tcostam/AWS ECS setup.md

## AWS ECS setup.md

      
    Raw
  

              AWS ECS setup.md
            
          
    AWS ECS setup

Created by: henriquemenezes

Create VPC

VPC Dashboard > Start VPC Wizard > VPC with a Single Public Subnet

CIRD: 10.0.0.0/16
VPC name: -
Public Subnet: 10.0.0.0/24
Availiability Zone: us-east-1a
Subnet name: Public subnet
Tenancy: Default


Create Subnets


Public Subnets

CIRD: 10.0.0.0/24  Availability Zone: us-east-1a
CIRD: 10.0.1.0/24  Availability Zone: us-east-1b
CIRD: 10.0.2.0/24  Availability Zone: us-east-1d
CIRD: 10.0.3.0/24  Availability Zone: us-east-1e

Route Table:

Destination: 10.0.0.0/16   Target: local
Destination: 0.0.0.0/0     Target: igw (Internet Gateway Attached to VPC)


Private Subnets

CIRD: 10.0.10.0/24  Availability Zone: us-east-1a
CIRD: 10.0.11.0/24  Availability Zone: us-east-1b
CIRD: 10.0.12.0/24  Availability Zone: us-east-1d
CIRD: 10.0.13.0/24  Availability Zone: us-east-1e

Route Table:

Destination: 10.0.0.0/16   Target: local
Destination: 0.0.0.0/0     Target: nat (NAT Gateway Attached to VPC)


Create Security Groups


Create ECS Container Instance security group
Group Name: --ecs-ci
Description:   ECS Container Instance


Public Subnet:
Attach to VPC: -
Inbound Rules:
SSH   (22)       TCP 22     0.0.0.0/0
HTTP  (80)       TCP 80     0.0.0.0/0
HTTPS (443)      TCP 443    0.0.0.0/0
Outbound Rules:
ALL Traffic ALL  ALL        0.0.0.0/0


Private Subnet:
Attach to VPC: -
Inbound Rules:
SSH   (22)       TCP 22     gateway-security-group
Custom TCP       TCP 8000   loadbalancer-security-group
Custom TCP       TCP 8001   loadbalancer-security-group
Custom TCP       TCP 8002   loadbalancer-security-group
Outbound Rules:
ALL Traffic ALL  ALL        0.0.0.0/0


Create DB security group
Group Name: --db
Description:   DB security group
Attach to VPC: -
Inbound Rules:
PostgreSQL (5432) TCP 5432 ecs-container-instance-security-group
Outbound Rules:
ALL Traffic ALL ALL 0.0.0.0/0


Create Cache security group
Group Name: --cache
Description:   Cache security group
Attach to VPC: -
Inbound Rules:
Custom TCP Rule TCP (6) 6379 ecs-container-instance-security-group
Outbound Rules:
ALL Traffic ALL ALL 0.0.0.0/0


Create Load Balancer security group
Group Name: --lb
Description:   Load Balancer security group
Attach to VPC: -
Inbound Rules:
HTTP  (80)       TCP 80     0.0.0.0/0
HTTPS (443)      TCP 443    0.0.0.0/0
Outbound Rules:
ALL Traffic ALL  ALL        0.0.0.0/0


Create IAM role with policies

ecsInstanceRole

Policy: AmazonS3ReadOnlyAccess
Policy: AmazonEC2ContainerServiceforEC2Role

ecsServiceRole

Policy: AmazonEC2ContainerServiceRole
Trust Relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ecs.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}


Create ECS Cluster

Amazon ECS > Clusters > Create Cluster
Cluster name: -
6.0. Create IAM Admin User

Name: admin
Policy: AdministratorAccess

Generate keys:
- Access Key ID
- Secret Access Key
Install aws cli and configure:
$ pip install awscli
$ aws configure --profile <project>

AWS Access Key ID [None]: <ACCESS_KEY_ID>
AWS Secret Access Key [None]: <SECRET_ACCESS_KEY>
Default region name [None]: us-east-1
Default output format [None]: json

6.1 Create S3 Environment Policy
Policy Name: AmazonS3Uploads
Description: Provides full access to --uploads bucket
Policy Document:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:"
],
"Resource": [
"arn:aws:s3:::--uploads/"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::--uploads"
]
}
]
}
6.2 Create IAM Application User


Name: -


Policies:

AmazonSNSFullAccess
AmazonSESFullAccess
AmazonS3Uploads


Create Bucket and ecs.config file


Create a Bucket
Bucket Name: --config


Create ecs.config file
$ echo "ECS_CLUSTER=-" > ecs.config


Copy ecs.config to Bucket using aws cli
$ aws s3 cp ecs.config s3://--config/ecs.config --profile 


Create EC2 Instance


Import Key Pair
Key pair name: 


Launch Instance
Search community AMIs: amzn-ami-2016.09.a-amazon-ecs-optimized - http://goo.gl/RntyOV
Network:  VPC
Subnet: Public Subnet
Auto-assign Public IP: Enable
IAM role: ecs-instance-role
Enable termination protection: True
Tenancy: Shared
Advanced Details:
User Data (As text):
#!/bin/bash
yum install -y aws-cli
aws s3 cp s3://-config/ecs.config /etc/ecs/ecs.config
Tags:
Name: --ecs-ci-1
Project: 
Environment: 
Security Group: --ecs-ci

Check if instance registred in - ECS cluster


Create Record Set Route 53 (DNS)


Type A: --ecs-ci-1


Create Repository ECS

Get EC2 Container Registry repository name:
- -api
- -admin
Get Container Register name: XXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com

Create IAM circleci User


Name: circleci
Policy: AmazonEC2ContainerRegistryPowerUser
Policy: AmazonEC2ContainerServiceDeployRole
Description: ECS Deploy Role
Policy Document:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1452877700000",
"Effect": "Allow",
"Action": [
"ecs:CreateService",
"ecs:DescribeClusters",
"ecs:DescribeContainerInstances",
"ecs:DescribeServices",
"ecs:DescribeTaskDefinition",
"ecs:DescribeTasks",
"ecs:ListClusters",
"ecs:ListContainerInstances",
"ecs:ListServices",
"ecs:ListTaskDefinitions",
"ecs:ListTasks",
"ecs:RegisterTaskDefinition",
"ecs:RunTask",
"ecs:StartTask",
"ecs:StopTask",
"ecs:SubmitContainerStateChange",
"ecs:SubmitTaskStateChange",
"ecs:UpdateService"
],
"Resource": [
"*"
]
}
]
}
Policy: AmazonECSServicePassRole
Description: ECS Service PassRole
Policy Document:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::683171944334:role/ecsServiceRole"
]
}
]
}
Trust Relationship:
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ecs.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}

==================================================================================
Service Load Balancing

Create IAM role with policies

ecs-service-role

Policy: AmazonEC2ContainerServiceRole
Trust Relationships:
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ecs.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}


Create Security Groups


Create LB security group
Group Name: --lb
Description:   LB security group
Inbound Rules:
HTTP  (80)  TCP 80 0.0.0.0/0
HTTPS (443) TCP 443 0.0.0.0/0
Outbound Rules:
ALL Traffic ALL ALL 0.0.0.0/0
Attach to VPC: -


Upload SSL Certificates

$ aws iam upload-server-certificate --server-certificate-name  

--certificate-body file://cert.pem --private-key file://key.pem 

--certificate-chain file://fullchain.pem --profile 

Create Load Balancer

LB Name: --