Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
11 changed files
with
253 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,130 @@ | ||
# ECS with terraform | ||
|
||
## Prerequis | ||
|
||
Nous considérerons ici que certains éléments existent déjà dans le compte AWS ou nous ferons nos tests. Notamment un VPC configuré avec des réseaux privé ayant un accès a internet via une NAT Gateway. | ||
Le repository de démonstration contient du code permettant de mettre en place ces prerequis si necessaire. | ||
|
||
## Cluster et 1er container | ||
|
||
Commençons par créer le cluster et faire tourner un simple container dessus. | ||
Il nous faut donc : | ||
- un cluster et un log group associé, | ||
- un service & une task definition, | ||
- un rôle iam (qui permettra à terme de donner des droits au container), | ||
- un security group | ||
|
||
Nous prendrons une image Debian pour faciliter les tests dans un premier temps. Le code ressemble donc à : | ||
|
||
```terraform | ||
locals { | ||
prefix = "${var.project_prefix}-${var.env}" | ||
app_name = "myapp" | ||
} | ||
resource "aws_cloudwatch_log_group" "ecs_cluster" { | ||
name = "${local.prefix}-ecs-cluster" | ||
} | ||
resource "aws_ecs_cluster" "this" { | ||
name = local.prefix | ||
configuration { | ||
execute_command_configuration { | ||
logging = "OVERRIDE" | ||
log_configuration { | ||
cloud_watch_log_group_name = aws_cloudwatch_log_group.ecs_cluster.name | ||
} | ||
} | ||
} | ||
} | ||
resource "aws_ecs_task_definition" "myapp" { | ||
family = "${local.prefix}-${local.app_name}" | ||
requires_compatibilities = ["FARGATE"] | ||
network_mode = "awsvpc" | ||
cpu = 1024 | ||
memory = 2048 | ||
task_role_arn = aws_iam_role.ecs_task_role_myapp.arn | ||
container_definitions = jsonencode([ | ||
{ | ||
name = local.app_name | ||
image = "debian:buster-20230411-slim" | ||
cpu = 1024 | ||
memory = 2048 | ||
command = [ "sleep", "3600" ], | ||
linuxParameters = { | ||
"initProcessEnabled"= true | ||
} | ||
} | ||
]) | ||
runtime_platform { | ||
operating_system_family = "LINUX" | ||
cpu_architecture = "X86_64" | ||
} | ||
} | ||
resource "aws_ecs_service" "myapp" { | ||
name = "${local.prefix}-${local.app_name}" | ||
cluster = aws_ecs_cluster.this.id | ||
task_definition = aws_ecs_task_definition.myapp.arn | ||
desired_count = 1 | ||
enable_execute_command = true | ||
launch_type = "FARGATE" | ||
network_configuration { | ||
subnets = var.private_subnets | ||
security_groups = [aws_security_group.myapp.id] | ||
assign_public_ip = false | ||
} | ||
} | ||
resource "aws_iam_role" "ecs_task_role_myapp" { | ||
name = "${local.prefix}-ecs-task-role-${local.app_name}" | ||
assume_role_policy = jsonencode({ | ||
Version = "2012-10-17" | ||
Statement = [ | ||
{ | ||
Action = "sts:AssumeRole" | ||
Effect = "Allow" | ||
Sid = "" | ||
Principal = { | ||
Service = "ecs-tasks.amazonaws.com" | ||
} | ||
} | ||
] | ||
}) | ||
inline_policy { | ||
name = "requirements-for-ecs-exec" | ||
policy = jsonencode({ | ||
Version: "2012-10-17", | ||
Statement: [] | ||
}) | ||
} | ||
} | ||
resource "aws_security_group" "myapp" { | ||
name = "${local.prefix}-ecs-${local.app_name}" | ||
description = "manage rules for ${local.app_name} ecs service" | ||
vpc_id = var.vpc_id | ||
egress { | ||
from_port = 0 | ||
to_port = 0 | ||
protocol = "-1" | ||
cidr_blocks = ["0.0.0.0/0"] | ||
ipv6_cidr_blocks = ["::/0"] | ||
} | ||
} | ||
``` | ||
|
||
We now have a first container running on aws : | ||
![cluster-1st-container-running](./img/cluster-1st-container-running.png) |
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
# ecs-global | ||
|
||
Define common ecs resource like ecs cluster or s3 bucket to store artifacts. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
resource "aws_ecs_task_definition" "myapp" { | ||
family = "${local.prefix}-${local.app_name}" | ||
requires_compatibilities = ["FARGATE"] | ||
network_mode = "awsvpc" | ||
cpu = 1024 | ||
memory = 2048 | ||
|
||
task_role_arn = aws_iam_role.ecs_task_role_myapp.arn | ||
|
||
container_definitions = jsonencode([ | ||
{ | ||
name = local.app_name | ||
image = "debian:buster-20230411-slim" | ||
cpu = 1024 | ||
memory = 2048 | ||
command = [ "sleep", "3600" ] | ||
} | ||
]) | ||
|
||
runtime_platform { | ||
operating_system_family = "LINUX" | ||
cpu_architecture = "X86_64" | ||
} | ||
} | ||
|
||
resource "aws_ecs_service" "myapp" { | ||
name = "${local.prefix}-${local.app_name}" | ||
cluster = aws_ecs_cluster.this.id | ||
task_definition = aws_ecs_task_definition.myapp.arn | ||
desired_count = 1 | ||
|
||
enable_execute_command = true | ||
|
||
launch_type = "FARGATE" | ||
|
||
network_configuration { | ||
subnets = var.private_subnets | ||
security_groups = [aws_security_group.myapp.id] | ||
assign_public_ip = false | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
resource "aws_cloudwatch_log_group" "ecs_cluster" { | ||
name = "${local.prefix}-ecs-cluster" | ||
} | ||
|
||
resource "aws_ecs_cluster" "this" { | ||
name = local.prefix | ||
|
||
configuration { | ||
execute_command_configuration { | ||
logging = "OVERRIDE" | ||
|
||
log_configuration { | ||
cloud_watch_log_group_name = aws_cloudwatch_log_group.ecs_cluster.name | ||
} | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
resource "aws_iam_role" "ecs_task_role_myapp" { | ||
name = "${local.prefix}-ecs-task-role-${local.app_name}" | ||
|
||
assume_role_policy = jsonencode({ | ||
Version = "2012-10-17" | ||
Statement = [ | ||
{ | ||
Action = "sts:AssumeRole" | ||
Effect = "Allow" | ||
Sid = "" | ||
Principal = { | ||
Service = "ecs-tasks.amazonaws.com" | ||
} | ||
} | ||
] | ||
}) | ||
} | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
locals { | ||
prefix = "${var.project_prefix}-${var.env}" | ||
app_name = "myapp" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
resource "aws_security_group" "myapp" { | ||
name = "${local.prefix}-ecs-${local.app_name}" | ||
description = "manage rules for ${local.app_name} ecs service" | ||
vpc_id = var.vpc_id | ||
|
||
egress { | ||
from_port = 0 | ||
to_port = 0 | ||
protocol = "-1" | ||
cidr_blocks = ["0.0.0.0/0"] | ||
ipv6_cidr_blocks = ["::/0"] | ||
} | ||
} |
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
variable "env" { | ||
description = "The env" | ||
type = string | ||
} | ||
variable "project_prefix" { | ||
description = "The prefix to use for naming resources, used in conjonction with env" | ||
type = string | ||
default = "ec2_ssm" | ||
} | ||
|
||
variable "vpc_id" { | ||
type = string | ||
description = "The id of the VPC to use" | ||
} | ||
variable "private_subnets" { | ||
type = list(string) | ||
description = "The list of ids of the private_subnets to use" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters