Network configuration with Terraform >= 0.12
####################
# MyService
####################
data "aws_ecs_task_definition" "myservice" {
  # Looks up the latest active revision of the task definition family
  # "myservice-<environment>"; the family is expected to be registered
  # outside this file (e.g. by a deployment pipeline — not shown here).
  task_definition = "myservice-${var.environment}"
}
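resource "aws_ecs_service" "myservice" {
  # ECS service for "myservice": runs in the internal subnets and is
  # registered with the Cloud Map service below for DNS-based discovery.
  name            = "myservice"
  cluster         = "${var.name}-${var.environment}"
  task_definition = data.aws_ecs_task_definition.myservice.id
  desired_count   = 1

  # 0 / 100 lets ECS stop the running task before its replacement is up, so
  # with desired_count = 1 a deployment implies a short outage.
  deployment_minimum_healthy_percent = 0
  deployment_maximum_percent         = 100

  ordered_placement_strategy {
    type  = "binpack"
    field = "cpu"
  }

  network_configuration {
    # Every internal subnet, however many are declared (was a fixed
    # [0], [1], [2] list that broke as soon as the subnet count changed).
    subnets = aws_subnet.internal[*].id
    # NOTE(review): no security_groups are given, so the task ENI presumably
    # receives the VPC default security group (aws_default_security_group.default
    # in this file), which admits all traffic from the whole VPC CIDR — confirm
    # that exposure is intended rather than a task-specific group.
  }

  lifecycle {
    create_before_destroy = true
    # desired_count and task_definition are presumably updated outside
    # Terraform (scaling / deployments); ignoring them keeps plans from
    # reverting those changes.
    ignore_changes = [desired_count, task_definition]
  }

  service_registries {
    registry_arn = aws_service_discovery_service.myservice.arn
  }
}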
resource "aws_service_discovery_service" "myservice" {
  # Cloud Map service "myservice" in the private DNS namespace; ECS registers
  # each task's address here (see service_registries on the ECS service).
  name = "myservice"

  # ECS reports task health itself; one failed report deregisters the record.
  health_check_custom_config {
    failure_threshold = 1
  }

  dns_config {
    namespace_id   = aws_service_discovery_private_dns_namespace.private.id
    routing_policy = "MULTIVALUE"

    # One A record per healthy task, cached for at most a minute.
    dns_records {
      type = "A"
      ttl  = 60
    }
  }
}
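variable "name" {
  description = "Base name used in the ECS cluster name and in the VPC, subnet and gateway Name tags."
  type        = string
  default     = "myservice"
}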
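variable "environment" {
  description = "Deployment environment; suffixes the cluster name, the task definition family and the Environment tag."
  type        = string
  default     = "production"
}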
##################
# Networking
##################
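variable "cidr" {
  description = "IPv4 CIDR block of the VPC; internal_subnets and external_subnets must lie inside it."
  type        = string
  # NOTE(review): 33.0.0.0/16 is publicly routable address space, not an
  # RFC 1918 private range. Hosts inside the VPC lose reachability to the real
  # owners of those addresses, and any VPN/peering partner using public space
  # may overlap. A private range (e.g. inside 10.0.0.0/8) is the safer default;
  # if it is changed, the subnet defaults have to be changed with it.
  default = "33.0.0.0/16"
}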
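variable "availability_zones" {
  description = "Availability zones for the subnets; subnet i goes to zone i (element() wraps around if there are fewer zones than subnets)."
  type        = list(string)
  default     = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
}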
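# Label quoted to match the other variable blocks (the 0.12 style).
variable "internal_subnets" {
  description = "CIDR blocks of the private (internal) subnets, one per entry; each must lie inside var.cidr."
  type        = list(string)
  default     = ["33.0.32.0/19", "33.0.96.0/19", "33.0.160.0/19"]
}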
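# Label quoted to match the other variable blocks (the 0.12 style).
variable "external_subnets" {
  description = "CIDR blocks of the public (external) subnets, one per entry; each must lie inside var.cidr."
  type        = list(string)
  default     = ["33.0.0.0/19", "33.0.64.0/19", "33.0.128.0/19"]
}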
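# Label quoted to match the other variable blocks (the 0.12 style).
variable "private_dns_name" {
  description = "Name of the private DNS namespace used for service discovery; services resolve as <service>.<this name> inside the VPC."
  type        = string
  default     = "sd.myservice.local"
}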
####################
# VPC
####################
resource "aws_vpc" "main" {
  # The VPC that every other resource in this file lives in.
  cidr_block = var.cidr

  # An AWS-assigned /56 IPv6 block is requested, though no subnet in this
  # file carves an IPv6 range out of it.
  assign_generated_ipv6_cidr_block = true

  # Both DNS settings are enabled; the private service-discovery namespace
  # below presumably relies on them to resolve inside the VPC.
  enable_dns_hostnames = true
  enable_dns_support   = true

  tags = {
    Name        = "${var.name}-${var.environment}"
    Environment = var.environment
    Terraform   = true
  }
}
####################
# Service discovery
####################
resource "aws_service_discovery_private_dns_namespace" "private" {
  # Private DNS namespace (var.private_dns_name) scoped to the VPC above;
  # the Cloud Map service for myservice registers its records under it.
  name        = var.private_dns_name
  description = "Service discovery under private DNS"
  vpc         = aws_vpc.main.id
}
####################
# External subnets
####################
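resource "aws_subnet" "external" {
  # One public subnet per entry of var.external_subnets, spread over the
  # availability zones. Interpolation-only "${...}" wrappers are dropped
  # (deprecated in 0.12); element() is kept for the zone so it still wraps
  # when there are fewer zones than subnets.
  count = length(var.external_subnets)

  vpc_id            = aws_vpc.main.id
  cidr_block        = var.external_subnets[count.index]
  availability_zone = element(var.availability_zones, count.index)

  # Anything launched here gets a public IPv4 address automatically, so only
  # deliberately public components (NAT gateway, load balancers) belong here.
  map_public_ip_on_launch = true

  tags = {
    Name        = "${var.name}-${format("external-%03d", count.index + 1)}"
    Environment = var.environment
    Terraform   = true
  }
}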
####################
# Internal subnets
####################
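resource "aws_subnet" "internal" {
  # One private subnet per entry of var.internal_subnets, spread over the
  # availability zones. Interpolation-only "${...}" wrappers are dropped
  # (deprecated in 0.12); element() is kept for the zone so it still wraps
  # when there are fewer zones than subnets.
  count = length(var.internal_subnets)

  vpc_id            = aws_vpc.main.id
  cidr_block        = var.internal_subnets[count.index]
  availability_zone = element(var.availability_zones, count.index)

  # map_public_ip_on_launch is left at its default (false): nothing placed
  # here receives a public address.
  # NOTE(review): no aws_route_table_association in this file covers these
  # subnets, so they fall back to the VPC main route table, which has no route
  # to the NAT gateway declared below. Tasks here therefore have no outbound
  # path (e.g. for image pulls or AWS APIs) unless a NAT route table or VPC
  # endpoints are added.
  tags = {
    Name        = "${var.name}-${format("internal-%03d", count.index + 1)}"
    Environment = var.environment
    Terraform   = true
  }
}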
####################
# NAT EIP
####################
resource "aws_eip" "nat" {
  # Elastic IP attached to the NAT gateway below; vpc = true selects a
  # VPC-scoped (not EC2-Classic) address.
  vpc = true
}
####################
# Default security group
####################
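resource "aws_default_security_group" "default" {
  # Adopts the VPC's built-in default security group so its rules are under
  # Terraform control. Resources created without an explicit group — e.g. the
  # ECS service above, which names no security_groups — presumably end up here.
  vpc_id = aws_vpc.main.id

  # Members of the group may reach each other on any port and protocol.
  ingress {
    description = "Intra-group traffic"
    # Quoted like the other rules; "-1" means all protocols.
    protocol  = "-1"
    self      = true
    from_port = 0
    to_port   = 0
  }

  # NOTE(review): this rule admits all traffic from every address in the VPC,
  # not only group members, and the egress rule allows everything outbound.
  # CIS AWS Foundations guidance is that the default group restrict all traffic
  # and that workloads use purpose-specific groups — confirm the breadth is
  # intended.
  ingress {
    description = "VPC CIDR"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [var.cidr]
  }

  egress {
    description = "All outbound IPv4"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}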
####################
# IGW
####################
resource "aws_internet_gateway" "main" {
  # Internet gateway for the VPC; the public route table and the NAT gateway
  # both depend on it.
  tags = {
    Name        = "${var.name}-${var.environment}"
    Environment = var.environment
    Terraform   = true
  }

  vpc_id = aws_vpc.main.id
}
####################
# NAT gateway
####################
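resource "aws_nat_gateway" "main" {
  # A single NAT gateway, placed in the first external (public) subnet.
  # count is kept so the existing state address main[0] stays valid.
  count = 1

  # Direct references replace element()/legacy splats: with count = 1 the
  # index is always 0, so the result is the same.
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.external[count.index].id

  # Terraform 0.12 expects resource references here; quoted strings only
  # work with a deprecation warning.
  depends_on = [aws_internet_gateway.main]

  # NOTE(review): no route table in this file sends traffic through this
  # gateway, so it is currently unused; a route table with a 0.0.0.0/0 route
  # to it, associated with aws_subnet.internal, would be needed for the
  # internal subnets to reach the internet.
  tags = {
    Name      = "${var.environment} NAT"
    Terraform = true
  }
}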
####################
# VPC IGW route table
####################
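resource "aws_route_table" "vpc_igw" {
  # Public route table: anything not local goes out via the internet gateway.
  vpc_id = aws_vpc.main.id

  # Terraform 0.12 expects a resource reference here, not a quoted string.
  # (The gateway_id reference below already orders creation; this is kept
  # only to preserve the original's explicit dependency.)
  depends_on = [aws_internet_gateway.main]

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.main.id
  }

  tags = {
    Environment = var.environment
    Terraform   = true
  }
}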
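resource "aws_route_table_association" "external_subnet_a" {
  # Puts the first external subnet on the public route table. Kept as three
  # separate resources (a/b/c) so existing state addresses stay valid; the
  # internal subnets get no association and use the VPC main route table.
  # depends_on uses a resource reference (0.12 form) instead of a string.
  depends_on     = [aws_subnet.external]
  subnet_id      = aws_subnet.external[0].id
  route_table_id = aws_route_table.vpc_igw.id
}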
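resource "aws_route_table_association" "external_subnet_b" {
  # Puts the second external subnet on the public route table.
  # depends_on uses a resource reference (0.12 form) instead of a string.
  depends_on     = [aws_subnet.external]
  subnet_id      = aws_subnet.external[1].id
  route_table_id = aws_route_table.vpc_igw.id
}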
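resource "aws_route_table_association" "external_subnet_c" {
  # Puts the third external subnet on the public route table.
  # depends_on uses a resource reference (0.12 form) instead of a string.
  depends_on     = [aws_subnet.external]
  subnet_id      = aws_subnet.external[2].id
  route_table_id = aws_route_table.vpc_igw.id
}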