diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
index 229165e..fc0bf14 100644
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -44,6 +44,7 @@ updates:
       - "infrastructure/modules/cw-firehose-splunk"
       - "infrastructure/modules/ecr"
       - "infrastructure/modules/ecs-cluster"
+      - "infrastructure/modules/ecs-service"
       - "infrastructure/modules/elasticache"
       - "infrastructure/modules/github-config"
       - "infrastructure/modules/guardduty"
diff --git a/.gitleaksignore b/.gitleaksignore
index f97f5c8..bf9d628 100644
--- a/.gitleaksignore
+++ b/.gitleaksignore
@@ -5,3 +5,7 @@ e876843351a025eb754ec61982c8b7d95deeb709:.pre-commit-config.yaml:ipv4:119
 e364bc1869c67729653c7efb4d6169f2294e68de:.pre-commit-config.yaml:ipv4:110
 62088509f98ce02ce379adef2168b867eecfb5da:.pre-commit-config.yaml:ipv4:110
 a3fa25da4e8f9eaa2e28c29f6196f23bfe87a58d:.pre-commit-config.yaml:ipv4:119
+# Historical false positive: example ARN comment in tags/main.tf contained hex-like content
+# which triggered the ipv6 rule. Comment updated in later commit; old commits suppressed here.
+7b49758d98757e8f404cb2c540c1f146afd6e395:infrastructure/modules/tags/main.tf:ipv6:131
+091dcd76884ffd307aee6c6b306b015c065f4896:infrastructure/modules/tags/main.tf:ipv6:131
diff --git a/infrastructure/modules/ecs-service/.terraform.lock.hcl b/infrastructure/modules/ecs-service/.terraform.lock.hcl
new file mode 100644
index 0000000..eb4f3fd
--- /dev/null
+++ b/infrastructure/modules/ecs-service/.terraform.lock.hcl
@@ -0,0 +1,30 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "6.51.0"
+  constraints = ">= 6.34.0"
+  hashes = [
+    "h1:017ISHZZBI+yeqA4AAtgLQJC7Lhd4wYM7tEKYmlk/7Y=",
+    "h1:4c8zjgtGH0QgP+p/cF1UqdqkvD7V5i0ZxqslieZLTbc=",
+    "h1:QWxF+1ePJ4qFCHEc6PyHNeXc865wLvrWVl71d/nABa8=",
+    "h1:aPBmqoiYqfrIgCGwzuemljkOXuGCYQRTXo91nQxrE+s=",
+    "h1:bclp+xS1fYeOCil0XZO6mKvEeHFESt5K/XotVSZND54=",
+    "zh:03fcea0a1ea2ca81d62d4d2e2961181bef9068b1c701f2cddc4aa5fac105818a",
+    "zh:1213944cd623143974ea5c9b70b22ae1ccca33d743924c149ed089d34b8e08b4",
+    "zh:190a46da0c69082b74da48238ce134d2fc9893e09122ac249c5689f88eab7e13",
+    "zh:1b312a4b53fa3cf731f95e674c033865feea5455f163b86136f2614424637293",
+    "zh:2b319814806222c5aba196b1a78756a6b36dc5c91f85edda349234d8a2f20a6a",
+    "zh:2bddf92c8efc6ad445a2eb8a0e5f88742a0596392c3a4ebc350ebb4105a4a96d",
+    "zh:3bef0c4f675c09034ff017cf899977b1765b2c0b3d1e489bcb06a5fcac316e2d",
+    "zh:47c46b5aa22199638fed5c93b195bbfd1182a1408edad4e5c39d4a73a04493f6",
+    "zh:5f808699650f6db961964466c77f5a581eab142a91c2e54810bb09b6f2fcd3f2",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:ada97e6be10164f452e278c23412b8597698a9c95ffb68fe83629d63d85906f3",
+    "zh:c4d73a91810d8dbcf9abbd431d41fcceebb48f8b6fd3c28a84bb3c6ed08be2e9",
+    "zh:c63ec875d38fc557b16b0b2b0ab1c7635852799453113240e21a52409de94a71",
+    "zh:cdd0209a755fc3aa14855aa013dae4b166a2fc7f6d3cbb673f7ff2142f5b63a2",
+    "zh:e5e665a27290391fd1bffc093ab68b596f6c507785be2e3f0949fab4fd6aec1b",
+    "zh:f6c42046a31d65eff2793737656b38931f90318b53661046bb84326cd4cb558f",
+  ]
+}
diff --git a/infrastructure/modules/ecs-service/README.md b/infrastructure/modules/ecs-service/README.md
new file mode 100644
index 0000000..98a686e
--- /dev/null
+++ b/infrastructure/modules/ecs-service/README.md
@@ -0,0 +1,478 @@
+# ECS Service
+
+NHS Screening wrapper around the community
+[`terraform-aws-modules/ecs/aws//modules/service`](https://registry.terraform.io/modules/terraform-aws-modules/ecs/aws/latest/submodules/service)
+submodule that enforces the platform's baseline controls and consumes
+the shared `context.tf` for naming and tagging.
+
+## What this module enforces
+
+|Control|How it is enforced|
+|---|---|
+|No public IP|`assign_public_ip` defaults to `false`; tasks run on private subnets|
+|ECS-managed tags|`enable_ecs_managed_tags` defaults to `true`; AWS propagates resource tags to tasks|
+|Tag propagation|`propagate_tags` defaults to `TASK_DEFINITION` so tasks inherit service tags|
+|Creation gate|`create = module.this.enabled`; no resources are created when the module is disabled|
+|Consistent naming|Service name is sourced from `local.service_name` (context-derived or `var.service_name` override)|
+|Consistent tagging|All resources tagged via `module.this.tags`|
+
+## Usage
+
+### Minimal Fargate service
+
+```hcl
+module "api_service" {
+  source = "git::https://github.com/NHSDigital/screening-terraform-modules-aws.git//infrastructure/modules/ecs-service?ref=<tag>"
+
+  service              = "bcss"
+  project              = "api"
+  environment          = "development"
+  name                 = "web-api"
+  cluster_arn          = module.ecs_cluster.arn
+  subnet_ids           = module.vpc.private_subnets
+
+  container_definitions = {
+    app = {
+      image      = "my-registry.dkr.ecr.eu-west-2.amazonaws.com/my-app:latest"
+      cpu        = 512
+      memory     = 1024
+      essential  = true
+    }
+  }
+}
+```
+
+### Fargate service with load balancer
+
+```hcl
+module "web_service" {
+  source = "git::https://github.com/NHSDigital/screening-terraform-modules-aws.git//infrastructure/modules/ecs-service?ref=<tag>"
+
+  service     = "bcss"
+  project     = "web"
+  environment = "prod"
+  name        = "frontend"
+
+  cluster_arn = module.ecs_cluster.arn
+  vpc_id      = module.vpc.vpc_id
+  subnet_ids  = module.vpc.private_subnets
+
+  container_definitions = {
+    web = {
+      image      = "my-registry.dkr.ecr.eu-west-2.amazonaws.com/web-app:v1.2.3"
+      cpu        = 512
+      memory     = 1024
+      essential  = true
+      port_mappings = [{
+        container_port = 8080
+        host_port      = 8080
+      }]
+    }
+  }
+
+  load_balancer = {
+    web = {
+      container_name   = "web"
+      container_port   = 8080
+      target_group_arn = module.alb.target_group_arn
+    }
+  }
+
+  health_check_grace_period_seconds = 60
+}
+```
+
+### Fargate service with autoscaling
+
+```hcl
+module "worker_service" {
+  source = "git::https://github.com/NHSDigital/screening-terraform-modules-aws.git//infrastructure/modules/ecs-service?ref=<tag>"
+
+  service     = "bcss"
+  project     = "jobs"
+  environment = "prod"
+  name        = "background-worker"
+
+  cluster_arn = module.ecs_cluster.arn
+  vpc_id      = module.vpc.vpc_id
+  subnet_ids  = module.vpc.private_subnets
+
+  container_definitions = {
+    worker = {
+      image      = "my-registry.dkr.ecr.eu-west-2.amazonaws.com/worker:latest"
+      cpu        = 256
+      memory     = 512
+      essential  = true
+    }
+  }
+
+  desired_count              = 2
+  enable_autoscaling         = true
+  autoscaling_min_capacity   = 2
+  autoscaling_max_capacity   = 10
+
+  autoscaling_policies = {
+    cpu = {
+      policy_type = "TargetTrackingScaling"
+      target_tracking_scaling_policy_configuration = {
+        target_value       = 70.0
+        predefined_metric_specification = {
+          predefined_metric_type = "ECSServiceAverageCPUUtilization"
+        }
+      }
+    }
+  }
+}
+```
+
+### Service reading secrets from Secrets Manager
+
+```hcl
+module "api_service" {
+  source = "git::https://github.com/NHSDigital/screening-terraform-modules-aws.git//infrastructure/modules/ecs-service?ref=<tag>"
+
+  service     = "bcss"
+  project     = "api"
+  environment = "prod"
+  name        = "web-api"
+
+  cluster_arn = module.ecs_cluster.arn
+  vpc_id      = module.vpc.vpc_id
+  subnet_ids  = module.vpc.private_subnets
+
+  # Grant the task execution role permission to read these secrets.
+  # The values are injected into the container at runtime via the
+  # secrets block in the container definition below.
+  task_exec_secret_arns = [
+    module.db_credentials.secret_arn,
+    module.api_key.secret_arn,
+  ]
+
+  container_definitions = {
+    app = {
+      image     = "my-registry.dkr.ecr.eu-west-2.amazonaws.com/my-app:latest"
+      cpu       = 512
+      memory    = 1024
+      essential = true
+
+      secrets = [
+        {
+          name      = "DB_PASSWORD"
+          valueFrom = module.db_credentials.secret_arn
+        },
+        {
+          name      = "API_KEY"
+          valueFrom = module.api_key.secret_arn
+        },
+      ]
+    }
+  }
+}
+```
+
+### Blue/green deployment
+
+```hcl
+module "api_service" {
+  source = "git::https://github.com/NHSDigital/screening-terraform-modules-aws.git//infrastructure/modules/ecs-service?ref=<tag>"
+
+  service     = "bcss"
+  project     = "api"
+  environment = "prod"
+  name        = "web-api"
+
+  cluster_arn = module.ecs_cluster.arn
+  vpc_id      = module.vpc.vpc_id
+  subnet_ids  = module.vpc.private_subnets
+
+  deployment_configuration = {
+    strategy             = "BLUE_GREEN"
+    bake_time_in_minutes = 5
+  }
+
+  deployment_circuit_breaker = {
+    enable   = true
+    rollback = true
+  }
+
+  container_definitions = {
+    app = {
+      image     = "my-registry.dkr.ecr.eu-west-2.amazonaws.com/my-app:latest"
+      cpu       = 512
+      memory    = 1024
+      essential = true
+    }
+  }
+}
+```
+
+### Preserving an existing service name
+
+Use `service_name` when you wish to explicitly define a service name i.e. when the ECS service was previously created outside Terraform and the name must be kept stable:
+
+```hcl
+module "legacy_service" {
+  source = "git::https://github.com/NHSDigital/screening-terraform-modules-aws.git//infrastructure/modules/ecs-service?ref=<tag>"
+
+  service     = "bcss"
+  project     = "api"
+  environment = "prod"
+  name        = "web-api"
+
+  service_name = "bcss-legacy-worker" # overrides the context-derived name
+
+  cluster_arn = module.ecs_cluster.arn
+  vpc_id      = module.vpc.vpc_id
+  subnet_ids  = module.vpc.private_subnets
+
+  container_definitions = {
+    app = {
+      image     = "my-registry.dkr.ecr.eu-west-2.amazonaws.com/my-app:latest"
+      cpu       = 256
+      memory    = 512
+      essential = true
+    }
+  }
+}
+```
+
+## Conventions
+
+- Service name defaults to `module.this.name` (derived from `context.tf`). Supply
+  `service`, `project`, `environment`, and `name` inputs to control the generated
+  name. Set `service_name` to override the context-derived name with an explicit
+  value — useful when an existing ECS service name must be preserved.
+- `assign_public_ip` defaults to `false`. Only set it to `true` for public-facing
+  Fargate services that intentionally require direct internet access; this is rare
+  in the NHS Screening platform.
+- `enable_autoscaling` defaults to `true`. Set it to `false` for batch or
+  short-lived services that do not require auto-scaling.
+- `desired_count` defaults to `1`. Adjust to match your workload requirements.
+- The caller must supply the ECS cluster ARN (`cluster_arn`) and the VPC subnet
+  IDs (`subnet_ids`). These are not managed by this module.
+
+## What this module does NOT do
+
+- Create an ECS cluster. Use the `ecs-cluster` module and pass the ARN via
+  `cluster_arn`.
+- Create VPCs, subnets, or security groups. The caller is responsible for
+  networking; pass existing security group IDs via `security_group_ids` or let
+  the module create one via `create_security_group = true`.
+- Create load balancers or target groups. Configure these separately and pass
+  the target group ARN(s) via `load_balancer`.
+- Build or push container images. Use the `ecr` module for the registry.
+- Manage KMS encryption at the ECS service level. Task-level secrets encryption
+  is handled via the task execution IAM role and the `secrets-manager` or
+  `parameter_store` modules.
+- Create CloudWatch log groups. Define these in your container definitions or
+  provision them separately.
+
+<!-- vale off -->
+<!-- markdownlint-disable -->
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+| ---- | ------- |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.34 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+| ---- | ------ | ------- |
+| <a name="module_ecs_service"></a> [ecs\_service](#module\_ecs\_service) | terraform-aws-modules/ecs/aws//modules/service | 7.5.0 |
+| <a name="module_this"></a> [this](#module\_this) | ../tags | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+| ---- | ----------- | ---- | ------- | :------: |
+| <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br/>This is for some rare cases where resources want additional configuration of tags<br/>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
+| <a name="input_alarms"></a> [alarms](#input\_alarms) | Information about the CloudWatch alarms | <pre>object({<br/>    alarm_names = list(string)<br/>    enable      = optional(bool, true)<br/>    rollback    = optional(bool, true)<br/>  })</pre> | `null` | no |
+| <a name="input_application_role"></a> [application\_role](#input\_application\_role) | The role the application is performing | `string` | `"General"` | no |
+| <a name="input_assign_public_ip"></a> [assign\_public\_ip](#input\_assign\_public\_ip) | Assign a public IP address to the ENI (Fargate launch type only) | `bool` | `false` | no |
+| <a name="input_attributes"></a> [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br/>in the order they appear in the list. New attributes are appended to the<br/>end of the list. The elements of the list are joined by the `delimiter`<br/>and treated as a single ID element. | `list(string)` | `[]` | no |
+| <a name="input_autoscaling_max_capacity"></a> [autoscaling\_max\_capacity](#input\_autoscaling\_max\_capacity) | Maximum number of tasks to run in your service | `number` | `10` | no |
+| <a name="input_autoscaling_min_capacity"></a> [autoscaling\_min\_capacity](#input\_autoscaling\_min\_capacity) | Minimum number of tasks to run in your service | `number` | `1` | no |
+| <a name="input_autoscaling_policies"></a> [autoscaling\_policies](#input\_autoscaling\_policies) | Map of autoscaling policies to create for the service | <pre>map(object({<br/>    name        = optional(string) # Will fall back to the key name if not provided<br/>    policy_type = optional(string, "TargetTrackingScaling")<br/>    predictive_scaling_policy_configuration = optional(object({<br/>      max_capacity_breach_behavior = optional(string)<br/>      max_capacity_buffer          = optional(number)<br/>      metric_specification = list(object({<br/>        customized_capacity_metric_specification = optional(object({<br/>          metric_data_query = list(object({<br/>            expression = optional(string)<br/>            id         = string<br/>            label      = optional(string)<br/>            metric_stat = optional(object({<br/>              metric = object({<br/>                dimension = optional(list(object({<br/>                  name  = string<br/>                  value = string<br/>                })))<br/>                metric_name = optional(string)<br/>                namespace   = optional(string)<br/>              })<br/>              stat = string<br/>              unit = optional(string)<br/>            }))<br/>            return_data = optional(bool)<br/>          }))<br/>        }))<br/>        customized_load_metric_specification = optional(object({<br/>          metric_data_query = list(object({<br/>            expression = optional(string)<br/>            id         = string<br/>            label      = optional(string)<br/>            metric_stat = optional(object({<br/>              metric = object({<br/>                dimension = optional(list(object({<br/>                  name  = string<br/>                  value = string<br/>                })))<br/>                metric_name = optional(string)<br/>                namespace   = optional(string)<br/>              })<br/>              stat = string<br/>              unit = optional(string)<br/>            }))<br/>            return_data = optional(bool)<br/>          }))<br/>        }))<br/>        customized_scaling_metric_specification = optional(object({<br/>          metric_data_query = list(object({<br/>            expression = optional(string)<br/>            id         = string<br/>            label      = optional(string)<br/>            metric_stat = optional(object({<br/>              metric = object({<br/>                dimension = optional(list(object({<br/>                  name  = string<br/>                  value = string<br/>                })))<br/>                metric_name = optional(string)<br/>                namespace   = optional(string)<br/>              })<br/>              stat = string<br/>              unit = optional(string)<br/>            }))<br/>            return_data = optional(bool)<br/>          }))<br/>        }))<br/>        predefined_load_metric_specification = optional(object({<br/>          predefined_metric_type = string<br/>          resource_label         = optional(string)<br/>        }))<br/>        predefined_metric_pair_specification = optional(object({<br/>          predefined_metric_type = string<br/>          resource_label         = optional(string)<br/>        }))<br/>        predefined_scaling_metric_specification = optional(object({<br/>          predefined_metric_type = string<br/>          resource_label         = optional(string)<br/>        }))<br/>        target_value = number<br/>      }))<br/>      mode                   = optional(string)<br/>      scheduling_buffer_time = optional(number)<br/>    }))<br/>    step_scaling_policy_configuration = optional(object({<br/>      adjustment_type          = optional(string)<br/>      cooldown                 = optional(number)<br/>      metric_aggregation_type  = optional(string)<br/>      min_adjustment_magnitude = optional(number)<br/>      step_adjustment = optional(list(object({<br/>        metric_interval_lower_bound = optional(string)<br/>        metric_interval_upper_bound = optional(string)<br/>        scaling_adjustment          = number<br/>      })))<br/>    }))<br/>    target_tracking_scaling_policy_configuration = optional(object({<br/>      customized_metric_specification = optional(object({<br/>        dimensions = optional(list(object({<br/>          name  = string<br/>          value = string<br/>        })))<br/>        metric_name = optional(string)<br/>        metrics = optional(list(object({<br/>          expression = optional(string)<br/>          id         = string<br/>          label      = optional(string)<br/>          metric_stat = optional(object({<br/>            metric = object({<br/>              dimensions = optional(list(object({<br/>                name  = string<br/>                value = string<br/>              })))<br/>              metric_name = string<br/>              namespace   = string<br/>            })<br/>            stat = string<br/>            unit = optional(string)<br/>          }))<br/>          return_data = optional(bool)<br/>        })))<br/>        namespace = optional(string)<br/>        statistic = optional(string)<br/>        unit      = optional(string)<br/>      }))<br/>      disable_scale_in = optional(bool)<br/>      predefined_metric_specification = optional(object({<br/>        predefined_metric_type = string<br/>        resource_label         = optional(string)<br/>      }))<br/>      scale_in_cooldown  = optional(number, 300)<br/>      scale_out_cooldown = optional(number, 60)<br/>      target_value       = optional(number, 75)<br/>    }))<br/>  }))</pre> | <pre>{<br/>  "cpu": {<br/>    "policy_type": "TargetTrackingScaling",<br/>    "target_tracking_scaling_policy_configuration": {<br/>      "predefined_metric_specification": {<br/>        "predefined_metric_type": "ECSServiceAverageCPUUtilization"<br/>      }<br/>    }<br/>  },<br/>  "memory": {<br/>    "policy_type": "TargetTrackingScaling",<br/>    "target_tracking_scaling_policy_configuration": {<br/>      "predefined_metric_specification": {<br/>        "predefined_metric_type": "ECSServiceAverageMemoryUtilization"<br/>      }<br/>    }<br/>  }<br/>}</pre> | no |
+| <a name="input_autoscaling_scheduled_actions"></a> [autoscaling\_scheduled\_actions](#input\_autoscaling\_scheduled\_actions) | Map of autoscaling scheduled actions to create for the service | <pre>map(object({<br/>    name         = optional(string)<br/>    min_capacity = number<br/>    max_capacity = number<br/>    schedule     = string<br/>    start_time   = optional(string)<br/>    end_time     = optional(string)<br/>    timezone     = optional(string)<br/>  }))</pre> | `null` | no |
+| <a name="input_autoscaling_suspended_state"></a> [autoscaling\_suspended\_state](#input\_autoscaling\_suspended\_state) | Configuration block that specifies whether the scaling activities for the service are in a suspended state | <pre>object({<br/>    dynamic_scaling_in_suspended  = optional(bool, false)<br/>    dynamic_scaling_out_suspended = optional(bool, false)<br/>    scheduled_scaling_suspended   = optional(bool, false)<br/>  })</pre> | `null` | no |
+| <a name="input_availability_zone_rebalancing"></a> [availability\_zone\_rebalancing](#input\_availability\_zone\_rebalancing) | ECS automatically redistributes tasks within a service across Availability Zones (AZs) to mitigate the risk of impaired application availability due to underlying infrastructure failures and task lifecycle activities. The valid values are `ENABLED` and `DISABLED`. Defaults to `DISABLED` | `string` | `null` | no |
+| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | The AWS region | `string` | `"eu-west-2"` | no |
+| <a name="input_capacity_provider_strategy"></a> [capacity\_provider\_strategy](#input\_capacity\_provider\_strategy) | Capacity provider strategies to use for the service. Can be one or more | <pre>map(object({<br/>    base              = optional(number)<br/>    capacity_provider = string<br/>    weight            = optional(number)<br/>  }))</pre> | `null` | no |
+| <a name="input_cluster_arn"></a> [cluster\_arn](#input\_cluster\_arn) | ARN of the ECS cluster where the resources will be provisioned | `string` | `""` | no |
+| <a name="input_container_definitions"></a> [container\_definitions](#input\_container\_definitions) | A map of valid container definitions <http://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html>. Please note that you should only provide values that are part of the container definition document | <pre>map(object({<br/>    create                  = optional(bool, true)<br/>    operating_system_family = optional(string)<br/>    tags                    = optional(map(string)) # Container definition<br/>    command                 = optional(list(string))<br/>    cpu                     = optional(number)<br/>    credentialSpecs         = optional(list(string))<br/>    dependsOn = optional(list(object({<br/>      condition     = string<br/>      containerName = string<br/>    })))<br/>    disableNetworking      = optional(bool)<br/>    dnsSearchDomains       = optional(list(string))<br/>    dnsServers             = optional(list(string))<br/>    dockerLabels           = optional(map(string))<br/>    dockerSecurityOptions  = optional(list(string))<br/>    enable_execute_command = optional(bool, false) # Set in standalone variable<br/>    entrypoint             = optional(list(string))<br/>    environment = optional(list(object({<br/>      name  = string<br/>      value = string<br/>    })))<br/>    environmentFiles = optional(list(object({<br/>      type  = string<br/>      value = string<br/>    })))<br/>    essential = optional(bool)<br/>    extraHosts = optional(list(object({<br/>      hostname  = string<br/>      ipAddress = string<br/>    })))<br/>    firelensConfiguration = optional(object({<br/>      options = optional(map(string))<br/>      type    = optional(string)<br/>    }))<br/>    healthCheck = optional(object({<br/>      command     = optional(list(string), [])<br/>      interval    = optional(number, 30)<br/>      retries     = optional(number, 3)<br/>      startPeriod = optional(number)<br/>      timeout     = optional(number, 5)<br/>    }))<br/>    hostname    = optional(string)<br/>    image       = optional(string)<br/>    interactive = optional(bool)<br/>    links       = optional(list(string))<br/>    linuxParameters = optional(object({<br/>      capabilities = optional(object({<br/>        add  = optional(list(string))<br/>        drop = optional(list(string))<br/>      }))<br/>      devices = optional(list(object({<br/>        containerPath = optional(string)<br/>        hostPath      = optional(string)<br/>        permissions   = optional(list(string))<br/>      })))<br/>      initProcessEnabled = optional(bool)<br/>      maxSwap            = optional(number)<br/>      sharedMemorySize   = optional(number)<br/>      swappiness         = optional(number)<br/>      tmpfs = optional(list(object({<br/>        containerPath = string<br/>        mountOptions  = optional(list(string))<br/>        size          = number<br/>      })))<br/>    }))<br/>    logConfiguration = optional(object({<br/>      logDriver = optional(string)<br/>      options   = optional(map(string))<br/>      secretOptions = optional(list(object({<br/>        name      = string<br/>        valueFrom = string<br/>      })))<br/>    }))<br/>    memory            = optional(number)<br/>    memoryReservation = optional(number)<br/>    mountPoints = optional(list(object({<br/>      containerPath = optional(string)<br/>      readOnly      = optional(bool)<br/>      sourceVolume  = optional(string)<br/>    })))<br/>    name = optional(string)<br/>    portMappings = optional(list(object({<br/>      appProtocol        = optional(string)<br/>      containerPort      = optional(number)<br/>      containerPortRange = optional(string)<br/>      hostPort           = optional(number)<br/>      name               = optional(string)<br/>      protocol           = optional(string)<br/>    })))<br/>    privileged             = optional(bool)<br/>    pseudoTerminal         = optional(bool)<br/>    readonlyRootFilesystem = optional(bool)<br/>    repositoryCredentials = optional(object({<br/>      credentialsParameter = optional(string)<br/>    }))<br/>    resourceRequirements = optional(list(object({<br/>      type  = string<br/>      value = string<br/>    })))<br/>    restartPolicy = optional(object({<br/>      enabled              = optional(bool)<br/>      ignoredExitCodes     = optional(list(number))<br/>      restartAttemptPeriod = optional(number)<br/>    }))<br/>    secrets = optional(list(object({<br/>      name      = string<br/>      valueFrom = string<br/>    })))<br/>    startTimeout = optional(number, 30)<br/>    stopTimeout  = optional(number, 120)<br/>    systemControls = optional(list(object({<br/>      namespace = optional(string)<br/>      value     = optional(string)<br/>    })))<br/>    ulimits = optional(list(object({<br/>      hardLimit = number<br/>      name      = string<br/>      softLimit = number<br/>    })))<br/>    user               = optional(string)<br/>    versionConsistency = optional(string)<br/>    volumesFrom = optional(list(object({<br/>      readOnly        = optional(bool)<br/>      sourceContainer = optional(string)<br/>    })))<br/>    workingDirectory = optional(string)<br/>    # Cloudwatch Log Group<br/>    service                                = optional(string)<br/>    enable_cloudwatch_logging              = optional(bool)<br/>    create_cloudwatch_log_group            = optional(bool)<br/>    cloudwatch_log_group_name              = optional(string)<br/>    cloudwatch_log_group_use_name_prefix   = optional(bool)<br/>    cloudwatch_log_group_class             = optional(string)<br/>    cloudwatch_log_group_retention_in_days = optional(number)<br/>    cloudwatch_log_group_kms_key_id        = optional(string)<br/>  }))</pre> | `{}` | no |
+| <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br/>See description of individual variables for details.<br/>Leave string and numeric variables as `null` to use default value.<br/>Individual variable settings (non-null) override settings in context object,<br/>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br/>  "additional_tag_map": {},<br/>  "attributes": [],<br/>  "delimiter": null,<br/>  "descriptor_formats": {},<br/>  "enabled": true,<br/>  "environment": null,<br/>  "id_length_limit": null,<br/>  "label_key_case": null,<br/>  "label_order": [],<br/>  "label_value_case": null,<br/>  "labels_as_tags": [<br/>    "unset"<br/>  ],<br/>  "name": null,<br/>  "project": null,<br/>  "regex_replace_chars": null,<br/>  "region": null,<br/>  "service": null,<br/>  "stack": null,<br/>  "tags": {},<br/>  "terraform_source": null,<br/>  "workspace": null<br/>}</pre> | no |
+| <a name="input_cpu"></a> [cpu](#input\_cpu) | Number of cpu units used by the task. If the `requires_compatibilities` is `FARGATE` this field is required | `number` | `1024` | no |
+| <a name="input_create_iam_role"></a> [create\_iam\_role](#input\_create\_iam\_role) | Determines whether the ECS service IAM role should be created | `bool` | `true` | no |
+| <a name="input_create_infrastructure_iam_role"></a> [create\_infrastructure\_iam\_role](#input\_create\_infrastructure\_iam\_role) | Determines whether the ECS infrastructure IAM role should be created | `bool` | `true` | no |
+| <a name="input_create_security_group"></a> [create\_security\_group](#input\_create\_security\_group) | Determines if a security group is created | `bool` | `true` | no |
+| <a name="input_create_service"></a> [create\_service](#input\_create\_service) | Determines whether service resource will be created (set to `false` in case you want to create task definition only) | `bool` | `true` | no |
+| <a name="input_create_task_definition"></a> [create\_task\_definition](#input\_create\_task\_definition) | Determines whether to create a task definition or use existing/provided | `bool` | `true` | no |
+| <a name="input_create_task_exec_iam_role"></a> [create\_task\_exec\_iam\_role](#input\_create\_task\_exec\_iam\_role) | Determines whether the ECS task definition IAM role should be created | `bool` | `true` | no |
+| <a name="input_create_task_exec_policy"></a> [create\_task\_exec\_policy](#input\_create\_task\_exec\_policy) | Determines whether the ECS task definition IAM policy should be created. This includes permissions included in AmazonECSTaskExecutionRolePolicy as well as access to secrets and SSM parameters | `bool` | `true` | no |
+| <a name="input_create_tasks_iam_role"></a> [create\_tasks\_iam\_role](#input\_create\_tasks\_iam\_role) | Determines whether the ECS tasks IAM role should be created | `bool` | `true` | no |
+| <a name="input_data_classification"></a> [data\_classification](#input\_data\_classification) | Used to identify the data classification of the resource, e.g 1-5 | `string` | `"n/a"` | no |
+| <a name="input_data_type"></a> [data\_type](#input\_data\_type) | The tag data\_type | `string` | `"None"` | no |
+| <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.<br/>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
+| <a name="input_deployment_circuit_breaker"></a> [deployment\_circuit\_breaker](#input\_deployment\_circuit\_breaker) | Configuration block for deployment circuit breaker | <pre>object({<br/>    enable   = bool<br/>    rollback = bool<br/>  })</pre> | `null` | no |
+| <a name="input_deployment_configuration"></a> [deployment\_configuration](#input\_deployment\_configuration) | Configuration block for deployment settings | <pre>object({<br/>    strategy             = optional(string)<br/>    bake_time_in_minutes = optional(string)<br/>    canary_configuration = optional(object({<br/>      canary_bake_time_in_minutes = optional(string)<br/>      canary_percent              = optional(string)<br/>    }))<br/>    linear_configuration = optional(object({<br/>      step_bake_time_in_minutes = optional(string)<br/>      step_percent              = optional(string)<br/>    }))<br/>    lifecycle_hook = optional(map(object({<br/>      hook_target_arn  = string<br/>      role_arn         = optional(string)<br/>      lifecycle_stages = list(string)<br/>      hook_details     = optional(string)<br/>    })))<br/>  })</pre> | `null` | no |
+| <a name="input_deployment_controller"></a> [deployment\_controller](#input\_deployment\_controller) | Configuration block for deployment controller configuration | <pre>object({<br/>    type = optional(string)<br/>  })</pre> | `null` | no |
+| <a name="input_deployment_maximum_percent"></a> [deployment\_maximum\_percent](#input\_deployment\_maximum\_percent) | Upper limit (as a percentage of the service's `desired_count`) of the number of running tasks that can be running in a service during a deployment | `number` | `200` | no |
+| <a name="input_deployment_minimum_healthy_percent"></a> [deployment\_minimum\_healthy\_percent](#input\_deployment\_minimum\_healthy\_percent) | Lower limit (as a percentage of the service's `desired_count`) of the number of running tasks that must remain running and healthy in a service during a deployment | `number` | `66` | no |
+| <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br/>Map of maps. Keys are names of descriptors. Values are maps of the form<br/>`{<br/>    format = string<br/>    labels = list(string)<br/>}`<br/>(Type is `any` so the map values can later be enhanced to provide additional options.)<br/>`format` is a Terraform format string to be passed to the `format()` function.<br/>`labels` is a list of labels, in order, to pass to `format()` function.<br/>Label values will be normalized before being passed to `format()` so they will be<br/>identical to how they appear in `id`.<br/>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
+| <a name="input_desired_count"></a> [desired\_count](#input\_desired\_count) | Number of instances of the task definition to place and keep running | `number` | `1` | no |
+| <a name="input_enable_autoscaling"></a> [enable\_autoscaling](#input\_enable\_autoscaling) | Determines whether to enable autoscaling for the service | `bool` | `true` | no |
+| <a name="input_enable_ecs_managed_tags"></a> [enable\_ecs\_managed\_tags](#input\_enable\_ecs\_managed\_tags) | Specifies whether to enable Amazon ECS managed tags for the tasks within the service | `bool` | `true` | no |
+| <a name="input_enable_execute_command"></a> [enable\_execute\_command](#input\_enable\_execute\_command) | Specifies whether to enable Amazon ECS Exec for the tasks within the service | `bool` | `false` | no |
+| <a name="input_enable_fault_injection"></a> [enable\_fault\_injection](#input\_enable\_fault\_injection) | Enables fault injection and allows for fault injection requests to be accepted from the task's containers. Default is `false` | `bool` | `null` | no |
+| <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used to indicate role, e.g. 'prd', 'dev', 'test', 'preprod', 'prod', 'uat' | `string` | `null` | no |
+| <a name="input_ephemeral_storage"></a> [ephemeral\_storage](#input\_ephemeral\_storage) | The amount of ephemeral storage to allocate for the task. This parameter is used to expand the total amount of ephemeral storage available, beyond the default amount, for tasks hosted on AWS Fargate | <pre>object({<br/>    size_in_gib = number<br/>  })</pre> | `null` | no |
+| <a name="input_external_id"></a> [external\_id](#input\_external\_id) | The external ID associated with the task set | `string` | `null` | no |
+| <a name="input_force_delete"></a> [force\_delete](#input\_force\_delete) | Enable to delete a service even if it wasn't scaled down to zero tasks. It's only necessary to use this if the service uses the `REPLICA` scheduling strategy | `bool` | `null` | no |
+| <a name="input_force_new_deployment"></a> [force\_new\_deployment](#input\_force\_new\_deployment) | Enable to force a new task deployment of the service. This can be used to update tasks to use a newer Docker image with same image/tag combination, roll Fargate tasks onto a newer platform version, or immediately deploy `ordered_placement_strategy` and `placement_constraints` updates | `bool` | `true` | no |
+| <a name="input_health_check_grace_period_seconds"></a> [health\_check\_grace\_period\_seconds](#input\_health\_check\_grace\_period\_seconds) | Seconds to ignore failing load balancer health checks on newly instantiated tasks to prevent premature shutdown, up to 2147483647. Only valid for services configured to use load balancers | `number` | `null` | no |
+| <a name="input_iam_role_arn"></a> [iam\_role\_arn](#input\_iam\_role\_arn) | Existing IAM role ARN | `string` | `null` | no |
+| <a name="input_iam_role_description"></a> [iam\_role\_description](#input\_iam\_role\_description) | Description of the role | `string` | `null` | no |
+| <a name="input_iam_role_name"></a> [iam\_role\_name](#input\_iam\_role\_name) | Name to use on IAM role created | `string` | `null` | no |
+| <a name="input_iam_role_path"></a> [iam\_role\_path](#input\_iam\_role\_path) | IAM role path | `string` | `null` | no |
+| <a name="input_iam_role_permissions_boundary"></a> [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
+| <a name="input_iam_role_statements"></a> [iam\_role\_statements](#input\_iam\_role\_statements) | A map of IAM policy statements <https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement> for custom permission usage | <pre>list(object({<br/>    sid           = optional(string)<br/>    actions       = optional(list(string))<br/>    not_actions   = optional(list(string))<br/>    effect        = optional(string)<br/>    resources     = optional(list(string))<br/>    not_resources = optional(list(string))<br/>    principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    not_principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    condition = optional(list(object({<br/>      test     = string<br/>      values   = list(string)<br/>      variable = string<br/>    })))<br/>  }))</pre> | `null` | no |
+| <a name="input_iam_role_tags"></a> [iam\_role\_tags](#input\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
+| <a name="input_iam_role_use_name_prefix"></a> [iam\_role\_use\_name\_prefix](#input\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`iam_role_name`) is used as a prefix | `bool` | `true` | no |
+| <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br/>Set to `0` for unlimited length.<br/>Set to `null` for keep the existing setting, which defaults to `0`.<br/>Does not affect `id_full`. | `number` | `null` | no |
+| <a name="input_ignore_task_definition_changes"></a> [ignore\_task\_definition\_changes](#input\_ignore\_task\_definition\_changes) | Whether changes to service `task_definition` changes should be ignored | `bool` | `false` | no |
+| <a name="input_infrastructure_iam_role_arn"></a> [infrastructure\_iam\_role\_arn](#input\_infrastructure\_iam\_role\_arn) | Existing IAM role ARN | `string` | `null` | no |
+| <a name="input_infrastructure_iam_role_description"></a> [infrastructure\_iam\_role\_description](#input\_infrastructure\_iam\_role\_description) | Description of the role | `string` | `null` | no |
+| <a name="input_infrastructure_iam_role_name"></a> [infrastructure\_iam\_role\_name](#input\_infrastructure\_iam\_role\_name) | Name to use on IAM role created | `string` | `null` | no |
+| <a name="input_infrastructure_iam_role_path"></a> [infrastructure\_iam\_role\_path](#input\_infrastructure\_iam\_role\_path) | IAM role path | `string` | `null` | no |
+| <a name="input_infrastructure_iam_role_permissions_boundary"></a> [infrastructure\_iam\_role\_permissions\_boundary](#input\_infrastructure\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
+| <a name="input_infrastructure_iam_role_tags"></a> [infrastructure\_iam\_role\_tags](#input\_infrastructure\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
+| <a name="input_infrastructure_iam_role_use_name_prefix"></a> [infrastructure\_iam\_role\_use\_name\_prefix](#input\_infrastructure\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`iam_role_name`) is used as a prefix | `bool` | `true` | no |
+| <a name="input_ipc_mode"></a> [ipc\_mode](#input\_ipc\_mode) | IPC resource namespace to be used for the containers in the task The valid values are `host`, `task`, and `none` | `string` | `null` | no |
+| <a name="input_label_key_case"></a> [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.<br/>Does not affect keys of tags passed in via the `tags` input.<br/>Possible values: `lower`, `title`, `upper`.<br/>Default value: `title`. | `string` | `null` | no |
+| <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.<br/>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br/>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
+| <a name="input_label_value_case"></a> [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,<br/>set as tag values, and output by this module individually.<br/>Does not affect values of tags passed in via the `tags` input.<br/>Possible values: `lower`, `title`, `upper` and `none` (no transformation).<br/>Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.<br/>Default value: `lower`. | `string` | `null` | no |
+| <a name="input_labels_as_tags"></a> [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.<br/>Default is to include all labels.<br/>Tags with empty values will not be included in the `tags` output.<br/>Set to `[]` to suppress all generated tags.<br/>**Notes:**<br/>  The value of the `name` tag, if included, will be the `id`, not the `name`.<br/>  Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be<br/>  changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | <pre>[<br/>  "default"<br/>]</pre> | no |
+| <a name="input_launch_type"></a> [launch\_type](#input\_launch\_type) | Launch type on which to run your service. The valid values are `EC2`, `FARGATE`, and `EXTERNAL`. Defaults to `FARGATE` | `string` | `"FARGATE"` | no |
+| <a name="input_load_balancer"></a> [load\_balancer](#input\_load\_balancer) | Configuration block for load balancers | <pre>map(object({<br/>    container_name   = string<br/>    container_port   = number<br/>    elb_name         = optional(string)<br/>    target_group_arn = optional(string)<br/>    advanced_configuration = optional(object({<br/>      alternate_target_group_arn = string<br/>      production_listener_rule   = string # Should be optional but bug in provider<br/>      role_arn                   = optional(string)<br/>      test_listener_rule         = optional(string)<br/>    }))<br/>  }))</pre> | `null` | no |
+| <a name="input_memory"></a> [memory](#input\_memory) | Amount of memory (in MiB) used by the task. If the `requires_compatibilities` is `FARGATE` this field is required | `number` | `2048` | no |
+| <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br/>This is the only ID element not also included as a `tag`.<br/>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
+| <a name="input_network_mode"></a> [network\_mode](#input\_network\_mode) | Docker networking mode to use for the containers in the task. Valid values are `none`, `bridge`, `awsvpc`, and `host` | `string` | `"awsvpc"` | no |
+| <a name="input_on_off_pattern"></a> [on\_off\_pattern](#input\_on\_off\_pattern) | Used to turn resources on and off based on a time pattern | `string` | `"n/a"` | no |
+| <a name="input_ordered_placement_strategy"></a> [ordered\_placement\_strategy](#input\_ordered\_placement\_strategy) | Service level strategy rules that are taken into consideration during task placement. List from top to bottom in order of precedence | <pre>list(object({<br/>    field = optional(string)<br/>    type  = string<br/>  }))</pre> | `null` | no |
+| <a name="input_owner"></a> [owner](#input\_owner) | The name and or NHS.net email address of the service owner | `string` | `"None"` | no |
+| <a name="input_pid_mode"></a> [pid\_mode](#input\_pid\_mode) | Process namespace to use for the containers in the task. The valid values are `host` and `task` | `string` | `null` | no |
+| <a name="input_placement_constraints"></a> [placement\_constraints](#input\_placement\_constraints) | Configuration block for rules that are taken into consideration during task placement (up to max of 10). This is set at the service, see `task_definition_placement_constraints` for setting at the task definition | <pre>map(object({<br/>    expression = optional(string)<br/>    type       = string<br/>  }))</pre> | `null` | no |
+| <a name="input_platform_version"></a> [platform\_version](#input\_platform\_version) | Platform version on which to run your service. Only applicable for `launch_type` set to `FARGATE`. Defaults to `LATEST` | `string` | `null` | no |
+| <a name="input_project"></a> [project](#input\_project) | ID element. A project identifier, indicating the name or role of the project the resource is for, such as `website` or `api` | `string` | `null` | no |
+| <a name="input_propagate_tags"></a> [propagate\_tags](#input\_propagate\_tags) | Specifies whether to propagate the tags from the task definition or the service to the tasks. The valid values are `SERVICE` and `TASK_DEFINITION` | `string` | `null` | no |
+| <a name="input_proxy_configuration"></a> [proxy\_configuration](#input\_proxy\_configuration) | Configuration block for the App Mesh proxy | <pre>object({<br/>    container_name = string<br/>    properties     = optional(map(string))<br/>    type           = optional(string)<br/>  })</pre> | `null` | no |
+| <a name="input_public_facing"></a> [public\_facing](#input\_public\_facing) | Whether this resource is public facing | `bool` | `false` | no |
+| <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br/>Characters matching the regex will be removed from the ID elements.<br/>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
+| <a name="input_region"></a> [region](#input\_region) | ID element \_(Rarely used, not included by default)\_.  Usually an abbreviation of the selected AWS region e.g. 'uw2', 'ew2' or 'gbl' for resources like IAM roles that have no region | `string` | `null` | no |
+| <a name="input_requires_compatibilities"></a> [requires\_compatibilities](#input\_requires\_compatibilities) | Set of launch types required by the task. The valid values are `EC2`, `FARGATE`, `EXTERNAL`, and `MANAGED_INSTANCES` | `list(string)` | <pre>[<br/>  "FARGATE"<br/>]</pre> | no |
+| <a name="input_runtime_platform"></a> [runtime\_platform](#input\_runtime\_platform) | Configuration block for `runtime_platform` that containers in your task may use | <pre>object({<br/>    cpu_architecture        = optional(string, "X86_64")<br/>    operating_system_family = optional(string, "LINUX")<br/>  })</pre> | `{}` | no |
+| <a name="input_scale"></a> [scale](#input\_scale) | A floating-point percentage of the desired number of tasks to place and keep running in the task set | <pre>object({<br/>    unit  = optional(string)<br/>    value = optional(number)<br/>  })</pre> | `null` | no |
+| <a name="input_scheduling_strategy"></a> [scheduling\_strategy](#input\_scheduling\_strategy) | Scheduling strategy to use for the service. The valid values are `REPLICA` and `DAEMON`. Defaults to `REPLICA` | `string` | `null` | no |
+| <a name="input_security_group_description"></a> [security\_group\_description](#input\_security\_group\_description) | Description of the security group created | `string` | `null` | no |
+| <a name="input_security_group_egress_rules"></a> [security\_group\_egress\_rules](#input\_security\_group\_egress\_rules) | Security group egress rules to add to the security group created | <pre>map(object({<br/>    name                         = optional(string)<br/>    cidr_ipv4                    = optional(string)<br/>    cidr_ipv6                    = optional(string)<br/>    description                  = optional(string)<br/>    from_port                    = optional(string)<br/>    ip_protocol                  = optional(string, "tcp")<br/>    prefix_list_id               = optional(string)<br/>    referenced_security_group_id = optional(string)<br/>    tags                         = optional(map(string), {})<br/>    to_port                      = optional(string)<br/>  }))</pre> | `{}` | no |
+| <a name="input_security_group_ids"></a> [security\_group\_ids](#input\_security\_group\_ids) | List of security groups to associate with the task or service | `list(string)` | `[]` | no |
+| <a name="input_security_group_ingress_rules"></a> [security\_group\_ingress\_rules](#input\_security\_group\_ingress\_rules) | Security group ingress rules to add to the security group created | <pre>map(object({<br/>    name                         = optional(string)<br/>    cidr_ipv4                    = optional(string)<br/>    cidr_ipv6                    = optional(string)<br/>    description                  = optional(string)<br/>    from_port                    = optional(string)<br/>    ip_protocol                  = optional(string, "tcp")<br/>    prefix_list_id               = optional(string)<br/>    referenced_security_group_id = optional(string)<br/>    tags                         = optional(map(string), {})<br/>    to_port                      = optional(string)<br/>  }))</pre> | `{}` | no |
+| <a name="input_security_group_name"></a> [security\_group\_name](#input\_security\_group\_name) | Name to use on security group created | `string` | `null` | no |
+| <a name="input_security_group_tags"></a> [security\_group\_tags](#input\_security\_group\_tags) | A map of additional tags to add to the security group created | `map(string)` | `{}` | no |
+| <a name="input_security_group_use_name_prefix"></a> [security\_group\_use\_name\_prefix](#input\_security\_group\_use\_name\_prefix) | Determines whether the security group name (`security_group_name`) is used as a prefix | `bool` | `true` | no |
+| <a name="input_service"></a> [service](#input\_service) | ID element. Usually an abbreviation of your service directorate name, e.g. 'bcss' or 'csms', to help ensure generated IDs are globally unique | `string` | `null` | no |
+| <a name="input_service_category"></a> [service\_category](#input\_service\_category) | The tag service\_category | `string` | `"n/a"` | no |
+| <a name="input_service_connect_configuration"></a> [service\_connect\_configuration](#input\_service\_connect\_configuration) | The ECS Service Connect configuration for this service to discover and connect to services, and be discovered by, and connected from, other services within a namespace | <pre>object({<br/>    enabled = optional(bool, true)<br/>    access_log_configuration = optional(object({<br/>      format                   = string<br/>      include_query_parameters = optional(string)<br/>    }))<br/>    log_configuration = optional(object({<br/>      log_driver = string<br/>      options    = optional(map(string))<br/>      secret_option = optional(list(object({<br/>        name       = string<br/>        value_from = string<br/>      })))<br/>    }))<br/>    namespace = optional(string)<br/>    service = optional(list(object({<br/>      client_alias = optional(object({<br/>        dns_name = optional(string)<br/>        port     = number<br/>        test_traffic_rules = optional(list(object({<br/>          header = optional(object({<br/>            name = string<br/>            value = object({<br/>              exact = string<br/>            })<br/>          }))<br/>        })))<br/>      }))<br/>      discovery_name        = optional(string)<br/>      ingress_port_override = optional(number)<br/>      port_name             = string<br/>      timeout = optional(object({<br/>        idle_timeout_seconds        = optional(number)<br/>        per_request_timeout_seconds = optional(number)<br/>      }))<br/>      tls = optional(object({<br/>        issuer_cert_authority = object({<br/>          aws_pca_authority_arn = string<br/>        })<br/>        kms_key  = optional(string)<br/>        role_arn = optional(string)<br/>      }))<br/>    })))<br/>  })</pre> | `null` | no |
+| <a name="input_service_name"></a> [service\_name](#input\_service\_name) | Name of the service | `string` | `null` | no |
+| <a name="input_service_registries"></a> [service\_registries](#input\_service\_registries) | Service discovery registries for the service | <pre>object({<br/>    container_name = optional(string)<br/>    container_port = optional(number)<br/>    port           = optional(number)<br/>    registry_arn   = string<br/>  })</pre> | `null` | no |
+| <a name="input_service_tags"></a> [service\_tags](#input\_service\_tags) | A map of additional tags to add to the service | `map(string)` | `{}` | no |
+| <a name="input_sigint_rollback"></a> [sigint\_rollback](#input\_sigint\_rollback) | Whether to enable graceful termination of deployments using SIGINT signals. Only applicable when using ECS deployment controller and requires wait\_for\_steady\_state = true. Default is false | `bool` | `null` | no |
+| <a name="input_skip_destroy"></a> [skip\_destroy](#input\_skip\_destroy) | If true, the task is not deleted when the service is deleted | `bool` | `null` | no |
+| <a name="input_stack"></a> [stack](#input\_stack) | ID element. The name of the stack/component, e.g. `database`, `web`, `waf`, `eks` | `string` | `null` | no |
+| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | List of subnets to associate with the task or service | `list(string)` | `[]` | no |
+| <a name="input_tag_version"></a> [tag\_version](#input\_tag\_version) | Used to identify the tagging version in use | `string` | `"1.0"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).<br/>Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
+| <a name="input_task_definition_arn"></a> [task\_definition\_arn](#input\_task\_definition\_arn) | Existing task definition ARN. Required when `create_task_definition` is `false` | `string` | `null` | no |
+| <a name="input_task_definition_placement_constraints"></a> [task\_definition\_placement\_constraints](#input\_task\_definition\_placement\_constraints) | Configuration block for rules that are taken into consideration during task placement (up to max of 10). This is set at the task definition, see `placement_constraints` for setting at the service | <pre>map(object({<br/>    expression = optional(string)<br/>    type       = string<br/>  }))</pre> | `null` | no |
+| <a name="input_task_exec_iam_policy_path"></a> [task\_exec\_iam\_policy\_path](#input\_task\_exec\_iam\_policy\_path) | Path for the iam role | `string` | `null` | no |
+| <a name="input_task_exec_iam_role_arn"></a> [task\_exec\_iam\_role\_arn](#input\_task\_exec\_iam\_role\_arn) | Existing IAM role ARN | `string` | `null` | no |
+| <a name="input_task_exec_iam_role_description"></a> [task\_exec\_iam\_role\_description](#input\_task\_exec\_iam\_role\_description) | Description of the role | `string` | `null` | no |
+| <a name="input_task_exec_iam_role_max_session_duration"></a> [task\_exec\_iam\_role\_max\_session\_duration](#input\_task\_exec\_iam\_role\_max\_session\_duration) | Maximum session duration (in seconds) for ECS task execution role. Default is 3600. | `number` | `null` | no |
+| <a name="input_task_exec_iam_role_name"></a> [task\_exec\_iam\_role\_name](#input\_task\_exec\_iam\_role\_name) | Name to use on IAM role created | `string` | `null` | no |
+| <a name="input_task_exec_iam_role_path"></a> [task\_exec\_iam\_role\_path](#input\_task\_exec\_iam\_role\_path) | IAM role path | `string` | `null` | no |
+| <a name="input_task_exec_iam_role_permissions_boundary"></a> [task\_exec\_iam\_role\_permissions\_boundary](#input\_task\_exec\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
+| <a name="input_task_exec_iam_role_policies"></a> [task\_exec\_iam\_role\_policies](#input\_task\_exec\_iam\_role\_policies) | Map of IAM role policy ARNs to attach to the IAM role | `map(string)` | `null` | no |
+| <a name="input_task_exec_iam_role_tags"></a> [task\_exec\_iam\_role\_tags](#input\_task\_exec\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
+| <a name="input_task_exec_iam_role_use_name_prefix"></a> [task\_exec\_iam\_role\_use\_name\_prefix](#input\_task\_exec\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`task_exec_iam_role_name`) is used as a prefix | `bool` | `true` | no |
+| <a name="input_task_exec_iam_statements"></a> [task\_exec\_iam\_statements](#input\_task\_exec\_iam\_statements) | A map of IAM policy statements <https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement> for custom permission usage | <pre>list(object({<br/>    sid           = optional(string)<br/>    actions       = optional(list(string))<br/>    not_actions   = optional(list(string))<br/>    effect        = optional(string)<br/>    resources     = optional(list(string))<br/>    not_resources = optional(list(string))<br/>    principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    not_principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    condition = optional(list(object({<br/>      test     = string<br/>      values   = list(string)<br/>      variable = string<br/>    })))<br/>  }))</pre> | `null` | no |
+| <a name="input_task_exec_secret_arns"></a> [task\_exec\_secret\_arns](#input\_task\_exec\_secret\_arns) | List of SecretsManager secret ARNs the task execution role will be permitted to get/read | `list(string)` | `[]` | no |
+| <a name="input_task_exec_ssm_param_arns"></a> [task\_exec\_ssm\_param\_arns](#input\_task\_exec\_ssm\_param\_arns) | List of SSM parameter ARNs the task execution role will be permitted to get/read | `list(string)` | `[]` | no |
+| <a name="input_task_tags"></a> [task\_tags](#input\_task\_tags) | A map of additional tags to add to the task definition/set created | `map(string)` | `{}` | no |
+| <a name="input_tasks_iam_role_arn"></a> [tasks\_iam\_role\_arn](#input\_tasks\_iam\_role\_arn) | Existing IAM role ARN | `string` | `null` | no |
+| <a name="input_tasks_iam_role_description"></a> [tasks\_iam\_role\_description](#input\_tasks\_iam\_role\_description) | Description of the role | `string` | `null` | no |
+| <a name="input_tasks_iam_role_max_session_duration"></a> [tasks\_iam\_role\_max\_session\_duration](#input\_tasks\_iam\_role\_max\_session\_duration) | Maximum session duration (in seconds) for ECS tasks role. Default is 3600. | `number` | `null` | no |
+| <a name="input_tasks_iam_role_name"></a> [tasks\_iam\_role\_name](#input\_tasks\_iam\_role\_name) | Name to use on IAM role created | `string` | `null` | no |
+| <a name="input_tasks_iam_role_path"></a> [tasks\_iam\_role\_path](#input\_tasks\_iam\_role\_path) | IAM role path | `string` | `null` | no |
+| <a name="input_tasks_iam_role_permissions_boundary"></a> [tasks\_iam\_role\_permissions\_boundary](#input\_tasks\_iam\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
+| <a name="input_tasks_iam_role_policies"></a> [tasks\_iam\_role\_policies](#input\_tasks\_iam\_role\_policies) | Map of additional IAM role policy ARNs to attach to the IAM role | `map(string)` | `null` | no |
+| <a name="input_tasks_iam_role_statements"></a> [tasks\_iam\_role\_statements](#input\_tasks\_iam\_role\_statements) | A map of IAM policy statements <https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement> for custom permission usage | <pre>list(object({<br/>    sid           = optional(string)<br/>    actions       = optional(list(string))<br/>    not_actions   = optional(list(string))<br/>    effect        = optional(string)<br/>    resources     = optional(list(string))<br/>    not_resources = optional(list(string))<br/>    principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    not_principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    condition = optional(list(object({<br/>      test     = string<br/>      values   = list(string)<br/>      variable = string<br/>    })))<br/>  }))</pre> | `null` | no |
+| <a name="input_tasks_iam_role_tags"></a> [tasks\_iam\_role\_tags](#input\_tasks\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
+| <a name="input_tasks_iam_role_use_name_prefix"></a> [tasks\_iam\_role\_use\_name\_prefix](#input\_tasks\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`tasks_iam_role_name`) is used as a prefix | `bool` | `true` | no |
+| <a name="input_terraform_source"></a> [terraform\_source](#input\_terraform\_source) | Source location to record in the Terraform\_source tag. Defaults to this module path. | `string` | `null` | no |
+| <a name="input_timeouts"></a> [timeouts](#input\_timeouts) | Create, update, and delete timeout configurations for the service | <pre>object({<br/>    create = optional(string)<br/>    delete = optional(string)<br/>    update = optional(string)<br/>  })</pre> | `null` | no |
+| <a name="input_tool"></a> [tool](#input\_tool) | The tool used to deploy the resource | `string` | `"Terraform"` | no |
+| <a name="input_track_latest"></a> [track\_latest](#input\_track\_latest) | Whether should track latest `ACTIVE` task definition on AWS or the one created with the resource stored in state. Useful in the event the task definition is modified outside of this resource | `bool` | `true` | no |
+| <a name="input_triggers"></a> [triggers](#input\_triggers) | Map of arbitrary keys and values that, when changed, will trigger an in-place update (redeployment). Useful with `timestamp()` | `map(string)` | `null` | no |
+| <a name="input_volume"></a> [volume](#input\_volume) | Configuration block for volumes that containers in your task may use | <pre>map(object({<br/>    configure_at_launch = optional(bool)<br/>    docker_volume_configuration = optional(object({<br/>      autoprovision = optional(bool)<br/>      driver        = optional(string)<br/>      driver_opts   = optional(map(string))<br/>      labels        = optional(map(string))<br/>      scope         = optional(string)<br/>    }))<br/>    efs_volume_configuration = optional(object({<br/>      authorization_config = optional(object({<br/>        access_point_id = optional(string)<br/>        iam             = optional(string)<br/>      }))<br/>      file_system_id          = string<br/>      root_directory          = optional(string)<br/>      transit_encryption      = optional(string)<br/>      transit_encryption_port = optional(number)<br/>    }))<br/>    fsx_windows_file_server_volume_configuration = optional(object({<br/>      authorization_config = optional(object({<br/>        credentials_parameter = string<br/>        domain                = string<br/>      }))<br/>      file_system_id = string<br/>      root_directory = string<br/>    }))<br/>    host_path = optional(string)<br/>    name      = optional(string)<br/>  }))</pre> | `null` | no |
+| <a name="input_volume_configuration"></a> [volume\_configuration](#input\_volume\_configuration) | Configuration for a volume specified in the task definition as a volume that is configured at launch time | <pre>object({<br/>    name = string<br/>    managed_ebs_volume = object({<br/>      encrypted        = optional(bool)<br/>      file_system_type = optional(string)<br/>      iops             = optional(number)<br/>      kms_key_id       = optional(string)<br/>      size_in_gb       = optional(number)<br/>      snapshot_id      = optional(string)<br/>      tag_specifications = optional(list(object({<br/>        propagate_tags = optional(string, "TASK_DEFINITION")<br/>        resource_type  = string<br/>        tags           = optional(map(string))<br/>      })))<br/>      throughput                 = optional(number)<br/>      volume_initialization_rate = optional(number)<br/>      volume_type                = optional(string)<br/>    })<br/>  })</pre> | `null` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The VPC ID where to deploy the task or service. If not provided, the VPC ID is derived from the subnets provided | `string` | `null` | no |
+| <a name="input_vpc_lattice_configurations"></a> [vpc\_lattice\_configurations](#input\_vpc\_lattice\_configurations) | The VPC Lattice configuration for your service that allows Lattice to connect, secure, and monitor your service across multiple accounts and VPCs | <pre>object({<br/>    role_arn         = string<br/>    target_group_arn = string<br/>    port_name        = string<br/>  })</pre> | `null` | no |
+| <a name="input_wait_for_steady_state"></a> [wait\_for\_steady\_state](#input\_wait\_for\_steady\_state) | If true, Terraform will wait for the service to reach a steady state before continuing. Default is `false` | `bool` | `null` | no |
+| <a name="input_wait_until_stable"></a> [wait\_until\_stable](#input\_wait\_until\_stable) | Whether terraform should wait until the task set has reached `STEADY_STATE` | `bool` | `null` | no |
+| <a name="input_wait_until_stable_timeout"></a> [wait\_until\_stable\_timeout](#input\_wait\_until\_stable\_timeout) | Wait timeout for task set to reach `STEADY_STATE`. Valid time units include `ns`, `us` (or µs), `ms`, `s`, `m`, and `h`. Default `10m` | `string` | `null` | no |
+| <a name="input_workspace"></a> [workspace](#input\_workspace) | ID element. The Terraform workspace, to help ensure generated IDs are unique across workspaces | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+| ---- | ----------- |
+| <a name="output_autoscaling_policies"></a> [autoscaling\_policies](#output\_autoscaling\_policies) | Map of autoscaling policies and their attributes |
+| <a name="output_autoscaling_scheduled_actions"></a> [autoscaling\_scheduled\_actions](#output\_autoscaling\_scheduled\_actions) | Map of autoscaling scheduled actions and their attributes |
+| <a name="output_container_definitions"></a> [container\_definitions](#output\_container\_definitions) | Container definitions |
+| <a name="output_ecs_service_id"></a> [ecs\_service\_id](#output\_ecs\_service\_id) | ARN that identifies the service |
+| <a name="output_ecs_service_name"></a> [ecs\_service\_name](#output\_ecs\_service\_name) | Name of the service |
+| <a name="output_iam_role_arn"></a> [iam\_role\_arn](#output\_iam\_role\_arn) | Service IAM role ARN |
+| <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | Service IAM role name |
+| <a name="output_iam_role_unique_id"></a> [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the service IAM role |
+| <a name="output_infrastructure_iam_role_arn"></a> [infrastructure\_iam\_role\_arn](#output\_infrastructure\_iam\_role\_arn) | Infrastructure IAM role ARN |
+| <a name="output_infrastructure_iam_role_name"></a> [infrastructure\_iam\_role\_name](#output\_infrastructure\_iam\_role\_name) | Infrastructure IAM role name |
+| <a name="output_security_group_arn"></a> [security\_group\_arn](#output\_security\_group\_arn) | ARN of the security group |
+| <a name="output_security_group_id"></a> [security\_group\_id](#output\_security\_group\_id) | ID of the security group |
+| <a name="output_task_definition_arn"></a> [task\_definition\_arn](#output\_task\_definition\_arn) | Full ARN of the Task Definition (including both `family` and `revision`) |
+| <a name="output_task_definition_family"></a> [task\_definition\_family](#output\_task\_definition\_family) | The unique name of the task definition |
+| <a name="output_task_definition_revision"></a> [task\_definition\_revision](#output\_task\_definition\_revision) | Revision of the task in a particular family |
+| <a name="output_task_exec_iam_role_arn"></a> [task\_exec\_iam\_role\_arn](#output\_task\_exec\_iam\_role\_arn) | Task execution IAM role ARN |
+| <a name="output_task_exec_iam_role_name"></a> [task\_exec\_iam\_role\_name](#output\_task\_exec\_iam\_role\_name) | Task execution IAM role name |
+| <a name="output_task_exec_iam_role_unique_id"></a> [task\_exec\_iam\_role\_unique\_id](#output\_task\_exec\_iam\_role\_unique\_id) | Stable and unique string identifying the task execution IAM role |
+| <a name="output_task_set_arn"></a> [task\_set\_arn](#output\_task\_set\_arn) | The ARN that identifies the task set |
+| <a name="output_task_set_id"></a> [task\_set\_id](#output\_task\_set\_id) | The ID of the task set |
+| <a name="output_task_set_stability_status"></a> [task\_set\_stability\_status](#output\_task\_set\_stability\_status) | The stability status. This indicates whether the task set has reached a steady state |
+| <a name="output_task_set_status"></a> [task\_set\_status](#output\_task\_set\_status) | The status of the task set |
+| <a name="output_tasks_iam_role_arn"></a> [tasks\_iam\_role\_arn](#output\_tasks\_iam\_role\_arn) | Tasks IAM role ARN |
+| <a name="output_tasks_iam_role_name"></a> [tasks\_iam\_role\_name](#output\_tasks\_iam\_role\_name) | Tasks IAM role name |
+| <a name="output_tasks_iam_role_unique_id"></a> [tasks\_iam\_role\_unique\_id](#output\_tasks\_iam\_role\_unique\_id) | Stable and unique string identifying the tasks IAM role |
+<!-- END_TF_DOCS -->
+<!-- markdownlint-restore -->
+<!-- vale on -->
diff --git a/infrastructure/modules/ecs-service/context.tf b/infrastructure/modules/ecs-service/context.tf
new file mode 100644
index 0000000..62befcb
--- /dev/null
+++ b/infrastructure/modules/ecs-service/context.tf
@@ -0,0 +1,376 @@
+# tflint-ignore-file: terraform_standard_module_structure, terraform_unused_declarations
+#
+# ONLY EDIT THIS FILE IN github.com/NHSDigital/screening-terraform-modules-aws/infrastructure/modules/tags
+# All other instances of this file should be a copy of that one
+#
+#
+# Copy this file from https://github.com/NHSDigital/screening-terraform-modules-aws/blob/master/infrastructure/modules/tags/exports/context.tf
+# and then place it in your Terraform module to automatically get
+# tag module standard configuration inputs suitable for passing
+# to other modules.
+#
+# curl -sL https://raw.githubusercontent.com/NHSDigital/screening-terraform-modules-aws/master/infrastructure/modules/tags/exports/context.tf -o context.tf
+#
+# Modules should access the whole context as `module.this.context`
+# to get the input variables with nulls for defaults,
+# for example `context = module.this.context`,
+# and access individual variables as `module.this.<var>`,
+# with final values filled in.
+#
+# For example, when using defaults, `module.this.context.delimiter`
+# will be null, and `module.this.delimiter` will be `-` (hyphen).
+#
+
+module "this" {
+  source = "../tags"
+
+  enabled             = var.enabled
+  service             = var.service
+  project             = var.project
+  region              = var.region
+  environment         = var.environment
+  stack               = var.stack
+  workspace           = var.workspace
+  name                = var.name
+  delimiter           = var.delimiter
+  attributes          = var.attributes
+  tags                = var.tags
+  additional_tag_map  = var.additional_tag_map
+  label_order         = var.label_order
+  regex_replace_chars = var.regex_replace_chars
+  id_length_limit     = var.id_length_limit
+  label_key_case      = var.label_key_case
+  label_value_case    = var.label_value_case
+  terraform_source    = coalesce(var.terraform_source, path.module)
+  descriptor_formats  = var.descriptor_formats
+  labels_as_tags      = var.labels_as_tags
+
+  context = var.context
+}
+
+# Copy contents of screening-terraform-modules-aws/tags/variables.tf here
+# tflint-ignore: terraform_unused_declarations
+variable "aws_region" {
+  type        = string
+  description = "The AWS region"
+  default     = "eu-west-2"
+  validation {
+    condition     = contains(["eu-west-1", "eu-west-2", "us-east-1"], var.aws_region)
+    error_message = "AWS Region must be one of eu-west-1, eu-west-2, us-east-1"
+  }
+}
+
+variable "context" {
+  type = any
+  default = {
+    enabled             = true
+    service             = null
+    project             = null
+    region              = null
+    environment         = null
+    stack               = null
+    workspace           = null
+    name                = null
+    delimiter           = null
+    attributes          = []
+    tags                = {}
+    additional_tag_map  = {}
+    regex_replace_chars = null
+    label_order         = []
+    id_length_limit     = null
+    label_key_case      = null
+    label_value_case    = null
+    terraform_source    = null
+    descriptor_formats  = {}
+    # Note: we have to use [] instead of null for unset lists due to
+    # https://github.com/hashicorp/terraform/issues/28137
+    # which was not fixed until Terraform 1.0.0,
+    # but we want the default to be all the labels in `label_order`
+    # and we want users to be able to prevent all tag generation
+    # by setting `labels_as_tags` to `[]`, so we need
+    # a different sentinel to indicate "default"
+    labels_as_tags = ["unset"]
+  }
+  description = <<-EOT
+    Single object for setting entire context at once.
+    See description of individual variables for details.
+    Leave string and numeric variables as `null` to use default value.
+    Individual variable settings (non-null) override settings in context object,
+    except for attributes, tags, and additional_tag_map, which are merged.
+  EOT
+
+  validation {
+    condition     = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"])
+    error_message = "Allowed values: `lower`, `title`, `upper`."
+  }
+
+  validation {
+    condition     = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"])
+    error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
+  }
+}
+
+variable "terraform_source" {
+  type        = string
+  default     = null
+  description = "Source location to record in the Terraform_source tag. Defaults to this module path."
+}
+
+variable "enabled" {
+  type        = bool
+  default     = null
+  description = "Set to false to prevent the module from creating any resources"
+}
+
+variable "service" {
+  type        = string
+  default     = null
+  description = "ID element. Usually an abbreviation of your service directorate name, e.g. 'bcss' or 'csms', to help ensure generated IDs are globally unique"
+}
+
+variable "region" {
+  type        = string
+  default     = null
+  description = "ID element _(Rarely used, not included by default)_.  Usually an abbreviation of the selected AWS region e.g. 'uw2', 'ew2' or 'gbl' for resources like IAM roles that have no region"
+}
+
+variable "project" {
+  type        = string
+  default     = null
+  description = "ID element. A project identifier, indicating the name or role of the project the resource is for, such as `website` or `api`"
+}
+variable "stack" {
+  type        = string
+  default     = null
+  description = "ID element. The name of the stack/component, e.g. `database`, `web`, `waf`, `eks`"
+}
+variable "workspace" {
+  type        = string
+  default     = null
+  description = "ID element. The Terraform workspace, to help ensure generated IDs are unique across workspaces"
+}
+variable "environment" {
+  type        = string
+  default     = null
+  description = "ID element. Usually used to indicate role, e.g. 'prd', 'dev', 'test', 'preprod', 'prod', 'uat'"
+}
+
+variable "name" {
+  type        = string
+  default     = null
+  description = <<-EOT
+    ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
+    This is the only ID element not also included as a `tag`.
+    The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.
+    EOT
+}
+
+variable "delimiter" {
+  type        = string
+  default     = null
+  description = <<-EOT
+    Delimiter to be used between ID elements.
+    Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.
+  EOT
+}
+
+variable "attributes" {
+  type        = list(string)
+  default     = []
+  description = <<-EOT
+    ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
+    in the order they appear in the list. New attributes are appended to the
+    end of the list. The elements of the list are joined by the `delimiter`
+    and treated as a single ID element.
+    EOT
+}
+
+variable "labels_as_tags" {
+  type        = set(string)
+  default     = ["default"]
+  description = <<-EOT
+    Set of labels (ID elements) to include as tags in the `tags` output.
+    Default is to include all labels.
+    Tags with empty values will not be included in the `tags` output.
+    Set to `[]` to suppress all generated tags.
+    **Notes:**
+      The value of the `name` tag, if included, will be the `id`, not the `name`.
+      Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
+      changed in later chained modules. Attempts to change it will be silently ignored.
+    EOT
+}
+
+variable "tags" {
+  type        = map(string)
+  default     = {}
+  description = <<-EOT
+    Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
+    Neither the tag keys nor the tag values will be modified by this module.
+    EOT
+}
+
+variable "additional_tag_map" {
+  type        = map(string)
+  default     = {}
+  description = <<-EOT
+    Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
+    This is for some rare cases where resources want additional configuration of tags
+    and therefore take a list of maps with tag key, value, and additional configuration.
+    EOT
+}
+
+variable "label_order" {
+  type        = list(string)
+  default     = null
+  description = <<-EOT
+    The order in which the labels (ID elements) appear in the `id`.
+    Defaults to ["namespace", "environment", "stage", "name", "attributes"].
+    You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
+    EOT
+}
+
+variable "regex_replace_chars" {
+  type        = string
+  default     = null
+  description = <<-EOT
+    Terraform regular expression (regex) string.
+    Characters matching the regex will be removed from the ID elements.
+    If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.
+  EOT
+}
+
+variable "id_length_limit" {
+  type        = number
+  default     = null
+  description = <<-EOT
+    Limit `id` to this many characters (minimum 6).
+    Set to `0` for unlimited length.
+    Set to `null` for keep the existing setting, which defaults to `0`.
+    Does not affect `id_full`.
+  EOT
+  validation {
+    condition     = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0
+    error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length."
+  }
+}
+
+variable "label_key_case" {
+  type        = string
+  default     = null
+  description = <<-EOT
+    Controls the letter case of the `tags` keys (label names) for tags generated by this module.
+    Does not affect keys of tags passed in via the `tags` input.
+    Possible values: `lower`, `title`, `upper`.
+    Default value: `title`.
+  EOT
+
+  validation {
+    condition     = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case)
+    error_message = "Allowed values: `lower`, `title`, `upper`."
+  }
+}
+
+variable "label_value_case" {
+  type        = string
+  default     = null
+  description = <<-EOT
+    Controls the letter case of ID elements (labels) as included in `id`,
+    set as tag values, and output by this module individually.
+    Does not affect values of tags passed in via the `tags` input.
+    Possible values: `lower`, `title`, `upper` and `none` (no transformation).
+    Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
+    Default value: `lower`.
+  EOT
+
+  validation {
+    condition     = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case)
+    error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
+  }
+}
+
+variable "descriptor_formats" {
+  type        = any
+  default     = {}
+  description = <<-EOT
+    Describe additional descriptors to be output in the `descriptors` output map.
+    Map of maps. Keys are names of descriptors. Values are maps of the form
+    `{
+        format = string
+        labels = list(string)
+    }`
+    (Type is `any` so the map values can later be enhanced to provide additional options.)
+    `format` is a Terraform format string to be passed to the `format()` function.
+    `labels` is a list of labels, in order, to pass to `format()` function.
+    Label values will be normalized before being passed to `format()` so they will be
+    identical to how they appear in `id`.
+    Default is `{}` (`descriptors` output will be empty).
+    EOT
+}
+
+variable "owner" {
+  type        = string
+  description = "The name and or NHS.net email address of the service owner"
+  default     = "None"
+}
+
+variable "tag_version" {
+  type        = string
+  description = "Used to identify the tagging version in use"
+  default     = "1.0"
+}
+
+variable "data_classification" {
+  type        = string
+  description = "Used to identify the data classification of the resource, e.g 1-5"
+  default     = "n/a"
+  validation {
+    condition     = contains(["n/a", "1", "2", "3", "4", "5"], var.data_classification)
+    error_message = "Data Classification must be \"n/a\" or between 1-5"
+  }
+}
+
+variable "data_type" {
+  type        = string
+  description = "The tag data_type"
+  default     = "None"
+  validation {
+    condition     = contains(["None", "PCD", "PID", "Anonymised", "UserAccount", "Audit"], var.data_type)
+    error_message = "Data Type must be one of None, PCD, PID, Anonymised, UserAccount, Audit"
+  }
+}
+
+
+variable "public_facing" {
+  type        = bool
+  description = "Whether this resource is public facing"
+  default     = false
+}
+
+variable "service_category" {
+  type        = string
+  description = "The tag service_category"
+  default     = "n/a"
+  validation {
+    condition     = contains(["n/a", "Bronze", "Silver", "Gold", "Platinum"], var.service_category)
+    error_message = "The Service Category must be one of n/a, Bronze, Silver, Gold, Platinum"
+  }
+}
+variable "on_off_pattern" {
+  type        = string
+  description = "Used to turn resources on and off based on a time pattern"
+  default     = "n/a"
+}
+
+variable "application_role" {
+  type        = string
+  description = "The role the application is performing"
+  default     = "General"
+}
+
+variable "tool" {
+  type        = string
+  description = "The tool used to deploy the resource"
+  default     = "Terraform"
+}
+
+#### End of copy of screening-terraform-modules-aws/tags/variables.tf
diff --git a/infrastructure/modules/ecs-service/locals.tf b/infrastructure/modules/ecs-service/locals.tf
new file mode 100644
index 0000000..4ff52fa
--- /dev/null
+++ b/infrastructure/modules/ecs-service/locals.tf
@@ -0,0 +1,6 @@
+locals {
+  # Service name is derived from context. The community module receives
+  # module.this.name directly so that context-driven label ordering is
+  # preserved without an intermediate local in the common case.
+  service_name = var.service_name != null ? var.service_name : module.this.name
+}
diff --git a/infrastructure/modules/ecs-service/main.tf b/infrastructure/modules/ecs-service/main.tf
new file mode 100644
index 0000000..054ea64
--- /dev/null
+++ b/infrastructure/modules/ecs-service/main.tf
@@ -0,0 +1,140 @@
+################################################################
+# ECS Service
+#
+# Thin NHS wrapper around the community ECS service submodule
+# (terraform-aws-modules/ecs/aws//modules/service) that
+# enforces the screening platform's baseline controls:
+#
+#   * No public IP: assign_public_ip defaults to false
+#   * ECS-managed tags: enable_ecs_managed_tags defaults to true
+#   * Tag propagation: propagate_tags defaults to TASK_DEFINITION
+#   * Creation gated by module.this.enabled
+#
+# Naming: context.tf via module.this by default; caller may override
+# with var.service_name. Tagging is always via module.this.tags.
+################################################################
+
+module "ecs_service" {
+  source  = "terraform-aws-modules/ecs/aws//modules/service"
+  version = "7.5.0"
+
+  create = module.this.enabled
+  name   = local.service_name
+  tags   = module.this.tags
+
+  alarms                                       = var.alarms
+  assign_public_ip                             = var.assign_public_ip
+  autoscaling_max_capacity                     = var.autoscaling_max_capacity
+  autoscaling_min_capacity                     = var.autoscaling_min_capacity
+  autoscaling_policies                         = var.autoscaling_policies
+  autoscaling_scheduled_actions                = var.autoscaling_scheduled_actions
+  autoscaling_suspended_state                  = var.autoscaling_suspended_state
+  availability_zone_rebalancing                = var.availability_zone_rebalancing
+  capacity_provider_strategy                   = var.capacity_provider_strategy
+  cluster_arn                                  = var.cluster_arn
+  container_definitions                        = var.container_definitions
+  cpu                                          = var.cpu
+  create_iam_role                              = var.create_iam_role
+  create_infrastructure_iam_role               = var.create_infrastructure_iam_role
+  create_security_group                        = var.create_security_group
+  create_service                               = var.create_service
+  create_task_definition                       = var.create_task_definition
+  create_task_exec_iam_role                    = var.create_task_exec_iam_role
+  create_task_exec_policy                      = var.create_task_exec_policy
+  create_tasks_iam_role                        = var.create_tasks_iam_role
+  deployment_circuit_breaker                   = var.deployment_circuit_breaker
+  deployment_configuration                     = var.deployment_configuration
+  deployment_controller                        = var.deployment_controller
+  deployment_maximum_percent                   = var.deployment_maximum_percent
+  deployment_minimum_healthy_percent           = var.deployment_minimum_healthy_percent
+  desired_count                                = var.desired_count
+  enable_autoscaling                           = var.enable_autoscaling
+  enable_ecs_managed_tags                      = var.enable_ecs_managed_tags
+  enable_execute_command                       = var.enable_execute_command
+  enable_fault_injection                       = var.enable_fault_injection
+  ephemeral_storage                            = var.ephemeral_storage
+  external_id                                  = var.external_id
+  force_delete                                 = var.force_delete
+  force_new_deployment                         = var.force_new_deployment
+  health_check_grace_period_seconds            = var.health_check_grace_period_seconds
+  iam_role_arn                                 = var.iam_role_arn
+  iam_role_description                         = var.iam_role_description
+  iam_role_name                                = var.iam_role_name
+  iam_role_path                                = var.iam_role_path
+  iam_role_permissions_boundary                = var.iam_role_permissions_boundary
+  iam_role_statements                          = var.iam_role_statements
+  iam_role_tags                                = var.iam_role_tags
+  iam_role_use_name_prefix                     = var.iam_role_use_name_prefix
+  ignore_task_definition_changes               = var.ignore_task_definition_changes
+  infrastructure_iam_role_arn                  = var.infrastructure_iam_role_arn
+  infrastructure_iam_role_description          = var.infrastructure_iam_role_description
+  infrastructure_iam_role_name                 = var.infrastructure_iam_role_name
+  infrastructure_iam_role_path                 = var.infrastructure_iam_role_path
+  infrastructure_iam_role_permissions_boundary = var.infrastructure_iam_role_permissions_boundary
+  infrastructure_iam_role_tags                 = var.infrastructure_iam_role_tags
+  infrastructure_iam_role_use_name_prefix      = var.infrastructure_iam_role_use_name_prefix
+  ipc_mode                                     = var.ipc_mode
+  launch_type                                  = var.launch_type
+  load_balancer                                = var.load_balancer
+  memory                                       = var.memory
+  network_mode                                 = var.network_mode
+  ordered_placement_strategy                   = var.ordered_placement_strategy
+  pid_mode                                     = var.pid_mode
+  placement_constraints                        = var.placement_constraints
+  platform_version                             = var.platform_version
+  propagate_tags                               = var.propagate_tags
+  proxy_configuration                          = var.proxy_configuration
+  requires_compatibilities                     = var.requires_compatibilities
+  runtime_platform                             = var.runtime_platform
+  scale                                        = var.scale
+  scheduling_strategy                          = var.scheduling_strategy
+  security_group_description                   = var.security_group_description
+  security_group_egress_rules                  = var.security_group_egress_rules
+  security_group_ids                           = var.security_group_ids
+  security_group_ingress_rules                 = var.security_group_ingress_rules
+  security_group_name                          = var.security_group_name
+  security_group_tags                          = var.security_group_tags
+  security_group_use_name_prefix               = var.security_group_use_name_prefix
+  service_connect_configuration                = var.service_connect_configuration
+  service_registries                           = var.service_registries
+  service_tags                                 = var.service_tags
+  sigint_rollback                              = var.sigint_rollback
+  skip_destroy                                 = var.skip_destroy
+  subnet_ids                                   = var.subnet_ids
+  task_definition_arn                          = var.task_definition_arn
+  task_definition_placement_constraints        = var.task_definition_placement_constraints
+  task_exec_iam_policy_path                    = var.task_exec_iam_policy_path
+  task_exec_iam_role_arn                       = var.task_exec_iam_role_arn
+  task_exec_iam_role_description               = var.task_exec_iam_role_description
+  task_exec_iam_role_max_session_duration      = var.task_exec_iam_role_max_session_duration
+  task_exec_iam_role_name                      = var.task_exec_iam_role_name
+  task_exec_iam_role_path                      = var.task_exec_iam_role_path
+  task_exec_iam_role_permissions_boundary      = var.task_exec_iam_role_permissions_boundary
+  task_exec_iam_role_policies                  = var.task_exec_iam_role_policies
+  task_exec_iam_role_tags                      = var.task_exec_iam_role_tags
+  task_exec_iam_role_use_name_prefix           = var.task_exec_iam_role_use_name_prefix
+  task_exec_iam_statements                     = var.task_exec_iam_statements
+  task_exec_secret_arns                        = var.task_exec_secret_arns
+  task_exec_ssm_param_arns                     = var.task_exec_ssm_param_arns
+  task_tags                                    = var.task_tags
+  tasks_iam_role_arn                           = var.tasks_iam_role_arn
+  tasks_iam_role_description                   = var.tasks_iam_role_description
+  tasks_iam_role_max_session_duration          = var.tasks_iam_role_max_session_duration
+  tasks_iam_role_name                          = var.tasks_iam_role_name
+  tasks_iam_role_path                          = var.tasks_iam_role_path
+  tasks_iam_role_permissions_boundary          = var.tasks_iam_role_permissions_boundary
+  tasks_iam_role_policies                      = var.tasks_iam_role_policies
+  tasks_iam_role_statements                    = var.tasks_iam_role_statements
+  tasks_iam_role_tags                          = var.tasks_iam_role_tags
+  tasks_iam_role_use_name_prefix               = var.tasks_iam_role_use_name_prefix
+  timeouts                                     = var.timeouts
+  track_latest                                 = var.track_latest
+  triggers                                     = var.triggers
+  volume                                       = var.volume
+  volume_configuration                         = var.volume_configuration
+  vpc_id                                       = var.vpc_id
+  vpc_lattice_configurations                   = var.vpc_lattice_configurations
+  wait_for_steady_state                        = var.wait_for_steady_state
+  wait_until_stable                            = var.wait_until_stable
+  wait_until_stable_timeout                    = var.wait_until_stable_timeout
+}
diff --git a/infrastructure/modules/ecs-service/outputs.tf b/infrastructure/modules/ecs-service/outputs.tf
new file mode 100644
index 0000000..45595c4
--- /dev/null
+++ b/infrastructure/modules/ecs-service/outputs.tf
@@ -0,0 +1,124 @@
+output "ecs_service_id" {
+  description = "ARN that identifies the service"
+  value       = module.ecs_service.id
+}
+
+output "ecs_service_name" {
+  description = "Name of the service"
+  value       = module.ecs_service.name
+}
+
+output "autoscaling_policies" {
+  description = "Map of autoscaling policies and their attributes"
+  value       = module.ecs_service.autoscaling_policies
+}
+
+output "autoscaling_scheduled_actions" {
+  description = "Map of autoscaling scheduled actions and their attributes"
+  value       = module.ecs_service.autoscaling_scheduled_actions
+}
+
+output "container_definitions" {
+  description = "Container definitions"
+  value       = module.ecs_service.container_definitions
+}
+
+output "iam_role_arn" {
+  description = "Service IAM role ARN"
+  value       = module.ecs_service.iam_role_arn
+}
+
+output "iam_role_name" {
+  description = "Service IAM role name"
+  value       = module.ecs_service.iam_role_name
+}
+
+output "iam_role_unique_id" {
+  description = "Stable and unique string identifying the service IAM role"
+  value       = module.ecs_service.iam_role_unique_id
+}
+
+output "infrastructure_iam_role_arn" {
+  description = "Infrastructure IAM role ARN"
+  value       = module.ecs_service.infrastructure_iam_role_arn
+}
+
+output "infrastructure_iam_role_name" {
+  description = "Infrastructure IAM role name"
+  value       = module.ecs_service.infrastructure_iam_role_name
+}
+
+output "security_group_arn" {
+  description = "ARN of the security group"
+  value       = module.ecs_service.security_group_arn
+}
+
+output "security_group_id" {
+  description = "ID of the security group"
+  value       = module.ecs_service.security_group_id
+}
+
+output "task_definition_arn" {
+  description = "Full ARN of the Task Definition (including both `family` and `revision`)"
+  value       = module.ecs_service.task_definition_arn
+}
+
+output "task_definition_family" {
+  description = "The unique name of the task definition"
+  value       = module.ecs_service.task_definition_family
+}
+
+output "task_definition_revision" {
+  description = "Revision of the task in a particular family"
+  value       = module.ecs_service.task_definition_revision
+}
+
+output "task_exec_iam_role_arn" {
+  description = "Task execution IAM role ARN"
+  value       = module.ecs_service.task_exec_iam_role_arn
+}
+
+output "task_exec_iam_role_name" {
+  description = "Task execution IAM role name"
+  value       = module.ecs_service.task_exec_iam_role_name
+}
+
+output "task_exec_iam_role_unique_id" {
+  description = "Stable and unique string identifying the task execution IAM role"
+  value       = module.ecs_service.task_exec_iam_role_unique_id
+}
+
+output "task_set_arn" {
+  description = "The ARN that identifies the task set"
+  value       = module.ecs_service.task_set_arn
+}
+
+output "task_set_id" {
+  description = "The ID of the task set"
+  value       = module.ecs_service.task_set_id
+}
+
+output "task_set_stability_status" {
+  description = "The stability status. This indicates whether the task set has reached a steady state"
+  value       = module.ecs_service.task_set_stability_status
+}
+
+output "task_set_status" {
+  description = "The status of the task set"
+  value       = module.ecs_service.task_set_status
+}
+
+output "tasks_iam_role_arn" {
+  description = "Tasks IAM role ARN"
+  value       = module.ecs_service.tasks_iam_role_arn
+}
+
+output "tasks_iam_role_name" {
+  description = "Tasks IAM role name"
+  value       = module.ecs_service.tasks_iam_role_name
+}
+
+output "tasks_iam_role_unique_id" {
+  description = "Stable and unique string identifying the tasks IAM role"
+  value       = module.ecs_service.tasks_iam_role_unique_id
+}
diff --git a/infrastructure/modules/ecs-service/variables.tf b/infrastructure/modules/ecs-service/variables.tf
new file mode 100644
index 0000000..bdb6ed0
--- /dev/null
+++ b/infrastructure/modules/ecs-service/variables.tf
@@ -0,0 +1,1247 @@
+################################################################
+# ECS Service-specific inputs.
+#
+# Naming, tagging and the master `enabled` switch come from
+# context.tf via `module.this`.
+################################################################
+
+variable "alarms" {
+  description = "Information about the CloudWatch alarms"
+  type = object({
+    alarm_names = list(string)
+    enable      = optional(bool, true)
+    rollback    = optional(bool, true)
+  })
+  default = null
+}
+
+variable "assign_public_ip" {
+  description = "Assign a public IP address to the ENI (Fargate launch type only)"
+  type        = bool
+  default     = false
+}
+
+variable "autoscaling_max_capacity" {
+  description = "Maximum number of tasks to run in your service"
+  type        = number
+  default     = 10
+}
+
+variable "autoscaling_min_capacity" {
+  description = "Minimum number of tasks to run in your service"
+  type        = number
+  default     = 1
+}
+
+variable "autoscaling_policies" {
+  description = "Map of autoscaling policies to create for the service"
+  type = map(object({
+    name        = optional(string) # Will fall back to the key name if not provided
+    policy_type = optional(string, "TargetTrackingScaling")
+    predictive_scaling_policy_configuration = optional(object({
+      max_capacity_breach_behavior = optional(string)
+      max_capacity_buffer          = optional(number)
+      metric_specification = list(object({
+        customized_capacity_metric_specification = optional(object({
+          metric_data_query = list(object({
+            expression = optional(string)
+            id         = string
+            label      = optional(string)
+            metric_stat = optional(object({
+              metric = object({
+                dimension = optional(list(object({
+                  name  = string
+                  value = string
+                })))
+                metric_name = optional(string)
+                namespace   = optional(string)
+              })
+              stat = string
+              unit = optional(string)
+            }))
+            return_data = optional(bool)
+          }))
+        }))
+        customized_load_metric_specification = optional(object({
+          metric_data_query = list(object({
+            expression = optional(string)
+            id         = string
+            label      = optional(string)
+            metric_stat = optional(object({
+              metric = object({
+                dimension = optional(list(object({
+                  name  = string
+                  value = string
+                })))
+                metric_name = optional(string)
+                namespace   = optional(string)
+              })
+              stat = string
+              unit = optional(string)
+            }))
+            return_data = optional(bool)
+          }))
+        }))
+        customized_scaling_metric_specification = optional(object({
+          metric_data_query = list(object({
+            expression = optional(string)
+            id         = string
+            label      = optional(string)
+            metric_stat = optional(object({
+              metric = object({
+                dimension = optional(list(object({
+                  name  = string
+                  value = string
+                })))
+                metric_name = optional(string)
+                namespace   = optional(string)
+              })
+              stat = string
+              unit = optional(string)
+            }))
+            return_data = optional(bool)
+          }))
+        }))
+        predefined_load_metric_specification = optional(object({
+          predefined_metric_type = string
+          resource_label         = optional(string)
+        }))
+        predefined_metric_pair_specification = optional(object({
+          predefined_metric_type = string
+          resource_label         = optional(string)
+        }))
+        predefined_scaling_metric_specification = optional(object({
+          predefined_metric_type = string
+          resource_label         = optional(string)
+        }))
+        target_value = number
+      }))
+      mode                   = optional(string)
+      scheduling_buffer_time = optional(number)
+    }))
+    step_scaling_policy_configuration = optional(object({
+      adjustment_type          = optional(string)
+      cooldown                 = optional(number)
+      metric_aggregation_type  = optional(string)
+      min_adjustment_magnitude = optional(number)
+      step_adjustment = optional(list(object({
+        metric_interval_lower_bound = optional(string)
+        metric_interval_upper_bound = optional(string)
+        scaling_adjustment          = number
+      })))
+    }))
+    target_tracking_scaling_policy_configuration = optional(object({
+      customized_metric_specification = optional(object({
+        dimensions = optional(list(object({
+          name  = string
+          value = string
+        })))
+        metric_name = optional(string)
+        metrics = optional(list(object({
+          expression = optional(string)
+          id         = string
+          label      = optional(string)
+          metric_stat = optional(object({
+            metric = object({
+              dimensions = optional(list(object({
+                name  = string
+                value = string
+              })))
+              metric_name = string
+              namespace   = string
+            })
+            stat = string
+            unit = optional(string)
+          }))
+          return_data = optional(bool)
+        })))
+        namespace = optional(string)
+        statistic = optional(string)
+        unit      = optional(string)
+      }))
+      disable_scale_in = optional(bool)
+      predefined_metric_specification = optional(object({
+        predefined_metric_type = string
+        resource_label         = optional(string)
+      }))
+      scale_in_cooldown  = optional(number, 300)
+      scale_out_cooldown = optional(number, 60)
+      target_value       = optional(number, 75)
+    }))
+  }))
+  default = {
+    "cpu" : {
+      "policy_type" : "TargetTrackingScaling",
+      "target_tracking_scaling_policy_configuration" : {
+        "predefined_metric_specification" : {
+          "predefined_metric_type" : "ECSServiceAverageCPUUtilization"
+        }
+      }
+    },
+    "memory" : {
+      "policy_type" : "TargetTrackingScaling",
+      "target_tracking_scaling_policy_configuration" : {
+        "predefined_metric_specification" : {
+          "predefined_metric_type" : "ECSServiceAverageMemoryUtilization"
+        }
+      }
+    }
+  }
+}
+
+variable "autoscaling_scheduled_actions" {
+  description = "Map of autoscaling scheduled actions to create for the service"
+  type = map(object({
+    name         = optional(string)
+    min_capacity = number
+    max_capacity = number
+    schedule     = string
+    start_time   = optional(string)
+    end_time     = optional(string)
+    timezone     = optional(string)
+  }))
+  default = null
+}
+
+variable "autoscaling_suspended_state" {
+  description = "Configuration block that specifies whether the scaling activities for the service are in a suspended state"
+  type = object({
+    dynamic_scaling_in_suspended  = optional(bool, false)
+    dynamic_scaling_out_suspended = optional(bool, false)
+    scheduled_scaling_suspended   = optional(bool, false)
+  })
+  default = null
+}
+
+variable "availability_zone_rebalancing" {
+  description = "ECS automatically redistributes tasks within a service across Availability Zones (AZs) to mitigate the risk of impaired application availability due to underlying infrastructure failures and task lifecycle activities. The valid values are `ENABLED` and `DISABLED`. Defaults to `DISABLED`"
+  type        = string
+  default     = null
+}
+
+variable "capacity_provider_strategy" {
+  description = "Capacity provider strategies to use for the service. Can be one or more"
+  type = map(object({
+    base              = optional(number)
+    capacity_provider = string
+    weight            = optional(number)
+  }))
+  default = null
+}
+
+variable "cluster_arn" {
+  description = "ARN of the ECS cluster where the resources will be provisioned"
+  type        = string
+  default     = ""
+}
+
+variable "container_definitions" {
+  description = "A map of valid container definitions <http://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html>. Please note that you should only provide values that are part of the container definition document"
+  type = map(object({
+    create                  = optional(bool, true)
+    operating_system_family = optional(string)
+    tags                    = optional(map(string)) # Container definition
+    command                 = optional(list(string))
+    cpu                     = optional(number)
+    credentialSpecs         = optional(list(string))
+    dependsOn = optional(list(object({
+      condition     = string
+      containerName = string
+    })))
+    disableNetworking      = optional(bool)
+    dnsSearchDomains       = optional(list(string))
+    dnsServers             = optional(list(string))
+    dockerLabels           = optional(map(string))
+    dockerSecurityOptions  = optional(list(string))
+    enable_execute_command = optional(bool, false) # Set in standalone variable
+    entrypoint             = optional(list(string))
+    environment = optional(list(object({
+      name  = string
+      value = string
+    })))
+    environmentFiles = optional(list(object({
+      type  = string
+      value = string
+    })))
+    essential = optional(bool)
+    extraHosts = optional(list(object({
+      hostname  = string
+      ipAddress = string
+    })))
+    firelensConfiguration = optional(object({
+      options = optional(map(string))
+      type    = optional(string)
+    }))
+    healthCheck = optional(object({
+      command     = optional(list(string), [])
+      interval    = optional(number, 30)
+      retries     = optional(number, 3)
+      startPeriod = optional(number)
+      timeout     = optional(number, 5)
+    }))
+    hostname    = optional(string)
+    image       = optional(string)
+    interactive = optional(bool)
+    links       = optional(list(string))
+    linuxParameters = optional(object({
+      capabilities = optional(object({
+        add  = optional(list(string))
+        drop = optional(list(string))
+      }))
+      devices = optional(list(object({
+        containerPath = optional(string)
+        hostPath      = optional(string)
+        permissions   = optional(list(string))
+      })))
+      initProcessEnabled = optional(bool)
+      maxSwap            = optional(number)
+      sharedMemorySize   = optional(number)
+      swappiness         = optional(number)
+      tmpfs = optional(list(object({
+        containerPath = string
+        mountOptions  = optional(list(string))
+        size          = number
+      })))
+    }))
+    logConfiguration = optional(object({
+      logDriver = optional(string)
+      options   = optional(map(string))
+      secretOptions = optional(list(object({
+        name      = string
+        valueFrom = string
+      })))
+    }))
+    memory            = optional(number)
+    memoryReservation = optional(number)
+    mountPoints = optional(list(object({
+      containerPath = optional(string)
+      readOnly      = optional(bool)
+      sourceVolume  = optional(string)
+    })))
+    name = optional(string)
+    portMappings = optional(list(object({
+      appProtocol        = optional(string)
+      containerPort      = optional(number)
+      containerPortRange = optional(string)
+      hostPort           = optional(number)
+      name               = optional(string)
+      protocol           = optional(string)
+    })))
+    privileged             = optional(bool)
+    pseudoTerminal         = optional(bool)
+    readonlyRootFilesystem = optional(bool)
+    repositoryCredentials = optional(object({
+      credentialsParameter = optional(string)
+    }))
+    resourceRequirements = optional(list(object({
+      type  = string
+      value = string
+    })))
+    restartPolicy = optional(object({
+      enabled              = optional(bool)
+      ignoredExitCodes     = optional(list(number))
+      restartAttemptPeriod = optional(number)
+    }))
+    secrets = optional(list(object({
+      name      = string
+      valueFrom = string
+    })))
+    startTimeout = optional(number, 30)
+    stopTimeout  = optional(number, 120)
+    systemControls = optional(list(object({
+      namespace = optional(string)
+      value     = optional(string)
+    })))
+    ulimits = optional(list(object({
+      hardLimit = number
+      name      = string
+      softLimit = number
+    })))
+    user               = optional(string)
+    versionConsistency = optional(string)
+    volumesFrom = optional(list(object({
+      readOnly        = optional(bool)
+      sourceContainer = optional(string)
+    })))
+    workingDirectory = optional(string)
+    # Cloudwatch Log Group
+    service                                = optional(string)
+    enable_cloudwatch_logging              = optional(bool)
+    create_cloudwatch_log_group            = optional(bool)
+    cloudwatch_log_group_name              = optional(string)
+    cloudwatch_log_group_use_name_prefix   = optional(bool)
+    cloudwatch_log_group_class             = optional(string)
+    cloudwatch_log_group_retention_in_days = optional(number)
+    cloudwatch_log_group_kms_key_id        = optional(string)
+  }))
+  default = {}
+}
+
+variable "cpu" {
+  description = "Number of cpu units used by the task. If the `requires_compatibilities` is `FARGATE` this field is required"
+  type        = number
+  default     = 1024
+}
+
+variable "create_iam_role" {
+  description = "Determines whether the ECS service IAM role should be created"
+  type        = bool
+  default     = true
+}
+
+variable "create_infrastructure_iam_role" {
+  description = "Determines whether the ECS infrastructure IAM role should be created"
+  type        = bool
+  default     = true
+}
+
+variable "create_security_group" {
+  description = "Determines if a security group is created"
+  type        = bool
+  default     = true
+}
+
+variable "create_service" {
+  description = "Determines whether service resource will be created (set to `false` in case you want to create task definition only)"
+  type        = bool
+  default     = true
+}
+
+variable "create_task_definition" {
+  description = "Determines whether to create a task definition or use existing/provided"
+  type        = bool
+  default     = true
+}
+
+variable "create_task_exec_iam_role" {
+  description = "Determines whether the ECS task definition IAM role should be created"
+  type        = bool
+  default     = true
+}
+
+variable "create_task_exec_policy" {
+  description = "Determines whether the ECS task definition IAM policy should be created. This includes permissions included in AmazonECSTaskExecutionRolePolicy as well as access to secrets and SSM parameters"
+  type        = bool
+  default     = true
+}
+
+variable "create_tasks_iam_role" {
+  description = "Determines whether the ECS tasks IAM role should be created"
+  type        = bool
+  default     = true
+}
+
+variable "deployment_circuit_breaker" {
+  description = "Configuration block for deployment circuit breaker"
+  type = object({
+    enable   = bool
+    rollback = bool
+  })
+  default = null
+}
+
+variable "deployment_configuration" {
+  description = "Configuration block for deployment settings"
+  type = object({
+    strategy             = optional(string)
+    bake_time_in_minutes = optional(string)
+    canary_configuration = optional(object({
+      canary_bake_time_in_minutes = optional(string)
+      canary_percent              = optional(string)
+    }))
+    linear_configuration = optional(object({
+      step_bake_time_in_minutes = optional(string)
+      step_percent              = optional(string)
+    }))
+    lifecycle_hook = optional(map(object({
+      hook_target_arn  = string
+      role_arn         = optional(string)
+      lifecycle_stages = list(string)
+      hook_details     = optional(string)
+    })))
+  })
+  default = null
+}
+
+variable "deployment_controller" {
+  description = "Configuration block for deployment controller configuration"
+  type = object({
+    type = optional(string)
+  })
+  default = null
+}
+
+variable "deployment_maximum_percent" {
+  description = "Upper limit (as a percentage of the service's `desired_count`) of the number of running tasks that can be running in a service during a deployment"
+  type        = number
+  default     = 200
+}
+
+variable "deployment_minimum_healthy_percent" {
+  description = "Lower limit (as a percentage of the service's `desired_count`) of the number of running tasks that must remain running and healthy in a service during a deployment"
+  type        = number
+  default     = 66
+}
+
+variable "desired_count" {
+  description = "Number of instances of the task definition to place and keep running"
+  type        = number
+  default     = 1
+}
+
+variable "enable_autoscaling" {
+  description = "Determines whether to enable autoscaling for the service"
+  type        = bool
+  default     = true
+}
+
+variable "enable_ecs_managed_tags" {
+  description = "Specifies whether to enable Amazon ECS managed tags for the tasks within the service"
+  type        = bool
+  default     = true
+}
+
+variable "enable_execute_command" {
+  description = "Specifies whether to enable Amazon ECS Exec for the tasks within the service"
+  type        = bool
+  default     = false
+}
+
+variable "enable_fault_injection" {
+  description = "Enables fault injection and allows for fault injection requests to be accepted from the task's containers. Default is `false`"
+  type        = bool
+  default     = null
+}
+
+variable "ephemeral_storage" {
+  description = "The amount of ephemeral storage to allocate for the task. This parameter is used to expand the total amount of ephemeral storage available, beyond the default amount, for tasks hosted on AWS Fargate"
+  type = object({
+    size_in_gib = number
+  })
+  default = null
+}
+
+variable "external_id" {
+  description = "The external ID associated with the task set"
+  type        = string
+  default     = null
+}
+
+variable "force_delete" {
+  description = "Enable to delete a service even if it wasn't scaled down to zero tasks. It's only necessary to use this if the service uses the `REPLICA` scheduling strategy"
+  type        = bool
+  default     = null
+}
+
+variable "force_new_deployment" {
+  description = "Enable to force a new task deployment of the service. This can be used to update tasks to use a newer Docker image with same image/tag combination, roll Fargate tasks onto a newer platform version, or immediately deploy `ordered_placement_strategy` and `placement_constraints` updates"
+  type        = bool
+  default     = true
+}
+
+variable "health_check_grace_period_seconds" {
+  description = "Seconds to ignore failing load balancer health checks on newly instantiated tasks to prevent premature shutdown, up to 2147483647. Only valid for services configured to use load balancers"
+  type        = number
+  default     = null
+}
+
+variable "iam_role_arn" {
+  description = "Existing IAM role ARN"
+  type        = string
+  default     = null
+}
+
+variable "iam_role_description" {
+  description = "Description of the role"
+  type        = string
+  default     = null
+}
+
+variable "iam_role_name" {
+  description = "Name to use on IAM role created"
+  type        = string
+  default     = null
+}
+
+variable "iam_role_path" {
+  description = "IAM role path"
+  type        = string
+  default     = null
+}
+
+variable "iam_role_permissions_boundary" {
+  description = "ARN of the policy that is used to set the permissions boundary for the IAM role"
+  type        = string
+  default     = null
+}
+
+variable "iam_role_statements" {
+  description = "A map of IAM policy statements <https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement> for custom permission usage"
+  type = list(object({
+    sid           = optional(string)
+    actions       = optional(list(string))
+    not_actions   = optional(list(string))
+    effect        = optional(string)
+    resources     = optional(list(string))
+    not_resources = optional(list(string))
+    principals = optional(list(object({
+      type        = string
+      identifiers = list(string)
+    })))
+    not_principals = optional(list(object({
+      type        = string
+      identifiers = list(string)
+    })))
+    condition = optional(list(object({
+      test     = string
+      values   = list(string)
+      variable = string
+    })))
+  }))
+  default = null
+}
+
+variable "iam_role_tags" {
+  description = "A map of additional tags to add to the IAM role created"
+  type        = map(string)
+  default     = {}
+}
+
+variable "iam_role_use_name_prefix" {
+  description = "Determines whether the IAM role name (`iam_role_name`) is used as a prefix"
+  type        = bool
+  default     = true
+}
+
+variable "ignore_task_definition_changes" {
+  description = "Whether changes to service `task_definition` changes should be ignored"
+  type        = bool
+  default     = false
+}
+
+variable "infrastructure_iam_role_arn" {
+  description = "Existing IAM role ARN"
+  type        = string
+  default     = null
+}
+
+variable "infrastructure_iam_role_description" {
+  description = "Description of the role"
+  type        = string
+  default     = null
+}
+
+variable "infrastructure_iam_role_name" {
+  description = "Name to use on IAM role created"
+  type        = string
+  default     = null
+}
+
+variable "infrastructure_iam_role_path" {
+  description = "IAM role path"
+  type        = string
+  default     = null
+}
+
+variable "infrastructure_iam_role_permissions_boundary" {
+  description = "ARN of the policy that is used to set the permissions boundary for the IAM role"
+  type        = string
+  default     = null
+}
+
+variable "infrastructure_iam_role_tags" {
+  description = "A map of additional tags to add to the IAM role created"
+  type        = map(string)
+  default     = {}
+}
+
+variable "infrastructure_iam_role_use_name_prefix" {
+  description = "Determines whether the IAM role name (`iam_role_name`) is used as a prefix"
+  type        = bool
+  default     = true
+}
+
+variable "ipc_mode" {
+  description = "IPC resource namespace to be used for the containers in the task The valid values are `host`, `task`, and `none`"
+  type        = string
+  default     = null
+}
+
+variable "launch_type" {
+  description = "Launch type on which to run your service. The valid values are `EC2`, `FARGATE`, and `EXTERNAL`. Defaults to `FARGATE`"
+  type        = string
+  default     = "FARGATE"
+}
+
+variable "load_balancer" {
+  description = "Configuration block for load balancers"
+  type = map(object({
+    container_name   = string
+    container_port   = number
+    elb_name         = optional(string)
+    target_group_arn = optional(string)
+    advanced_configuration = optional(object({
+      alternate_target_group_arn = string
+      production_listener_rule   = string # Should be optional but bug in provider
+      role_arn                   = optional(string)
+      test_listener_rule         = optional(string)
+    }))
+  }))
+  default = null
+}
+
+variable "memory" {
+  description = "Amount of memory (in MiB) used by the task. If the `requires_compatibilities` is `FARGATE` this field is required"
+  type        = number
+  default     = 2048
+}
+
+variable "network_mode" {
+  description = "Docker networking mode to use for the containers in the task. Valid values are `none`, `bridge`, `awsvpc`, and `host`"
+  type        = string
+  default     = "awsvpc"
+}
+
+variable "ordered_placement_strategy" {
+  description = "Service level strategy rules that are taken into consideration during task placement. List from top to bottom in order of precedence"
+  type = list(object({
+    field = optional(string)
+    type  = string
+  }))
+  default = null
+}
+
+variable "pid_mode" {
+  description = "Process namespace to use for the containers in the task. The valid values are `host` and `task`"
+  type        = string
+  default     = null
+}
+
+variable "placement_constraints" {
+  description = "Configuration block for rules that are taken into consideration during task placement (up to max of 10). This is set at the service, see `task_definition_placement_constraints` for setting at the task definition"
+  type = map(object({
+    expression = optional(string)
+    type       = string
+  }))
+  default = null
+}
+
+variable "platform_version" {
+  description = "Platform version on which to run your service. Only applicable for `launch_type` set to `FARGATE`. Defaults to `LATEST`"
+  type        = string
+  default     = null
+}
+
+variable "propagate_tags" {
+  description = "Specifies whether to propagate the tags from the task definition or the service to the tasks. The valid values are `SERVICE` and `TASK_DEFINITION`"
+  type        = string
+  default     = null
+}
+
+variable "proxy_configuration" {
+  description = "Configuration block for the App Mesh proxy"
+  type = object({
+    container_name = string
+    properties     = optional(map(string))
+    type           = optional(string)
+  })
+  default = null
+}
+
+variable "requires_compatibilities" {
+  description = "Set of launch types required by the task. The valid values are `EC2`, `FARGATE`, `EXTERNAL`, and `MANAGED_INSTANCES`"
+  type        = list(string)
+  default     = ["FARGATE"]
+}
+
+variable "runtime_platform" {
+  description = "Configuration block for `runtime_platform` that containers in your task may use"
+  type = object({
+    cpu_architecture        = optional(string, "X86_64")
+    operating_system_family = optional(string, "LINUX")
+  })
+  default = {}
+}
+
+variable "scale" {
+  description = "A floating-point percentage of the desired number of tasks to place and keep running in the task set"
+  type = object({
+    unit  = optional(string)
+    value = optional(number)
+  })
+  default = null
+}
+
+variable "scheduling_strategy" {
+  description = "Scheduling strategy to use for the service. The valid values are `REPLICA` and `DAEMON`. Defaults to `REPLICA`"
+  type        = string
+  default     = null
+}
+
+variable "security_group_description" {
+  description = "Description of the security group created"
+  type        = string
+  default     = null
+}
+
+variable "security_group_egress_rules" {
+  description = "Security group egress rules to add to the security group created"
+  type = map(object({
+    name                         = optional(string)
+    cidr_ipv4                    = optional(string)
+    cidr_ipv6                    = optional(string)
+    description                  = optional(string)
+    from_port                    = optional(string)
+    ip_protocol                  = optional(string, "tcp")
+    prefix_list_id               = optional(string)
+    referenced_security_group_id = optional(string)
+    tags                         = optional(map(string), {})
+    to_port                      = optional(string)
+  }))
+  default = {}
+}
+
+variable "security_group_ids" {
+  description = "List of security groups to associate with the task or service"
+  type        = list(string)
+  default     = []
+}
+
+variable "security_group_ingress_rules" {
+  description = "Security group ingress rules to add to the security group created"
+  type = map(object({
+    name                         = optional(string)
+    cidr_ipv4                    = optional(string)
+    cidr_ipv6                    = optional(string)
+    description                  = optional(string)
+    from_port                    = optional(string)
+    ip_protocol                  = optional(string, "tcp")
+    prefix_list_id               = optional(string)
+    referenced_security_group_id = optional(string)
+    tags                         = optional(map(string), {})
+    to_port                      = optional(string)
+  }))
+  default = {}
+}
+
+variable "security_group_name" {
+  description = "Name to use on security group created"
+  type        = string
+  default     = null
+}
+
+variable "security_group_tags" {
+  description = "A map of additional tags to add to the security group created"
+  type        = map(string)
+  default     = {}
+}
+
+variable "security_group_use_name_prefix" {
+  description = "Determines whether the security group name (`security_group_name`) is used as a prefix"
+  type        = bool
+  default     = true
+}
+
+variable "service_connect_configuration" {
+  description = "The ECS Service Connect configuration for this service to discover and connect to services, and be discovered by, and connected from, other services within a namespace"
+  type = object({
+    enabled = optional(bool, true)
+    access_log_configuration = optional(object({
+      format                   = string
+      include_query_parameters = optional(string)
+    }))
+    log_configuration = optional(object({
+      log_driver = string
+      options    = optional(map(string))
+      secret_option = optional(list(object({
+        name       = string
+        value_from = string
+      })))
+    }))
+    namespace = optional(string)
+    service = optional(list(object({
+      client_alias = optional(object({
+        dns_name = optional(string)
+        port     = number
+        test_traffic_rules = optional(list(object({
+          header = optional(object({
+            name = string
+            value = object({
+              exact = string
+            })
+          }))
+        })))
+      }))
+      discovery_name        = optional(string)
+      ingress_port_override = optional(number)
+      port_name             = string
+      timeout = optional(object({
+        idle_timeout_seconds        = optional(number)
+        per_request_timeout_seconds = optional(number)
+      }))
+      tls = optional(object({
+        issuer_cert_authority = object({
+          aws_pca_authority_arn = string
+        })
+        kms_key  = optional(string)
+        role_arn = optional(string)
+      }))
+    })))
+  })
+  default = null
+}
+
+variable "service_name" {
+  description = "Name of the service"
+  type        = string
+  default     = null
+}
+
+variable "service_registries" {
+  description = "Service discovery registries for the service"
+  type = object({
+    container_name = optional(string)
+    container_port = optional(number)
+    port           = optional(number)
+    registry_arn   = string
+  })
+  default = null
+}
+
+variable "service_tags" {
+  description = "A map of additional tags to add to the service"
+  type        = map(string)
+  default     = {}
+}
+
+variable "sigint_rollback" {
+  description = "Whether to enable graceful termination of deployments using SIGINT signals. Only applicable when using ECS deployment controller and requires wait_for_steady_state = true. Default is false"
+  type        = bool
+  default     = null
+}
+
+variable "skip_destroy" {
+  description = "If true, the task is not deleted when the service is deleted"
+  type        = bool
+  default     = null
+}
+
+variable "subnet_ids" {
+  description = "List of subnets to associate with the task or service"
+  type        = list(string)
+  default     = []
+}
+
+variable "task_definition_arn" {
+  description = "Existing task definition ARN. Required when `create_task_definition` is `false`"
+  type        = string
+  default     = null
+}
+
+variable "task_definition_placement_constraints" {
+  description = "Configuration block for rules that are taken into consideration during task placement (up to max of 10). This is set at the task definition, see `placement_constraints` for setting at the service"
+  type = map(object({
+    expression = optional(string)
+    type       = string
+  }))
+  default = null
+}
+
+variable "task_exec_iam_policy_path" {
+  description = "Path for the iam role"
+  type        = string
+  default     = null
+}
+
+variable "task_exec_iam_role_arn" {
+  description = "Existing IAM role ARN"
+  type        = string
+  default     = null
+}
+
+variable "task_exec_iam_role_description" {
+  description = "Description of the role"
+  type        = string
+  default     = null
+}
+
+variable "task_exec_iam_role_max_session_duration" {
+  description = "Maximum session duration (in seconds) for ECS task execution role. Default is 3600."
+  type        = number
+  default     = null
+}
+
+variable "task_exec_iam_role_name" {
+  description = "Name to use on IAM role created"
+  type        = string
+  default     = null
+}
+
+variable "task_exec_iam_role_path" {
+  description = "IAM role path"
+  type        = string
+  default     = null
+}
+
+variable "task_exec_iam_role_permissions_boundary" {
+  description = "ARN of the policy that is used to set the permissions boundary for the IAM role"
+  type        = string
+  default     = null
+}
+
+variable "task_exec_iam_role_policies" {
+  description = "Map of IAM role policy ARNs to attach to the IAM role"
+  type        = map(string)
+  default     = null
+}
+
+variable "task_exec_iam_role_tags" {
+  description = "A map of additional tags to add to the IAM role created"
+  type        = map(string)
+  default     = {}
+}
+
+variable "task_exec_iam_role_use_name_prefix" {
+  description = "Determines whether the IAM role name (`task_exec_iam_role_name`) is used as a prefix"
+  type        = bool
+  default     = true
+}
+
+variable "task_exec_iam_statements" {
+  description = "A map of IAM policy statements <https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement> for custom permission usage"
+  type = list(object({
+    sid           = optional(string)
+    actions       = optional(list(string))
+    not_actions   = optional(list(string))
+    effect        = optional(string)
+    resources     = optional(list(string))
+    not_resources = optional(list(string))
+    principals = optional(list(object({
+      type        = string
+      identifiers = list(string)
+    })))
+    not_principals = optional(list(object({
+      type        = string
+      identifiers = list(string)
+    })))
+    condition = optional(list(object({
+      test     = string
+      values   = list(string)
+      variable = string
+    })))
+  }))
+  default = null
+}
+
+variable "task_exec_secret_arns" {
+  description = "List of SecretsManager secret ARNs the task execution role will be permitted to get/read"
+  type        = list(string)
+  default     = []
+}
+
+variable "task_exec_ssm_param_arns" {
+  description = "List of SSM parameter ARNs the task execution role will be permitted to get/read"
+  type        = list(string)
+  default     = []
+}
+
+variable "task_tags" {
+  description = "A map of additional tags to add to the task definition/set created"
+  type        = map(string)
+  default     = {}
+}
+
+variable "tasks_iam_role_arn" {
+  description = "Existing IAM role ARN"
+  type        = string
+  default     = null
+}
+
+variable "tasks_iam_role_description" {
+  description = "Description of the role"
+  type        = string
+  default     = null
+}
+
+variable "tasks_iam_role_max_session_duration" {
+  description = "Maximum session duration (in seconds) for ECS tasks role. Default is 3600."
+  type        = number
+  default     = null
+}
+
+variable "tasks_iam_role_name" {
+  description = "Name to use on IAM role created"
+  type        = string
+  default     = null
+}
+
+variable "tasks_iam_role_path" {
+  description = "IAM role path"
+  type        = string
+  default     = null
+}
+
+variable "tasks_iam_role_permissions_boundary" {
+  description = "ARN of the policy that is used to set the permissions boundary for the IAM role"
+  type        = string
+  default     = null
+}
+
+variable "tasks_iam_role_policies" {
+  description = "Map of additional IAM role policy ARNs to attach to the IAM role"
+  type        = map(string)
+  default     = null
+}
+
+variable "tasks_iam_role_statements" {
+  description = "A map of IAM policy statements <https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement> for custom permission usage"
+  type = list(object({
+    sid           = optional(string)
+    actions       = optional(list(string))
+    not_actions   = optional(list(string))
+    effect        = optional(string)
+    resources     = optional(list(string))
+    not_resources = optional(list(string))
+    principals = optional(list(object({
+      type        = string
+      identifiers = list(string)
+    })))
+    not_principals = optional(list(object({
+      type        = string
+      identifiers = list(string)
+    })))
+    condition = optional(list(object({
+      test     = string
+      values   = list(string)
+      variable = string
+    })))
+  }))
+  default = null
+}
+
+variable "tasks_iam_role_tags" {
+  description = "A map of additional tags to add to the IAM role created"
+  type        = map(string)
+  default     = {}
+}
+
+variable "tasks_iam_role_use_name_prefix" {
+  description = "Determines whether the IAM role name (`tasks_iam_role_name`) is used as a prefix"
+  type        = bool
+  default     = true
+}
+
+variable "timeouts" {
+  description = "Create, update, and delete timeout configurations for the service"
+  type = object({
+    create = optional(string)
+    delete = optional(string)
+    update = optional(string)
+  })
+  default = null
+}
+
+variable "track_latest" {
+  description = "Whether should track latest `ACTIVE` task definition on AWS or the one created with the resource stored in state. Useful in the event the task definition is modified outside of this resource"
+  type        = bool
+  default     = true
+}
+
+variable "triggers" {
+  description = "Map of arbitrary keys and values that, when changed, will trigger an in-place update (redeployment). Useful with `timestamp()`"
+  type        = map(string)
+  default     = null
+}
+
+variable "volume" {
+  description = "Configuration block for volumes that containers in your task may use"
+  type = map(object({
+    configure_at_launch = optional(bool)
+    docker_volume_configuration = optional(object({
+      autoprovision = optional(bool)
+      driver        = optional(string)
+      driver_opts   = optional(map(string))
+      labels        = optional(map(string))
+      scope         = optional(string)
+    }))
+    efs_volume_configuration = optional(object({
+      authorization_config = optional(object({
+        access_point_id = optional(string)
+        iam             = optional(string)
+      }))
+      file_system_id          = string
+      root_directory          = optional(string)
+      transit_encryption      = optional(string)
+      transit_encryption_port = optional(number)
+    }))
+    fsx_windows_file_server_volume_configuration = optional(object({
+      authorization_config = optional(object({
+        credentials_parameter = string
+        domain                = string
+      }))
+      file_system_id = string
+      root_directory = string
+    }))
+    host_path = optional(string)
+    name      = optional(string)
+  }))
+  default = null
+}
+
+variable "volume_configuration" {
+  description = "Configuration for a volume specified in the task definition as a volume that is configured at launch time"
+  type = object({
+    name = string
+    managed_ebs_volume = object({
+      encrypted        = optional(bool)
+      file_system_type = optional(string)
+      iops             = optional(number)
+      kms_key_id       = optional(string)
+      size_in_gb       = optional(number)
+      snapshot_id      = optional(string)
+      tag_specifications = optional(list(object({
+        propagate_tags = optional(string, "TASK_DEFINITION")
+        resource_type  = string
+        tags           = optional(map(string))
+      })))
+      throughput                 = optional(number)
+      volume_initialization_rate = optional(number)
+      volume_type                = optional(string)
+    })
+  })
+  default = null
+}
+
+variable "vpc_id" {
+  description = "The VPC ID where to deploy the task or service. If not provided, the VPC ID is derived from the subnets provided"
+  type        = string
+  default     = null
+}
+
+variable "vpc_lattice_configurations" {
+  description = "The VPC Lattice configuration for your service that allows Lattice to connect, secure, and monitor your service across multiple accounts and VPCs"
+  type = object({
+    role_arn         = string
+    target_group_arn = string
+    port_name        = string
+  })
+  default = null
+}
+
+variable "wait_for_steady_state" {
+  description = "If true, Terraform will wait for the service to reach a steady state before continuing. Default is `false`"
+  type        = bool
+  default     = null
+}
+
+variable "wait_until_stable" {
+  description = "Whether terraform should wait until the task set has reached `STEADY_STATE`"
+  type        = bool
+  default     = null
+}
+
+variable "wait_until_stable_timeout" {
+  description = "Wait timeout for task set to reach `STEADY_STATE`. Valid time units include `ns`, `us` (or µs), `ms`, `s`, `m`, and `h`. Default `10m`"
+  type        = string
+  default     = null
+}
diff --git a/infrastructure/modules/ecs-service/versions.tf b/infrastructure/modules/ecs-service/versions.tf
new file mode 100644
index 0000000..542c57d
--- /dev/null
+++ b/infrastructure/modules/ecs-service/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.13"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.34"
+    }
+  }
+}
diff --git a/scripts/config/gitleaks.toml b/scripts/config/gitleaks.toml
index af5f0bb..8371dcb 100644
--- a/scripts/config/gitleaks.toml
+++ b/scripts/config/gitleaks.toml
@@ -11,8 +11,31 @@ regex = '''[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'''
 [rules.allowlist]
 regexTarget = "match"
 regexes = [
-  # Exclude the private network IPv4 addresses as well as the DNS servers for Google and OpenDNS
-  '''(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}|192\.168\.[0-9]{1,3}\.[0-9]{1,3}|0\.0\.0\.0|255\.255\.255\.255|8\.8\.8\.8|8\.8\.4\.4|208\.67\.222\.222|208\.67\.220\.220)''',
+  # Exclude private/reserved IPv4 addresses and well-known DNS servers used in docs/examples.
+  # Includes RFC5737 TEST-NET ranges: 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24
+  '''(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}|192\.168\.[0-9]{1,3}\.[0-9]{1,3}|192\.0\.2\.[0-9]{1,3}|198\.51\.100\.[0-9]{1,3}|203\.0\.113\.[0-9]{1,3}|0\.0\.0\.0|255\.255\.255\.255|8\.8\.8\.8|8\.8\.4\.4|1\.1\.1\.1|1\.0\.0\.1)''',
+]
+
+[[rules]]
+description = "IPv6"
+id = "ipv6"
+# Matches valid IPv6 forms requiring at least 2 groups on each side of :: to
+# avoid false positives from AWS ARNs (which use :: between region and account).
+#   full:          2001:0db8:85a3:0000:0000:8a2e:0370:7334
+#   compressed:    2001:db8::1, fe80:db8::1
+#   trailing ::    fe80:db8:: (2+ groups required before ::)
+#   leading ::     ::db8:1    (2+ groups required after ::)
+# Note: RE2 does not support lookahead/lookbehind so boundary enforcement is
+# achieved structurally via minimum repetition counts.
+regex = '''(?i)(?:[0-9a-f]{1,4}:){7}[0-9a-f]{1,4}|(?:[0-9a-f]{1,4}:){2,7}:|(?:[0-9a-f]{1,4}:){1,6}:[0-9a-f]{1,4}|(?:[0-9a-f]{1,4}:){1,5}(?::[0-9a-f]{1,4}){1,2}|(?:[0-9a-f]{1,4}:){1,4}(?::[0-9a-f]{1,4}){1,3}|(?:[0-9a-f]{1,4}:){1,3}(?::[0-9a-f]{1,4}){1,4}|(?:[0-9a-f]{1,4}:){1,2}(?::[0-9a-f]{1,4}){1,5}|[0-9a-f]{1,4}:(?::[0-9a-f]{1,4}){1,6}|:(?::[0-9a-f]{1,4}){2,7}'''
+
+[rules.allowlist]
+regexTarget = "match"
+regexes = [
+  # Exclude IPv6 documentation prefixes used in examples.
+  # RFC3849: 2001:db8::/32
+  # RFC9637: 3fff::/20 (3fff:0000:: to 3fff:0fff::)
+  '''(?i)(^|[^0-9a-f])(2001:db8:|3fff:0[0-9a-f]{0,3}:)''',
 ]
 
 [allowlist]