diff --git a/.changelog/13782.txt b/.changelog/13782.txt
new file mode 100644
index 0000000000..1c426e29fc
--- /dev/null
+++ b/.changelog/13782.txt
@@ -0,0 +1,3 @@
+```release-note:feature
+deps: update to latest go-discover to provide ECS auto-discover capabilities.
+```
\ No newline at end of file
diff --git a/go.mod b/go.mod
index fc759226ea..75c3c43ed7 100644
--- a/go.mod
+++ b/go.mod
@@ -40,7 +40,7 @@ require (
 github.com/hashicorp/go-checkpoint v0.5.0
 github.com/hashicorp/go-cleanhttp v0.5.1
 github.com/hashicorp/go-connlimit v0.3.0
- github.com/hashicorp/go-discover v0.0.0-20220411141802-20db45f7f0f9
+ github.com/hashicorp/go-discover v0.0.0-20220714221025-1c234a67149a
 github.com/hashicorp/go-hclog v1.2.1
 github.com/hashicorp/go-immutable-radix v1.3.0
 github.com/hashicorp/go-memdb v1.3.4
diff --git a/go.sum b/go.sum
index cfcbfe8ae4..a4c25106da 100644
--- a/go.sum
+++ b/go.sum
@@ -469,8 +469,8 @@ github.com/hashicorp/go-cleanhttp v0.5.1 h1:dH3aiDG9Jvb5r5+bYHsikaOUIpcM0xvgMXVo
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-connlimit v0.3.0 h1:oAojHGjFxUTTTA8c5XXnDqWJ2HLuWbDiBPTpWvNzvqM=
 github.com/hashicorp/go-connlimit v0.3.0/go.mod h1:OUj9FGL1tPIhl/2RCfzYHrIiWj+VVPGNyVPnUX8AqS0=
-github.com/hashicorp/go-discover v0.0.0-20220411141802-20db45f7f0f9 h1:2GsEkBZf1q4LKZjtd4cO+V0xd85xGCMolX3ebC2+xd4=
-github.com/hashicorp/go-discover v0.0.0-20220411141802-20db45f7f0f9/go.mod h1:1xfdKvc3pe5WKxfUUHHOGaKMk7NLGhHY1jkyhKo6098=
+github.com/hashicorp/go-discover v0.0.0-20220714221025-1c234a67149a h1:xeDSq/xo0CfnSZnPUkNH/00Qy8Q8ySJW0Ij2u/pH680=
+github.com/hashicorp/go-discover v0.0.0-20220714221025-1c234a67149a/go.mod h1:1xfdKvc3pe5WKxfUUHHOGaKMk7NLGhHY1jkyhKo6098=
 github.com/hashicorp/go-hclog v0.0.0-20180709165350-ff2cf002a8dd/go.mod h1:9bjs9uLqI8l75knNv3lV1kA55veR+WUPSiKIWcQHudI=
 github.com/hashicorp/go-hclog v0.9.1/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
 github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
diff --git a/website/content/docs/install/cloud-auto-join.mdx b/website/content/docs/install/cloud-auto-join.mdx
index 006e3114c3..efc0239960 100644
--- a/website/content/docs/install/cloud-auto-join.mdx
+++ b/website/content/docs/install/cloud-auto-join.mdx
@@ -106,7 +106,7 @@ In order to use discovery behind a proxy, you will need to set
 The following sections give the options specific to each supported cloud provider.
-### Amazon EC2
+### Amazon EC2 and ECS
 This returns the first private IP address of all servers in the given region which have the given `tag_key` and `tag_value`.
@@ -128,6 +128,10 @@ $ consul agent -retry-join "provider=aws tag_key=... tag_value=..."
 - `addr_type` (optional) - the type of address to discover: `private_v4`, `public_v4`, `public_v6`. Default is `private_v4`. (>= 1.0)
 - `access_key_id` (optional) - the AWS access key for authentication (see below for more information about authenticating).
 - `secret_access_key` (optional) - the AWS secret access key for authentication (see below for more information about authenticating).
+- `service` (optional) - String value that specifies which AWS service to filter. You can specify either `ec2` or `ecs`. Default is `ec2`.
+- `ecs_cluster` (optional) - String value that limits searches to a specific AWS ECS cluster name or full ARN. By default, Consul searches all clusters with the specified tag values.
+- `ecs_family` (optional) - String value limits searches to a AWS ECS task definition family. By default, Consul searches all task definition families with the specified tags.
+- `endpoint` (optional) - String value that specifies the endpoint URL of the AWS service to use. If not set, the AWS client sets the value, which defaults to the public DNS name for the service in the specified region.
 #### Authentication & Precedence
@@ -137,12 +141,19 @@ $ consul agent -retry-join "provider=aws tag_key=... tag_value=..."
 - ECS task role metadata (container-specific).
 - EC2 instance role metadata.
-The only required IAM permission is `ec2:DescribeInstances`, and it is
-recommended that you make a dedicated key used only to auto-join the datacenter. If the
-region is omitted it will be discovered through the local instance's [EC2
-metadata
+The only IAM permission required for discovering EC2 consul-servers is `ec2:DescribeInstances`.
+We recommend that you make a dedicated key used only to auto-join the datacenter.
+If the region is omitted it will be discovered through the local instance's [EC2 metadata
 endpoint](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html).
+The AWS ECS task role associated with the service attempting to discover the `consul-server` must have the following IAM permissions:
+- `ecs:ListClusters` (only used when `ecs_cluster` is not provided)
+- `ecs:ListServices` (only used when `ecs_cluster` is not provided)
+- `ecs:DescribeServices` (only used when `ecs_cluster` is not provided)
+- `ecs:ListTasks`
+- `ecs:DescribeTasks`
+If the region is omitted from the configuration, Consul obtains it from the local instance's [ECS V4 metadata endpoint](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-metadata-endpoint-v4.html).
+
 ### Microsoft Azure
 This returns the first private IP address of all servers in the given region