AWS ECS Plugin

AWS ECS integration is achieved via a simple but powerful tagging system on ECS clusters. Tags are paired with AWS role/policy allowing connector instances to discover resources we want to expose via sockets.

For this example we will assume our AWS datacenter is us-west-2 (Oregon).

The YAML configuration:

AWS settings

We expand the "connector" section to include the region and/or profile:

connector:
   name: "my-awesome-connector"
   aws-region: "us-west-2"
   aws-profile: "prod"

Using the region and/or profile settings, the connector looks for AWS credentials in the well-known locations. It uses these credentials both for discovery and to connect.

Groups

Create a plugin-specific "aws_ecs_ssm" section containing our discovery group name with its access definitions:

aws_ecs_ssm:
    - group: infra_team
      policies: [my-connector-policy]

It's also possible to filter on tasks, services or specific containers by specifying these optional parameters:

aws_ecs_ssm:
    - group: infra_team
      policies: [my-connector-policy]
      aws_ecs_tasks:
      - taskA
      aws_ecs_services:
      - serviceB
      aws_ecs_containers:
      - backend
      - frontend

The aws_ecs_tasks parameter filters out all tasks whose name does not start with one of the listed values; aws_ecs_services and aws_ecs_containers use an exact match.

Tags

Add tags to ECS clusters with the following format:

Key

Key: border0_someName

The Key must start with "border0" and can be followed by any alphanumeric set of characters, e.g. border0_http, border0_server01, border01

Value

Value: group=infra_team/name=ecs-cluster

The tag value is a set of slash (/) separated parameters:

  • group : the name of the group defined in the YAML
  • name : the socket name; by default it will use the cluster name

A complete tag with value will look like this:

Key: border0_ecs
Value: group=infra_team
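The tag and filter rules above, worked through in code. This is an added example, not part of the Border0 connector itself; the group configuration is a constructed dict mirroring the aws_ecs_ssm YAML, and allowing an underscore in the key is an assumption drawn from the page's own examples such as border0_http.

```python
import re

# Constructed sample config mirroring the aws_ecs_ssm section of the YAML above.
GROUPS = [{"group": "infra_team", "policies": ["my-connector-policy"],
           "aws_ecs_tasks": ["taskA"], "aws_ecs_services": ["serviceB"],
           "aws_ecs_containers": ["backend", "frontend"]}]

# Key must start with "border0" followed by alphanumerics; the underscore is
# allowed because the page's own examples (border0_http) use it (assumption).
TAG_KEY = re.compile(r"^border0[A-Za-z0-9_]*$")


def parse_border0_tag(key, value, cluster_name, groups=GROUPS):
    """Return (group, socket_name) for one cluster tag, or None when the key
    is not a border0 tag. Raise ValueError for a malformed value or a group
    that the YAML does not define."""
    if not TAG_KEY.match(key):
        return None
    params = {}
    for part in value.split("/"):
        if "=" not in part:
            raise ValueError(f"malformed tag parameter: {part!r}")
        k, v = part.split("=", 1)
        params[k] = v
    if "group" not in params:
        raise ValueError("tag value must contain group=")
    if params["group"] not in {g["group"] for g in groups}:
        raise ValueError(f"group {params['group']!r} is not defined in the YAML")
    # name defaults to the cluster name when the tag does not set it
    return params["group"], params.get("name", cluster_name)


def task_allowed(group_cfg, task_name, service_name, container_name):
    """Apply the optional filters: aws_ecs_tasks is a prefix match,
    aws_ecs_services and aws_ecs_containers are exact matches; an unset
    filter accepts everything."""
    tasks = group_cfg.get("aws_ecs_tasks")
    if tasks and not any(task_name.startswith(t) for t in tasks):
        return False
    services = group_cfg.get("aws_ecs_services")
    if services and service_name not in services:
        return False
    containers = group_cfg.get("aws_ecs_containers")
    if containers and container_name not in containers:
        return False
    return True
```

A tag whose group is not defined in the YAML is rejected rather than silently ignored, which makes a mistyped group name visible in connector logs instead of leaving a cluster unexposed.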

Once the tag is created, it should appear like this in the AWS ECS console:

AWS permissions

We need to give the connector instance read access to the AWS API.

This can be achieved in multiple ways and will depend on your deployment and the type of infrastructure you run. One of the methods is an IAM role attached to the connector instance.

Sample IAM policy granting the connector the ECS list/describe permissions it needs (the Resource is "*" here; narrow it where your deployment allows):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:ListTasks",
                "ecs:DescribeTasks",
                "ecs:DescribeClusters",
                "ecs:ListClusters",
                "ssm:StartSession",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": "*"
        }
    ]
}