refactor(modules)!: remove asg sub-module

Author: saumitra-dev

README.md

@@ -22,7 +22,6 @@ Terraform module to deploy production-ready applications and services on an exis
 |------|--------|---------|
 | <a name="module_acm"></a> [acm](#module\_acm) | ./modules/acm | n/a |
 | <a name="module_alb"></a> [alb](#module\_alb) | ./modules/alb | n/a |
-| <a name="module_asg"></a> [asg](#module\_asg) | ./modules/asg | n/a |
 | <a name="module_capacity_provider"></a> [capacity\_provider](#module\_capacity\_provider) | ./modules/capacity-provider | n/a |
 
 ## Resources
@@ -39,13 +38,11 @@ Terraform module to deploy production-ready applications and services on an exis
 | <a name="input_acm_amazon_issued_certificates"></a> [acm\_amazon\_issued\_certificates](#input\_acm\_amazon\_issued\_certificates) | Amazon-issued ACM certificates to create | `any` | `{}` | no |
 | <a name="input_acm_imported_certificates"></a> [acm\_imported\_certificates](#input\_acm\_imported\_certificates) | Imported ACM certificates to create | `any` | `{}` | no |
 | <a name="input_acm_private_ca_issued_certificates"></a> [acm\_private\_ca\_issued\_certificates](#input\_acm\_private\_ca\_issued\_certificates) | Private CA Issued ACM certificates to create | `any` | `{}` | no |
-| <a name="input_autoscaling_group"></a> [autoscaling\_group](#input\_autoscaling\_group) | Configuration for Autoscaling Group | `any` | `{}` | no |
 | <a name="input_capacity_provider_default_auto_scaling_group_arn"></a> [capacity\_provider\_default\_auto\_scaling\_group\_arn](#input\_capacity\_provider\_default\_auto\_scaling\_group\_arn) | Default Autoscaling Group to use with the Capacity Providers | `string` | `null` | no |
 | <a name="input_capacity_providers"></a> [capacity\_providers](#input\_capacity\_providers) | Capacity Providers to create for use within the ECS Cluster | `any` | `{}` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the ECS Cluster to use with the ECS Service | `string` | n/a | yes |
 | <a name="input_create_acm"></a> [create\_acm](#input\_create\_acm) | Creates the ACM certificates to use with the Load Balancer | `bool` | `false` | no |
 | <a name="input_create_alb"></a> [create\_alb](#input\_create\_alb) | Creates a new Application Load Balancer to use with the ECS Service | `bool` | `true` | no |
-| <a name="input_create_autoscaling_group"></a> [create\_autoscaling\_group](#input\_create\_autoscaling\_group) | Creates a new Autoscaling group to use with the ECS Service | `bool` | `true` | no |
 | <a name="input_create_capacity_provider"></a> [create\_capacity\_provider](#input\_create\_capacity\_provider) | Creates a new Capacity Provider to use with the Autoscaling Group | `bool` | `true` | no |
 | <a name="input_default_capacity_providers_strategies"></a> [default\_capacity\_providers\_strategies](#input\_default\_capacity\_providers\_strategies) | Default Capacity Provider Strategies to use | `any` | `[]` | no |
 | <a name="input_load_balancer"></a> [load\_balancer](#input\_load\_balancer) | Configuration for the Application Load Balancer | `any` | `{}` | no |
@@ -67,13 +64,6 @@ Terraform module to deploy production-ready applications and services on an exis
 | <a name="output_alb_zone_id"></a> [alb\_zone\_id](#output\_alb\_zone\_id) | Canonical hosted zone ID of the Load Balancer (to be used in a Route 53 Alias record) |
 | <a name="output_amazon_issued_acm_certificates_arns"></a> [amazon\_issued\_acm\_certificates\_arns](#output\_amazon\_issued\_acm\_certificates\_arns) | ARNs of the Amazon issued ACM certificates |
 | <a name="output_amazon_issued_acm_certificates_validation_records"></a> [amazon\_issued\_acm\_certificates\_validation\_records](#output\_amazon\_issued\_acm\_certificates\_validation\_records) | Validation Records of the Amazon issued ACM certificates |
-| <a name="output_asg_arn"></a> [asg\_arn](#output\_asg\_arn) | ARN of the Autoscaling group |
-| <a name="output_asg_iam_instance_profile_arn"></a> [asg\_iam\_instance\_profile\_arn](#output\_asg\_iam\_instance\_profile\_arn) | ARN of the IAM Instance Profile |
-| <a name="output_asg_iam_instance_profile_id"></a> [asg\_iam\_instance\_profile\_id](#output\_asg\_iam\_instance\_profile\_id) | Identifier of the IAM Instance Profile |
-| <a name="output_asg_iam_role_id"></a> [asg\_iam\_role\_id](#output\_asg\_iam\_role\_id) | Identifier of the IAM Role |
-| <a name="output_asg_id"></a> [asg\_id](#output\_asg\_id) | Identifier of the Autoscaling group |
-| <a name="output_asg_launch_template_arn"></a> [asg\_launch\_template\_arn](#output\_asg\_launch\_template\_arn) | ARN of the Launch Template |
-| <a name="output_asg_launch_template_id"></a> [asg\_launch\_template\_id](#output\_asg\_launch\_template\_id) | Identifier of the Launch Template |
 | <a name="output_capacity_provider_arns"></a> [capacity\_provider\_arns](#output\_capacity\_provider\_arns) | ARNs for the ECS Capacity Providers |
 | <a name="output_capacity_provider_ecs_cluster_capacity_providers_id"></a> [capacity\_provider\_ecs\_cluster\_capacity\_providers\_id](#output\_capacity\_provider\_ecs\_cluster\_capacity\_providers\_id) | Identifier for the ECS Cluster Capacity Providers |
 | <a name="output_capacity_provider_ids"></a> [capacity\_provider\_ids](#output\_capacity\_provider\_ids) | Identifiers for the ECS Capacity Providers |

examples/complete/main.tf

@@ -1,5 +1,6 @@
 provider "aws" {
-  region = local.region
+  region  = local.region
+  profile = "dev"
 
   default_tags {
     tags = local.default_tags
@@ -108,33 +109,8 @@ module "ecs_deployment" {
     ]
   }
 
-  # ASG
-  autoscaling_group = {
-    name                  = "${local.name_prefix}my-asg"
-    vpc_zone_identifier   = module.vpc.private_subnets
-    protect_from_scale_in = true
-
-    desired_capacity = 1
-    min_size         = 1
-    max_size         = 1
-
-    launch_template = {
-      name                   = "${local.name_prefix}my-launch-template"
-      image_id               = data.aws_ami.ecs_optimized_amzn_linux.id
-      instance_type          = "t2.micro"
-      vpc_security_group_ids = [aws_security_group.allow_all_within_vpc.id]
-      user_data              = <<-EOT
-          #!/bin/bash
-          echo ECS_CLUSTER=${local.cluster_name} >> /etc/ecs/ecs.config
-        EOT
-    }
-
-    iam_role_policy_attachments = [
-      "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
-    ]
-  }
-
   # Capacity Provider
+  capacity_provider_default_auto_scaling_group_arn = module.asg.autoscaling_group_arn
   capacity_providers = {
     my-capacity-provider = {
       name = "${local.name_prefix}my-capacity-provider"
@@ -199,6 +175,8 @@ module "ecs_deployment" {
       }
     }
   }
+
+  depends_on = [module.asg]
 }
 
 ################################################################################
@@ -220,6 +198,44 @@ module "vpc" {
   enable_vpn_gateway = false
 }
 
+module "asg" {
+  source = "terraform-aws-modules/autoscaling/aws"
+
+  name = "${local.name_prefix}my-asg"
+
+  min_size            = 1
+  max_size            = 1
+  desired_capacity    = 1
+  health_check_type   = "EC2"
+  vpc_zone_identifier = module.vpc.private_subnets
+
+  # Launch template
+  launch_template_name        = "${local.name_prefix}my-asg"
+  launch_template_description = "My example Launch template"
+  image_id                    = data.aws_ami.ecs_optimized_amzn_linux.image_id
+  instance_type               = "t2.micro"
+  update_default_version      = true
+  security_groups             = [aws_security_group.allow_all_within_vpc.id]
+
+  # IAM role & instance profile
+  create_iam_instance_profile = true
+  iam_role_name               = "${local.name_prefix}my-asg"
+  iam_role_description        = "My example IAM role for ${local.name_prefix}my-asg"
+  iam_role_policies = {
+    AmazonEC2ContainerServiceforEC2Role = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
+    AmazonSSMManagedInstanceCore        = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  }
+
+  # This will ensure imdsv2 is enabled, required, and a single hop which is aws security
+  # best practices
+  # See https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-4
+  metadata_options = {
+    http_endpoint               = "enabled"
+    http_tokens                 = "required"
+    http_put_response_hop_limit = 1
+  }
+}
+
 ################################################################################
 # # ACM
 ################################################################################

examples/complete/outputs.tf

@@ -66,22 +66,22 @@ output "vpc_public_subnets_arns" {
 
 output "asg_id" {
   description = "Identifier of the Autoscaling group"
-  value       = module.ecs_deployment.asg_id
+  value       = module.asg.autoscaling_group_id
 }
 
 output "asg_arn" {
   description = "ARN of the Autoscaling group"
-  value       = module.ecs_deployment.asg_arn
+  value       = module.asg.autoscaling_group_arn
 }
 
 output "launch_template_id" {
   description = "Identifier of the Launch Template"
-  value       = module.ecs_deployment.asg_launch_template_id
+  value       = module.asg.launch_template_id
 }
 
 output "launch_template_arn" {
   description = "ARN of the Launch Template"
-  value       = module.ecs_deployment.asg_launch_template_arn
+  value       = module.asg.launch_template_arn
 }
 
 ################################################################################
@@ -90,17 +90,17 @@ output "launch_template_arn" {
 
 output "iam_instance_role_id" {
   description = "Identifier of the IAM Instance Role"
-  value       = module.ecs_deployment.asg_iam_role_id
+  value       = module.asg.iam_role_unique_id
 }
 
 output "iam_instance_profile_id" {
   description = "Identifier of the IAM Instance Profile"
-  value       = module.ecs_deployment.asg_iam_instance_profile_id
+  value       = module.asg.iam_instance_profile_id
 }
 
 output "iam_instance_profile_arn" {
   description = "ARN of the IAM Instance Profile"
-  value       = module.ecs_deployment.asg_iam_instance_profile_arn
+  value       = module.asg.iam_instance_profile_arn
 }
 
 ################################################################################

main.tf

@@ -147,8 +147,6 @@ resource "aws_ecs_service" "this" {
   }
 
   tags = try(var.service.tags, {})
-
-  depends_on = [module.asg]
 }
 
 ################################################################################
@@ -277,41 +275,6 @@ resource "aws_ecs_task_definition" "this" {
   tags = try(var.task_definition.tags, {})
 }
 
-################################################################################
-# Autoscaling Group Sub-module
-################################################################################
-
-module "asg" {
-  source = "./modules/asg"
-
-  count = var.create_autoscaling_group ? 1 : 0
-
-  name                = try(var.autoscaling_group.name, null)
-  vpc_zone_identifier = try(var.autoscaling_group.vpc_zone_identifier, [])
-
-  desired_capacity      = try(var.autoscaling_group.desired_capacity, null)
-  min_size              = try(var.autoscaling_group.min_size, null)
-  max_size              = try(var.autoscaling_group.max_size, null)
-  protect_from_scale_in = try(var.autoscaling_group.protect_from_scale_in, null)
-
-  # Launch Template
-  create_launch_template = try(var.autoscaling_group.create_launch_template, true)
-  launch_template_id     = try(var.autoscaling_group.launch_template_id, null)
-  launch_template        = try(var.autoscaling_group.launch_template, {})
-
-  # IAM Instance Profile
-  create_iam_role             = try(var.autoscaling_group.create_iam_role, true)
-  iam_role_name               = try(var.autoscaling_group.iam_role_name, null)
-  iam_role_policy_attachments = try(var.autoscaling_group.iam_role_policy_attachments, [])
-  iam_role_tags               = try(var.autoscaling_group.iam_role_tags, {})
-  create_iam_instance_profile = try(var.autoscaling_group.create_iam_instance_profile, true)
-  iam_instance_profile_name   = try(var.autoscaling_group.iam_instance_profile_name, null)
-  iam_instance_profile_tags   = try(var.autoscaling_group.iam_instance_profile_tags, {})
-
-  instances_tags = try(var.autoscaling_group.instances_tags, {})
-  tags           = try(var.autoscaling_group.tags, {})
-}
-
 ################################################################################
 # Capacity Provider Sub-module
 ################################################################################
@@ -322,7 +285,7 @@ module "capacity_provider" {
   count = var.create_capacity_provider ? 1 : 0
 
   ecs_cluster_name               = var.cluster_name
-  default_auto_scaling_group_arn = var.create_autoscaling_group ? try(module.asg[0].arn, "") : var.capacity_provider_default_auto_scaling_group_arn
+  default_auto_scaling_group_arn = var.capacity_provider_default_auto_scaling_group_arn
 
   capacity_providers                   = var.capacity_providers
   default_capacity_provider_strategies = var.default_capacity_providers_strategies