs. When null, the Log Group will default to name
.
null
The number of days to retain log events in the log group. Refer to https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#retention_in_days for all the valid values. When null, the log events are retained forever.
null
The ARN of the destination to deliver matching log events to. Kinesis stream or Lambda function ARN. Only applicable if should_create_cloudwatch_log_group
is true, and container_images
is non-empty.
null
The method used to distribute log data to the destination. Only applicable when cloudwatch_log_group_subscription_destination_arn
is a kinesis stream. Valid values are Random
and ByLogStream
.
null
A valid CloudWatch Logs filter pattern for subscribing to a filtered stream of log events.
""
ARN of an IAM role that grants Amazon CloudWatch Logs permissions to deliver ingested log events to the destination. Only applicable when cloudwatch_log_group_subscription_destination_arn
is a kinesis stream.
null
cloudwatch_log_group_tags
map(string)Tags to apply on the CloudWatch Log Group, encoded as a map where the keys are tag keys and values are tag values.
null
container_cpu
numberThe default CPU units for the instances that Fargate will spin up. The invoker allows users to override the CPU at run time, but this value will be used if the user provides no value for the CPU. Options here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html#fargate-tasks-size.
1024
The default launch type of the ECS deploy runner workers. This launch type will be used if it is not overridden during invocation of the lambda function. Must be FARGATE or EC2.
"FARGATE"
container_max_cpu
numberThe maximum CPU units that is allowed to be specified by the user when invoking the deploy runner with the Lambda function.
2048
container_max_memory
numberThe maximum memory units that is allowed to be specified by the user when invoking the deploy runner with the Lambda function.
8192
container_memory
numberThe default memory units for the instances that Fargate will spin up. The invoker allows users to override the memory at run time, but this value will be used if the user provides no value for memory. Options here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html#fargate-tasks-size.
4096
custom_tags
map(string)A map of custom tags to apply to all the resources created in this module. The key is the tag name and the value is the tag value.
{}
Example
{
key1 = "value1"
key2 = "value2"
}
ec2_worker_pool_configuration
object(…)Worker configuration of a EC2 worker pool for the ECS cluster. If null, no EC2 worker pool will be allocated and the deploy runner will be in Fargate only mode.
object({
# The minimum number of EC2 Instances launchable for this ECS Cluster. Useful for auto-scaling limits.
min_size = number
# The maximum number of EC2 Instances that must be running for this ECS Cluster. We recommend making this twice
# min_size, even if you don't plan on scaling the cluster up and down, as the extra capacity will be used to
# deploy updates to the cluster.
max_size = number
# AMI to use for launching the EC2 instances for the ECS cluster.
ami = string
# Instance type (e.g. t2.micro) to use for the EC2 instances. We recommend using at least large class instances.
instance_type = string
# The User Data script to run on each of the ECS Cluster's EC2 Instances on their first boot. Set to null if there
# is no boot script to run. Use user_data for setting a single plain text script, and user_data_base64 if you want
# to use cloud-init boot scripts.
user_data = string
user_data_base64 = string
})
null
Details
AMI to use for launching the EC2 instances for the ECS cluster.
Details
Instance type (e.g. t2.micro) to use for the EC2 instances. We recommend using at least large class instances.
Details
The User Data script to run on each of the ECS Cluster's EC2 Instances on their first boot. Set to null if there
is no boot script to run. Use user_data for setting a single plain text script, and user_data_base64 if you want
to use cloud-init boot scripts.
The ARN of the policy that is used to set the permissions boundary for the ECS Task Execution IAM role. This policy should be created outside of this module.
null
Set the maximum session duration for the ECS Task execution IAM role. 2h by default.
7200
Set the maximum session duration for the ECS Task IAM role. 2h by default.
7200
The ARN of the policy that is used to set the permissions boundary for the ECS Task IAM role. This policy should be created outside of this module.
null
When true, enable container insights for the ECS cluster. This will enable the collection of metrics and logs for the cluster. Note that this will incur additional charges.
false
The ID (ARN, alias ARN, AWS ID) of a customer managed KMS Key to use for encrypting log data for the invoker lambda function.
null
The number of days to retain log events in the log group for the invoker lambda function. Refer to https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#retention_in_days for all the valid values. When null, the log events are retained forever.
null
invoker_lambda_cloudwatch_log_group_tags
map(string)Tags to apply on the CloudWatch Log Group for the invoker lambda function, encoded as a map where the keys are tag keys and values are tag values.
null
invoker_lambda_loglevel
stringSet the logging level of the invoker lambda function. Must be one of debug, info, warn, error.
"info"
The amount of reserved concurrent executions for the invoker lambda function. Set to -1 to explicitly denote concurrent executions are unreserved.
null
The ARN of the policy that is used to set the permissions boundary for the invoker lambda function's execution role. This policy should be created outside of this module.
null
When true, precreate the CloudWatch Log Group to use for log aggregation from the invoker lambda function execution. This is useful if you wish to customize the CloudWatch Log Group with various settings such as retention periods and KMS encryption. When false, AWS Lambda will automatically create a basic log group to use.
true
name
stringName of this instance of the deploy runner stack. Used to namespace all resources.
"ecs-deploy-runner"
When non-null, set the security group name of the ECS Deploy Runner ECS Task to this string. When null, a unique name will be generated by Terraform to avoid conflicts when deploying multiple instances of the ECS Deploy Runner.
null
The ARN of a AWS Secrets Manager secret containing credentials to access the private repository. See the docs for details on the format of the secret: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html. Note that appropriate secrets manager permissions need to be added to the task execution role for this to work.
null
ARN of the KMS Key used to encrypt the AWS Secrets Manager entries. Note that if this variable is provided, this module will grant read and decrypt access to the KMS key to the ECS task. Only required if a custom KMS key was used to encrypt the secrets manager entry.
null
When true, precreate the CloudWatch Log Group to use for log aggregation from the ECS Task execution. This is useful if you wish to customize the CloudWatch Log Group with various settings such as retention periods and KMS encryption. When false, AWS ECS will automatically create a basic log group to use.
true
When true, all IAM policies will be managed as dedicated policies rather than inline policies attached to the IAM roles. Dedicated managed policies are friendlier to automated policy checkers, which may scan a single resource for findings. As such, it is important to avoid inline policies when targeting compliance with various security standards.
true
Name of the CloudWatch Log Group used to store the log output from the Deploy Runner ECS task.
AWS ARN of the default ECS Task Definition. Can be used to trigger the ECS Task directly.
AWS ARN of the ECS Cluster that can be used to run the deploy runner task.
Name of the Autoscaling Group associated with the EC2 worker pool of the ECS Cluster that can be used to run the deploy runner task.
AWS ARN and name of the IAM role associated with the EC2 worker pool of the ECS Cluster that can be used to run the deploy runner task.
Map of AWS ARNs of the ECS Task Definition. Each entry corresponds to an entry in the container_images
input map, with the keys aligned.
ECS Task execution role ARN
Map of the families of the ECS Task Definition that is currently live. Each entry corresponds to an entry in the container_images
input map, with the keys aligned.
Map of AWS ARNs and names of the IAM role that will be attached to the ECS task to grant it access to AWS resources. Each container will have its own IAM role, and each entry in this map corresponds to an entry in the container_images
input map, with the keys aligned.
Map of the current revision of the ECS Task Definition that is live. Each entry corresponds to an entry in the container_images
input map, with the keys aligned.
AWS ARN of the invoker lambda function that can be used to invoke a deployment.
Name of the invoker lambda function that can be used to invoke a deployment.
Security Group ID of the ECS task