# CloudWatch Log Group
resource "aws_cloudwatch_log_group" "ecs" {
  # Destination for the tasks' stdout/stderr; the task definition's awslogs
  # driver references this group by name.
  name = "/ecs/${var.project_name}-${var.environment}"

  # NOTE(review): 7 days is a short window for after-the-fact investigation of
  # an incident; confirm it matches the log-retention requirement for this
  # environment before relying on these logs as evidence.
  retention_in_days = 7

  tags = merge(var.tags, { Name = "${var.project_name}-${var.environment}-logs" })
}
# ECS Cluster
resource "aws_ecs_cluster" "main" {
  name = "${var.project_name}-${var.environment}"

  # Container Insights publishes per-cluster/service/task resource metrics to
  # CloudWatch, which is useful for spotting abnormal task behaviour.
  setting {
    name  = "containerInsights"
    value = "enabled"
  }

  tags = merge(var.tags, { Name = "${var.project_name}-${var.environment}-cluster" })
}
# ECS Task Definition
resource "aws_ecs_task_definition" "main" {
  family = "${var.project_name}-${var.environment}"

  # Fargate-only task on awsvpc networking: each task gets its own ENI, so the
  # service-level security group (not the host) controls traffic.
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = var.container_cpu
  memory                   = var.container_memory

  # Two distinct roles: the execution role is used by the ECS agent (pull image,
  # read the Secrets Manager entry, write logs); the task role is what the
  # application code itself runs as.
  execution_role_arn = aws_iam_role.ecs_task_execution.arn
  task_role_arn      = aws_iam_role.ecs_task.arn

  container_definitions = jsonencode([
    {
      name = "${var.project_name}-container"

      # NOTE(review): ":latest" is a mutable tag, so the image that actually
      # runs changes whenever the tag is moved in ECR and a task is replaced,
      # with no change visible in this plan. Pinning to an immutable tag or a
      # digest would make deployments reproducible and auditable.
      image     = "${aws_ecr_repository.main.repository_url}:latest"
      essential = true

      portMappings = [
        {
          containerPort = var.container_port
          protocol      = "tcp"
        }
      ]

      # Non-sensitive configuration only; the Okta client id is a public
      # identifier in an OIDC flow.
      environment = [
        { name = "OKTA_DOMAIN", value = var.okta_domain },
        { name = "OKTA_CLIENT_ID", value = var.okta_client_id },
      ]

      # The PAT is resolved from Secrets Manager by the ECS agent at task start
      # (the trailing "::" selects the named JSON key, default version stage and
      # version id), so it never appears in the task definition itself.
      secrets = [
        {
          name      = "GITHUB_PERSONAL_ACCESS_TOKEN"
          valueFrom = "${aws_secretsmanager_secret.github_pat.arn}:GITHUB_PERSONAL_ACCESS_TOKEN::"
        }
      ]

      logConfiguration = {
        logDriver = "awslogs"
        options = {
          "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
          "awslogs-region"        = var.aws_region
          "awslogs-stream-prefix" = "ecs"
        }
      }

      # Container-level health check; assumes the image ships wget and serves
      # /healthz on the container port. startPeriod matches the service's
      # health_check_grace_period_seconds.
      healthCheck = {
        command     = ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:${var.container_port}/healthz || exit 1"]
        interval    = 30
        timeout     = 5
        retries     = 3
        startPeriod = 60
      }
    }
  ])

  tags = merge(var.tags, { Name = "${var.project_name}-${var.environment}-task" })
}
# ECS Service
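resource "aws_ecs_service" "main" {
  name            = "${var.project_name}-${var.environment}"
  cluster         = aws_ecs_cluster.main.id
  task_definition = aws_ecs_task_definition.main.arn
  desired_count   = var.desired_count
  launch_type     = "FARGATE"

  # Tasks live in private subnets with no public IP; inbound reachability is
  # only through the ALB target group below and the supplied security group.
  network_configuration {
    subnets          = var.private_subnets
    security_groups  = [var.ecs_security_group_id]
    assign_public_ip = false
  }

  load_balancer {
    target_group_arn = var.alb_target_group_arn
    container_name   = "${var.project_name}-container"
    container_port   = var.container_port
  }

  # Grace period matches the container healthCheck's startPeriod (60s) so the
  # ALB does not kill tasks that are still starting.
  health_check_grace_period_seconds = 60

  # Rolling deployment: keep the full current set running while the new set
  # comes up (100% minimum, 200% maximum).
  deployment_maximum_percent         = 200
  deployment_minimum_healthy_percent = 100

  # Without a circuit breaker a task definition that fails its health check is
  # relaunched indefinitely while the old tasks stay at 100%; stop that loop
  # and roll back to the last healthy deployment automatically.
  deployment_circuit_breaker {
    enable   = true
    rollback = true
  }

  # ECS Exec stays disabled: no interactive shell into running tasks, which
  # also keeps the SSM agent channel out of the task's attack surface.
  enable_execute_command = false

  tags = merge(var.tags, { Name = "${var.project_name}-${var.environment}-service" })

  # The execution role must already carry its policy, or the first tasks fail
  # to pull the image / read the secret before the attachment exists.
  depends_on = [aws_iam_role_policy_attachment.ecs_task_execution]
}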