ECS Deploy Runner
Use a CI/CD pipeline for deploying infrastructure code updates.
Reference
- Inputs
- Outputs
ami_builder_config
— Configuration options for the ami-builder container of the ECS deploy runner stack. This container will be used for building AMIs in the CI/CD pipeline using packer. Set to null to disable this container.
container_cpu
— The default CPU units for the instances that Fargate will spin up. The invoker allows users to override the CPU at run time, but this value will be used if the user provides no value for the CPU. Options here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html#fargate-tasks-size.
container_default_launch_type
— The default launch type of the ECS deploy runner workers. This launch type will be used if it is not overridden during invocation of the lambda function. Must be FARGATE or EC2.
container_max_cpu
— The maximum CPU units that the user is allowed to specify when invoking the deploy runner with the Lambda function.
container_max_memory
— The maximum memory units that the user is allowed to specify when invoking the deploy runner with the Lambda function.
container_memory
— The default memory units for the instances that Fargate will spin up. The invoker allows users to override the memory at run time, but this value will be used if the user provides no value for memory. Options here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html#fargate-tasks-size.
docker_image_builder_config
— Configuration options for the docker-image-builder container of the ECS deploy runner stack. This container will be used for building docker images in the CI/CD pipeline. Set to null to disable this container.
docker_image_builder_hardcoded_args
— Unlike hardcoded_options, this is used for hardcoded positional args and will always be passed in at the end of the args list.
docker_image_builder_hardcoded_options
— Which options and args to always pass in alongside the ones provided by the command. This is a map of option keys to args to pass in. Each arg in the list will be passed in as a separate option. This will be passed in first, before the args provided by the user in the event data.
ec2_worker_pool_configuration
— Worker configuration of an EC2 worker pool for the ECS cluster. An EC2 worker pool supports caching of Docker images, so your builds may run faster, whereas Fargate is serverless, so you have no persistent EC2 instances to manage and pay for. If null, no EC2 worker pool will be allocated and the deploy runner will be in Fargate-only mode. Note that when this variable is set, this example module will automatically look up and use the base ECS-optimized AMI that AWS provides.
iam_groups
— List of AWS IAM groups that should be given access to invoke the deploy runner.
iam_roles
— List of AWS IAM roles that should be given access to invoke the deploy runner.
iam_users
— List of AWS IAM usernames that should be given access to invoke the deploy runner.
kms_grant_opt_in_regions
— Create multi-region resources in the specified regions. The best practice is to enable multi-region services in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions.
name
— Name of this instance of the deploy runner stack. Used to namespace all resources.
private_subnet_ids
— List of IDs of private subnets that can be used for running the ECS task and Lambda function.
shared_secrets_enabled
— If true, this module will create grants for a given shared secrets KMS key. You must pass a value for shared_secrets_kms_cmk_arn if this is set to true. Defaults to false.
shared_secrets_kms_cmk_arn
— The ARN of the KMS CMK used for sharing AWS Secrets Manager secrets between accounts.
snapshot_encryption_kms_cmk_arns
— Map of names to ARNs of KMS CMKs that are used to encrypt snapshots (including AMIs). This module will create the necessary KMS key grants to allow the respective deploy containers access to utilize the keys for managing the encrypted snapshots. The keys are arbitrary names that are used to identify the key.
terraform_applier_config
— Configuration options for the terraform-applier container of the ECS deploy runner stack. This container will be used for running infrastructure deployment actions (including automated variable updates) in the CI/CD pipeline with Terraform / Terragrunt. Set to null to disable this container.
terraform_planner_config
— Configuration options for the terraform-planner container of the ECS deploy runner stack. This container will be used for running infrastructure plan (including validate) actions in the CI/CD pipeline with Terraform / Terragrunt. Set to null to disable this container.
vpc_id
— ID of the VPC where the ECS task and Lambda function should run.
cloudwatch_log_group_name
— Name of the CloudWatch Log Group used to store the log output from the Deploy Runner ECS task.
default_ecs_task_arn
— AWS ARN of the default ECS Task Definition. Can be used to trigger the ECS Task directly.
ecs_cluster_arn
— AWS ARN of the ECS Cluster that can be used to run the deploy runner task.
ecs_task_arns
— Map of AWS ARNs of the ECS Task Definition. There are four entries, one for each container in the standard config (docker-image-builder, ami-builder, terraform-planner, terraform-applier).
ecs_task_execution_role_arn
— ECS Task execution role ARN
ecs_task_families
— Map of the families of the ECS Task Definition that is currently live. There are four entries, one for each container in the standard config (docker-image-builder, ami-builder, terraform-planner, terraform-applier).
ecs_task_iam_roles
— Map of AWS ARNs and names of the IAM role that will be attached to the ECS task to grant it access to AWS resources. Each container will have its own IAM role. There are four entries, one for each container in the standard config (docker-image-builder, ami-builder, terraform-planner, terraform-applier).
ecs_task_revisions
— Map of the current revision of the ECS Task Definition that is currently live. There are four entries, one for each container in the standard config (docker-image-builder, ami-builder, terraform-planner, terraform-applier).
invoke_policy_arn
— The ARN of the IAM policy that allows access to invoke the deploy runner.
invoker_function_arn
— AWS ARN of the invoker lambda function that can be used to invoke a deployment.
security_group_allow_all_outbound_id
— Security Group ID of the ECS task