Terraform module which creates a Cloudflare Zero Trust tunnel on AWS, running as an ECS container:
- Runs an ECS service
- Streams logs to a CloudWatch log group encrypted with a KMS key
- Supports running ECS tasks on Fargate
To run this module, you can either use the default Docker image docker.io/shmileee/cloudflared-tunnel:latest or build your own. For the relevant files, see the ./docker directory.
```hcl
module "tunnel" {
  source          = "shmileee/cloudflared/aws"
  name_prefix     = "my-tunnel"
  environment     = "prod"
  tunnel_url      = "https://my.private.service.endpoint.com"
  tunnel_hostname = "my.internal.company.net"
  s3_bucket_arn   = "<s3 bucket arn>"
  s3_cert_path    = "s3://my-bucket/cert.pem"
  vpc_id          = local.vpc_id
  subnet_ids      = local.public_subnets
}
```
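As an added example (not part of the module's own README), a root configuration that uses only the inputs documented below to keep the tunnel task off the public internet, pin the image, and scope the execution role's ECR access to a single repository instead of the default "all repositories". The account ID, region, subnet IDs, bucket ARN, image tag and hostnames are constructed placeholders.

```hcl
# Added example: least-privilege use of the module with its documented inputs.
# Every ID, ARN, hostname and tag below is a constructed placeholder.

locals {
  vpc_id          = "vpc-0123456789abcdef0"
  private_subnets = ["subnet-0aaa111122223333a", "subnet-0bbb444455556666b"]
  cert_bucket_arn = "arn:aws:s3:::example-cloudflared-certs"
}

module "tunnel" {
  source = "shmileee/cloudflared/aws"

  name_prefix     = "api-tunnel"
  environment     = "prod"
  tunnel_url      = "https://api.internal.example.com:8443"
  tunnel_hostname = "api.example.net"

  # cloudflared only needs outbound connectivity to Cloudflare's edge (the
  # module's security group rule is outbound-only), so the task can run in
  # private subnets behind a NAT gateway with no public IP.
  vpc_id           = local.vpc_id
  subnet_ids       = local.private_subnets
  assign_public_ip = false

  # Pin a specific image tag rather than :latest, and limit the task execution
  # role to the one ECR repository that holds it.
  docker_image  = "123456789012.dkr.ecr.eu-west-1.amazonaws.com/cloudflared-tunnel:v1.0.0"
  ecr_repo_arns = ["arn:aws:ecr:eu-west-1:123456789012:repository/cloudflared-tunnel"]

  # The Cloudflare certificate lives in S3; name the bucket and object explicitly.
  s3_bucket_arn = local.cert_bucket_arn
  s3_cert_path  = "s3://example-cloudflared-certs/cert.pem"

  # Two replicas for availability, logs in an explicitly named group.
  tasks_desired_count   = 2
  logs_cloudwatch_group = "/ecs/prod/api-tunnel"

  tags = {
    Owner   = "platform-team"
    Service = "cloudflared"
  }
}

# The module exports name_prefix; surface it for other root modules.
output "tunnel_name_prefix" {
  value = module.tunnel.name_prefix
}
```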
Requirements:

Name | Version |
---|---|
terraform | >= 1.0.0 |
aws | >= 3.70 |

Providers:

Name | Version |
---|---|
aws | >= 3.70 |
No modules.
Resources:

Name | Type |
---|---|
aws_cloudwatch_log_group.main | resource |
aws_ecs_cluster.tunnels | resource |
aws_ecs_service.tunnel | resource |
aws_ecs_task_definition.main | resource |
aws_iam_role.task_execution_role | resource |
aws_iam_role.task_role | resource |
aws_iam_role_policy.task_execution_role_policy | resource |
aws_iam_role_policy.task_role_policy | resource |
aws_kms_key.main | resource |
aws_security_group.ecs_sg | resource |
aws_security_group_rule.app_ecs_allow_outbound | resource |
aws_caller_identity.current | data source |
aws_iam_policy_document.cloudwatch_logs_allow_kms | data source |
aws_iam_policy_document.ecs_assume_role_policy | data source |
aws_iam_policy_document.task_execution_role_policy_doc | data source |
aws_iam_policy_document.task_role_policy_doc | data source |
aws_partition.current | data source |
aws_region.current | data source |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
assign_public_ip | Whether this instance should be accessible from the public internet. Default is false. | bool | true | no |
container_definitions | Container definitions provided as a valid JSON document. Default uses shmileee/cloudflared-tunnel:latest | string | "" | no |
docker_image | Full name of the Docker image to be used by the ECS task. | string | "docker.io/shmileee/cloudflared-tunnel:latest" | no |
ecr_repo_arns | The ARNs of the ECR repos. By default, allows all repositories. | list(string) | [ | no |
ecs_use_fargate | Whether to use Fargate for the task definition. | bool | true | no |
environment | Environment tag, e.g. prod. | string | n/a | yes |
logs_cloudwatch_group | CloudWatch log group to create and use. Default: /ecs/{environment}/{name_prefix} | string | "" | no |
manage_ecs_security_group | Enable creation and management of the ECS security group and rules. | bool | true | no |
name_prefix | A prefix used for naming resources. | string | "cloudflared-tunnel" | no |
s3_bucket_arn | ARN of the S3 bucket where the Cloudflare certificate is stored. | string | null | no |
s3_cert_path | Full path to where the Cloudflare certificate is stored, e.g. s3://my-bucket/cert.pem | string | null | no |
subnet_ids | Subnet IDs for the ECS tasks. | list(string) | n/a | yes |
tags | A map of tags (key-value pairs) passed to resources. | map(string) | {} | no |
tasks_desired_count | The number of instances of a task definition. | number | 1 | no |
tunnel_hostname | User-friendly hostname of the tunnel, e.g. test.internal.example.com | string | n/a | yes |
tunnel_url | URL the cloudflared tunnel should point to. | string | n/a | yes |
vpc_id | VPC ID to be used by ECS. | string | n/a | yes |
Outputs:

Name | Description |
---|---|
name_prefix | n/a |
tags | n/a |
Author: Oleksandr Ponomarov.

MIT License. See LICENSE for full details.