locals {
  # Container-definitions template text: the caller-supplied
  # var.service_task_container_definitions when it is set (coalesce skips null
  # and empty strings), otherwise the module's bundled
  # container-definitions/service.json.tpl.
  service_task_container_definitions_template = coalesce(
    var.service_task_container_definitions,
  file("${path.module}/container-definitions/service.json.tpl"))

  # Final container definitions: the template with each placeholder replaced.
  # "$${name}" is the HCL escape for the literal text ${name}, so these are
  # plain string substitutions, not Terraform interpolation.
  #
  # The calls nest, so substitution runs innermost first: name, image, command,
  # port, region, log_group, cpu, memory. A value inserted by an earlier step is
  # scanned again by the later ones.
  #
  # Only var.service_command goes through jsonencode. Every other value is
  # inserted as-is, so the template has to supply any surrounding quotes, and a
  # value containing a double quote or a later placeholder token changes the
  # resulting JSON.
  # NOTE(review): if service_name or service_image can come from a less-trusted
  # source, constrain them with variable validation - confirm against callers.
  #
  # The log group is read from aws_cloudwatch_log_group.service[0] only when
  # var.include_log_group is true; otherwise the placeholder becomes "".
  resolved_service_task_container_definitions = replace(
    replace(
      replace(
        replace(
          replace(
            replace(
              replace(
                replace(
                  local.service_task_container_definitions_template,
                "$${name}", var.service_name),
              "$${image}", var.service_image),
            "$${command}", jsonencode(var.service_command)),
          "$${port}", var.service_port),
        "$${region}", var.region),
      "$${log_group}", var.include_log_group ? aws_cloudwatch_log_group.service[0].name : ""),
    "$${cpu}", var.service_task_cpu),
  "$${memory}", var.service_task_memory)
}
# Fallback execution role for the task definition. It is referenced only when
# the caller does not pass var.task_execution_role_arn.
resource "aws_iam_role" "default_task_execution_role" {
  description = "default-task-execution-role-${var.component}-${var.deployment_identifier}-${var.service_name}"

  # Build the replacement role before removing the old one, so anything that
  # references this role always has a role to point at.
  lifecycle {
    create_before_destroy = true
  }

  # Trust policy: only the ECS tasks service principal may assume this role.
  # The statement carries no Condition block, so it is not narrowed by source
  # account or source ARN.
  assume_role_policy = jsonencode({
    Statement = [
      {
        Sid    = ""
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "ecs-tasks.amazonaws.com"
        }
      }
    ]
    Version = "2012-10-17"
  })
}
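# Permissions for the module-created default task execution role: pull images
# from ECR and write container logs to CloudWatch Logs.
data "aws_iam_policy_document" "default_task_execution_policy" {
  statement {
    sid = "1"

    actions = [
      "ecr:GetAuthorizationToken",
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "logs:CreateLogStream",
      "logs:PutLogEvents"
    ]

    # Every action above is an ECR or CloudWatch Logs action, so an S3 ARN
    # pattern such as "arn:aws:s3:::*" never matches them and the statement
    # would grant nothing. ecr:GetAuthorizationToken has no resource-level
    # permissions and must be granted on "*". This is the same resource scope
    # as the AWS managed AmazonECSTaskExecutionRolePolicy.
    # NOTE(review): the image-pull and log actions could be moved to separate
    # statements scoped to specific repository and log-group ARNs if the
    # module is given them.
    resources = [
      "*",
    ]
  }
}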
# Inline policy attaching the rendered default execution policy document to the
# default task execution role.
resource "aws_iam_role_policy" "default_task_execution_role_policy" {
  policy = data.aws_iam_policy_document.default_task_execution_policy.json
  role   = aws_iam_role.default_task_execution_role.id
}
# ECS task definition for the service. The Fargate-only arguments are set when
# var.use_fargate is true and null otherwise.
resource "aws_ecs_task_definition" "service" {
  family                = "${var.component}-${var.service_name}-${var.deployment_identifier}"
  container_definitions = local.resolved_service_task_container_definitions

  # Role the application containers run as, supplied by the caller.
  task_role_arn = var.service_role

  # Role used to start the task. On Fargate it is the caller's
  # var.task_execution_role_arn when one is given, otherwise the module's
  # default role. Off Fargate no execution role is set at all, even if the
  # caller passed one.
  execution_role_arn = var.use_fargate ? (
    var.task_execution_role_arn != null
    ? var.task_execution_role_arn
    : aws_iam_role.default_task_execution_role.arn
  ) : null

  # Fargate always uses awsvpc networking; other launch types use the
  # caller's network mode.
  network_mode = var.use_fargate ? "awsvpc" : var.service_task_network_mode

  # Passed through unchanged from the caller.
  # NOTE(review): a value of "host" shares the host's process namespace with
  # the task - check which callers set it.
  pid_mode = var.service_task_pid_mode

  requires_compatibilities = var.use_fargate ? ["FARGATE"] : null
  cpu                      = var.use_fargate ? var.service_task_cpu : null
  memory                   = var.use_fargate ? var.service_task_memory : null

  runtime_platform {
    cpu_architecture        = var.use_fargate ? var.service_task_cpu_architecture : null
    operating_system_family = var.use_fargate ? var.service_task_operating_system_family : null
  }

  # Emit one ephemeral_storage block only for Fargate tasks that have a size
  # configured.
  dynamic "ephemeral_storage" {
    for_each = (var.use_fargate && var.service_task_ephemeral_storage != null) ? [var.service_task_ephemeral_storage] : []

    content {
      size_in_gib = ephemeral_storage.value
    }
  }

  # One volume block per entry in var.service_volumes. host_path is optional;
  # when present it is taken from the caller as-is, so the caller decides
  # which host directory the task can reach.
  dynamic "volume" {
    for_each = var.service_volumes

    content {
      host_path = lookup(volume.value, "host_path", null)
      name      = volume.value.name
    }
  }
}