# User Facing Client Task Definition
# --
# This is the container that will serve as the entry point for public facing traffic
module "client" {
  # Consul mesh-task wrapper: builds the ECS task definition for this service and
  # adds the Consul/proxy sidecar containers (see the sidecar log configuration
  # below). Module source and version are pinned exactly.
  source  = "hashicorp/consul-ecs/aws//modules/mesh-task"
  version = "0.4.1"
  # "family" doubles as the Consul service name (see the upstreams notes below).
  family                   = "${local.project_tag}-client"
  requires_compatibilities = ["FARGATE"]
  # required for Fargate launch type
  memory = 512
  cpu    = 256
  container_definitions = [
    {
      name = "client"
      # NOTE(review): the image is pinned by mutable tag only. Pinning by digest
      # (image@sha256:<DIGEST-PLACEHOLDER>) makes the task reproducible and immune
      # to the tag being re-pointed upstream; the digest is not recorded here.
      image     = "nicholasjackson/fake-service:v0.23.1"
      cpu       = 0 # take up proportional cpu
      essential = true
      portMappings = [
        {
          containerPort = 9090
          hostPort      = 9090 # though, access to the ephemeral port range is needed to connect on EC2, the exact port is required on Fargate from a security group standpoint.
          protocol      = "tcp"
        }
      ]
      logConfiguration = local.client_logs_configuration
      # Fake Service settings are set via Environment variables
      environment = [
        {
          name  = "NAME"
          value = "client"
        },
        {
          name  = "MESSAGE"
          value = "Hello from the client!"
        },
        {
          # Outbound calls go to localhost on the localBindPort values declared in
          # "upstreams" below, i.e. through the local mesh proxy rather than
          # directly to the fruits/vegetables tasks.
          name  = "UPSTREAM_URIS"
          value = "http://localhost:1234,http://localhost:1235"
        }
      ]
    }
  ]
  # All settings required by the mesh-task module
  # Mesh security settings: ACLs are enforced, and the server CA certificate,
  # client ACL token and gossip encryption key are referenced by Secrets Manager
  # ARN rather than inlined in the task definition.
  acls                           = true
  acl_secret_name_prefix         = local.project_tag
  consul_datacenter              = var.consul_dc1_name
  consul_server_ca_cert_arn      = aws_secretsmanager_secret.consul_root_ca_cert.arn
  consul_client_token_secret_arn = module.consul_acl_controller.client_token_secret_arn
  gossip_key_secret_arn          = aws_secretsmanager_secret.consul_gossip_key.arn
  log_configuration              = local.client_sidecars_log_configuration
  # https://github.com/hashicorp/consul-ecs/blob/main/config/schema.json#L74
  # to tell the proxy and consul-ecs how to contact the service
  port = "9090"
  tls  = true
  # the consul-ecs binary takes a large configuration file: https://github.com/hashicorp/consul-ecs/blob/0817f073c665c3933e9455f477b18500616e7c47/config/schema.json
  # the variable "consul_ecs_config" lets you specify the entire thing
  # however, arguments such as "upstreams" (below) can be used instead to
  # target smaller parts of the config without specifying the entire thing: https://github.com/hashicorp/terraform-aws-consul-ecs/blob/3da977ed327ac9bf37a2083854152c2bb4e1ddac/modules/mesh-task/variables.tf#L303-L305
  upstreams = [
    {
      # Name of the CONSUL Service (not to be confused with the ECS Service)
      # This is specified by setting the "family" name for mesh task modules
      # The "family" will map both to the Consul Service and the ECS Task Definition
      # https://github.com/hashicorp/terraform-aws-consul-ecs/blob/main/modules/mesh-task/main.tf#L187
      # https://github.com/hashicorp/terraform-aws-consul-ecs/blob/v0.3.0/modules/mesh-task/variables.tf#L6-L10
      destinationName = "${local.project_tag}-fruits"
      # This is the port that requests to this service will be sent to, and, the port that the proxy will be
      # listening on LOCALLY.
      # https://github.com/hashicorp/consul-ecs/blob/0817f073c665c3933e9455f477b18500616e7c47/config/schema.json#L326
      # the above link is the value this maps to
      localBindPort = 1234
    },
    {
      # https://github.com/hashicorp/consul-ecs/blob/85755adb288055df92c1880d30f1861db771ca63/subcommand/mesh-init/command_test.go#L77
      # Each upstream needs its own localBindPort: the local proxy listens on that
      # port and forwards to the named Consul service, which is why UPSTREAM_URIS
      # above lists localhost:1234 and localhost:1235 rather than remote addresses.
      destinationName = "${local.project_tag}-vegetables"
      localBindPort   = 1235
    }
  ]
  # join on the private IPs, much like the consul config "retry_join" argument
  retry_join = local.server_private_ips
  # Explicit ordering in addition to the implicit reference above, so the ACL
  # controller (and the token secret it manages) exists before this task.
  depends_on = [
    module.consul_acl_controller
  ]
}
# Fruits service task definition (mesh-task wrapper, same shape as "client").
# Reached by the client through its upstream "${local.project_tag}-fruits".
module "fruits" {
  source  = "hashicorp/consul-ecs/aws//modules/mesh-task"
  version = "0.4.1"
  # "family" doubles as the Consul service name the client's upstream targets.
  family                   = "${local.project_tag}-fruits"
  requires_compatibilities = ["FARGATE"]
  # required for Fargate launch type
  memory = 512
  cpu    = 256
  container_definitions = [
    {
      name = "fruits"
      # NOTE(review): pinned by mutable tag only; a digest pin
      # (image@sha256:<DIGEST-PLACEHOLDER>) would be stronger. Digest not recorded here.
      image     = "nicholasjackson/fake-service:v0.23.1"
      cpu       = 0 # take up proportional cpu
      essential = true
      portMappings = [
        {
          containerPort = 9090
          hostPort      = 9090 # though, access to the ephemeral port range is needed to connect on EC2, the exact port is required on Fargate from a security group standpoint.
          protocol      = "tcp"
        }
      ]
      logConfiguration = local.fruits_log_configuration
      # Fake Service settings are set via Environment variables
      environment = [
        {
          name  = "NAME"
          value = "fruits"
        },
        {
          name  = "MESSAGE"
          value = "Hello from the fruits client!"
        },
        {
          # Points straight at the database's private IP, not at a local proxy bind
          # port: this hop does not go through the mesh, so mesh TLS and Consul
          # intentions do not apply to it (the database is not registered in Consul,
          # see the commented-out upstreams below). Network-level restriction of
          # 27017 to these tasks is therefore the only control on this path.
          name  = "UPSTREAM_URIS"
          value = "http://${var.database_private_ip}:27017"
        }
      ]
    }
  ]
  # Mesh security settings: ACLs enforced; CA cert, client token and gossip key
  # supplied as Secrets Manager ARNs rather than inlined.
  acls                           = true
  acl_secret_name_prefix         = local.project_tag
  consul_datacenter              = var.consul_dc1_name
  consul_server_ca_cert_arn      = aws_secretsmanager_secret.consul_root_ca_cert.arn
  consul_client_token_secret_arn = module.consul_acl_controller.client_token_secret_arn
  gossip_key_secret_arn          = aws_secretsmanager_secret.consul_gossip_key.arn
  port                           = "9090"
  log_configuration              = local.fruits_sidecars_log_configuration
  tls                            = true
  # isn't needed right now, because there is no "database" service that consul is aware of
  # Note: the disabled block names the service via var.aws_default_tags.Project,
  # whereas the live modules use local.project_tag; reconcile before re-enabling.
  # upstreams = [
  #   {
  #     # this will not work at the moment, because our database
  #     # isn't set up with consul or registered as a service
  #     destinationName = "${var.aws_default_tags.Project}-database"
  #     localBindPort   = 1234
  #   }
  # ]
  retry_join = local.server_private_ips
  depends_on = [
    module.consul_acl_controller
  ]
}
# Second version of the fruits service. Only the family (and thus the Consul
# service name) and the MESSAGE text differ from "fruits"; the container and env
# NAME are still "fruits". The client's upstreams do not reference
# "-fruits-v2" directly, so presumably traffic reaches it through a Consul
# resolver/splitter defined elsewhere — not visible in this file, confirm.
module "fruits_v2" {
  source  = "hashicorp/consul-ecs/aws//modules/mesh-task"
  version = "0.4.1"
  family                   = "${local.project_tag}-fruits-v2"
  requires_compatibilities = ["FARGATE"]
  # required for Fargate launch type
  memory = 512
  cpu    = 256
  container_definitions = [
    {
      name = "fruits"
      # NOTE(review): pinned by mutable tag only; a digest pin
      # (image@sha256:<DIGEST-PLACEHOLDER>) would be stronger. Digest not recorded here.
      image     = "nicholasjackson/fake-service:v0.23.1"
      cpu       = 0 # take up proportional cpu
      essential = true
      portMappings = [
        {
          containerPort = 9090
          hostPort      = 9090 # though, access to the ephemeral port range is needed to connect on EC2, the exact port is required on Fargate from a security group standpoint.
          protocol      = "tcp"
        }
      ]
      logConfiguration = local.fruits_v2_log_configuration
      # Fake Service settings are set via Environment variables
      environment = [
        {
          name  = "NAME"
          value = "fruits"
        },
        {
          name  = "MESSAGE"
          value = "Hello from the fruits service version 2!"
        },
        {
          # Direct connection to the database IP, outside the mesh (same caveat as
          # in "fruits": no mesh TLS or intentions on this hop).
          name  = "UPSTREAM_URIS"
          value = "http://${var.database_private_ip}:27017"
        }
      ]
    }
  ]
  # Mesh security settings: ACLs enforced; CA cert, client token and gossip key
  # supplied as Secrets Manager ARNs rather than inlined.
  acls                           = true
  acl_secret_name_prefix         = local.project_tag
  consul_datacenter              = var.consul_dc1_name
  consul_server_ca_cert_arn      = aws_secretsmanager_secret.consul_root_ca_cert.arn
  consul_client_token_secret_arn = module.consul_acl_controller.client_token_secret_arn
  gossip_key_secret_arn          = aws_secretsmanager_secret.consul_gossip_key.arn
  port                           = "9090"
  log_configuration              = local.fruits_v2_sidecars_log_configuration
  tls                            = true
  retry_join                     = local.server_private_ips
  depends_on = [
    module.consul_acl_controller
  ]
}
# Vegetables service task definition (mesh-task wrapper, same shape as "fruits").
# Reached by the client through its upstream "${local.project_tag}-vegetables".
module "vegetables" {
  source  = "hashicorp/consul-ecs/aws//modules/mesh-task"
  version = "0.4.1"
  # "family" doubles as the Consul service name the client's upstream targets.
  family                   = "${local.project_tag}-vegetables"
  requires_compatibilities = ["FARGATE"]
  # required for Fargate launch type
  memory = 512
  cpu    = 256
  container_definitions = [
    {
      name = "vegetables"
      # NOTE(review): pinned by mutable tag only; a digest pin
      # (image@sha256:<DIGEST-PLACEHOLDER>) would be stronger. Digest not recorded here.
      image     = "nicholasjackson/fake-service:v0.23.1"
      cpu       = 0 # take up proportional cpu
      essential = true
      portMappings = [
        {
          containerPort = 9090
          hostPort      = 9090 # though, access to the ephemeral port range is needed to connect on EC2, the exact port is required on Fargate from a security group standpoint.
          protocol      = "tcp"
        }
      ]
      logConfiguration = local.vegetables_log_configuration
      # Fake Service settings are set via Environment variables
      environment = [
        {
          name  = "NAME"
          value = "vegetables"
        },
        {
          name  = "MESSAGE"
          value = "Hello from the vegetables client!"
        },
        {
          # Direct connection to the database IP, outside the mesh: no mesh TLS or
          # Consul intentions on this hop (the database is not registered in Consul,
          # see the commented-out upstreams below).
          name  = "UPSTREAM_URIS"
          value = "http://${var.database_private_ip}:27017"
        }
      ]
    }
  ]
  # Mesh security settings: ACLs enforced; CA cert, client token and gossip key
  # supplied as Secrets Manager ARNs rather than inlined.
  acls                           = true
  acl_secret_name_prefix         = local.project_tag
  consul_datacenter              = var.consul_dc1_name
  consul_server_ca_cert_arn      = aws_secretsmanager_secret.consul_root_ca_cert.arn
  consul_client_token_secret_arn = module.consul_acl_controller.client_token_secret_arn
  gossip_key_secret_arn          = aws_secretsmanager_secret.consul_gossip_key.arn
  log_configuration              = local.vegetables_sidecars_log_configuration
  port                           = "9090"
  tls                            = true
  # Disabled until the database is registered as a Consul service. Note it names
  # the service via var.aws_default_tags.Project, whereas the live modules use
  # local.project_tag; reconcile before re-enabling.
  # upstreams = [
  #   {
  #     # this will not work at the moment, because our database
  #     # isn't set up with consul or registered as a service
  #     destinationName = "${var.aws_default_tags.Project}-database"
  #     localBindPort   = 1234
  #   }
  # ]
  retry_join = local.server_private_ips
  depends_on = [
    module.consul_acl_controller
  ]
}