dynamic ports and enable efs

_variables.tf

@@ -49,9 +49,18 @@ variable "nlb_arn" {
   description = "Networking LoadBalance ARN - Required if nlb=false or nlb_internal=false"
 }
 
-variable "port" {
-  default     = "80"
+variable "ports" {
+  default     = [
+    {
+      port = 80
+      protocol      = "tcp"
+    }
+  ]
   description = "Port for target group to listen"
+  type = list(object({
+    port = number
+    protocol = string
+  }))
 }
 
 variable "container_port" {
@@ -129,7 +138,7 @@ variable "placement_constraints" {
 }
 
 variable "launch_type" {
-  default     = "EC2"
+  default     = "FARGATE"
   description = "The launch type on which to run your service. The valid values are EC2 and FARGATE. Defaults to EC2."
 }
 
@@ -195,4 +204,51 @@ variable "security_group_ecs_nodes_inbound_cidrs" {
   type        = list(string)
   default     = ["0.0.0.0/0"]
   description = "ECS Nodes inbound allowed CIDRs for the security group."
+}
+
+variable "efs_mapping" {
+  type        = map(string)
+  description = "A map of efs volume ids and paths to mount into the default task definition"
+  default     = {}
+}
+
+variable "ulimits" {
+  type = list(object({
+    name      = string
+    hardLimit = number
+    softLimit = number
+  }))
+  description = "Container ulimit settings. This is a list of maps, where each map should contain \"name\", \"hardLimit\" and \"softLimit\""
+  default     = null
+}
+
+variable "deployment_controller" {
+  default     = "CODE_DEPLOY"
+  description = "Type of deployment controller. Valid values: CODE_DEPLOY, ECS, EXTERNAL."
+}
+
+variable "codedeploy_wait_time_for_cutover" {
+  default     = 0
+  description = "Time in minutes to route the traffic to the new application deployment"
+}
+
+variable "codedeploy_wait_time_for_termination" {
+  default     = 0
+  description = "Time in minutes to terminate the new deployment"
+}
+
+variable "codedeploy_deployment_config_name" {
+  default     = "CodeDeployDefault.ECSAllAtOnce"
+  description = "Specifies the deployment configuration for CodeDeploy"
+}
+
+variable "create_iam_codedeployrole" {
+  type        = bool
+  default     = true
+  description = "Create Codedeploy IAM Role for ECS or not."
+}
+
+variable "codedeploy_role_arn" {
+  default     = null
+  description = "Existing IAM CodeDeploy role ARN created by ECS cluster module"
 }

ecs-service.tf

@@ -7,10 +7,13 @@ resource "aws_ecs_service" "default" {
   health_check_grace_period_seconds = var.service_health_check_grace_period_seconds
   enable_execute_command            = true
 
-  load_balancer {
-    target_group_arn = aws_lb_target_group.ecs_default_tcp.arn
-    container_name   = var.name
-    container_port   = var.container_port
+  dynamic load_balancer {
+    for_each = {for port in var.ports : port.port => port}
+    content {
+      target_group_arn = aws_lb_target_group.ecs_default_tcp[load_balancer.value.port].arn
+      container_name   = var.name
+      container_port   =  load_balancer.value.port
+    }
   }
 
   dynamic "placement_constraints" {
@@ -45,6 +48,6 @@ resource "aws_ecs_service" "default" {
   }
 
   lifecycle {
-    ignore_changes = [load_balancer, task_definition, desired_count]
+    ignore_changes = [load_balancer, task_definition, desired_count, capacity_provider_strategy]
   }
 }

ecs-task-definition.tf

@@ -1,4 +1,15 @@
+locals {
+  port_mappings = [
+    for port in var.ports : {
+      hostPort      = port.port
+      protocol      = port.protocol
+      containerPort = port.port
+    }
+  ]
+}
+
 resource "aws_ecs_task_definition" "default" {
+
   family = "${var.cluster_name}-${var.name}"
 
   execution_role_arn = var.task_role_arn
@@ -10,32 +21,47 @@ resource "aws_ecs_task_definition" "default" {
   cpu          = var.launch_type == "FARGATE" ? var.cpu : null
   memory       = var.launch_type == "FARGATE" ? var.memory : null
 
-  container_definitions = <<EOT
-[
-  {
-    "name": "${var.name}",
-    "image": "${var.image}",
-    "cpu": ${var.cpu},
-    "memory": ${var.memory},
-    "essential": true,
-    "portMappings": [
-      {
-        "containerPort": ${var.container_port}
+  container_definitions = jsonencode([
+    {
+      name      = var.name
+      image     = var.image
+      cpu       = var.cpu
+      memory    = var.memory
+      essential = true
+      portMappings = local.port_mappings
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          awslogs-group         = aws_cloudwatch_log_group.default.name
+          awslogs-region        = data.aws_region.current.name
+          awslogs-stream-prefix = "app"
+        }
       }
-    ],
-    "log_configuration": {
-      "log_driver": "awslogs",
-      "options": {
-          "awslogs-group": "${aws_cloudwatch_log_group.default.arn}",
-          "awslogs-region": "${data.aws_region.current.name}",
-          "awslogs-stream-prefix": "app"
+      mountPoints = length(var.efs_mapping) == 0 ? null : [{
+        sourceVolume  = "efs-${keys(var.efs_mapping)[0]}"
+        containerPath = values(var.efs_mapping)[0]
+      }]
+      ulimits     = var.ulimits
+    }
+  ])
+
+  dynamic "volume" {
+    for_each = var.efs_mapping
+
+    content {
+      name = "efs-${volume.key}"
+
+      efs_volume_configuration {
+        file_system_id     = volume.key
+        transit_encryption = "ENABLED"
+        authorization_config {
+          access_point_id = aws_efs_access_point.default[volume.key].id
+        }
       }
     }
   }
-]
-EOT
 
   lifecycle {
     ignore_changes = [container_definitions]
   }
-}
+}

efs-access-point.tf

@@ -0,0 +1,12 @@
+resource "aws_efs_access_point" "default" {
+  for_each       = var.efs_mapping
+  file_system_id = each.key
+  root_directory {
+    creation_info {
+      owner_gid   = 0
+      owner_uid   = 0
+      permissions = 755
+    }
+    path = "/${var.name}"
+  }
+}

iam-codedeploy.tf

@@ -0,0 +1,28 @@
+resource "aws_iam_role" "codedeploy_service" {
+
+  count = var.create_iam_codedeployrole == true ? 1 : 0
+
+  name = "codedeploy-service-${var.cluster_name}-${var.name}-${data.aws_region.current.name}"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "codedeploy.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "codedeploy_service" {
+  count      = var.create_iam_codedeployrole == true ? 1 : 0
+  role       = aws_iam_role.codedeploy_service[count.index].name
+  policy_arn = "arn:aws:iam::aws:policy/AWSCodeDeployRoleForECS"
+}

nlb-target-group.tf

@@ -1,11 +1,12 @@
 resource "aws_lb_listener" "ecs_tcp" {
+  for_each = {for port in var.ports : port.port => port}
   load_balancer_arn = var.nlb ? try(aws_lb.default[0].arn, "") : var.nlb_arn
-  port              = var.port
-  protocol          = "TCP"
+  port              = each.value.port
+  protocol          = each.value.protocol
 
   default_action {
     type             = "forward"
-    target_group_arn = aws_lb_target_group.ecs_default_tcp.arn
+    target_group_arn = aws_lb_target_group.ecs_default_tcp[each.value.port].arn
   }
 }
 
@@ -16,9 +17,10 @@ resource "random_string" "tg_nlb_prefix" {
 }
 
 resource "aws_lb_target_group" "ecs_default_tcp" {
-  name        = format("%s-%s-tcp", substr("${var.cluster_name}-${var.name}", 0, 23), random_string.tg_nlb_prefix.result)
-  port        = var.port
-  protocol    = "TCP"
+  for_each = {for port in var.ports : port.port => port}
+  name        = format("%s-%s-tcp", substr("${var.cluster_name}-${var.name}-${each.value.port}", 0, 23), random_string.tg_nlb_prefix.result)
+  port        = each.value.port
+  protocol    = each.value.protocol
   vpc_id      = var.vpc_id
   target_type = var.launch_type == "FARGATE" ? "ip" : "instance"
 }