Skip to content

theonestack/hl-component-ecs-service

Repository files navigation

ecs-service CfHighlander component

Creates the resources required to set up and serve a ECS service

kurgan add ecs-service

Parameters

Name Use Default Global Type Allowed Values
EnvironmentName Tagging dev true string
EnvironmentType Tagging development true string ['development','production']
EcsCluster ECS cluster to run the service in - false string
VPCId Id of the vpc required for creating a target group and security group - false AWS::EC2::VPC::Id
TargetGroup pass through an existing target group ARN - false string
Listener listener to attach the generated target group too - false string
LoadBalancer Deprecated - false string
DesiredCount desired count of ECS tasks to run for the service 1 false string
MinimumHealthyPercent minimum percentage of healthy tasks to retain during a deployment 100 false string
MaximumPercent maximum percentage of tasks to scale up to during a deployment 200 false string
SubnetIds list of subnet ids to run your tasks in if using aws-vpc networking - false comma delimited string
SecurityGroupBackplane pass through an existing security group id to the ECS service - false string
EnableFargate set to true to run the ECS service in Fargate false false string ['true','false']
DisableLaunchType set to false to disable setting the ECS service property LaunchType to specify custom default providers false false string ['true','false']
PlatformVersion set the fargate platform version - false string
NamespaceId set a service discovery namespace id - false string

Configuration

Logging

By default the component setups cloudwatch logging by creating a log group and adding the config to the task definition. To change the log retention in the log group set log_retention. Defaults to 7 days

loggroup_name: 'myapp'
log_retention: 7

Task Level CPU and Memory

This will set hard resource limits for the service, this is required for fargate services but can be set for services on EC2

cpu: 256
memory: 256

Task Definition

Multiple task definitions can be defined under the task_definition key

task_definition:
  task-1:
    ...
  task-2:
    ...

This is the fulls et of config options for the task definition.

task_definition:
  task-1:
    repo: public.ecr.aws
    image: my/app
    tag: latest
    tag_param: MyAppTag
    memory: 1024
    memory_hard: 1024
    cpu: 1024
    ports:
    - 8080
    - 8081:8888
    not_essential: false
    env_vars:
      KEY: value
    secrets:
      ssm:
        API_KEY: /nginx/${EnvironmentName}/api/key
        API_SECRET: /nginx/${EnvironmentName}/api/secret
      secretsmanager:
        DB_PASSWORD: /db/${EnvironmentName}/password
    ulimits:
    - HardLimit: 65000
      Name: nofile
      SoftLimit: 65000
    cap_add: 
      - ALL
    cap_drop: 
      - MKNOD
    init: true
    memory_swap: 10
    shm_size: 10
    memory_swappiness: 10
    entrypoint:
    - entrypoint.sh
    command:
    - run.sh
    healthcheck:
      Command: 
      - check.sh
      Interval: 30
      Retries: 3
      StartPeriod: 300
      Timeout: 5
    working_dir: /src
    privileged: false
    user: appuser
    extra_hosts:
    - Hostname: example.com
      IpAddress: 127.0.0.1
    depends_on:
      task-2: START
    links:
      - task-2:task-2

see bellow for details on these options

Container Image

Define the container image details such as repo, image name and tag

task_definition:
  task-1:
    repo: public.ecr.aws
    image: my/app
    tag: latest

The tag can also be setup to pass through as a cloudformation runtime parameter by using the tag_param key instead of tag.

task_definition:
  task-1:
    repo: public.ecr.aws
    image: my/app
    tag_param: MyAppTag

Container CPU and Memory

Container level resources can be defined with memory being a soft limit that can be breached and memory_hard being a hard limit.

task_definition:
  task-1:
    memory: 1024
    memory_hard: 1024
    cpu: 1024

Ports

Port mappings allow containers to access ports on the host container instance to send or receive traffic. ContainerPort:HostPort

task_definition:
  task-1:
    ports:
    - 8080
    - 8081:8888

Not Essential

if the container doesn't need to run like a data container then not_essential can be set to false to when it stops it doesn't kill the whole task.

task_definition:
  task-1:
    not_essential: true

Environment Variables

to pass through environment variables use env_vars with key:value pairs

task_definition:
  task-1:
    env_vars:
      KEY: value

Secrets

pass though secrets to the container as environment variables. Supports both ssm parameter store and secrets manager.

task_definition:
  task-1:
    secrets:
      ssm:
        API_KEY: /nginx/${EnvironmentName}/api/key
        API_SECRET: /nginx/${EnvironmentName}/api/secret
      secretsmanager:
        DB_PASSWORD: /db/${EnvironmentName}/password

Not required, but you can also specify a secrets policy to be attached to the execution role, so ECS can retrieve it. If not specified, the secret above is added, but if you want to add a wildcard, you can do so with:

  secrets_policy:
    envNameHere:
      action:
        - secretsmanager:GetSecretValue
        - kms:*
      resource:
        - Fn::Sub: arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${EnvironmentName}/sneaky/allthesecrets*

ulimits

task_definition:
  task-1:
    ulimits:
    - HardLimit: 65000
      Name: nofile
      SoftLimit: 65000

Linux Parameters

Specifies Linux-specific options that are applied to the container, such as Linux KernelCapabilities.

task_definition:
  task-1:
    cap_add: 
    - ALL
    cap_drop: 
    - MKNOD
    init: true
    memory_swap: 10
    shm_size: 10
    memory_swappiness: 10

Extrypoint and Command

The entry point and command that is passed to the container.

task_definition:
  task-1:
    entrypoint:
    - entrypoint.sh
    command:
    - run.sh

Container Health Check

The container health check command and associated configuration parameters for the container. If the health check fails the task is terminated

task_definition:
  task-1:
    healthcheck:
      Command: 
      - check.sh
      Interval: 30
      Retries: 3
      StartPeriod: 300
      Timeout: 5

Working Directory

The working directory in which to run commands inside the container.

task_definition:
  task-1:
    working_dir: /src

Privileged

When this parameter is true, the container is given elevated privileges on the host container instance (similar to the root user). NOTE: not recommended ...

task_definition:
  task-1:
    privileged: false

Container User

The user to use inside the container.

task_definition:
  task-1:
    user: appuser

Extra Hosts

A list of hostnames and IP address mappings to append to the /etc/hosts file on the container.

task_definition:
  task-1:
    extra_hosts:
    - Hostname: example.com
      IpAddress: 127.0.0.1

Depends On

specifies the dependencies defined for container startup and shutdown.

task_definition:
  task-1:
    depends_on:
      task-2: START

Links

The links parameter allows containers to communicate with each other without the need for port mappings. This parameter is only supported if the network mode of a task definition is bridge.

task_definition:
  task-1:
    links:
    - task-2:task-2

Exports

to change the export name incase of naming conflicts you can override it using the export key. The default is the component name.

export: myapp

Daemon tasks

Run a daemon task on all ECS instances in the cluster

scheduling_strategy: DAEMON

Resources

TaskRole

Type: AWS::IAM::Role

Condition: if iam_policies config contains policies

IAM permissions for the ECS service tasks runtime

ExecutionRole

Type: AWS::IAM::Role

Condition: if iam_policies config contains policies

IAM permissions or the ECS agent to make AWS API calls on your behalf such as retrieve secrets. Default managed policy uses arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

Role

Type: AWS::IAM::Role

IAM permissions for the ECS service such as add and remove tasks from a target group. Default managed policy uses arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole

Task

Type: AWS::ECS::TaskDefinition

Service

Type: AWS::ECS::TaskDefinition

LogGroup

Type: AWS::Logs::LogGroup

Cloudwatch log group for the tasks to send logs too

TargetGroup

Type: AWS::ElasticLoadBalancingV2::TargetGroup

Condition: if target_groups config contains a list of target groups

Creates a target group resource per target group defined in the config

ListenerRule

Type: AWS::ElasticLoadBalancingV2::ListenerRule

Condition: if target_groups config contains a target groups with rules

Creates a listener rule for the supplied listener for each rule defined on the target group

ServiceSecurityGroup

Type: AWS::EC2::SecurityGroup

Condition: if security_group_rules config contains rules

Creates a security group with defined rules and attaches it to the ECS task if using aws-vpc networking

ServiceRegistry

Type: AWS::ServiceDiscovery::Service

Condition: if service_discovery config is defined

Outputs

Name Value Export
SecurityGroup Security group name ${EnvironmentName}-ecs-service-SecurityGroup
ServiceName ECS service name ${EnvironmentName}-ecs-service-ServiceName