terraform-aws-modules · lukzhang · Nov 8, 2025 · Nov 8, 2025 · Nov 8, 2025 · Nov 8, 2025
diff --git a/modules/container-definition/README.md b/modules/container-definition/README.md
@@ -145,6 +145,7 @@ No modules.
 | <a name="input_cloudwatch_log_group_retention_in_days"></a> [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | Number of days to retain log events. Set to `0` to keep logs indefinitely | `number` | `14` | no |
 | <a name="input_cloudwatch_log_group_use_name_prefix"></a> [cloudwatch\_log\_group\_use\_name\_prefix](#input\_cloudwatch\_log\_group\_use\_name\_prefix) | Determines whether the log group name should be used as a prefix | `bool` | `false` | no |
 | <a name="input_command"></a> [command](#input\_command) | The command that's passed to the container | `list(string)` | `null` | no |
+| <a name="input_credentialSpecs"></a> [credentialSpecs](#input\_credentialSpecs) | Specs for Credentials for gMSA (Windows containers) | `list(string)` | `null` | no |
 | <a name="input_cpu"></a> [cpu](#input\_cpu) | The number of cpu units to reserve for the container. This is optional for tasks using Fargate launch type and the total amount of `cpu` of all containers in a task will need to be lower than the task-level cpu value | `number` | `null` | no |
 | <a name="input_create_cloudwatch_log_group"></a> [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Determines whether a log group is created by this module. If not, AWS will automatically create one if logging is enabled | `bool` | `true` | no |
 | <a name="input_dependsOn"></a> [dependsOn](#input\_dependsOn) | The dependencies defined for container startup and shutdown. A container can contain multiple dependencies. When a dependency is defined for container startup, for container shutdown it is reversed. The condition can be one of START, COMPLETE, SUCCESS or HEALTHY | <pre>list(object({<br/>    condition     = string<br/>    containerName = string<br/>  }))</pre> | `null` | no |

diff --git a/modules/container-definition/main.tf b/modules/container-definition/main.tf
@@ -39,6 +39,7 @@ locals {
   definition = {
     command                = var.command
     cpu                    = var.cpu
+    credentialSpecs        = var.credentialSpecs
     dependsOn              = var.dependsOn
     disableNetworking      = local.is_not_windows ? var.disableNetworking : null
     dnsSearchDomains       = local.is_not_windows ? var.dnsSearchDomains : null

diff --git a/modules/container-definition/variables.tf b/modules/container-definition/variables.tf
@@ -34,6 +34,12 @@ variable "cpu" {
   default     = null
 }
 
+variable "credentialSpecs" {
+  description = "Specs for Credentials for gMSA (Windows containers)."
+  type        = list(string)
+  default     = null
+}
+
 # tflint-ignore: terraform_naming_convention
 variable "dependsOn" {
   description = "The dependencies defined for container startup and shutdown. A container can contain multiple dependencies. When a dependency is defined for container startup, for container shutdown it is reversed. The condition can be one of START, COMPLETE, SUCCESS or HEALTHY"

diff --git a/modules/service/README.md b/modules/service/README.md
@@ -238,7 +238,7 @@ module "ecs_service" {
 | <a name="input_availability_zone_rebalancing"></a> [availability\_zone\_rebalancing](#input\_availability\_zone\_rebalancing) | ECS automatically redistributes tasks within a service across Availability Zones (AZs) to mitigate the risk of impaired application availability due to underlying infrastructure failures and task lifecycle activities. The valid values are `ENABLED` and `DISABLED`. Defaults to `DISABLED` | `string` | `null` | no |
 | <a name="input_capacity_provider_strategy"></a> [capacity\_provider\_strategy](#input\_capacity\_provider\_strategy) | Capacity provider strategies to use for the service. Can be one or more | <pre>map(object({<br/>    base              = optional(number)<br/>    capacity_provider = string<br/>    weight            = optional(number)<br/>  }))</pre> | `null` | no |
 | <a name="input_cluster_arn"></a> [cluster\_arn](#input\_cluster\_arn) | ARN of the ECS cluster where the resources will be provisioned | `string` | `""` | no |
-| <a name="input_container_definitions"></a> [container\_definitions](#input\_container\_definitions) | A map of valid [container definitions](http://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html). Please note that you should only provide values that are part of the container definition document | <pre>map(object({<br/>    create                  = optional(bool, true)<br/>    operating_system_family = optional(string)<br/>    tags                    = optional(map(string))<br/><br/>    # Container definition<br/>    command = optional(list(string))<br/>    cpu     = optional(number)<br/>    dependsOn = optional(list(object({<br/>      condition     = string<br/>      containerName = string<br/>    })))<br/>    disableNetworking     = optional(bool)<br/>    dnsSearchDomains      = optional(list(string))<br/>    dnsServers            = optional(list(string))<br/>    dockerLabels          = optional(map(string))<br/>    dockerSecurityOptions = optional(list(string))<br/>    # enable_execute_command = optional(bool, false) Set in standalone variable<br/>    entrypoint = optional(list(string))<br/>    environment = optional(list(object({<br/>      name  = string<br/>      value = string<br/>    })))<br/>    environmentFiles = optional(list(object({<br/>      type  = string<br/>      value = string<br/>    })))<br/>    essential = optional(bool)<br/>    extraHosts = optional(list(object({<br/>      hostname  = string<br/>      ipAddress = string<br/>    })))<br/>    firelensConfiguration = optional(object({<br/>      options = optional(map(string))<br/>      type    = optional(string)<br/>    }))<br/>    healthCheck = optional(object({<br/>      command     = optional(list(string), [])<br/>      interval    = optional(number, 30)<br/>      retries     = optional(number, 3)<br/>      startPeriod = optional(number)<br/>      timeout     = optional(number, 5)<br/>    }))<br/>    hostname    = optional(string)<br/>    image       = optional(string)<br/>    interactive = optional(bool)<br/>    links       = optional(list(string))<br/>    linuxParameters = optional(object({<br/>      capabilities = optional(object({<br/>        add  = optional(list(string))<br/>        drop = optional(list(string))<br/>      }))<br/>      devices = optional(list(object({<br/>        containerPath = optional(string)<br/>        hostPath      = optional(string)<br/>        permissions   = optional(list(string))<br/>      })))<br/>      initProcessEnabled = optional(bool)<br/>      maxSwap            = optional(number)<br/>      sharedMemorySize   = optional(number)<br/>      swappiness         = optional(number)<br/>      tmpfs = optional(list(object({<br/>        containerPath = string<br/>        mountOptions  = optional(list(string))<br/>        size          = number<br/>      })))<br/>    }))<br/>    logConfiguration = optional(object({<br/>      logDriver = optional(string)<br/>      options   = optional(map(string))<br/>      secretOptions = optional(list(object({<br/>        name      = string<br/>        valueFrom = string<br/>      })))<br/>    }))<br/>    memory            = optional(number)<br/>    memoryReservation = optional(number)<br/>    mountPoints = optional(list(object({<br/>      containerPath = optional(string)<br/>      readOnly      = optional(bool)<br/>      sourceVolume  = optional(string)<br/>    })))<br/>    name = optional(string)<br/>    portMappings = optional(list(object({<br/>      appProtocol        = optional(string)<br/>      containerPort      = optional(number)<br/>      containerPortRange = optional(string)<br/>      hostPort           = optional(number)<br/>      name               = optional(string)<br/>      protocol           = optional(string)<br/>    })))<br/>    privileged             = optional(bool)<br/>    pseudoTerminal         = optional(bool)<br/>    readonlyRootFilesystem = optional(bool)<br/>    repositoryCredentials = optional(object({<br/>      credentialsParameter = optional(string)<br/>    }))<br/>    resourceRequirements = optional(list(object({<br/>      type  = string<br/>      value = string<br/>    })))<br/>    restartPolicy = optional(object({<br/>      enabled              = optional(bool)<br/>      ignoredExitCodes     = optional(list(number))<br/>      restartAttemptPeriod = optional(number)<br/>      })<br/>    )<br/>    secrets = optional(list(object({<br/>      name      = string<br/>      valueFrom = string<br/>    })))<br/>    startTimeout = optional(number, 30)<br/>    stopTimeout  = optional(number, 120)<br/>    systemControls = optional(list(object({<br/>      namespace = optional(string)<br/>      value     = optional(string)<br/>    })))<br/>    ulimits = optional(list(object({<br/>      hardLimit = number<br/>      name      = string<br/>      softLimit = number<br/>    })))<br/>    user               = optional(string)<br/>    versionConsistency = optional(string)<br/>    volumesFrom = optional(list(object({<br/>      readOnly        = optional(bool)<br/>      sourceContainer = optional(string)<br/>    })))<br/>    workingDirectory = optional(string)<br/><br/>    # Cloudwatch Log Group<br/>    service                                = optional(string)<br/>    enable_cloudwatch_logging              = optional(bool)<br/>    create_cloudwatch_log_group            = optional(bool)<br/>    cloudwatch_log_group_name              = optional(string)<br/>    cloudwatch_log_group_use_name_prefix   = optional(bool)<br/>    cloudwatch_log_group_class             = optional(string)<br/>    cloudwatch_log_group_retention_in_days = optional(number)<br/>    cloudwatch_log_group_kms_key_id        = optional(string)<br/>  }))</pre> | `{}` | no |
+| <a name="input_container_definitions"></a> [container\_definitions](#input\_container\_definitions) | A map of valid [container definitions](http://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html). Please note that you should only provide values that are part of the container definition document | <pre>map(object({<br/>    create                  = optional(bool, true)<br/>    operating_system_family = optional(string)<br/>    tags                    = optional(map(string))<br/><br/>    # Container definition<br/>    command = optional(list(string))<br/>    cpu     = optional(number)<br/>    <br/>    credentialSpecs     = optional(list(string))<br/>    dependsOn = optional(list(object({<br/>      condition     = string<br/>      containerName = string<br/>    })))<br/>    disableNetworking     = optional(bool)<br/>    dnsSearchDomains      = optional(list(string))<br/>    dnsServers            = optional(list(string))<br/>    dockerLabels          = optional(map(string))<br/>    dockerSecurityOptions = optional(list(string))<br/>    # enable_execute_command = optional(bool, false) Set in standalone variable<br/>    entrypoint = optional(list(string))<br/>    environment = optional(list(object({<br/>      name  = string<br/>      value = string<br/>    })))<br/>    environmentFiles = optional(list(object({<br/>      type  = string<br/>      value = string<br/>    })))<br/>    essential = optional(bool)<br/>    extraHosts = optional(list(object({<br/>      hostname  = string<br/>      ipAddress = string<br/>    })))<br/>    firelensConfiguration = optional(object({<br/>      options = optional(map(string))<br/>      type    = optional(string)<br/>    }))<br/>    healthCheck = optional(object({<br/>      command     = optional(list(string), [])<br/>      interval    = optional(number, 30)<br/>      retries     = optional(number, 3)<br/>      startPeriod = optional(number)<br/>      timeout     = optional(number, 5)<br/>    }))<br/>    hostname    = optional(string)<br/>    image       = optional(string)<br/>    interactive = optional(bool)<br/>    links       = optional(list(string))<br/>    linuxParameters = optional(object({<br/>      capabilities = optional(object({<br/>        add  = optional(list(string))<br/>        drop = optional(list(string))<br/>      }))<br/>      devices = optional(list(object({<br/>        containerPath = optional(string)<br/>        hostPath      = optional(string)<br/>        permissions   = optional(list(string))<br/>      })))<br/>      initProcessEnabled = optional(bool)<br/>      maxSwap            = optional(number)<br/>      sharedMemorySize   = optional(number)<br/>      swappiness         = optional(number)<br/>      tmpfs = optional(list(object({<br/>        containerPath = string<br/>        mountOptions  = optional(list(string))<br/>        size          = number<br/>      })))<br/>    }))<br/>    logConfiguration = optional(object({<br/>      logDriver = optional(string)<br/>      options   = optional(map(string))<br/>      secretOptions = optional(list(object({<br/>        name      = string<br/>        valueFrom = string<br/>      })))<br/>    }))<br/>    memory            = optional(number)<br/>    memoryReservation = optional(number)<br/>    mountPoints = optional(list(object({<br/>      containerPath = optional(string)<br/>      readOnly      = optional(bool)<br/>      sourceVolume  = optional(string)<br/>    })))<br/>    name = optional(string)<br/>    portMappings = optional(list(object({<br/>      appProtocol        = optional(string)<br/>      containerPort      = optional(number)<br/>      containerPortRange = optional(string)<br/>      hostPort           = optional(number)<br/>      name               = optional(string)<br/>      protocol           = optional(string)<br/>    })))<br/>    privileged             = optional(bool)<br/>    pseudoTerminal         = optional(bool)<br/>    readonlyRootFilesystem = optional(bool)<br/>    repositoryCredentials = optional(object({<br/>      credentialsParameter = optional(string)<br/>    }))<br/>    resourceRequirements = optional(list(object({<br/>      type  = string<br/>      value = string<br/>    })))<br/>    restartPolicy = optional(object({<br/>      enabled              = optional(bool)<br/>      ignoredExitCodes     = optional(list(number))<br/>      restartAttemptPeriod = optional(number)<br/>      })<br/>    )<br/>    secrets = optional(list(object({<br/>      name      = string<br/>      valueFrom = string<br/>    })))<br/>    startTimeout = optional(number, 30)<br/>    stopTimeout  = optional(number, 120)<br/>    systemControls = optional(list(object({<br/>      namespace = optional(string)<br/>      value     = optional(string)<br/>    })))<br/>    ulimits = optional(list(object({<br/>      hardLimit = number<br/>      name      = string<br/>      softLimit = number<br/>    })))<br/>    user               = optional(string)<br/>    versionConsistency = optional(string)<br/>    volumesFrom = optional(list(object({<br/>      readOnly        = optional(bool)<br/>      sourceContainer = optional(string)<br/>    })))<br/>    workingDirectory = optional(string)<br/><br/>    # Cloudwatch Log Group<br/>    service                                = optional(string)<br/>    enable_cloudwatch_logging              = optional(bool)<br/>    create_cloudwatch_log_group            = optional(bool)<br/>    cloudwatch_log_group_name              = optional(string)<br/>    cloudwatch_log_group_use_name_prefix   = optional(bool)<br/>    cloudwatch_log_group_class             = optional(string)<br/>    cloudwatch_log_group_retention_in_days = optional(number)<br/>    cloudwatch_log_group_kms_key_id        = optional(string)<br/>  }))</pre> | `{}` | no |
 | <a name="input_cpu"></a> [cpu](#input\_cpu) | Number of cpu units used by the task. If the `requires_compatibilities` is `FARGATE` this field is required | `number` | `1024` | no |
 | <a name="input_create"></a> [create](#input\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |
 | <a name="input_create_iam_role"></a> [create\_iam\_role](#input\_create\_iam\_role) | Determines whether the ECS service IAM role should be created | `bool` | `true` | no |

diff --git a/modules/service/main.tf b/modules/service/main.tf
@@ -814,6 +814,7 @@ module "container_definition" {
   # Container Definition
   command                = each.value.command
   cpu                    = each.value.cpu
+  credentialSpecs        = each.value.credentialSpecs
   dependsOn              = each.value.dependsOn
   disableNetworking      = each.value.disableNetworking
   dnsSearchDomains       = each.value.dnsSearchDomains

diff --git a/modules/service/variables.tf b/modules/service/variables.tf
@@ -475,8 +475,9 @@ variable "container_definitions" {
     tags                    = optional(map(string))
 
     # Container definition
-    command = optional(list(string))
-    cpu     = optional(number)
+    command         = optional(list(string))
+    cpu             = optional(number)
+    credentialSpecs = optional(list(string))
     dependsOn = optional(list(object({
       condition     = string
       containerName = string

diff --git a/variables.tf b/variables.tf
@@ -445,8 +445,9 @@ variable "services" {
       tags                    = optional(map(string))
 
       # Container definition
-      command = optional(list(string))
-      cpu     = optional(number)
+      command         = optional(list(string))
+      cpu             = optional(number)
+      credentialSpecs = optional(list(string))
       dependsOn = optional(list(object({
         condition     = string
         containerName = string

diff --git a/wrappers/container-definition/main.tf b/wrappers/container-definition/main.tf
@@ -9,8 +9,9 @@ module "wrapper" {
   cloudwatch_log_group_retention_in_days = try(each.value.cloudwatch_log_group_retention_in_days, var.defaults.cloudwatch_log_group_retention_in_days, 14)
   cloudwatch_log_group_use_name_prefix   = try(each.value.cloudwatch_log_group_use_name_prefix, var.defaults.cloudwatch_log_group_use_name_prefix, false)
   command                                = try(each.value.command, var.defaults.command, null)
-  cpu                                    = try(each.value.cpu, var.defaults.cpu, null)
+  cpu                                    = try(each.value.cpu, var.defaults.cpu, null)  
   create_cloudwatch_log_group            = try(each.value.create_cloudwatch_log_group, var.defaults.create_cloudwatch_log_group, true)
+  credentialSpecs                        = try(each.value.credentialSpecs, var.defaults.credentialSpecs, null)
   dependsOn                              = try(each.value.dependsOn, var.defaults.dependsOn, null)
   disableNetworking                      = try(each.value.disableNetworking, var.defaults.disableNetworking, null)
   dnsSearchDomains                       = try(each.value.dnsSearchDomains, var.defaults.dnsSearchDomains, null)