terraform-aws-modules
diff --git a/‎modules/container-definition/README.md
Lines changed: 8 additions & 6 deletions b/‎modules/container-definition/README.md
Lines changed: 8 additions & 6 deletions
diff --git a/‎modules/container-definition/main.tf
Lines changed: 9 additions & 4 deletions b/‎modules/container-definition/main.tf
Lines changed: 9 additions & 4 deletions
diff --git a/‎modules/container-definition/variables.tf
Lines changed: 49 additions & 28 deletions b/‎modules/container-definition/variables.tf
Lines changed: 49 additions & 28 deletions
@@ -167,28 +167,30 @@ No modules.
 | <a name="input_interactive"></a> [interactive](#input\_interactive) | When this parameter is `true`, you can deploy containerized applications that require `stdin` or a `tty` to be allocated | `bool` | `false` | no |
 | <a name="input_links"></a> [links](#input\_links) | The links parameter allows containers to communicate with each other without the need for port mappings. This parameter is only supported if the network mode of a task definition is `bridge` | `list(string)` | `null` | no |
 | <a name="input_linuxParameters"></a> [linuxParameters](#input\_linuxParameters) | Linux-specific modifications that are applied to the container, such as Linux kernel capabilities. For more information see [KernelCapabilities](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_KernelCapabilities.html) | <pre>object({<br/>    capabilities = optional(object({<br/>      add  = optional(list(string))<br/>      drop = optional(list(string))<br/>    }))<br/>    devices = optional(list(object({<br/>      containerPath = optional(string)<br/>      hostPath      = optional(string)<br/>      permissions   = optional(list(string))<br/>    })))<br/>    initProcessEnabled = optional(bool, false)<br/>    maxSwap            = optional(number)<br/>    sharedMemorySize   = optional(number)<br/>    swappiness         = optional(number)<br/>    tmpfs = optional(list(object({<br/>      containerPath = string<br/>      mountOptions  = optional(list(string))<br/>      size          = number<br/>    })))<br/>  })</pre> | <pre>{<br/>  "initProcessEnabled": false<br/>}</pre> | no |
-| <a name="input_logConfiguration"></a> [logConfiguration](#input\_logConfiguration) | The log configuration for the container. For more information see [LogConfiguration](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_LogConfiguration.html) | `any` | `{}` | no |
+| <a name="input_logConfiguration"></a> [logConfiguration](#input\_logConfiguration) | The log configuration for the container. For more information see [LogConfiguration](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_LogConfiguration.html) | <pre>object({<br/>    logDriver = optional(string)<br/>    options   = optional(map(string))<br/>    secretOptions = optional(list(object({<br/>      name      = string<br/>      valueFrom = string<br/>    })))<br/>  })</pre> | `{}` | no |
 | <a name="input_memory"></a> [memory](#input\_memory) | The amount (in MiB) of memory to present to the container. If your container attempts to exceed the memory specified here, the container is killed. The total amount of memory reserved for all containers within a task must be lower than the task `memory` value, if one is specified | `number` | `null` | no |
 | <a name="input_memoryReservation"></a> [memoryReservation](#input\_memoryReservation) | The soft limit (in MiB) of memory to reserve for the container. When system memory is under heavy contention, Docker attempts to keep the container memory to this soft limit. However, your container can consume more memory when it needs to, up to either the hard limit specified with the `memory` parameter (if applicable), or all of the available memory on the container instance | `number` | `null` | no |
-| <a name="input_mountPoints"></a> [mountPoints](#input\_mountPoints) | The mount points for data volumes in your container | `list(any)` | `null` | no |
+| <a name="input_mountPoints"></a> [mountPoints](#input\_mountPoints) | The mount points for data volumes in your container | <pre>list(object({<br/>    containerPath = optional(string)<br/>    readOnly      = optional(bool)<br/>    sourceVolume  = optional(string)<br/>  }))</pre> | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name of a container. If you're linking multiple containers together in a task definition, the name of one container can be entered in the links of another container to connect the containers. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed | `string` | `null` | no |
 | <a name="input_operating_system_family"></a> [operating\_system\_family](#input\_operating\_system\_family) | The OS family for task | `string` | `"LINUX"` | no |
-| <a name="input_portMappings"></a> [portMappings](#input\_portMappings) | The list of port mappings for the container. Port mappings allow containers to access ports on the host container instance to send or receive traffic. For task definitions that use the awsvpc network mode, only specify the containerPort. The hostPort can be left blank or it must be the same value as the containerPort | <pre>list(object({<br/>    appProtocol   = optional(string)<br/>    containerPort = number<br/>    hostPort      = optional(number)<br/>    name          = string<br/>    protocol      = optional(string)<br/>  }))</pre> | `null` | no |
+| <a name="input_portMappings"></a> [portMappings](#input\_portMappings) | The list of port mappings for the container. Port mappings allow containers to access ports on the host container instance to send or receive traffic. For task definitions that use the awsvpc network mode, only specify the containerPort. The hostPort can be left blank or it must be the same value as the containerPort | <pre>list(object({<br/>    appProtocol        = optional(string)<br/>    containerPort      = optional(number)<br/>    containerPortRange = optional(string)<br/>    hostPort           = optional(number)<br/>    name               = optional(string)<br/>    protocol           = optional(string)<br/>  }))</pre> | `null` | no |
 | <a name="input_privileged"></a> [privileged](#input\_privileged) | When this parameter is true, the container is given elevated privileges on the host container instance (similar to the root user) | `bool` | `false` | no |
 | <a name="input_pseudoTerminal"></a> [pseudoTerminal](#input\_pseudoTerminal) | When this parameter is true, a `TTY` is allocated | `bool` | `false` | no |
 | <a name="input_readonlyRootFilesystem"></a> [readonlyRootFilesystem](#input\_readonlyRootFilesystem) | When this parameter is true, the container is given read-only access to its root file system | `bool` | `true` | no |
-| <a name="input_repositoryCredentials"></a> [repositoryCredentials](#input\_repositoryCredentials) | Container repository credentials; required when using a private repo.  This map currently supports a single key; "credentialsParameter", which should be the ARN of a Secrets Manager's secret holding the credentials | `map(string)` | `null` | no |
+| <a name="input_region"></a> [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
+| <a name="input_repositoryCredentials"></a> [repositoryCredentials](#input\_repositoryCredentials) | Container repository credentials; required when using a private repo.  This map currently supports a single key; "credentialsParameter", which should be the ARN of a Secrets Manager's secret holding the credentials | <pre>object({<br/>    credentialsParameter = optional(string)<br/>  })</pre> | `null` | no |
 | <a name="input_resourceRequirements"></a> [resourceRequirements](#input\_resourceRequirements) | The type and amount of a resource to assign to a container. The only supported resource is a GPU | <pre>list(object({<br/>    type  = string<br/>    value = string<br/>  }))</pre> | `null` | no |
 | <a name="input_restartPolicy"></a> [restartPolicy](#input\_restartPolicy) | Container restart policy; helps overcome transient failures faster and maintain task availability | <pre>object({<br/>    enabled              = optional(bool, true)<br/>    ignoredExitCodes     = optional(list(number))<br/>    restartAttemptPeriod = optional(number)<br/>  })</pre> | <pre>{<br/>  "enabled": true<br/>}</pre> | no |
 | <a name="input_secrets"></a> [secrets](#input\_secrets) | The secrets to pass to the container. For more information, see [Specifying Sensitive Data](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) in the Amazon Elastic Container Service Developer Guide | <pre>list(object({<br/>    name      = string<br/>    valueFrom = string<br/>  }))</pre> | `null` | no |
 | <a name="input_service"></a> [service](#input\_service) | The name of the service that the container definition is associated with | `string` | `""` | no |
 | <a name="input_startTimeout"></a> [startTimeout](#input\_startTimeout) | Time duration (in seconds) to wait before giving up on resolving dependencies for a container | `number` | `30` | no |
 | <a name="input_stopTimeout"></a> [stopTimeout](#input\_stopTimeout) | Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own | `number` | `120` | no |
-| <a name="input_systemControls"></a> [systemControls](#input\_systemControls) | A list of namespaced kernel parameters to set in the container | `list(map(string))` | `null` | no |
+| <a name="input_systemControls"></a> [systemControls](#input\_systemControls) | A list of namespaced kernel parameters to set in the container | <pre>list(object({<br/>    namespace = optional(string)<br/>    value     = optional(string)<br/>  }))</pre> | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 | <a name="input_ulimits"></a> [ulimits](#input\_ulimits) | A list of ulimits to set in the container. If a ulimit value is specified in a task definition, it overrides the default values set by Docker | <pre>list(object({<br/>    hardLimit = number<br/>    name      = string<br/>    softLimit = number<br/>  }))</pre> | `null` | no |
 | <a name="input_user"></a> [user](#input\_user) | The user to run as inside the container. Can be any of these formats: user, user:group, uid, uid:gid, user:gid, uid:group. The default (null) will use the container's configured `USER` directive or root if not set | `string` | `null` | no |
-| <a name="input_volumesFrom"></a> [volumesFrom](#input\_volumesFrom) | Data volumes to mount from another container | <pre>list(object({<br/>    readOnly        = bool<br/>    sourceContainer = string<br/>  }))</pre> | `null` | no |
+| <a name="input_versionConsistency"></a> [versionConsistency](#input\_versionConsistency) | Specifies whether Amazon ECS will resolve the container image tag provided in the container definition to an image digest | `string` | `"disabled"` | no |
+| <a name="input_volumesFrom"></a> [volumesFrom](#input\_volumesFrom) | Data volumes to mount from another container | <pre>list(object({<br/>    readOnly        = optional(bool)<br/>    sourceContainer = optional(string)<br/>  }))</pre> | `null` | no |
 | <a name="input_workingDirectory"></a> [workingDirectory](#input\_workingDirectory) | The working directory to run commands inside the container | `string` | `null` | no |
 
 ## Outputs
 
@@ -1,19 +1,21 @@
-data "aws_region" "current" {}
+data "aws_region" "current" {
+  region = var.region
+}
 
 locals {
   is_not_windows = contains(["LINUX"], var.operating_system_family)
 
   log_group_name = try(coalesce(var.cloudwatch_log_group_name, "/aws/ecs/${var.service}/${var.name}"), "")
 
   logConfiguration = merge(
-    { for k, v in {
+    {
       logDriver = "awslogs",
       options = {
         awslogs-region        = data.aws_region.current.region,
         awslogs-group         = try(aws_cloudwatch_log_group.this[0].name, ""),
         awslogs-stream-prefix = "ecs"
       },
-    } : k => v if var.enable_cloudwatch_logging },
+    },
     var.logConfiguration
   )
 
@@ -40,7 +42,7 @@ locals {
     interactive            = var.interactive
     links                  = local.is_not_windows ? var.links : null
     linuxParameters        = local.is_not_windows ? local.linuxParameters : null
-    logConfiguration       = length(local.logConfiguration) > 0 ? local.logConfiguration : null
+    logConfiguration       = var.create_cloudwatch_log_group ? local.logConfiguration : var.logConfiguration
     memory                 = var.memory
     memoryReservation      = var.memoryReservation
     mountPoints            = var.mountPoints
@@ -58,6 +60,7 @@ locals {
     systemControls         = var.systemControls
     ulimits                = local.is_not_windows ? var.ulimits : null
     user                   = local.is_not_windows ? var.user : null
+    versionConsistency     = var.versionConsistency
     volumesFrom            = var.volumesFrom
     workingDirectory       = var.workingDirectory
   }
@@ -69,6 +72,8 @@ locals {
 resource "aws_cloudwatch_log_group" "this" {
   count = var.create_cloudwatch_log_group && var.enable_cloudwatch_logging ? 1 : 0
 
+  region = var.region
+
   name              = var.cloudwatch_log_group_use_name_prefix ? null : local.log_group_name
   name_prefix       = var.cloudwatch_log_group_use_name_prefix ? "${local.log_group_name}-" : null
   log_group_class   = var.cloudwatch_log_group_class
 
@@ -1,9 +1,21 @@
+variable "region" {
+  description = "Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration"
+  type        = string
+  default     = null
+}
+
 variable "operating_system_family" {
   description = "The OS family for task"
   type        = string
   default     = "LINUX"
 }
 
+variable "tags" {
+  description = "A map of tags to add to all resources"
+  type        = map(string)
+  default     = {}
+}
+
 ################################################################################
 # Container Definition
 ################################################################################
@@ -178,15 +190,14 @@ variable "linuxParameters" {
 
 variable "logConfiguration" {
   description = "The log configuration for the container. For more information see [LogConfiguration](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_LogConfiguration.html)"
-  # type = object({
-  #   logDriver = optional(string)
-  #   options   = optional(map(string))
-  #   secretOptions = optional(list(object({
-  #     name      = string
-  #     valueFrom = string
-  #   })))
-  # })
-  type    = any
+  type = object({
+    logDriver = optional(string)
+    options   = optional(map(string))
+    secretOptions = optional(list(object({
+      name      = string
+      valueFrom = string
+    })))
+  })
   default = {}
 }
 
@@ -204,8 +215,12 @@ variable "memoryReservation" {
 
 variable "mountPoints" {
   description = "The mount points for data volumes in your container"
-  type        = list(any)
-  default     = null
+  type = list(object({
+    containerPath = optional(string)
+    readOnly      = optional(bool)
+    sourceVolume  = optional(string)
+  }))
+  default = null
 }
 
 variable "name" {
@@ -217,11 +232,12 @@ variable "name" {
 variable "portMappings" {
   description = "The list of port mappings for the container. Port mappings allow containers to access ports on the host container instance to send or receive traffic. For task definitions that use the awsvpc network mode, only specify the containerPort. The hostPort can be left blank or it must be the same value as the containerPort"
   type = list(object({
-    appProtocol   = optional(string)
-    containerPort = number
-    hostPort      = optional(number)
-    name          = string
-    protocol      = optional(string)
+    appProtocol        = optional(string)
+    containerPort      = optional(number)
+    containerPortRange = optional(string)
+    hostPort           = optional(number)
+    name               = optional(string)
+    protocol           = optional(string)
   }))
   default = null
 }
@@ -246,8 +262,10 @@ variable "readonlyRootFilesystem" {
 
 variable "repositoryCredentials" {
   description = "Container repository credentials; required when using a private repo.  This map currently supports a single key; \"credentialsParameter\", which should be the ARN of a Secrets Manager's secret holding the credentials"
-  type        = map(string)
-  default     = null
+  type = object({
+    credentialsParameter = optional(string)
+  })
+  default = null
 }
 
 variable "resourceRequirements" {
@@ -294,8 +312,11 @@ variable "stopTimeout" {
 
 variable "systemControls" {
   description = "A list of namespaced kernel parameters to set in the container"
-  type        = list(map(string))
-  default     = null
+  type = list(object({
+    namespace = optional(string)
+    value     = optional(string)
+  }))
+  default = null
 }
 
 variable "ulimits" {
@@ -314,11 +335,17 @@ variable "user" {
   default     = null
 }
 
+variable "versionConsistency" {
+  description = "Specifies whether Amazon ECS will resolve the container image tag provided in the container definition to an image digest"
+  type        = string
+  default     = "disabled"
+}
+
 variable "volumesFrom" {
   description = "Data volumes to mount from another container"
   type = list(object({
-    readOnly        = bool
-    sourceContainer = string
+    readOnly        = optional(bool)
+    sourceContainer = optional(string)
   }))
   default = null
 }
@@ -380,9 +407,3 @@ variable "cloudwatch_log_group_kms_key_id" {
   type        = string
   default     = null
 }
-
-variable "tags" {
-  description = "A map of tags to add to all resources"
-  type        = map(string)
-  default     = {}
-}