
ecs-blueprints's Introduction

Amazon ECS Blueprints

Welcome to Amazon ECS Blueprints!

When new users want to adopt containers to build, deploy, and run their applications, it often takes them several months to learn, set up, and realize container benefits. With Amazon Elastic Container Service (ECS) and AWS Fargate, users don't need to manage any middleware, any EC2, or host OS. With ECS Solution Blueprints, we want new users to achieve the benefits of container-based modernization in hours rather than months!

The blueprints are meant to give new users a jumpstart, and enable them to learn-by-doing. With blueprints we aspire to codify best practices, well-designed architecture patterns, and provide end-to-end solutions addressing CI/CD, observability, security, and cost efficiency.

We fully expect you to get started by copying the modules and examples, but we do not expect you to maintain any conformity to this repository. In other words, we expect that you will adapt and extend the module and example code to suit your needs. If you feel your use cases and solutions will help other users, we encourage you to contribute your solutions to ECS Solution Blueprints.

Prerequisites

  • You can use AWS Cloud9 which has all the prerequisites preinstalled and skip to Quick Start
  • Mac (tested with OS version 12.+) and AWS Cloud9 Linux machines. We have not tested with Windows machines
  • IaC Tool
    • Terraform (tested version v1.3.7 on darwin_amd64)
    • AWS CDK (tested version 2.70.+)
  • Git (tested version 2.27.0)
  • AWS CLI
  • AWS test account with administrator role access
  • Configure the AWS credentials on your machine ~/.aws/credentials. You need to use the following format:
[AWS_PROFILE_NAME]
aws_access_key_id = Replace_with_the_correct_access_Key
aws_secret_access_key = Replace_with_the_correct_secret_Key
  • Export the AWS profile name
export AWS_PROFILE=your_profile_name
  • You can also set the default region and output format in ~/.aws/config. Something like:
[default]
output = json
region = us-west-2

Quick Start for ECS Blueprints for Terraform

Please refer to the ECS Blueprints Workshop for details.

  • Fork this repository.

  • Clone your forked repository to your laptop/Cloud9 VM.

git clone https://github.com/<your-repo>/ecs-blueprints.git
  • Start with core-infra to create the cluster, VPC, and required IAM
cd ecs-blueprints/terraform/fargate-examples/core-infra/

terraform init
terraform plan
terraform apply --auto-approve
  • Now we can deploy a load balanced service along with CI/CD pipeline to the above cluster
cd ../lb-service
terraform init
terraform plan
terraform apply --auto-approve

You can use the ALB URL from terraform output to access the load balanced service. The above will give you a good understanding about the basics of ECS Fargate, and ECS service. You can use these as building blocks to create and deploy many ECS services. Next you can try other example blueprints.

Repository overview

This repository has 3 main folders

  • modules: Each module is a collection of one or more resources that are used together to address specific needs. If you are going to contribute new modules, that is, commonly used groups of resources, then put them in the modules folder.
  • examples (aka solution blueprints): This folder contains solution blueprints that are meant to address end-to-end requirements for specific scenarios. If you are looking to contribute new blueprints, put them in the examples folder.
  • application-code: These are just sample applications used in the examples. Currently, these applications are basic but we encourage contributing more real world applications that can help uncover specific aspects of containerized applications. For example, an application that can be used to test autoscaling, or an application that has long running sessions and would work better with blue/green deployments.

Support & Feedback

ECS Blueprints for Terraform is maintained by AWS Solution Architects. It is not part of an AWS service and support is provided best-effort by the ECS Blueprints community.

To post feedback, submit feature ideas, or report bugs, please use the Issues section of this GitHub repository.

For architectural details, step-by-step instructions, and customization options, see our documentation under each folder.

If you are interested in contributing to ECS Blueprints, see the Contribution guide.

Contributing

See CONTRIBUTING for more information.

Security

See CONTRIBUTING for more information.


ecs-blueprints's Issues

bug: update quickstart for terraform

Description

Please provide a clear and concise description of the issue you are encountering, and a reproduction of your configuration (see the examples/* directory for references that you can copy+paste and tailor to match your configs if you are unable to copy your exact configuration). The reproduction MUST be executable by running terraform init && terraform apply without any further changes.

If your request is for a new feature, please use the Feature request template.

  • ✋ I have searched the open/closed issues and my issue is not listed.

⚠️ Note

Before you submit an issue, please perform the following first:

  1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
  2. Re-initialize the project root to pull down modules: terraform init
  3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

  • Module version [Required]: there is no tag yet, however this is the commit: b317923

  • Terraform version: Terraform v1.4.0 on darwin_arm64

  • Provider version(s): provider registry.terraform.io/hashicorp/aws v4.58.0

Reproduction Code [Required]

Steps to reproduce the behavior:

Expected behavior

The command cp terraform.tfvars.example terraform.tfvars to work

Actual behavior

cd ecs-blueprints/examples/core-infra/

terraform init

cp terraform.tfvars.example terraform.tfvars
# exit code 1

Terminal Output Screenshot(s)

cd ecs-blueprints/examples/core-infra
terraform init

cp terraform.tfvars.example terraform.tfvars
cp: terraform.tfvars.example: No such file or directory

Additional context

the only terraform.tfvars.example I found was in the backstage folder

Cannot create S3 bucket because of the bucket ACL.

Description

Please provide a clear and concise description of the issue you are encountering, and a reproduction of your configuration (see the examples/* directory for references that you can copy+paste and tailor to match your configs if you are unable to copy your exact configuration). The reproduction MUST be executable by running terraform init && terraform apply without any further changes.

If your request is for a new feature, please use the Feature request template.

  • ✋ I have searched the open/closed issues and my issue is not listed.

⚠️ Note

Before you submit an issue, please perform the following first:

  1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
  2. Re-initialize the project root to pull down modules: terraform init
  3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

  • Module version [Required]:
    {
      "Key": "codepipeline_s3_bucket",
      "Source": "registry.terraform.io/terraform-aws-modules/s3-bucket/aws",
      "Version": "3.13.0",
      "Dir": ".terraform/modules/codepipeline_s3_bucket"
    },
    {
      "Key": "ecs_service_definition_arm64.container_definition",
      "Source": "../container-definition",
      "Dir": ".terraform/modules/ecs_service_definition_arm64/modules/container-definition"
    },
    {
      "Key": "service_alb_amd64",
      "Source": "registry.terraform.io/terraform-aws-modules/alb/aws",
      "Version": "8.6.1",
      "Dir": ".terraform/modules/service_alb_amd64"
    },
    {
      "Key": "codebuild_ci_amd64",
      "Source": "../../modules/codebuild",
      "Dir": "../../modules/codebuild"
    },
    {
      "Key": "service_alb_arm64",
      "Source": "registry.terraform.io/terraform-aws-modules/alb/aws",
      "Version": "8.6.1",
      "Dir": ".terraform/modules/service_alb_arm64"
    },
    {
      "Key": "ecs_service_definition_amd64.container_definition",
      "Source": "../container-definition",
      "Dir": ".terraform/modules/ecs_service_definition_amd64/modules/container-definition"
    },
    {
      "Key": "",
      "Source": "",
      "Dir": "."
    },
    {
      "Key": "ecs_service_definition_arm64",
      "Source": "registry.terraform.io/terraform-aws-modules/ecs/aws//modules/service",
      "Version": "5.2.0",
      "Dir": ".terraform/modules/ecs_service_definition_arm64/modules/service"
    },
    {
      "Key": "codepipeline_ci_cd",
      "Source": "../../modules/codepipeline",
      "Dir": "../../modules/codepipeline"
    },
    {
      "Key": "container_image_ecr",
      "Source": "registry.terraform.io/terraform-aws-modules/ecr/aws",
      "Version": "1.6.0",
      "Dir": ".terraform/modules/container_image_ecr"
    },
    {
      "Key": "ecs_service_definition_amd64",
      "Source": "registry.terraform.io/terraform-aws-modules/ecs/aws//modules/service",
      "Version": "5.2.0",
      "Dir": ".terraform/modules/ecs_service_definition_amd64/modules/service"
    },
    {
      "Key": "codebuild_ci_manifest",
      "Source": "../../modules/codebuild",
      "Dir": "../../modules/codebuild"
    },
    {
      "Key": "codebuild_ci_arm64",
      "Source": "../../modules/codebuild",
      "Dir": "../../modules/codebuild"
    }
  • Terraform version: Terraform v1.3.9 on darwin_arm64
  • Provider version(s):
    • registry.terraform.io/hashicorp/aws v4.67.0
    • provider registry.terraform.io/hashicorp/random v3.5.1

Reproduction Code [Required]

Steps to reproduce the behavior:
After installing core-infra and creating github token, deploy Graviton and Multi-architecture Container Images.

cd ecs-blueprints/terraform/fargate-examples/graviton
terraform init
terraform plan
terraform apply -auto-approve

Expected behavior

ECS service with graviton deployed.

Actual behavior

Cannot deploy the infra because of the recent change in S3 bucket ACL (link)

Terminal Output Screenshot(s)

image

Additional context

https://aws.amazon.com/ko/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/
https://stackoverflow.com/questions/76049290/error-accesscontrollistnotsupported-when-trying-to-create-a-bucket-acl-in-aws

[FEATURE] The `lambda_role` for the *queue-processing* example is allowed too many actions

Is your feature request related to a problem? Please describe

The IAM role for the Lambda function of the queue-processing example, lambda_role, is allowed to perform the actions as per below:

      "sqs:ChangeMessageVisibility",
      "sqs:ChangeMessageVisibilityBatch",
      "sqs:SendMessage",
      "sqs:DeleteMessage",
      "sqs:DeleteMessageBatch",
      "sqs:GetQueueAttributes",
      "sqs:GetQueueUrl",
      "sqs:ReceiveMessage"

These actions certainly apply to the task role, and they are allowed for it, but are not expected for the Lambda function itself.

Describe the solution you'd like

In line with the principle of least privilege, the list of allowed actions for the Lambda function should only contain:

      "sqs:GetQueueAttributes",
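
The check the issue above asks for can be automated. The following is an added example, not code from the issue or the repository: it computes the actions an IAM policy document effectively grants and reports those beyond what a role is expected to need. The policy document, the queue ARN and the function names are assumptions constructed from the action list in the issue.

```python
import fnmatch

# SQS actions named in the issue; also the catalogue used to expand wildcards.
SQS_ACTIONS = [
    "sqs:ChangeMessageVisibility",
    "sqs:ChangeMessageVisibilityBatch",
    "sqs:SendMessage",
    "sqs:DeleteMessage",
    "sqs:DeleteMessageBatch",
    "sqs:GetQueueAttributes",
    "sqs:GetQueueUrl",
    "sqs:ReceiveMessage",
]

# What the issue says the Lambda function itself needs.
LAMBDA_EXPECTED = {"sqs:GetQueueAttributes"}

# Constructed policy mirroring the issue's description of lambda_role.
# The Resource ARN is a placeholder, not a value from the repository.
LAMBDA_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": list(SQS_ACTIONS),
            "Resource": "arn:aws:sqs:us-west-2:111122223333:example-queue",
        }
    ],
}


def _as_list(value):
    """IAM accepts a single string or object where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _expand(patterns, catalogue):
    """Resolve action patterns to concrete actions (case-insensitive, * and ?)."""
    resolved = set()
    for pattern in patterns:
        if "*" in pattern or "?" in pattern:
            resolved.update(
                a for a in catalogue
                if fnmatch.fnmatchcase(a.lower(), pattern.lower())
            )
        else:
            # Keep explicit actions even if they are outside the catalogue,
            # using the catalogue's spelling when one matches.
            resolved.add(
                next((a for a in catalogue if a.lower() == pattern.lower()), pattern)
            )
    return resolved


def granted_actions(policy, catalogue=SQS_ACTIONS):
    """Actions the policy grants, judged conservatively for an audit:
    conditional Allows count as grants, conditional Denies are ignored."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        effect = stmt.get("Effect")
        if effect == "Allow":
            target = allowed
        elif effect == "Deny" and "Condition" not in stmt:
            target = denied
        else:
            continue
        if "NotAction" in stmt:
            # NotAction covers everything except the listed patterns.
            target.update(set(catalogue) - _expand(_as_list(stmt["NotAction"]), catalogue))
        target.update(_expand(_as_list(stmt.get("Action")), catalogue))
    return allowed - denied


def excess_actions(policy, expected, catalogue=SQS_ACTIONS):
    """Sorted list of granted actions the role is not expected to need."""
    return sorted(granted_actions(policy, catalogue) - set(expected))


if __name__ == "__main__":
    for action in excess_actions(LAMBDA_ROLE_POLICY, LAMBDA_EXPECTED):
        print("unexpected grant:", action)
```

Running the same check against the task role with its own expected set keeps the two roles from drifting back toward a shared policy.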

[FEATURE] Example with ECS Service Connect in Terraform

Is your feature request related to a problem? Please describe

When microservices need to talk to each other, the new recommended way to do it is using ECS Service Connect.

Describe the solution you'd like

I would like a pattern that shows how to best implement ECS service connect in terraform

"lb-service" docker build issue

Description

Running the "lb-service" example after successfully deploying "core-infra", I run into a docker build issue

If your request is for a new feature, please use the Feature request template.

  • [x ] ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]:
    $ cat .terraform/modules/modules.json | jq
    {
    "Modules": [
    {
    "Key": "codepipeline_ci_cd",
    "Source": "../../modules/codepipeline",
    "Dir": "../../modules/codepipeline"
    },
    {
    "Key": "codepipeline_s3_bucket",
    "Source": "registry.terraform.io/terraform-aws-modules/s3-bucket/aws",
    "Version": "3.4.0",
    "Dir": ".terraform/modules/codepipeline_s3_bucket"
    },
    {
    "Key": "container_image_ecr",
    "Source": "registry.terraform.io/terraform-aws-modules/ecr/aws",
    "Version": "1.4.0",
    "Dir": ".terraform/modules/container_image_ecr"
    },
    {
    "Key": "ecs_service_definition",
    "Source": "../../modules/ecs-service",
    "Dir": "../../modules/ecs-service"
    },
    {
    "Key": "ecs_service_definition.task_main_app_container",
    "Source": "../ecs-container-definition",
    "Dir": "../../modules/ecs-container-definition"
    },
    {
    "Key": "service_alb",
    "Source": "registry.terraform.io/terraform-aws-modules/alb/aws",
    "Version": "7.0.0",
    "Dir": ".terraform/modules/service_alb"
    },
    {
    "Key": "service_alb_security_group",
    "Source": "registry.terraform.io/terraform-aws-modules/security-group/aws",
    "Version": "4.13.1",
    "Dir": ".terraform/modules/service_alb_security_group"
    },
    {
    "Key": "codebuild_ci",
    "Source": "../../modules/codebuild",
    "Dir": "../../modules/codebuild"
    },
    {
    "Key": "ecs_service_definition.task_sidecar_containers",
    "Source": "../ecs-container-definition",
    "Dir": "../../modules/ecs-container-definition"
    },
    {
    "Key": "service_task_security_group",
    "Source": "registry.terraform.io/terraform-aws-modules/security-group/aws",
    "Version": "4.13.1",
    "Dir": ".terraform/modules/service_task_security_group"
    },
    {
    "Key": "",
    "Source": "",
    "Dir": "."
    }
    ]
    }

  • Terraform version: 1.2.4

  • Provider version(s):

Terraform v1.2.4
on linux_amd64

  • provider registry.terraform.io/hashicorp/aws v4.36.1
  • provider registry.terraform.io/hashicorp/random v3.4.3

Reproduction Code [Required]

Steps to reproduce the behavior:

terraform init
terraform plan
terraform apply -auto-approve

local "docker build ." in directory "terraform-aws-ecs-blueprints/application-code/ecsdemo-frontend" gave same docker build error

Expected behavior

Successful docker build, docker push and container image in ECR registry, which can be used for ECS service

Terminal Output Screenshot(s)

CodeBuild -> Build Logs
...
nokogiri-1.13.9-x86_64-linux requires ruby version < 3.2.dev, >= 2.6, which is
incompatible with the current version, ruby 2.5.9p229

The command '/bin/sh -c apt-get update && apt-get -y install iproute2 curl jq libgmp3-dev ruby-dev build-essential sqlite libsqlite3-dev python3 python3-pip && gem install bundler:1.17.3 && bundle install && pip3 install awscli netaddr && apt-get autoremove -y --purge && apt-get remove -y --auto-remove --purge ruby-dev libgmp3-dev build-essential libsqlite3-dev && apt-get clean && rm -rvf /root/* /root/.gem* /var/cache/*' returned a non-zero code: 5

[Container] 2022/10/24 13:19:52 Command did not exit successfully docker build -t $REPO_URL $FOLDER_PATH exit status 5

lb-service from terraform blueprints fails with 'invalid function argument' and 'multiple EC2 VPCs...'

Description

Following quick-start step by step I'm unable to plan nor apply the lb-service of the terraform blueprint.

Plan: 7 to add, 0 to change, 0 to destroy.
╷
│ Error: Invalid function argument
│ 
│   on main.tf line 139, in module "ecs_service_definition":
│  139:   task_exec_iam_role_arn = one(data.aws_iam_roles.ecs_core_infra_exec_role.arns)
│     ├────────────────
│     │ while calling one(list)
│     │ data.aws_iam_roles.ecs_core_infra_exec_role.arns is set of string with 2 elements
│ 
│ Invalid value for "list" parameter: must be a list, set, or tuple value with either zero or one elements.
╵
╷
│ Error: multiple EC2 VPCs matched; use additional constraints to reduce matches to a single EC2 VPC
│ 
│   with data.aws_vpc.vpc,
│   on main.tf line 169, in data "aws_vpc" "vpc":
│  169: data "aws_vpc" "vpc" {
│ 

If your request is for a new feature, please use the Feature request template.

  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]:
    {"Modules":[{"Key":"","Source":"","Dir":"."},{"Key":"ecs_service_definition","Source":"registry.terraform.io/terraform-aws-modules/ecs/aws//modules/service","Version":"5.0.1","Dir":".terraform/modules/ecs_service_definition/modules/service"},{"Key":"ecs_service_definition.container_definition","Source":"../container-definition","Dir":".terraform/modules/ecs_service_definition/modules/container-definition"},{"Key":"service_alb","Source":"registry.terraform.io/terraform-aws-modules/alb/aws","Version":"8.6.0","Dir":".terraform/modules/service_alb"}]}%

  • Terraform version: 1.4.6

  • Provider version(s): registry.terraform.io/hashicorp/aws v4.65.0

Reproduction Code [Required]

Steps to reproduce the behavior:

  • Followed quick-start step by step.
  • cd lb-service
  • terraform init
  • terraform plan

Expected behavior

Terraform plan should plan the set of actions to be reproduced

Actual behavior

Below described error messages

Terminal Output Screenshot(s)

Plan: 7 to add, 0 to change, 0 to destroy.
╷
│ Error: Invalid function argument
│ 
│   on main.tf line 139, in module "ecs_service_definition":
│  139:   task_exec_iam_role_arn = one(data.aws_iam_roles.ecs_core_infra_exec_role.arns)
│     ├────────────────
│     │ while calling one(list)
│     │ data.aws_iam_roles.ecs_core_infra_exec_role.arns is set of string with 2 elements
│ 
│ Invalid value for "list" parameter: must be a list, set, or tuple value with either zero or one elements.
╵
╷
│ Error: multiple EC2 VPCs matched; use additional constraints to reduce matches to a single EC2 VPC
│ 
│   with data.aws_vpc.vpc,
│   on main.tf line 169, in data "aws_vpc" "vpc":
│  169: data "aws_vpc" "vpc" {
│ 

[FEATURE] ECS/EC2 Example using Bottlerocket

Is your feature request related to a problem? Please describe

Today the examples for ECS/EC2 utilize AL2. This would create an example that uses Bottlerocket

Describe the solution you'd like

The ability to provision an ECS Cluster and corresponding data plane using BR.

[QUESTION] AWS will discontinue CodeStar on July 31, 2024 - how will that impact the examples here?

Please describe your question here

As someone perusing and evaluating this very helpful repository and its suggested solutions, I've seen that there are some references to AWS CodeStar in the infrastructure code. After going to the docs, I see that it's changing in July: What Is AWS CodeStar? - AWS CodeStar

On July 31, 2024, Amazon Web Services (AWS) will discontinue support for creating and viewing AWS CodeStar projects. After July 31, 2024, you will no longer be able to access the AWS CodeStar console or create new projects. However, the AWS resources created by AWS CodeStar, including your source repositories, pipelines, and builds, will be unaffected by this change and will continue to function. AWS CodeStar Connections will not be impacted by this discontinuation.

Will the examples continue to work after then? If not, what are the expected workarounds?

Provide link to the example related to the question

  • Yes, I have checked the repo for existing issues before raising this question

[FEATURE] Support multiple port_mappings for the primary container

Is your feature request related to a problem? Please describe

Primary container in the ECS Service module only supports 1 port/protocol.

Describe the solution you'd like

ECS Service module support port_mappings map. This will allow multiple ports to be exposed on the primary container.

Describe alternatives you've considered

A clear and concise description of any alternative solutions or features you've considered.
N/A

Additional context

Add any other context or screenshots about the feature request here.

[FEATURE] Example emphasizing private subnets and IPV6

Is your feature request related to a problem? Please describe

With recent changes to how AWS charges for IPv4 addresses, it would be useful to have a clear example in ECS Blueprints that demonstrates an architecture that minimizes the need for public IPv4 addresses and emphasizes private subnets, ideally with ipv6.

Describe the solution you'd like

Given that ECS/F requires dual stack ipv6 today, we could show provisioning a VPC with an ipv6 range enabled and how it works with tasks? Fuzzy on how exactly this should work but emphasizing ipv6, and de-emphasizing ipv4 where possible.

[FEATURE]Allow variable customisations for region, vpc cidr..

Is your feature request related to a problem? Please describe

We should provide an easy way for users to change creation specifications like Region name, vpc cidr.. by providing variables with sane default

also the core-infra by default creation name is not meaningful enough, maybe have a default to ecs-blueprint-code-infra ?

[cdk][generative-ai-service] - error cdk ls when nothing is already installed

Description

When following the workshop with nothing already installed, doing a cdk ls provide the following error:

Traceback (most recent call last):
  File "/home/ubuntu/environment/ecs/terraform/ecs-blueprints/cdk/examples/generative_ai_service/app.py", line 79, in <module>
    gen_ai_stack_props.sd_namespace = [
                                      ^
IndexError: list index out of range

Subprocess exited with error 1

⚠️ Note

Before you submit an issue, please perform the following first:

  1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
  2. Re-initialize the project root to pull down modules: terraform init
  3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

  • Module version [Required]:

  • Terraform version:

  • Provider version(s):

Reproduction Code [Required]

Steps to reproduce the behavior:

Expected behavior

Actual behavior

Terminal Output Screenshot(s)

Additional context

[FEATURE] Allow user to connect into ECS tasks via ecs exec

Is your feature request related to a problem? Please describe

We should allow users to connect into ECS tasks by providing configuration for ecs exec

Describe the solution you'd like

Configure the bucket s3 that will securely store the commands executed in ecs tasks

Model data not available in S3 bucket

Description

By following this Blog post - [https://aws.amazon.com/blogs/containers/build-generative-ai-apps-on-amazon-ecs-for-sagemaker-jumpstart/]. During the "Deploy the Amazon SageMaker environment" step, receiving this error:

❌  GenAITxt2TxtSageMakerStack failed: Error: The stack named GenAITxt2TxtSageMakerStack failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Could not find model data at s3://jumpstart-cache-prod-eu-central-1/huggingface-text2text/huggingface-text2text-flan-t5-xl/artifacts/inference-prepack/v2.0.0/. (Service: AmazonSageMaker; Status Code: 400; Error Code: ValidationException; Request ID: 21fad4ed-7e71-404d-9fe2-f93ae7f53648; Proxy: null)

After executing: cdk deploy GenAITxt2ImgSageMakerStack --require-approval never

Suggestion

Please add model data to the bucket

[FEATURE] Multi-account ECS blueprint

Is your feature request related to a problem? Please describe

Account level security access control

Describe the solution you'd like

Customers commonly use multiple accounts for e.g. -/ one account for CI/CD shared services -/ account for test/staging cluster -/ production account. This blueprint will define multi-account setup to use for running containers on ECS. Following is the desired account structure:

  1. CI/CD and associated services in one account
  2. an account with test cluster and test ECR images
  3. an account with production cluster and production ECR images

Make the blueprint flexible so that it is easier for customer to add more accounts for e.g. staging, Q/A etc. The designer should review AWS Control Tower, AWS Organization and landing zone best practices to align with the latest well-architected for multi-account setup.

[FEATURE] Update README.md for core / loadbalancer to mention CodeStar SNS notification creation delay.

Is your feature request related to a problem? Please describe

When running the TF on a new account with no CodeStar service link roles enabled the following error appears on creating sns notification

│ Error: error creating codestar notification rule: ConfigurationException: AWS CodeStar Notifications could not create the AWS CloudWatch Events managed rule in your AWS account. If this is your first time creating a notification rule, the service-linked role for AWS CodeStar Notifications might not yet exist. Creation of this role might take up to 15 minutes. Until it exists, notification rule creation will fail. Wait 15 minutes, and then try again. If this is is not the first time you are creating a notification rule, there might be a problem with a network connection, or one or more AWS services might be experiencing issues. Verify your network connection and check to see if there are any issues with AWS services in your AWS Region before trying again.
│ 
│   with module.codepipeline_ci_cd.aws_codestarnotifications_notification_rule.this,
│   on ../../modules/codepipeline/main.tf line 76, in resource "aws_codestarnotifications_notification_rule" "this":
│   76: resource "aws_codestarnotifications_notification_rule" "this" {

Describe the solution you'd like

Suggest updating the README.md documentation under
https://github.com/aws-ia/terraform-aws-ecs-blueprints/tree/main/examples/lb-service
to mention/warn of this error and to redo terraform apply - or enable a wait mechanism or create service link role prior to notification creation.

Describe alternatives you've considered

Re-do terraform apply

Additional context

Add any other context or screenshots about the feature request here.
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_service_linked_role

[FEATURE] Document creation of AWS CodeStar Notifications service-linked role

Is your feature request related to a problem? Please describe

AWS CodeStar Notifications could not create the AWS CloudWatch Events managed rule in your AWS account. 
If this is your first time creating a notification rule, the service-linked role for AWS CodeStar Notifications might not yet exist.
Creation of this role might take up to 15 minutes. Until it exists, notification rule creation will fail.

[FEATURE] Path to ECS v5 module

This is for tracking only:

  • Validate ECS service connect functionality
  • Validate changes are properly ignored when integrating with a load balancer (target group ARNs)
  • Validate changes are properly ignored when updating task definition externally (Terraform should still be able to update the task definition but will not revert the changes made externally)
  • Validate changes are properly ignored when using CodeDeploy blue/green deployment (task definition will be ignored entirely in this scenario)

Terraform backstage errors

Description

Tried deploying the terraform/backstage example and received the following 2 errors:

│ Error: creating RDS Cluster (backstage-db): DBSubnetGroupNotFoundFault: DB subnet group 'backstage-db' does not exist.
│       status code: 404, request id: 3e1d882a-5a14-45f2-ad01-17bff9f33a03
│ 
│   with module.aurora_postgresdb.aws_rds_cluster.this[0],
│   on .terraform/modules/aurora_postgresdb/main.tf line 39, in resource "aws_rds_cluster" "this":
│   39: resource "aws_rds_cluster" "this" {
│ 
╵
╷
│ Error: creating S3 Bucket (codepipeline-us-east-1-20240416185721255000000008) ACL: operation error S3: PutBucketAcl, https response error StatusCode: 400, RequestID: X33SEHZFNBEKADPK, HostID: +ucmEDDvw5gcnspNZlPlSTcZaua4WnMFeR+gm8b9o8J6T8ZNRotiDLoVLJGyn1TlqEJ9SD1BoRc=, api error AccessControlListNotSupported: The bucket does not allow ACLs
│ 
│   with module.codepipeline_s3_bucket.aws_s3_bucket_acl.this[0],
│   on .terraform/modules/codepipeline_s3_bucket/main.tf line 45, in resource "aws_s3_bucket_acl" "this":
│   45: resource "aws_s3_bucket_acl" "this" {

If your request is for a new feature, please use the Feature request template.

  • ✋ I have searched the open/closed issues and my issue is not listed.

⚠️ Note

Before you submit an issue, please perform the following first:

  1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
  2. Re-initialize the project root to pull down modules: terraform init
  3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

  • Module version [Required]:

  • Terraform version:

  • Provider version(s):

Terraform v1.8.0
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v5.45.0
+ provider registry.terraform.io/hashicorp/random v3.6.1

Reproduction Code [Required]

terraform/fargate-examples/backstage

Steps to reproduce the behavior:

Expected behavior

complete successfully

Actual behavior

│ Error: creating RDS Cluster (backstage-db): DBSubnetGroupNotFoundFault: DB subnet group 'backstage-db' does not exist.
│       status code: 404, request id: 3e1d882a-5a14-45f2-ad01-17bff9f33a03
│ 
│   with module.aurora_postgresdb.aws_rds_cluster.this[0],
│   on .terraform/modules/aurora_postgresdb/main.tf line 39, in resource "aws_rds_cluster" "this":
│   39: resource "aws_rds_cluster" "this" {
│ 
╵
╷
│ Error: creating S3 Bucket (codepipeline-us-east-1-20240416185721255000000008) ACL: operation error S3: PutBucketAcl, https response error StatusCode: 400, RequestID: X33SEHZFNBEKADPK, HostID: +ucmEDDvw5gcnspNZlPlSTcZaua4WnMFeR+gm8b9o8J6T8ZNRotiDLoVLJGyn1TlqEJ9SD1BoRc=, api error AccessControlListNotSupported: The bucket does not allow ACLs
│ 
│   with module.codepipeline_s3_bucket.aws_s3_bucket_acl.this[0],
│   on .terraform/modules/codepipeline_s3_bucket/main.tf line 45, in resource "aws_s3_bucket_acl" "this":
│   45: resource "aws_s3_bucket_acl" "this" {

Terminal Output Screenshot(s)

Additional context
