Forem: Kieran Jennings The latest articles on Forem by Kieran Jennings (@kieranjen). https://forem.com/kieranjen https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F65294%2Fc81eba80-3085-484d-819f-13291e1f3351.jpeg Forem: Kieran Jennings https://forem.com/kieranjen en ECS Fargate Service Auto Scaling with Terraform Kieran Jennings Sat, 10 Oct 2020 18:43:01 +0000 https://forem.com/kieranjen/ecs-fargate-service-auto-scaling-with-terraform-2ld https://forem.com/kieranjen/ecs-fargate-service-auto-scaling-with-terraform-2ld <p><em>Note: This is my first blog post! Any feedback is totally welcome.</em></p> <p>You can access the completed code for this blog <a href="https://github.com/kieranjen/ecs-fargate-auto-scaling" rel="noopener noreferrer">here</a>.</p> <h2> Introduction </h2> <p>ECS (Elastic Container Service) is AWS's container orchestration service. You can read more about ECS <a href="https://aws.amazon.com/ecs/" rel="noopener noreferrer">here</a>.</p> <p>There are two deployment options that can be used, EC2 and Fargate.</p> <p>With EC2 deployments, you need to manage the number of EC2 instances that are required for your container.</p> <p>Fargate is a serverless compute engine provided by AWS. This means the servers that your containers are launched on are managed by AWS. All you need to do is specify the CPU and memory your container will use and AWS will provision an appropriate amount of compute resource.</p> <p>In this blog post, I will be using <a href="https://www.terraform.io/" rel="noopener noreferrer">Terraform</a> (v0.13.4). Terraform is one of the most popular Infrastructure as Code tools.</p> <p>I will be demonstrating how to configure the whole infrastructure in this post. If there is a certain section you are focusing on, feel free to skip to it!</p> <h3> Image </h3> <p>I will be using a sample docker image that uses nginx to show a simple static page. You can find information about the image <a href="https://github.com/docker/labs/blob/master/beginner/chapters/webapps.md" rel="noopener noreferrer">here</a>. The tag is <code>dockersamples/static-site</code>.</p> <h2> Let's Start! </h2> <h3> Directory Structure </h3> <p>Create the below directory structure, where <code>modules</code> is an empty directory for now, and leave the files empty.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ├── terraform │ ├── modules │ ├── main.tf │ ├── variables.tf │ ├── backend.tf </code></pre> </div> <h3> Backend Config </h3> <p>To store my terraform state I will be using S3. Open up the <code>backend.tf</code> file and add the following:</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"&lt;your-s3-bucket&gt;"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"terraform.tfstate"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Make sure you replace <code>&lt;your-s3-bucket&gt;</code> with the name of your S3 bucket. You can also change the region and the key location if you want.</p> <p>You can confirm that your configuration is working by initialising the terraform backend. To do this, open your terminal to the terraform directory you created above. When in that directory run <code>terraform init</code>.</p> <p>You should see output similar to the screenshot below.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fsuryfns3pltmighehy4k.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fsuryfns3pltmighehy4k.png" alt="Terraform init output screenshot"></a></p> <p>If you have any problems, drop a comment below or take a look at Terraform's documentation on configuring backends <a href="https://www.terraform.io/docs/backends/index.html" rel="noopener noreferrer">here</a>.</p> <h3> VPC </h3> <p>We need to create a VPC to hold all our infrastructure.</p> <p>Create a directory under the modules directory called <code>vpc</code>. Put three empty files, called <code>main.tf</code>, <code>variables.tf</code> and <code>outputs.tf</code> in the <code>vpc</code> directory.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ├── terraform │ ├── modules │ ├── vpc │ ├── main.tf │ ├── variables.tf │ ├── outputs.tf │ ├── main.tf │ ├── variables.tf │ ├── backend.tf </code></pre> </div> <p>In the <code>main.tf</code> file, we want to add a VPC resource, like below.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"192.0.0.0/16"</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>If you understand CIDR blocks then you can choose your own, just make sure you are consistent with the change throughout the blog! If you don't know much about CIDR blocks, you are probably better sticking with the CIDR blocks I use.</p> <p>If you are just starting out with AWS, or any cloud platform, it would be beneficial to do some reading about CIDR blocks.</p> <h4> Internet Gateway </h4> <p>We need an internet gateway to give internet access to the load balancer and to the Fargate subnets, so they can download the docker image.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">resource</span> <span class="s2">"aws_internet_gateway"</span> <span class="s2">"internal_gateway"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="nx">Billing</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h4> Route table </h4> <p>We need a route table to describe the route for certain CIDR blocks. In this post, we will just route all traffic to the internet gateway.</p> <p>In a production system, for security reasons, you would want two route tables. You would want a public route table that routes traffic to the internet gateway, and a second route table that routes traffic to a NAT Gateway. There is a section on adding a NAT Gateway under the Improvements section below.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"route_table"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">gateway_id</span> <span class="p">=</span> <span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">internal_gateway</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h4> Subnets </h4> <p>I'm going to create six subnets. There will be three subnets for the load balancer and three subnets for the ECS tasks to be placed in.</p> <p>I use three subnets for each because there will a subnet in each <a href="https://aws.amazon.com/about-aws/global-infrastructure/regions_az/" rel="noopener noreferrer">availability zone</a> in the <code>eu-west-1</code> region. The number of subnets might be different for you, depending on which region you are using.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">data</span> <span class="s2">"aws_availability_zones"</span> <span class="s2">"available"</span> <span class="p">{}</span> <span class="nx">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"elb_a"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"192.0.0.0/24"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_availability_zones</span><span class="p">.</span><span class="nx">available</span><span class="p">.</span><span class="nx">names</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"elb-a"</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"elb_b"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"192.0.1.0/24"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_availability_zones</span><span class="p">.</span><span class="nx">available</span><span class="p">.</span><span class="nx">names</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"elb-b"</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"elb_c"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"192.0.2.0/24"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_availability_zones</span><span class="p">.</span><span class="nx">available</span><span class="p">.</span><span class="nx">names</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"elb-c"</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"ecs_a"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"192.0.3.0/24"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_availability_zones</span><span class="p">.</span><span class="nx">available</span><span class="p">.</span><span class="nx">names</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"ecs-a"</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"ecs_b"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"192.0.4.0/24"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_availability_zones</span><span class="p">.</span><span class="nx">available</span><span class="p">.</span><span class="nx">names</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"ecs-b"</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"ecs_c"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"192.0.5.0/24"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_availability_zones</span><span class="p">.</span><span class="nx">available</span><span class="p">.</span><span class="nx">names</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"ecs-c"</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"elb_a"</span> <span class="p">{</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">elb_a</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">route_table</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"elb_b"</span> <span class="p">{</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">elb_b</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">route_table</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"elb_c"</span> <span class="p">{</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">elb_c</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">route_table</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"ecs_a"</span> <span class="p">{</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">ecs_a</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">route_table</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"ecs_b"</span> <span class="p">{</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">ecs_b</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">route_table</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"ecs_c"</span> <span class="p">{</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">ecs_c</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">route_table</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h4> Security groups </h4> <p>For our application, we will create two security groups, one for the load balancer and one for the ECS tasks.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"load_balancer"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"load-balancer"</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"ecs_task"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"ecs-task"</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>We can then assign rules to these security groups. The load balancer will need access from anywhere on ports <code>80</code> and <code>443</code>. The ECS task security group needs to allow traffic from the load balancer to the port that the docker container will run on. The default port for the image we are using is <code>80</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"ingress_load_balancer_http"</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">load_balancer</span><span class="p">.</span><span class="nx">id</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"ingress_load_balancer_https"</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">load_balancer</span><span class="p">.</span><span class="nx">id</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"ingress_ecs_task_elb"</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">ecs_task</span><span class="p">.</span><span class="nx">id</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">source_security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">load_balancer</span><span class="p">.</span><span class="nx">id</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"egress_load_balancer"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"egress"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">65535</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">load_balancer</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"egress_ecs_task"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"egress"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">65535</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">ecs_task</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h4> NACLs </h4> <p><strong>This section isn't necessary but is an added layer of security. It can be confusing for a beginner, so feel free to skip to the outputs section if you want.</strong></p> <p>Network access control lists (NACLs) control access in and out of the subnets. The thing to remember with NACLs is they're stateless. This means that return traffic must be explicitly allowed by rules.</p> <p>Let's create an NACL for our load balancer subnets and a different NACL for the ECS task subnets.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">resource</span> <span class="s2">"aws_network_acl"</span> <span class="s2">"load_balancer"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">elb_a</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">elb_b</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">elb_c</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_network_acl"</span> <span class="s2">"ecs_task"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">ecs_a</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">ecs_b</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">ecs_c</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_network_acl_rule"</span> <span class="s2">"load_balancer_http"</span> <span class="p">{</span> <span class="nx">network_acl_id</span> <span class="p">=</span> <span class="nx">aws_network_acl</span><span class="p">.</span><span class="nx">load_balancer</span><span class="p">.</span><span class="nx">id</span> <span class="nx">rule_number</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">egress</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">rule_action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_network_acl_rule"</span> <span class="s2">"load_balancer_https"</span> <span class="p">{</span> <span class="nx">network_acl_id</span> <span class="p">=</span> <span class="nx">aws_network_acl</span><span class="p">.</span><span class="nx">load_balancer</span><span class="p">.</span><span class="nx">id</span> <span class="nx">rule_number</span> <span class="p">=</span> <span class="mi">200</span> <span class="nx">egress</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">rule_action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_network_acl_rule"</span> <span class="s2">"ingress_load_balancer_ephemeral"</span> <span class="p">{</span> <span class="nx">network_acl_id</span> <span class="p">=</span> <span class="nx">aws_network_acl</span><span class="p">.</span><span class="nx">load_balancer</span><span class="p">.</span><span class="nx">id</span> <span class="nx">rule_number</span> <span class="p">=</span> <span class="mi">300</span> <span class="nx">egress</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">rule_action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">1024</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">65535</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_network_acl_rule"</span> <span class="s2">"ecs_task_ephemeral"</span> <span class="p">{</span> <span class="nx">network_acl_id</span> <span class="p">=</span> <span class="nx">aws_network_acl</span><span class="p">.</span><span class="nx">ecs_task</span><span class="p">.</span><span class="nx">id</span> <span class="nx">rule_number</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">egress</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">rule_action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">1024</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">65535</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_network_acl_rule"</span> <span class="s2">"ecs_task_http"</span> <span class="p">{</span> <span class="nx">network_acl_id</span> <span class="p">=</span> <span class="nx">aws_network_acl</span><span class="p">.</span><span class="nx">ecs_task</span><span class="p">.</span><span class="nx">id</span> <span class="nx">rule_number</span> <span class="p">=</span> <span class="mi">200</span> <span class="nx">egress</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">rule_action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">cidr_block</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_network_acl_rule"</span> <span class="s2">"load_balancer_ephemeral"</span> <span class="p">{</span> <span class="nx">network_acl_id</span> <span class="p">=</span> <span class="nx">aws_network_acl</span><span class="p">.</span><span class="nx">load_balancer</span><span class="p">.</span><span class="nx">id</span> <span class="nx">rule_number</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">egress</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">rule_action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">65535</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_network_acl_rule"</span> <span class="s2">"ecs_task_all"</span> <span class="p">{</span> <span class="nx">network_acl_id</span> <span class="p">=</span> <span class="nx">aws_network_acl</span><span class="p">.</span><span class="nx">ecs_task</span><span class="p">.</span><span class="nx">id</span> <span class="nx">rule_number</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">egress</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">rule_action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">65535</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="p">}</span> </code></pre> </div> <h4> Outputs </h4> <p>We then need to output the resources we have created in <code>vpc/outputs.tf</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">output</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">vpc</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"load_balancer_subnet_a"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">elb_a</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"load_balancer_subnet_b"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">elb_b</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"load_balancer_subnet_c"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">elb_c</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"ecs_subnet_a"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">ecs_a</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"ecs_subnet_b"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">ecs_b</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"ecs_subnet_c"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">ecs_c</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"load_balancer_sg"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">load_balancer</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"ecs_sg"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">ecs_task</span> <span class="p">}</span> </code></pre> </div> <h3> Application Load Balancer </h3> <p>We need an application load balancer to route traffic to the ECS tasks and manage the load across all the ECS tasks.</p> <p>I will also be pointing a Route 53 hosted zone record to the load balancer to use <code>https</code> and give a better-looking URL. If you don't have a Route 53 hosted zone then don't worry, you can still do this part and only use <code>http</code>.</p> <p>Create a directory called <code>elb</code> under the <code>modules</code> directory. You should have a directory structure similar to below.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ├── terraform │ ├── modules │ ├── vpc │ ├── main.tf │ ├── variables.tf │ ├── outputs.tf │ ├── elb │ ├── main.tf │ ├── variables.tf │ ├── outputs.tf │ ├── main.tf │ ├── variables.tf │ ├── backend.tf </code></pre> </div> <h4> Certificate </h4> <p><strong>You can skip this section if you do not have a Route 53 hosted zone to use.</strong></p> <p>We need to create a certificate using <a href="https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html" rel="noopener noreferrer">ACM</a> so that we can enable <code>https</code> on our load balancer.</p> <p>To do this we need to add a variable to the <code>variables.tf</code> file.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">variable</span> <span class="s2">"hosted_zone_id"</span> <span class="p">{}</span> </code></pre> </div> <p>This variable will represent the id of the Route 53 hosted zone you want to use.</p> <p>We then need to create the certificate and validate it using DNS. Terraform also allows you to wait for the validation to complete.</p> <p>Open up <code>elb/main.tf</code> and add the following.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">data</span> <span class="s2">"aws_route53_zone"</span> <span class="s2">"selected"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">hosted_zone_id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_acm_certificate"</span> <span class="s2">"elb_cert"</span> <span class="p">{</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">selected</span><span class="p">.</span><span class="nx">name</span> <span class="nx">validation_method</span> <span class="p">=</span> <span class="s2">"DNS"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="nx">Billing</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"cert_validation"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">dvo</span> <span class="nx">in</span> <span class="nx">aws_acm_certificate</span><span class="p">.</span><span class="nx">elb_cert</span><span class="p">.</span><span class="nx">domain_validation_options</span> <span class="err">:</span> <span class="nx">dvo</span><span class="p">.</span><span class="nx">domain_name</span> <span class="p">=</span><span class="err">&gt;</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">dvo</span><span class="p">.</span><span class="nx">resource_record_name</span> <span class="nx">record</span> <span class="p">=</span> <span class="nx">dvo</span><span class="p">.</span><span class="nx">resource_record_value</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">dvo</span><span class="p">.</span><span class="nx">resource_record_type</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">allow_overwrite</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span> <span class="nx">records</span> <span class="p">=</span> <span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">record</span><span class="p">]</span> <span class="nx">ttl</span> <span class="p">=</span> <span class="mi">60</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">type</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">selected</span><span class="p">.</span><span class="nx">zone_id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_acm_certificate_validation"</span> <span class="s2">"elb_cert"</span> <span class="p">{</span> <span class="nx">certificate_arn</span> <span class="p">=</span> <span class="nx">aws_acm_certificate</span><span class="p">.</span><span class="nx">elb_cert</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">validation_record_fqdns</span> <span class="p">=</span> <span class="p">[</span><span class="nx">for</span> <span class="nx">record</span> <span class="nx">in</span> <span class="nx">aws_route53_record</span><span class="p">.</span><span class="nx">cert_validation</span> <span class="err">:</span> <span class="nx">record</span><span class="p">.</span><span class="nx">fqdn</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Make sure you put the correct <code>domain_name</code> attribute for the certificate. It needs to cover the domain name you intend to use.</p> <h4> Load balancer and listeners </h4> <p>There are a few more variables we need to add in <code>ecs/variables.tf</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">variable</span> <span class="s2">"load_balancer_sg"</span> <span class="p">{}</span> <span class="nx">variable</span> <span class="s2">"load_balancer_subnet_a"</span> <span class="p">{}</span> <span class="nx">variable</span> <span class="s2">"load_balancer_subnet_b"</span> <span class="p">{}</span> <span class="nx">variable</span> <span class="s2">"load_balancer_subnet_c"</span> <span class="p">{}</span> <span class="nx">variable</span> <span class="s2">"vpc"</span> <span class="p">{}</span> </code></pre> </div> <p>We can then create the application load balancer.</p> <p>Open up <code>elb/main.tf</code> and add the following.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">resource</span> <span class="s2">"aws_lb"</span> <span class="s2">"elb"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="nx">internal</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">load_balancer_type</span> <span class="p">=</span> <span class="s2">"application"</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">var</span><span class="p">.</span><span class="nx">load_balancer_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">var</span><span class="p">.</span><span class="nx">load_balancer_subnet_a</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">load_balancer_subnet_b</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">load_balancer_subnet_c</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="nx">Billing</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>We now need to create the load balancer listeners. This section will depend on whether you are using a Route 53 hosted zone or not.</p> <h5> With Hosted Zone </h5> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">resource</span> <span class="s2">"aws_lb_target_group"</span> <span class="s2">"ecs"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ecs"</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">target_type</span> <span class="p">=</span> <span class="s2">"ip"</span> <span class="nx">health_check</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">interval</span> <span class="p">=</span> <span class="mi">300</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/"</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="mi">60</span> <span class="nx">matcher</span> <span class="p">=</span> <span class="s2">"200"</span> <span class="nx">healthy_threshold</span> <span class="p">=</span> <span class="mi">5</span> <span class="nx">unhealthy_threshold</span> <span class="p">=</span> <span class="mi">5</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="nx">Billing</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_lb_listener"</span> <span class="s2">"https"</span> <span class="p">{</span> <span class="nx">load_balancer_arn</span> <span class="p">=</span> <span class="nx">aws_lb</span><span class="p">.</span><span class="nx">elb</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">port</span> <span class="p">=</span> <span class="s2">"443"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTPS"</span> <span class="nx">ssl_policy</span> <span class="p">=</span> <span class="s2">"ELBSecurityPolicy-2016-08"</span> <span class="nx">certificate_arn</span> <span class="p">=</span><span class="nx">aws_acm_certificate_validation</span><span class="p">.</span><span class="nx">elb_cert</span><span class="p">.</span><span class="nx">certificate_arn</span> <span class="nx">default_action</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"forward"</span> <span class="nx">target_group_arn</span> <span class="p">=</span> <span class="nx">aws_lb_target_group</span><span class="p">.</span><span class="nx">ecs</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_lb_listener"</span> <span class="s2">"http"</span> <span class="p">{</span> <span class="nx">load_balancer_arn</span> <span class="p">=</span> <span class="nx">aws_lb</span><span class="p">.</span><span class="nx">elb</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">port</span> <span class="p">=</span> <span class="s2">"80"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">default_action</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"redirect"</span> <span class="nx">redirect</span> <span class="p">{</span> <span class="nx">port</span> <span class="p">=</span> <span class="s2">"443"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTPS"</span> <span class="nx">status_code</span> <span class="p">=</span> <span class="s2">"HTTP_301"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Make sure the port in the target group resource matches your application port.</p> <h5> Without Hosted Zone </h5> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">resource</span> <span class="s2">"aws_lb_target_group"</span> <span class="s2">"ecs"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ecs"</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">target_type</span> <span class="p">=</span> <span class="s2">"ip"</span> <span class="nx">health_check</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">interval</span> <span class="p">=</span> <span class="mi">300</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/"</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="mi">60</span> <span class="nx">matcher</span> <span class="p">=</span> <span class="s2">"200"</span> <span class="nx">healthy_threshold</span> <span class="p">=</span> <span class="mi">5</span> <span class="nx">unhealthy_threshold</span> <span class="p">=</span> <span class="mi">5</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="nx">Billing</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_lb_listener"</span> <span class="s2">"http"</span> <span class="p">{</span> <span class="nx">load_balancer_arn</span> <span class="p">=</span> <span class="nx">aws_lb</span><span class="p">.</span><span class="nx">elb</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">port</span> <span class="p">=</span> <span class="s2">"80"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">default_action</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"forward"</span> <span class="nx">target_group_arn</span> <span class="p">=</span> <span class="nx">aws_lb_target_group</span><span class="p">.</span><span class="nx">ecs</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Make sure the port in the target group resource matches your application port.</p> <h5> Both </h5> <p>We then need to add the load balancer and target group resources as outputs. Open the <code>elb/outputs.tf</code> file and add the following.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">output</span> <span class="s2">"elb"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_lb</span><span class="p">.</span><span class="nx">elb</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"ecs_target_group"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_lb_target_group</span><span class="p">.</span><span class="nx">ecs</span> <span class="p">}</span> </code></pre> </div> <p>These resources can now be used in other modules. This will be done later on when we bring it all together.</p> <h3> IAM </h3> <p>We need to create an IAM role for the ECS service and task to assume.</p> <p>Create an <code>iam</code> directory under the <code>modules</code> directory so your new directory structure is like the following.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ├── terraform │ ├── modules │ ├── vpc │ ├── main.tf │ ├── variables.tf │ ├── outputs.tf │ ├── elb │ ├── main.tf │ ├── variables.tf │ ├── outputs.tf │ ├── iam │ ├── main.tf │ ├── variables.tf │ ├── outputs.tf │ ├── main.tf │ ├── variables.tf │ ├── backend.tf </code></pre> </div> <p>In the <code>iam/variables.tf</code> file add the following.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">variable</span> <span class="s2">"elb"</span> <span class="p">{}</span> </code></pre> </div> <p>Then open the <code>iam/main.tf</code> file and add:</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"ecs_service"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ecs-service"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> { "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Principal": { "Service": "ecs-tasks.amazonaws.com" }, "Effect": "Allow" } ] } </span><span class="no">EOF </span><span class="p">}</span> <span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"ecs_service_elb"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:Describe*"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"*"</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"elasticloadbalancing:DeregisterInstancesFromLoadBalancer"</span><span class="p">,</span> <span class="s2">"elasticloadbalancing:DeregisterTargets"</span><span class="p">,</span> <span class="s2">"elasticloadbalancing:Describe*"</span><span class="p">,</span> <span class="s2">"elasticloadbalancing:RegisterInstancesWithLoadBalancer"</span><span class="p">,</span> <span class="s2">"elasticloadbalancing:RegisterTargets"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">var</span><span class="p">.</span><span class="nx">elb</span><span class="p">.</span><span class="nx">arn</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"ecs_service_standard"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:DescribeTags"</span><span class="p">,</span> <span class="s2">"ecs:DeregisterContainerInstance"</span><span class="p">,</span> <span class="s2">"ecs:DiscoverPollEndpoint"</span><span class="p">,</span> <span class="s2">"ecs:Poll"</span><span class="p">,</span> <span class="s2">"ecs:RegisterContainerInstance"</span><span class="p">,</span> <span class="s2">"ecs:StartTelemetrySession"</span><span class="p">,</span> <span class="s2">"ecs:UpdateContainerInstancesState"</span><span class="p">,</span> <span class="s2">"ecs:Submit*"</span><span class="p">,</span> <span class="s2">"logs:CreateLogGroup"</span><span class="p">,</span> <span class="s2">"logs:CreateLogStream"</span><span class="p">,</span> <span class="s2">"logs:PutLogEvents"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"*"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"ecs_service_scaling"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"application-autoscaling:*"</span><span class="p">,</span> <span class="s2">"ecs:DescribeServices"</span><span class="p">,</span> <span class="s2">"ecs:UpdateService"</span><span class="p">,</span> <span class="s2">"cloudwatch:DescribeAlarms"</span><span class="p">,</span> <span class="s2">"cloudwatch:PutMetricAlarm"</span><span class="p">,</span> <span class="s2">"cloudwatch:DeleteAlarms"</span><span class="p">,</span> <span class="s2">"cloudwatch:DescribeAlarmHistory"</span><span class="p">,</span> <span class="s2">"cloudwatch:DescribeAlarms"</span><span class="p">,</span> <span class="s2">"cloudwatch:DescribeAlarmsForMetric"</span><span class="p">,</span> <span class="s2">"cloudwatch:GetMetricStatistics"</span><span class="p">,</span> <span class="s2">"cloudwatch:ListMetrics"</span><span class="p">,</span> <span class="s2">"cloudwatch:PutMetricAlarm"</span><span class="p">,</span> <span class="s2">"cloudwatch:DisableAlarmActions"</span><span class="p">,</span> <span class="s2">"cloudwatch:EnableAlarmActions"</span><span class="p">,</span> <span class="s2">"iam:CreateServiceLinkedRole"</span><span class="p">,</span> <span class="s2">"sns:CreateTopic"</span><span class="p">,</span> <span class="s2">"sns:Subscribe"</span><span class="p">,</span> <span class="s2">"sns:Get*"</span><span class="p">,</span> <span class="s2">"sns:List*"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"*"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"ecs_service_elb"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"dev-to-elb"</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow access to the service elb"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">ecs_service_elb</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"ecs_service_standard"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"dev-to-standard"</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow standard ecs actions"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">ecs_service_standard</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"ecs_service_scaling"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"dev-to-scaling"</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow ecs service scaling"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">ecs_service_scaling</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"ecs_service_elb"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ecs_service</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">ecs_service_elb</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"ecs_service_standard"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ecs_service</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">ecs_service_standard</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"ecs_service_scaling"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ecs_service</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">ecs_service_scaling</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <p>We can then output the role by adding the following to <code>iam/outputs.tf</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">output</span> <span class="s2">"ecs_role"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ecs_service</span> <span class="p">}</span> </code></pre> </div> <h3> ECS </h3> <p>We can now create the ECS cluster, service, and task.</p> <p>Add an <code>ecs</code> directory under the <code>modules</code> directory, and create the <code>main.tf</code>, <code>variables.tf</code> and <code>outputs.tf</code> under the <code>ecs</code> directory.</p> <p>Add the following variables in <code>ecs/variables.tf</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">variable</span> <span class="s2">"ecs_target_group"</span> <span class="p">{}</span> <span class="nx">variable</span> <span class="s2">"ecs_subnet_a"</span> <span class="p">{}</span> <span class="nx">variable</span> <span class="s2">"ecs_subnet_b"</span> <span class="p">{}</span> <span class="nx">variable</span> <span class="s2">"ecs_subnet_c"</span> <span class="p">{}</span> <span class="nx">variable</span> <span class="s2">"ecs_sg"</span> <span class="p">{}</span> <span class="nx">variable</span> <span class="s2">"ecs_role"</span> <span class="p">{}</span> </code></pre> </div> <p>You can then add the following to <code>ecs/main.tf</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">resource</span> <span class="s2">"aws_ecs_cluster"</span> <span class="s2">"dev_to"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="nx">capacity_providers</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"FARGATE"</span><span class="p">]</span> <span class="nx">setting</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"containerInsights"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"enabled"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="nx">Billing</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_ecs_task_definition"</span> <span class="s2">"dev_to"</span> <span class="p">{</span> <span class="nx">family</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="nx">container_definitions</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">TASK_DEFINITION</span><span class="sh"> [ { "portMappings": [ { "hostPort": 80, "protocol": "tcp", "containerPort": 80 } ], "cpu": 512, "environment": [ { "name": "AUTHOR", "value": "Kieran" } ], "memory": 1024, "image": "dockersamples/static-site", "essential": true, "name": "site" } ] </span><span class="no">TASK_DEFINITION </span> <span class="nx">network_mode</span> <span class="p">=</span> <span class="s2">"awsvpc"</span> <span class="nx">requires_compatibilities</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"FARGATE"</span><span class="p">]</span> <span class="nx">memory</span> <span class="p">=</span> <span class="s2">"1024"</span> <span class="nx">cpu</span> <span class="p">=</span> <span class="s2">"512"</span> <span class="nx">execution_role_arn</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ecs_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">task_role_arn</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ecs_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="nx">Billing</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_ecs_service"</span> <span class="s2">"dev_to"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"dev-to"</span> <span class="nx">cluster</span> <span class="p">=</span> <span class="nx">aws_ecs_cluster</span><span class="p">.</span><span class="nx">dev_to</span><span class="p">.</span><span class="nx">id</span> <span class="nx">task_definition</span> <span class="p">=</span> <span class="nx">aws_ecs_task_definition</span><span class="p">.</span><span class="nx">dev_to</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">desired_count</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">launch_type</span> <span class="p">=</span> <span class="s2">"FARGATE"</span> <span class="nx">platform_version</span> <span class="p">=</span> <span class="s2">"1.4.0"</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">ignore_changes</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">desired_count</span><span class="p">]</span> <span class="p">}</span> <span class="nx">network_configuration</span> <span class="p">{</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ecs_subnet_a</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ecs_subnet_b</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ecs_subnet_c</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ecs_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">assign_public_ip</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">load_balancer</span> <span class="p">{</span> <span class="nx">target_group_arn</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ecs_target_group</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">container_name</span> <span class="p">=</span> <span class="s2">"site"</span> <span class="nx">container_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>There isn't much memory or CPU requirements for this example as it is only a static site. Make sure you adjust the <code>cpu</code> and <code>memory</code> attributes if you are using your own image.</p> <p>If you are using a different image to the one used in this example, make sure you change any references to port <code>80</code> so it is correct for your application.</p> <p>Adding the <code>lifecycle</code> block to ignore changes to <code>desired_count</code> is important as the <code>desired_count</code> attribute will be handled by the auto-scaling policies.</p> <p>We need to output the cluster and service resources for use in other modules. Add the following to <code>ecs/outputs.tf</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">output</span> <span class="s2">"ecs_cluster"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_ecs_cluster</span><span class="p">.</span><span class="nx">dev_to</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"ecs_service"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_ecs_service</span><span class="p">.</span><span class="nx">dev_to</span> <span class="p">}</span> </code></pre> </div> <h3> Auto-scaling </h3> <p>With everything we have created so far, we would have a working ECS cluster that is running a static site. The problem would be it wouldn't scale. If there was a large increase in the number of requests, the application could fail.</p> <p>In this section, I will explain how to apply auto-scaling to your ECS service. There are three types of auto-scaling that can be applied to an ECS service:</p> <ul> <li>Target Tracking Scaling Policies</li> <li>Step Scaling Policies</li> <li>Scheduled Scaling</li> </ul> <p>This post will demonstrate the target tracking scaling type. You can read more about all three types <a href="https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-auto-scaling.html" rel="noopener noreferrer">here</a>.</p> <p>Create an <code>auto-scaling</code> directory under the <code>modules</code> directory and create the <code>main.tf</code>, <code>variables.tf</code> and <code>outputs.tf</code> files in this directory.</p> <p>Add the following to <code>auto-scaling/variables.tf</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">variable</span> <span class="s2">"ecs_cluster"</span> <span class="p">{}</span> <span class="nx">variable</span> <span class="s2">"ecs_service"</span> <span class="p">{}</span> </code></pre> </div> <p>After adding the above variables, open <code>auto-scaling/main.tf</code> and add the following.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">resource</span> <span class="s2">"aws_appautoscaling_target"</span> <span class="s2">"dev_to_target"</span> <span class="p">{</span> <span class="nx">max_capacity</span> <span class="p">=</span> <span class="mi">5</span> <span class="nx">min_capacity</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">resource_id</span> <span class="p">=</span> <span class="s2">"service/${var.ecs_cluster.name}/${var.ecs_service.name}"</span> <span class="nx">scalable_dimension</span> <span class="p">=</span> <span class="s2">"ecs:service:DesiredCount"</span> <span class="nx">service_namespace</span> <span class="p">=</span> <span class="s2">"ecs"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_appautoscaling_policy"</span> <span class="s2">"dev_to_memory"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"dev-to-memory"</span> <span class="nx">policy_type</span> <span class="p">=</span> <span class="s2">"TargetTrackingScaling"</span> <span class="nx">resource_id</span> <span class="p">=</span> <span class="nx">aws_appautoscaling_target</span><span class="p">.</span><span class="nx">dev_to_target</span><span class="p">.</span><span class="nx">resource_id</span> <span class="nx">scalable_dimension</span> <span class="p">=</span> <span class="nx">aws_appautoscaling_target</span><span class="p">.</span><span class="nx">dev_to_target</span><span class="p">.</span><span class="nx">scalable_dimension</span> <span class="nx">service_namespace</span> <span class="p">=</span> <span class="nx">aws_appautoscaling_target</span><span class="p">.</span><span class="nx">dev_to_target</span><span class="p">.</span><span class="nx">service_namespace</span> <span class="nx">target_tracking_scaling_policy_configuration</span> <span class="p">{</span> <span class="nx">predefined_metric_specification</span> <span class="p">{</span> <span class="nx">predefined_metric_type</span> <span class="p">=</span> <span class="s2">"ECSServiceAverageMemoryUtilization"</span> <span class="p">}</span> <span class="nx">target_value</span> <span class="p">=</span> <span class="mi">80</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_appautoscaling_policy"</span> <span class="s2">"dev_to_cpu"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"dev-to-cpu"</span> <span class="nx">policy_type</span> <span class="p">=</span> <span class="s2">"TargetTrackingScaling"</span> <span class="nx">resource_id</span> <span class="p">=</span> <span class="nx">aws_appautoscaling_target</span><span class="p">.</span><span class="nx">dev_to_target</span><span class="p">.</span><span class="nx">resource_id</span> <span class="nx">scalable_dimension</span> <span class="p">=</span> <span class="nx">aws_appautoscaling_target</span><span class="p">.</span><span class="nx">dev_to_target</span><span class="p">.</span><span class="nx">scalable_dimension</span> <span class="nx">service_namespace</span> <span class="p">=</span> <span class="nx">aws_appautoscaling_target</span><span class="p">.</span><span class="nx">dev_to_target</span><span class="p">.</span><span class="nx">service_namespace</span> <span class="nx">target_tracking_scaling_policy_configuration</span> <span class="p">{</span> <span class="nx">predefined_metric_specification</span> <span class="p">{</span> <span class="nx">predefined_metric_type</span> <span class="p">=</span> <span class="s2">"ECSServiceAverageCPUUtilization"</span> <span class="p">}</span> <span class="nx">target_value</span> <span class="p">=</span> <span class="mi">60</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>ECS provides the two metrics, <code>ECSServiceAverageCPUUtilization</code> and <code>ECSServiceAverageMemoryUtilization</code>, which you can use for the auto-scaling policies.</p> <p>You can view the <a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_policy" rel="noopener noreferrer">Terraform docs</a> for more information about the <code>aws_appautoscaling_policy</code> resource, including how you can utilise other metrics.</p> <p>You can obviously play around with the values used above, such as <code>max_capacity</code>, <code>min_capacity</code>, and <code>target_value</code>.</p> <p>Creating these resources will make Terraform create four cloudwatch alarms, two for each auto-scaling policy. There will be an alarm for scaling up, and an alarm for scaling down again.</p> <h3> Route 53 </h3> <p><strong>Do not do this section if you do not have a hosted zone available.</strong></p> <p>Lastly, we need to create a Route 53 record to point our domain at the load balancer we created.</p> <p>Create a <code>route53</code> directory under the <code>modules</code> directory and create the <code>main.tf</code>, <code>variables.tf</code> and <code>outputs.tf</code> files in this directory.</p> <p>Add the following to <code>route53/variables.tf</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">variable</span> <span class="s2">"elb"</span> <span class="p">{}</span> <span class="nx">variable</span> <span class="s2">"hosted_zone_id"</span> <span class="p">{}</span> </code></pre> </div> <p>After adding these variables, add the following to <code>route53/main.tf</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">data</span> <span class="s2">"aws_route53_zone"</span> <span class="s2">"selected"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">hosted_zone_id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"dev_to"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">selected</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">selected</span><span class="p">.</span><span class="nx">name</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">alias</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">elb</span><span class="p">.</span><span class="nx">dns_name</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">elb</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">evaluate_target_health</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Bringing it all together </h2> <p><strong>If you don't have a hosted zone, remove any reference to <code>hosted_zone_id</code> below</strong></p> <p>Now we have all the separate modules configured, we can add them all to the <code>terraform/main.tf</code> file. This is the entry point when you create a Terraform plan for your infrastructure. </p> <p>Before doing this, we need to define the global variables that need to be passed in as part of the plan. Add the following to <code>terraform/variables.tf</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The region you want to deploy the infrastructure in"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"hosted_zone_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The id of the hosted zone of the Route 53 domain you want to use"</span> <span class="p">}</span> </code></pre> </div> <p>After adding the variables, add the following to <code>terraform/main.tf</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 3.0"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/vpc"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"elb"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/elb"</span> <span class="nx">hosted_zone_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">hosted_zone_id</span> <span class="nx">load_balancer_sg</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">load_balancer_sg</span> <span class="nx">load_balancer_subnet_a</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">load_balancer_subnet_a</span> <span class="nx">load_balancer_subnet_b</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">load_balancer_subnet_b</span> <span class="nx">load_balancer_subnet_c</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">load_balancer_subnet_c</span> <span class="nx">vpc</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"iam"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/iam"</span> <span class="nx">elb</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">elb</span><span class="p">.</span><span class="nx">elb</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"ecs"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/ecs"</span> <span class="nx">ecs_role</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">iam</span><span class="p">.</span><span class="nx">ecs_role</span> <span class="nx">ecs_sg</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">ecs_sg</span> <span class="nx">ecs_subnet_a</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">ecs_subnet_a</span> <span class="nx">ecs_subnet_b</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">ecs_subnet_b</span> <span class="nx">ecs_subnet_c</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">ecs_subnet_c</span> <span class="nx">ecs_target_group</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">elb</span><span class="p">.</span><span class="nx">ecs_target_group</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"auto_scaling"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/auto-scaling"</span> <span class="nx">ecs_cluster</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ecs</span><span class="p">.</span><span class="nx">ecs_cluster</span> <span class="nx">ecs_service</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ecs</span><span class="p">.</span><span class="nx">ecs_service</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"route53"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/route53"</span> <span class="nx">elb</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">elb</span><span class="p">.</span><span class="nx">elb</span> <span class="nx">hosted_zone_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">hosted_zone_id</span> <span class="p">}</span> </code></pre> </div> <p>You can see how you can reference the outputs of one module to be used as a variable in another module. Terraform will automatically resolve dependencies when a resource is referenced by a module.</p> <h2> Building the infrastructure </h2> <p>Make sure you have credentials configured for your AWS account using one of the methods supported by Terraform. You can find how to configure credentials <a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication" rel="noopener noreferrer">here</a>.</p> <p>Run the following commands from the <code>terraform</code> directory to build the infrastructure:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> terraform init </code></pre> </div> <h5> With Hosted Zone </h5> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> terraform plan <span class="nt">-out</span><span class="o">=</span>plan <span class="nt">-var</span><span class="o">=</span><span class="s2">"hosted_zone_id=&lt;your-hosted-zone-id&gt;"</span> <span class="nt">-var</span><span class="o">=</span><span class="s2">"region=eu-west-1"</span> </code></pre> </div> <p>Make sure you replace <code>&lt;your-hosted-zone-id&gt;</code> with your hosted zone id in the command above.</p> <h5> Without Hosted Zone </h5> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> terraform plan <span class="nt">-out</span><span class="o">=</span>plan <span class="nt">-var</span><span class="o">=</span><span class="s2">"region=eu-west-1"</span> </code></pre> </div> <h5> Both </h5> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> terraform apply plan </code></pre> </div> <p>When this command has executed, everything should be up and running! To check it is working, you can either visit the domain associated with your hosted zone or go to the DNS name associated with your load balancer.</p> <p>To destroy everything that has been created, you can run:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> terraform plan <span class="nt">-out</span><span class="o">=</span>plan <span class="nt">-destroy</span> <span class="nt">-var</span><span class="o">=</span><span class="s2">"hosted_zone_id=&lt;your-hosted-zone-id&gt;"</span> <span class="nt">-var</span><span class="o">=</span><span class="s2">"region=eu-west-1"</span> terraform apply plan </code></pre> </div> <p>Adding the <code>-destroy</code> parameter tells Terraform to create a plan to tear down the infrastructure.</p> <h2> Improvements </h2> <p>There are a few improvements we can make to the infrastructure. I will explain what they are but I will leave you to work out how to do it using Terraform.</p> <h3> Add logging </h3> <p>If an error occurs inside your ECS task, you currently wouldn't be able to see what has gone wrong.</p> <p>You can create a Cloudwatch log group and tell ECS to use this log group to store the logs from the docker containers.</p> <p>When you have created the log group, you can add the following to your task definition to make ECS use the new log group.</p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="nl">"logConfiguration"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"><br> </span><span class="nl">"logDriver"</span><span class="p">:</span><span class="w"> </span><span class="s2">"awslogs"</span><span class="p">,</span><span class="w"><br> </span><span class="nl">"secretOptions"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"><br> </span><span class="nl">"options"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"><br> </span><span class="nl">"awslogs-group"</span><span class="p">:</span><span class="w"> </span><span class="s2">"${var.ecs_dashboard_log_group.name}"</span><span class="p">,</span><span class="w"><br> </span><span class="nl">"awslogs-region"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eu-west-1"</span><span class="p">,</span><span class="w"><br> </span><span class="nl">"awslogs-stream-prefix"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ecs"</span><span class="w"><br> </span><span class="p">}</span><span class="w"><br> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> <br> <br> <br> Use a NAT Gateway<br> </h3> <p>Our ECS subnets currently have a route to the internet using the internet gateway we created. The downside of this is internet gateways also allow inbound traffic. This means we have to make sure our security groups and NACL rules are correct or we risk exposing our application more than we want.</p> <p>A more secure way to give your application access to the internet is to use a <a href="https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html" rel="noopener noreferrer">NAT Gateway</a>. The benefit of a NAT Gateway is they only allow outbound access. In our case outbound access is all we need to get access to DockerHub.</p> <p>The reason I didn't demonstrate using a NAT Gateway is that they are expensive, especially when you want a highly available setup. In our infrastructure, we would need three NAT Gateways, one for each availability zone.</p> <h3> ECR </h3> <p>The reason we need access to the internet is so we can pull the docker image from DockerHub. We can eliminate that requirement by storing our images in <a href="https://aws.amazon.com/ecr/" rel="noopener noreferrer">ECR</a>. ECR is AWS's own container registry.</p> <p>The benefit of using ECR is you can use a <a href="https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html" rel="noopener noreferrer">VPC Endpoint</a>. This essentially gives you access to the ECR service without access to the internet, so you can remove the internet gateway from the ECS subnets.</p> <p>A drawback to using ECR is if you don't control where the image is stored. If you are using a third-party image, like in this example, you would be responsible for keeping it updated in ECR.</p> <p>I hope this has been useful. If you have any issues or feedback, drop a comment below!</p> aws terraform cloud