// the find
cloudposse/terraform-aws-ecs-alb-service-task
Terraform module which implements an ECS service which exposes a web service via ALB.
Terraform module that wires up an ECS service (Fargate or EC2) with an ALB target group, handling task definition, IAM roles, security groups, and service connect in one shot. Part of the Cloud Posse ecosystem, so it uses their null-label convention throughout. Aimed at teams who want a batteries-included ECS deployment without writing all the IAM and SG boilerplate themselves.
- Covers the full surface area: task definition, four separate IAM roles (task, exec, service, service-connect TLS), security group rules for ALB/NLB ingress, EFS/EBS/FSx/bind-mount volumes, capacity provider strategies, and Service Connect with TLS — most competitors miss at least two of these.
- The four aws_ecs_service resource variants (ignore task def, ignore desired count, ignore both, ignore neither) cleanly handle the Terraform lifecycle problem of CI/CD pipelines owning task definition updates without requiring external workarounds.
- Terratest integration test covers the complete example end-to-end against a real AWS account, which is more than most community modules ship.
- Actively maintained — last push May 2026, Renovate configured for dependency updates, and the AWS provider floor is pinned to 5.85 so you get modern ECS features.
- The four-resource ignore_changes hack is messy and fragile; if you need a fifth lifecycle variation you're stuck, and it inflates the plan output considerably. Terraform's ignore_changes can't be dynamic, so this is a real architectural dead end.
- Hard dependency on the Cloud Posse null-label/context.tf pattern adds ~200 lines of boilerplate context variables to every call site. Teams not already using Cloud Posse tooling will find the namespace/stage/environment/tenant labeling system unfamiliar and annoying to integrate.
- The security group's default description is 'Allow ALL egress from ECS service' and egress is wide open by default (enable_all_egress_rule = true); this is fine for getting started, but the permissive default could slip through a security review unnoticed if someone forgets to tighten it.
- No support for ECS volume configurations using the newer managed EBS volume feature (aws_ecs_task_definition volume.configure_at_launch), which is now the recommended approach for stateful Fargate workloads; you'd have to work around the module for that.
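The open-egress default noted above (enable_all_egress_rule = true) is easy to catch in CI instead of relying on a reviewer to spot it. The following is an added example, not code from the module or from this review: it reads a plan in the `terraform show -json` format and reports every security group egress rule whose destination is all of IPv4 or IPv6, whatever the protocol. The sample plan, its resource addresses and the module name `svc` are constructed for illustration.

```python
import json
import sys

ANYWHERE = {"0.0.0.0/0", "::/0"}

def _open_rules(rtype, after):
    """Yield (protocol, destination) for each world-open egress rule in one planned resource."""
    if rtype == "aws_security_group_rule" and after.get("type") == "egress":
        rules = [after]
    elif rtype == "aws_security_group":
        rules = after.get("egress") or []  # inline egress blocks
    elif rtype == "aws_vpc_security_group_egress_rule":
        rules = [{"protocol": after.get("ip_protocol"),
                  "cidr_blocks": [after.get("cidr_ipv4")],
                  "ipv6_cidr_blocks": [after.get("cidr_ipv6")]}]
    else:
        return
    for rule in rules:
        dests = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
        for dest in dests:
            if dest in ANYWHERE:
                yield str(rule.get("protocol")), dest

def find_open_egress(plan):
    """Return (address, protocol, destination) for every open egress rule the plan leaves in place."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if after is None:  # resource is being destroyed
            continue
        findings += [(rc["address"], p, d) for p, d in _open_rules(rc.get("type"), after)]
    return findings

# Constructed sample in the shape of `terraform show -json <planfile>`;
# the addresses and the module name "svc" are made up for illustration.
SAMPLE_PLAN = json.loads("""{"resource_changes": [
 {"address": "module.svc.aws_security_group_rule.egress_all", "type": "aws_security_group_rule",
  "change": {"after": {"type": "egress", "protocol": "-1", "cidr_blocks": ["0.0.0.0/0"]}}},
 {"address": "module.svc.aws_security_group_rule.from_alb", "type": "aws_security_group_rule",
  "change": {"after": {"type": "ingress", "protocol": "tcp", "cidr_blocks": null}}},
 {"address": "aws_vpc_security_group_egress_rule.https_out", "type": "aws_vpc_security_group_egress_rule",
  "change": {"after": {"ip_protocol": "tcp", "cidr_ipv4": "10.0.0.0/16", "cidr_ipv6": null}}},
 {"address": "aws_security_group_rule.old", "type": "aws_security_group_rule",
  "change": {"after": null}}
]}""")

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    hits = find_open_egress(plan)
    for address, proto, dest in hits:
        print(f"open egress: {address} protocol={proto} -> {dest}")
    sys.exit(1 if hits else 0)
```

Run it with the path to a plan JSON file as the only argument; it exits non-zero when any open egress rule is planned, so it can gate a pipeline stage.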