feat: Add support for advanced deployment configurations (i.e. - blue/green deployment) (#322)

* blue/green deployments

* updates

* update example

* update example

* update examples

* feedback changes

Author: magreenbaum

README.md

@@ -27,13 +27,13 @@ Note that this example may create resources which will incur monetary charges on
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.4 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.4 |
 
 ## Modules
 

examples/complete/README.md

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.0"
+      version = ">= 6.4"
     }
   }
 }

examples/complete/versions.tf

@@ -22,7 +22,7 @@ Note that this example may create resources which will incur monetary charges on
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.4 |
 | <a name="requirement_local"></a> [local](#requirement\_local) | >= 2.5 |
 
 ## Providers

examples/container-definition/README.md

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.0"
+      version = ">= 6.4"
     }
     local = {
       source  = "hashicorp/local"

examples/container-definition/versions.tf

@@ -27,13 +27,13 @@ Note that this example may create resources which will incur monetary charges on
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.4 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.4 |
 
 ## Modules
 

examples/ec2-autoscaling/README.md

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.0"
+      version = ">= 6.4"
     }
   }
 }

examples/ec2-autoscaling/versions.tf

@@ -27,13 +27,13 @@ Note that this example may create resources which will incur monetary charges on
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.4 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.4 |
 
 ## Modules
 
@@ -49,6 +49,9 @@ Note that this example may create resources which will incur monetary charges on
 
 | Name | Type |
 |------|------|
+| [aws_iam_role.ecs_elb_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.ecs_elb_management_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.ecs_service_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_service_discovery_http_namespace.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/service_discovery_http_namespace) | resource |
 | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 | [aws_ssm_parameter.fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |

examples/fargate/README.md

@@ -60,6 +60,26 @@ module "ecs_service" {
   # Enables ECS Exec
   enable_execute_command = true
 
+  # for blue/green deployments
+  deployment_configuration = {
+    strategy             = "BLUE_GREEN"
+    bake_time_in_minutes = 2
+
+    # example config using lifecycle hooks
+    # lifecycle_hook = {
+    #  success = {
+    #    hook_target_arn  = aws_lambda_function.hook_success.arn
+    #    role_arn         = aws_iam_role.global.arn
+    #    lifecycle_stages = ["POST_SCALE_UP", "POST_TEST_TRAFFIC_SHIFT"]
+    #  }
+    #  failure = {
+    #    hook_target_arn  = aws_lambda_function.hook_failure.arn
+    #    role_arn         = aws_iam_role.global.arn
+    #    lifecycle_stages = ["TEST_TRAFFIC_SHIFT", "POST_PRODUCTION_TRAFFIC_SHIFT"]
+    #  }
+    # }
+  }
+
   # Container definition(s)
   container_definitions = {
 
@@ -152,6 +172,14 @@ module "ecs_service" {
       target_group_arn = module.alb.target_groups["ex_ecs"].arn
       container_name   = local.container_name
       container_port   = local.container_port
+
+      # for blue/green deployments
+      advanced_configuration = {
+        alternate_target_group_arn = module.alb.target_groups["ex_ecs_alternate"].arn
+        production_listener_rule   = module.alb.listener_rules["ex_http/production"].arn
+        test_listener_rule         = module.alb.listener_rules["ex_http/test"].arn
+        role_arn                   = aws_iam_role.ecs_elb_permissions.arn
+      }
     }
   }
 
@@ -176,6 +204,12 @@ module "ecs_service" {
   }
 
   tags = local.tags
+
+  depends_on = [
+    aws_iam_role.ecs_elb_permissions,
+    aws_iam_role_policy_attachment.ecs_service_role,
+    aws_iam_role_policy_attachment.ecs_elb_management_role
+  ]
 }
 
 ################################################################################
@@ -278,8 +312,60 @@ module "alb" {
       port     = 80
       protocol = "HTTP"
 
-      forward = {
-        target_group_key = "ex_ecs"
+      fixed_response = {
+        content_type = "text/plain"
+        message_body = "404: Page not found"
+        status_code  = "404"
+      }
+
+      # for blue/green deployments
+      rules = {
+        production = {
+          priority = 1
+          actions = [
+            {
+              type = "weighted-forward"
+              target_groups = [
+                {
+                  target_group_key = "ex_ecs"
+                  weight           = 100
+                },
+                {
+                  target_group_key = "ex_ecs_alternate"
+                  weight           = 0
+                }
+              ]
+            }
+          ]
+          conditions = [
+            {
+              path_pattern = {
+                values = ["/*"]
+              }
+            }
+          ]
+        }
+        test = {
+          priority = 2
+          actions = [
+            {
+              type = "weighted-forward"
+              target_groups = [
+                {
+                  target_group_key = "ex_ecs_alternate"
+                  weight           = 100
+                }
+              ]
+            }
+          ]
+          conditions = [
+            {
+              path_pattern = {
+                values = ["/*"]
+              }
+            }
+          ]
+        }
       }
     }
   }
@@ -308,6 +394,31 @@ module "alb" {
       # ECS will attach the IPs of the tasks to this target group
       create_attachment = false
     }
+
+    # for blue/green deployments
+    ex_ecs_alternate = {
+      backend_protocol                  = "HTTP"
+      backend_port                      = local.container_port
+      target_type                       = "ip"
+      deregistration_delay              = 5
+      load_balancing_cross_zone_enabled = true
+
+      health_check = {
+        enabled             = true
+        healthy_threshold   = 5
+        interval            = 30
+        matcher             = "200"
+        path                = "/"
+        port                = "traffic-port"
+        protocol            = "HTTP"
+        timeout             = 5
+        unhealthy_threshold = 2
+      }
+
+      # There's nothing to attach here in this definition. Instead,
+      # ECS will attach the IPs of the tasks to this target group
+      create_attachment = false
+    }
   }
 
   tags = local.tags
@@ -329,3 +440,33 @@ module "vpc" {
 
   tags = local.tags
 }
+
+resource "aws_iam_role" "ecs_elb_permissions" {
+  name = "${local.name}-ecs-elb-role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = [
+            "ecs-tasks.amazonaws.com",
+            "ecs.amazonaws.com",
+          ]
+        }
+      }
+    ]
+  })
+}
+
+# for example purposes only
+resource "aws_iam_role_policy_attachment" "ecs_service_role" {
+  role       = aws_iam_role.ecs_elb_permissions.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole"
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_elb_management_role" {
+  role       = aws_iam_role.ecs_elb_permissions.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonECSInfrastructureRolePolicyForLoadBalancers"
+}

examples/fargate/main.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.0"
+      version = ">= 6.4"
     }
   }
 }