
ECS Task Module

Terraform module for creating a standalone ECS task definition.

Modules

| Name | Source | Version |
|------|--------|---------|
| ecs_service | terraform-aws-modules/ecs/aws//modules/service | 6.2.1 |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| capacity_provider_strategy | Cluster-level strategy enforcement | `map(object({ base = optional(number), capacity_provider = string, weight = optional(number) }))` | `null` | no |
| command | The command to run in the container | `list(string)` | `[]` | no |
| container_cpu | The number of CPU units to reserve for the container | `number` | `256` | no |
| container_image | The container image to use | `string` | n/a | yes |
| container_memory | The amount of memory to reserve for the container | `number` | `256` | no |
| container_runtime_user | The user to run the container as (set in the container definition). | `string` | `null` | no |
| cpu_architecture | The CPU architecture of the container | `string` | `"ARM64"` | no |
| create | Whether to create the ECS service | `bool` | `true` | no |
| dd_agent_apm_enabled | Whether to enable Datadog APM (Application Performance Monitoring) for distributed tracing. Only applies when dd_enabled is true. | `bool` | `true` | no |
| dd_agent_container_monitoring_enabled | Whether to enable Datadog container-level monitoring (CPU, memory, network metrics). Only applies when dd_enabled is true. | `bool` | `true` | no |
| dd_agent_metrics_enabled | Whether to enable Datadog metrics collection via DogStatsD. Only applies when dd_enabled is true. | `bool` | `true` | no |
| dd_api_key_parameter_name | The name of the Parameter Store parameter containing the Datadog API key | `string` | `"/datadog/DD_API_KEY"` | no |
| dd_apm_enabled | DEPRECATED: Use dd_agent_apm_enabled instead. Kept for backward compatibility. | `bool` | `true` | no |
| dd_apm_ignore_resources_string | Datadog APM ignore resources string, e.g. `'GET /healthcheck'` | `string` | `""` | no |
| dd_enable_auto_multiline_detect | Automatic multi-line detection allows the Agent to detect and aggregate common multi-line logs automatically. | `bool` | `false` | no |
| dd_enabled | Master switch for Datadog monitoring. When true, enables all monitoring features (logs, APM, metrics, container monitoring) unless explicitly disabled via the granular flags. When false, all monitoring is disabled regardless of the granular flag settings. | `bool` | `false` | no |
| dd_fluentbit_base_config | Base Fluent Bit configuration file path. Defaults to the built-in parse-json.conf | `string` | `"/fluent-bit/configs/parse-json.conf"` | no |
| dd_fluentbit_enable_ecs_log_metadata | Enable ECS log metadata in Fluent Bit. Only applies when using a custom Fluent Bit config. | `bool` | `true` | no |
| dd_fluentbit_s3_config | S3 ARN of a custom Fluent Bit configuration file (e.g., arn:aws:s3:::bucket-name/path/to/fluentbit.conf). When provided, the init-image is used and the config is downloaded from S3 before Fluent Bit starts | `string` | `null` | no |
| dd_log_level | The log level for the Datadog agent | `string` | `"INFO"` | no |
| dd_logs_enabled | Whether to enable Datadog log forwarding via Fluent Bit. Only applies when dd_enabled is true. | `bool` | `true` | no |
| dd_site | The Datadog site to send data to | `string` | `"datadoghq.eu"` | no |
| dd_source | The source of the logs | `string` | `"ecs_task"` | no |
| dd_tags | Map of tags to apply to the Datadog agent | `map(string)` | `{}` | no |
| env | The environment the service is running in | `string` | n/a | yes |
| environment_variables | Map of environment variables to set in the container | `map(string)` | `{}` | no |
| ephemeral_storage | The amount of ephemeral storage to allocate for the task. This parameter is used to expand the total amount of ephemeral storage available, beyond the default amount, for tasks hosted on AWS Fargate. | `object({ size_in_gib = number })` | `null` | no |
| launch_type | Optional ECS launch type | `string` | `null` | no |
| mount_points | List of mount points to attach to the container | `list(object({ source_volume = string, container_path = string, read_only = bool }))` | `[]` | no |
| parameter_store_secret_names | Map of Parameter Store secret names to attach to the ECS service | `map(string)` | `{}` | no |
| restart_policy | Restart policy for the task | `object({ enabled = optional(bool), ignoredExitCodes = optional(list(number)), restartAttemptPeriod = optional(number) })` | `{ "enabled": false }` | no |
| secretsmanager_secret_names | Map of Secrets Manager secret names to attach to the ECS service | `map(string)` | `{}` | no |
| subnet_ids | Used by the service module to place the security group in the correct VPC | `list(string)` | n/a | yes |
| task_exec_additional_secret_arns | Additional Secrets Manager secret ARNs to grant the task execution role access to (in addition to those in secretsmanager_secret_names) | `list(string)` | `[]` | no |
| task_exec_additional_ssm_param_arns | Additional SSM Parameter Store ARNs to grant the task execution role access to (in addition to those in parameter_store_secret_names) | `list(string)` | `[]` | no |
| task_name | The name of the ECS task | `string` | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| security_group_id | The security group ID for the ECS service |
| task_definition_arn | The ARN of the ECS task definition |
| tasks_execution_iam_role_arn | The IAM execution role ARN for the ECS tasks |
| tasks_execution_iam_role_name | The IAM execution role name for the ECS tasks |
| tasks_iam_role_arn | The IAM execution role ARN for the ECS tasks. Use this to attach policies for other AWS services, e.g. access to an S3 bucket. |
| tasks_iam_role_name | The IAM execution role name for the ECS tasks. Use this to attach policies for other AWS services, e.g. access to an S3 bucket. |

IAM Permissions for Secrets

The module creates IAM policies with permissions ONLY for the secrets you use. No wildcards, no broad permissions.

1. Basic secrets

module "ecs_task" {
  source = "./modules/ecs_task"

  secretsmanager_secret_names = {
    "DATABASE_PASSWORD" = aws_secretsmanager_secret.db_password.name
    "API_KEY"           = aws_secretsmanager_secret.api_key.name
  }

  parameter_store_secret_names = {
    "REDIS_URL" = aws_ssm_parameter.redis_url.name
  }
}

The module creates IAM permissions for these secrets automatically.

2. Manual mode (advanced)

task_exec_additional_secret_arns = [
  "arn:aws:secretsmanager:us-east-1:123456789012:secret:shared-secret"
]

task_exec_additional_ssm_param_arns = [
  "arn:aws:ssm:us-east-1:123456789012:parameter/shared-param"
]

Use this when you need secrets that are not in secretsmanager_secret_names or parameter_store_secret_names.
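A way to verify the "no wildcards, no broad permissions" property for both the basic and the manual mode above is to audit the execution role's policy against the list of secret ARNs the task actually references. This is an added example, not part of the module; the policy document, ARNs and helper names are constructed for illustration, and in practice the expected set would be built from secretsmanager_secret_names, parameter_store_secret_names and the task_exec_additional_* lists.

```python
"""Audit an ECS task-execution role policy: every Allow on Secrets Manager or
Parameter Store read actions must name an explicit ARN the task references."""
import fnmatch
import json

SECRET_READ_ACTIONS = ("secretsmanager:getsecretvalue", "ssm:getparameter",
                       "ssm:getparameters", "ssm:getparametersbypath")

# Constructed: the ARNs the task references (what the module derives from the
# secret name maps plus the task_exec_additional_* lists).
EXPECTED_ARNS = {
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:db-password-AbCdEf",
    "arn:aws:ssm:us-east-1:123456789012:parameter/redis_url",
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:shared-secret",
}

# Constructed policy: one tight statement (with one stray ARN), one legacy wildcard, one unrelated statement.
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "TaskSecrets", "Effect": "Allow",
   "Action": ["secretsmanager:GetSecretValue", "ssm:GetParameters"],
   "Resource": [
     "arn:aws:secretsmanager:us-east-1:123456789012:secret:db-password-AbCdEf",
     "arn:aws:ssm:us-east-1:123456789012:parameter/redis_url",
     "arn:aws:secretsmanager:us-east-1:123456789012:secret:shared-secret",
     "arn:aws:ssm:us-east-1:123456789012:parameter/other-team-param"]},
  {"Sid": "LegacyWildcard", "Effect": "Allow", "Action": "secretsmanager:*",
   "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:*"},
  {"Sid": "Logs", "Effect": "Allow", "Action": "logs:PutLogEvents",
   "Resource": "*"}]}""")

def _listify(value):
    return value if isinstance(value, list) else [value]

def _grants_secret_read(actions):
    # IAM matches actions case-insensitively and expands '*' globs.
    return any(fnmatch.fnmatchcase(secret, pattern.lower())
               for pattern in actions for secret in SECRET_READ_ACTIONS)

def audit_secret_access(policy, expected_arns):
    """Return (Sid, resource, reason) for every over-broad secret grant."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or not _grants_secret_read(
                _listify(stmt.get("Action", []))):
            continue  # deny statements and non-secret grants are out of scope
        for res in _listify(stmt.get("Resource", [])):
            if "*" in res or "?" in res:
                findings.append((stmt.get("Sid"), res, "wildcard resource"))
            elif res not in expected_arns:
                findings.append((stmt.get("Sid"), res, "not referenced by task"))
    return findings
```

Run it against the output of `aws iam get-role-policy` for the tasks_execution_iam_role_name output; an empty findings list means the role can read only the secrets the task definition declares.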