dxw · DrizzlyOwl · Sep 20, 2024
diff --git a/README.md b/README.md
diff --git a/container-definitions/app.json.tpl b/container-definitions/app.json.tpl
@@ -10,7 +10,7 @@
         "tag": "${syslog_tag}"
       }
     },
-    %{else}
+    %{ else }
     %{ if cloudwatch_log_group != "" }
     "logConfiguration": {
       "logDriver": "awslogs",
@@ -39,6 +39,11 @@
         "containerPort": ${container_port}
       }
     ],
+    %{ if enable_sidecar_container },
+    "healthCheck": {
+      "command": ["CMD-SHELL", "curl -f localhost:${container_port} || exit 1]
+    },
+    %{ endif }
     %{ endif }
     %{ if environment != "[]" }
     "environment": ${environment},
@@ -63,13 +68,65 @@
     %{ if security_options != "[]" }
     "dockerSecurityOptions": ${security_options},
     %{ endif }
-    %{if entrypoint != "[]"}
+    %{ if entrypoint != "[]" }
     "entrypoint": ${entrypoint},
     %{ endif }
-    %{if command != "[]"}
+    %{ if command != "[]" }
     "command": ${command},
     %{ endif }
     "memoryReservation": 16,
     "essential": true
   }
+  {% if enable_sidecar_container },
+  {
+    "image": "${sidecar_image}",
+    "name": "${sidecar_container_name}",
+    %{ if syslog_address != "" }
+    "logConfiguration": {
+      "logDriver": "syslog",
+      "options": {
+        "syslog-address": "${syslog_address}",
+        "tag": "${syslog_tag}"
+      }
+    },
+    %{ else }
+    %{ if cloudwatch_log_group != "" }
+    "logConfiguration": {
+      "logDriver": "awslogs",
+      "options": {
+        %{ if awslogs_stream_prefix != "" }
+        "awslogs-stream-prefix": "${awslogs_stream_prefix}",
+        %{ endif }
+        "awslogs-group": "${cloudwatch_log_group}",
+        "awslogs-region": "${region}"
+      }
+    },
+    %{ else }
+    "logConfiguration": {
+      "logDriver": "json-file"
+    },
+    %{ endif }
+    "portMappings": [
+      {
+        "hostPort": 0,
+        "protocol": "tcp",
+        "containerPort": 8080
+      }
+    ],
+    %{ if sidecar_environment != "[]" }
+    "environment": ${sidecar_environment},
+    %{ endif }
+    %{ if sidecar_entrypoint != "[]" }
+    "entrypoint": ${sidecar_entrypoint},
+    %{ endif }
+    "memoryReservation": 16,
+    "essential": true,
+    "dependsOn": [
+      {
+        "containerName": "${container_name}",
+        "condition": "HEALTHY"
+      }
+    ]
+  }
+  %{ endif }
 ]
diff --git a/ecs-cluster-infrastructure-datadog-agent-service.tf b/ecs-cluster-infrastructure-datadog-agent-service.tf
@@ -235,12 +235,17 @@ resource "aws_ecs_task_definition" "infrastructure_ecs_cluster_datadog_agent" {
           ]
         }
       })
-      security_options      = jsonencode([])
-      syslog_address        = ""
-      syslog_tag            = ""
-      cloudwatch_log_group  = aws_cloudwatch_log_group.infrastructure_ecs_cluster_datadog_agent[0].name
-      awslogs_stream_prefix = ""
-      region                = local.aws_region
+      security_options         = jsonencode([])
+      syslog_address           = ""
+      syslog_tag               = ""
+      cloudwatch_log_group     = aws_cloudwatch_log_group.infrastructure_ecs_cluster_datadog_agent[0].name
+      awslogs_stream_prefix    = ""
+      region                   = local.aws_region
+      enable_sidecar_container = false
+      sidecar_container_name   = ""
+      sidecar_image            = ""
+      sidecar_environment      = "[]"
+      sidecar_entrypoint       = "[]"
     }
   )
 

diff --git a/ecs-cluster-infrastructure-logspout-service.tf b/ecs-cluster-infrastructure-logspout-service.tf
@@ -20,13 +20,18 @@ resource "aws_ecs_task_definition" "infrastructure_ecs_cluster_logspout" {
           containerPath = "/var/run/docker.sock"
         }
       ])
-      linux_parameters      = jsonencode({})
-      security_options      = jsonencode([])
-      syslog_address        = ""
-      syslog_tag            = ""
-      cloudwatch_log_group  = ""
-      awslogs_stream_prefix = ""
-      region                = local.aws_region
+      linux_parameters         = jsonencode({})
+      security_options         = jsonencode([])
+      syslog_address           = ""
+      syslog_tag               = ""
+      cloudwatch_log_group     = ""
+      awslogs_stream_prefix    = ""
+      region                   = local.aws_region
+      enable_sidecar_container = false
+      sidecar_container_name   = ""
+      sidecar_image            = ""
+      sidecar_environment      = "[]"
+      sidecar_entrypoint       = "[]"
     }
   )
 

diff --git a/ecs-cluster-infrastructure-service-scheduled-task.tf b/ecs-cluster-infrastructure-service-scheduled-task.tf
@@ -40,12 +40,17 @@ resource "aws_ecs_task_definition" "infrastructure_ecs_cluster_service_scheduled
       linux_parameters = jsonencode({
         initProcessEnabled = false
       })
-      security_options      = jsonencode([])
-      syslog_address        = !local.infrastructure_ecs_cluster_logspout_enabled ? local.infrastructure_ecs_cluster_syslog_docker_address : ""
-      syslog_tag            = "${local.resource_prefix}-${each.key}-{{.ID}}"
-      cloudwatch_log_group  = !local.infrastructure_ecs_cluster_logspout_enabled ? each.value["enable_cloudwatch_logs"] == true ? aws_cloudwatch_log_group.infrastructure_ecs_cluster_service[each.value["container_name"]].name : "" : ""
-      awslogs_stream_prefix = ""
-      region                = local.aws_region
+      security_options         = jsonencode([])
+      syslog_address           = !local.infrastructure_ecs_cluster_logspout_enabled ? local.infrastructure_ecs_cluster_syslog_docker_address : ""
+      syslog_tag               = "${local.resource_prefix}-${each.key}-{{.ID}}"
+      cloudwatch_log_group     = !local.infrastructure_ecs_cluster_logspout_enabled ? each.value["enable_cloudwatch_logs"] == true ? aws_cloudwatch_log_group.infrastructure_ecs_cluster_service[each.value["container_name"]].name : "" : ""
+      awslogs_stream_prefix    = ""
+      region                   = local.aws_region
+      enable_sidecar_container = false
+      sidecar_container_name   = ""
+      sidecar_image            = ""
+      sidecar_environment      = "[]"
+      sidecar_entrypoint       = "[]"
     }
   )
   execution_role_arn       = aws_iam_role.infrastructure_ecs_cluster_service_task_execution[each.value["container_name"]].arn

diff --git a/ecs-cluster-infrastructure-service.tf b/ecs-cluster-infrastructure-service.tf
@@ -242,12 +242,17 @@ resource "aws_ecs_task_definition" "infrastructure_ecs_cluster_service" {
       linux_parameters = each.value["enable_execute_command"] == true ? jsonencode({
         initProcessEnabled = true
       }) : "{}"
-      security_options      = jsonencode([])
-      syslog_address        = !local.infrastructure_ecs_cluster_logspout_enabled ? local.infrastructure_ecs_cluster_syslog_docker_address : ""
-      syslog_tag            = "${local.resource_prefix}-${each.key}-{{.ID}}"
-      cloudwatch_log_group  = !local.infrastructure_ecs_cluster_logspout_enabled ? each.value["enable_cloudwatch_logs"] == true ? aws_cloudwatch_log_group.infrastructure_ecs_cluster_service[each.key].name : "" : ""
-      awslogs_stream_prefix = ""
-      region                = local.aws_region
+      security_options         = jsonencode([])
+      syslog_address           = !local.infrastructure_ecs_cluster_logspout_enabled ? local.infrastructure_ecs_cluster_syslog_docker_address : ""
+      syslog_tag               = "${local.resource_prefix}-${each.key}-{{.ID}}"
+      cloudwatch_log_group     = !local.infrastructure_ecs_cluster_logspout_enabled ? each.value["enable_cloudwatch_logs"] == true ? aws_cloudwatch_log_group.infrastructure_ecs_cluster_service[each.key].name : "" : ""
+      awslogs_stream_prefix    = ""
+      region                   = local.aws_region
+      enable_sidecar_container = each.value["enable_sidecar_container"]
+      sidecar_container_name   = "${each.key}-sidecar"
+      sidecar_image            = each.value["sidecar_image"]
+      sidecar_environment      = "[]"
+      sidecar_entrypoint       = "[]"
     }
   )
   execution_role_arn       = aws_iam_role.infrastructure_ecs_cluster_service_task_execution[each.key].arn

diff --git a/rds-infrastructure-s3-backups-task-definition.tf b/rds-infrastructure-s3-backups-task-definition.tf
@@ -168,12 +168,17 @@ resource "aws_ecs_task_definition" "infrastructure_rds_s3_backups_scheduled_task
       linux_parameters = jsonencode({
         initProcessEnabled = false
       })
-      security_options      = jsonencode([])
-      syslog_address        = ""
-      syslog_tag            = ""
-      cloudwatch_log_group  = aws_cloudwatch_log_group.infrastructure_rds_s3_backups[each.key].name
-      awslogs_stream_prefix = "${local.resource_prefix}-rds-s3-backups-${each.key}"
-      region                = local.aws_region
+      security_options         = jsonencode([])
+      syslog_address           = ""
+      syslog_tag               = ""
+      cloudwatch_log_group     = aws_cloudwatch_log_group.infrastructure_rds_s3_backups[each.key].name
+      awslogs_stream_prefix    = "${local.resource_prefix}-rds-s3-backups-${each.key}"
+      region                   = local.aws_region
+      enable_sidecar_container = false
+      sidecar_container_name   = ""
+      sidecar_image            = ""
+      sidecar_environment      = "[]"
+      sidecar_entrypoint       = "[]"
     }
   )
   execution_role_arn       = aws_iam_role.infrastructure_rds_s3_backups_task_execution[each.key].arn

diff --git a/variables.tf b/variables.tf
@@ -580,9 +580,11 @@ variable "infrastructure_ecs_cluster_services" {
         container_count: Number of containers to launch for the service
         container_heath_check_path: Destination for the health check request
         container_heath_grace_period: Seconds to ignore failing load balancer health checks on newly instantiated tasks to prevent premature shutdown
+        enable_sidecar_container: Launch a sidecar container that will act as a proxy for all incoming traffic
+        sidecar_image: A specific Docker tag to use for the sidecar container. Defaults to nginx:stable (eg. nginx:1.27.1)
         scheduled_tasks: A map of scheduled tasks that use the same image as the service defined eg. { "name" => { "entrypoint" = ["bundle", "exec", "run_jobs"], "schedule_expression" = "cron(* * * * ? *)" } }
         domain_names: Domain names to assign to CloudFront aliases, and the Application Load Balancer's `host_header` condition
-        enable_cloudfront: Enable cloadfront for the service
+        enable_cloudfront: Enable CloudFront for the service
         cloudfront_tls_certificate_arn: Certificate ARN to attach to CloudFront - must contain the names provided in `domain_names`
         cloudfront_access_logging_enabled: Enable access logging for the distribution to the infrastructure S3 logs bucket
         cloudfront_bypass_protection_enabled: This adds a secret header at the CloudFront level, which is then checked by the ALB listener rules. Requests are only forwarded if the header matches, preventing requests going directly to the ALB.
@@ -633,6 +635,8 @@ variable "infrastructure_ecs_cluster_services" {
     container_count              = optional(number, null)
     container_heath_check_path   = optional(string, null)
     container_heath_grace_period = optional(number, null)
+    enable_sidecar_container     = optional(bool, false)
+    sidecar_image                = optional(string, "nginx:stable")
     scheduled_tasks = optional(map(object({
       entrypoint          = list(string)
       schedule_expression = string