feat: built-in native ECS blue green deployment

[oycyc]

AWS ECS now supports native built in blue green deployments!
https://aws.amazon.com/about-aws/whats-new/2025/07/amazon-ecs-built-in-blue-green-deployments/

There are 3 corresponding Terraform blocks/attributes to support this, which has been added into the provider by an official AWS contributor in this PR: hashicorp/terraform-provider-aws#43434

Add support in this module for those 3 for the ECS service resource configuration blocks/attributes:

• deployment_configuration
• load_balancer.advanced_configuration
• service.client_alias.test_traffic_rules

In this PR, there is 4 cases of resource "aws_ecs_service" "xyz", which is why the 200+ LOC when in reality, it should be under 50 LOC. The same 3 blocks are required to be reflected over to all 4 resources, similar to other existing dynamic blocks.

I've tested that this is backwards compatible in that there is no diff when using pointed at this within many other root modules that has an ECS load balancer block attached (with and without).

[oycyc]

/terratest

[oycyc]

/terratest

[oycyc]

/terratest

[oycyc]

/terratest

[oycyc]

/terratest

[oycyc]

/terratest

[cl0udf0x]

@oycyc thanks for this. I have been testing with the following configuration:

module "ecs_alb_service_task" {
...
...
deployment_configuration = {
  stratergy            = "BLUE_GREEN"
  bake_time_in_minutes = 3
}

ecs_load_balancers = [
    {
      container_name   = "nginx"
      elb_name         = null
      target_group_arn = module.alb.default_target_group_arn
      container_port   = var.alb_target_port
      advanced_configuration = {
        alternate_target_group_arn = "${aws_lb_target_group.blue_green_tg.arn}"
        production_listener_rule = "arn:aws:elasticloadbalancing:XXXXXXXXX:XXXXXXXXX:listener-rule/app/alb-web/XXXXXXXXX/XXXXXXXXX/XXXXXXXXX"
        role_arn                 = "arn:aws:iam::XXXXXXXXX:role/test-bluegreen"
       
    }
  ]

}

resource "aws_lb_target_group" "blue_green_tg" {
    name             = "bluegreen-tg"
    port             = var.alb_target_port 
    protocol         = "HTTP"
    protocol_version = "HTTP1"
    target_type      = "ip"
    vpc_id           = data.aws_vpc.selected.id
}

The test-bluegreen role has the AmazonECSInfrastructureRolePolicyForLoadBalancers policy attached.

The Terraform apply completes successfully, but the deployment configuration of the Fargate service doesn't change to blue/green.

Any ideas?

Terraform v1.13.3
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v6.14.1
+ provider registry.terraform.io/hashicorp/local v2.5.3
+ provider registry.terraform.io/hashicorp/null v3.2.4
+ provider registry.terraform.io/hashicorp/random v3.7.2
+ provider registry.terraform.io/hashicorp/time v0.10.0
+ provider registry.terraform.io/hashicorp/tls v4.1.0

UPDATE:

If I manually attach the alternative target group to the ALB listener rule via the console (setting the weighting to 0), the deployment configuration "blue_green" can be enabled.

Running "force new deployment" via the console switches the traffic to the alternative target group as expected.

The alternate target_group is not being attached to the listener by Terraform....