diff --git a/website/content/docs/ecs/get-started/install.mdx b/website/content/docs/ecs/get-started/install.mdx index 7cc30e5525..bd860ed7b1 100644 --- a/website/content/docs/ecs/get-started/install.mdx +++ b/website/content/docs/ecs/get-started/install.mdx @@ -11,8 +11,6 @@ Installing Consul on ECS is a multi-part process: 1. [**Terraform:**](#terraform) Your tasks must be specified in Terraform using [`ecs_task_definition`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) and [`ecs_service`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) resources. -1. [**Consul Server:**](#consul-server) You must deploy the Consul server onto the cluster using the [`dev-server` module](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/dev-server). -1. [**Task IAM Role:**](#task-iam-role) Modify task IAM role to add `ecs:ListTasks` and `ecs:DescribeTasks` permissions. 1. [**Task Module:**](#task-module) You can then take your `ecs_task_definition` resources and copy their configuration into a new [`mesh-task` module](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/mesh-task) resource that will add the necessary containers to the task definition. 1. [**Routing:**](#routing) With your tasks as part of the mesh, you must specify their upstream @@ -72,136 +70,6 @@ resource "aws_ecs_service" "my_task" { } ``` -## Consul Server - -With your tasks defined in Terraform, you're ready to run the Consul server -on ECS. - --> **NOTE:** This is a development-only Consul server. It has no persistent -storage and so will lose any data when it restarts. This should only be -used for test workloads. In the future, we will support Consul servers -running in HashiCorp Cloud Platform and on EC2 VMs for production workloads. - -In order to deploy the Consul server, use the `dev-server` module: - -```hcl -module "dev_consul_server" { - source = "hashicorp/consul/aws-ecs//modules/dev-server" - version = "" - - ecs_cluster_arn = var.ecs_cluster_arn - subnet_ids = var.subnet_ids - lb_vpc_id = var.vpc_id - load_balancer_enabled = true - lb_subnets = var.lb_subnet_ids - lb_ingress_rule_cidr_blocks = var.lb_ingress_rule_cidr_blocks - log_configuration = { - logDriver = "awslogs" - options = { - awslogs-group = aws_cloudwatch_log_group.log_group.name - awslogs-region = var.region - awslogs-stream-prefix = "consul-server" - } - } -} - -data "aws_security_group" "vpc_default" { - name = "default" - vpc_id = var.vpc_id -} - -resource "aws_security_group_rule" "ingress_from_server_alb_to_ecs" { - type = "ingress" - from_port = 8500 - to_port = 8500 - protocol = "tcp" - source_security_group_id = module.dev_consul_server.lb_security_group_id - security_group_id = data.aws_security_group.vpc_default.id -} - -output "consul_server_url" { - value = "http://${module.dev_consul_server.lb_dns_name}:8500" -} -``` - --> **NOTE:** The documentation for all possible inputs can be found in the [module reference -docs](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/dev-server?tab=inputs). - -The example code above will create a Consul server ECS task and Application Load -Balancer for the Consul UI. You can then use the output `consul_server_url` as -the URL to the Consul server. - -## Task IAM Role - -Your tasks must have an IAM role that allows them to list and describe -other tasks. This is required in order for the tasks to find the IP -address of the Consul server. - -The specific permissions needed are: - -1. `ecs:ListTasks` on resource `*`. -1. `ecs:DescribeTasks` on all tasks in this account and region. You can either - use `*` for simplicity or scope it to the region and account, e.g. `arn:aws:ecs:us-east-1:1111111111111:task/*`. If - your account is configured to use the new, [longer ECS task ARN format](https://docs.aws.amazon.com/AmazonECS/latest/userguide/ecs-account-settings.html#ecs-resource-ids) - then you can further scope `ecs:DescribeTasks` down to tasks in a specific cluster, e.g. `arn:aws:ecs:us-east-1:1111111111111:task/MY_CLUSTER_NAME/*`. - -The IAM role's ARN will be passed into the `mesh-task` module in the next step -via the `task_role_arn` input. - --> **NOTE:** There are two IAM roles needed by ECS Tasks: Execution roles and -Task roles. Here we are referring to the Task role, not the Execution role. -The Execution role is used by ECS itself whereas the Task role defines the -permissions for the containers running in the task. - -Terraform for creating the IAM role might look like: - -```hcl -data "aws_caller_identity" "this" {} - -resource "aws_iam_role" "this_task" { - name = "this_task" - assume_role_policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = "sts:AssumeRole" - Effect = "Allow" - Sid = "" - Principal = { - Service = "ecs-tasks.amazonaws.com" - } - }, - ] - }) - - inline_policy { - name = "this_task" - policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Effect = "Allow" - Action = [ - "ecs:ListTasks", - ] - Resource = "*" - }, - { - Effect = "Allow" - Action = [ - "ecs:DescribeTasks" - ] - Resource = [ - "arn:aws:ecs:${var.region}:${data.aws_caller_identity.this.account_id}:task/*", - ] - } - ] - }) - } -} - -``` - ## Task Module In order to add the necessary sidecar containers for your task to join the mesh, diff --git a/website/content/docs/ecs/get-started/requirements.mdx b/website/content/docs/ecs/get-started/requirements.mdx index eae69f257d..33f1ab4591 100644 --- a/website/content/docs/ecs/get-started/requirements.mdx +++ b/website/content/docs/ecs/get-started/requirements.mdx @@ -7,16 +7,10 @@ description: >- # Requirements -Currently, the following requirements must be met in order to install Consul on ECS: +The following requirements must be met in order to install Consul on ECS: 1. **Terraform:** The tasks that you want to add to the service mesh must first be modeled in Terraform. -1. **Launch Type:** Only the Fargate launch type is currently supported. +1. **Launch Type:** Fargate and EC2 launch types are supported. 1. **Subnets:** ECS Tasks can run in private or public subnets. Tasks must have [network access](https://aws.amazon.com/premiumsupport/knowledge-center/ecs-pull-container-api-error-ecr/) to Amazon ECR to pull images. -1. **Consul Servers:** Currently, Consul servers must run inside ECS on Fargate using the `dev-server` Terraform module. This is a development/testing only server that does not support persistent storage. In the future, we will support production-ready Consul servers running in HashiCorp Cloud Platform and on EC2 VMs. - -## Future Improvements - -- Support EC2 launch type. -- Support production-ready Consul servers running outside of ECS in HashiCorp Cloud Platform or EC2. -- Support Consul TLS, ACLs, and Gossip Encryption. -- Support Consul service health checks. +1. **Consul Servers:** You can use your own Consul servers or run servers inside ECS on Fargate using the `dev-server` Terraform module. The is a development/testing only server that does not support persistent storage. +1. **ACL Controller:** If you are running a secure Consul installation, configure the ACL controller. diff --git a/website/content/docs/ecs/index.mdx b/website/content/docs/ecs/index.mdx index e3518beb3e..67c20c589f 100644 --- a/website/content/docs/ecs/index.mdx +++ b/website/content/docs/ecs/index.mdx @@ -8,8 +8,8 @@ description: >- # AWS ECS --> **Tech Preview:** This functionality is currently in Tech Preview and is -not yet ready for production use. +-> **Beta:** This functionality is currently in beta and is +not recommended for use in production environments. Refer to the [consul-ecs-project road map](https://github.com/hashicorp/consul-ecs/projects/1) for information about upcoming features and enhancements. Consul can be deployed on [AWS ECS](https://aws.amazon.com/ecs/) (Elastic Container Service) using our official Terraform modules. diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index 5b27cffc1f..15838d9da8 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -556,7 +556,7 @@ ] }, { - "title": "AWS ECS Tech Preview", + "title": "AWS ECS BETA", "routes": [ { "title": "Overview",