To illustrate automated scanning, we will now deploy a sample ECS cluster that scales using Fargate. For the purposes of the lab this will consist of this sample PHP application running in a Docker Compose environment - https://hub.docker.com/r/amazon/amazon-ecs-sample.
Create a cluster configuration and create a cluster
ecs-cli configure --cluster tutorial --default-launch-type FARGATE --config-name tutorial --region us-east-1
ecs-cli up --cluster-config tutorial --ecs-profile tutorial-profile
The output should show a VPC and two Subnets have been created:-
INFO[0000] Created cluster cluster=tutorial region=us-east-1
INFO[0000] Waiting for your cluster resources to be created...
INFO[0000] Cloudformation stack status stackStatus=CREATE_IN_PROGRESS
INFO[0060] Cloudformation stack status stackStatus=CREATE_IN_PROGRESS
VPC created: vpc-046ed77edcd796e19
Subnet created: subnet-045df8f58a51b2291
Subnet created: subnet-0e4623283c4907ea7
Cluster creation succeeded.
We will use a bash script to create our ECS cluster. So first lets instantiate the script by copying and pasting the following commands
cd /home/ec2-user/environment
curl -s https://gist.githubusercontent.com/johnfitzpatrick/d55097212d9bb4e1442383a5e3339b01/raw/98953d9472edf4e023e00e28e28353687f9e726e/deploy-amazon-ecs-sample.sh > deploy-amazon-ecs-sample.sh
chmod +x deploy-amazon-ecs-sample.sh
Now run the script deploy-amazon-ecs-sample.sh
, copying and pasting the VPC & Subnet values from the above out when prompted
./deploy-amazon-ecs-sample.sh
Note You can subsequently get the VPC and Subnet details requested from the ‘Resources’ tab on CloudFormation UI
The deploy-amazon-ecs-sample.sh
script will
Retrieve the id of the default security group for the VPC created, and allows inbound access on port 80
Create a ecs-params.yml
file using the subnets and security group already retrieved. This file should look as follows
version: 1
task_definition:
task_execution_role: ecsTaskExecutionRole
ecs_network_mode: awsvpc
task_size:
mem_limit: 0.5GB
cpu_limit: 256
run_params:
network_configuration:
awsvpc_configuration:
subnets:
- "subnet-045df8f58a51b2291"
- "subnet-0e4623283c4907ea7"
security_groups:
- "sg-3a1f94b6"
assign_public_ip: ENABLED
Create a docker-compose.yaml
to instantiate the image quay.io/awsdemosec/amazon-ecs-sample
. This file looks as follows
version: '3'
services:
web:
image: quay.io/awsdemosec/amazon-ecs-sample
ports:
- "80:80"
logging:
driver: awslogs
options:
awslogs-group: tutorial
awslogs-region: us-east-1
awslogs-stream-prefix: web
Optionally, for details of this script you can run the following command
cat ./deploy-amazon-ecs-sample.sh
Once the script has completed you can see details of of the ECS cluster on the Amazon ECS UI
You can check of the ECS state by running ecs-cli ps
Name State Ports TaskDefinition Health
tutorial/7c81f4d640b84a58a1b4ddf4dbaa0bb5/web RUNNING 3.221.149.218:80->80/tcp tutorial:1 UNKNOWN
Check the deployed images with ecs-cli images
REPOSITORY NAME TAG IMAGE DIGEST PUSHED AT SIZE
aws-workshop latest sha256:b9901958776c9c9881c1f7ba0e4c57f9715909eb7d78387a9481a4300585aab3 12 minutes ago 239MB
Browse to the sample application using the details in ecs-cli ps
output (e.g. 3.221.149.218:80)
You can execute the following to obtain the VPC & Subnet information
STACKNAME=amazon-ecs-cli-setup-tutorial
for resource in Vpc PubSubnetAz1 PubSubnetAz2
do
aws cloudformation describe-stack-resources --stack-name $STACKNAME --query 'StackResources[?LogicalResourceId=='"'$resource'"'].PhysicalResourceId' --output text
done