aws-ia / ecs-blueprints Goto Github PK

Is your feature request related to a problem? Please describe

We should provide an easy way for users to change creation specifications like Region name, vpc cidr.. by providing variables with sane default

also the core-infra by default creation name is not meaningful enough, maybe have a default to ecs-blueprint-code-infra ?

Is your feature request related to a problem? Please describe

Today the examples for ECS/EC2 utilize AL2. This would create an example that uses Bottlerocket

Describe the solution you'd like

The ability to provision an ECS Cluster and corresponding data plane using BR.

Description

Please provide a clear and concise description of the issue you are encountering, and a reproduction of your configuration (see the examples/* directory for references that you can copy+paste and tailor to match your configs if you are unable to copy your exact configuration). The reproduction MUST be executable by running terraform init && terraform apply without any further changes.

If your request is for a new feature, please use the Feature request template.

• ✋ I have searched the open/closed issues and my issue is not listed.

⚠️ Note

Before you submit an issue, please perform the following first:

1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
2. Re-initialize the project root to pull down modules: terraform init
3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

• Module version [Required]: there is no tag yet, however this is the commit: b317923

• Terraform version: Terraform v1.4.0 on darwin_arm64

• Provider version(s): provider registry.terraform.io/hashicorp/aws v4.58.0

Reproduction Code [Required]

Steps to reproduce the behavior:

Expected behavior

The command cp terraform.tfvars.example terraform.tfvars to work

Actual behavior

cd ecs-blueprints/examples/core-infra/

terraform init

cp terraform.tfvars.example terraform.tfvars
# exit code 1

Terminal Output Screenshot(s)

cd ecs-blueprints/examples/core-infra
terraform init

cp terraform.tfvars.example terraform.tfvars
cp: terraform.tfvars.example: No such file or directory

Additional context

the only terraform.tfvars.example I found was in the backstage folder

Description

Tried deploying the terraform/backstage example and received the following 2 errors:

│ Error: creating RDS Cluster (backstage-db): DBSubnetGroupNotFoundFault: DB subnet group 'backstage-db' does not exist.
│       status code: 404, request id: 3e1d882a-5a14-45f2-ad01-17bff9f33a03
│ 
│   with module.aurora_postgresdb.aws_rds_cluster.this[0],
│   on .terraform/modules/aurora_postgresdb/main.tf line 39, in resource "aws_rds_cluster" "this":
│   39: resource "aws_rds_cluster" "this" {
│ 
╵
╷
│ Error: creating S3 Bucket (codepipeline-us-east-1-20240416185721255000000008) ACL: operation error S3: PutBucketAcl, https response error StatusCode: 400, RequestID: X33SEHZFNBEKADPK, HostID: +ucmEDDvw5gcnspNZlPlSTcZaua4WnMFeR+gm8b9o8J6T8ZNRotiDLoVLJGyn1TlqEJ9SD1BoRc=, api error AccessControlListNotSupported: The bucket does not allow ACLs
│ 
│   with module.codepipeline_s3_bucket.aws_s3_bucket_acl.this[0],
│   on .terraform/modules/codepipeline_s3_bucket/main.tf line 45, in resource "aws_s3_bucket_acl" "this":
│   45: resource "aws_s3_bucket_acl" "this" {

If your request is for a new feature, please use the Feature request template.

• ✋ I have searched the open/closed issues and my issue is not listed.

⚠️ Note

Before you submit an issue, please perform the following first:

1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
2. Re-initialize the project root to pull down modules: terraform init
3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

• Module version [Required]:

• Terraform version:

• Provider version(s):

Terraform v1.8.0
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v5.45.0
+ provider registry.terraform.io/hashicorp/random v3.6.1

Reproduction Code [Required]

terraform/fargate-examples/backstage

Steps to reproduce the behavior:

Expected behavior

complete successfully

Actual behavior

│ Error: creating RDS Cluster (backstage-db): DBSubnetGroupNotFoundFault: DB subnet group 'backstage-db' does not exist.
│       status code: 404, request id: 3e1d882a-5a14-45f2-ad01-17bff9f33a03
│ 
│   with module.aurora_postgresdb.aws_rds_cluster.this[0],
│   on .terraform/modules/aurora_postgresdb/main.tf line 39, in resource "aws_rds_cluster" "this":
│   39: resource "aws_rds_cluster" "this" {
│ 
╵
╷
│ Error: creating S3 Bucket (codepipeline-us-east-1-20240416185721255000000008) ACL: operation error S3: PutBucketAcl, https response error StatusCode: 400, RequestID: X33SEHZFNBEKADPK, HostID: +ucmEDDvw5gcnspNZlPlSTcZaua4WnMFeR+gm8b9o8J6T8ZNRotiDLoVLJGyn1TlqEJ9SD1BoRc=, api error AccessControlListNotSupported: The bucket does not allow ACLs
│ 
│   with module.codepipeline_s3_bucket.aws_s3_bucket_acl.this[0],
│   on .terraform/modules/codepipeline_s3_bucket/main.tf line 45, in resource "aws_s3_bucket_acl" "this":
│   45: resource "aws_s3_bucket_acl" "this" {

Terminal Output Screenshot(s)

Additional context

Is your feature request related to a problem? Please describe

ECS Blueprints for CDK(Python) uses distutils.util.strtobool and this package is to be removed in Python 3.12.

Describe the solution you'd like

An alternative is to use str2bool from PyPI:

Description

When following the workshop with nothing already installed, doing a cdk ls provide the following error:

Traceback (most recent call last):
  File "/home/ubuntu/environment/ecs/terraform/ecs-blueprints/cdk/examples/generative_ai_service/app.py", line 79, in <module>
    gen_ai_stack_props.sd_namespace = [
                                      ^
IndexError: list index out of range

Subprocess exited with error 1

⚠️ Note

Before you submit an issue, please perform the following first:

1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
2. Re-initialize the project root to pull down modules: terraform init
3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

• Module version [Required]:

• Terraform version:

• Provider version(s):

Reproduction Code [Required]

Steps to reproduce the behavior:

Expected behavior

Actual behavior

Terminal Output Screenshot(s)

Additional context

Please describe your question here

As someone perusing and evaluating this very helpful repository and its suggested solutions, I've seen that there are some references to AWS CodeStar in the infrastructure code. After going to the docs, I see that it's changing in July: What Is AWS CodeStar? - AWS CodeStar

On July 31, 2024, Amazon Web Services (AWS) will discontinue support for creating and viewing AWS CodeStar projects. After July 31, 2024, you will no longer be able to access the AWS CodeStar console or create new projects. However, the AWS resources created by AWS CodeStar, including your source repositories, pipelines, and builds, will be unaffected by this change and will continue to function. AWS CodeStar Connections will not be impacted by this discontinuation.

Will the examples continue to work after then? If not, what are the expected workarounds?

Provide link to the example related to the question

• https://github.com/aws-ia/ecs-blueprints/blob/main/terraform/modules/codepipeline/main.tf#L44
• https://github.com/aws-ia/ecs-blueprints/blob/main/terraform/fargate-examples/backstage/codepipeline.tf#L55
• https://github.com/aws-ia/ecs-blueprints/blob/main/terraform/fargate-examples/graviton/codepipeline.tf#L57
• https://github.com/aws-ia/ecs-blueprints/blob/main/terraform/fargate-examples/queue-processing/codepipeline.tf#L54

• Yes, I have checked the repo for existing issues before raising this question

Is your feature request related to a problem? Please describe

We should allow users to connect into ECS tasks by providing configuration to for ecs exec

Describe the solution you'd like

Configure the bucket s3 that will securely store the commands executed in ecs tasks

Is your feature request related to a problem? Please describe

When running the TF on a new account with no CodeStar service link roles enabled the following error appears on creating sns notification

│ Error: error creating codestar notification rule: ConfigurationException: AWS CodeStar Notifications could not create the AWS CloudWatch Events managed rule in your AWS account. If this is your first time creating a notification rule, the service-linked role for AWS CodeStar Notifications might not yet exist. Creation of this role might take up to 15 minutes. Until it exists, notification rule creation will fail. Wait 15 minutes, and then try again. If this is is not the first time you are creating a notification rule, there might be a problem with a network connection, or one or more AWS services might be experiencing issues. Verify your network connection and check to see if there are any issues with AWS services in your AWS Region before trying again.
│ 
│   with module.codepipeline_ci_cd.aws_codestarnotifications_notification_rule.this,
│   on ../../modules/codepipeline/main.tf line 76, in resource "aws_codestarnotifications_notification_rule" "this":
│   76: resource "aws_codestarnotifications_notification_rule" "this" {

Describe the solution you'd like

Suggest updating the README.md documentation under
https://github.com/aws-ia/terraform-aws-ecs-blueprints/tree/main/examples/lb-service
to mention/warn of this error and to redo terraform apply - or enable a wait mechanism or create service link role prior to notification creation.

Describe alternatives you've considered

Re-do terraform apply

Additional context

Add any other context or screenshots about the feature request here.
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_service_linked_role

Is your feature request related to a problem? Please describe

Account level security access control

Describe the solution you'd like

Customers commonly use multiple accounts for e.g. -/ one account for CI/CD shared services -/ account for test/staging cluster -/ production account. This blueprint will define multi-account setup to use for running containers on ECS. Following is the desired account structure:

1. CI/CD and associated services in one account
2. an account with test cluster and test ECR images
3. an account with production cluster and production ECR images

Make the blueprint flexible so that it is easier for customer to add more accounts for e.g. staging, Q/A etc. The designer should review AWS Control Tower, AWS Organization and landing zone best practices to align with the latest well-architected for multi-account setup.

Is your feature request related to a problem? Please describe

• Document creation of AWS CodeStart Notifications service-linked role. If users do not have this role in their account already, they will face an error like the one shown below. Reference https://docs.aws.amazon.com/dtconsole/latest/userguide/using-service-linked-roles.html#slr-permissions

AWS CodeStar Notifications could not create the AWS CloudWatch Events managed rule in your AWS account. 
If this is your first time creating a notification rule, the service-linked role for AWS CodeStar Notifications might not yet exist.
Creation of this role might take up to 15 minutes. Until it exists, notification rule creation will fail.

Is your feature request related to a problem? Please describe

Primary container in the ECS Service module only supports 1 port/protocol.

Describe the solution you'd like

ECS Service module support port_mappings map. This will allow multiple ports to be exposed on the primary container.

Describe alternatives you've considered

A clear and concise description of any alternative solutions or features you've considered.
N/A

Additional context

Add any other context or screenshots about the feature request here.

Description

Following quick-start step by step I'm unable to plan nor apply the lb-service of the terraform blueprint.

Plan: 7 to add, 0 to change, 0 to destroy.
╷
│ Error: Invalid function argument
│ 
│   on main.tf line 139, in module "ecs_service_definition":
│  139:   task_exec_iam_role_arn = one(data.aws_iam_roles.ecs_core_infra_exec_role.arns)
│     ├────────────────
│     │ while calling one(list)
│     │ data.aws_iam_roles.ecs_core_infra_exec_role.arns is set of string with 2 elements
│ 
│ Invalid value for "list" parameter: must be a list, set, or tuple value with either zero or one elements.
╵
╷
│ Error: multiple EC2 VPCs matched; use additional constraints to reduce matches to a single EC2 VPC
│ 
│   with data.aws_vpc.vpc,
│   on main.tf line 169, in data "aws_vpc" "vpc":
│  169: data "aws_vpc" "vpc" {
│ 

If your request is for a new feature, please use the Feature request template.

• ✋ I have searched the open/closed issues and my issue is not listed.

Versions

• Module version [Required]:
  {"Modules":[{"Key":"","Source":"","Dir":"."},{"Key":"ecs_service_definition","Source":"registry.terraform.io/terraform-aws-modules/ecs/aws//modules/service","Version":"5.0.1","Dir":".terraform/modules/ecs_service_definition/modules/service"},{"Key":"ecs_service_definition.container_definition","Source":"../container-definition","Dir":".terraform/modules/ecs_service_definition/modules/container-definition"},{"Key":"service_alb","Source":"registry.terraform.io/terraform-aws-modules/alb/aws","Version":"8.6.0","Dir":".terraform/modules/service_alb"}]}%

• Terraform version: 1.4.6

• Provider version(s): registry.terraform.io/hashicorp/aws v4.65.0

Reproduction Code [Required]

Steps to reproduce the behavior:

• Followed quick-start step by step.
• cd lb-service
• terraform init
• terraform plan

Expected behavior

Terraform plan should plan the set of actions to be reproduced

Actual behavior

Below described error messages

Terminal Output Screenshot(s)

Plan: 7 to add, 0 to change, 0 to destroy.
╷
│ Error: Invalid function argument
│ 
│   on main.tf line 139, in module "ecs_service_definition":
│  139:   task_exec_iam_role_arn = one(data.aws_iam_roles.ecs_core_infra_exec_role.arns)
│     ├────────────────
│     │ while calling one(list)
│     │ data.aws_iam_roles.ecs_core_infra_exec_role.arns is set of string with 2 elements
│ 
│ Invalid value for "list" parameter: must be a list, set, or tuple value with either zero or one elements.
╵
╷
│ Error: multiple EC2 VPCs matched; use additional constraints to reduce matches to a single EC2 VPC
│ 
│   with data.aws_vpc.vpc,
│   on main.tf line 169, in data "aws_vpc" "vpc":
│  169: data "aws_vpc" "vpc" {
│ 

Is your feature request related to a problem? Please describe

When microservices needs to talk to each others, the new recommend way to do it is usung ECS service connect.

Describe the solution you'd like

I would like a pattern that shows how to best implement ECS service connect in terraform

Description

Running "lb-service" example after successfully deploying "core-infra" I run into docker build issue

If your request is for a new feature, please use the Feature request template.

• [x ] ✋ I have searched the open/closed issues and my issue is not listed.

Versions

• Module version [Required]:
  $ cat .terraform/modules/modules.json | jq
  {
  "Modules": [
  {
  "Key": "codepipeline_ci_cd",
  "Source": "../../modules/codepipeline",
  "Dir": "../../modules/codepipeline"
  },
  {
  "Key": "codepipeline_s3_bucket",
  "Source": "registry.terraform.io/terraform-aws-modules/s3-bucket/aws",
  "Version": "3.4.0",
  "Dir": ".terraform/modules/codepipeline_s3_bucket"
  },
  {
  "Key": "container_image_ecr",
  "Source": "registry.terraform.io/terraform-aws-modules/ecr/aws",
  "Version": "1.4.0",
  "Dir": ".terraform/modules/container_image_ecr"
  },
  {
  "Key": "ecs_service_definition",
  "Source": "../../modules/ecs-service",
  "Dir": "../../modules/ecs-service"
  },
  {
  "Key": "ecs_service_definition.task_main_app_container",
  "Source": "../ecs-container-definition",
  "Dir": "../../modules/ecs-container-definition"
  },
  {
  "Key": "service_alb",
  "Source": "registry.terraform.io/terraform-aws-modules/alb/aws",
  "Version": "7.0.0",
  "Dir": ".terraform/modules/service_alb"
  },
  {
  "Key": "service_alb_security_group",
  "Source": "registry.terraform.io/terraform-aws-modules/security-group/aws",
  "Version": "4.13.1",
  "Dir": ".terraform/modules/service_alb_security_group"
  },
  {
  "Key": "codebuild_ci",
  "Source": "../../modules/codebuild",
  "Dir": "../../modules/codebuild"
  },
  {
  "Key": "ecs_service_definition.task_sidecar_containers",
  "Source": "../ecs-container-definition",
  "Dir": "../../modules/ecs-container-definition"
  },
  {
  "Key": "service_task_security_group",
  "Source": "registry.terraform.io/terraform-aws-modules/security-group/aws",
  "Version": "4.13.1",
  "Dir": ".terraform/modules/service_task_security_group"
  },
  {
  "Key": "",
  "Source": "",
  "Dir": "."
  }
  ]
  }

• Terraform version: 1.2.4

• Provider version(s):

Terraform v1.2.4
on linux_amd64

• provider registry.terraform.io/hashicorp/aws v4.36.1
• provider registry.terraform.io/hashicorp/random v3.4.3

Reproduction Code [Required]

Steps to reproduce the behavior:

terraform init
teraform plan
terraform apply -auto-aprove

local "docker build ." in directory "terraform-aws-ecs-blueprints/application-code/ecsdemo-frontend" gave same docker build error

Expected behavior

Successful docker build, docker push and container image in ECR registry, which can be used for ECS service

Terminal Output Screenshot(s)

CodeBuild -> Build Logs
...
nokogiri-1.13.9-x86_64-linux requires ruby version < 3.2.dev, >= 2.6, which is
incompatible with the current version, ruby 2.5.9p229

The command '/bin/sh -c apt-get update && apt-get -y install iproute2 curl jq libgmp3-dev ruby-dev build-essential sqlite libsqlite3-dev python3 python3-pip && gem install bundler:1.17.3 && bundle install && pip3 install awscli netaddr && apt-get autoremove -y --purge && apt-get remove -y --auto-remove --purge ruby-dev libgmp3-dev build-essential libsqlite3-dev && apt-get clean && rm -rvf /root/* /root/.gem* /var/cache/*' returned a non-zero code: 5

[Container] 2022/10/24 13:19:52 Command did not exit successfully docker build -t $REPO_URL $FOLDER_PATH exit status 5

Is your feature request related to a problem? Please describe

• Document the GitHub permissions required for the personal access token for users
• Also, how can users use GitHub app auth instead of personal access tokens - https://docs.aws.amazon.com/codepipeline/latest/userguide/update-github-action-connections.html ?

Is your feature request related to a problem? Please describe

The IAM role for the Lambda function of the queue-processing example, lambda_role, is allowed to perform the actions as per below:

      "sqs:ChangeMessageVisibility",
      "sqs:ChangeMessageVisibilityBatch",
      "sqs:SendMessage",
      "sqs:DeleteMessage",
      "sqs:DeleteMessageBatch",
      "sqs:GetQueueAttributes",
      "sqs:GetQueueUrl",
      "sqs:ReceiveMessage"

These actions certainly apply to the task role, and they are allowed for it, but are not expected for the Lambda function itself.

Describe the solution you'd like

In line with the principle of least privilege, the list of allowed actions for the Lambda function should only contain:

      "sqs:GetQueueAttributes",

Is your feature request related to a problem? Please describe

With recent changes to how AWS charges for IPv4 addresses, it would be useful to have a clear example in ECS Blueprints that demonstrates an architecture that minimizes the need for public IPv4 addresses and emphasizes private subnets, ideally with ipv6.

Describe the solution you'd like

Given that ECS/F requires dual stack ipv6 today, we could show provisioning a VPC with an ipv6 range enabled and how it works with tasks? Fuzzy on how exactly this should work but emphasizing ipv6, and de-emphasizing ipv4 where possible.

This is for tracking only:

• Validate ECS service connect functionality
• Validate changes are properly ignored when integrating with a load balancer (target group ARNs)
• Validate changes are properly ignored when updating task definition externally (Terraform should still be able to update the task definition but will not revert the changes made externally)
• Validate changes are properly ignored when using CodeDeploy blue/green deployment (task definition will be ignored entirely in this scenario)

Description

Please provide a clear and concise description of the issue you are encountering, and a reproduction of your configuration (see the examples/* directory for references that you can copy+paste and tailor to match your configs if you are unable to copy your exact configuration). The reproduction MUST be executable by running terraform init && terraform apply without any further changes.

If your request is for a new feature, please use the Feature request template.

• ✋ I have searched the open/closed issues and my issue is not listed.

⚠️ Note

Before you submit an issue, please perform the following first:

1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
2. Re-initialize the project root to pull down modules: terraform init
3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

• Module version [Required]:

    {
      "Key": "codepipeline_s3_bucket",
      "Source": "registry.terraform.io/terraform-aws-modules/s3-bucket/aws",
      "Version": "3.13.0",
      "Dir": ".terraform/modules/codepipeline_s3_bucket"
    },
    {
      "Key": "ecs_service_definition_arm64.container_definition",
      "Source": "../container-definition",
      "Dir": ".terraform/modules/ecs_service_definition_arm64/modules/container-definition"
    },
    {
      "Key": "service_alb_amd64",
      "Source": "registry.terraform.io/terraform-aws-modules/alb/aws",
      "Version": "8.6.1",
      "Dir": ".terraform/modules/service_alb_amd64"
    },
    {
      "Key": "codebuild_ci_amd64",
      "Source": "../../modules/codebuild",
      "Dir": "../../modules/codebuild"
    },
    {
      "Key": "service_alb_arm64",
      "Source": "registry.terraform.io/terraform-aws-modules/alb/aws",
      "Version": "8.6.1",
      "Dir": ".terraform/modules/service_alb_arm64"
    },
    {
      "Key": "ecs_service_definition_amd64.container_definition",
      "Source": "../container-definition",
      "Dir": ".terraform/modules/ecs_service_definition_amd64/modules/container-definition"
    },
    {
      "Key": "",
      "Source": "",
      "Dir": "."
    },
    {
      "Key": "ecs_service_definition_arm64",
      "Source": "registry.terraform.io/terraform-aws-modules/ecs/aws//modules/service",
      "Version": "5.2.0",
      "Dir": ".terraform/modules/ecs_service_definition_arm64/modules/service"
    },
    {
      "Key": "codepipeline_ci_cd",
      "Source": "../../modules/codepipeline",
      "Dir": "../../modules/codepipeline"
    },
    {
      "Key": "container_image_ecr",
      "Source": "registry.terraform.io/terraform-aws-modules/ecr/aws",
      "Version": "1.6.0",
      "Dir": ".terraform/modules/container_image_ecr"
    },
    {
      "Key": "ecs_service_definition_amd64",
      "Source": "registry.terraform.io/terraform-aws-modules/ecs/aws//modules/service",
      "Version": "5.2.0",
      "Dir": ".terraform/modules/ecs_service_definition_amd64/modules/service"
    },
    {
      "Key": "codebuild_ci_manifest",
      "Source": "../../modules/codebuild",
      "Dir": "../../modules/codebuild"
    },
    {
      "Key": "codebuild_ci_arm64",
      "Source": "../../modules/codebuild",
      "Dir": "../../modules/codebuild"
    }

• Terraform version: Terraform v1.3.9 on darwin_arm64

• Provider version(s):
  • registry.terraform.io/hashicorp/aws v4.67.0
  • provider registry.terraform.io/hashicorp/random v3.5.1

Reproduction Code [Required]

Steps to reproduce the behavior:
After installing core-infra and creating github token, deploy Graviton and Multi-architecture Container Images.

cd ecs-blueprints/terraform/fargate-examples/graviton
terraform init
terraform plan
terraform apply -auto-approve

Expected behavior

ECS service with graviton deployed.

Actual behavior

Cannot deploy the infra because of the recent change in S3 bucket ACL (link)

Terminal Output Screenshot(s)

Additional context

https://aws.amazon.com/ko/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/
https://stackoverflow.com/questions/76049290/error-accesscontrollistnotsupported-when-trying-to-create-a-bucket-acl-in-aws