From 6d25844ddbd4827d2bcdb53052fa33c81953cb2f Mon Sep 17 00:00:00 2001
From: pbenefice
Date: Thu, 27 Apr 2023 14:59:55 +0200
Subject: [PATCH] feat: enable ecs exec
---
 README.md | 22 ++++++
 doc/article.md | 68 +++++++++++++++++++
 terraform/modules/ecs/ecs-app.tf | 4 ++
 terraform/modules/ecs/iam.tf | 21 ++++++
 terraform/modules/ecs/outputs.tf | 4 ++
 .../stacks/ecs-with-terraform/outputs.tf | 5 ++
 6 files changed, 124 insertions(+)
diff --git a/README.md b/README.md
index c50c4b8..be25daf 100644
--- a/README.md
+++ b/README.md
@@ -17,3 +17,25 @@ Docker images : [Hashicorp Demo App](https://github.com/hashicorp/demo-consul-101/tree/master)
 https://docs.aws.amazon.com/AmazonECS/latest/bestpracticesguide/networking-connecting-services.html
+
+## Examples
+
+### ECS Exec
+
+From the console gather the ecs cluster name, the task id and the container you want to exec into, then issue the following command :
+
+```
+aws ecs execute-command --cluster \
+ --task \
+ --container \
+ --interactive \
+ --command "/bin/sh"
+```
+
+```
+aws ecs execute-command --cluster ecsWithTf-dev \
+ --task 32f4aaa9555f4a188789226094c70485 \
+ --container myapp \
+ --interactive \
+ --command "/bin/sh"
+```
diff --git a/doc/article.md b/doc/article.md
index 115b6aa..1cc0831 100644
--- a/doc/article.md
+++ b/doc/article.md
@@ -128,3 +128,71 @@ resource "aws_security_group" "myapp" {
 We now have a first container running on aws : ![cluster-1st-container-running](./img/cluster-1st-container-running.png)
+
+## ECS Exec
+
+[ECS Exec](https://docs.aws.amazon.com/en_en/AmazonECS/latest/userguide/ecs-exec.html) est une feature qui permet d'interagir et notamment se connecter dans les containers directement via la cli aws.
+En s'appuyant sur les prerequis détaillés dans le lien précédent, modifions le rôle iam pour y ajouter une policy inline et la définiton de notre task pour activer la feature :
+
+```
+resource "aws_iam_role" "ecs_task_role_myapp" {
+ name = "${local.prefix}-ecs-task-role-${local.app_name}"
+
+ ...
+
+ inline_policy {
+ name = "requirements-for-ecs-exec"
+
+ policy = jsonencode({
+ Version: "2012-10-17",
+ Statement: [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ssmmessages:CreateControlChannel",
+ "ssmmessages:CreateDataChannel",
+ "ssmmessages:OpenControlChannel",
+ "ssmmessages:OpenDataChannel"
+ ],
+ "Resource": "*"
+ }
+ ]
+ })
+ }
+
+}
+
+resource "aws_ecs_task_definition" "myapp" {
+ task_role_arn = aws_iam_role.ecs_task_role_myapp.arn
+
+ ...
+
+ container_definitions = jsonencode([
+ {
+ image = "debian:buster-20230411-slim"
+
+ ...
+
+ linuxParameters = {
+ "initProcessEnabled"= true
+ }
+ }
+ ])
+}
+```
+
+Nous pouvons dés lors utiliser la cli aws pour se connecter directement dans le container Debian. Il suffit de récupérer via la console le nom du cluster ECS, l'id de la task et le nom du container pour forger une commande similaire à :
+
+```shell
+aws ecs execute-command --cluster ecsWithTf-dev \
+ --task 32f4aaa9555f4a188789226094c70485 \
+ --container myapp \
+ --interactive \
+ --command "/bin/sh"
+```
+
+Nous avons un pied directement dans le cluster :
+```
+# uname -a
+Linux ip-10-0-3-184.eu-west-1.compute.internal 5.10.177-158.645.amzn2.x86_64 #1 SMP Thu Apr 6 16:53:11 UTC 2023 x86_64 GNU/Linux
+```
diff --git a/terraform/modules/ecs/ecs-app.tf b/terraform/modules/ecs/ecs-app.tf
index 3c87fac..3bb1d5a 100644
--- a/terraform/modules/ecs/ecs-app.tf
+++ b/terraform/modules/ecs/ecs-app.tf
@@ -14,6 +14,10 @@ resource "aws_ecs_task_definition" "myapp" {
 cpu = 1024
 memory = 2048
 command = [ "sleep", "3600" ]
+
+ linuxParameters = {
+ "initProcessEnabled"= true
+ }
 }
 ])
diff --git a/terraform/modules/ecs/iam.tf b/terraform/modules/ecs/iam.tf
index 93c7b65..0d44872 100644
--- a/terraform/modules/ecs/iam.tf
+++ b/terraform/modules/ecs/iam.tf
@@ -14,5 +14,26 @@ resource "aws_iam_role" "ecs_task_role_myapp" {
 }
 ]
 })
+
+ inline_policy {
+ name = "requirements-for-ecs-exec"
+
+ policy = jsonencode({
+ Version: "2012-10-17",
+ Statement: [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ssmmessages:CreateControlChannel",
+ "ssmmessages:CreateDataChannel",
+ "ssmmessages:OpenControlChannel",
+ "ssmmessages:OpenDataChannel"
+ ],
+ "Resource": "*"
+ }
+ ]
+ })
+ }
+
 }
diff --git a/terraform/modules/ecs/outputs.tf b/terraform/modules/ecs/outputs.tf
index e69de29..a7ac019 100644
--- a/terraform/modules/ecs/outputs.tf
+++ b/terraform/modules/ecs/outputs.tf
@@ -0,0 +1,4 @@
+output "cluster_id" {
+ description = "ID of the created ecs cluster"
+ value = aws_ecs_cluster.this.id
+}
diff --git a/terraform/stacks/ecs-with-terraform/outputs.tf b/terraform/stacks/ecs-with-terraform/outputs.tf
index 58f1722..0ffbacd 100644
--- a/terraform/stacks/ecs-with-terraform/outputs.tf
+++ b/terraform/stacks/ecs-with-terraform/outputs.tf
@@ -7,3 +7,8 @@ output "bastion_id" {
 description = "ID of the ec2 instance created"
 value = module.bastion.instance_id
 }
+
+output "module_ecs" {
+ description = "module ecs"
+ value = module.ecs
+}
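Review bot: The added `"initProcessEnabled"= true` is written with a quoted key and no space before `=`, unlike the sibling attributes of the same container definition (`cpu = 1024`, `memory = 2048`), which use bare HCL keys; inside `jsonencode([...])` a bare key serialises identically, so `initProcessEnabled = true` keeps the block uniform. The enclosing resource "aws_ecs_task_definition" "myapp" starts outside the hunk. The task-definition flag is also only one of the ECS Exec prerequisites: if these tasks are launched through an aws_ecs_service, that service needs `enable_execute_command = true` as well, which this diff does not touch, so it is worth confirming that setting exists or documenting it with a comment above `linuxParameters`.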
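Review bot: The ssmmessages grant on the task role is only the in-task half of ECS Exec; nothing in this hunk records who may open a session or whether sessions are logged, which are controlled by `ecs:ExecuteCommand` on the calling principals and by the cluster's `configuration { execute_command_configuration { logging = ... } }` (with the default setting, sessions are logged only if the container definition carries an awslogs logConfiguration). Neither is visible in this diff, so a comment above `inline_policy` such as `# ECS Exec: callers also need ecs:ExecuteCommand; enable session logging on aws_ecs_cluster.this via execute_command_configuration` would make the dependency explicit for the next maintainer. The policy body also mixes unquoted `Version:`/`Statement:` keys with quoted `"Effect":`/`"Action":` keys in the same `jsonencode` map; writing them uniformly as HCL attributes (`Version = "2012-10-17"`, `Effect = "Allow"`) reads more consistently. The same snippet is reproduced in the doc/article.md hunk. Note that `inline_policy` is deprecated in newer AWS provider major versions in favour of a separate aws_iam_role_policy resource, so that move is worth planning if the provider is upgraded.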
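Review bot: `output "module_ecs"` exports the whole module object instead of a named value, so every output the module gains later is silently surfaced at the root (and written to state), and the description `"module ecs"` tells a reader nothing; it also departs from the sibling `bastion_id` output, which exposes exactly one attribute. Since the module side of this diff adds only `cluster_id`, a targeted output keeps the stack's interface explicit: `output "ecs_cluster_id" { description = "ID of the created ecs cluster" value = module.ecs.cluster_id }`. If a module output is later marked sensitive, Terraform will refuse to pass it through an aggregate root output that is not itself marked `sensitive = true`, which is a further reason to name outputs individually.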