aws-ia / ecs-blueprints
Configure and deploy complete ECS solutions with Terraform or CDK
License: Apache License 2.0
We should provide an easy way for users to change creation specifications like Region name, vpc cidr.. by providing variables with sane default
also the core-infra by default creation name is not meaningful enough, maybe have a default to ecs-blueprint-code-infra ?
Today the examples for ECS/EC2 utilize AL2. This would create an example that uses Bottlerocket
The ability to provision an ECS Cluster and corresponding data plane using BR.
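As an added illustration of the request above (example code written for this page, not taken from the ecs-blueprints repository), this is what a Bottlerocket-backed ECS data plane looks like in Terraform: the AMI comes from the public SSM parameter Bottlerocket publishes for its ECS variant, user data is TOML rather than a shell script, and the launch template enforces IMDSv2. It assumes an existing cluster (var.cluster_name), private subnets, and an instance profile that already carries the ECS container-instance and SSM managed policies; the instance type and sizing are arbitrary.

```hcl
# Added example, not the blueprint's own code. Assumed inputs:
variable "cluster_name"          { type = string }
variable "private_subnet_ids"    { type = list(string) }
variable "instance_profile_name" { type = string }  # needs ECS + SSM permissions

# Bottlerocket publishes the latest ECS-variant AMI ID under a public SSM
# parameter, so no AMI filtering by name/owner is needed.
data "aws_ssm_parameter" "bottlerocket_ecs" {
  name = "/aws/service/bottlerocket/aws-ecs-1/x86_64/latest/image_id"
}

resource "aws_launch_template" "bottlerocket" {
  name_prefix   = "${var.cluster_name}-bottlerocket-"
  image_id      = data.aws_ssm_parameter.bottlerocket_ecs.value
  instance_type = "m6i.large"

  iam_instance_profile {
    name = var.instance_profile_name
  }

  # Bottlerocket consumes TOML settings as user data; there is no shell on the
  # host to run a script. The "admin" host container (SSH) stays disabled; the
  # "control" container gives SSM Session Manager access instead.
  user_data = base64encode(<<-EOT
    [settings.ecs]
    cluster = "${var.cluster_name}"
    enable-spot-instance-draining = true

    [settings.host-containers.admin]
    enabled = false

    [settings.host-containers.control]
    enabled = true
  EOT
  )

  # IMDSv2 only, hop limit 1: task containers cannot reach the instance
  # role's credentials through the metadata endpoint. Task roles are served
  # by the ECS agent's own credential endpoint, so tasks do not need IMDS.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  tag_specifications {
    resource_type = "instance"
    tags          = { Name = "${var.cluster_name}-bottlerocket" }
  }
}

resource "aws_autoscaling_group" "bottlerocket" {
  name_prefix         = "${var.cluster_name}-bottlerocket-"
  vpc_zone_identifier = var.private_subnet_ids
  min_size            = 1
  max_size            = 6
  desired_capacity    = 2

  launch_template {
    id      = aws_launch_template.bottlerocket.id
    version = "$Latest"
  }

  # Required for ECS managed scaling on the capacity provider below.
  tag {
    key                 = "AmazonECSManaged"
    value               = "true"
    propagate_at_launch = true
  }
}

resource "aws_ecs_capacity_provider" "bottlerocket" {
  name = "${var.cluster_name}-bottlerocket"

  auto_scaling_group_provider {
    auto_scaling_group_arn         = aws_autoscaling_group.bottlerocket.arn
    managed_termination_protection = "DISABLED"

    managed_scaling {
      status          = "ENABLED"
      target_capacity = 100
    }
  }
}

resource "aws_ecs_cluster_capacity_providers" "this" {
  cluster_name       = var.cluster_name
  capacity_providers = [aws_ecs_capacity_provider.bottlerocket.name]
}
```

After apply, `aws ecs list-container-instances --cluster <name>` should show the instances registered; if they never register, the usual causes are an instance profile without the ECS policy, or private subnets with no route to the ECS and SSM endpoints. Because the admin container is off, the only interactive path onto a host is `aws ssm start-session`, which is what you want for an immutable OS.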
Please provide a clear and concise description of the issue you are encountering, and a reproduction of your configuration (see the examples/* directory for references that you can copy+paste and tailor to match your configs if you are unable to copy your exact configuration). The reproduction MUST be executable by running terraform init && terraform apply without any further changes.
If your request is for a new feature, please use the Feature request template.
Before you submit an issue, please perform the following first:
1. Remove the .terraform directory (ONLY if state is stored remotely, which hopefully you are following as a best practice!): rm -rf .terraform/
2. terraform init
Module version [Required]: there is no tag yet, however this is the commit: b317923
Terraform version: Terraform v1.4.0 on darwin_arm64
provider registry.terraform.io/hashicorp/aws v4.58.0
Steps to reproduce the behavior:
Expected: the command cp terraform.tfvars.example terraform.tfvars to work:
cd ecs-blueprints/examples/core-infra/
terraform init
cp terraform.tfvars.example terraform.tfvars
Actual (exit code 1):
cd ecs-blueprints/examples/core-infra
terraform init
cp terraform.tfvars.example terraform.tfvars
cp: terraform.tfvars.example: No such file or directory
The only terraform.tfvars.example I found was in the backstage folder.
Tried deploying the terraform/backstage example and received the following 2 errors:
│ Error: creating RDS Cluster (backstage-db): DBSubnetGroupNotFoundFault: DB subnet group 'backstage-db' does not exist.
│ status code: 404, request id: 3e1d882a-5a14-45f2-ad01-17bff9f33a03
│
│ with module.aurora_postgresdb.aws_rds_cluster.this[0],
│ on .terraform/modules/aurora_postgresdb/main.tf line 39, in resource "aws_rds_cluster" "this":
│ 39: resource "aws_rds_cluster" "this" {
│
╵
╷
│ Error: creating S3 Bucket (codepipeline-us-east-1-20240416185721255000000008) ACL: operation error S3: PutBucketAcl, https response error StatusCode: 400, RequestID: X33SEHZFNBEKADPK, HostID: +ucmEDDvw5gcnspNZlPlSTcZaua4WnMFeR+gm8b9o8J6T8ZNRotiDLoVLJGyn1TlqEJ9SD1BoRc=, api error AccessControlListNotSupported: The bucket does not allow ACLs
│
│ with module.codepipeline_s3_bucket.aws_s3_bucket_acl.this[0],
│ on .terraform/modules/codepipeline_s3_bucket/main.tf line 45, in resource "aws_s3_bucket_acl" "this":
│ 45: resource "aws_s3_bucket_acl" "this" {
Module version [Required]:
Terraform version:
Provider version(s):
Terraform v1.8.0
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v5.45.0
+ provider registry.terraform.io/hashicorp/random v3.6.1
Example: terraform/fargate-examples/backstage
Steps to reproduce the behavior: deploy the example.
Expected: terraform apply should complete successfully. Actual: the two errors shown above.
ECS Blueprints for CDK(Python) uses distutils.util.strtobool
and this package is to be removed in Python 3.12.
An alternative is to use str2bool from PyPI:
When following the workshop with nothing already installed, running cdk ls produces the following error:
Traceback (most recent call last):
File "/home/ubuntu/environment/ecs/terraform/ecs-blueprints/cdk/examples/generative_ai_service/app.py", line 79, in <module>
gen_ai_stack_props.sd_namespace = [
^
IndexError: list index out of range
Subprocess exited with error 1
As someone perusing and evaluating this very helpful repository and its suggested solutions, I've seen that there are some references to AWS CodeStar in the infrastructure code. After going to the docs, I see that it's changing in July: What Is AWS CodeStar? - AWS CodeStar
On July 31, 2024, Amazon Web Services (AWS) will discontinue support for creating and viewing AWS CodeStar projects. After July 31, 2024, you will no longer be able to access the AWS CodeStar console or create new projects. However, the AWS resources created by AWS CodeStar, including your source repositories, pipelines, and builds, will be unaffected by this change and will continue to function. AWS CodeStar Connections will not be impacted by this discontinuation.
Will the examples continue to work after then? If not, what are the expected workarounds?
We should allow users to connect into ECS tasks by providing configuration for ECS Exec.
Configure the S3 bucket that will securely store the commands executed in ECS tasks.
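As an added example of the configuration requested above (written for this page; not the blueprint's own ECS Exec module), the following enables ECS Exec on a cluster with the session encrypted by a customer-managed KMS key and every session transcript written to a private, KMS-encrypted S3 bucket, and grants the task role only what the in-task SSM agent needs. var.cluster_name and var.task_role_name are assumed inputs; the bucket, key and policy names are assumptions.

```hcl
# Added example, not the blueprint's own code. Assumed inputs:
variable "cluster_name"   { type = string }
variable "task_role_name" { type = string }  # task role of the service(s) using ECS Exec

data "aws_caller_identity" "current" {}

# One CMK for both the session channel and the audit objects.
resource "aws_kms_key" "ecs_exec" {
  description         = "ECS Exec session and audit log encryption"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "ecs_exec_audit" {
  bucket = "${var.cluster_name}-ecs-exec-audit-${data.aws_caller_identity.current.account_id}"
}

resource "aws_s3_bucket_public_access_block" "ecs_exec_audit" {
  bucket                  = aws_s3_bucket.ecs_exec_audit.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "ecs_exec_audit" {
  bucket = aws_s3_bucket.ecs_exec_audit.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.ecs_exec.arn
    }
  }
}

resource "aws_ecs_cluster" "this" {
  name = var.cluster_name

  configuration {
    execute_command_configuration {
      kms_key_id = aws_kms_key.ecs_exec.arn
      logging    = "OVERRIDE"   # NONE | DEFAULT | OVERRIDE; OVERRIDE uses log_configuration
      log_configuration {
        s3_bucket_name               = aws_s3_bucket.ecs_exec_audit.bucket
        s3_bucket_encryption_enabled = true
        s3_key_prefix                = "exec-sessions"
      }
    }
  }
}

# The TASK role (not the execution role) carries these: the SSM agent running
# inside the task uses it to open the session and to write the transcript.
data "aws_iam_policy_document" "ecs_exec_task" {
  statement {
    actions = [
      "ssmmessages:CreateControlChannel",
      "ssmmessages:CreateDataChannel",
      "ssmmessages:OpenControlChannel",
      "ssmmessages:OpenDataChannel",
    ]
    resources = ["*"]   # ssmmessages actions have no resource-level scoping
  }
  statement {
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.ecs_exec_audit.arn}/exec-sessions/*"]
  }
  statement {
    actions   = ["s3:GetEncryptionConfiguration"]
    resources = [aws_s3_bucket.ecs_exec_audit.arn]
  }
  statement {
    # Decrypt for the session channel, GenerateDataKey to write SSE-KMS objects.
    actions   = ["kms:Decrypt", "kms:GenerateDataKey"]
    resources = [aws_kms_key.ecs_exec.arn]
  }
}

resource "aws_iam_policy" "ecs_exec_task" {
  name   = "${var.cluster_name}-ecs-exec-task"
  policy = data.aws_iam_policy_document.ecs_exec_task.json
}

resource "aws_iam_role_policy_attachment" "ecs_exec_task" {
  role       = var.task_role_name
  policy_arn = aws_iam_policy.ecs_exec_task.arn
}
```

Each service that should be reachable also needs enable_execute_command = true on its aws_ecs_service (existing tasks must be replaced before it takes effect; check with `aws ecs describe-tasks` and look for enableExecuteCommand). The caller side needs ecs:ExecuteCommand plus kms:GenerateDataKey on the same key, which is a useful choke point: without the KMS grant nobody can open a shell, even with ecs:ExecuteCommand. After a session, objects appear under exec-sessions/ in the bucket; the open-source amazon-ecs-exec-checker script from the aws-containers GitHub organization walks through the same prerequisites when a session will not start.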
When running the TF on a new account with no CodeStar service-linked roles enabled, the following error appears on creating the SNS notification:
│ Error: error creating codestar notification rule: ConfigurationException: AWS CodeStar Notifications could not create the AWS CloudWatch Events managed rule in your AWS account. If this is your first time creating a notification rule, the service-linked role for AWS CodeStar Notifications might not yet exist. Creation of this role might take up to 15 minutes. Until it exists, notification rule creation will fail. Wait 15 minutes, and then try again. If this is is not the first time you are creating a notification rule, there might be a problem with a network connection, or one or more AWS services might be experiencing issues. Verify your network connection and check to see if there are any issues with AWS services in your AWS Region before trying again.
│
│ with module.codepipeline_ci_cd.aws_codestarnotifications_notification_rule.this,
│ on ../../modules/codepipeline/main.tf line 76, in resource "aws_codestarnotifications_notification_rule" "this":
│ 76: resource "aws_codestarnotifications_notification_rule" "this" {
Suggest updating the README.md documentation under
https://github.com/aws-ia/terraform-aws-ecs-blueprints/tree/main/examples/lb-service
to mention/warn of this error and to redo terraform apply - or enable a wait mechanism or create service link role prior to notification creation.
Re-do terraform apply
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_service_linked_role
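The third option suggested above, creating the service-linked role before the notification rule, looks like this as an added example (written for this page, not the blueprint's codepipeline module). It assumes the pipeline ARN, pipeline name and SNS topic ARN are passed in as variables, and uses the hashicorp/time provider for the settling delay; the flag exists because a second CreateServiceLinkedRole for a role that already exists fails, so the role is only created in accounts that lack it.

```hcl
# Added example, not the blueprint's own code.
terraform {
  required_providers {
    aws  = { source = "hashicorp/aws" }
    time = { source = "hashicorp/time" }
  }
}

variable "pipeline_name"  { type = string }
variable "pipeline_arn"   { type = string }
variable "sns_topic_arn"  { type = string }

variable "create_codestar_notifications_slr" {
  description = "false where AWSServiceRoleForCodeStarNotifications already exists (creating it twice fails)"
  type        = bool
  default     = true
}

# Service-linked role the notification rule needs in order to create its
# managed EventBridge rule. Created explicitly instead of relying on the
# first notification-rule call to create it lazily.
resource "aws_iam_service_linked_role" "codestar_notifications" {
  count            = var.create_codestar_notifications_slr ? 1 : 0
  aws_service_name = "codestar-notifications.amazonaws.com"
}

# The role can exist in IAM before the service will use it; the error text
# quotes up to 15 minutes. Start with a short wait and raise it if the first
# apply still races.
resource "time_sleep" "codestar_notifications_slr" {
  count           = var.create_codestar_notifications_slr ? 1 : 0
  depends_on      = [aws_iam_service_linked_role.codestar_notifications]
  create_duration = "90s"
}

resource "aws_codestarnotifications_notification_rule" "pipeline" {
  name        = "${var.pipeline_name}-notifications"
  resource    = var.pipeline_arn
  detail_type = "BASIC"

  event_type_ids = [
    "codepipeline-pipeline-pipeline-execution-failed",
    "codepipeline-pipeline-pipeline-execution-succeeded",
  ]

  target {
    address = var.sns_topic_arn
  }

  # Ordering only; count=0 gives an empty list, which is still a valid dependency.
  depends_on = [time_sleep.codestar_notifications_slr]
}
```

To decide the flag for an account, `aws iam get-role --role-name AWSServiceRoleForCodeStarNotifications` returns the role or a NoSuchEntity error. Keeping the role in state is also the cleaner teardown story: `terraform destroy` removes it, whereas the lazily created one lingers after the pipeline is gone.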
Account level security access control
Customers commonly use multiple accounts, e.g.:
- one account for CI/CD shared services
- an account for the test/staging cluster
- a production account
This blueprint will define a multi-account setup to use for running containers on ECS. Following is the desired account structure:
Make the blueprint flexible so that it is easier for customer to add more accounts for e.g. staging, Q/A etc. The designer should review AWS Control Tower, AWS Organization and landing zone best practices to align with the latest well-architected for multi-account setup.
AWS CodeStar Notifications could not create the AWS CloudWatch Events managed rule in your AWS account.
If this is your first time creating a notification rule, the service-linked role for AWS CodeStar Notifications might not yet exist.
Creation of this role might take up to 15 minutes. Until it exists, notification rule creation will fail.
Primary container in the ECS Service module only supports 1 port/protocol.
ECS Service module support port_mappings map. This will allow multiple ports to be exposed on the primary container.
Following the quick-start step by step, I'm unable to plan or apply the lb-service of the terraform blueprint.
Plan: 7 to add, 0 to change, 0 to destroy.
╷
│ Error: Invalid function argument
│
│ on main.tf line 139, in module "ecs_service_definition":
│ 139: task_exec_iam_role_arn = one(data.aws_iam_roles.ecs_core_infra_exec_role.arns)
│ ├────────────────
│ │ while calling one(list)
│ │ data.aws_iam_roles.ecs_core_infra_exec_role.arns is set of string with 2 elements
│
│ Invalid value for "list" parameter: must be a list, set, or tuple value with either zero or one elements.
╵
╷
│ Error: multiple EC2 VPCs matched; use additional constraints to reduce matches to a single EC2 VPC
│
│ with data.aws_vpc.vpc,
│ on main.tf line 169, in data "aws_vpc" "vpc":
│ 169: data "aws_vpc" "vpc" {
│
Module version [Required]:
{"Modules":[{"Key":"","Source":"","Dir":"."},{"Key":"ecs_service_definition","Source":"registry.terraform.io/terraform-aws-modules/ecs/aws//modules/service","Version":"5.0.1","Dir":".terraform/modules/ecs_service_definition/modules/service"},{"Key":"ecs_service_definition.container_definition","Source":"../container-definition","Dir":".terraform/modules/ecs_service_definition/modules/container-definition"},{"Key":"service_alb","Source":"registry.terraform.io/terraform-aws-modules/alb/aws","Version":"8.6.0","Dir":".terraform/modules/service_alb"}]}
Terraform version: 1.4.6
Provider version(s): registry.terraform.io/hashicorp/aws v4.65.0
Steps to reproduce the behavior: terraform plan.
Expected: terraform plan should plan the set of actions to be reproduced. Actual: the error messages shown above.
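Both errors above come from lookups that are allowed to match more than one object: one() is only defined for zero or one element, and aws_vpc refuses to pick among several VPCs. As an added example (written for this page; the blueprint's actual name_regex and tag conventions are assumed, not copied), this is the shape of a lookup that is constrained to a single match and fails the plan with a readable message when it is not. It needs Terraform 1.4 or later for terraform_data.

```hcl
# Added example, not the blueprint's own code. The regex and Name tag are
# assumptions about how core-infra names things; var.core_stack_name is assumed.
variable "core_stack_name" {
  type    = string
  default = "core-infra"
}

# Anchor the pattern. An unanchored "core-infra-execution" also matches
# "core-infra-execution-old" or "legacy-core-infra-execution", which is one
# way to end up with two ARNs in the set.
data "aws_iam_roles" "ecs_core_infra_exec_role" {
  name_regex = "^${var.core_stack_name}-execution$"
}

# Filter on the Name tag rather than accepting any VPC. aws_vpc still fails the
# plan if several VPCs carry the tag; add a cidr filter in that case rather than
# relaxing the lookup.
data "aws_vpc" "vpc" {
  filter {
    name   = "tag:Name"
    values = [var.core_stack_name]
  }
}

locals {
  exec_role_arns = tolist(data.aws_iam_roles.ecs_core_infra_exec_role.arns)
}

# Evaluated at plan time: turns one()'s "Invalid function argument" into a
# statement of what actually went wrong.
resource "terraform_data" "exec_role_is_unique" {
  lifecycle {
    precondition {
      condition     = length(local.exec_role_arns) == 1
      error_message = "Expected exactly one IAM role matching the core-infra execution role name; tighten name_regex or remove the stale role."
    }
  }
}

output "task_exec_iam_role_arn" {
  value = one(local.exec_role_arns)
}

output "vpc_id" {
  value = data.aws_vpc.vpc.id
}
```

When this trips, `aws iam list-roles --query "Roles[?contains(RoleName, 'execution')].Arn"` shows which extra role is being picked up; a leftover role from an earlier core-infra deployment with a different suffix is the common cause, and it should be deleted rather than worked around, since a task silently adopting the wrong execution role is a privilege boundary problem, not just a plan error.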
When microservices need to talk to each other, the new recommended way to do it is using ECS Service Connect.
I would like a pattern that shows how to best implement ECS Service Connect in terraform.
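As an added example covering both this request and the earlier one for multiple ports on the primary container (written for this page with plain aws_ecs_* resources, not the blueprint's ecs-service module), the task below exposes two named ports and the service publishes only the HTTP one through Service Connect; the metrics port stays reachable only by IP inside the VPC. Cluster ARN, subnets, security group, execution role and image are assumed inputs, and the namespace name is arbitrary.

```hcl
# Added example, not the blueprint's own code. Assumed inputs:
variable "cluster_arn"            { type = string }
variable "private_subnet_ids"     { type = list(string) }
variable "task_security_group_id" { type = string }
variable "execution_role_arn"     { type = string }
variable "image"                  { type = string }

# Cloud Map HTTP namespace that Service Connect registers endpoints into.
resource "aws_service_discovery_http_namespace" "this" {
  name = "internal.example"
}

resource "aws_ecs_task_definition" "backend" {
  family                   = "backend"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 256
  memory                   = 512
  execution_role_arn       = var.execution_role_arn

  container_definitions = jsonencode([{
    name      = "backend"
    image     = var.image
    essential = true
    # Several ports on the primary container. Each mapping gets a name so
    # Service Connect can refer to it by name below.
    portMappings = [
      { name = "http",    containerPort = 8080, protocol = "tcp", appProtocol = "http" },
      { name = "metrics", containerPort = 9090, protocol = "tcp" },
    ]
  }])
}

resource "aws_ecs_service" "backend" {
  name            = "backend"
  cluster         = var.cluster_arn
  task_definition = aws_ecs_task_definition.backend.arn
  desired_count   = 2
  launch_type     = "FARGATE"

  network_configuration {
    subnets          = var.private_subnet_ids
    security_groups  = [var.task_security_group_id]
    assign_public_ip = false
  }

  service_connect_configuration {
    enabled   = true
    namespace = aws_service_discovery_http_namespace.this.arn

    # Only "http" is published. "metrics" is deliberately left out so it is not
    # discoverable by name from other services in the namespace.
    service {
      port_name      = "http"      # must equal a portMappings[].name
      discovery_name = "backend"

      client_alias {
        port     = 80              # callers connect to http://backend:80
        dns_name = "backend"
      }
    }
  }
}
```

A calling service in the same cluster needs its own service_connect_configuration with the same namespace (it can be enabled with no service block if it only consumes). Service Connect injects a proxy sidecar into each task, so the task's security group must allow the peer's traffic to the container port just as before; the alias does not bypass security groups. The appProtocol value is what gives you per-request metrics and retries in the proxy, which is why it is set on the published port only.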
Running "lb-service" example after successfully deploying "core-infra" I run into docker build issue
Module version [Required]:
$ cat .terraform/modules/modules.json | jq
{
"Modules": [
{
"Key": "codepipeline_ci_cd",
"Source": "../../modules/codepipeline",
"Dir": "../../modules/codepipeline"
},
{
"Key": "codepipeline_s3_bucket",
"Source": "registry.terraform.io/terraform-aws-modules/s3-bucket/aws",
"Version": "3.4.0",
"Dir": ".terraform/modules/codepipeline_s3_bucket"
},
{
"Key": "container_image_ecr",
"Source": "registry.terraform.io/terraform-aws-modules/ecr/aws",
"Version": "1.4.0",
"Dir": ".terraform/modules/container_image_ecr"
},
{
"Key": "ecs_service_definition",
"Source": "../../modules/ecs-service",
"Dir": "../../modules/ecs-service"
},
{
"Key": "ecs_service_definition.task_main_app_container",
"Source": "../ecs-container-definition",
"Dir": "../../modules/ecs-container-definition"
},
{
"Key": "service_alb",
"Source": "registry.terraform.io/terraform-aws-modules/alb/aws",
"Version": "7.0.0",
"Dir": ".terraform/modules/service_alb"
},
{
"Key": "service_alb_security_group",
"Source": "registry.terraform.io/terraform-aws-modules/security-group/aws",
"Version": "4.13.1",
"Dir": ".terraform/modules/service_alb_security_group"
},
{
"Key": "codebuild_ci",
"Source": "../../modules/codebuild",
"Dir": "../../modules/codebuild"
},
{
"Key": "ecs_service_definition.task_sidecar_containers",
"Source": "../ecs-container-definition",
"Dir": "../../modules/ecs-container-definition"
},
{
"Key": "service_task_security_group",
"Source": "registry.terraform.io/terraform-aws-modules/security-group/aws",
"Version": "4.13.1",
"Dir": ".terraform/modules/service_task_security_group"
},
{
"Key": "",
"Source": "",
"Dir": "."
}
]
}
Terraform version: 1.2.4
Terraform v1.2.4
on linux_amd64
Steps to reproduce the behavior:
terraform init
terraform plan
terraform apply -auto-approve
local "docker build ." in directory "terraform-aws-ecs-blueprints/application-code/ecsdemo-frontend" gave same docker build error
Successful docker build, docker push and container image in ECR registry, which can be used for ECS service
CodeBuild -> Build Logs
...
nokogiri-1.13.9-x86_64-linux requires ruby version < 3.2.dev, >= 2.6, which is
incompatible with the current version, ruby 2.5.9p229
The command '/bin/sh -c apt-get update && apt-get -y install iproute2 curl jq libgmp3-dev ruby-dev build-essential sqlite libsqlite3-dev python3 python3-pip && gem install bundler:1.17.3 && bundle install && pip3 install awscli netaddr && apt-get autoremove -y --purge && apt-get remove -y --auto-remove --purge ruby-dev libgmp3-dev build-essential libsqlite3-dev && apt-get clean && rm -rvf /root/* /root/.gem* /var/cache/*' returned a non-zero code: 5
[Container] 2022/10/24 13:19:52 Command did not exit successfully docker build -t $REPO_URL $FOLDER_PATH exit status 5
The IAM role for the Lambda function of the queue-processing example, lambda_role
, is allowed to perform the actions as per below:
"sqs:ChangeMessageVisibility",
"sqs:ChangeMessageVisibilityBatch",
"sqs:SendMessage",
"sqs:DeleteMessage",
"sqs:DeleteMessageBatch",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ReceiveMessage"
These actions certainly apply to the task role, and they are allowed for it, but are not expected for the Lambda function itself.
In line with the principle of least privilege, the list of allowed actions for the Lambda function should only contain:
"sqs:GetQueueAttributes",
With recent changes to how AWS charges for IPv4 addresses, it would be useful to have a clear example in ECS Blueprints that demonstrates an architecture that minimizes the need for public IPv4 addresses and emphasizes private subnets, ideally with ipv6.
Given that ECS/F requires dual stack ipv6 today, we could show provisioning a VPC with an ipv6 range enabled and how it works with tasks? Fuzzy on how exactly this should work but emphasizing ipv6, and de-emphasizing ipv4 where possible.
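Returning to the queue-processing least-privilege issue above: as an added example (written for this page, not the example's own code), this is the split between the two roles that the report argues for, with both policies scoped to the single queue ARN. The queue, role and policy names are assumptions.

```hcl
# Added example, not the queue-processing example's own code.
resource "aws_sqs_queue" "jobs" {
  name                    = "queue-processing-jobs"
  sqs_managed_sse_enabled = true
}

data "aws_iam_policy_document" "assume_ecs_tasks" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

data "aws_iam_policy_document" "assume_lambda" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

# Task role: the worker receives, extends visibility on, and deletes messages.
# Scoped to this queue's ARN, never "*". Drop sqs:SendMessage if the worker
# never re-enqueues work.
data "aws_iam_policy_document" "task_sqs" {
  statement {
    actions = [
      "sqs:ChangeMessageVisibility",
      "sqs:ChangeMessageVisibilityBatch",
      "sqs:SendMessage",
      "sqs:DeleteMessage",
      "sqs:DeleteMessageBatch",
      "sqs:GetQueueAttributes",
      "sqs:GetQueueUrl",
      "sqs:ReceiveMessage",
    ]
    resources = [aws_sqs_queue.jobs.arn]
  }
}

# Lambda role: it only reads queue depth to drive scaling, so that is all it gets.
# With this policy a compromised scaler can neither drain nor forge jobs.
data "aws_iam_policy_document" "lambda_sqs" {
  statement {
    actions   = ["sqs:GetQueueAttributes"]
    resources = [aws_sqs_queue.jobs.arn]
  }
}

resource "aws_iam_role" "task_role" {
  name               = "queue-processing-task"
  assume_role_policy = data.aws_iam_policy_document.assume_ecs_tasks.json
}

resource "aws_iam_role_policy" "task_sqs" {
  name   = "sqs-consume"
  role   = aws_iam_role.task_role.id
  policy = data.aws_iam_policy_document.task_sqs.json
}

resource "aws_iam_role" "lambda_role" {
  name               = "queue-processing-scaler"
  assume_role_policy = data.aws_iam_policy_document.assume_lambda.json
}

resource "aws_iam_role_policy" "lambda_sqs" {
  name   = "sqs-read-depth"
  role   = aws_iam_role.lambda_role.id
  policy = data.aws_iam_policy_document.lambda_sqs.json
}
```

The Lambda role still needs its logging permissions (the AWSLambdaBasicExecutionRole managed policy) and whatever API it actually calls to adjust the service; those are separate statements, not a reason to widen the SQS one. `aws accessanalyzer validate-policy --policy-type IDENTITY_POLICY --policy-document file://policy.json` flags over-broad actions and resources before apply.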
This is for tracking only:
{
"Key": "codepipeline_s3_bucket",
"Source": "registry.terraform.io/terraform-aws-modules/s3-bucket/aws",
"Version": "3.13.0",
"Dir": ".terraform/modules/codepipeline_s3_bucket"
},
{
"Key": "ecs_service_definition_arm64.container_definition",
"Source": "../container-definition",
"Dir": ".terraform/modules/ecs_service_definition_arm64/modules/container-definition"
},
{
"Key": "service_alb_amd64",
"Source": "registry.terraform.io/terraform-aws-modules/alb/aws",
"Version": "8.6.1",
"Dir": ".terraform/modules/service_alb_amd64"
},
{
"Key": "codebuild_ci_amd64",
"Source": "../../modules/codebuild",
"Dir": "../../modules/codebuild"
},
{
"Key": "service_alb_arm64",
"Source": "registry.terraform.io/terraform-aws-modules/alb/aws",
"Version": "8.6.1",
"Dir": ".terraform/modules/service_alb_arm64"
},
{
"Key": "ecs_service_definition_amd64.container_definition",
"Source": "../container-definition",
"Dir": ".terraform/modules/ecs_service_definition_amd64/modules/container-definition"
},
{
"Key": "",
"Source": "",
"Dir": "."
},
{
"Key": "ecs_service_definition_arm64",
"Source": "registry.terraform.io/terraform-aws-modules/ecs/aws//modules/service",
"Version": "5.2.0",
"Dir": ".terraform/modules/ecs_service_definition_arm64/modules/service"
},
{
"Key": "codepipeline_ci_cd",
"Source": "../../modules/codepipeline",
"Dir": "../../modules/codepipeline"
},
{
"Key": "container_image_ecr",
"Source": "registry.terraform.io/terraform-aws-modules/ecr/aws",
"Version": "1.6.0",
"Dir": ".terraform/modules/container_image_ecr"
},
{
"Key": "ecs_service_definition_amd64",
"Source": "registry.terraform.io/terraform-aws-modules/ecs/aws//modules/service",
"Version": "5.2.0",
"Dir": ".terraform/modules/ecs_service_definition_amd64/modules/service"
},
{
"Key": "codebuild_ci_manifest",
"Source": "../../modules/codebuild",
"Dir": "../../modules/codebuild"
},
{
"Key": "codebuild_ci_arm64",
"Source": "../../modules/codebuild",
"Dir": "../../modules/codebuild"
}
Steps to reproduce the behavior:
After installing core-infra and creating github token, deploy Graviton and Multi-architecture Container Images.
cd ecs-blueprints/terraform/fargate-examples/graviton
terraform init
terraform plan
terraform apply -auto-approve
ECS service with graviton deployed.
Cannot deploy the infra because of the recent change in S3 bucket ACL (link)
https://aws.amazon.com/ko/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/
https://stackoverflow.com/questions/76049290/error-accesscontrollistnotsupported-when-trying-to-create-a-bucket-acl-in-aws
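The AccessControlListNotSupported error here and in the backstage report above has the same cause: since April 2023 new buckets are created with ACLs disabled (BucketOwnerEnforced) and all public access blocked, so any PutBucketAcl call, including the aws_s3_bucket_acl resource the older s3-bucket module emits when given acl = "private", is rejected. As an added example (written for this page, not the blueprint's code), this is an artifact bucket declared to match those defaults instead of fighting them; the name prefix is an assumption.

```hcl
# Added example, not the blueprint's own code.
variable "name_prefix" {
  type    = string
  default = "codepipeline"
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

resource "aws_s3_bucket" "codepipeline" {
  bucket        = "${var.name_prefix}-${data.aws_region.current.name}-${data.aws_caller_identity.current.account_id}"
  force_destroy = true
}

# ACLs disabled: the bucket owner owns every object and access is decided by
# IAM and the bucket policy alone. There is deliberately no aws_s3_bucket_acl.
resource "aws_s3_bucket_ownership_controls" "codepipeline" {
  bucket = aws_s3_bucket.codepipeline.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

resource "aws_s3_bucket_public_access_block" "codepipeline" {
  bucket                  = aws_s3_bucket.codepipeline.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "codepipeline" {
  bucket = aws_s3_bucket.codepipeline.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Artifacts are build inputs; versioning keeps a tamper trail.
resource "aws_s3_bucket_versioning" "codepipeline" {
  bucket = aws_s3_bucket.codepipeline.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Refuse plaintext transport for every principal.
data "aws_iam_policy_document" "codepipeline_bucket" {
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.codepipeline.arn,
      "${aws_s3_bucket.codepipeline.arn}/*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "codepipeline" {
  bucket = aws_s3_bucket.codepipeline.id
  policy = data.aws_iam_policy_document.codepipeline_bucket.json
}
```

If you keep the terraform-aws-modules/s3-bucket module instead, the equivalent is to set control_object_ownership = true and object_ownership = "BucketOwnerEnforced" and to stop passing acl, which prevents the module from creating the ACL resource at all. Do not "fix" the error by switching the bucket back to ObjectWriter just to let the ACL call succeed; that reintroduces per-object ownership, which is exactly what the 2023 change removed.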