AWS ECS Plugin
AWS ECS integration is achieved via a simple but powerful tagging system on ECS clusters. Tags are paired with an AWS role/policy that allows connector instances to discover the resources we want to expose as sockets.
For this example we will assume our AWS datacenter is us-west-2 (Oregon).
The YAML configuration:
AWS settings
We expand the “connector” section to include the region and/or profile:
connector:
  name: "my-awesome-connector"
  aws-region: "us-west-2"
  aws-profile: "prod"
Using the region and/or profile settings, the connector looks for AWS credentials in the well-known credential locations. It will use these credentials both for discovery and to connect.
Groups
Create a plugin-specific “aws_ecs_ssm” section containing our discovery group name with its access definitions:
aws_ecs_ssm:
  - group: infra_team
    policies: [my-connector-policy]
It is also possible to filter on tasks, services or specific containers by specifying these optional parameters:
aws_ecs_ssm:
  - group: infra_team
    policies: [my-connector-policy]
    aws_ecs_tasks:
      - taskA
    aws_ecs_services:
      - serviceB
    aws_ecs_containers:
      - backend
      - frontend
The aws_ecs_tasks parameter filters out every task whose name does not start with one of the listed values (a prefix match); aws_ecs_services and aws_ecs_containers use an exact match.
Tags
Add tags to ECS clusters with the following format:
Key
Key: border0_someName
The Key must start with “border0” and can be followed by any alphanumeric set of characters, e.g. border0_http, border0_server01, border01
Value
Value: group=infra_team/name=ecs-cluster
The tag value is a slash (/) separated list of parameters:
- group: the name of the group defined in the YAML
- name: the socket name; by default the cluster name is used
A complete tag with its value will look like this:
Key: border0_ecs
Value: group=infra_team
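To make the tag format and the filter semantics described above concrete, here is an added example (not part of the Border0 documentation or connector source) that parses border0 tag keys and values and applies the aws_ecs_tasks prefix match and the aws_ecs_services / aws_ecs_containers exact match to a constructed, in-memory set of clusters. The sample cluster data, the GroupFilter class and the rule that an empty filter list means "no filtering" are assumptions of this example, not behaviour confirmed by the page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Tag keys must begin with "border0"; the remainder is alphanumeric (underscore
# allowed, as in the page's border0_http / border0_server01 examples).
TAG_KEY_RE = re.compile(r"^border0[A-Za-z0-9_]*$")


def parse_border0_tag(key: str, value: str, cluster_name: str) -> Optional[dict]:
    """Return {"group": ..., "name": ...} for a valid border0 tag, else None.

    The value is a slash-separated list of key=value parameters. "group" is
    mandatory (it selects the YAML access policy); "name" defaults to the
    cluster name, as the page describes.
    """
    if not TAG_KEY_RE.match(key):
        return None
    params = {}
    for part in value.split("/"):
        if not part:
            continue
        if "=" not in part:
            return None  # malformed parameter such as "group" with no value
        k, v = part.split("=", 1)
        params[k.strip()] = v.strip()
    if "group" not in params:
        return None
    return {"group": params["group"], "name": params.get("name", cluster_name)}


@dataclass
class GroupFilter:
    """One entry of the aws_ecs_ssm list (hypothetical representation)."""
    group: str
    policies: List[str]
    tasks: List[str] = field(default_factory=list)       # prefix match
    services: List[str] = field(default_factory=list)    # exact match
    containers: List[str] = field(default_factory=list)  # exact match


def matches(f: GroupFilter, task: str, service: str, container: str) -> bool:
    """Assumption: an empty list means the dimension is not filtered."""
    if f.tasks and not any(task.startswith(prefix) for prefix in f.tasks):
        return False
    if f.services and service not in f.services:
        return False
    if f.containers and container not in f.containers:
        return False
    return True


# Constructed sample data standing in for DescribeClusters/DescribeTasks output.
SAMPLE_CLUSTERS: Dict[str, dict] = {
    "ecs-cluster": {
        "tags": {"border0_ecs": "group=infra_team", "Environment": "prod"},
        "containers": [  # (task name, service name, container name)
            ("taskA-123", "serviceB", "backend"),
            ("taskC-9", "serviceB", "backend"),      # wrong task prefix
            ("taskA-77", "serviceX", "frontend"),    # wrong service
            ("taskA-5", "serviceB", "sidecar"),      # wrong container
        ],
    },
    "other-cluster": {  # no border0 tag, must be ignored entirely
        "tags": {"Name": "other"},
        "containers": [("taskA-1", "serviceB", "backend")],
    },
}

SAMPLE_GROUPS = {
    "infra_team": GroupFilter(
        group="infra_team", policies=["my-connector-policy"],
        tasks=["taskA"], services=["serviceB"], containers=["backend", "frontend"],
    )
}


def discover(clusters: Dict[str, dict], groups: Dict[str, GroupFilter]
             ) -> List[Tuple[str, str, str, str, str]]:
    """Return (socket name, group, task, service, container) for every match."""
    found = []
    for cluster, info in clusters.items():
        for key, value in info["tags"].items():
            tag = parse_border0_tag(key, value, cluster)
            if tag is None or tag["group"] not in groups:
                continue  # not a border0 tag, or group not defined in the YAML
            gf = groups[tag["group"]]
            for task, service, container in info["containers"]:
                if matches(gf, task, service, container):
                    found.append((tag["name"], tag["group"], task, service, container))
    return found


if __name__ == "__main__":
    for row in discover(SAMPLE_CLUSTERS, SAMPLE_GROUPS):
        print(row)
```

Running it yields a single match, the backend container of taskA-123 in serviceB, exposed under the socket name ecs-cluster because the tag value carries no name parameter.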
Once created it should appear like this in the AWS ECS console:
AWS permissions
We need to give the connector instance access to read from the AWS API.
This can be achieved in multiple ways and will depend on your deployment and the type of infrastructure you run. One of the methods is an IAM role attached to the connector instance.
Sample AWS policy granting the connector the ECS describe/list permissions it needs:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:ListTasks",
        "ecs:DescribeTasks",
        "ecs:DescribeClusters",
        "ecs:ListClusters",
        "ssm:StartSession",
        "iam:SimulatePrincipalPolicy"
      ],
      "Resource": "*"
    }
  ]
}
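Before attaching a role, it is worth checking that the policy document actually grants every action the connector needs and noting which Allow statements use a wildcard Resource. The following is an added example (not Border0 code) implementing a simplified IAM evaluation: an action is allowed when some Allow statement matches it and no Deny statement does, with IAM's case-insensitive * and ? wildcards. Resource and Condition elements are deliberately ignored, NotAction is not handled, and the narrower policy is constructed for illustration.

```python
import fnmatch
import json
from typing import Dict, Iterable, List

# The actions the page's sample policy grants to the connector.
REQUIRED_ACTIONS = [
    "ecs:ListTasks", "ecs:DescribeTasks", "ecs:DescribeClusters",
    "ecs:ListClusters", "ssm:StartSession", "iam:SimulatePrincipalPolicy",
]

# The policy exactly as shown on the page.
PAGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ecs:ListTasks", "ecs:DescribeTasks", "ecs:DescribeClusters",
                "ecs:ListClusters", "ssm:StartSession", "iam:SimulatePrincipalPolicy"],
     "Resource": "*"}
  ]
}
""")

# Constructed variant: ECS granted by wildcard, but a Deny blocks ssm:StartSession.
NARROW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:SimulatePrincipalPolicy", "Resource": "*"},
        {"Effect": "Deny", "Action": "ssm:StartSession", "Resource": "*"},
    ],
}


def _as_list(value) -> list:
    """IAM allows scalars or lists for Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy: dict, actions: Iterable[str]) -> Dict[str, bool]:
    """Map each action to True if allowed under the simplified rules above."""
    result = {}
    for action in actions:
        allow = deny = False
        for stmt in _as_list(policy.get("Statement")):
            patterns = _as_list(stmt.get("Action"))
            if any(_action_matches(p, action) for p in patterns):
                if stmt.get("Effect") == "Allow":
                    allow = True
                elif stmt.get("Effect") == "Deny":
                    deny = True  # an explicit Deny always wins
        result[action] = allow and not deny
    return result


def missing_actions(policy: dict, required: Iterable[str] = REQUIRED_ACTIONS) -> List[str]:
    """Actions the connector needs that this policy does not grant."""
    return [a for a, ok in allowed_actions(policy, required).items() if not ok]


def wildcard_resource_statements(policy: dict) -> List[int]:
    """Indexes of Allow statements whose Resource is the bare wildcard."""
    return [
        i for i, stmt in enumerate(_as_list(policy.get("Statement")))
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource"))
    ]


if __name__ == "__main__":
    for name, pol in (("page policy", PAGE_POLICY), ("narrow policy", NARROW_POLICY)):
        print(name, "missing:", missing_actions(pol),
              "wildcard statements:", wildcard_resource_statements(pol))
```

For the page's policy the check reports nothing missing and flags statement 0 as wildcard-scoped; for the constructed variant it reports ssm:StartSession as missing because of the explicit Deny.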