feat: Adds X-Ray integration

README.md

@@ -127,6 +127,7 @@ Before using this module, ensure you have the following:
 | [aws_iam_role.ecs_task_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.ecs_ebs_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.ecs_service_role_ecs_task_execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.ecs_task_role_xray_daemon_write_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_user.directus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
 | [aws_iam_user_policy.kms_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
 | [aws_lb.directus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource |
@@ -170,6 +171,7 @@ Before using this module, ensure you have the following:
 | <a name="input_enable_ecs_volume"></a> [enable\_ecs\_volume](#input\_enable\_ecs\_volume) | Whether to enable ECS volume | `bool` | `false` | no |
 | <a name="input_enable_s3_bucket_versioning"></a> [enable\_s3\_bucket\_versioning](#input\_enable\_s3\_bucket\_versioning) | Whether to enable S3 bucket versioning | `bool` | `true` | no |
 | <a name="input_enable_ses_emails_sending"></a> [enable\_ses\_emails\_sending](#input\_enable\_ses\_emails\_sending) | Whether to enable sending emails using SES | `bool` | `false` | no |
+| <a name="input_enable_xray_integration"></a> [enable\_xray\_integration](#input\_enable\_xray\_integration) | Whether to enable X-Ray integration | `bool` | `false` | no |
 | <a name="input_force_new_ecs_deployment_on_apply"></a> [force\_new\_ecs\_deployment\_on\_apply](#input\_force\_new\_ecs\_deployment\_on\_apply) | Whether to force a new deployment of the ECS service on apply | `bool` | `false` | no |
 | <a name="input_image_tag"></a> [image\_tag](#input\_image\_tag) | The tag of the Docker image | `string` | `"latest"` | no |
 | <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | The ID of the KMS key | `string` | `""` | no |

containers.tf

@@ -0,0 +1,80 @@
+locals {
+  directus_container = {
+    name      = local.service_name
+    image     = "directus/directus:${var.image_tag}"
+    cpu       = var.cpu
+    memory    = var.memory
+    essential = true
+    secrets = concat([
+      { name : "SECRET", valueFrom : aws_secretsmanager_secret_version.directus_secret_version.arn },
+      { name : "ADMIN_PASSWORD", valueFrom : aws_secretsmanager_secret_version.directus_admin_password_version.arn },
+      { name : "DB_PASSWORD", valueFrom : "${var.rds_database_password_secrets_manager_arn}:password::" },
+      { name : "STORAGE_S3_KEY", valueFrom : "${aws_secretsmanager_secret_version.directus_serviceuser_secret_version.arn}:access_key_id::" },
+      { name : "STORAGE_S3_SECRET", valueFrom : "${aws_secretsmanager_secret_version.directus_serviceuser_secret_version.arn}:access_key_secret::" }
+      ],
+      var.enable_ses_emails_sending ? [
+        { name : "EMAIL_SES_CREDENTIALS__ACCESS_KEY_ID", valueFrom : "${aws_secretsmanager_secret_version.directus_serviceuser_secret_version.arn}:access_key_id::" },
+        { name : "EMAIL_SES_CREDENTIALS__SECRET_ACCESS_KEY", valueFrom : "${aws_secretsmanager_secret_version.directus_serviceuser_secret_version.arn}:access_key_secret::" }
+    ] : [])
+    environment = [for key, value in local.environment_vars : {
+      name  = key
+      value = value
+    }]
+    linuxParameters = {
+      initProcessEnabled = true
+    }
+    logConfiguration = {
+      logDriver = "awslogs"
+      options = {
+        "awslogs-create-group"  = var.create_cloudwatch_logs_group ? "true" : "false"
+        "awslogs-group"         = "/aws/ecs/${var.application_name}"
+        "awslogs-region"        = data.aws_region.current.name
+        "awslogs-stream-prefix" = var.cloudwatch_logs_stream_prefix
+      }
+    }
+    healthCheck = {
+      command     = ["CMD-SHELL", "wget -qO- http://localhost:${local.directus_port}${local.healthcheck_path} | grep -q 'ok' || exit 1"]
+      interval    = 60
+      timeout     = 10
+      retries     = 10
+      startPeriod = 60
+    }
+    portMappings = [
+      {
+        containerPort = local.directus_port
+        hostPort      = local.directus_port
+        protocol      = "tcp"
+      }
+    ]
+  }
+
+  xray_daemon_container = {
+    name       = "xray-daemon"
+    image      = "public.ecr.aws/xray/aws-xray-daemon:3.x"
+    cpu        = 32
+    memory     = 256
+    entryPoint = ["/xray", "-b", "0.0.0.0:2000", "-o"]
+    essential  = true
+    healthCheck = {
+      command  = ["CMD", "/xray", "--version", "||", "exit 1"]
+      interval = 5
+      timeout  = 2
+      retries  = 1
+    }
+    logConfiguration = {
+      logDriver = "awslogs"
+      options = {
+        "awslogs-create-group"  = var.create_cloudwatch_logs_group ? "true" : "false"
+        "awslogs-group"         = "/aws/ecs/${var.application_name}-xray-daemon"
+        "awslogs-region"        = data.aws_region.current.name
+        "awslogs-stream-prefix" = var.cloudwatch_logs_stream_prefix
+      }
+    }
+    portMappings = [
+      {
+        containerPort = 2000
+        protocol      = "udp"
+      }
+    ]
+  }
+}

examples/main.tf

@@ -52,6 +52,7 @@ module "directus" {
   ecs_service_enable_execute_command = true # Allows you to connect via CLI to the ECS Task Container (just like `docker exec`). It's disabled by default.
   enable_ses_emails_sending          = true
   enable_ecs_volume                  = false
+  enable_xray_integration            = true
   force_new_ecs_deployment_on_apply  = true
 
   # Add additional custom configuration here (https://docs.directus.io/self-hosted/config-options.html#configuration-options)

iam.tf

@@ -50,6 +50,12 @@ resource "aws_iam_role_policy_attachment" "ecs_service_role_ecs_task_execution"
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
 
+resource "aws_iam_role_policy_attachment" "ecs_task_role_xray_daemon_write_access" {
+  count      = var.enable_xray_integration ? 1 : 0
+  role       = aws_iam_role.ecs_task_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
+}
+
 resource "aws_iam_role" "ecs_task_role" {
   name = "${var.application_name}-ecs-task-role"
 

main.tf

@@ -57,56 +57,7 @@ locals {
     } : {}
   )
 
-  container_definitions = [
-    {
-      name      = local.service_name
-      image     = "directus/directus:${var.image_tag}"
-      cpu       = var.cpu
-      memory    = var.memory
-      essential = true
-      secrets = concat([
-        { name : "SECRET", valueFrom : aws_secretsmanager_secret_version.directus_secret_version.arn },
-        { name : "ADMIN_PASSWORD", valueFrom : aws_secretsmanager_secret_version.directus_admin_password_version.arn },
-        { name : "DB_PASSWORD", valueFrom : "${var.rds_database_password_secrets_manager_arn}:password::" },
-        { name : "STORAGE_S3_KEY", valueFrom : "${aws_secretsmanager_secret_version.directus_serviceuser_secret_version.arn}:access_key_id::" },
-        { name : "STORAGE_S3_SECRET", valueFrom : "${aws_secretsmanager_secret_version.directus_serviceuser_secret_version.arn}:access_key_secret::" }
-        ],
-        var.enable_ses_emails_sending ? [
-          { name : "EMAIL_SES_CREDENTIALS__ACCESS_KEY_ID", valueFrom : "${aws_secretsmanager_secret_version.directus_serviceuser_secret_version.arn}:access_key_id::" },
-          { name : "EMAIL_SES_CREDENTIALS__SECRET_ACCESS_KEY", valueFrom : "${aws_secretsmanager_secret_version.directus_serviceuser_secret_version.arn}:access_key_secret::" }
-      ] : [])
-      environment = [for key, value in local.environment_vars : {
-        name  = key
-        value = value
-      }]
-      linuxParameters = {
-        initProcessEnabled = true
-      }
-      logConfiguration = {
-        logDriver = "awslogs"
-        options = {
-          "awslogs-create-group"  = var.create_cloudwatch_logs_group ? "true" : "false"
-          "awslogs-group"         = "/aws/ecs/${var.application_name}"
-          "awslogs-region"        = data.aws_region.current.name
-          "awslogs-stream-prefix" = var.cloudwatch_logs_stream_prefix
-        }
-      }
-      healthCheck = {
-        command     = ["CMD-SHELL", "wget -qO- http://localhost:${local.directus_port}${local.healthcheck_path} | grep -q 'ok' || exit 1"]
-        interval    = 60
-        timeout     = 10
-        retries     = 10
-        startPeriod = 60
-      }
-      portMappings = [
-        {
-          containerPort = local.directus_port
-          hostPort      = local.directus_port
-          protocol      = "tcp"
-        }
-      ]
-    }
-  ]
+  container_definitions = concat([local.directus_container], var.enable_xray_integration ? [local.xray_daemon_container] : [])
 }
 
 data "aws_region" "current" {}
@@ -434,8 +385,8 @@ resource "aws_ecs_task_definition" "directus" {
 
   network_mode = "awsvpc"
 
-  cpu    = var.cpu
-  memory = var.memory
+  cpu    = var.enable_xray_integration ? var.cpu * 2 : var.cpu
+  memory = var.enable_xray_integration ? var.memory * 2 : var.memory
 
   execution_role_arn = module.ecs.task_exec_iam_role_arn
   task_role_arn      = aws_iam_role.ecs_task_role.arn

variables.tf

@@ -22,6 +22,12 @@ variable "load_balancer_prefix_list_ids" {
   default     = []
 }
 
+variable "enable_xray_integration" {
+  description = "Whether to enable X-Ray integration"
+  type        = bool
+  default     = false
+}
+
 variable "enable_ecs_volume" {
   description = "Whether to enable ECS volume"
   type        = bool