Created by: henriquemenezes
- Create VPC
VPC Dashboard > Start VPC Wizard > VPC with a Single Public Subnet
- CIDR: 10.0.0.0/16
- VPC name: -
- Public Subnet: 10.0.0.0/24
- Availability Zone: us-east-1a
- Subnet name: Public subnet
- Tenancy: Default
- Create Subnets
-
Public Subnets
- CIDR: 10.0.0.0/24 Availability Zone: us-east-1a
- CIDR: 10.0.1.0/24 Availability Zone: us-east-1b
- CIDR: 10.0.2.0/24 Availability Zone: us-east-1d
- CIDR: 10.0.3.0/24 Availability Zone: us-east-1e
Route Table:
- Destination: 10.0.0.0/16 Target: local
- Destination: 0.0.0.0/0 Target: igw (Internet Gateway Attached to VPC)
-
Private Subnets
- CIDR: 10.0.10.0/24 Availability Zone: us-east-1a
- CIDR: 10.0.11.0/24 Availability Zone: us-east-1b
- CIDR: 10.0.12.0/24 Availability Zone: us-east-1d
- CIDR: 10.0.13.0/24 Availability Zone: us-east-1e
Route Table:
- Destination: 10.0.0.0/16 Target: local
- Destination: 0.0.0.0/0 Target: nat (NAT Gateway Attached to VPC)
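Added check, not part of the original notes: it verifies the subnet plan above with the standard library before anything is created. The subnet list and the route targets are transcribed from the values above; the tier names "public"/"private" and the function name are assumptions.

```python
import ipaddress

# Subnet plan transcribed from the checklist above (tier, CIDR, AZ).
VPC_CIDR = "10.0.0.0/16"
SUBNETS = [
    ("public",  "10.0.0.0/24",  "us-east-1a"),
    ("public",  "10.0.1.0/24",  "us-east-1b"),
    ("public",  "10.0.2.0/24",  "us-east-1d"),
    ("public",  "10.0.3.0/24",  "us-east-1e"),
    ("private", "10.0.10.0/24", "us-east-1a"),
    ("private", "10.0.11.0/24", "us-east-1b"),
    ("private", "10.0.12.0/24", "us-east-1d"),
    ("private", "10.0.13.0/24", "us-east-1e"),
]
# 0.0.0.0/0 target per tier: public subnets egress via the IGW,
# private subnets only via the NAT gateway.
ROUTES = {"public": "igw", "private": "nat"}


def check_subnet_plan(vpc_cidr, subnets, routes):
    """Return a list of problems; an empty list means the plan is consistent."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [(tier, ipaddress.ip_network(cidr), az) for tier, cidr, az in subnets]
    problems = []
    # Every subnet must sit inside the VPC block.
    for tier, net, az in nets:
        if not net.subnet_of(vpc):
            problems.append(f"{net} ({tier}, {az}) is outside {vpc}")
    # AWS rejects overlapping subnets inside one VPC; catch it up front.
    for i, (_, a, _) in enumerate(nets):
        for _, b, _ in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    # Each AZ should carry one public and one private subnet so that a
    # private workload in any AZ has a public subnet for its NAT/LB side.
    for az in sorted({az for _, _, az in nets}):
        tiers = {tier for tier, _, a in nets if a == az}
        if tiers != {"public", "private"}:
            problems.append(f"{az} has only {sorted(tiers)} subnets")
    # A private subnet must never get the IGW as its default route.
    if routes.get("private") != "nat" or routes.get("public") != "igw":
        problems.append("default routes: public must use igw, private must use nat")
    return problems
```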
- Create Security Groups
-
Create ECS Container Instance security group
Group Name: --ecs-ci
Description: ECS Container Instance
-
Public Subnet:
Attach to VPC: -
Inbound Rules:
- SSH (22) TCP 22 0.0.0.0/0
- HTTP (80) TCP 80 0.0.0.0/0
- HTTPS (443) TCP 443 0.0.0.0/0
Outbound Rules: ALL Traffic ALL ALL 0.0.0.0/0
-
Private Subnet:
Attach to VPC: -
Inbound Rules:
- SSH (22) TCP 22 gateway-security-group
- Custom TCP TCP 8000 loadbalancer-security-group
- Custom TCP TCP 8001 loadbalancer-security-group
- Custom TCP TCP 8002 loadbalancer-security-group
Outbound Rules: ALL Traffic ALL ALL 0.0.0.0/0
-
-
Create DB security group
Group Name: --db
Description: DB security group
Attach to VPC: -
Inbound Rules: PostgreSQL (5432) TCP 5432 ecs-container-instance-security-group
Outbound Rules: ALL Traffic ALL ALL 0.0.0.0/0
-
Create Cache security group
Group Name: --cache
Description: Cache security group
Attach to VPC: -
Inbound Rules: Custom TCP Rule TCP (6) 6379 ecs-container-instance-security-group
Outbound Rules: ALL Traffic ALL ALL 0.0.0.0/0
-
Create Load Balancer security group
Group Name: --lb
Description: Load Balancer security group
Attach to VPC: -
Inbound Rules:
- HTTP (80) TCP 80 0.0.0.0/0
- HTTPS (443) TCP 443 0.0.0.0/0
Outbound Rules: ALL Traffic ALL ALL 0.0.0.0/0
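Added review check, not part of the original notes: it encodes the intent of the groups above (only 80/443 reachable from the Internet, datastore ports only from another security group) and runs it over the inbound rules as listed. The rule table and the short group names are constructed here from the values above.

```python
import ipaddress

# Inbound rules transcribed from the groups above as (group, port, source);
# source is either a CIDR or the name of another security group.
INBOUND = [
    ("ecs-ci-public",  22,   "0.0.0.0/0"),
    ("ecs-ci-public",  80,   "0.0.0.0/0"),
    ("ecs-ci-public",  443,  "0.0.0.0/0"),
    ("ecs-ci-private", 22,   "gateway-security-group"),
    ("ecs-ci-private", 8000, "loadbalancer-security-group"),
    ("ecs-ci-private", 8001, "loadbalancer-security-group"),
    ("ecs-ci-private", 8002, "loadbalancer-security-group"),
    ("db",             5432, "ecs-container-instance-security-group"),
    ("cache",          6379, "ecs-container-instance-security-group"),
    ("lb",             80,   "0.0.0.0/0"),
    ("lb",             443,  "0.0.0.0/0"),
]
# The only ports expected to be reachable from any address.
PUBLIC_OK_PORTS = {80, 443}
# PostgreSQL and Redis: should only ever be opened to a security group.
DATASTORE_PORTS = {5432, 6379}


def is_cidr(source):
    try:
        ipaddress.ip_network(source)
        return True
    except ValueError:
        return False  # a security-group reference, not an address range


def audit_inbound(rules):
    """Return findings as (group, port, reason) tuples; empty means clean."""
    findings = []
    for group, port, source in rules:
        if not is_cidr(source):
            continue  # SG-to-SG rules are the intended pattern here
        net = ipaddress.ip_network(source)
        if net.prefixlen == 0 and port not in PUBLIC_OK_PORTS:
            findings.append((group, port, f"port {port} open to {source}"))
        if port in DATASTORE_PORTS:
            findings.append((group, port, "datastore port opened to a CIDR"))
    return findings
```

Run over the table above it reports exactly one finding, SSH on the public ECS group open to 0.0.0.0/0; restricting that rule to the gateway security group (as the private variant already does) clears it.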
- Create IAM role with policies
ecsInstanceRole
- Policy: AmazonS3ReadOnlyAccess
- Policy: AmazonEC2ContainerServiceforEC2Role
ecsServiceRole
- Policy: AmazonEC2ContainerServiceRole
- Trust Relationship:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": { "Service": "ecs.amazonaws.com" },
        "Action": "sts:AssumeRole"
      }
    ]
  }
- Create ECS Cluster
Amazon ECS > Clusters > Create Cluster
Cluster name: -
6.0 Create IAM Admin User
- Name: admin
- Policy: AdministratorAccess
Generate keys:
- Access Key ID
- Secret Access Key
Install aws cli and configure:
$ pip install awscli
$ aws configure --profile <project>
AWS Access Key ID [None]: <ACCESS_KEY_ID>
AWS Secret Access Key [None]: <SECRET_ACCESS_KEY>
Default region name [None]: us-east-1
Default output format [None]: json
6.1 Create S3 Environment Policy
Policy Name: AmazonS3Uploads
Description: Provides full access to --uploads bucket
Policy Document:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:*" ],
      "Resource": [ "arn:aws:s3:::--uploads/*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:ListBucket" ],
      "Resource": [ "arn:aws:s3:::--uploads" ]
    }
  ]
}
6.2 Create IAM Application User
-
Name: -
-
Policies:
- AmazonSNSFullAccess
- AmazonSESFullAccess
- AmazonS3Uploads
- Create Bucket and ecs.config file
-
Create a Bucket
Bucket Name: --config
-
Create ecs.config file
$ echo "ECS_CLUSTER=-" > ecs.config
-
Copy ecs.config to Bucket using aws cli
$ aws s3 cp ecs.config s3://--config/ecs.config --profile
- Create EC2 Instance
-
Import Key Pair
Key pair name:
-
Launch Instance
Search community AMIs: amzn-ami-2016.09.a-amazon-ecs-optimized - http://goo.gl/RntyOV
Network: VPC
Subnet: Public Subnet
Auto-assign Public IP: Enable
IAM role: ecs-instance-role
Enable termination protection: True
Tenancy: Shared
Advanced Details: User Data (As text):
#!/bin/bash
# Pull the cluster registration file from the config bucket on first boot
yum install -y aws-cli
aws s3 cp s3://-config/ecs.config /etc/ecs/ecs.config
Tags:
- Name: --ecs-ci-1
- Project:
- Environment:
Security Group: --ecs-ci
- Check that the instance registered in the - ECS cluster
- Create Record Set Route 53 (DNS)
- Type A: --ecs-ci-1
- Create Repository ECS
Get EC2 Container Registry repository names:
- -api
- -admin
Get Container Register name: XXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com
- Create IAM circleci User
- Name: circleci
- Policy: AmazonEC2ContainerRegistryPowerUser
- Policy: AmazonEC2ContainerServiceDeployRole
  Description: ECS Deploy Role
  Policy Document:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Stmt1452877700000",
        "Effect": "Allow",
        "Action": [
          "ecs:CreateService",
          "ecs:DescribeClusters",
          "ecs:DescribeContainerInstances",
          "ecs:DescribeServices",
          "ecs:DescribeTaskDefinition",
          "ecs:DescribeTasks",
          "ecs:ListClusters",
          "ecs:ListContainerInstances",
          "ecs:ListServices",
          "ecs:ListTaskDefinitions",
          "ecs:ListTasks",
          "ecs:RegisterTaskDefinition",
          "ecs:RunTask",
          "ecs:StartTask",
          "ecs:StopTask",
          "ecs:SubmitContainerStateChange",
          "ecs:SubmitTaskStateChange",
          "ecs:UpdateService"
        ],
        "Resource": [ "*" ]
      }
    ]
  }
- Policy: AmazonECSServicePassRole
  Description: ECS Service PassRole
  Policy Document:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [ "iam:PassRole" ],
        "Resource": [ "arn:aws:iam::683171944334:role/ecsServiceRole" ]
      }
    ]
  }
  Trust Relationship:
  {
    "Version": "2008-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": { "Service": "ecs.amazonaws.com" },
        "Action": "sts:AssumeRole"
      }
    ]
  }
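Added review check, not part of the original notes: a small policy audit for the two CI policies above, flagging statements that grant mutating actions on Resource "*" and PassRole grants that are not pinned to one role ARN. The policy dicts are transcribed from the documents above with the ECS action list shortened and the account id replaced by a placeholder; the read-only prefix list is an assumption.

```python
# Policies transcribed from the notes above; the ECS action list is shortened
# and the account id is a placeholder (constructed for this example).
POLICIES = {
    "AmazonEC2ContainerServiceDeployRole": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["ecs:RegisterTaskDefinition", "ecs:RunTask",
                                  "ecs:UpdateService", "ecs:DescribeServices"],
                       "Resource": ["*"]}]},
    "AmazonECSServicePassRole": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["iam:PassRole"],
                       "Resource": ["arn:aws:iam::123456789012:role/ecsServiceRole"]}]},
}
# Action name prefixes treated as read-only; everything else is mutating.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(v):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return v if isinstance(v, list) else [v]


def audit_policy(name, doc):
    """Return findings for one policy document as 'name#statement: reason'."""
    findings = []
    for i, st in enumerate(doc["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        mutating = [a for a in actions
                    if "*" in a or not a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)]
        if "*" in resources and mutating:
            findings.append(f"{name}#{i}: {len(mutating)} mutating action(s) on Resource '*'")
        # PassRole on a wildcard lets the principal hand any role to ECS.
        if "iam:PassRole" in actions and any(r == "*" or r.endswith("/*") for r in resources):
            findings.append(f"{name}#{i}: iam:PassRole not pinned to one role")
    return findings


def audit_all(policies):
    return [f for name, doc in policies.items() for f in audit_policy(name, doc)]
```

On the documents above the PassRole policy passes because it names a single role ARN, while the deploy policy is reported for its state-changing ECS actions on "*"; scoping its Resource to the cluster and service ARNs clears that finding.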
==================================================================================
Service Load Balancing
- Create IAM role with policies
ecs-service-role
- Policy: AmazonEC2ContainerServiceRole
- Trust Relationship:
  {
    "Version": "2008-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": { "Service": "ecs.amazonaws.com" },
        "Action": "sts:AssumeRole"
      }
    ]
  }
- Create Security Groups
-
Create LB security group
Group Name: --lb
Description: LB security group
Inbound Rules:
- HTTP (80) TCP 80 0.0.0.0/0
- HTTPS (443) TCP 443 0.0.0.0/0
Outbound Rules: ALL Traffic ALL ALL 0.0.0.0/0
Attach to VPC: -
- Upload SSL Certificates
$ aws iam upload-server-certificate --server-certificate-name \
    --certificate-body file://cert.pem --private-key file://key.pem \
    --certificate-chain file://fullchain.pem --profile
- Create Load Balancer
LB Name: --