Deploy an ECS cluster using Fargate
To illustrate automated scanning, we will now deploy a sample ECS cluster that scales using Fargate. For the purposes of the lab this will consist of this sample PHP application running in a Docker Compose environment - https://hub.docker.com/r/amazon/amazon-ecs-sample.
Create a cluster configuration and create a cluster
ecs-cli configure --cluster tutorial --default-launch-type FARGATE --config-name tutorial --region us-east-1 ecs-cli up --cluster-config tutorial --ecs-profile tutorial-profileThe output should show a VPC and two Subnets have been created:-
INFO[0000] Created cluster cluster=tutorial region=us-east-1 INFO[0000] Waiting for your cluster resources to be created... INFO[0000] Cloudformation stack status stackStatus=CREATE_IN_PROGRESS INFO[0060] Cloudformation stack status stackStatus=CREATE_IN_PROGRESS VPC created: vpc-046ed77edcd796e19 Subnet created: subnet-045df8f58a51b2291 Subnet created: subnet-0e4623283c4907ea7 Cluster creation succeeded.We will use a bash script to create our ECS cluster. So first lets instantiate the script by copying and pasting the following commands
cd /home/ec2-user/environment curl -s https://gist.githubusercontent.com/johnfitzpatrick/d55097212d9bb4e1442383a5e3339b01/raw/98953d9472edf4e023e00e28e28353687f9e726e/deploy-amazon-ecs-sample.sh > deploy-amazon-ecs-sample.sh chmod +x deploy-amazon-ecs-sample.shNow run the script
deploy-amazon-ecs-sample.sh, copying and pasting the VPC & Subnet values from the above out when prompted./deploy-amazon-ecs-sample.shNote You can subsequently get the VPC and Subnet details requested from the ‘Resources’ tab on CloudFormation UI
The
deploy-amazon-ecs-sample.shscript willRetrieve the id of the default security group for the VPC created, and allows inbound access on port 80
Create a
ecs-params.ymlfile using the subnets and security group already retrieved. This file should look as followsversion: 1 task_definition: task_execution_role: ecsTaskExecutionRole ecs_network_mode: awsvpc task_size: mem_limit: 0.5GB cpu_limit: 256 run_params: network_configuration: awsvpc_configuration: subnets: - "subnet-045df8f58a51b2291" - "subnet-0e4623283c4907ea7" security_groups: - "sg-3a1f94b6" assign_public_ip: ENABLEDCreate a
docker-compose.yamlto instantiate the imagequay.io/awsdemosec/amazon-ecs-sample. This file looks as followsversion: '3' services: web: image: quay.io/awsdemosec/amazon-ecs-sample ports: - "80:80" logging: driver: awslogs options: awslogs-group: tutorial awslogs-region: us-east-1 awslogs-stream-prefix: webOptionally, for details of this script you can run the following command
cat ./deploy-amazon-ecs-sample.sh
Once the script has completed you can see details of of the ECS cluster on the Amazon ECS UI
Optional/Troubleshooting
You can check of the ECS state by running
ecs-cli psName State Ports TaskDefinition Health tutorial/7c81f4d640b84a58a1b4ddf4dbaa0bb5/web RUNNING 3.221.149.218:80->80/tcp tutorial:1 UNKNOWNCheck the deployed images with
ecs-cli imagesREPOSITORY NAME TAG IMAGE DIGEST PUSHED AT SIZE aws-workshop latest sha256:b9901958776c9c9881c1f7ba0e4c57f9715909eb7d78387a9481a4300585aab3 12 minutes ago 239MBBrowse to the sample application using the details in
ecs-cli psoutput (e.g. 3.221.149.218:80)
Obtain VPC & Subnet Info
You can execute the following to obtain the VPC & Subnet information
STACKNAME=amazon-ecs-cli-setup-tutorial
for resource in Vpc PubSubnetAz1 PubSubnetAz2
do
aws cloudformation describe-stack-resources --stack-name $STACKNAME --query 'StackResources[?LogicalResourceId=='"'$resource'"'].PhysicalResourceId' --output text
done