terraform-aws-modules
diff --git a/‎docs/UPGRADE-6.0.md
Lines changed: 183 additions & 14 deletions b/‎docs/UPGRADE-6.0.md
Lines changed: 183 additions & 14 deletions
diff --git a/‎examples/container-definition/README.md
Lines changed: 92 additions & 0 deletions b/‎examples/container-definition/README.md
Lines changed: 92 additions & 0 deletions
@@ -5,14 +5,21 @@ If you find a bug, please open an issue with supporting configuration to reprodu
 
 ## List of backwards incompatible changes
 
-- Terraform v1.5.7 is now minimum supported version
-- AWS provider v6.0.0 is now minimum supported version
+- Terraform `v1.5.7` is now minimum supported version
+- AWS provider `v6.0.0` is now minimum supported version
+- The attributes used to construct the container definition(s) have been changed from HCL's norm of `snake_case` to `camelCase` to match the AWS API. There currently isn't a [resource nor data source for the container definition](https://github.com/hashicorp/terraform-provider-aws/issues/17988), so one is constructed entirely from HCL in the `container-definition` sub-module. This definition is then rendered as JSON when presented to the task definition (or task set) APIs. Previously, the variable names used were `snake_case` and then internally converted to `camelCase`. However, this does not allow for [using the `container-definition` sub-module on its own](https://github.com/terraform-aws-modules/terraform-aws-ecs/issues/147) due to the mismatch between casing. Its probably going to trip a few folks up, but hopefully we'll remove this for a data source in the future.
+- `security_group_rules` has been split into `security_group_ingress_rules` and `security_group_egress_rules` to better match the AWS API and allow for more flexibility in defining security group rules.
+- Default permissive permissions for SSM parameter ARNs and Secrets Manager secret ARNs have been removed throughout. While this made it easier for users since it "just worked", it was not secure and could lead to unexpected access to resources. Users should now explicitly define the permissions they need in their IAM policies.
+- The "hack" put in place to track the task definition version when updating outside of the module has been removed. Instead, users should rely on the `track_latest` variable to ensure that the latest task definition is used when updating the service. Any issues with tracking the task definition version should be reported to the *ECS service team* as it is a limitation of the AWS ECS service/API and not the module itself.
+- The inline policy for the Tasks role of the `service` sub-module has been replaced with a standalone IAM policy. In some organizations, inline policies are not allowed.
+- The default for the `container-definition` `user` has been changed from `0` to `null`.
 
 ## Additional changes
 
 ### Added
 
 - Support for `region` parameter to specify the AWS region for the resources created if different from the provider region.
+- Support for ECS infrastructure IAM role creation in the `service` sub-module. This role is used to manage ECS infrastructure resources https://docs.aws.amazon.com/AmazonECS/latest/developerguide/infrastructure_IAM_role.html
 
 ### Modified
 
@@ -22,35 +29,148 @@ If you find a bug, please open an issue with supporting configuration to reprodu
 
 1. Removed variables:
 
-    -
+    - `default_capacity_provider_use_fargate`
+    - `fargate_capacity_providers`
+
+    - `cluster` sub-module
+      - `fargate_capacity_providers`; part of `default_capacity_provider_strategy` now
+      - `default_capacity_provider_use_fargate`
+
+    - `container-definition` sub-module
+      - None
+
+    - `service` sub-module
+      - `inference_accelerator`
+
 
 2. Renamed variables:
 
-    -
+    - `cluster_settings` -> `cluster_setting`
+
+    - `cluster` sub-module
+      - `cluster_configuration` - `configuration`
+      - `cluster_settings` - `setting`
+      - `cluster_service_connect_defaults` - `service_connect_defaults`
+
+    - `container-definition` sub-module
+      - `dependencies` - `dependsOn`
+      - `disable_networking` - `disableNetworking`
+      - `dns_search_domains` - `dnsSearchDomains`
+      - `dns_servers` - `dnsServers`
+      - `docker_labels` - `dockerLabels`
+      - `docker_security_options` - `dockerSecurityOptions`
+      - `environment_files` - `environmentFiles`
+      - `extra_hosts` - `extraHosts`
+      - `firelens_configuration` - `firelensConfiguration`
+      - `health_check` - `healthCheck`
+      - `linux_parameters` - `linuxParameters`
+      - `log_configuration` - `logConfiguration`
+      - `memory_reservation` - `memoryReservation`
+      - `mount_points` - `mountPoints`
+      - `port_mappings` - `portMappings`
+      - `psuedo_terminal` - `pseudoTerminal`
+      - `readonly_root_filesystem` - `readonlyRootFilesystem`
+      - `repository_credentials` - `repositoryCredentials`
+      - `start_timeout` - `startTimeout`
+      - `system_controls` - `systemControls`
+      - `volumes_from` - `volumesFrom`
+      - `working_directory` - `workingDirectory`
+
+    - `service` sub-module
+      - None
 
 3. Added variables:
 
-    -
+    - `cloudwatch_log_group_class`
+    - `default_capacity_provider_strategy`
+
+    - `cluster` sub-module
+      - `cloudwatch_log_group_class`
+      - `default_capacity_provider_strategy` - replaces `fargate_capacity_providers` and `default_capacity_provider_use_fargate` functionality
+
+    - `container-definition` sub-module
+      - `log_group_class`
+      - `restartPolicy` - defaults to `enabled = true`
+      - `versionConsistency` - defaults to `"disabled"` https://github.com/aws/containers-roadmap/issues/2394
+
+    - `service` sub-module
+      - `availability_zone_rebalancing`
+      - `volume_configuration`
+      - `vpc_lattice_configurations`
+      - `enable_fault_injection`
+      - `track_latest`
+      - `create_infrastructure_iam_role`
+      - `infrastructure_iam_role_arn`
+      - `infrastructure_iam_role_name`
+      - `infrastructure_iam_role_use_name_prefix`
+      - `infrastructure_iam_role_path`
+      - `infrastructure_iam_role_description`
+      - `infrastructure_iam_role_permissions_boundary`
+      - `infrastructure_iam_role_tags`
 
 4. Removed outputs:
 
-    -
+    - `cluster` sub-module
+      - None
+    - `container-definition` sub-module
+      - None
+    - `service` sub-module
+      - `task_definition_family_revision`
 
 5. Renamed outputs:
 
-    -
+    - `cluster` sub-module
+      - None
+    - `container-definition` sub-module
+      - None
+    - `service` sub-module
+      - None
 
 6. Added outputs:
 
-    -
+    - `cluster` sub-module
+      - None
+    - `container-definition` sub-module
+      - None
+    - `service` sub-module
+      - `infrastructure_iam_role_arn`
+      - `infrastructure_iam_role_name`
 
 ## Upgrade Migrations
 
 ### Before 5.x Example
 
+#### Cluster Sub-Module
+
 ```hcl
-module "ecs" {
-  source  = "terraform-aws-modules/ecs/aws"
+module "ecs_cluster" {
+  source  = "terraform-aws-modules/ecs/aws//modules/cluster"
+  version = "~> 5.0"
+
+  # Truncated for brevity ...
+
+  # Capacity provider
+  fargate_capacity_providers = {
+    FARGATE = {
+      default_capacity_provider_strategy = {
+        weight = 50
+        base   = 20
+      }
+    }
+    FARGATE_SPOT = {
+      default_capacity_provider_strategy = {
+        weight = 50
+      }
+    }
+  }
+}
+```
+
+#### Service Sub-Module
+
+```hcl
+module "ecs_service" {
+  source  = "terraform-aws-modules/ecs/aws//modules/service"
   version = "~> 5.0"
 
   # Truncated for brevity ...
@@ -122,6 +242,18 @@ module "ecs" {
     }
   }
 
+  service_connect_configuration = {
+    namespace = aws_service_discovery_http_namespace.this.arn
+    service = {
+      client_alias = {
+        port     = 3000
+        dns_name = "ecsdemo-frontend"
+      }
+      port_name      = "ecsdemo-frontend"
+      discovery_name = "ecsdemo-frontend"
+    }
+  }
+
   security_group_rules = {
     alb_ingress_3000 = {
       type                     = "ingress"
@@ -142,10 +274,32 @@ module "ecs" {
 
 ### After 6.x Example
 
-#### Service
+#### Cluster Sub-Module
 
 ```hcl
-module "ecs" {
+module "ecs_cluster" {
+  source  = "terraform-aws-modules/ecs/aws//modules/cluster"
+  version = "~> 6.0"
+
+  # Truncated for brevity ...
+
+  # Cluster capacity providers
+  default_capacity_provider_strategy = {
+    FARGATE = {
+      weight = 50
+      base   = 20
+    }
+    FARGATE_SPOT = {
+      weight = 50
+    }
+  }
+}
+```
+
+#### Service Sub-Module
+
+```hcl
+module "ecs_service" {
   source  = "terraform-aws-modules/ecs/aws//modules/service"
   version = "~> 6.0"
 
@@ -224,6 +378,20 @@ module "ecs" {
     }
   }
 
+  service_connect_configuration = {
+    namespace = aws_service_discovery_http_namespace.this.arn
+    service = [
+      {
+        client_alias = {
+          port     = 3000
+          dns_name = "ecsdemo-frontend"
+        }
+        port_name      = "ecsdemo-frontend"
+        discovery_name = "ecsdemo-frontend"
+      }
+    ]
+  }
+
   security_group_ingress_rules = {
     alb_3000 = {
       description                  = "Service port"
@@ -242,15 +410,16 @@ module "ecs" {
 
 ### State Changes
 
-#### Service
+#### Service Sub-Module
+
+Due to the change from `aws_security_group_rule` to `aws_vpc_security_group_ingress_rule` and `aws_vpc_security_group_egress_rule`, the following reference state changes are required to maintain the current security group rules. (Note: these are different resources so they cannot be moved with `terraform mv ...`)
 
 ```sh
 terraform state rm 'module.ecs_service.aws_security_group_rule.this["alb_ingress_3000"]'
 terraform state import 'module.ecs_service.aws_vpc_security_group_ingress_rule.this["alb_3000"]' 'sg-xxx'
 
 terraform state rm 'module.ecs_service.aws_security_group_rule.this["egress_all"]'
 terraform state import 'module.ecs_service.aws_vpc_security_group_egress_rule.this["all"]' 'sg-xxx'
-
 ```
 
 The inline tasks `aws_iam_role_policy` cannot be moved or imported into a standalone `aws_iam_policy`. It must be re-created.
@@ -0,0 +1,92 @@
+# ECS Container Definition
+
+Configuration in this directory creates:
+
+- ECS container definition
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which will incur monetary charges on your AWS bill. Run `terraform destroy` when you no longer need these resources.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_alb"></a> [alb](#module\_alb) | terraform-aws-modules/alb/aws | ~> 9.0 |
+| <a name="module_ecs_cluster"></a> [ecs\_cluster](#module\_ecs\_cluster) | ../../modules/cluster | n/a |
+| <a name="module_ecs_service"></a> [ecs\_service](#module\_ecs\_service) | ../../modules/service | n/a |
+| <a name="module_ecs_task_definition"></a> [ecs\_task\_definition](#module\_ecs\_task\_definition) | ../../modules/service | n/a |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_service_discovery_http_namespace.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/service_discovery_http_namespace) | resource |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
+| [aws_ssm_parameter.fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_cluster_arn"></a> [cluster\_arn](#output\_cluster\_arn) | ARN that identifies the cluster |
+| <a name="output_cluster_autoscaling_capacity_providers"></a> [cluster\_autoscaling\_capacity\_providers](#output\_cluster\_autoscaling\_capacity\_providers) | Map of capacity providers created and their attributes |
+| <a name="output_cluster_capacity_providers"></a> [cluster\_capacity\_providers](#output\_cluster\_capacity\_providers) | Map of cluster capacity providers attributes |
+| <a name="output_cluster_id"></a> [cluster\_id](#output\_cluster\_id) | ID that identifies the cluster |
+| <a name="output_cluster_name"></a> [cluster\_name](#output\_cluster\_name) | Name that identifies the cluster |
+| <a name="output_service_autoscaling_policies"></a> [service\_autoscaling\_policies](#output\_service\_autoscaling\_policies) | Map of autoscaling policies and their attributes |
+| <a name="output_service_autoscaling_scheduled_actions"></a> [service\_autoscaling\_scheduled\_actions](#output\_service\_autoscaling\_scheduled\_actions) | Map of autoscaling scheduled actions and their attributes |
+| <a name="output_service_container_definitions"></a> [service\_container\_definitions](#output\_service\_container\_definitions) | Container definitions |
+| <a name="output_service_iam_role_arn"></a> [service\_iam\_role\_arn](#output\_service\_iam\_role\_arn) | Service IAM role ARN |
+| <a name="output_service_iam_role_name"></a> [service\_iam\_role\_name](#output\_service\_iam\_role\_name) | Service IAM role name |
+| <a name="output_service_iam_role_unique_id"></a> [service\_iam\_role\_unique\_id](#output\_service\_iam\_role\_unique\_id) | Stable and unique string identifying the service IAM role |
+| <a name="output_service_id"></a> [service\_id](#output\_service\_id) | ARN that identifies the service |
+| <a name="output_service_name"></a> [service\_name](#output\_service\_name) | Name of the service |
+| <a name="output_service_security_group_arn"></a> [service\_security\_group\_arn](#output\_service\_security\_group\_arn) | Amazon Resource Name (ARN) of the security group |
+| <a name="output_service_security_group_id"></a> [service\_security\_group\_id](#output\_service\_security\_group\_id) | ID of the security group |
+| <a name="output_service_task_definition_arn"></a> [service\_task\_definition\_arn](#output\_service\_task\_definition\_arn) | Full ARN of the Task Definition (including both `family` and `revision`) |
+| <a name="output_service_task_definition_family"></a> [service\_task\_definition\_family](#output\_service\_task\_definition\_family) | The unique name of the task definition |
+| <a name="output_service_task_definition_revision"></a> [service\_task\_definition\_revision](#output\_service\_task\_definition\_revision) | Revision of the task in a particular family |
+| <a name="output_service_task_exec_iam_role_arn"></a> [service\_task\_exec\_iam\_role\_arn](#output\_service\_task\_exec\_iam\_role\_arn) | Task execution IAM role ARN |
+| <a name="output_service_task_exec_iam_role_name"></a> [service\_task\_exec\_iam\_role\_name](#output\_service\_task\_exec\_iam\_role\_name) | Task execution IAM role name |
+| <a name="output_service_task_exec_iam_role_unique_id"></a> [service\_task\_exec\_iam\_role\_unique\_id](#output\_service\_task\_exec\_iam\_role\_unique\_id) | Stable and unique string identifying the task execution IAM role |
+| <a name="output_service_task_set_arn"></a> [service\_task\_set\_arn](#output\_service\_task\_set\_arn) | The Amazon Resource Name (ARN) that identifies the task set |
+| <a name="output_service_task_set_id"></a> [service\_task\_set\_id](#output\_service\_task\_set\_id) | The ID of the task set |
+| <a name="output_service_task_set_stability_status"></a> [service\_task\_set\_stability\_status](#output\_service\_task\_set\_stability\_status) | The stability status. This indicates whether the task set has reached a steady state |
+| <a name="output_service_task_set_status"></a> [service\_task\_set\_status](#output\_service\_task\_set\_status) | The status of the task set |
+| <a name="output_service_tasks_iam_role_arn"></a> [service\_tasks\_iam\_role\_arn](#output\_service\_tasks\_iam\_role\_arn) | Tasks IAM role ARN |
+| <a name="output_service_tasks_iam_role_name"></a> [service\_tasks\_iam\_role\_name](#output\_service\_tasks\_iam\_role\_name) | Tasks IAM role name |
+| <a name="output_service_tasks_iam_role_unique_id"></a> [service\_tasks\_iam\_role\_unique\_id](#output\_service\_tasks\_iam\_role\_unique\_id) | Stable and unique string identifying the tasks IAM role |
+| <a name="output_task_definition_run_task_command"></a> [task\_definition\_run\_task\_command](#output\_task\_definition\_run\_task\_command) | awscli command to run the standalone task |
+<!-- END_TF_DOCS -->
+
+## License
+
+Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-ecs/blob/master/LICENSE).