diff --git a/modules/service/README.md b/modules/service/README.md
index 2101fd3..e91c35b 100644
--- a/modules/service/README.md
+++ b/modules/service/README.md
@@ -195,10 +195,12 @@ module "ecs_service" {
| [aws_ecs_task_set.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_set) | resource |
| [aws_iam_policy.service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.task_exec](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.infrastructure_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.task_exec](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.tasks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy.tasks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.infrastructure_iam_role_ebs_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.task_exec](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.task_exec_additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -207,6 +209,7 @@ module "ecs_service" {
| [aws_security_group_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_ecs_task_definition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecs_task_definition) | data source |
+| [aws_iam_policy_document.infrastructure_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.service_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.task_exec](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -234,6 +237,7 @@ module "ecs_service" {
| [cpu](#input\_cpu) | Number of cpu units used by the task. If the `requires_compatibilities` is `FARGATE` this field is required | `number` | `1024` | no |
| [create](#input\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |
| [create\_iam\_role](#input\_create\_iam\_role) | Determines whether the ECS service IAM role should be created | `bool` | `true` | no |
+| [create\_infrastructure\_iam\_role](#input\_create\_infrastructure\_iam\_role) | Determines whether the ECS infrastructure IAM role should be created | `bool` | `false` | no |
| [create\_security\_group](#input\_create\_security\_group) | Determines if a security group is created | `bool` | `true` | no |
| [create\_service](#input\_create\_service) | Determines whether service resource will be created (set to `false` in case you want to create task definition only) | `bool` | `true` | no |
| [create\_task\_definition](#input\_create\_task\_definition) | Determines whether to create a task definition or use existing/provided | `bool` | `true` | no |
@@ -264,6 +268,13 @@ module "ecs_service" {
| [iam\_role\_use\_name\_prefix](#input\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`iam_role_name`) is used as a prefix | `bool` | `true` | no |
| [ignore\_task\_definition\_changes](#input\_ignore\_task\_definition\_changes) | Whether changes to service `task_definition` changes should be ignored | `bool` | `false` | no |
| [inference\_accelerator](#input\_inference\_accelerator) | Configuration block(s) with Inference Accelerators settings | `any` | `{}` | no |
+| [infrastructure\_iam\_role\_arn](#input\_infrastructure\_iam\_role\_arn) | Existing IAM role ARN | `string` | `null` | no |
+| [infrastructure\_iam\_role\_description](#input\_infrastructure\_iam\_role\_description) | Description of the role | `string` | `null` | no |
+| [infrastructure\_iam\_role\_name](#input\_infrastructure\_iam\_role\_name) | Name to use on IAM role created | `string` | `null` | no |
+| [infrastructure\_iam\_role\_path](#input\_infrastructure\_iam\_role\_path) | IAM role path | `string` | `null` | no |
+| [infrastructure\_iam\_role\_permissions\_boundary](#input\_infrastructure\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
+| [infrastructure\_iam\_role\_tags](#input\_infrastructure\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
+| [infrastructure\_iam\_role\_use\_name\_prefix](#input\_infrastructure\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`iam_role_name`) is used as a prefix | `bool` | `true` | no |
| [ipc\_mode](#input\_ipc\_mode) | IPC resource namespace to be used for the containers in the task The valid values are `host`, `task`, and `none` | `string` | `null` | no |
| [launch\_type](#input\_launch\_type) | Launch type on which to run your service. The valid values are `EC2`, `FARGATE`, and `EXTERNAL`. Defaults to `FARGATE` | `string` | `"FARGATE"` | no |
| [load\_balancer](#input\_load\_balancer) | Configuration block for load balancers | `any` | `{}` | no |
@@ -319,6 +330,7 @@ module "ecs_service" {
| [timeouts](#input\_timeouts) | Create, update, and delete timeout configurations for the service | `map(string)` | `{}` | no |
| [triggers](#input\_triggers) | Map of arbitrary keys and values that, when changed, will trigger an in-place update (redeployment). Useful with `timestamp()` | `any` | `{}` | no |
| [volume](#input\_volume) | Configuration block for volumes that containers in your task may use | `any` | `{}` | no |
+| [volume\_configuration](#input\_volume\_configuration) | Configuration for a volume specified in the task definition as a volume that is configured at launch time. Currently, the only supported volume type is an Amazon EBS volume | `any` | `{}` | no |
| [wait\_for\_steady\_state](#input\_wait\_for\_steady\_state) | If true, Terraform will wait for the service to reach a steady state before continuing. Default is `false` | `bool` | `null` | no |
| [wait\_until\_stable](#input\_wait\_until\_stable) | Whether terraform should wait until the task set has reached `STEADY_STATE` | `bool` | `null` | no |
| [wait\_until\_stable\_timeout](#input\_wait\_until\_stable\_timeout) | Wait timeout for task set to reach `STEADY_STATE`. Valid time units include `ns`, `us` (or µs), `ms`, `s`, `m`, and `h`. Default `10m` | `string` | `null` | no |
diff --git a/modules/service/main.tf b/modules/service/main.tf
index eda959b..ceee22d 100644
--- a/modules/service/main.tf
+++ b/modules/service/main.tf
@@ -1447,7 +1447,7 @@ resource "aws_iam_role" "infrastructure_iam_role" {
path = var.infrastructure_iam_role_path
description = coalesce(var.infrastructure_iam_role_description, "Amazon ECS infrastructure IAM role that is used to manage your infrastructure")
- assume_role_policy = data.aws_iam_policy_document.ecs_infrastructure_iam_role[0].json
+ assume_role_policy = data.aws_iam_policy_document.infrastructure_iam_role[0].json
permissions_boundary = var.infrastructure_iam_role_permissions_boundary
force_detach_policies = true
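Review bot: The trust policy that the corrected `assume_role_policy` line now points at, `data.aws_iam_policy_document.infrastructure_iam_role`, is defined outside this hunk, so who may assume this role cannot be confirmed from here. The role is described as managing infrastructure for ECS, and the README lists an EBS policy attachment for it, so the document should allow only the `ecs.amazonaws.com` service principal. It would also benefit from a confused-deputy guard, such as a `StringEquals` condition on `aws:SourceAccount` fed from the module's existing `data.aws_caller_identity.current`. `force_detach_policies = true` deserves a comment, e.g. `# detaches any policy attached outside Terraform so the role can be destroyed`, because it also removes out-of-band attachments. The `aws_iam_role` block starts and ends outside the hunk.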
diff --git a/modules/service/variables.tf b/modules/service/variables.tf
index a5a820b..c516013 100644
--- a/modules/service/variables.tf
+++ b/modules/service/variables.tf
@@ -373,6 +373,12 @@ variable "volume" {
default = {}
}
+variable "volume_configuration" {
+ description = "Configuration for a volume specified in the task definition as a volume that is configured at launch time. Currently, the only supported volume type is an Amazon EBS volume"
+ type = any
+ default = {}
+}
+
variable "task_tags" {
description = "A map of additional tags to add to the task definition/set created"
type = map(string)
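Review bot: `volume_configuration` is declared as `type = any` with a description that does not say which keys it accepts, so a caller cannot tell from the variable that the EBS encryption settings are theirs to set. Assuming the value is passed through to the `aws_ecs_service` `volume_configuration` block (the wiring in main.tf is not part of this diff), the description should name the expected shape, for example `# keys: name, managed_ebs_volume = { role_arn, encrypted, kms_key_id, size_in_gb, volume_type, ... }`, and say that `role_arn` is the ECS infrastructure role. A typed `object({...})` with `optional()` attributes would turn a misspelled key into a plan error, if the module's minimum Terraform version allows it. The hunk ends inside `variable "task_tags"`, which continues past the last line shown.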
@@ -660,46 +666,6 @@ variable "security_group_tags" {
default = {}
}
-################################################################################
-# Security Group
-################################################################################
-
-variable "create_security_group" {
- description = "Determines if a security group is created"
- type = bool
- default = true
-}
-
-variable "security_group_name" {
- description = "Name to use on security group created"
- type = string
- default = null
-}
-
-variable "security_group_use_name_prefix" {
- description = "Determines whether the security group name (`security_group_name`) is used as a prefix"
- type = bool
- default = true
-}
-
-variable "security_group_description" {
- description = "Description of the security group created"
- type = string
- default = null
-}
-
-variable "security_group_rules" {
- description = "Security group rules to add to the security group created"
- type = any
- default = {}
-}
-
-variable "security_group_tags" {
- description = "A map of additional tags to add to the security group created"
- type = map(string)
- default = {}
-}
-
############################################################################################
# ECS infrastructure IAM role
############################################################################################
diff --git a/wrappers/service/main.tf b/wrappers/service/main.tf
index 3dbd9e4..aaf8941 100644
--- a/wrappers/service/main.tf
+++ b/wrappers/service/main.tf
@@ -27,57 +27,65 @@ module "wrapper" {
}
}
})
- autoscaling_scheduled_actions = try(each.value.autoscaling_scheduled_actions, var.defaults.autoscaling_scheduled_actions, {})
- capacity_provider_strategy = try(each.value.capacity_provider_strategy, var.defaults.capacity_provider_strategy, {})
- cluster_arn = try(each.value.cluster_arn, var.defaults.cluster_arn, "")
- container_definition_defaults = try(each.value.container_definition_defaults, var.defaults.container_definition_defaults, {})
- container_definitions = try(each.value.container_definitions, var.defaults.container_definitions, {})
- cpu = try(each.value.cpu, var.defaults.cpu, 1024)
- create = try(each.value.create, var.defaults.create, true)
- create_iam_role = try(each.value.create_iam_role, var.defaults.create_iam_role, true)
- create_security_group = try(each.value.create_security_group, var.defaults.create_security_group, true)
- create_service = try(each.value.create_service, var.defaults.create_service, true)
- create_task_definition = try(each.value.create_task_definition, var.defaults.create_task_definition, true)
- create_task_exec_iam_role = try(each.value.create_task_exec_iam_role, var.defaults.create_task_exec_iam_role, true)
- create_task_exec_policy = try(each.value.create_task_exec_policy, var.defaults.create_task_exec_policy, true)
- create_tasks_iam_role = try(each.value.create_tasks_iam_role, var.defaults.create_tasks_iam_role, true)
- deployment_circuit_breaker = try(each.value.deployment_circuit_breaker, var.defaults.deployment_circuit_breaker, {})
- deployment_controller = try(each.value.deployment_controller, var.defaults.deployment_controller, {})
- deployment_maximum_percent = try(each.value.deployment_maximum_percent, var.defaults.deployment_maximum_percent, 200)
- deployment_minimum_healthy_percent = try(each.value.deployment_minimum_healthy_percent, var.defaults.deployment_minimum_healthy_percent, 66)
- desired_count = try(each.value.desired_count, var.defaults.desired_count, 1)
- enable_autoscaling = try(each.value.enable_autoscaling, var.defaults.enable_autoscaling, true)
- enable_ecs_managed_tags = try(each.value.enable_ecs_managed_tags, var.defaults.enable_ecs_managed_tags, true)
- enable_execute_command = try(each.value.enable_execute_command, var.defaults.enable_execute_command, false)
- ephemeral_storage = try(each.value.ephemeral_storage, var.defaults.ephemeral_storage, {})
- external_id = try(each.value.external_id, var.defaults.external_id, null)
- family = try(each.value.family, var.defaults.family, null)
- force_delete = try(each.value.force_delete, var.defaults.force_delete, null)
- force_new_deployment = try(each.value.force_new_deployment, var.defaults.force_new_deployment, true)
- health_check_grace_period_seconds = try(each.value.health_check_grace_period_seconds, var.defaults.health_check_grace_period_seconds, null)
- iam_role_arn = try(each.value.iam_role_arn, var.defaults.iam_role_arn, null)
- iam_role_description = try(each.value.iam_role_description, var.defaults.iam_role_description, null)
- iam_role_name = try(each.value.iam_role_name, var.defaults.iam_role_name, null)
- iam_role_path = try(each.value.iam_role_path, var.defaults.iam_role_path, null)
- iam_role_permissions_boundary = try(each.value.iam_role_permissions_boundary, var.defaults.iam_role_permissions_boundary, null)
- iam_role_statements = try(each.value.iam_role_statements, var.defaults.iam_role_statements, {})
- iam_role_tags = try(each.value.iam_role_tags, var.defaults.iam_role_tags, {})
- iam_role_use_name_prefix = try(each.value.iam_role_use_name_prefix, var.defaults.iam_role_use_name_prefix, true)
- ignore_task_definition_changes = try(each.value.ignore_task_definition_changes, var.defaults.ignore_task_definition_changes, false)
- inference_accelerator = try(each.value.inference_accelerator, var.defaults.inference_accelerator, {})
- ipc_mode = try(each.value.ipc_mode, var.defaults.ipc_mode, null)
- launch_type = try(each.value.launch_type, var.defaults.launch_type, "FARGATE")
- load_balancer = try(each.value.load_balancer, var.defaults.load_balancer, {})
- memory = try(each.value.memory, var.defaults.memory, 2048)
- name = try(each.value.name, var.defaults.name, null)
- network_mode = try(each.value.network_mode, var.defaults.network_mode, "awsvpc")
- ordered_placement_strategy = try(each.value.ordered_placement_strategy, var.defaults.ordered_placement_strategy, {})
- pid_mode = try(each.value.pid_mode, var.defaults.pid_mode, null)
- placement_constraints = try(each.value.placement_constraints, var.defaults.placement_constraints, {})
- platform_version = try(each.value.platform_version, var.defaults.platform_version, null)
- propagate_tags = try(each.value.propagate_tags, var.defaults.propagate_tags, null)
- proxy_configuration = try(each.value.proxy_configuration, var.defaults.proxy_configuration, {})
- requires_compatibilities = try(each.value.requires_compatibilities, var.defaults.requires_compatibilities, ["FARGATE"])
+ autoscaling_scheduled_actions = try(each.value.autoscaling_scheduled_actions, var.defaults.autoscaling_scheduled_actions, {})
+ capacity_provider_strategy = try(each.value.capacity_provider_strategy, var.defaults.capacity_provider_strategy, {})
+ cluster_arn = try(each.value.cluster_arn, var.defaults.cluster_arn, "")
+ container_definition_defaults = try(each.value.container_definition_defaults, var.defaults.container_definition_defaults, {})
+ container_definitions = try(each.value.container_definitions, var.defaults.container_definitions, {})
+ cpu = try(each.value.cpu, var.defaults.cpu, 1024)
+ create = try(each.value.create, var.defaults.create, true)
+ create_iam_role = try(each.value.create_iam_role, var.defaults.create_iam_role, true)
+ create_infrastructure_iam_role = try(each.value.create_infrastructure_iam_role, var.defaults.create_infrastructure_iam_role, false)
+ create_security_group = try(each.value.create_security_group, var.defaults.create_security_group, true)
+ create_service = try(each.value.create_service, var.defaults.create_service, true)
+ create_task_definition = try(each.value.create_task_definition, var.defaults.create_task_definition, true)
+ create_task_exec_iam_role = try(each.value.create_task_exec_iam_role, var.defaults.create_task_exec_iam_role, true)
+ create_task_exec_policy = try(each.value.create_task_exec_policy, var.defaults.create_task_exec_policy, true)
+ create_tasks_iam_role = try(each.value.create_tasks_iam_role, var.defaults.create_tasks_iam_role, true)
+ deployment_circuit_breaker = try(each.value.deployment_circuit_breaker, var.defaults.deployment_circuit_breaker, {})
+ deployment_controller = try(each.value.deployment_controller, var.defaults.deployment_controller, {})
+ deployment_maximum_percent = try(each.value.deployment_maximum_percent, var.defaults.deployment_maximum_percent, 200)
+ deployment_minimum_healthy_percent = try(each.value.deployment_minimum_healthy_percent, var.defaults.deployment_minimum_healthy_percent, 66)
+ desired_count = try(each.value.desired_count, var.defaults.desired_count, 1)
+ enable_autoscaling = try(each.value.enable_autoscaling, var.defaults.enable_autoscaling, true)
+ enable_ecs_managed_tags = try(each.value.enable_ecs_managed_tags, var.defaults.enable_ecs_managed_tags, true)
+ enable_execute_command = try(each.value.enable_execute_command, var.defaults.enable_execute_command, false)
+ ephemeral_storage = try(each.value.ephemeral_storage, var.defaults.ephemeral_storage, {})
+ external_id = try(each.value.external_id, var.defaults.external_id, null)
+ family = try(each.value.family, var.defaults.family, null)
+ force_delete = try(each.value.force_delete, var.defaults.force_delete, null)
+ force_new_deployment = try(each.value.force_new_deployment, var.defaults.force_new_deployment, true)
+ health_check_grace_period_seconds = try(each.value.health_check_grace_period_seconds, var.defaults.health_check_grace_period_seconds, null)
+ iam_role_arn = try(each.value.iam_role_arn, var.defaults.iam_role_arn, null)
+ iam_role_description = try(each.value.iam_role_description, var.defaults.iam_role_description, null)
+ iam_role_name = try(each.value.iam_role_name, var.defaults.iam_role_name, null)
+ iam_role_path = try(each.value.iam_role_path, var.defaults.iam_role_path, null)
+ iam_role_permissions_boundary = try(each.value.iam_role_permissions_boundary, var.defaults.iam_role_permissions_boundary, null)
+ iam_role_statements = try(each.value.iam_role_statements, var.defaults.iam_role_statements, {})
+ iam_role_tags = try(each.value.iam_role_tags, var.defaults.iam_role_tags, {})
+ iam_role_use_name_prefix = try(each.value.iam_role_use_name_prefix, var.defaults.iam_role_use_name_prefix, true)
+ ignore_task_definition_changes = try(each.value.ignore_task_definition_changes, var.defaults.ignore_task_definition_changes, false)
+ inference_accelerator = try(each.value.inference_accelerator, var.defaults.inference_accelerator, {})
+ infrastructure_iam_role_arn = try(each.value.infrastructure_iam_role_arn, var.defaults.infrastructure_iam_role_arn, null)
+ infrastructure_iam_role_description = try(each.value.infrastructure_iam_role_description, var.defaults.infrastructure_iam_role_description, null)
+ infrastructure_iam_role_name = try(each.value.infrastructure_iam_role_name, var.defaults.infrastructure_iam_role_name, null)
+ infrastructure_iam_role_path = try(each.value.infrastructure_iam_role_path, var.defaults.infrastructure_iam_role_path, null)
+ infrastructure_iam_role_permissions_boundary = try(each.value.infrastructure_iam_role_permissions_boundary, var.defaults.infrastructure_iam_role_permissions_boundary, null)
+ infrastructure_iam_role_tags = try(each.value.infrastructure_iam_role_tags, var.defaults.infrastructure_iam_role_tags, {})
+ infrastructure_iam_role_use_name_prefix = try(each.value.infrastructure_iam_role_use_name_prefix, var.defaults.infrastructure_iam_role_use_name_prefix, true)
+ ipc_mode = try(each.value.ipc_mode, var.defaults.ipc_mode, null)
+ launch_type = try(each.value.launch_type, var.defaults.launch_type, "FARGATE")
+ load_balancer = try(each.value.load_balancer, var.defaults.load_balancer, {})
+ memory = try(each.value.memory, var.defaults.memory, 2048)
+ name = try(each.value.name, var.defaults.name, null)
+ network_mode = try(each.value.network_mode, var.defaults.network_mode, "awsvpc")
+ ordered_placement_strategy = try(each.value.ordered_placement_strategy, var.defaults.ordered_placement_strategy, {})
+ pid_mode = try(each.value.pid_mode, var.defaults.pid_mode, null)
+ placement_constraints = try(each.value.placement_constraints, var.defaults.placement_constraints, {})
+ platform_version = try(each.value.platform_version, var.defaults.platform_version, null)
+ propagate_tags = try(each.value.propagate_tags, var.defaults.propagate_tags, null)
+ proxy_configuration = try(each.value.proxy_configuration, var.defaults.proxy_configuration, {})
+ requires_compatibilities = try(each.value.requires_compatibilities, var.defaults.requires_compatibilities, ["FARGATE"])
runtime_platform = try(each.value.runtime_platform, var.defaults.runtime_platform, {
operating_system_family = "LINUX"
cpu_architecture = "X86_64"
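Review bot: Every new `infrastructure_iam_role_*` line uses the three-argument `try(each.value.X, var.defaults.X, <default>)` form, which swallows a misspelled key in an item and silently falls back to the default. For `infrastructure_iam_role_permissions_boundary` that default is `null`, so with `create_infrastructure_iam_role` enabled a typo produces a role with no boundary and no plan error. If this wrapper is hand-maintained, a comment above the block such as `# try() falls back silently: a misspelled key yields the default, not an error` would help, and a boundary that must always apply is safer set once in `var.defaults`. Most other changes in this hunk are re-alignment only, and the `module "wrapper"` block starts before the hunk and ends after it.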
@@ -123,6 +131,7 @@ module "wrapper" {
timeouts = try(each.value.timeouts, var.defaults.timeouts, {})
triggers = try(each.value.triggers, var.defaults.triggers, {})
volume = try(each.value.volume, var.defaults.volume, {})
+ volume_configuration = try(each.value.volume_configuration, var.defaults.volume_configuration, {})
wait_for_steady_state = try(each.value.wait_for_steady_state, var.defaults.wait_for_steady_state, null)
wait_until_stable = try(each.value.wait_until_stable, var.defaults.wait_until_stable, null)
wait_until_stable_timeout = try(each.value.wait_until_stable_timeout, var.defaults.wait_until_stable_timeout, null)