The Express Service module creates an ECS Express Gateway Service — a simplified deployment model with opinionated defaults.
module "ecs_express_service" {
  source  = "terraform-aws-modules/ecs/aws//modules/express-service"
  version = "~> 7.0"

  name = "my-express-service"

  cpu    = 1024
  memory = 4096

  network_configuration = {
    subnets = ["subnet-abcde012", "subnet-bcde012a"]
  }

  primary_container = {
    container_port = 3000
    image          = "public.ecr.aws/aws-containers/ecsdemo-frontend:776fd50"
  }

  scaling_target = {
    auto_scaling_metric       = "AVERAGE_CPU"
    auto_scaling_target_value = "80"
    max_task_count            = 3
    min_task_count            = 1
  }

  vpc_id = module.vpc.vpc_id

  tags = { Environment = "dev" }
}

Resource Creation Controls

create
bool
Determines whether resources will be created. Default: true.

Service

cluster
string
Name or ARN of the ECS cluster. Defaults to the default cluster. Default: null.
name
string
Name of the service. If not specified, a name is generated. Changing this forces re-creation. Default: "".
cpu
string
CPU units for the task. Valid values are powers of 2 between 256 and 4096. Default: null.
memory
string
Memory in MiB for the task. Valid values are between 512 and 8192. Default: null.
health_check_path
string
Path for health check requests. Default: null (/ping).
network_configuration
object
Network configuration for the service revision. Default: null.
primary_container
object
Primary container configuration for the service revision. Default: null.
scaling_target
object
Auto-scaling configuration for the service revision. Default: null.

Security Group

create_security_group
bool
Create a security group for the service. Default: true.
security_group_name
string
Security group name. Default: null.
security_group_use_name_prefix
bool
Use security group name as prefix. Default: true.
security_group_description
string
Security group description. Default: null.
security_group_ingress_rules
map(object)
Ingress rules for the security group. Default: {}.
security_group_egress_rules
map(object)
Egress rules for the security group. Default: {}.
security_group_tags
map(string)
Additional security group tags. Default: {}.
vpc_id
string
VPC ID for the security group. Default: null.

IAM — Execution Role

create_execution_iam_role
bool
Create the task execution IAM role. Default: true.
execution_iam_role_arn
string
Existing execution IAM role ARN. Default: null.
execution_iam_role_name
string
Execution IAM role name. Default: null.
execution_iam_role_use_name_prefix
bool
Use name as prefix. Default: true.
execution_iam_role_path
string
IAM role path. Default: null.
execution_iam_role_description
string
Role description. Default: null.
execution_iam_role_permissions_boundary
string
Permissions boundary ARN. Default: null.
execution_iam_role_policies
map(string)
Policy ARNs to attach. Default: {}.
execution_iam_role_tags
map(string)
Additional tags. Default: {}.
execution_iam_role_max_session_duration
number
Maximum session duration in seconds. Default: null.
create_execution_policy
bool
Create the execution IAM policy with ECR, CloudWatch, Secrets Manager, and SSM permissions. Default: true.
execution_ssm_param_arns
list(string)
SSM parameter ARNs the execution role can read. Default: [].
execution_secret_arns
list(string)
Secrets Manager ARNs the execution role can read. Default: [].
execution_iam_statements
map(object)
Custom IAM statements for the execution role. Default: null.
execution_iam_policy_path
string
Path for the execution IAM policy. Default: null.

IAM — Infrastructure Role

create_infrastructure_iam_role
bool
Create the infrastructure IAM role. Default: true.
infrastructure_iam_role_arn
string
Existing infrastructure IAM role ARN. Default: null.
infrastructure_iam_role_name
string
Infrastructure IAM role name. Default: null.
infrastructure_iam_role_use_name_prefix
bool
Use name as prefix. Default: true.
infrastructure_iam_role_path
string
IAM role path. Default: null.
infrastructure_iam_role_description
string
Role description. Default: null.
infrastructure_iam_role_permissions_boundary
string
Permissions boundary ARN. Default: null.
infrastructure_iam_role_tags
map(string)
Additional tags. Default: {}.

IAM — Task Role

create_task_iam_role
bool
Create the task runtime IAM role. Default: true.
task_iam_role_arn
string
Existing task IAM role ARN. Default: null.
task_iam_role_name
string
Task IAM role name. Default: null.
task_iam_role_use_name_prefix
bool
Use name as prefix. Default: true.
task_iam_role_path
string
IAM role path. Default: null.
task_iam_role_description
string
Role description. Default: null.
task_iam_role_permissions_boundary
string
Permissions boundary ARN. Default: null.
task_iam_role_policies
map(string)
Additional policy ARNs to attach. Default: {}.
task_iam_role_statements
map(object)
Custom IAM statements for the task role. Default: null.
task_iam_role_tags
map(string)
Additional tags. Default: {}.
task_iam_role_max_session_duration
number
Maximum session duration in seconds. Default: null.

CloudWatch Log Group

create_cloudwatch_log_group
bool
Create a CloudWatch log group for the service. Default: true.
cloudwatch_log_group_name
string
Custom log group name. Default: null.
cloudwatch_log_group_retention_in_days
number
Log retention in days. Default: 14.
cloudwatch_log_group_kms_key_id
string
KMS Key ARN for log encryption. Default: null.
cloudwatch_log_group_class
string
Log class: STANDARD or INFREQUENT_ACCESS. Default: null.
cloudwatch_log_group_tags
map(string)
Additional log group tags. Default: {}.

Misc

region
string
AWS region. Defaults to provider region. Default: null.
tags
map(string)
Tags for all resources. Default: {}.
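
The IAM and logging inputs from the reference above, set together in one module call so the execution role, permissions boundaries and log encryption are explicit rather than left at their defaults. This is an added example, not taken from the module's own documentation: the VPC ID, account ID and every ARN are constructed placeholders, and `local.boundary_arn` is a hypothetical local. It uses only inputs listed on this page and leaves the security group rule maps at their defaults because their object fields are not listed here.

```hcl
# Added example: all IDs and ARNs below are constructed placeholders.
locals {
  # Hypothetical permissions boundary policy managed outside this module.
  boundary_arn = "arn:aws:iam::111122223333:policy/example-ecs-boundary"
}

module "ecs_express_service" {
  source  = "terraform-aws-modules/ecs/aws//modules/express-service"
  version = "~> 7.0"

  name   = "my-express-service"
  cpu    = 1024
  memory = 4096

  network_configuration = {
    subnets = ["subnet-abcde012", "subnet-bcde012a"]
  }

  primary_container = {
    container_port = 3000
    image          = "public.ecr.aws/aws-containers/ecsdemo-frontend:776fd50"
  }

  vpc_id = "vpc-0123456789abcdef0"

  # Execution role: name only the secrets and parameters this service reads.
  execution_secret_arns = [
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:my-express-service/db-AbCdEf",
  ]
  execution_ssm_param_arns = [
    "arn:aws:ssm:us-east-1:111122223333:parameter/my-express-service/*",
  ]

  # Apply the same permissions boundary to all three module-created roles.
  execution_iam_role_permissions_boundary      = local.boundary_arn
  infrastructure_iam_role_permissions_boundary = local.boundary_arn
  task_iam_role_permissions_boundary           = local.boundary_arn

  # Logs: customer-managed KMS key and retention longer than the 14-day default.
  # The key policy must allow the CloudWatch Logs service to use the key.
  cloudwatch_log_group_kms_key_id        = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
  cloudwatch_log_group_retention_in_days = 90

  tags = { Environment = "dev" }
}
```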
