Add initial module configuration

Author: marcincuber

.pre-commit-config.yaml

@@ -0,0 +1,25 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v2.5.0
+  hooks:
+  - id: check-added-large-files
+    args: ['--maxkb=500']
+  - id: check-executables-have-shebangs
+  - id: pretty-format-json
+    args: ['--autofix', '--no-sort-keys', '--indent=2']
+  - id: check-byte-order-marker
+  - id: check-case-conflict
+  - id: check-executables-have-shebangs
+  - id: check-merge-conflict
+  - id: check-symlinks
+  - id: detect-private-key
+  - id: check-merge-conflict
+  - id: detect-aws-credentials
+    args: ['--allow-missing-credentials']
+  - id: trailing-whitespace
+- repo: git://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.27.0
+  hooks:
+  - id: terraform_fmt
+  - id: terraform_docs
+  - id: terraform_tflint

LICENSE

@@ -0,0 +1,11 @@
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

Makefile

@@ -0,0 +1,16 @@
+ifneq (,)
+.error This Makefile requires GNU Make.
+endif
+
+.PHONY: hooks validate
+
+help:
+	@grep -E '^[a-zA-Z0-9_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
+hooks: ## Commit hooks setup
+	@pre-commit install
+	@pre-commit gc
+	@pre-commit autoupdate
+
+validate: ## Validate files with pre-commit hooks
+	@pre-commit run --all-files

README.md

@@ -1,2 +1,87 @@
 # terraform-aws-ecs-fargate-task-definition
 Terraform module to create AWS ECS Fargate Task Definition
+
+## Terraform versions
+
+Terraform 0.12. Pin module version to `~> v1.0`. Submit pull-requests to `master` branch.
+
+## Usage
+
+```hcl
+module "ecs-task-definition" {
+	...
+}
+```
+
+## Assumptions
+
+Module is to be used with Terraform > 0.12.
+
+## Examples
+
+* [Example]()
+
+## Authors
+
+Module managed by [Marcin Cuber](https://github.com/marcincuber) [LinkedIn](https://www.linkedin.com/in/marcincuber/).
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| cloudwatch\_log\_group\_name | CloudWatch log group name required to enabled logDriver in container definitions for ecs task. | map(string) | n/a | yes |
+| container\_name | Optional name for the container to be used instead of name\_prefix. | string | `""` | no |
+| name\_prefix | A prefix used for naming resources. | string | n/a | yes |
+| placement\_constraints | \(Optional\) A set of placement constraints rules that are taken into consideration during task placement. Maximum number of placement\_constraints is 10. This is a list of maps, where each map should contain "type" and "expression" | list | `[]` | no |
+| proxy\_configuration | \(Optional\) The proxy configuration details for the App Mesh proxy. This is a list of maps, where each map should contain "container\_name", "properties" and "type" | list | `[]` | no |
+| repository\_credentials | name or ARN of a secrets manager secret \(arn:aws:secretsmanager:region:aws\_account\_id:secret:secret\_name\) | string | `""` | no |
+| repository\_credentials\_kms\_key | key id, key ARN, alias name or alias ARN of the key that encrypted the repository credentials | string | `"alias/aws/secretsmanager"` | no |
+| tags | A map of tags \(key-value pairs\) passed to resources. | map(string) | `{}` | no |
+| task\_container\_command | The command that is passed to the container. | list(string) | `[]` | no |
+| task\_container\_environment | The environment variables to pass to a container. | map(string) | `{}` | no |
+| task\_container\_image | The image used to start a container. | string | n/a | yes |
+| task\_container\_port | The port number on the container that is bound to the user-specified or automatically assigned host port | number | n/a | yes |
+| task\_definition\_cpu | Amount of CPU to reserve for the task. | number | `"256"` | no |
+| task\_definition\_memory | The soft limit \(in MiB\) of memory to reserve for the container. | number | `"512"` | no |
+| task\_host\_port | The port number on the container instance to reserve for your container. | number | `"0"` | no |
+| volume | \(Optional\) A set of volume blocks that containers in your task may use. This is a list of maps, where each map should contain "name", "host\_path" and "docker\_volume\_configuration". Full set of options can be found at https://www.terraform.io/docs/providers/aws/r/ecs\_task\_definition.html | list | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| container\_port | Port on which the container is listening. |
+| execution\_role\_arn | The Amazon Resource Name \(ARN\) of execution role. |
+| execution\_role\_create\_date | The creation date of the IAM role. |
+| execution\_role\_id | The ID of the execution role. |
+| execution\_role\_name | The name of the execution service role. |
+| execution\_role\_unique\_id | The stable and unique string identifying the role. |
+| task\_definition\_arn | Full ARN of the Task Definition \(including both family and revision\). |
+| task\_definition\_family | The family of the Task Definition. |
+| task\_definition\_td\_revision | The revision of the task in a particular family. |
+| task\_role\_arn | The Amazon Resource Name \(ARN\) specifying the ECS service role. |
+| task\_role\_create\_date | The creation date of the IAM role. |
+| task\_role\_id | The ID of the role. |
+| task\_role\_name | The name of the Fargate task service role. |
+| task\_role\_unique\_id | The stable and unique string identifying the role. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## License
+
+See LICENSE for full details.
+
+## Pre-commit hooks
+
+### Install dependencies
+
+* [`pre-commit`](https://pre-commit.com/#install)
+* [`terraform-docs`](https://github.com/segmentio/terraform-docs) required for `terraform_docs` hooks.
+* [`TFLint`](https://github.com/terraform-linters/tflint) required for `terraform_tflint` hook.
+
+#### MacOS
+
+```bash
+brew install pre-commit terraform-docs tflint
+```

data.tf

@@ -0,0 +1,46 @@
+data "aws_region" "current" {}
+
+data "aws_iam_policy_document" "assume_role_policy" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "task_permissions" {
+  statement {
+    effect = "Allow"
+
+    resources = ["*"]
+
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents"
+    ]
+  }
+}
+
+data "aws_kms_key" "secretsmanager_key" {
+  key_id = var.repository_credentials_kms_key
+}
+
+data "aws_iam_policy_document" "read_repository_credentials" {
+  statement {
+    effect = "Allow"
+
+    resources = [
+      var.repository_credentials,
+      data.aws_kms_key.secretsmanager_key.arn,
+    ]
+
+    actions = [
+      "secretsmanager:GetSecretValue",
+      "kms:Decrypt",
+    ]
+  }
+}

examples/core/README.md

@@ -0,0 +1,9 @@
+
+## Example deployment flow
+
+```bash
+terraform init
+terraform validate
+terraform plan
+terraform apply --auto-approve
+```

examples/core/main.tf

@@ -0,0 +1,21 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+#####
+# VPC and subnets
+#####
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 2.21"
+
+  name = "simple-vpc"
+
+  cidr = "10.0.0.0/16"
+
+  azs             = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+  enable_nat_gateway = false
+}

main.tf

@@ -0,0 +1,130 @@
+#####
+# Execution IAM Role
+#####
+resource "aws_iam_role" "execution" {
+  name               = "${var.name_prefix}-execution-role"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy_attach" {
+  role       = aws_iam_role.execution.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+resource "aws_iam_role_policy" "read_repository_credentials" {
+  count = length(var.repository_credentials) != 0 ? 1 : 0
+
+  name   = "${var.name_prefix}-read-repository-credentials"
+  role   = aws_iam_role.execution.id
+  policy = data.aws_iam_policy_document.read_repository_credentials.json
+}
+
+#####
+# IAM - Task role, basic. Append policies to this role for S3, DynamoDB etc.
+#####
+resource "aws_iam_role" "task" {
+  name               = "${var.name_prefix}-task-role"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy" "log_agent" {
+  name   = "${var.name_prefix}-log-permissions"
+  role   = aws_iam_role.task.id
+  policy = data.aws_iam_policy_document.task_permissions.json
+}
+
+#####
+# ECS task definition
+#####
+
+locals {
+  task_environment = [
+    for k, v in var.task_container_environment : {
+      name  = k
+      value = v
+    }
+  ]
+}
+
+resource "aws_ecs_task_definition" "task" {
+  family                   = var.name_prefix
+  execution_role_arn       = aws_iam_role.execution.arn
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  cpu                      = var.task_definition_cpu
+  memory                   = var.task_definition_memory
+  task_role_arn            = aws_iam_role.task.arn
+
+  container_definitions = <<EOF
+[{
+    "name": "${var.container_name != "" ? var.container_name : var.name_prefix}",
+    "image": "${var.task_container_image}",
+    %{if var.repository_credentials != ""~}
+    "repositoryCredentials": {
+      "credentialsParameter": "${var.repository_credentials}"
+    },
+    %{~endif}
+    "essential": true,
+    "portMappings": [
+      {
+        "containerPort": ${var.task_container_port},
+        %{if var.task_host_port != 0~}
+        "hostPort": ${var.task_host_port},
+        %{~endif}
+        "protocol":"tcp"
+      }
+    ],
+    %{if var.cloudwatch_log_group_name != ""~}
+    "logConfiguration": {
+      "logDriver": "awslogs",
+      "options": {
+        "awslogs-group": "${var.cloudwatch_log_group_name}",
+        "awslogs-region": "${data.aws_region.current.name}",
+        "awslogs-stream-prefix": "container"
+      }
+    },
+    %{~endif}
+    "command": ${jsonencode(var.task_container_command)},
+    "environment": ${jsonencode(local.task_environment)}
+}]
+EOF
+
+  dynamic "placement_constraints" {
+    for_each = var.placement_constraints
+    content {
+      expression = lookup(placement_constraints.value, "expression", null)
+      type       = placement_constraints.value.type
+    }
+  }
+
+  dynamic "proxy_configuration" {
+    for_each = var.proxy_configuration
+    content {
+      container_name = proxy_configuration.value.container_name
+      properties     = lookup(proxy_configuration.value, "properties", null)
+      type           = lookup(proxy_configuration.value, "type", null)
+    }
+  }
+
+  dynamic "volume" {
+    for_each = var.volume
+    content {
+      name                        = volume.value.name
+      host_path                   = lookup(volume.value, "host_path", null)
+      docker_volume_configuration = lookup(volume.value, "docker_volume_configuration", null)
+    }
+  }
+
+
+  tags = merge(
+    var.tags,
+    {
+      Name = var.container_name != "" ? var.container_name : var.name_prefix
+    },
+  )
+}
+