mirror of https://github.com/status-im/consul.git
---
layout: docs
page_title: Secure Configuration - AWS ECS
description: >-
  Secure Configuration of the Consul Service Mesh on AWS ECS (Elastic Container Service) with Terraform.
---

# Secure Configuration

This topic describes how to enable Consul security features for your production workloads. The following overview describes the process:

1. Enable the security features on your Consul server cluster per the [Prerequisites](#prerequisites).
1. Deploy the ACL controller.
1. Deploy your services.

## Prerequisites

Implement the following configurations before proceeding:

1. [TLS encryption](/docs/security/encryption#rpc-encryption-with-tls) for RPC communication between Consul clients and servers.
1. [Gossip encryption](/docs/security/encryption#gossip-encryption) for encrypting gossip traffic.
1. [Access control lists (ACLs)](/docs/security/acl) for authentication and authorization for Consul clients and services on the mesh.

## Deploy the ACL controller

Before deploying your service, you will need to deploy the [ACL controller](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/acl-controller) so that it can provision the necessary tokens
for tasks on the service mesh. To learn more about the ACL controller, see [Automatic ACL Token Provisioning](/docs/ecs/architecture#automatic-acl-token-provisioning).

To deploy the controller, you will first need to store two values in AWS Secrets Manager: an ACL token with `acl:write` and `operator:write` privileges,
and the CA certificate for the Consul server's HTTPS endpoint.

```hcl
resource "aws_secretsmanager_secret" "bootstrap_token" {
  name = "bootstrap-token"
}

resource "aws_secretsmanager_secret_version" "bootstrap_token" {
  secret_id     = aws_secretsmanager_secret.bootstrap_token.id
  secret_string = "<bootstrap token>"
}

resource "aws_secretsmanager_secret" "ca_cert" {
  name = "server-ca-cert"
}

resource "aws_secretsmanager_secret_version" "ca_cert" {
  secret_id     = aws_secretsmanager_secret.ca_cert.id
  secret_string = "<CA certificate for the Consul server's HTTPS endpoint>"
}
```

Use the [`acl-controller` Terraform module](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/acl-controller?tab=inputs) to deploy the controller:

```hcl
module "acl_controller" {
  source                            = "hashicorp/consul/aws-ecs//modules/acl-controller"
  consul_bootstrap_token_secret_arn = aws_secretsmanager_secret.bootstrap_token.arn
  consul_server_http_addr           = "https://consul-server.example.com:8501"
  consul_server_ca_cert_arn         = aws_secretsmanager_secret.ca_cert.arn
  ecs_cluster_arn                   = "arn:aws:ecs:my-region:111111111111:cluster/consul-ecs"
  region                            = "my-region"
  subnets                           = ["subnet-abcdef123456789"]
  name_prefix                       = "consul-ecs"
}
```

The `name_prefix` parameter is used to prefix any secrets that the ACL controller will
update in AWS Secrets Manager. The `name_prefix` parameter value must be unique for each ECS cluster where you are deploying this controller.

## Deploy your services

Follow the instructions described in [Create a task definition](/docs/ecs/terraform/install#create-the-task-definition) to create the basic configuration for the task module. Add the following additional configurations to make the configuration production-ready.

### Create an AWS Secrets Manager secret

The secret stores the gossip encryption key that the Consul clients will use.

<CodeBlock>

```hcl
resource "aws_secretsmanager_secret" "gossip_key" {
  name = "gossip-encryption-key"
}

resource "aws_secretsmanager_secret_version" "gossip_key" {
  secret_id     = aws_secretsmanager_secret.gossip_key.id
  secret_string = "<Gossip encryption key>"
}
```

</CodeBlock>

### Enable secure deployment

Add the following configurations to enable secure deployment. The `acl_secret_name_prefix`
should be the same as the `name_prefix` you provide to the ACL controller module.

```hcl
module "my_task" {
  source = "hashicorp/consul/aws-ecs//modules/mesh-task"
  family = "my_task"

  ...

  tls                       = true
  consul_server_ca_cert_arn = aws_secretsmanager_secret.ca_cert.arn
  gossip_key_secret_arn     = aws_secretsmanager_secret.gossip_key.arn

  acls                           = true
  consul_client_token_secret_arn = module.acl_controller.client_token_secret_arn
  acl_secret_name_prefix         = "consul-ecs"
}
```
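The `acl_secret_name_prefix` / `name_prefix` coupling and the per-cluster uniqueness rule above are easy to break when several task modules and clusters share one Terraform tree. The following pre-deploy lint is an added example, not part of the Consul documentation or the consul-ecs modules: it parses flat `module` blocks from a Terraform file and flags a mesh-task whose prefix matches no ACL controller, whose `tls`/`acls` flags are not `true`, or whose secret ARNs are missing. The sample Terraform string is constructed from this page's snippets (a regex parser that only handles un-nested module blocks is an assumption of the example).

```python
import re

# Constructed sample: the ACL controller and mesh-task modules from this page, joined into one file.
SAMPLE_TF = '''
module "acl_controller" {
  source = "hashicorp/consul/aws-ecs//modules/acl-controller"
  ecs_cluster_arn = "arn:aws:ecs:my-region:111111111111:cluster/consul-ecs"
  name_prefix = "consul-ecs"
}
module "my_task" {
  source = "hashicorp/consul/aws-ecs//modules/mesh-task"
  tls = true
  consul_server_ca_cert_arn = aws_secretsmanager_secret.ca_cert.arn
  gossip_key_secret_arn = aws_secretsmanager_secret.gossip_key.arn
  acls = true
  consul_client_token_secret_arn = module.acl_controller.client_token_secret_arn
  acl_secret_name_prefix = "consul-ecs"
}
'''
MODULE_RE = re.compile(r'module\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
REQUIRED = ("consul_server_ca_cert_arn", "gossip_key_secret_arn", "consul_client_token_secret_arn")

def parse_modules(tf):  # module name -> {attribute: value}; handles flat (un-nested) module blocks only
    modules = {}
    for m in MODULE_RE.finditer(tf):
        depth, i = 1, m.end()
        while depth and i < len(tf):  # walk forward to the brace that closes this block
            depth += {"{": 1, "}": -1}.get(tf[i], 0)
            i += 1
        attrs = (ATTR_RE.match(line) for line in tf[m.end():i - 1].splitlines())
        modules[m.group(1)] = {a.group(1): a.group(2).strip('"') for a in attrs if a}
    return modules

def lint(tf):  # findings where a mesh-task's secure settings do not line up with an ACL controller
    mods = parse_modules(tf)
    src = lambda a: a.get("source", "")
    prefixes = [a.get("name_prefix") for a in mods.values() if src(a).endswith("acl-controller")]
    findings = []
    if len(set(prefixes)) != len(prefixes):  # one controller per cluster, each with its own prefix
        findings.append("acl-controller: name_prefix values are not unique")
    for name, a in mods.items():
        if not src(a).endswith("mesh-task"):
            continue
        findings += [f"{name}: {f} is not true" for f in ("tls", "acls") if a.get(f) != "true"]
        findings += [f"{name}: {k} is missing" for k in REQUIRED if not a.get(k)]
        if a.get("acl_secret_name_prefix") not in prefixes:
            findings.append(f"{name}: acl_secret_name_prefix matches no controller name_prefix")
    return findings
```

Run `lint()` over the concatenated `.tf` files of a tree in CI; an empty list means every mesh-task is wired to a controller with matching prefix and has TLS, gossip encryption and ACLs configured.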

Complete the following steps described in the Installation with Terraform chapter to deploy and connect your services:

1. [Run Terraform](/docs/ecs/terraform/install#run-terraform)
1. [Configure routes](/docs/ecs/terraform/install#configure-routes)
1. [Configure the bind address](/docs/ecs/terraform/install#configure-the-bind-address)