Fargate fixes (#28)

* Allow for fargate task without loadbalancer

* Fix duplicate role when module is used multiple times

examples/fargate/README.md

@@ -1,36 +1,39 @@
 # Test ECS service
 
-This directory contains a test setup for an ECS service on Fargate. 
-- service default: ALB via HTTP
+This directory contains a test setup for an ECS service on Fargate.
+
+* service loadbalanced: ALB via HTTP
+* service default: HTTP without ALB
 
 ## Prerequisites for running the example
-Terraform is managed via the tool `tfenv`. Ensure you have installed [tfenv](https://github.com/kamatama41/tfenv). And install via tfenv the required terraform version as listed in `.terraform-version`
+
+Terraform is managed via the tool `tfenv` . Ensure you have installed [tfenv](https://github.com/kamatama41/tfenv). And install via tfenv the required terraform version as listed in `.terraform-version` 
 
 ## Generate ssh and init terraform
 
-```
+``` 
 source ./generate-ssh-key.sh
 terraform init
 
 ```
 
 ## Plan the changes and inspect
 
-```
+``` 
 terraform plan
 ```
 
 ## Create the environment.
 
-```
+``` 
 terraform apply
 ```
 
 Once done you can test the service via the URL on the console. It can take a few minutes before the service is available
 
-
 ## Cleanup
 
-```
+``` 
 terraform destroy
 ```
+

examples/fargate/outputs.tf

@@ -1,3 +1,3 @@
-output "url-default" {
-  value = "http://${lower(module.service.alb_dns_name)}"
+output "url-loadbalanced" {
+  value = "http://${lower(module.service_loadbalanced.alb_dns_name)}"
 }

examples/fargate/service-default.tf

@@ -45,14 +45,9 @@ module "service" {
   docker_image     = "nginx"
   service_name     = "service-default"
 
-  // ALB part, over http without dns entry
-  enable_alb            = true
-  alb_protocol          = "HTTP"
-  alb_port              = 80
-  container_ssl_enabled = false
-  container_port        = 80
-  container_cpu         = 256
-  container_memory      = 512
+  container_port   = 80
+  container_cpu    = 256
+  container_memory = 512
 
   // DNS specifc settings for the ALB, disalbed
   enable_dns = false

examples/fargate/service-loadbalanced.tf

@@ -0,0 +1,81 @@
+resource "aws_security_group" "awsvpc_loadbalanced_sg" {
+  name   = "${var.environment}-awsvpc-loadbalanced-sg"
+  vpc_id = module.vpc.vpc_id
+
+  ingress {
+    protocol  = "tcp"
+    from_port = 80
+    to_port   = 80
+
+    cidr_blocks = [
+      "${module.vpc.vpc_cidr}",
+    ]
+  }
+
+  egress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name        = "${var.environment}-loadbalanced-awsvpc-sg"
+    Environment = "${var.environment}"
+  }
+}
+
+module "service_loadbalanced" {
+  source = "../../"
+
+  environment = var.environment
+  project     = var.project
+
+  vpc_id           = module.vpc.vpc_id
+  subnet_ids       = module.vpc.public_subnets
+  ecs_cluster_id   = aws_ecs_cluster.cluster.id
+  ecs_cluster_name = aws_ecs_cluster.cluster.name
+  docker_image     = "nginx"
+  service_name     = "service-loadbalanced"
+
+  // ALB part, over http without dns entry
+  enable_alb            = true
+  alb_protocol          = "HTTP"
+  alb_port              = 80
+  container_ssl_enabled = false
+  container_port        = 80
+  container_cpu         = 256
+  container_memory      = 512
+
+  // DNS specifc settings for the ALB, disalbed
+  enable_dns = false
+
+  // Monitoring settings, disabled
+  enable_monitoring = false
+
+  // Enables logging to other targets (default is STDOUT)
+  // For CloudWatch logging, make sure the awslogs-group exists
+  docker_logging_config = <<EOF
+      "logConfiguration": {
+        "logDriver": "awslogs",
+        "options": {
+          "awslogs-group": "${var.environment}",
+          "awslogs-region": "${var.aws_region}",
+          "awslogs-stream-prefix": "service-loadbalanced"
+        }
+      }
+
+EOF
+
+  launch_type                    = "FARGATE"
+  awsvpc_service_security_groups = ["${aws_security_group.awsvpc_loadbalanced_sg.id}"]
+  awsvpc_service_subnetids       = module.vpc.private_subnets
+}
+

fargate-ecs-execution-role.tf

@@ -11,12 +11,12 @@ data "aws_iam_policy_document" "ecs_tasks_execution_role" {
 
 resource "aws_iam_role" "ecs_tasks_execution_role" {
   count              = var.launch_type == "FARGATE" ? 1 : 0
-  name               = "${var.environment}-ecs-task-execution-role"
+  name               = "${var.environment}-${var.service_name}-ecs-task-execution-role"
   assume_role_policy = data.aws_iam_policy_document.ecs_tasks_execution_role.json
 }
 
 resource "aws_iam_role_policy_attachment" "ecs_tasks_execution_role" {
   count      = var.launch_type == "FARGATE" ? 1 : 0
   role       = aws_iam_role.ecs_tasks_execution_role[0].name
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
-}
+}

main.tf

@@ -97,5 +97,13 @@ resource "aws_ecs_service" "service" {
   task_definition = aws_ecs_task_definition.task.arn
   desired_count   = var.desired_count
   launch_type     = var.launch_type
+
+  dynamic "network_configuration" {
+    for_each = var.launch_type == "FARGATE" ? list(var.launch_type) : []
+    content {
+      security_groups = var.awsvpc_service_security_groups
+      subnets         = var.awsvpc_service_subnetids
+    }
+  }
 }