@thnery
Created July 6, 2017 16:59
AWS ECS setup
1. Create VPC
VPC Dashboard > Start VPC Wizard > VPC with a Single Public Subnet
- CIDR: 10.0.0.0/16
- VPC name: <project>-<environment>
- Public Subnet: 10.0.0.0/24
- Availability Zone: us-east-1a
- Subnet name: Public subnet
- Tenancy: Default
2. Create Subnets
- Public Subnets
- CIDR: 10.0.0.0/24 Availability Zone: us-east-1a
- CIDR: 10.0.1.0/24 Availability Zone: us-east-1b
- CIDR: 10.0.2.0/24 Availability Zone: us-east-1d
- CIDR: 10.0.3.0/24 Availability Zone: us-east-1e
Route Table:
- Destination: 10.0.0.0/16 Target: local
- Destination: 0.0.0.0/0 Target: igw (Internet Gateway Attached to VPC)
- Private Subnets
- CIDR: 10.0.10.0/24 Availability Zone: us-east-1a
- CIDR: 10.0.11.0/24 Availability Zone: us-east-1b
- CIDR: 10.0.12.0/24 Availability Zone: us-east-1d
- CIDR: 10.0.13.0/24 Availability Zone: us-east-1e
Route Table:
- Destination: 10.0.0.0/16 Target: local
- Destination: 0.0.0.0/0 Target: nat (NAT Gateway Attached to VPC)
3. Create Security Groups
- Create ECS Container Instance security group
Group Name: <project>-<environment>-ecs-ci
Description: <project> <environment> ECS Container Instance
- Public Subnet:
Attach to VPC: <project>-<environment>
Inbound Rules:
SSH (22) TCP 22 0.0.0.0/0
HTTP (80) TCP 80 0.0.0.0/0
HTTPS (443) TCP 443 0.0.0.0/0
Outbound Rules:
ALL Traffic ALL ALL 0.0.0.0/0
- Private Subnet:
Attach to VPC: <project>-<environment>
Inbound Rules:
SSH (22) TCP 22 gateway-security-group
Custom TCP TCP 8000 loadbalancer-security-group
Custom TCP TCP 8001 loadbalancer-security-group
Custom TCP TCP 8002 loadbalancer-security-group
Outbound Rules:
ALL Traffic ALL ALL 0.0.0.0/0
- Create DB security group
Group Name: <project>-<environment>-db
Description: <project> <environment> DB security group
Attach to VPC: <project>-<environment>
Inbound Rules:
PostgreSQL (5432) TCP 5432 ecs-container-instance-security-group
Outbound Rules:
ALL Traffic ALL ALL 0.0.0.0/0
- Create Cache security group
Group Name: <project>-<environment>-cache
Description: <project> <environment> Cache security group
Attach to VPC: <project>-<environment>
Inbound Rules:
Custom TCP Rule TCP (6) 6379 ecs-container-instance-security-group
Outbound Rules:
ALL Traffic ALL ALL 0.0.0.0/0
- Create Load Balancer security group
Group Name: <project>-<environment>-lb
Description: <project> <environment> Load Balancer security group
Attach to VPC: <project>-<environment>
Inbound Rules:
HTTP (80) TCP 80 0.0.0.0/0
HTTPS (443) TCP 443 0.0.0.0/0
Outbound Rules:
ALL Traffic ALL ALL 0.0.0.0/0
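The security-group rules above can be checked mechanically. As an added example (not part of the gist), the script below flags ingress rules that are open to 0.0.0.0/0 or ::/0 on anything other than 80/443: among the step 3 rules that is the SSH rule on the public-subnet instance group, while the DB and cache rules pass because their source is the ECS instance security group rather than a CIDR. Group names and the SG id are made-up placeholders; the input mirrors the shape boto3's `describe_security_groups()` returns so the check runs offline.

```python
# Added example, not part of the gist: flag security-group ingress rules that are
# open to the whole internet on anything other than the HTTP/HTTPS ports an
# internet-facing LB exposes. Input is hand-built in describe_security_groups shape.
WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_OK_PORTS = {80, 443}      # the only ports the gist's LB SG opens publicly

def open_to_world(rule):
    """True if any CIDR on the rule is the whole IPv4 or IPv6 internet."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(c in WORLD for c in cidrs)

def audit_group(group):
    """Return one finding string per world-open rule that is not 80 or 443."""
    name, findings = group["GroupName"], []
    for rule in group.get("IpPermissions", []):
        if not open_to_world(rule):
            continue             # sourced from a private CIDR or another SG
        if rule.get("IpProtocol") == "-1":     # protocol -1 means all traffic
            findings.append(f"{name}: ALL traffic open to world")
            continue
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        if not (lo == hi and lo in PUBLIC_OK_PORTS):
            findings.append(f"{name}: {rule['IpProtocol']}/{lo}-{hi} open to world")
    return findings

def audit_all(groups):
    return [f for g in groups for f in audit_group(g)]

def tcp(port, cidr=None, sg=None):
    """Build one ingress rule in describe_security_groups shape (constructed)."""
    rule = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": []}
    if cidr:
        rule["IpRanges"].append({"CidrIp": cidr})
    if sg:
        rule["UserIdGroupPairs"] = [{"GroupId": sg}]
    return rule

# Constructed from step 3: the public-subnet ECS instance SG and the DB SG.
SAMPLE_GROUPS = [
    {"GroupName": "myproj-prod-ecs-ci",
     "IpPermissions": [tcp(22, cidr="0.0.0.0/0"), tcp(80, cidr="0.0.0.0/0"),
                       tcp(443, cidr="0.0.0.0/0")]},
    {"GroupName": "myproj-prod-db",
     "IpPermissions": [tcp(5432, sg="sg-placeholder-ecs-ci")]},
]

if __name__ == "__main__":
    print("\n".join(audit_all(SAMPLE_GROUPS)))
```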
4. Create IAM role with policies
ecsInstanceRole
- Policy: AmazonS3ReadOnlyAccess
- Policy: AmazonEC2ContainerServiceforEC2Role
ecsServiceRole
- Policy: AmazonEC2ContainerServiceRole
- Trust Relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
5. Create ECS Cluster
Amazon ECS > Clusters > Create Cluster
Cluster name: <project>-<environment>
6.0. Create IAM Admin User
- Name: admin
- Policy: AdministratorAccess
Generate keys:
- Access Key ID
- Secret Access Key
Install aws cli and configure:
$ pip install awscli
$ aws configure --profile <project>
AWS Access Key ID [None]: <ACCESS_KEY_ID>
AWS Secret Access Key [None]: <SECRET_ACCESS_KEY>
Default region name [None]: us-east-1
Default output format [None]: json
6.1 Create S3 Environment Policy
Policy Name: AmazonS3<Project><Environment>Uploads
Description: Provides full access to <project>-<environment>-uploads bucket
Policy Document:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::<project>-<environment>-uploads/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<project>-<environment>-uploads"
      ]
    }
  ]
}
6.2 Create IAM Application User
- Name: <project>-<environment>
- Policies:
- AmazonSNSFullAccess
- AmazonSESFullAccess
- AmazonS3<Project><Environment>Uploads
7. Create Bucket and ecs.config file
- Create a Bucket
Bucket Name: <project>-<environment>-config
- Create ecs.config file
$ echo "ECS_CLUSTER=<project>-<environment>" > ecs.config
- Copy ecs.config to Bucket using aws cli
$ aws s3 cp ecs.config s3://<project>-<environment>-config/ecs.config --profile <aws-profile>
8. Create EC2 Instance
- Import Key Pair
Key pair name: <user>
- Launch Instance
Search community AMIs: amzn-ami-2016.09.a-amazon-ecs-optimized - http://goo.gl/RntyOV
Network: <project-environment> VPC
Subnet: Public Subnet
Auto-assign Public IP: Enable
IAM role: ecs-instance-role
Enable termination protection: True
Tenancy: Shared
Advanced Details:
User Data (As text):
#!/bin/bash
yum install -y aws-cli
aws s3 cp s3://<project-environment>-config/ecs.config /etc/ecs/ecs.config
Tags:
Name: <project>-<environment>-ecs-ci-1
Project: <project>
Environment: <environment>
Security Group: <project>-<environment>-ecs-ci
- Check that the instance has registered in the <project>-<environment> ECS cluster
9. Create Record Set Route 53 (DNS)
- Type A: <project>-<environment>-ecs-ci-1
10. Create ECR Repositories
Get EC2 Container Registry repository names:
- <project>-api
- <project>-admin
Get Container Registry name: XXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com
11. Create IAM circleci User
- Name: circleci
- Policy: AmazonEC2ContainerRegistryPowerUser
- Policy: AmazonEC2ContainerServiceDeployRole
Description: ECS Deploy Role
Policy Document:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1452877700000",
      "Effect": "Allow",
      "Action": [
        "ecs:CreateService",
        "ecs:DescribeClusters",
        "ecs:DescribeContainerInstances",
        "ecs:DescribeServices",
        "ecs:DescribeTaskDefinition",
        "ecs:DescribeTasks",
        "ecs:ListClusters",
        "ecs:ListContainerInstances",
        "ecs:ListServices",
        "ecs:ListTaskDefinitions",
        "ecs:ListTasks",
        "ecs:RegisterTaskDefinition",
        "ecs:RunTask",
        "ecs:StartTask",
        "ecs:StopTask",
        "ecs:SubmitContainerStateChange",
        "ecs:SubmitTaskStateChange",
        "ecs:UpdateService"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
- Policy: AmazonECSServicePassRole
Description: ECS Service PassRole
Policy Document:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::694376113521:role/ecs-service-role"
      ]
    }
  ]
}
Trust Relationship:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
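The policy documents in steps 6.1 and 11 can be reviewed the same way. As an added example (not part of the gist), the linter below parses each policy and reports a missing Version, wildcard actions, a Resource of "*" and an iam:PassRole grant that is not pinned to a role ARN; on the gist's policies it flags the s3:* action in the uploads policy and the "*" resource in the deploy policy, while the PassRole policy passes because it names one role. The sample policies are copies of the gist's with placeholder values (account id 123456789012, bucket myproj-prod-uploads) and the 18-action deploy statement shortened to two actions.

```python
# Added example, not part of the gist: a small linter for the IAM policy
# documents in steps 6.1 and 11. It reports what a reviewer checks first: a
# missing Version, wildcard actions, Resource "*", and an iam:PassRole grant
# that is not pinned to a specific role ARN.
import json

def as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def lint_policy(name, document):
    """Return findings (list of strings) for one policy given as a JSON string."""
    policy, findings = json.loads(document), []
    if policy.get("Version") != "2012-10-17":
        findings.append(f"{name}: Version missing or not 2012-10-17")
    for idx, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue                      # only Allow statements grant access
        actions, resources = as_list(stmt.get("Action")), as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{name}[{idx}]: wildcard action {action}")
        if "*" in resources:
            findings.append(f"{name}[{idx}]: Resource * for {len(actions)} action(s)")
        if "iam:PassRole" in actions and not all(
                r.startswith("arn:aws:iam::") and ":role/" in r for r in resources):
            findings.append(f"{name}[{idx}]: iam:PassRole not pinned to a role ARN")
    return findings

# Constructed copies of the gist's policies: placeholders filled in with dummy
# values and the 18-action deploy statement shortened to two actions.
UPLOADS = """{"Statement": [
  {"Effect": "Allow", "Action": ["s3:*"],
   "Resource": ["arn:aws:s3:::myproj-prod-uploads/*"]},
  {"Effect": "Allow", "Action": ["s3:ListBucket"],
   "Resource": ["arn:aws:s3:::myproj-prod-uploads"]}]}"""
DEPLOY = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["ecs:RegisterTaskDefinition", "ecs:UpdateService"],
   "Resource": ["*"]}]}"""
PASSROLE = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["iam:PassRole"],
   "Resource": ["arn:aws:iam::123456789012:role/ecs-service-role"]}]}"""

def lint_all():
    return (lint_policy("uploads", UPLOADS) + lint_policy("deploy", DEPLOY)
            + lint_policy("passrole", PASSROLE))

if __name__ == "__main__":
    print("\n".join(lint_all()))
```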
==================================================================================
Service Load Balancing
0. Create IAM role with policies
ecs-service-role
- Policy: AmazonEC2ContainerServiceRole
- Trust Relationships:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
1. Create Security Groups
- Create LB security group
Group Name: <project>-<environment>-lb
Description: <project> <environment> LB security group
Inbound Rules:
HTTP (80) TCP 80 0.0.0.0/0
HTTPS (443) TCP 443 0.0.0.0/0
Outbound Rules:
ALL Traffic ALL ALL 0.0.0.0/0
Attach to VPC: <project>-<environment>
2. Upload SSL Certificates
$ aws iam upload-server-certificate --server-certificate-name <cert-name> \
--certificate-body file://cert.pem --private-key file://key.pem \
--certificate-chain file://fullchain.pem --profile <profile>
3. Create Load Balancer
LB Name: <project>-<environment>-<service>