Amazon ECS 1.2.0 (last updated in version 1.1.0)

ECS Daemon Service Module

This Terraform Module creates an ECS Daemon Service that you can use to deploy exactly one task on each active container instance that meets all of the task placement constraints specified in your cluster.

What is an ECS Daemon Service?

To run Docker daemon containers with ECS, you first define an ECS Task, which is a JSON file that describes what container(s) to run, the resources (memory, CPU) those containers need, the volumes to mount, the environment variables to set, and so on. To actually run an ECS Task, you define an ECS Daemon Service, which will:

  1. Deploy exactly one task on each active container instance.
  2. Restart tasks if they fail.

How do you create an ECS cluster?

To use ECS, you first deploy one or more EC2 Instances into a "cluster". See the ecs-cluster module for how to create a cluster.

How do you add additional IAM policies?

If you associate this ECS Service with a single ELB, then we create an IAM Role and associated IAM Policies that allow the ECS Service to talk to the ELB. To add additional IAM policies to this IAM Role, you can use the aws_iam_role_policy or aws_iam_policy_attachment resources, and set the IAM role id to the Terraform output of this module called service_iam_role_id. For example, here is how you can allow the ECS Service in this cluster to access an S3 bucket:

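module "ecs_daemon_service" {
  # (arguments omitted)
}

resource "aws_iam_role_policy" "access_s3_bucket" {
  name = "access_s3_bucket"

  # aws_iam_role_policy expects the role id (name), not its ARN, so use the
  # service_iam_role_id output described above.
  role = module.ecs_daemon_service.service_iam_role_id

  # Inline policy: read-only access to objects in the example bucket.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::examplebucket/*"
    }
  ]
}
EOF
}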
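
An added example, not part of the Gruntwork module or its documentation: the managed-policy variant of the snippet above. It uses aws_iam_role_policy_attachment rather than aws_iam_policy_attachment, because the latter manages a policy's attachments exclusively across the whole account and will detach the policy from roles declared elsewhere. The bucket prefix, the policy name and the aws:SecureTransport condition are assumptions, and service_iam_role_id is assumed to hold the role name.

```hcl
# Added example (not Gruntwork's code). Refers to the "ecs_daemon_service"
# module instance declared as in the snippet above.

# Build the policy with a data source so Terraform checks its structure at
# plan time instead of passing an opaque JSON string to AWS.
data "aws_iam_policy_document" "read_daemon_config" {
  statement {
    sid     = "ReadDaemonConfig"
    effect  = "Allow"
    actions = ["s3:GetObject"]

    # Placeholder prefix: grant only the objects the daemon needs rather than
    # every object in the bucket.
    resources = ["arn:aws:s3:::examplebucket/daemon-config/*"]

    # Assumption: the daemon only ever reads over TLS, so plaintext requests
    # are not covered by this Allow.
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["true"]
    }
  }
}

# Standalone managed policy, reusable and visible in IAM on its own.
resource "aws_iam_policy" "read_daemon_config" {
  name   = "read-daemon-config" # placeholder name
  policy = data.aws_iam_policy_document.read_daemon_config.json
}

# Non-exclusive attachment: adds this policy to the service role without
# touching the policy's attachments to any other role, user or group.
resource "aws_iam_role_policy_attachment" "read_daemon_config" {
  role       = module.ecs_daemon_service.service_iam_role_id
  policy_arn = aws_iam_policy.read_daemon_config.arn
}
```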

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S ECS-DAEMON-SERVICE MODULE
# ------------------------------------------------------------------------------------------------------

module "ecs_daemon_service" {

  source = "git::git@github.com:gruntwork-io/terraform-aws-ecs.git//modules/ecs-daemon-service?ref=v1.2.0"

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # The Amazon Resource Name (ARN) of the ECS Cluster where this service should
  # run.
  ecs_cluster_arn = <string>

  # The JSON text of the ECS Task Container Definitions. This portion of the ECS
  # Task Definition defines the Docker container(s) to be run along with all
  # their properties. It should adhere to the format described at
  # https://goo.gl/ob5U3g.
  ecs_task_container_definitions = <string>

  # The name of the service. This is used to namespace all resources created by
  # this module.
  service_name = <string>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # A list of additional principals who can assume the task and task execution
  # roles
  additional_task_assume_role_policy_principals = []

  # ECS automatically redistributes tasks within a service across Availability
  # Zones (AZs) to mitigate the risk of impaired application availability due to
  # underlying infrastructure failures and task lifecycle activities. The valid
  # values are ENABLED and DISABLED. Defaults to DISABLED.
  availability_zone_rebalancing = "DISABLED"

  # Prefix for name of the IAM role used by the ECS task. If not provided, will
  # be set to var.service_name.
  custom_iam_role_name_prefix = null

  # A map of tags to apply to all resources created by this module. Each item in
  # this list should be a map with the parameters key and value.
  custom_tags = {}

  # Prefix for name of iam role and policy that allows cloudwatch and ecr access
  custom_task_execution_name_prefix = null

  # Type of deployment controller, possible values: CODE_DEPLOY, ECS, EXTERNAL
  deployment_controller = null

  # (Optional) The lower limit (as a percentage of the service's desiredCount)
  # of the number of running tasks that must remain running and healthy in a
  # service during a deployment
  deployment_minimum_healthy_percent = null

  # The Docker networking mode to use for the containers in the task. The valid
  # values are none, bridge, awsvpc, and host
  ecs_task_definition_network_mode = "bridge"

  # The process namespace to use for the containers in the task. The valid
  # values are host and task.
  ecs_task_definition_pid_mode = "task"

  # The launch type on which to run your service. The valid values are EC2 and
  # FARGATE. Defaults to EC2
  launch_type = "EC2"

  placement_constraint_expression = "attribute:ecs.ami-id != 'ami-fake'"

  placement_constraint_type = "memberOf"

  # Whether tags should be propagated to the tasks from the service or from the
  # task definition. Valid values are SERVICE and TASK_DEFINITION. Defaults to
  # SERVICE. If set to null, no tags are created for tasks.
  propagate_tags = "SERVICE"

  # Use this variable to adjust the default timeout of 20m for create and update
  # operations on the ECS service. Adjusting the value can be particularly
  # useful when using 'wait_for_steady_state'.
  service_create_update_timeout = "20m"

  # A map of tags to apply to the ECS service. Each item in this list should be
  # a map with the parameters key and value.
  service_tags = {}

  # A map of tags to apply to the task definition. Each item in this list should
  # be a map with the parameters key and value.
  task_definition_tags = {}

  # The ARN of the policy that is used to set the permissions boundary for the
  # IAM role for the ECS task execution.
  task_execution_role_permissions_boundary_arn = null

  # The ARN of the policy that is used to set the permissions boundary for the
  # IAM role for the ECS task.
  task_role_permissions_boundary_arn = null

  # (Optional) A map of volume blocks that containers in your task may use. The
  # key should be the name of the volume and the value should be a map
  # compatible with
  # https://www.terraform.io/docs/providers/aws/r/ecs_task_definition.html#volume-block-arguments,
  # but not including the name parameter.
  volumes = {}

  # If true, Terraform will wait for the service to reach a steady state—as in,
  # the ECS tasks you wanted are actually deployed—before 'apply' is considered
  # complete.
  wait_for_steady_state = true

}


Reference

Required

ecs_cluster_arn (string, required)

The Amazon Resource Name (ARN) of the ECS Cluster where this service should run.

ecs_task_container_definitions (string, required)

The JSON text of the ECS Task Container Definitions. This portion of the ECS Task Definition defines the Docker container(s) to be run along with all their properties. It should adhere to the format described at https://goo.gl/ob5U3g.

service_name (string, required)

The name of the service. This is used to namespace all resources created by this module.

Optional

additional_task_assume_role_policy_principals (optional)

A list of additional principals who can assume the task and task execution roles

[]

availability_zone_rebalancing (optional)

ECS automatically redistributes tasks within a service across Availability Zones (AZs) to mitigate the risk of impaired application availability due to underlying infrastructure failures and task lifecycle activities. The valid values are ENABLED and DISABLED. Defaults to DISABLED.

"DISABLED"

custom_iam_role_name_prefix (optional)

Prefix for name of the IAM role used by the ECS task. If not provided, will be set to service_name.

null

custom_tags (map(string), optional)

A map of tags to apply to all resources created by this module. Each item in this list should be a map with the parameters key and value.

{}

custom_task_execution_name_prefix (optional)

Prefix for name of iam role and policy that allows cloudwatch and ecr access

null

deployment_controller (string, optional)

Type of deployment controller, possible values: CODE_DEPLOY, ECS, EXTERNAL

null

deployment_minimum_healthy_percent (optional)

(Optional) The lower limit (as a percentage of the service's desiredCount) of the number of running tasks that must remain running and healthy in a service during a deployment

null

ecs_task_definition_network_mode (optional)

The Docker networking mode to use for the containers in the task. The valid values are none, bridge, awsvpc, and host

"bridge"

ecs_task_definition_pid_mode (optional)

The process namespace to use for the containers in the task. The valid values are host and task.

"task"

launch_type (string, optional)

The launch type on which to run your service. The valid values are EC2 and FARGATE. Defaults to EC2

"EC2"

placement_constraint_expression (optional)

"attribute:ecs.ami-id != 'ami-fake'"

placement_constraint_type (optional)

"memberOf"

propagate_tags (string, optional)

Whether tags should be propagated to the tasks from the service or from the task definition. Valid values are SERVICE and TASK_DEFINITION. Defaults to SERVICE. If set to null, no tags are created for tasks.

"SERVICE"

service_create_update_timeout (optional)

Use this variable to adjust the default timeout of 20m for create and update operations on the ECS service. Adjusting the value can be particularly useful when using 'wait_for_steady_state'.

"20m"

service_tags (map(string), optional)

A map of tags to apply to the ECS service. Each item in this list should be a map with the parameters key and value.

{}

task_definition_tags (map(string), optional)

A map of tags to apply to the task definition. Each item in this list should be a map with the parameters key and value.

{}

task_execution_role_permissions_boundary_arn (optional)

The ARN of the policy that is used to set the permissions boundary for the IAM role for the ECS task execution.

null

task_role_permissions_boundary_arn (optional)

The ARN of the policy that is used to set the permissions boundary for the IAM role for the ECS task.

null

volumes (any, optional)

(Optional) A map of volume blocks that containers in your task may use. The key should be the name of the volume and the value should be a map compatible with https://www.terraform.io/docs/providers/aws/r/ecs_task_definition.html#volume-block-arguments, but not including the name parameter.

Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo.

{}

Example

   volumes = {
     datadog = {
       host_path = "/var/run/datadog"
     }

     logs = {
       host_path = "/var/log"
       docker_volume_configuration = {
         scope         = "shared"
         autoprovision = true
         driver        = "local"
       }
     }
   }

wait_for_steady_state (optional)

If true, Terraform will wait for the service to reach a steady state—as in, the ECS tasks you wanted are actually deployed—before 'apply' is considered complete.

true