feat: update doc and ecs service optimize (#36)

* (add): cloudwatch loffroup name

* (update): log_group name

* feat: add output

* feat: change to 1 sercret manager for cost saving

* fix: typo

* fix: typo

* chore: remove ocmment

* chore: update example usage

* chore: uncomment outputs

* chore: uncomment outputs

* chore: remove previous secret

* chore: revert

* chore: test l=5 on random_string

* chore: add output backs

* chore: update document and changelog

* feat: tag propagate (#37)

* chore: update CHANGLOG

Author: xshot9011

CHANGELOG.md

@@ -1,5 +1,32 @@
 # Change Log
 
+## [v1.1.12] - 2023-01-23
+
+### Added
+
+- Add and verify example in `./examples/simple`
+- Add outputs `cloudwatch_log_group_name` and `cloudwatch_log_group_arn`
+- Add variable `propagate_tags` with default value TASK_DEFINITION
+
+### Changed
+
+- Target group naming `local.log_group_name`; remove `service` in string
+- Update task definition's construction procedure for the secret ARN
+- Update resource `random_string.service_secret_random_suffix`'s attribute `length` from 6 to 5
+- Update resource `aws_iam_role_policy.task_execution_secrets`'s condition and resource arns
+- Update resource `aws_ecs_service.this` to support propagate_tags
+
+### Removed
+
+- Remove `local.task_role_id`
+- Remove all previous secrets creation
+    - The following `local` are removed `secret_manager_arns` ,`secret_names`, `secrets_name_arn_map`, `secrets_task_unique_definition`, `secret_manager_json_arn`, `secrets_name_json_arn_map`, `secrets_json_task_definition`
+- Remove resource:
+    - `aws_secretsmanager_secret.service_json_secrets`
+    - `aws_secretsmanager_secret_version.service_json_secrets`
+- Remove outputs `outask_role_id` and `secret_json_arn`
+- Remove variable `json_secret_variables`
+
 ## [v1.1.11] - 2022-12-22
 
 ### Added

README.md

@@ -65,26 +65,33 @@ No requirements.
 
 ## Providers
 
-No providers.
+| Name                                              | Version |
+|---------------------------------------------------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.50.0  |
 
 ## Modules
 
-| Name | Source | Version |
-|------|--------|---------|
-| <a name="module_service_api"></a> [service\_api](#module\_service\_api) | ../.. | n/a |
+| Name                                                                                | Source                        | Version |
+|-------------------------------------------------------------------------------------|-------------------------------|---------|
+| <a name="module_fargate_cluster"></a> [fargate\_cluster](#module\_fargate\_cluster) | oozou/ecs-fargate-cluster/aws | 1.0.7   |
+| <a name="module_service_api"></a> [service\_api](#module\_service\_api)             | ../..                         | n/a     |
+| <a name="module_vpc"></a> [vpc](#module\_vpc)                                       | oozou/vpc/aws                 | 1.2.4   |
 
 ## Resources
 
-No resources.
+| Name                                                                                                                       | Type        |
+|----------------------------------------------------------------------------------------------------------------------------|-------------|
+| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region)                   | data source |
 
 ## Inputs
 
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| <a name="input_generics_info"></a> [generics\_info](#input\_generics\_info) | Generic infomation | <pre>object({<br>    region      = string<br>    prefix      = string<br>    environment = string<br>    name        = string<br>    custom_tags = map(any)<br>  })</pre> | n/a | yes |
-| <a name="input_service_info"></a> [service\_info](#input\_service\_info) | is\_attach\_service\_with\_lb >> Attach the container to the public ALB? (true/false)<br>  service\_alb\_host\_header   >> Mention host header for api endpoint<br>  service\_info              >> The configuration of service<br>  health\_check              >> Health Check Config for the service | <pre>map(object({<br>    is_attach_service_with_lb = bool<br>    service_alb_host_header   = string<br>    alb_paths                 = list(string)<br>    alb_priority              = string<br>    service_info = object({<br>      cpu_allocation = number<br>      mem_allocation = number<br>      containers_num = number<br>      port           = number<br>      image          = string<br>    })<br>    health_check = object({<br>      interval            = number<br>      path                = string<br>      timeout             = number<br>      healthy_threshold   = number<br>      unhealthy_threshold = number<br>      matcher             = string<br>    })<br>  }))</pre> | n/a | yes |
-| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | A list of subnet IDs to launch resources in | `list(string)` | n/a | yes |
-| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID to deploy | `string` | n/a | yes |
+| Name                                                                  | Description                                                                                                   | Type          | Default | Required |
+|-----------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------|---------------|---------|:--------:|
+| <a name="input_custom_tags"></a> [custom\_tags](#input\_custom\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys. | `map(string)` | `{}`    |    no    |
+| <a name="input_environment"></a> [environment](#input\_environment)   | [Required] Name prefix used for resource naming in this component                                             | `string`      | n/a     |   yes    |
+| <a name="input_name"></a> [name](#input\_name)                        | [Required] Name of Platfrom or application                                                                    | `string`      | n/a     |   yes    |
+| <a name="input_prefix"></a> [prefix](#input\_prefix)                  | [Required] Name prefix used for resource naming in this component                                             | `string`      | n/a     |   yes    |
 
 ## Outputs
 

examples/simple/README.md

@@ -1,8 +1,39 @@
-# Please see how to use fargate cluster at ooozou/terraform-aws-fargate-cluster
+data "aws_caller_identity" "this" {}
+data "aws_region" "this" {}
+
+/* -------------------------------------------------------------------------- */
+/*                                     VPC                                    */
+/* -------------------------------------------------------------------------- */
+module "vpc" {
+  source  = "oozou/vpc/aws"
+  version = "1.2.4"
+
+  prefix       = var.prefix
+  environment  = var.environment
+  account_mode = "spoke"
+
+  cidr              = "172.17.170.128/25"
+  public_subnets    = ["172.17.170.192/28", "172.17.170.208/28"]
+  private_subnets   = ["172.17.170.224/28", "172.17.170.240/28"]
+  database_subnets  = ["172.17.170.128/27", "172.17.170.160/27"]
+  availability_zone = ["ap-southeast-1b", "ap-southeast-1c"]
+
+  is_create_nat_gateway             = true
+  is_enable_single_nat_gateway      = true
+  is_enable_dns_hostnames           = true
+  is_enable_dns_support             = true
+  is_create_flow_log                = false
+  is_enable_flow_log_s3_integration = false
 
-module "fargate_cluster" {
+  tags = var.custom_tags
+}
 
-  source = "git@github.com:oozou/terraform-aws-ecs-fargate-cluster?ref=v1.0.6"
+/* -------------------------------------------------------------------------- */
+/*                               Fargate Cluster                              */
+/* -------------------------------------------------------------------------- */
+module "fargate_cluster" {
+  source  = "oozou/ecs-fargate-cluster/aws"
+  version = "1.0.7"
 
   # Generics
   prefix      = var.prefix
@@ -12,7 +43,7 @@ module "fargate_cluster" {
   # IAM Role
   ## If is_create_role is false, all of folowing argument is ignored
   is_create_role                 = true
-  allow_access_from_principals   = ["arn:aws:iam::557291035693:root"]
+  allow_access_from_principals   = ["arn:aws:iam::${data.aws_caller_identity.this.account_id}:root"]
   additional_managed_policy_arns = []
 
   # VPC Information
@@ -21,10 +52,11 @@ module "fargate_cluster" {
   additional_security_group_ingress_rules = {}
 
   # ALB
-  is_create_alb              = true
-  is_public_alb              = true
-  enable_deletion_protection = false
-  alb_listener_port          = 8080
+  is_create_alb                  = true
+  is_public_alb                  = true
+  enable_deletion_protection     = false
+  alb_listener_port              = 80
+  is_ignore_unsecured_connection = true
   # alb_certificate_arn        = var.alb_certificate_arn
   public_subnet_ids = module.vpc.public_subnet_ids # If is_public_alb is true, public_subnet_ids is required
 
@@ -34,6 +66,9 @@ module "fargate_cluster" {
   tags = var.custom_tags
 }
 
+/* -------------------------------------------------------------------------- */
+/*                                   Service                                  */
+/* -------------------------------------------------------------------------- */
 module "service_api" {
   source = "../.."
 
@@ -49,7 +84,7 @@ module "service_api" {
   ]
 
   # ALB
-  is_attach_service_with_lb = false
+  is_attach_service_with_lb = true
   alb_listener_arn          = module.fargate_cluster.alb_listener_http_arn
   alb_host_header           = null
   alb_paths                 = ["/*"]
@@ -69,7 +104,6 @@ module "service_api" {
 
   # Task definition
   service_info = {
-    containers_num = 2,
     cpu_allocation = 256,
     mem_allocation = 512,
     port           = 80,
@@ -78,6 +112,21 @@ module "service_api" {
   }
   is_application_scratch_volume_enabled = true
 
+  # Secret and Env
+  environment_variables = {
+    THIS_IS_ENV  = "ENV1",
+    THIS_IS_ENVV = "ENVV",
+  }
+  # WARNING Secret should not be in plain text
+  secret_variables = {
+    THIS_IS_SECRET       = "1xxxxx",
+    THIS_IS_SECRETT      = "2xxxxx",
+    THIS_IS_SECRETTT     = "3xxxxx",
+    THIS_IS_SECRETTTTT   = "4xxxxx",
+    THIS_IS_SECRETTTTTT  = "5xxxxx",
+    THIS_IS_SECRETTTTTTT = "6xxxxx",
+  }
+
   # ECS service
   ecs_cluster_name            = module.fargate_cluster.ecs_cluster_name
   service_discovery_namespace = module.fargate_cluster.service_discovery_namespace

examples/simple/main.tf

@@ -0,0 +1,6 @@
+prefix      = "oozou"
+environment = "devops"
+name        = "demo"
+custom_tags = {
+  "Remark" = "terraform-aws-ecs-service"
+}

examples/simple/terraform.auto.tfvars

@@ -10,7 +10,6 @@ locals {
   # Task Role
   task_role_arn  = var.is_create_iam_role ? aws_iam_role.task_role[0].arn : var.exists_task_role_arn
   task_role_name = try(split("/", local.task_role_arn)[1], "")
-  task_role_id   = local.task_role_name
 
   # Task Exec Role
   task_execution_role_arn                     = var.is_create_iam_role ? aws_iam_role.task_execution_role[0].arn : var.exists_task_execution_role_arn
@@ -20,7 +19,7 @@ locals {
   ecs_task_execution_role_policy_arns         = toset(concat(var.additional_ecs_task_execution_role_policy_arns, local.ecs_default_task_execution_role_policy_arns))
 
   # Logging
-  log_group_name = format("%s-service-log-group", local.name)
+  log_group_name = format("%s-log-group", local.name)
 
   # Volume
   volumes = concat(var.efs_volumes)
@@ -85,7 +84,7 @@ locals {
     name                  = local.name
     service_port          = var.service_info.port
     environment_variables = jsonencode(local.environment_variables)
-    secret_variables      = jsonencode(local.secrets_task_unique_definition)
+    secret_variables      = jsonencode(local.secrets_task_definition)
     entry_point           = jsonencode(var.entry_point)
     mount_points          = jsonencode(local.mount_points)
     command               = jsonencode(var.command)
@@ -108,46 +107,13 @@ locals {
 }
 
 /* -------------------------------------------------------------------------- */
-/*                                   SECRET                                   */
+/*                                   Secret                                   */
 /* -------------------------------------------------------------------------- */
 locals {
-  # Create secret arn collection for granting "secretmanager:GetSecret" permission
-  secret_manager_arns = [for secret in aws_secretsmanager_secret.service_secrets : secret.arn]
-
-  # Get Secret Name Arrays
-  secret_names = keys(var.secret_variables)
-
-  # Create a secret map { secret_name : secret_arn } using ZipMap Function for iteration
-  secrets_name_arn_map = zipmap(local.secret_names, local.secret_manager_arns)
-
-  # Create secrets format for Task Definition
-  secrets_task_unique_definition = [for secret_key, secret_arn in local.secrets_name_arn_map :
-    tomap({
-      name      = upper(secret_key)
-      valueFrom = secret_arn
-    })
-  ]
-}
-
-/* -------------------------------------------------------------------------- */
-/*                                 JSON SECRET                                */
-/* -------------------------------------------------------------------------- */
-locals {
-  # Get secret arn for granting  "secretmanager:GetSecret" permission
-  secret_manager_json_arn = aws_secretsmanager_secret.service_json_secrets.arn
-
-  # Map JSON Secret to Secret Arrays
-  secrets_name_json_arn_map = { "JSON_SECRET" : local.secret_manager_json_arn }
-
-  # Create secrets JSON format for Task Definition
-  secrets_json_task_definition = [for secret_key, secret_arn in local.secrets_name_json_arn_map :
-    tomap({
-      name      = upper(secret_key)
-      valueFrom = secret_arn
-    })
-  ]
-  # Concat Secret and JSON Secret to the one list.
-  secrets_task_definition = concat(local.secrets_task_unique_definition, local.secrets_json_task_definition)
+  secrets_task_definition = [for secret_name, secret_value in var.secret_variables : {
+    name      = secret_name,
+    valueFrom = format("%s:%s::", aws_secretsmanager_secret_version.service_secrets.arn, secret_name)
+  }]
 }
 
 /* -------------------------------------------------------------------------- */

examples/simple/vpc.tf

@@ -166,58 +166,31 @@ module "secret_kms_key" {
   tags = merge(local.tags, { "Name" : format("%s-ecs", local.name) })
 }
 
-# Append random string to SM Secret names because once we tear down the infra, the secret does not actually
-# get deleted right away, which means that if we then try to recreate the infra, it'll fail as the
-# secret name already exists.
 resource "random_string" "service_secret_random_suffix" {
-  length  = 6
+  length  = 5
   special = false
 }
 
+/* -------------------------------------------------------------------------- */
+/*                                   Secret                                   */
+/* -------------------------------------------------------------------------- */
 resource "aws_secretsmanager_secret" "service_secrets" {
-  for_each = var.secret_variables
-
-  name        = "${local.name}/${lower(each.key)}-${random_string.service_secret_random_suffix.result}"
-  description = "Secret 'secret_${lower(each.key)}' for service ${local.name}"
-  kms_key_id  = module.secret_kms_key.key_arn
-
-  tags = merge(local.tags, { Name = "${local.name}/${each.key}" })
-}
-
-resource "aws_secretsmanager_secret_version" "service_secrets" {
-  for_each = var.secret_variables
-
-  secret_id     = aws_secretsmanager_secret.service_secrets[each.key].id
-  secret_string = each.value
-}
-
-
-# /* -------------------------------------------------------------------------- */
-# /*                                 JSON SECRET                                */
-# /* -------------------------------------------------------------------------- */
-resource "aws_secretsmanager_secret" "service_json_secrets" {
   name        = "${local.name}/${random_string.service_secret_random_suffix.result}"
   description = "Secret for service ${local.name}"
   kms_key_id  = module.secret_kms_key.key_arn
 
-  tags = merge({
-    Name = "${local.name}"
-  }, local.tags)
-
-  provider = aws
+  tags = merge({ Name = "${local.name}" }, local.tags)
 }
 
-resource "aws_secretsmanager_secret_version" "service_json_secrets" {
-  secret_id     = aws_secretsmanager_secret.service_json_secrets.id
-  secret_string = jsonencode(var.json_secret_variables)
-
-  provider = aws
+resource "aws_secretsmanager_secret_version" "service_secrets" {
+  secret_id     = aws_secretsmanager_secret.service_secrets.id
+  secret_string = jsonencode(var.secret_variables)
 }
 
 # We add a policy to the ECS Task Execution role so that ECS can pull secrets from SecretsManager and
 # inject them as environment variables in the service
 resource "aws_iam_role_policy" "task_execution_secrets" {
-  count = var.is_create_iam_role ? 1 : 0
+  count = var.is_create_iam_role && length(var.secret_variables) > 0 ? 1 : 0
 
   name = "${local.name}-ecs-task-execution-secrets"
   role = local.task_execution_role_id
@@ -228,7 +201,7 @@ resource "aws_iam_role_policy" "task_execution_secrets" {
       {
         "Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue"],
-        "Resource": ${jsonencode(format("%s/*", split("/", local.secret_manager_json_arn)[0]))}
+        "Resource": ${jsonencode(format("%s/*", split("/", aws_secretsmanager_secret.service_secrets.arn)[0]))}
       }
     ]
 }
@@ -314,6 +287,7 @@ resource "aws_ecs_service" "this" {
   enable_execute_command  = var.is_enable_execute_command
   enable_ecs_managed_tags = true
   launch_type             = var.capacity_provider_strategy == null ? "FARGATE" : null
+  propagate_tags          = var.propagate_tags
 
   network_configuration {
     security_groups = var.security_groups