Terraform module which creates AWS App Runner resources.

See the examples directory for working examples to reference:

```hcl
module "app_runner_shared_configs" {
  source = "terraform-aws-modules/app-runner/aws"

  # Disable service resources
  create_service = false

  connections = {
    # Connecting the AWS Connector for GitHub to your GitHub account is a one-time setup.
    # You can reuse the connection for creating multiple App Runner services based on repositories in this account.
    # After creation, you must complete the authentication handshake using the App Runner console.
    github = {
      provider_type = "GITHUB"
    }
  }

  auto_scaling_configurations = {
    mini = {
      name            = "mini"
      max_concurrency = 20
      max_size        = 5
      min_size        = 1
      tags = {
        Type = "Mini"
      }
    }
    mega = {
      name            = "mega"
      max_concurrency = 200
      max_size        = 25
      min_size        = 5
      tags = {
        Type = "MEGA"
      }
    }
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```

```hcl
module "app_runner_code_base" {
  source = "terraform-aws-modules/app-runner/aws"

  service_name = "example-code-base"

  # From shared configs created above
  auto_scaling_configuration_arn = module.app_runner_shared_configs.auto_scaling_configurations["mini"].arn

  source_configuration = {
    authentication_configuration = {
      # From shared configs created above
      connection_arn = module.app_runner_shared_configs.connections["github"].arn
    }
    auto_deployments_enabled = false
    code_repository = {
      code_configuration = {
        configuration_source = "REPOSITORY"
      }
      repository_url = "https://github.com/aws-containers/hello-app-runner"
      source_code_version = {
        type  = "BRANCH"
        value = "main"
      }
    }
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```

```hcl
module "app_runner_image_base" {
  source = "terraform-aws-modules/app-runner/aws"

  service_name = "example-image-base"

  # From shared configs
  auto_scaling_configuration_arn = module.app_runner_shared_configs.auto_scaling_configurations["mega"].arn

  # IAM instance profile permissions to access secrets
  instance_policy_statements = {
    GetSecretValue = {
      actions   = ["secretsmanager:GetSecretValue"]
      resources = [aws_secretsmanager_secret.this.arn]
    }
  }

  source_configuration = {
    auto_deployments_enabled = false
    image_repository = {
      image_configuration = {
        port = 8000
        runtime_environment_variables = {
          MY_VARIABLE = "hello!"
        }
        runtime_environment_secrets = {
          MY_SECRET = aws_secretsmanager_secret.this.arn
        }
      }
      image_identifier      = "public.ecr.aws/aws-containers/hello-app-runner:latest"
      image_repository_type = "ECR_PUBLIC"
    }
  }

  create_vpc_connector          = true
  vpc_connector_subnets         = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
  vpc_connector_security_groups = ["sg-12345678"]
  network_configuration = {
    egress_configuration = {
      egress_type = "VPC"
    }
  }

  enable_observability_configuration = true

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```

```hcl
module "app_runner_private" {
  source = "terraform-aws-modules/app-runner/aws"

  service_name = "example-private"

  # ...

  # Ingress
  create_ingress_vpc_connection = true
  ingress_vpc_id                = "vpc-12345678"
  ingress_vpc_endpoint_id       = "vpce-01234567890123456"

  # Egress
  create_vpc_connector          = true
  vpc_connector_subnets         = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
  vpc_connector_security_groups = ["sg-12345678"]

  network_configuration = {
    ingress_configuration = {
      is_publicly_accessible = false
    }
    egress_configuration = {
      egress_type = "VPC"
    }
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```

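
A pre-apply check for the network settings used in the private and image-based examples above (added example, not part of the module or its README): it reads `terraform show -json` plan output and flags any `aws_apprunner_service` whose ingress is not explicitly private or whose egress is not `VPC`. The plan document is a constructed sample, the module addresses in it are illustrative, and `audit_plan` is a hypothetical helper name.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output, trimmed to
# the fields this check reads. Module addresses are illustrative.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "module.app_runner_private.aws_apprunner_service.this[0]",
   "type": "aws_apprunner_service",
   "change": {"actions": ["create"], "after": {"network_configuration": [{
     "ingress_configuration": [{"is_publicly_accessible": false}],
     "egress_configuration": [{"egress_type": "VPC"}]}]}}},
  {"address": "module.app_runner_image_base.aws_apprunner_service.this[0]",
   "type": "aws_apprunner_service",
   "change": {"actions": ["create"], "after": {"network_configuration": [{
     "egress_configuration": [{"egress_type": "VPC"}]}]}}},
  {"address": "module.app_runner_code_base.aws_apprunner_service.this[0]",
   "type": "aws_apprunner_service",
   "change": {"actions": ["create"], "after": {}}}
]}
""")


def _block(obj, name):
    """Return the single nested block `name` as a dict, or {} if it is unset."""
    items = (obj or {}).get(name) or []
    return items[0] if items else {}


def audit_plan(plan):
    """Map each planned App Runner service address to a list of findings."""
    report = {}
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if rc.get("type") != "aws_apprunner_service" or after is None:
            continue  # other resource types, or a service being destroyed
        net = _block(after, "network_configuration")
        findings = []
        # Fail closed: a value missing from the plan is treated as the public default.
        if _block(net, "ingress_configuration").get("is_publicly_accessible") is not False:
            findings.append("public-ingress")
        if _block(net, "egress_configuration").get("egress_type") != "VPC":
            findings.append("default-egress")
        report[rc["address"]] = findings
    return report


if __name__ == "__main__":
    for address, findings in audit_plan(SAMPLE_PLAN).items():
        print(address, findings or "ok")
```

Against a real plan, load the output of `terraform show -json` with `json.load` and fail the pipeline when any service has a non-empty findings list.
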
Examples codified under the examples directory are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!

Name | Version |
---|---|
terraform | >= 1.0 |
aws | >= 4.51 |

Name | Version |
---|---|
aws | >= 4.51 |

No modules.

Name | Type |
---|---|
aws_apprunner_auto_scaling_configuration_version.this | resource |
aws_apprunner_connection.this | resource |
aws_apprunner_custom_domain_association.this | resource |
aws_apprunner_observability_configuration.this | resource |
aws_apprunner_service.this | resource |
aws_apprunner_vpc_connector.this | resource |
aws_apprunner_vpc_ingress_connection.this | resource |
aws_iam_policy.access | resource |
aws_iam_policy.instance | resource |
aws_iam_role.access | resource |
aws_iam_role.instance | resource |
aws_iam_role_policy_attachment.access | resource |
aws_iam_role_policy_attachment.access_additional | resource |
aws_iam_role_policy_attachment.instance | resource |
aws_iam_role_policy_attachment.instance_additional | resource |
aws_iam_role_policy_attachment.instance_xray | resource |
aws_iam_policy_document.access | data source |
aws_iam_policy_document.access_assume_role | data source |
aws_iam_policy_document.instance | data source |
aws_iam_policy_document.instance_assume_role | data source |
aws_partition.current | data source |

Name | Description | Type | Default | Required |
---|---|---|---|---|
access_iam_role_description | Description of the role | string | null | no |
access_iam_role_name | Name to use on IAM role created | string | null | no |
access_iam_role_path | IAM role path | string | null | no |
access_iam_role_permissions_boundary | ARN of the policy that is used to set the permissions boundary for the IAM role | string | null | no |
access_iam_role_policies | IAM policies to attach to the IAM role | map(string) | {} | no |
access_iam_role_use_name_prefix | Determines whether the IAM role name (iam_role_name) is used as a prefix | bool | true | no |
auto_scaling_configuration_arn | ARN of an App Runner automatic scaling configuration resource that you want to associate with your service. If not provided, App Runner associates the latest revision of a default auto scaling configuration | string | null | no |
auto_scaling_configurations | Map of auto-scaling configuration definitions to create | any | {} | no |
connections | Map of connection definitions to create | any | {} | no |
create | Determines whether resources will be created (affects all resources) | bool | true | no |
create_access_iam_role | Determines whether an IAM role is created or to use an existing IAM role | bool | false | no |
create_custom_domain_association | Determines whether a Custom Domain Association will be created | bool | false | no |
create_ingress_vpc_connection | Determines whether a VPC ingress configuration will be created | bool | false | no |
create_instance_iam_role | Determines whether an IAM role is created or to use an existing IAM role | bool | true | no |
create_service | Determines whether the service will be created | bool | true | no |
create_vpc_connector | Determines whether a VPC Connector will be created | bool | false | no |
domain_name | The custom domain endpoint to associate. Specify a base domain e.g., example.com or a subdomain e.g., subdomain.example.com | string | "" | no |
enable_observability_configuration | Determines whether an X-Ray Observability Configuration will be created and assigned to the service | bool | true | no |
enable_www_subdomain | Whether to associate the subdomain with the App Runner service in addition to the base domain. Defaults to true | bool | null | no |
encryption_configuration | The encryption configuration for the service | any | {} | no |
health_check_configuration | The health check configuration for the service | any | {} | no |
ingress_vpc_endpoint_id | The ID of the VPC endpoint that is used for the VPC ingress configuration | string | "" | no |
ingress_vpc_id | The ID of the VPC that is used for the VPC ingress configuration | string | "" | no |
instance_configuration | The instance configuration for the service | any | {} | no |
instance_iam_role_description | Description of the role | string | null | no |
instance_iam_role_name | Name to use on IAM role created | string | null | no |
instance_iam_role_path | IAM role path | string | null | no |
instance_iam_role_permissions_boundary | ARN of the policy that is used to set the permissions boundary for the IAM role | string | null | no |
instance_iam_role_policies | IAM policies to attach to the IAM role | map(string) | {} | no |
instance_iam_role_use_name_prefix | Determines whether the IAM role name (iam_role_name) is used as a prefix | bool | true | no |
instance_policy_statements | A map of IAM policy statements for custom permission usage | any | {} | no |
network_configuration | The network configuration for the service | any | {} | no |
observability_configuration | The observability configuration for the service | any | {} | no |
private_ecr_arn | The ARN of the private ECR repository that contains the service image to launch | string | null | no |
service_name | The name of the service | string | "" | no |
source_configuration | The source configuration for the service | any | {} | no |
tags | A map of tags to add to all resources | map(string) | {} | no |
vpc_connector_name | The name of the VPC Connector | string | "" | no |
vpc_connector_security_groups | The security groups to use for the VPC Connector | list(string) | [] | no |
vpc_connector_subnets | The subnets to use for the VPC Connector | list(string) | [] | no |

Name | Description |
---|---|
access_iam_role_arn | The Amazon Resource Name (ARN) specifying the IAM role |
access_iam_role_name | The name of the IAM role |
access_iam_role_unique_id | Stable and unique string identifying the IAM role |
auto_scaling_configurations | Map of attribute maps for all autoscaling configurations created |
connections | Map of attribute maps for all connections created |
custom_domain_association_certificate_validation_records | A set of certificate CNAME records used for this domain name |
custom_domain_association_dns_target | The App Runner subdomain of the App Runner service. The custom domain name is mapped to this target name. Attribute only available if resource created (not imported) with Terraform |
custom_domain_association_id | The domain_name and service_arn separated by a comma (,) |
instance_iam_role_arn | The Amazon Resource Name (ARN) specifying the IAM role |
instance_iam_role_name | The name of the IAM role |
instance_iam_role_unique_id | Stable and unique string identifying the IAM role |
observability_configuration_arn | ARN of this observability configuration |
observability_configuration_latest | Whether the observability configuration has the highest observability_configuration_revision among all configurations that share the same observability_configuration_name |
observability_configuration_revision | The revision of the observability configuration |
observability_configuration_status | The current state of the observability configuration. An INACTIVE configuration revision has been deleted and can't be used. It is permanently removed some time after deletion |
service_arn | The Amazon Resource Name (ARN) of the service |
service_id | An alphanumeric ID that App Runner generated for this service. Unique within the AWS Region |
service_status | The current state of the App Runner service |
service_url | A subdomain URL that App Runner generated for this service. You can use this URL to access your service web application |
vpc_connector_arn | The Amazon Resource Name (ARN) of VPC connector |
vpc_connector_revision | The revision of VPC connector. It's unique among all the active connectors ("Status": "ACTIVE") that share the same Name |
vpc_connector_status | The current state of the VPC connector. If the status of a connector revision is INACTIVE, it was deleted and can't be used. Inactive connector revisions are permanently removed some time after they are deleted |
vpc_ingress_connection_arn | The Amazon Resource Name (ARN) of the VPC Ingress Connection |
vpc_ingress_connection_domain_name | The domain name associated with the VPC Ingress Connection resource |

Apache-2.0 Licensed. See LICENSE.