Skip to content

Latest commit

 

History

History
313 lines (260 loc) · 21.4 KB

README.md

File metadata and controls

313 lines (260 loc) · 21.4 KB

AWS App Runner Terraform module

Terraform module which creates AWS App Runner resources.

SWUbanner

Usage

See examples directory for working examples to reference:

AppRunner Common/Shared Configurations

module "app_runner_shared_configs" {
  source = "terraform-aws-modules/app-runner/aws"

  # Disable service resources
  create_service = false

  connections = {
    # The AWS Connector for GitHub connects to your GitHub account is a one-time setup,
    # You can reuse the connection for creating multiple App Runner services based on repositories in this account.
    # After creation, you must complete the authentication handshake using the App Runner console.
    github = {
      provider_type = "GITHUB"
    }
  }

  auto_scaling_configurations = {
    mini = {
      name            = "mini"
      max_concurrency = 20
      max_size        = 5
      min_size        = 1

      tags = {
        Type = "Mini"
      }
    }

    mega = {
      name            = "mega"
      max_concurrency = 200
      max_size        = 25
      min_size        = 5

      tags = {
        Type = "MEGA"
      }
    }
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

Code Based AppRunner Service

module "app_runner_code_base" {
  source = "terraform-aws-modules/app-runner/aws"

  service_name = "example-code-base"

  # From shared configs created above
  auto_scaling_configuration_arn = module.app_runner_shared_configs.auto_scaling_configurations["mini"].arn

  source_configuration = {
    authentication_configuration = {
      # From shared configs created above
      connection_arn = module.app_runner_shared_configs.connections["github"].arn
    }
    auto_deployments_enabled = false
    code_repository = {
      code_configuration = {
        configuration_source = "REPOSITORY"
      }
      repository_url = "https://github.com/aws-containers/hello-app-runner"
      source_code_version = {
        type  = "BRANCH"
        value = "main"
      }
    }
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

Image Based AppRunner Service

module "app_runner_image_base" {
  source = "terraform-aws-modules/app-runner/aws"

  service_name = "example-image-base"

  # From shared configs
  auto_scaling_configuration_arn = module.app_runner_shared_configs.auto_scaling_configurations["mega"].arn

  # IAM instance profile permissions to access secrets
  instance_policy_statements = {
    GetSecretValue = {
      actions   = ["secretsmanager:GetSecretValue"]
      resources = [aws_secretsmanager_secret.this.arn]
    }
  }

  source_configuration = {
    auto_deployments_enabled = false
    image_repository = {
      image_configuration = {
        port = 8000
        runtime_environment_variables = {
          MY_VARIABLE = "hello!"
        }
        runtime_environment_secrets = {
          MY_SECRET = aws_secretsmanager_secret.this.arn
        }
      }
      image_identifier      = "public.ecr.aws/aws-containers/hello-app-runner:latest"
      image_repository_type = "ECR_PUBLIC"
    }
  }

  create_vpc_connector          = true
  vpc_connector_subnets         = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
  vpc_connector_security_groups = ["sg-12345678"]
  network_configuration = {
    egress_configuration = {
      egress_type = "VPC"
    }
  }

  enable_observability_configuration = true

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

Private AppRunner Service

module "app_runner_private" {
  source = "terraform-aws-modules/app-runner/aws"

  service_name = "example-private"

  ...

  # Ingress
  create_ingress_vpc_connection = true
  ingress_vpc_id                = "vpc-12345678"
  ingress_vpc_endpoint_id       = "vpce-01234567890123456 s"

  # Egress
  create_vpc_connector          = true
  vpc_connector_subnets         = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
  vpc_connector_security_groups = ["sg-12345678"]

  network_configuration = {
    ingress_configuration = {
      is_publicly_accessible = false
    }
    egress_configuration = {
      egress_type = "VPC"
    }
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

Examples

Examples codified under the examples are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!

Requirements

Name Version
terraform >= 1.0
aws >= 4.51

Providers

Name Version
aws >= 4.51

Modules

No modules.

Resources

Name Type
aws_apprunner_auto_scaling_configuration_version.this resource
aws_apprunner_connection.this resource
aws_apprunner_custom_domain_association.this resource
aws_apprunner_observability_configuration.this resource
aws_apprunner_service.this resource
aws_apprunner_vpc_connector.this resource
aws_apprunner_vpc_ingress_connection.this resource
aws_iam_policy.access resource
aws_iam_policy.instance resource
aws_iam_role.access resource
aws_iam_role.instance resource
aws_iam_role_policy_attachment.access resource
aws_iam_role_policy_attachment.access_additional resource
aws_iam_role_policy_attachment.instance resource
aws_iam_role_policy_attachment.instance_additional resource
aws_iam_role_policy_attachment.instance_xray resource
aws_iam_policy_document.access data source
aws_iam_policy_document.access_assume_role data source
aws_iam_policy_document.instance data source
aws_iam_policy_document.instance_assume_role data source
aws_partition.current data source

Inputs

Name Description Type Default Required
access_iam_role_description Description of the role string null no
access_iam_role_name Name to use on IAM role created string null no
access_iam_role_path IAM role path string null no
access_iam_role_permissions_boundary ARN of the policy that is used to set the permissions boundary for the IAM role string null no
access_iam_role_policies IAM policies to attach to the IAM role map(string) {} no
access_iam_role_use_name_prefix Determines whether the IAM role name (iam_role_name) is used as a prefix bool true no
auto_scaling_configuration_arn ARN of an App Runner automatic scaling configuration resource that you want to associate with your service. If not provided, App Runner associates the latest revision of a default auto scaling configuration string null no
auto_scaling_configurations Map of auto-scaling configuration definitions to create any {} no
connections Map of connection definitions to create any {} no
create Determines whether resources will be created (affects all resources) bool true no
create_access_iam_role Determines whether an IAM role is created or to use an existing IAM role bool false no
create_custom_domain_association Determines whether a Custom Domain Association will be created bool false no
create_ingress_vpc_connection Determines whether a VPC ingress configuration will be created bool false no
create_instance_iam_role Determines whether an IAM role is created or to use an existing IAM role bool true no
create_service Determines whether the service will be created bool true no
create_vpc_connector Determines whether a VPC Connector will be created bool false no
domain_name The custom domain endpoint to association. Specify a base domain e.g., example.com or a subdomain e.g., subdomain.example.com string "" no
enable_observability_configuration Determines whether an X-Ray Observability Configuration will be created and assigned to the service bool true no
enable_www_subdomain Whether to associate the subdomain with the App Runner service in addition to the base domain. Defaults to true bool null no
encryption_configuration The encryption configuration for the service any {} no
health_check_configuration The health check configuration for the service any {} no
ingress_vpc_endpoint_id The ID of the VPC endpoint that is used for the VPC ingress configuration string "" no
ingress_vpc_id The ID of the VPC that is used for the VPC ingress configuration string "" no
instance_configuration The instance configuration for the service any {} no
instance_iam_role_description Description of the role string null no
instance_iam_role_name Name to use on IAM role created string null no
instance_iam_role_path IAM role path string null no
instance_iam_role_permissions_boundary ARN of the policy that is used to set the permissions boundary for the IAM role string null no
instance_iam_role_policies IAM policies to attach to the IAM role map(string) {} no
instance_iam_role_use_name_prefix Determines whether the IAM role name (iam_role_name) is used as a prefix bool true no
instance_policy_statements A map of IAM policy statements for custom permission usage any {} no
network_configuration The network configuration for the service any {} no
observability_configuration The observability configuration for the service any {} no
private_ecr_arn The ARN of the private ECR repository that contains the service image to launch string null no
service_name The name of the service string "" no
source_configuration The source configuration for the service any {} no
tags A map of tags to add to all resources map(string) {} no
vpc_connector_name The name of the VPC Connector string "" no
vpc_connector_security_groups The security groups to use for the VPC Connector list(string) [] no
vpc_connector_subnets The subnets to use for the VPC Connector list(string) [] no

Outputs

Name Description
access_iam_role_arn The Amazon Resource Name (ARN) specifying the IAM role
access_iam_role_name The name of the IAM role
access_iam_role_unique_id Stable and unique string identifying the IAM role
auto_scaling_configurations Map of attribute maps for all autoscaling configurations created
connections Map of attribute maps for all connections created
custom_domain_association_certificate_validation_records A set of certificate CNAME records used for this domain name
custom_domain_association_dns_target The App Runner subdomain of the App Runner service. The custom domain name is mapped to this target name. Attribute only available if resource created (not imported) with Terraform
custom_domain_association_id The domain_name and service_arn separated by a comma (,)
instance_iam_role_arn The Amazon Resource Name (ARN) specifying the IAM role
instance_iam_role_name The name of the IAM role
instance_iam_role_unique_id Stable and unique string identifying the IAM role
observability_configuration_arn ARN of this observability configuration
observability_configuration_latest Whether the observability configuration has the highest observability_configuration_revision among all configurations that share the same observability_configuration_name
observability_configuration_revision The revision of the observability configuration
observability_configuration_status The current state of the observability configuration. An INACTIVE configuration revision has been deleted and can't be used. It is permanently removed some time after deletion
service_arn The Amazon Resource Name (ARN) of the service
service_id An alphanumeric ID that App Runner generated for this service. Unique within the AWS Region
service_status The current state of the App Runner service
service_url A subdomain URL that App Runner generated for this service. You can use this URL to access your service web application
vpc_connector_arn The Amazon Resource Name (ARN) of VPC connector
vpc_connector_revision The revision of VPC connector. It's unique among all the active connectors ("Status": "ACTIVE") that share the same Name
vpc_connector_status The current state of the VPC connector. If the status of a connector revision is INACTIVE, it was deleted and can't be used. Inactive connector revisions are permanently removed some time after they are deleted
vpc_ingress_connection_arn The Amazon Resource Name (ARN) of the VPC Ingress Connection
vpc_ingress_connection_domain_name The domain name associated with the VPC Ingress Connection resource

License

Apache-2.0 Licensed. See LICENSE.