mirror of
https://github.com/status-im/consul.git
synced 2025-01-11 06:16:08 +00:00
Merge pull request #11033 from hashicorp/consul-ecs-beta-docs
updates to ECS docs per beta release
This commit is contained in:
commit
2604719ce6
@ -11,8 +11,6 @@ Installing Consul on ECS is a multi-part process:
|
|||||||
|
|
||||||
1. [**Terraform:**](#terraform) Your tasks must be specified in Terraform using [`ecs_task_definition`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition)
|
1. [**Terraform:**](#terraform) Your tasks must be specified in Terraform using [`ecs_task_definition`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition)
|
||||||
and [`ecs_service`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) resources.
|
and [`ecs_service`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) resources.
|
||||||
1. [**Consul Server:**](#consul-server) You must deploy the Consul server onto the cluster using the [`dev-server` module](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/dev-server).
|
|
||||||
1. [**Task IAM Role:**](#task-iam-role) Modify task IAM role to add `ecs:ListTasks` and `ecs:DescribeTasks` permissions.
|
|
||||||
1. [**Task Module:**](#task-module) You can then take your `ecs_task_definition` resources and copy their configuration into a new [`mesh-task` module](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/mesh-task)
|
1. [**Task Module:**](#task-module) You can then take your `ecs_task_definition` resources and copy their configuration into a new [`mesh-task` module](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/mesh-task)
|
||||||
resource that will add the necessary containers to the task definition.
|
resource that will add the necessary containers to the task definition.
|
||||||
1. [**Routing:**](#routing) With your tasks as part of the mesh, you must specify their upstream
|
1. [**Routing:**](#routing) With your tasks as part of the mesh, you must specify their upstream
|
||||||
@ -39,8 +37,6 @@ resource "aws_ecs_task_definition" "my_task" {
|
|||||||
network_mode = "awsvpc"
|
network_mode = "awsvpc"
|
||||||
cpu = 256
|
cpu = 256
|
||||||
memory = 512
|
memory = 512
|
||||||
execution_role_arn = "arn:aws:iam::111111111111:role/execution-role"
|
|
||||||
task_role_arn = "arn:aws:iam::111111111111:role/task-role"
|
|
||||||
container_definitions = jsonencode(
|
container_definitions = jsonencode(
|
||||||
[{
|
[{
|
||||||
name = "example-client-app"
|
name = "example-client-app"
|
||||||
@ -72,136 +68,6 @@ resource "aws_ecs_service" "my_task" {
|
|||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
## Consul Server
|
|
||||||
|
|
||||||
With your tasks defined in Terraform, you're ready to run the Consul server
|
|
||||||
on ECS.
|
|
||||||
|
|
||||||
-> **NOTE:** This is a development-only Consul server. It has no persistent
|
|
||||||
storage and so will lose any data when it restarts. This should only be
|
|
||||||
used for test workloads. In the future, we will support Consul servers
|
|
||||||
running in HashiCorp Cloud Platform and on EC2 VMs for production workloads.
|
|
||||||
|
|
||||||
In order to deploy the Consul server, use the `dev-server` module:
|
|
||||||
|
|
||||||
```hcl
|
|
||||||
module "dev_consul_server" {
|
|
||||||
source = "hashicorp/consul/aws-ecs//modules/dev-server"
|
|
||||||
version = "<latest version>"
|
|
||||||
|
|
||||||
ecs_cluster_arn = var.ecs_cluster_arn
|
|
||||||
subnet_ids = var.subnet_ids
|
|
||||||
lb_vpc_id = var.vpc_id
|
|
||||||
load_balancer_enabled = true
|
|
||||||
lb_subnets = var.lb_subnet_ids
|
|
||||||
lb_ingress_rule_cidr_blocks = var.lb_ingress_rule_cidr_blocks
|
|
||||||
log_configuration = {
|
|
||||||
logDriver = "awslogs"
|
|
||||||
options = {
|
|
||||||
awslogs-group = aws_cloudwatch_log_group.log_group.name
|
|
||||||
awslogs-region = var.region
|
|
||||||
awslogs-stream-prefix = "consul-server"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
data "aws_security_group" "vpc_default" {
|
|
||||||
name = "default"
|
|
||||||
vpc_id = var.vpc_id
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "aws_security_group_rule" "ingress_from_server_alb_to_ecs" {
|
|
||||||
type = "ingress"
|
|
||||||
from_port = 8500
|
|
||||||
to_port = 8500
|
|
||||||
protocol = "tcp"
|
|
||||||
source_security_group_id = module.dev_consul_server.lb_security_group_id
|
|
||||||
security_group_id = data.aws_security_group.vpc_default.id
|
|
||||||
}
|
|
||||||
|
|
||||||
output "consul_server_url" {
|
|
||||||
value = "http://${module.dev_consul_server.lb_dns_name}:8500"
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
-> **NOTE:** The documentation for all possible inputs can be found in the [module reference
|
|
||||||
docs](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/dev-server?tab=inputs).
|
|
||||||
|
|
||||||
The example code above will create a Consul server ECS task and Application Load
|
|
||||||
Balancer for the Consul UI. You can then use the output `consul_server_url` as
|
|
||||||
the URL to the Consul server.
|
|
||||||
|
|
||||||
## Task IAM Role
|
|
||||||
|
|
||||||
Your tasks must have an IAM role that allows them to list and describe
|
|
||||||
other tasks. This is required in order for the tasks to find the IP
|
|
||||||
address of the Consul server.
|
|
||||||
|
|
||||||
The specific permissions needed are:
|
|
||||||
|
|
||||||
1. `ecs:ListTasks` on resource `*`.
|
|
||||||
1. `ecs:DescribeTasks` on all tasks in this account and region. You can either
|
|
||||||
use `*` for simplicity or scope it to the region and account, e.g. `arn:aws:ecs:us-east-1:1111111111111:task/*`. If
|
|
||||||
your account is configured to use the new, [longer ECS task ARN format](https://docs.aws.amazon.com/AmazonECS/latest/userguide/ecs-account-settings.html#ecs-resource-ids)
|
|
||||||
then you can further scope `ecs:DescribeTasks` down to tasks in a specific cluster, e.g. `arn:aws:ecs:us-east-1:1111111111111:task/MY_CLUSTER_NAME/*`.
|
|
||||||
|
|
||||||
The IAM role's ARN will be passed into the `mesh-task` module in the next step
|
|
||||||
via the `task_role_arn` input.
|
|
||||||
|
|
||||||
-> **NOTE:** There are two IAM roles needed by ECS Tasks: Execution roles and
|
|
||||||
Task roles. Here we are referring to the Task role, not the Execution role.
|
|
||||||
The Execution role is used by ECS itself whereas the Task role defines the
|
|
||||||
permissions for the containers running in the task.
|
|
||||||
|
|
||||||
Terraform for creating the IAM role might look like:
|
|
||||||
|
|
||||||
```hcl
|
|
||||||
data "aws_caller_identity" "this" {}
|
|
||||||
|
|
||||||
resource "aws_iam_role" "this_task" {
|
|
||||||
name = "this_task"
|
|
||||||
assume_role_policy = jsonencode({
|
|
||||||
Version = "2012-10-17"
|
|
||||||
Statement = [
|
|
||||||
{
|
|
||||||
Action = "sts:AssumeRole"
|
|
||||||
Effect = "Allow"
|
|
||||||
Sid = ""
|
|
||||||
Principal = {
|
|
||||||
Service = "ecs-tasks.amazonaws.com"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
]
|
|
||||||
})
|
|
||||||
|
|
||||||
inline_policy {
|
|
||||||
name = "this_task"
|
|
||||||
policy = jsonencode({
|
|
||||||
Version = "2012-10-17"
|
|
||||||
Statement = [
|
|
||||||
{
|
|
||||||
Effect = "Allow"
|
|
||||||
Action = [
|
|
||||||
"ecs:ListTasks",
|
|
||||||
]
|
|
||||||
Resource = "*"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
Effect = "Allow"
|
|
||||||
Action = [
|
|
||||||
"ecs:DescribeTasks"
|
|
||||||
]
|
|
||||||
Resource = [
|
|
||||||
"arn:aws:ecs:${var.region}:${data.aws_caller_identity.this.account_id}:task/*",
|
|
||||||
]
|
|
||||||
}
|
|
||||||
]
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
```
|
|
||||||
|
|
||||||
## Task Module
|
## Task Module
|
||||||
|
|
||||||
In order to add the necessary sidecar containers for your task to join the mesh,
|
In order to add the necessary sidecar containers for your task to join the mesh,
|
||||||
@ -218,8 +84,6 @@ module "my_task" {
|
|||||||
version = "<latest version>"
|
version = "<latest version>"
|
||||||
|
|
||||||
family = "my_task"
|
family = "my_task"
|
||||||
execution_role_arn = "arn:aws:iam::111111111111:role/execution-role"
|
|
||||||
task_role_arn = "arn:aws:iam::111111111111:role/task-role"
|
|
||||||
container_definitions = [
|
container_definitions = [
|
||||||
{
|
{
|
||||||
name = "example-client-app"
|
name = "example-client-app"
|
||||||
@ -239,7 +103,7 @@ module "my_task" {
|
|||||||
]
|
]
|
||||||
|
|
||||||
port = "9090"
|
port = "9090"
|
||||||
consul_server_service_name = module.dev_consul_server.ecs_service_name
|
retry_join = "<address of the Consul server>"
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -7,16 +7,10 @@ description: >-
|
|||||||
|
|
||||||
# Requirements
|
# Requirements
|
||||||
|
|
||||||
Currently, the following requirements must be met in order to install Consul on ECS:
|
The following requirements must be met in order to install Consul on ECS:
|
||||||
|
|
||||||
1. **Terraform:** The tasks that you want to add to the service mesh must first be modeled in Terraform.
|
1. **Terraform:** The tasks that you want to add to the service mesh must first be modeled in Terraform.
|
||||||
1. **Launch Type:** Only the Fargate launch type is currently supported.
|
1. **Launch Type:** Fargate and EC2 launch types are supported.
|
||||||
1. **Subnets:** ECS Tasks can run in private or public subnets. Tasks must have [network access](https://aws.amazon.com/premiumsupport/knowledge-center/ecs-pull-container-api-error-ecr/) to Amazon ECR to pull images.
|
1. **Subnets:** ECS Tasks can run in private or public subnets. Tasks must have [network access](https://aws.amazon.com/premiumsupport/knowledge-center/ecs-pull-container-api-error-ecr/) to Amazon ECR or other public container registries to pull images.
|
||||||
1. **Consul Servers:** Currently, Consul servers must run inside ECS on Fargate using the `dev-server` Terraform module. This is a development/testing only server that does not support persistent storage. In the future, we will support production-ready Consul servers running in HashiCorp Cloud Platform and on EC2 VMs.
|
1. **Consul Servers:** You can use your own Consul servers (VM) or use HCP Consul. For development purposes or testing, you may use the `dev-server` [Terraform module](https://github.com/hashicorp/terraform-aws-consul-ecs/tree/main). The `dev-server` does not support persistent storage.
|
||||||
|
1. **ACL Controller:** If you are running a secure Consul installation, configure the ACL controller.
|
||||||
## Future Improvements
|
|
||||||
|
|
||||||
- Support EC2 launch type.
|
|
||||||
- Support production-ready Consul servers running outside of ECS in HashiCorp Cloud Platform or EC2.
|
|
||||||
- Support Consul TLS, ACLs, and Gossip Encryption.
|
|
||||||
- Support Consul service health checks.
|
|
||||||
|
@ -8,8 +8,8 @@ description: >-
|
|||||||
|
|
||||||
# AWS ECS
|
# AWS ECS
|
||||||
|
|
||||||
-> **Tech Preview:** This functionality is currently in Tech Preview and is
|
-> **Beta:** This functionality is currently in beta and is
|
||||||
not yet ready for production use.
|
not recommended for use in production environments. Refer to the [consul-ecs-project road map](https://github.com/hashicorp/consul-ecs/projects/1) for information about upcoming features and enhancements.
|
||||||
|
|
||||||
Consul can be deployed on [AWS ECS](https://aws.amazon.com/ecs/) (Elastic Container Service) using our official
|
Consul can be deployed on [AWS ECS](https://aws.amazon.com/ecs/) (Elastic Container Service) using our official
|
||||||
Terraform modules.
|
Terraform modules.
|
||||||
|
@ -556,7 +556,7 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"title": "AWS ECS <sup>Tech Preview</sup>",
|
"title": "AWS ECS <sup>BETA</sup>",
|
||||||
"routes": [
|
"routes": [
|
||||||
{
|
{
|
||||||
"title": "Overview",
|
"title": "Overview",
|
||||||
|
Loading…
x
Reference in New Issue
Block a user