Initial commit

Author: goruha

.github/settings.yml

@@ -1,11 +1,7 @@
 # Upstream changes from _extends are only recognized when modifications are made to this file in the default branch.
 _extends: .github
 repository:
-  name: template
-  description: Template for Terraform Components
+  name: aws-ecs-service
+  description: This component is responsible for creating an ECS service
   homepage: https://cloudposse.com/accelerate
   topics: terraform, terraform-component
-
-
-
-

CHANGELOG.md

@@ -0,0 +1,11 @@
+## PR [#1008](https://github.com/cloudposse/terraform-aws-components/pull/1008)
+
+### Possible Breaking Change
+
+- Refactored how S3 Task Definitions and the Terraform Task definition are merged.
+  - Introduced local `local.containers_priority_terraform` to be referenced whenever terraform Should take priority
+  - Introduced local `local.containers_priority_s3` to be referenced whenever S3 Should take priority
+- `map_secrets` pulled out from container definition to local where it can be better maintained. Used Terraform as
+  priority as it is a calculated as a map of arns.
+- `s3_mirror_name` now automatically uploads a task-template.json to s3 mirror where it can be pulled from GitHub
+  Actions.

README.yaml

@@ -0,0 +1,66 @@
+// Service Connect
+
+module "cloudmap_namespace" {
+  for_each = { for service_connect in var.service_connect_configurations : service_connect.namespace => service_connect }
+
+  source  = "cloudposse/stack-config/yaml//modules/remote-state"
+  version = "1.5.0"
+
+  component = each.key
+
+  # we ignore errors because the namespace may be a name or an arn of a namespace for the service.
+  ignore_errors = true
+  context       = module.this.context
+}
+
+locals {
+  valid_cloudmap_namespaces      = { for k, v in module.cloudmap_namespace : k => v if v.outputs != null }
+  service_connect_configurations = [for service_connect in var.service_connect_configurations : merge(service_connect, { namespace = try(local.valid_cloudmap_namespaces[service_connect.namespace].outputs.name, service_connect.namespace) })]
+}
+// ------------------------------
+
+// Service Discovery
+
+module "cloudmap_namespace_service_discovery" {
+  for_each = { for service_connect in var.service_registries : service_connect.namespace => service_connect }
+
+  source  = "cloudposse/stack-config/yaml//modules/remote-state"
+  version = "1.5.0"
+
+  component = each.key
+
+  # we ignore errors because the namespace may be a name or an arn of a namespace for the service.
+  ignore_errors = true
+  context       = module.this.context
+}
+
+locals {
+  valid_cloudmap_service_discovery_namespaces = { for k, v in module.cloudmap_namespace_service_discovery : k => v if v.outputs != null }
+  service_discovery_configurations            = [for service_registry in var.service_registries : merge(service_registry, { namespace = try(local.valid_cloudmap_service_discovery_namespaces[service_registry.namespace].outputs.name, service_registry.namespace) })]
+  service_config_with_id                      = { for service_registry in var.service_registries : service_registry.namespace => merge(service_registry, { id = try(local.valid_cloudmap_service_discovery_namespaces[service_registry.namespace].outputs.id, null) }) }
+  service_discovery = [for value in var.service_registries : merge(value, {
+    registry_arn = aws_service_discovery_service.default[value.namespace].arn
+  })]
+}
+
+resource "aws_service_discovery_service" "default" {
+  for_each = local.service_config_with_id
+  name     = module.this.name
+
+  dns_config {
+    namespace_id = each.value.id
+
+    dns_records {
+      ttl  = 10
+      type = "A"
+    }
+
+    routing_policy = "MULTIVALUE"
+  }
+
+  health_check_custom_config {
+    failure_threshold = 1
+  }
+}
+
+// ------------------------------

src/cloud-map.tf

@@ -0,0 +1,156 @@
+variable "datadog_agent_sidecar_enabled" {
+  type        = bool
+  default     = false
+  description = "Enable the Datadog Agent Sidecar"
+}
+
+variable "datadog_log_method_is_firelens" {
+  type        = bool
+  default     = false
+  description = "Datadog logs can be sent via cloudwatch logs (and lambda) or firelens, set this to true to enable firelens via a sidecar container for fluentbit"
+}
+
+variable "datadog_sidecar_containers_logs_enabled" {
+  type        = bool
+  default     = true
+  description = "Enable the Datadog Agent Sidecar to send logs to aws cloudwatch group, requires `datadog_agent_sidecar_enabled` to be true"
+}
+
+variable "datadog_logging_tags" {
+  type        = map(string)
+  default     = null
+  description = "Tags to add to all logs sent to Datadog"
+}
+
+variable "datadog_logging_default_tags_enabled" {
+  type        = bool
+  default     = true
+  description = "Add Default tags to all logs sent to Datadog"
+}
+
+locals {
+  default_datadog_tags = var.datadog_logging_default_tags_enabled ? {
+    env     = module.this.stage
+    account = format("%s-%s-%s", module.this.tenant, module.this.environment, module.this.stage)
+  } : null
+
+  all_dd_tags = join(",", [for k, v in merge(local.default_datadog_tags, var.datadog_logging_tags) : format("%s:%s", k, v)])
+
+  datadog_logconfiguration_firelens = {
+    logDriver = "awsfirelens"
+    options = var.datadog_agent_sidecar_enabled ? {
+      Name           = "datadog",
+      apikey         = module.datadog_configuration.datadog_api_key,
+      Host           = format("http-intake.logs.%s", module.datadog_configuration.datadog_site)
+      dd_service     = module.this.name,
+      dd_tags        = local.all_dd_tags,
+      dd_source      = "ecs",
+      dd_message_key = "log",
+      TLS            = "on",
+      provider       = "ecs"
+    } : {}
+  }
+}
+
+module "datadog_sidecar_logs" {
+  source  = "cloudposse/cloudwatch-logs/aws"
+  version = "0.6.6"
+
+  # if we are using datadog firelens we don't need to create a log group
+  count = local.enabled && var.datadog_agent_sidecar_enabled && var.datadog_sidecar_containers_logs_enabled ? 1 : 0
+
+  stream_names      = lookup(var.logs, "stream_names", [])
+  retention_in_days = lookup(var.logs, "retention_in_days", 90)
+
+  principals = merge({
+    Service = ["ecs.amazonaws.com", "ecs-tasks.amazonaws.com"]
+  }, lookup(var.logs, "principals", {}))
+
+  additional_permissions = concat([
+    "logs:CreateLogStream",
+    "logs:DeleteLogStream",
+  ], lookup(var.logs, "additional_permissions", []))
+
+  context = module.this.context
+}
+
+module "datadog_container_definition" {
+  source  = "cloudposse/ecs-container-definition/aws"
+  version = "0.58.1"
+
+  count = local.enabled && var.datadog_agent_sidecar_enabled ? 1 : 0
+
+  container_cpu    = 256
+  container_memory = 512
+  container_name   = "datadog-agent"
+  container_image  = "public.ecr.aws/datadog/agent:latest"
+  essential        = true
+  map_environment = {
+    "ECS_FARGATE"                          = var.task.launch_type == "FARGATE" ? true : false
+    "DD_API_KEY"                           = module.datadog_configuration.datadog_api_key
+    "DD_SITE"                              = module.datadog_configuration.datadog_site
+    "DD_ENV"                               = module.this.stage
+    "DD_LOGS_ENABLED"                      = true
+    "DD_LOGS_CONFIG_CONTAINER_COLLECT_ALL" = true
+    "SD_BACKEND"                           = "docker"
+    "DD_PROCESS_AGENT_ENABLED"             = true
+    "DD_DOGSTATSD_NON_LOCAL_TRAFFIC"       = true
+    "DD_APM_ENABLED"                       = true
+    "DD_CONTAINER_LABELS_AS_TAGS" = jsonencode({
+      "org.opencontainers.image.revision" = "version"
+    })
+  }
+
+  // Datadog DogStatsD/tracing ports
+  port_mappings = [{
+    containerPort = 8125
+    hostPort      = 8125
+    protocol      = "udp"
+    }, {
+    containerPort = 8126
+    hostPort      = 8126
+    protocol      = "tcp"
+  }]
+
+  log_configuration = var.datadog_sidecar_containers_logs_enabled ? {
+    logDriver = "awslogs"
+    options = {
+      "awslogs-group"         = one(module.datadog_sidecar_logs[*].log_group_name)
+      "awslogs-region"        = var.region
+      "awslogs-stream-prefix" = "datadog-agent"
+    }
+  } : null
+}
+
+module "datadog_fluent_bit_container_definition" {
+  source  = "cloudposse/ecs-container-definition/aws"
+  version = "0.58.1"
+
+  count = local.enabled && var.datadog_agent_sidecar_enabled ? 1 : 0
+
+  container_cpu    = 256
+  container_memory = 512
+  container_name   = "datadog-log-router"
+  # From Datadog Support:
+  # In this case, the newest container image with the latest tag (corresponding to version 2.29.0) looks like it is crashing for certain customers, which is causing the Task to deprovision.
+  # Note: We recommend customers to use the stable tag for this type of reason
+  container_image = "amazon/aws-for-fluent-bit:stable"
+  essential       = true
+  firelens_configuration = {
+    type = "fluentbit"
+    options = {
+      config-file-type        = "file",
+      config-file-value       = "/fluent-bit/configs/parse-json.conf",
+      enable-ecs-log-metadata = "true"
+    }
+  }
+
+  log_configuration = var.datadog_sidecar_containers_logs_enabled ? {
+    logDriver = "awslogs"
+    options = {
+      "awslogs-group"         = one(module.datadog_sidecar_logs[*].log_group_name)
+      "awslogs-region"        = var.region
+      "awslogs-stream-prefix" = "datadog-log-router"
+    }
+  } : null
+}