From 08c046b3b0050be90e8f2555d47b1876971c4e4a Mon Sep 17 00:00:00 2001 From: Paul Glass Date: Mon, 24 Jan 2022 17:43:20 -0600 Subject: [PATCH] docs: Manual secure configuration for ECS --- website/content/docs/ecs/index.mdx | 6 +- .../docs/ecs/manual/acl-controller.mdx | 213 +++++++++++++++++ .../install.mdx} | 37 ++- .../docs/ecs/manual/secure-configuration.mdx | 215 ++++++++++++++++++ website/content/docs/ecs/requirements.mdx | 4 +- .../docs/ecs/{ => terraform}/install.mdx | 2 +- .../migrate-existing-tasks.mdx | 4 +- .../secure-configuration.mdx} | 10 +- website/data/docs-nav-data.json | 42 +++- 9 files changed, 501 insertions(+), 32 deletions(-) create mode 100644 website/content/docs/ecs/manual/acl-controller.mdx rename website/content/docs/ecs/{manual-installation.mdx => manual/install.mdx} (92%) create mode 100644 website/content/docs/ecs/manual/secure-configuration.mdx rename website/content/docs/ecs/{ => terraform}/install.mdx (99%) rename website/content/docs/ecs/{ => terraform}/migrate-existing-tasks.mdx (96%) rename website/content/docs/ecs/{production-installation.mdx => terraform/secure-configuration.mdx} (92%) diff --git a/website/content/docs/ecs/index.mdx b/website/content/docs/ecs/index.mdx index 1078d65c76..cf9e638160 100644 --- a/website/content/docs/ecs/index.mdx +++ b/website/content/docs/ecs/index.mdx @@ -9,7 +9,8 @@ description: >- # AWS ECS Consul service mesh applications can be deployed on [AWS Elastic Container Service](https://aws.amazon.com/ecs/) (ECS) -using our official Terraform modules. +using either our official [Terraform modules](/docs/ecs/terraform/install) or without Terraform by [manually configuring +the task definition](/docs/ecs/manual/install). ## Service Mesh @@ -37,4 +38,5 @@ There are several ways to get started with Consul with ECS. * The [Consul with Dev Server on Fargate](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/examples/dev-server-fargate) example installation deploys a sample application in ECS using the Fargate launch type. * The [Consul with Dev Server on EC2](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/examples/dev-server-ec2) example installation deploys a sample application in ECS using the EC2 launch type. -See the [Requirements](/docs/ecs/requirements) and the full [Install Guide](/docs/ecs/install) when you're ready to install Consul on an existing ECS cluster and add existing tasks to the service mesh. +See the [Requirements](/docs/ecs/requirements) and then choose whether to [install with Terraform](/docs/ecs/terraform/install) or [install without Terraform](/docs/ecs/manual/install) +when you're ready to install Consul on an existing ECS cluster and add tasks to the service mesh. diff --git a/website/content/docs/ecs/manual/acl-controller.mdx b/website/content/docs/ecs/manual/acl-controller.mdx new file mode 100644 index 0000000000..7264ea4f2d --- /dev/null +++ b/website/content/docs/ecs/manual/acl-controller.mdx @@ -0,0 +1,213 @@ +--- +layout: docs +page_title: ACL Controller - AWS ECS +description: >- + Manual Deployment of the ACL Controller for Consul Service Mesh on AWS ECS (Elastic Container Service). +--- + +# Install the ACL Controller + +This topic describes how to manually deploy the ACL controller to [automatically provision ACL tokens](/docs/ecs/architecture#automatic-acl-token-provisioning) for Consul on ECS. +If you are using Terraform, refer to the [Terraform Secure Configuration](/docs/ecs/terraform/secure-configuration) page to deploy the ACL controller. + +## Prerequisites + +* Your application tasks must include certain tags to be compatible with the ACL controller. +Refer to the [Task Tags](/docs/ecs/manual/install#task-tags) section of the installation page. +* You should be familiar with configuring Consul's secure features, including how to create ACL tokens and policies. Refer to the following [Learn Guides](https://learn.hashicorp.com/collections/consul/security) for an introduction and the [ACL system](/docs/security/acl) documentation for more information. + +## Setup AWS Secrets Manager + +The ACL controller supports managing secrets in AWS Secrets Manager. + +Before deploying the ACL controller for the first time, you must [create the following secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html) from Consul in AWS Secrets Manager. + +| Secret | Initial Value | Sample Secret Name | +| --------------------- | -------------- | ------------------------------ | +| Consul server CA cert | Set | `my-consul-ca-cert` | +| Bootstrap ACL Token | Set | `my-consul-bootstrap-token` | +| Consul Client ACL Token | Empty | `-consul-client-token` | + +The secret for the client token must be intially empty. The ACL controller creates the client token in Consul +and stores the token in Secrets Manager. In the secret name, `` should be replaced with the +[secret name prefix](/docs/ecs/manual/acl-controller#secret-name-prefix) of your choice. + +### Secret Name Prefix + +The ACL controller requires that the secrets it reads and writes are named with a unique prefix. The name prefix is used +in the [Task Role Policy](/docs/ecs/manual/acl-controller#task-role-policy) to limit the ACL controller's access within +AWS Secrets Manager to only those secrets strictly needed by the ACL controller. + +The name prefix should be unique among secrets your AWS account. We recommend a short (8 character) random +string for the prefix. + +-> **NOTE:** If you are using the ACL controller with multiple ECS clusters, each cluster requires +its own instance of the ACL controller, and each instance of the ACL controller should have a unique +name prefix. + +## Task Definition + +You must create a task definition to deploy the ACL controller in your ECS cluster. +The ACL controller must run in the same ECS cluster hosting your service mesh application +tasks. + +The following example shows how the task definition should be configured for the ACL controller. + +```json +{ + "family": "my-consul-acl-controller". + "networkMode": "awsvpc", + "containerDefinitions": [ + { + "name": "acl-controller", + "image": "public.ecr.aws/hashicorp/consul-ecs:", + "essential": true, + "command": [ + "acl-controller", + "-consul-client-secret-arn", "arn:aws:secretsmanager:us-west-2:000000000000:secret:-consul-client-token", + "-secret-name-prefix", "", + ], + "secrets": [ + { + "name": "CONSUL_HTTP_TOKEN", + "valueFrom": "arn:aws:secretsmanager:us-west-2:000000000000:secret:my-consul-bootstrap-token" + }, + { + "name": "CONSUL_CACERT_PEM", + "valueFrom": "arn:aws:secretsmanager:us-west-2:000000000000:secret:my-consul-ca-cert" + } + ], + "environment": [ + { + "name": "CONSUL_HTTP_ADDR", + "value": "" + } + ] + } + ] +} +``` + +You must include the following top-level fields. + +| Field name | Type | Description | +| ----------- | ------- | ---------------------------------------------------------------------------- | +| `family` | string | The task family name of your choice. | +| `networkMode` | string | Must be `awsvpc`, which is the only network mode supported by Consul on ECS. | + +In the `containerDefinitions` list, include one container with the following fields. + +| Field name | Type | Description | +| ----------- | ------- | -------------------------------------------------------------------------------------------------------------------------------- | +| `name` | string | The container name, which should be `acl-controller` | +| `image` | string | The `consul-ecs` image. Use our public AWS registry, `public.ecr.aws/hashicorp/consul-ecs`, to avoid rate limits. | +| `command` | list | Must be set as shown. The startup command for the ACL controller. | +| `essential` | boolean | Must be `true` to ensure the container health ties into the health of the task. | +| `secrets` | list | Must have `CONSUL_HTTP_TOKEN` set to the ACL bootstrap token and `CONSUL_CACERT_PEM` set to the Consul server CA certificate. | +| `environment` | string | Must set the `CONSUL_HTTP_ADDR` environment variable to the address of the HTTP API of your Consul servers. | + +The following CLI options are required in the `command` field of the container definition. + +| Flag | Type | Description | +| --------------------------- | ------- | -------------------------------------------------------------------------------------------------------------------- | +| `-consul-client-secret-arn` | string | The secret where the ACL controller will store the Consul client token. | +| `-secret-name-prefix` | string | The [secret name prefix](/docs/ecs/manual/acl-controller#secret-name-prefix) that you chose for this ACL controller. | + +## ECS Service + +Once the task definition is created, define an ECS service in order to start an ACL controller task. + +The following example contains the recommended settings for the ACL controller. Refer to +the [ECS service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service_definition_parameters.html) documentation +to complete the remaining details for your use case. + +```json +{ + "cluster": "" + "desiredCount": 1, + "launchType": "FARGATE", + "serviceName": "my-acl-controller", + "taskDefinition": "", + ... +} +``` + +| Field name | Type | Description | +| ---------------- | ------- | ---------------------------------------------------------------------------------------------------------------- | +| `cluster` | string | Set to your ECS cluster name or ARN. This must be the same ECS cluster where your service mesh applications run. | +| `desiredCount` | integer | Must be 1. Only one instance of the ACL controller should run per ECS cluster. | +| `launchType` | string | Consul on ECS supports both the `FARGATE` and `EC2` launch types. | +| `serviceName` | string | The service name of your choice. | +| `taskDefinition` | string | Must be set to the ACL controller [task definition](/docs/ecs/manual/acl-controller#task-definition). | + +## AWS IAM Roles + +The ECS task and execution roles must be configured to allow the ACL controller access +to the ECS API and Secrets Manager API. + +### Task Role Policy + +The following example shows the policy needed for the ECS task role for the ACL controller. +This grants the ACL controller permission to list tasks, describe tasks, and read and update +secrets. + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ecs:ListTasks", + "ecs:DescribeTasks" + ], + "Resource": ["*"] + }, + { + "Effect": "Allow", + "Action": [ + "secretsmanager:GetSecretValue", + "secretsmanager:UpdateSecret" + ], + "Resource": [ + "arn:aws:secretsmanager:us-west-2:000000000000:secret:-*" + ] + } + ] +} +``` + +The following are the required permissions. You will need to substitute `` with your chosen [name prefix](/docs/ecs/manual/acl-controller#secret-name-prefix). + +| Action | Resource | Description | +| ------------------------------- | ----------------------------------------------------------------- | ---------------------------------------------------------------------------------- | +| `ecs:ListTasks` | `*` | Allow the ACL controller to watch for new tasks. | +| `ecs:DescribeTasks` | `*` | Allow the ACL controller to retrieve details for new tasks. | +| `secretsmanager:GetSecretValue` | `arn:aws:secretsmanager:us-west-2:000000000000:secret:-*` | Allow the ACL controller to read secrets with a name prefix. | +| `secretsmanager:UpdateSecret` | `arn:aws:secretsmanager:us-west-2:000000000000:secret:-*` | Allow the ACL controller to store Consul ACL tokens in secrets with a name prefix. | + +### Execution Role Policy + +The following IAM policy document allows ECS to retrieve secrets needed +to start the ACL controller task from AWS Secrets Manager, including the ACL +bootstrap token. + +The following example shows the policy needed for the execution role. + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Resource": [ + "arn:aws:secretsmanager:us-west-2:000000000000:secret:my-consul-bootstrap-token", + "arn:aws:secretsmanager:us-west-2:000000000000:secret:-consul-client-token" + ] + } + ] +} +``` diff --git a/website/content/docs/ecs/manual-installation.mdx b/website/content/docs/ecs/manual/install.mdx similarity index 92% rename from website/content/docs/ecs/manual-installation.mdx rename to website/content/docs/ecs/manual/install.mdx index 31e57eac3f..87b98ed86f 100644 --- a/website/content/docs/ecs/manual-installation.mdx +++ b/website/content/docs/ecs/manual/install.mdx @@ -7,7 +7,7 @@ description: >- # Manual Installation -The following instructions describe how to manually create the ECS task definition using the [`consul-ecs` Docker image](https://gallery.ecr.aws/hashicorp/consul-ecs) without Terraform. Refer to the [Consul ECS Terraform module](/docs/ecs/install) documentation for an alternative method for installing Consul on ECS. +The following instructions describe how to manually create the ECS task definition using the [`consul-ecs` Docker image](https://gallery.ecr.aws/hashicorp/consul-ecs) without Terraform. Refer to the [Consul ECS Terraform module](/docs/ecs/terraform/install) documentation for an alternative method for installing Consul on ECS. This topic does not include instructions for creating all AWS resources necessary to install Consul, such as a VPC or the ECS cluster. Refer to the linked guides in the [Getting Started](/docs/ecs#getting-started) section for complete, runnable examples. @@ -47,6 +47,16 @@ during task startup. } ], "containerDefinitions": [...] + "tags": [ + { + "key": "consul.hashicorp.com/mesh", + "value": "true" + }, + { + "key": "consul.hashicorp.com/service-name", + "value": "example-client-app" + } + ] } ``` @@ -57,6 +67,16 @@ during task startup. | `volumes` | list | Must be defined as shown above. Volumes are used to share configuration between containers for intial task setup. | | `containerDefinitions` | list | The list of containers to run in this task (see [Application container](#application-container)). | +### Task Tags + +The `tags` list must include the following if you are using the ACL controller in a [secure configuration](/docs/manual/secure-configuration). +Without these tags, the ACL controller will be unable to provision a service token for the task. + +| Tag Key | Tag Value | Description | +| ----------------------------------- | ------------------- | -------------------------------------------------------------------------------------------------------------------------- | +| `consul.hashicorp.com/mesh` | `true` (string) | The ACL controller ignores tasks without this tag set to `true`. | +| `consul.hashicorp.com/service-name` | Consul service name | Specifies the Consul service associated with this task. Required if the service name is different than the task `family`. | + ## Application container First, include your application container in the `containerDefinitions` list @@ -339,13 +359,13 @@ configuration to a shared volume. -| Field name | Type | Description | -| ----------- | ------- | ------------------------------------------------------------------------------------------------------------------- | -| `name` | string | The container name should be `consul-ecs-mesh-init`. | -| `image` | string | The `consul-ecs` image. Use our public AWS registry, `public.ecr.aws/hashicorp/consul-ecs`, to avoid rate limits. | -| `mountPoints` | list | Must be set as show above, so the `consul` and `consul-ecs` binaries can be shared among containers for task setup. | -| `command` | list | Set the `["mesh-init"]` so that the container runs the `consul-ecs mesh-init` command. | -| `environment` | list | This must include the [`CONSUL_ECS_CONFIG_JSON`](/docs/ecs/manual-installation#consul_ecs_config_json) variable. See below for details. | +| Field name | Type | Description | +| ----------- | ------- | --------------------------------------------------------------------------------------------------------------------------------------- | +| `name` | string | The container name should be `consul-ecs-mesh-init`. | +| `image` | string | The `consul-ecs` image. Use our public AWS registry, `public.ecr.aws/hashicorp/consul-ecs`, to avoid rate limits. | +| `mountPoints` | list | Must be set as show above, so the `consul` and `consul-ecs` binaries can be shared among containers for task setup. | +| `command` | list | Set to `["mesh-init"]` so that the container runs the `consul-ecs mesh-init` command. | +| `environment` | list | This must include the [`CONSUL_ECS_CONFIG_JSON`](/docs/ecs/manual-installation#consul_ecs_config_json) variable. See below for details. | ### `CONSUL_ECS_CONFIG_JSON` @@ -529,3 +549,4 @@ and `consul-ecs-mesh-init` containers. * Create the task definition using the [AWS Console](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html) or the [AWS CLI](https://docs.aws.amazon.com/cli/latest/reference/ecs/register-task-definition.html), or another method of your choice. * Create an [ECS Service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html) to start tasks using the task definition. +* Follow the [Secure Configration](/docs/ecs/manual/secure-configuration) to get production-ready. diff --git a/website/content/docs/ecs/manual/secure-configuration.mdx b/website/content/docs/ecs/manual/secure-configuration.mdx new file mode 100644 index 0000000000..57b12467c1 --- /dev/null +++ b/website/content/docs/ecs/manual/secure-configuration.mdx @@ -0,0 +1,215 @@ +--- +layout: docs +page_title: Secure Configuration - AWS ECS +description: >- + Manual Secure Confguration of the Consul Service Mesh on AWS ECS (Elastic Container Service). +--- + +# Secure Configuration + +For a production-ready installation of Consul on ECS, you will need to make sure that the cluster is secured. +A secure Consul cluster should include the following: + +1. [TLS Encryption](/docs/security/encryption#rpc-encryption-with-tls) for RPC communication between Consul clients and servers. +1. [Gossip Encryption](/docs/security/encryption#gossip-encryption) for encrypting gossip traffic. +1. [Access Control (ACLs)](/docs/security/acl) for authentication and authorization for Consul clients and services on the mesh. + +-> **NOTE:** This page assumes that you have already configured your Consul server with the above features. + +## Prerequisites + +* You should already have followed the [installation instructions](/docs/ecs/manual/install) to understand how to define +the necessary components of the task definition for Consul on ECS. +* You should be familiar with [specifying sensitive data](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) on ECS. +* You should be familiar with configuring Consul's secure features, including how to create ACL tokens and policies. Refer to the following [Learn Guides](https://learn.hashicorp.com/collections/consul/security) for an introduction and the [ACL system](/docs/security/acl) documentation for more information. + +## ACL Tokens + +You must create two types of ACL tokens for Consul on ECS: + +* **Client tokens:** used by the `consul-client` containers to join the Consul cluster +* **Service tokens:** used by sidecar containers for service registration and health syncing + +The following sections describe the ACL polices which must be associated with these token types. + +-> **NOTE:** This section describes how operators would create ACL tokens by hand. To ease operator +burden, the ACL Controller can automatically create ACL tokens for Consul on ECS. Refer to the +[ACL Controller](/docs/manual/acl-controller) page for installation details. + +### Create Consul client token + +You must create a token for the Consul client. This is a shared token used by the `consul-client` +containers to join the Consul cluster. + +The following is the ACL policy needed for the Consul client token: + +```hcl +node_prefix "" { + policy = "write" +} +service_prefix "" { + policy = "read" +} +``` + +This policy allows `node:write` for any node name, which is necessary because the Consul node +names on ECS are not known until runtime. + +### Create service tokens + +Service tokens should be associated with a [service identity](https://www.consul.io/docs/security/acl/acl-system#acl-service-identities). +The service identity includes `service:write` permissions for the service and sidecar proxy. + +The following example shows how to use the Consul CLI to create a service token for a service named `example-client-app`: + +```shell +consul acl token create -service-identity=example-client-app ... +``` + +-> **NOTE**: You will need to create one service token for each registered Consul service in ECS, +including when new services are added to the service mesh. + +## Secret storage + +You should securely store the following secrets in order to make them available to ECS tasks. + +1. Consul Server CA certificate +2. Consul gossip encryption key +3. Consul client ACL token +4. Consul service ACL tokens (one per service) + +These secrets can be securely stored and passed to ECS tasks using either of the following AWS secret services: + +* [AWS Systems Manager Parameter Store](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data-parameters.html) +* [AWS Secrets Manager](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data-secrets.html) + +Once the secrets are stored they can be referenced using their ARN. The following shows +example secret ARNs when using AWS Secrets Manager: + +| Secret | Sample Secret ARN | +| ---------------------- | ---------------------------------------------------------------------------------- | +| Consul Server CA Cert | `arn:aws:secretsmanager:us-west-2:000000000000:secret:my-consul-ca-cert` | +| Gossip encryption key | `arn:aws:secretsmanager:us-west-2:000000000000:secret:my-consul-gossip-key` | +| Client token | `arn:aws:secretsmanager:us-west-2:000000000000:secret:my-consul-client-token` | +| Service token | `arn:aws:secretsmanager:us-west-2:000000000000:secret:my-example-client-app-token` | + +## Configure `consul-client` + +The following secrets must be passed to the `consul-client` container: + +* Consul server CA certificate +* Gossip encryption key +* Consul client ACL token + +The following example shows how to include these secrets in the task definition. The `secrets` +list specifies environment variable `name`s that will be set to the secret values for this container. +ECS automatically fetches the secret values specified in the `valueFrom` fields during task provisioning. + +```json +{ + "containerDefinitions": [ + { + "name": "consul-client" + "image": "public.ecr.aws/hashicorp/consul:", + "secrets": [ + { + "name": "CONSUL_CACERT", + "valueFrom": "arn:aws:secretsmanager:us-west-2:000000000000:secret:my-consul-ca-cert" + }, + { + "name": "CONSUL_GOSSIP_ENCRYPTION_KEY", + "valueFrom": "arn:aws:secretsmanager:us-west-2:000000000000:secret:my-consul-gossip-key" + }, + { + "name": "AGENT_TOKEN", + "valueFrom": "arn:aws:secretsmanager:us-west-2:000000000000:secret:my-consul-client-token" + } + ] + }, + ... + ] +} +``` + +Next, update Consul configuration options to pass the secrets to the Consul client. + +The following is an example of the *additional* content to include in the `consul-client` startup script. Refer to the [install +page](/docs/ecs/manual/install#consul-client-container) for the remainder of the startup script and how to pass this +script to the container. + + + +```shell +... + +# Write the CA Cert to a file +echo "$CONSUL_CACERT" > /tmp/consul-ca-cert.pem + +# Write the Consul agent configuration file. +cat << EOF > /consul/agent-defaults.hcl +... + +# Configure gossip encryption key +encrypt = "$CONSUL_GOSSIP_ENCRYPTION_KEY" + +# Configure TLS settings +auto_encrypt = { + tls = true + ip_san = ["$ECS_IPV4"] +} +ca_file = "/tmp/consul-ca-cert.pem" +verify_outgoing = true + +# Configure ACLs +acl { + enabled = true + default_policy = "deny" + down_policy = "async-cache" + tokens { + agent = "$AGENT_TOKEN" + } +} + +EOF +``` + + + +The following are the additional fields that must be included in the Consul client configuration file. + +| Field name | Type | Description | +| --------------------------------------------------------- | ------- | ------------------------------------------------------------------------------------ | +| [`encrypt`](/docs/agent/options#_encrypt) | string | Specifies the gossip encryption key | +| [`ca_file`](/docs/agent/options#ca_file) | string | Specifies the Consul server CA cert for TLS verification. | +| [`acl.enabled`](/docs/agent/options#acl_enabled) | boolen | Enable ACLs for this agent. | +| [`acl.tokens.agent`](/docs/agent/options#acl_tokens_agent) | string | Specifies the Consul client token which authorizes this agent with Consul servers. | + +## Configure `consul-ecs-mesh-init` and `consul-ecs-health-sync` + +Both `consul-ecs-mesh-init` and `consul-ecs-health-sync` containers need to be configured with +the service ACL token. This allows these containers to make HTTP API requests to the local +Consul client for service registration and health syncing. + +The following shows how to set the `CONSUL_HTTP_TOKEN` variable to the service token for the `example-client-app` service, +if the token is stored in AWS Secrets Manager. + + + +```json +{ + "containerDefinitions": [ + { + "secrets": [ + { + "name": "CONSUL_HTTP_TOKEN", + "valueFrom": "arn:aws:secretsmanager:us-west-2:000000000000:secret:my-example-client-app-token" + } + ] + }, + ... + ], + ... +} +``` + + diff --git a/website/content/docs/ecs/requirements.mdx b/website/content/docs/ecs/requirements.mdx index faedb2f2a3..972b545a56 100644 --- a/website/content/docs/ecs/requirements.mdx +++ b/website/content/docs/ecs/requirements.mdx @@ -15,9 +15,9 @@ The following requirements must be met in order to install Consul on ECS: 1. **ACL Controller:** If you are running a secure Consul installation with ACLs enabled, configure the ACL controller. 1. **Sidecar containers:** Consul on ECS requires two sidecar containers to run in each ECS task: a Consul agent container and a sidecar proxy container. These additional sidecar containers must - be included in the ECS task definition. The [Consul ECS Terraform module](/docs/ecs/install) + be included in the ECS task definition. The [Consul ECS Terraform module](/docs/ecs/terraform/install) will include these sidecar containers for you. If you do not use Terraform, you can construct - the task definition yourself by following [our documentation](/docs/ecs/manual-installation). + the task definition yourself by following [our documentation](/docs/ecs/manual/install). 1. **Routing:** With your application running in tasks as part of the mesh, you must specify the upstream services that your application calls. You will also need to change the URLs your application uses to ensure the application is making requests through the service mesh. diff --git a/website/content/docs/ecs/install.mdx b/website/content/docs/ecs/terraform/install.mdx similarity index 99% rename from website/content/docs/ecs/install.mdx rename to website/content/docs/ecs/terraform/install.mdx index ce51332b59..6d98026667 100644 --- a/website/content/docs/ecs/install.mdx +++ b/website/content/docs/ecs/terraform/install.mdx @@ -268,7 +268,7 @@ python manage.py runserver "127.0.0.1:8080" ## Next Steps -- Configure a secure [Production Installation](/docs/ecs/production-installation). +- Follow the [Secure Configuration](/docs/ecs/secure-configuration) to get production-ready. - Now that your applications are running in the service mesh, read about other [Service Mesh features](/docs/connect). - View the [Architecture](/docs/ecs/architecture) documentation to understand diff --git a/website/content/docs/ecs/migrate-existing-tasks.mdx b/website/content/docs/ecs/terraform/migrate-existing-tasks.mdx similarity index 96% rename from website/content/docs/ecs/migrate-existing-tasks.mdx rename to website/content/docs/ecs/terraform/migrate-existing-tasks.mdx index 0d6a069233..7281a7a11b 100644 --- a/website/content/docs/ecs/migrate-existing-tasks.mdx +++ b/website/content/docs/ecs/terraform/migrate-existing-tasks.mdx @@ -90,7 +90,7 @@ module "my_task" { } ] - port = "9090" + port = 9090 retry_join = ["
"] } ``` @@ -111,5 +111,5 @@ resource. Now that your task(s) are migrated to the `mesh-task` module, -- Start at the [ECS Service section](/docs/ecs/install#ecs-service) of the Installation Guide to continue installing Consul on ECS. +- Start at the [ECS Service section](/docs/ecs/terraform/install#ecs-service) of the Installation Guide to continue installing Consul on ECS. - Refer to the [`mesh-task` reference documentation](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/mesh-task?tab=inputs) for all available inputs to your mesh tasks. diff --git a/website/content/docs/ecs/production-installation.mdx b/website/content/docs/ecs/terraform/secure-configuration.mdx similarity index 92% rename from website/content/docs/ecs/production-installation.mdx rename to website/content/docs/ecs/terraform/secure-configuration.mdx index 9c8c6c6e6c..0d6e9ef483 100644 --- a/website/content/docs/ecs/production-installation.mdx +++ b/website/content/docs/ecs/terraform/secure-configuration.mdx @@ -1,11 +1,11 @@ --- layout: docs -page_title: Production Installation - AWS ECS +page_title: Secure Configuration - AWS ECS description: >- - Production Installation of the Consul Service Mesh on AWS ECS (Elastic Container Service). + Secure Configuration of the Consul Service Mesh on AWS ECS (Elastic Container Service) with Terraform. --- -# Production Installation +# Secure Configuration For a production-ready installation of Consul on ECS, you will need to make sure that the cluster is secured. A secure Consul cluster should include the following: @@ -68,7 +68,7 @@ deploying this controller. ## Deploy Services Once the ACL controller is up and running, you will be able to deploy services on the mesh using the [`mesh-task` module](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/mesh-task). -Start with the basic configuration for the [Task Module](/docs/ecs/install#task-module) and specify additional settings to make the configuration production-ready. +Start with the basic configuration for the [Task Module](/docs/ecs/terraform/install#task-module) and specify additional settings to make the configuration production-ready. First, you will need to create an AWS Secrets Manager secret for the gossip encryption key that the Consul clients should use. @@ -104,5 +104,5 @@ module "my_task" { } ``` -Now you can deploy your services! Follow the rest of the steps in the [Installation instructions](/docs/ecs/install#task-module) +Now you can deploy your services! Follow the rest of the steps in the [Installation instructions](/docs/ecs/terraform/install#task-module) to deploy and connect your services. diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index 3e1566d563..e55bf32d1a 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -612,16 +612,38 @@ "path": "ecs/requirements" }, { - "title": "Installation with Terraform", - "path": "ecs/install" + "title": "Install with Terraform", + "routes": [ + { + "title": "Installation", + "path": "ecs/terraform/install" + }, + { + "title": "Secure Configuration", + "path": "ecs/terraform/secure-configuration" + }, + { + "title": "Migrate Existing Tasks", + "path": "ecs/terraform/migrate-existing-tasks" + } + ] }, { - "title": "Production Installation", - "path": "ecs/production-installation" - }, - { - "title": "Migrate Existing Tasks", - "path": "ecs/migrate-existing-tasks" + "title": "Install Manually", + "routes": [ + { + "title": "Installation", + "path": "ecs/manual/install" + }, + { + "title": "Secure Configuration", + "path": "ecs/manual/secure-configuration" + }, + { + "title": "ACL Controller", + "path": "ecs/manual/acl-controller" + } + ] }, { "title": "Architecture", @@ -630,10 +652,6 @@ { "title": "Consul Enterprise", "path": "ecs/enterprise" - }, - { - "title": "Manual Installation", - "path": "ecs/manual-installation" } ] },