Created July 6, 2017 16:59
AWS ECS setup

1. Create VPC
   VPC Dashboard > Start VPC Wizard > VPC with a Single Public Subnet
   - CIDR: 10.0.0.0/16
   - VPC name: <project>-<environment>
   - Public Subnet: 10.0.0.0/24
   - Availability Zone: us-east-1a
   - Subnet name: Public subnet
   - Tenancy: Default

2. Create Subnets
   - Public Subnets
     - CIDR: 10.0.0.0/24  Availability Zone: us-east-1a
     - CIDR: 10.0.1.0/24  Availability Zone: us-east-1b
     - CIDR: 10.0.2.0/24  Availability Zone: us-east-1d
     - CIDR: 10.0.3.0/24  Availability Zone: us-east-1e
     Route Table:
     - Destination: 10.0.0.0/16  Target: local
     - Destination: 0.0.0.0/0    Target: igw (Internet Gateway attached to the VPC)
   - Private Subnets
     - CIDR: 10.0.10.0/24  Availability Zone: us-east-1a
     - CIDR: 10.0.11.0/24  Availability Zone: us-east-1b
     - CIDR: 10.0.12.0/24  Availability Zone: us-east-1d
     - CIDR: 10.0.13.0/24  Availability Zone: us-east-1e
     Route Table:
     - Destination: 10.0.0.0/16  Target: local
     - Destination: 0.0.0.0/0    Target: nat (NAT Gateway attached to the VPC)

3. Create Security Groups
   - Create ECS Container Instance security group
     Group Name: <project>-<environment>-ecs-ci
     Description: <project> <environment> ECS Container Instance
     - Public Subnet:
       Attach to VPC: <project>-<environment>
       Inbound Rules:
         SSH (22)     TCP  22   0.0.0.0/0
         HTTP (80)    TCP  80   0.0.0.0/0
         HTTPS (443)  TCP  443  0.0.0.0/0
       Outbound Rules:
         ALL Traffic  ALL  ALL  0.0.0.0/0
     - Private Subnet:
       Attach to VPC: <project>-<environment>
       Inbound Rules:
         SSH (22)     TCP  22    gateway-security-group
         Custom TCP   TCP  8000  loadbalancer-security-group
         Custom TCP   TCP  8001  loadbalancer-security-group
         Custom TCP   TCP  8002  loadbalancer-security-group
       Outbound Rules:
         ALL Traffic  ALL  ALL   0.0.0.0/0
   - Create DB security group
     Group Name: <project>-<environment>-db
     Description: <project> <environment> DB security group
     Attach to VPC: <project>-<environment>
     Inbound Rules:
       PostgreSQL (5432)  TCP  5432  ecs-container-instance-security-group
     Outbound Rules:
       ALL Traffic        ALL  ALL   0.0.0.0/0
   - Create Cache security group
     Group Name: <project>-<environment>-cache
     Description: <project> <environment> Cache security group
     Attach to VPC: <project>-<environment>
     Inbound Rules:
       Custom TCP Rule  TCP (6)  6379  ecs-container-instance-security-group
     Outbound Rules:
       ALL Traffic      ALL      ALL   0.0.0.0/0
   - Create Load Balancer security group
     Group Name: <project>-<environment>-lb
     Description: <project> <environment> Load Balancer security group
     Attach to VPC: <project>-<environment>
     Inbound Rules:
       HTTP (80)    TCP  80   0.0.0.0/0
       HTTPS (443)  TCP  443  0.0.0.0/0
     Outbound Rules:
       ALL Traffic  ALL  ALL  0.0.0.0/0
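The rules above scope the DB, cache and private-subnet instance groups to other security groups, but SSH on the public-subnet instance group is open to 0.0.0.0/0. The audit script below is an added example, not part of the original notes: it parses rule lines written in the notes' own format (the group contents are constructed from the section above, not fetched from AWS) and flags sensitive ports reachable from the whole internet.

```python
# Audit the inbound rules from the security-group section above.  Added example,
# not part of the original notes: rule lines use the notes' own
# "<label> <proto> [(n)] <port> <source>" shape and the groups are typed in here.
import re

ANYWHERE = "0.0.0.0/0"
# Assumption: 22 is operator SSH; 5432 and 6379 are the DB and cache ports above.
SENSITIVE_PORTS = {22: "SSH", 5432: "PostgreSQL", 6379: "Redis"}
RULE_RE = re.compile(r"^(?P<label>.+?)\s+(?P<proto>TCP|UDP|ALL)\s+(?:\(\d+\)\s+)?"
                     r"(?P<port>\d+|ALL)\s+(?P<source>\S+)$")

# Inbound rules per group, constructed from the notes (outbound is not audited).
GROUPS = {
    "ecs-ci (public subnet)": ["SSH (22) TCP 22 0.0.0.0/0", "HTTP (80) TCP 80 0.0.0.0/0",
                               "HTTPS (443) TCP 443 0.0.0.0/0"],
    "ecs-ci (private subnet)": ["SSH (22) TCP 22 gateway-security-group",
                                "Custom TCP TCP 8000 loadbalancer-security-group",
                                "Custom TCP TCP 8001 loadbalancer-security-group",
                                "Custom TCP TCP 8002 loadbalancer-security-group"],
    "db": ["PostgreSQL (5432) TCP 5432 ecs-container-instance-security-group"],
    "cache": ["Custom TCP Rule TCP (6) 6379 ecs-container-instance-security-group"],
    "lb": ["HTTP (80) TCP 80 0.0.0.0/0", "HTTPS (443) TCP 443 0.0.0.0/0"],
}


def parse_rule(line):
    """One rule line -> {"proto", "port" (None means ALL), "source"}."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule line: {line!r}")
    port = None if m["port"] == "ALL" else int(m["port"])
    return {"proto": m["proto"], "port": port, "source": m["source"]}


def audit(groups):
    """Return (group, finding) pairs for sensitive ports exposed to 0.0.0.0/0."""
    findings = []
    for name, lines in groups.items():
        for rule in map(parse_rule, lines):
            if rule["source"] != ANYWHERE:
                continue  # scoped to another security group or CIDR: fine
            if rule["port"] is None:
                findings.append((name, "all ports open to the internet"))
            elif rule["port"] in SENSITIVE_PORTS:
                svc = SENSITIVE_PORTS[rule["port"]]
                findings.append((name, f"{svc} ({rule['port']}) open to the internet"))
    return findings


if __name__ == "__main__":
    for group, finding in audit(GROUPS):
        print(f"{group}: {finding}")
```

Run against the notes' groups it reports only the public-subnet SSH rule; restricting that rule to a bastion or VPN source group, as the private-subnet variant already does, clears the finding.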
4. Create IAM role with policies
   ecsInstanceRole
   - Policy: AmazonS3ReadOnlyAccess
   - Policy: AmazonEC2ContainerServiceforEC2Role
   ecsServiceRole
   - Policy: AmazonEC2ContainerServiceRole
   - Trust Relationship:
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Principal": {
             "Service": "ecs.amazonaws.com"
           },
           "Action": "sts:AssumeRole"
         }
       ]
     }

5. Create ECS Cluster
   Amazon ECS > Clusters > Create Cluster
   Cluster name: <project>-<environment>

6.0 Create IAM Admin User
   - Name: admin
   - Policy: AdministratorAccess
   Generate keys:
   - Access Key ID
   - Secret Access Key
   Install the aws cli and configure it:
     $ pip install awscli
     $ aws configure --profile <project>
     AWS Access Key ID [None]: <ACCESS_KEY_ID>
     AWS Secret Access Key [None]: <SECRET_ACCESS_KEY>
     Default region name [None]: us-east-1
     Default output format [None]: json

6.1 Create S3 Environment Policy
   Policy Name: AmazonS3<Project><Environment>Uploads
   Description: Provides full access to the <project>-<environment>-uploads bucket
   Policy Document:
     {
       "Statement": [
         {
           "Effect": "Allow",
           "Action": [
             "s3:*"
           ],
           "Resource": [
             "arn:aws:s3:::<project>-<environment>-uploads/*"
           ]
         },
         {
           "Effect": "Allow",
           "Action": [
             "s3:ListBucket"
           ],
           "Resource": [
             "arn:aws:s3:::<project>-<environment>-uploads"
           ]
         }
       ]
     }

6.2 Create IAM Application User
   - Name: <project>-<environment>
   - Policies:
     - AmazonSNSFullAccess
     - AmazonSESFullAccess
     - AmazonS3<Project><Environment>Uploads

7. Create Bucket and ecs.config file
   - Create a Bucket
     Bucket Name: <project>-<environment>-config
   - Create the ecs.config file
     $ echo "ECS_CLUSTER=<project>-<environment>" > ecs.config
   - Copy ecs.config to the Bucket using the aws cli
     $ aws s3 cp ecs.config s3://<project>-<environment>-config/ecs.config --profile <aws-profile>

8. Create EC2 Instance
   - Import Key Pair
     Key pair name: <user>
   - Launch Instance
     Search community AMIs: amzn-ami-2016.09.a-amazon-ecs-optimized - http://goo.gl/RntyOV
     Network: <project-environment> VPC
     Subnet: Public Subnet
     Auto-assign Public IP: Enable
     IAM role: ecs-instance-role
     Enable termination protection: True
     Tenancy: Shared
     Advanced Details:
       User Data (As text):
         #!/bin/bash
         yum install -y aws-cli
         aws s3 cp s3://<project-environment>-config/ecs.config /etc/ecs/ecs.config
     Tags:
       Name: <project>-<environment>-ecs-ci-1
       Project: <project>
       Environment: <environment>
     Security Group: <project>-<environment>-ecs-ci
   - Check that the instance has registered in the <project>-<environment> ECS cluster

9. Create Record Set in Route 53 (DNS)
   - Type A: <project>-<environment>-ecs-ci-1

10. Create ECR Repository
   Get the EC2 Container Registry repository names:
   - <project>-api
   - <project>-admin
   Get the Container Registry name: XXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com

11. Create IAM circleci User
   - Name: circleci
   - Policy: AmazonEC2ContainerRegistryPowerUser
   - Policy: AmazonEC2ContainerServiceDeployRole
     Description: ECS Deploy Role
     Policy Document:
       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Sid": "Stmt1452877700000",
             "Effect": "Allow",
             "Action": [
               "ecs:CreateService",
               "ecs:DescribeClusters",
               "ecs:DescribeContainerInstances",
               "ecs:DescribeServices",
               "ecs:DescribeTaskDefinition",
               "ecs:DescribeTasks",
               "ecs:ListClusters",
               "ecs:ListContainerInstances",
               "ecs:ListServices",
               "ecs:ListTaskDefinitions",
               "ecs:ListTasks",
               "ecs:RegisterTaskDefinition",
               "ecs:RunTask",
               "ecs:StartTask",
               "ecs:StopTask",
               "ecs:SubmitContainerStateChange",
               "ecs:SubmitTaskStateChange",
               "ecs:UpdateService"
             ],
             "Resource": [
               "*"
             ]
           }
         ]
       }
   - Policy: AmazonECSServicePassRole
     Description: ECS Service PassRole
     Policy Document:
       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Effect": "Allow",
             "Action": [
               "iam:PassRole"
             ],
             "Resource": [
               "arn:aws:iam::694376113521:role/ecs-service-role"
             ]
           }
         ]
       }
     Trust Relationship:
       {
         "Version": "2008-10-17",
         "Statement": [
           {
             "Effect": "Allow",
             "Principal": {
               "Service": "ecs.amazonaws.com"
             },
             "Action": "sts:AssumeRole"
           }
         ]
       }
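The deploy policy above grants its ECS actions on Resource "*", while the PassRole policy is pinned to one role ARN, so the CI user can pass only that role to ECS. The linter below is an added example, not the notes' own tooling: both policies are embedded as constructed copies (the deploy action list is abbreviated and 123456789012 stands in for the account id), and its wildcard-action check also catches the "s3:*" grant from section 6.1.

```python
# Lint the IAM policy documents from the circleci section above.  Added example,
# not the notes' own tooling: the policies are constructed copies of the notes
# (the deploy action list is abbreviated) and the account id is a placeholder.
import json

READ_ONLY_PREFIXES = ("Describe", "List", "Get")

DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ecs:DescribeServices", "ecs:ListTasks",
                              "ecs:RegisterTaskDefinition", "ecs:RunTask",
                              "ecs:UpdateService"],
                   "Resource": ["*"]}],
}
PASSROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:PassRole"],
                   # 123456789012 is a placeholder account id, not the one in the notes
                   "Resource": ["arn:aws:iam::123456789012:role/ecs-service-role"]}],
}


def _as_list(value):
    """IAM accepts a bare string where a list is allowed; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _mutating(action):
    name = action.split(":", 1)[-1]  # "ecs:RunTask" -> "RunTask"; "*" stays "*"
    return not name.startswith(READ_ONLY_PREFIXES)


def lint_policy(doc):
    """Return findings for Allow statements broader than the notes need.

    doc may be a parsed policy (dict) or the JSON text of one."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        on_everything = "*" in _as_list(stmt.get("Resource", []))
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append(f"statement {i}: wildcard action {', '.join(wild)}")
        if "iam:PassRole" in actions and on_everything:
            findings.append(f"statement {i}: iam:PassRole is not limited to one role")
        mutating = [a for a in actions if _mutating(a)]
        if on_everything and mutating:
            findings.append(f"statement {i}: Resource * for {', '.join(mutating)}")
    return findings
```

The deploy policy is reported for its mutating actions on every cluster, which is the grant to narrow to the cluster and service ARNs from section 5 once they exist; the PassRole policy passes clean.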
==================================================================================
Service Load Balancing

0. Create IAM role with policies
   ecs-service-role
   - Policy: AmazonEC2ContainerServiceRole
   - Trust Relationships:
     {
       "Version": "2008-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Principal": {
             "Service": "ecs.amazonaws.com"
           },
           "Action": "sts:AssumeRole"
         }
       ]
     }

1. Create Security Groups
   - Create LB security group
     Group Name: <project>-<environment>-lb
     Description: <project> <environment> LB security group
     Inbound Rules:
       HTTP (80)    TCP  80   0.0.0.0/0
       HTTPS (443)  TCP  443  0.0.0.0/0
     Outbound Rules:
       ALL Traffic  ALL  ALL  0.0.0.0/0
     Attach to VPC: <project>-<environment>

2. Upload SSL Certificates
   $ aws iam upload-server-certificate --server-certificate-name <cert-name> \
       --certificate-body file://cert.pem --private-key file://key.pem \
       --certificate-chain file://fullchain.pem --profile <profile>

3. Create Load Balancer
   LB Name: <project>-<environment>-<service>