Use the cluster sub-module when you want to manage the ECS cluster separately from services.
module "ecs_cluster" {
  source  = "terraform-aws-modules/ecs/aws//modules/cluster"
  version = "~> 7.0"

  name = "my-cluster"
  # ...
}

Resource Creation Controls

create
bool
Determines whether resources will be created (affects all resources). Default: true.

Cluster

name
string
Name of the ECS cluster (up to 255 letters, numbers, hyphens, and underscores). Default: "".
configuration
object
The execute command configuration for the cluster. Default: sets cloud_watch_log_group_name = "placeholder".
service_connect_defaults
object
Default Service Connect namespace for the cluster. Default: null.
setting
list(object)
Cluster settings. Used to enable Container Insights. Default: [{ name = "containerInsights", value = "enabled" }].

Capacity Providers

cluster_capacity_providers
list(string)
List of capacity provider names (e.g., ["FARGATE", "FARGATE_SPOT"]) to associate with the cluster. Providers created by this module are automatically added. Default: [].
cluster_capacity_providers_wait_duration
string
Duration to wait after the cluster becomes active before attaching capacity providers. Default: "20s".
default_capacity_provider_strategy
map(object)
Default capacity provider strategy for the cluster. Default: {}.
capacity_providers
map(object)
Map of capacity provider definitions to create. Default: {}.

CloudWatch Logging

create_cloudwatch_log_group
bool
Create a CloudWatch log group for cluster logs. Default: true.
cloudwatch_log_group_name
string
Custom CloudWatch Log Group name. Default: null.
cloudwatch_log_group_retention_in_days
number
Log retention in days. Default: 90.
cloudwatch_log_group_kms_key_id
string
KMS Key ARN for log group encryption. Default: null.
cloudwatch_log_group_class
string
Log class: STANDARD or INFREQUENT_ACCESS. Default: null.
cloudwatch_log_group_tags
map(string)
Additional tags for the log group. Default: {}.

IAM — Infrastructure Role

create_infrastructure_iam_role
bool
Create the ECS infrastructure IAM role. Default: true.
infrastructure_iam_role_name
string
Name for the infrastructure IAM role. Default: null.
infrastructure_iam_role_use_name_prefix
bool
Use name as prefix. Default: true.
infrastructure_iam_role_path
string
IAM role path. Default: null.
infrastructure_iam_role_description
string
Role description. Default: null.
infrastructure_iam_role_permissions_boundary
string
Permissions boundary ARN. Default: null.
infrastructure_iam_role_source_policy_documents
list(string)
Policy documents merged into role (unique sids). Default: [].
infrastructure_iam_role_override_policy_documents
list(string)
Policy documents that override matching statements. Default: [].
infrastructure_iam_role_statements
map(object)
Custom IAM policy statements. Default: null.
infrastructure_iam_role_tags
map(string)
Additional tags. Default: {}.

IAM — Task Execution Role

create_task_exec_iam_role
bool
Create a cluster-level task execution IAM role. Default: false.
task_exec_iam_role_name
string
Name for the task execution role. Default: null.
task_exec_iam_role_use_name_prefix
bool
Use name as prefix. Default: true.
task_exec_iam_role_path
string
IAM role path. Default: null.
task_exec_iam_role_description
string
Role description. Default: null.
task_exec_iam_role_permissions_boundary
string
Permissions boundary ARN. Default: null.
task_exec_iam_role_policies
map(string)
Policy ARNs to attach. Default: {}.
task_exec_iam_role_tags
map(string)
Additional tags. Default: {}.
create_task_exec_policy
bool
Create the task execution policy with ECR pull, CloudWatch logging, Secrets Manager, and SSM access. Default: true.
task_exec_secret_arns
list(string)
Secrets Manager ARNs the execution role can read. Default: [].
task_exec_ssm_param_arns
list(string)
SSM parameter ARNs the execution role can read. Default: [].
task_exec_iam_statements
map(object)
Custom IAM statements for the execution role. Default: null.
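
The CloudWatch Logging and Task Execution Role inputs above, combined into one cluster definition that encrypts the log group with a customer-managed key and limits the execution role to named secrets and parameters. This is an added example, not taken from the module's documentation; the two variables, the role name, the account ID 111122223333 and every ARN are constructed placeholders.

```hcl
# Added example. Variables, names and ARNs below are constructed placeholders.

variable "log_kms_key_arn" {
  description = "ARN of an existing KMS key whose key policy lets CloudWatch Logs use it (assumed to exist)"
  type        = string
}

variable "permissions_boundary_arn" {
  description = "ARN of an existing IAM permissions boundary policy (assumed to exist)"
  type        = string
}

module "ecs_cluster" {
  source  = "terraform-aws-modules/ecs/aws//modules/cluster"
  version = "~> 7.0"

  name = "my-cluster"

  # CloudWatch Logging: cloudwatch_log_group_kms_key_id defaults to null,
  # so a customer-managed key has to be passed explicitly.
  create_cloudwatch_log_group            = true
  cloudwatch_log_group_kms_key_id        = var.log_kms_key_arn
  cloudwatch_log_group_retention_in_days = 365

  # Task execution role: not created by default (create_task_exec_iam_role = false).
  create_task_exec_iam_role               = true
  task_exec_iam_role_name                 = "my-cluster-task-exec"
  task_exec_iam_role_permissions_boundary = var.permissions_boundary_arn
  create_task_exec_policy                 = true

  # List the exact secrets the role may read rather than an account-wide wildcard.
  # Secrets Manager appends a six-character suffix to secret ARNs, hence "??????".
  task_exec_secret_arns = [
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:my-app/db-password-??????",
  ]

  # Scope SSM access to one parameter path.
  task_exec_ssm_param_arns = [
    "arn:aws:ssm:us-east-1:111122223333:parameter/my-app/*",
  ]

  tags = {
    Environment = "example"
  }
}
```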

IAM — Node Role (Managed Instances)

create_node_iam_instance_profile
bool
Create an IAM instance profile for Managed Instances nodes. Default: true.
node_iam_role_name
string
Name for the node IAM role/instance profile. Default: null.
node_iam_role_use_name_prefix
bool
Use name as prefix. Default: true.
node_iam_role_path
string
IAM role path. Default: null.
node_iam_role_description
string
Role description. Default: "ECS Managed Instances node IAM role".
node_iam_role_permissions_boundary
string
Permissions boundary ARN. Default: null.
node_iam_role_additional_policies
map(string)
Additional policy ARNs to attach. Default: {}.
node_iam_role_source_policy_documents
list(string)
Policy documents merged into node role. Default: [].
node_iam_role_override_policy_documents
list(string)
Policy documents that override matching statements. Default: [].
node_iam_role_statements
map(object)
Custom IAM statements for the node role. Default: null.
node_iam_role_tags
map(string)
Additional tags. Default: {}.

Security Group (Managed Instances)

create_security_group
bool
Create a security group for Managed Instances. Default: true.
security_group_name
string
Security group name. Default: null.
security_group_use_name_prefix
bool
Use name as prefix. Default: true.
security_group_description
string
Security group description. Default: null.
security_group_ingress_rules
map(object)
Ingress rules for the security group. Default: {}.
security_group_egress_rules
map(object)
Egress rules. Default includes allow-all IPv4 and IPv6.
security_group_tags
map(string)
Additional tags. Default: {}.
vpc_id
string
VPC ID for the security group. Default: null.

Misc

region
string
AWS region. Defaults to provider region. Default: null.
tags
map(string)
Tags for all resources. Default: {}.
disable_v7_default_name_description
bool
Deprecated — will be removed in v8.0. Disables v7.0 name/description postfixes. Default: false.
