\n
\ud83e\udd14Knowledge Sharing<\/p>\n
An Amazon ECS cluster is created by logically grouping compute tasks or services, running on infrastructure and registered to a cluster. Here, then the infrastructure capacity in your ECS cluster will be facilitated by the AWS Fargate – a serverless infrastructure managed by AWS, a cluster of Amazon EC2 instances managed by you, or a VMs\/On-premises server managed remotely. However, in most cases, therein used Amazon ECS capacity providers for the same.<\/p>\n<\/div>\n
Well, it can be done in two distinct ways as we are using Terraform, such as:<\/span><\/p>\n\n- Provisioning those using Terraform and dynamically associating those to the ECS resources; or<\/span><\/li>\n
- Use an already configured VPC and subnets.<\/span><\/li>\n<\/ul>\n
As you have gone through the prerequisites already, which you definitely have \ud83d\ude1c, we’ll pick the second option.<\/span><\/p>\nAs we are using containers for deploying the application into ECS, we have to push the docker images to a content registry system, like Docker Hub, Elastic Container Register (ECR), Google Container Registry (GCR), etc. But we are using ECR so we’ll push all those images into the ECR<\/span>.<\/p>\nTo do so, we’ll create an ECR repository. Well, whether to keep the repository private or public is totally up to your requirements. Here, we’re going to keep the ECR repository, Private. See below:<\/span><\/p>\n![\"create](\"https:\/\/www.tuvoc.com\/wp-content\/uploads\/2023\/03\/image47.png\")
<\/p>\n
Here, we\u2019ve named the url as \u201cimage_repo_url<\/span><\/span>\u201d above as shown in the image.<\/span><\/p>\nA point to remember! From now on, when we build and push a new image into the ECR, ensure to tag the image. Also, we’ll name every new version tag as the latest <\/span><\/span>with the intention to overwrite the previous image versions.<\/span><\/p>\nNow, all required variables for the ECS cluster creation are ready to use!<\/span><\/p>\n2. provider.tf<\/b> to set up providers<\/b><\/p>\n\n
provider \"aws\" {\r\n region = var.aws_region\r\n}<\/code><\/pre>\n<\/div>\nWhen planning to run CI\/CD terraform effectively, it’s important to log into the AWS account locally. Confirm that, we’ run the following command:<\/span><\/span><\/p>\n\n
$ aws configure<\/span><\/pre>\n<\/div>\n<\/div>\n
\n
Also, refer to this guide to use the AWS CLI effortlessly<\/p>\n<\/div>\n
<\/div>\n
\n
2. ecs.tf to set up resources<\/p>\n<\/div>\n
\n
resource \"aws_ecs_cluster\" \"flask_app_demo\" {\r\n name = \"flask-app-demo\"\r\n}\r\nresource \"aws_ecs_task_definition\" \"flask_app_demo\" {\r\n family = \"flask-app-demo\"\r\n network_mode = \"awsvpc\"\r\n requires_compatibilities = [\"FARGATE\"]\r\n cpu = \"256\"\r\n memory = \"512\"\r\n container_definitions = DEFINITION\r\n[\r\n {\r\n \"name\": \"flask-app-demo\",\r\n \"image\": \"${var.image_repo_url}:${var.image_tag}\",\r\n \"essential\": true,\r\n \"portMappings\": [\r\n {\r\n \"containerPort\": 5000,\r\n \"hostPort\": 5000\r\n }\r\n ],\r\n \"logConfiguration\": {\r\n \"logDriver\": \"awslogs\",\r\n \"options\": {\r\n \"awslogs-group\": \"${aws_cloudwatch_log_group.flask_app_demo.name}\",\r\n \"awslogs-region\": \"${var.aws_region}\",\r\n \"awslogs-stream-prefix\": \"flask-app-demo\"\r\n }\r\n }\r\n }\r\n]\r\nDEFINITION\r\n execution_role_arn = aws_iam_role.task_definition_role.arn\r\n runtime_platform {\r\n operating_system_family = \"LINUX\"\r\n cpu_architecture = \"X86_64\"\r\n }\r\n}\r\nresource \"aws_cloudwatch_log_group\" \"flask_app_demo\" {\r\n name = \"\/ecs\/flask-app-demo\"\r\n}\r\nresource \"aws_ecs_service\" \"flask_app_demo\" {\r\n name = \"flask-app-demo\"\r\n cluster = aws_ecs_cluster.flask_app_demo.id\r\n task_definition = aws_ecs_task_definition.flask_app_demo.arn\r\n desired_count = 1\r\n launch_type = \"FARGATE\"\r\n network_configuration {\r\n subnets = var.subnets\r\n security_groups = [aws_security_group.flask_app_demo.id]\r\n assign_public_ip = true\r\n }\r\n load_balancer {\r\n target_group_arn = aws_lb_target_group.flask_app_demo.arn\r\n container_name = \"flask-app-demo\"\r\n container_port = 5000\r\n }\r\n}\r\nresource \"aws_security_group\" \"flask_app_demo\" {\r\n name = \"flask-app-demo\"\r\n description = \"Allow inbound traffic to flask app\"\r\n vpc_id = var.vpc_id\r\n ingress {\r\n description = \"Allow HTTP from anywhere\"\r\n from_port = 0\r\n to_port = 0\r\n protocol = \"-1\"\r\n cidr_blocks = [\"0.0.0.0\/0\"]\r\n ipv6_cidr_blocks = [\"::\/0\"]\r\n }\r\n egress {\r\n from_port = 0\r\n to_port = 0\r\n protocol = \"-1\"\r\n cidr_blocks = [\"0.0.0.0\/0\"]\r\n ipv6_cidr_blocks = [\"::\/0\"]\r\n }\r\n}\r\nresource \"aws_lb_target_group\" \"flask_app_demo\" {\r\n name = \"flask-app-demo\"\r\n port = 5000\r\n protocol = \"HTTP\"\r\n vpc_id = var.vpc_id\r\n target_type = \"ip\"\r\n health_check {\r\n path = \"\/\"\r\n interval = 30\r\n timeout = 10\r\n healthy_threshold = 2\r\n unhealthy_threshold = 2\r\n }\r\n}\r\nresource \"aws_lb\" \"flask_app_demo\" {\r\n name = \"flask-app-demo\"\r\n internal = false\r\n load_balancer_type = \"application\"\r\n security_groups = [aws_security_group.flask_app_demo.id]\r\n subnets = var.subnets\r\n enable_deletion_protection = false\r\n tags = {\r\n Name = \"flask-app-demo\"\r\n }\r\n}\r\nresource \"aws_lb_listener\" \"flask_app_demo\" {\r\n load_balancer_arn = aws_lb.flask_app_demo.arn\r\n port = \"80\"\r\n protocol = \"HTTP\"\r\n default_action {\r\n type = \"forward\"\r\n target_group_arn = aws_lb_target_group.flask_app_demo.arn\r\n }\r\n}\r\nresource \"aws_lb_listener_rule\" \"flask_app_demo\" {\r\n listener_arn = aws_lb_listener.flask_app_demo.arn\r\n priority = 1\r\n action {\r\n type = \"forward\"\r\n target_group_arn = aws_lb_target_group.flask_app_demo.arn\r\n }\r\n condition {\r\n path_pattern {\r\n values = [\"\/\"]\r\n }\r\n }\r\n}\r\nresource \"aws_iam_role\" \"task_definition_role\" {\r\n name = \"flask_demo_task_definition\"\r\n assume_role_policy = EOF\r\n{\r\n \"Version\": \"2012-10-17\",\r\n \"Statement\": [\r\n {\r\n \"Action\": \"sts:AssumeRole\",\r\n \"Principal\": {\r\n \"Service\": \"ecs-tasks.amazonaws.com\"\r\n },\r\n \"Effect\": \"Allow\",\r\n \"Sid\": \"\"\r\n }\r\n ]\r\n}\r\nEOF\r\n}\r\nresource \"aws_iam_role_policy\" \"task_definition_policy\" {\r\n name = \"flask_demo_task_definition_policy\"\r\n role = aws_iam_role.task_definition_role.id\r\n policy = EOF\r\n{\r\n \"Version\": \"2012-10-17\",\r\n \"Statement\": [\r\n {\r\n \"Effect\": \"Allow\",\r\n \"Action\": [\r\n \"ecr:BatchCheckLayerAvailability\",\r\n \"ecr:GetAuthorizationToken\",\r\n \"ecr:GetDownloadUrlForLayer\",\r\n \"ecr:BatchGetImage\",\r\n \"logs:CreateLogStream\",\r\n \"logs:PutLogEvents\",\r\n \"secretsmanager:GetSecretValue\",\r\n \"ssm:GetParameters\"\r\n ],\r\n \"Resource\": [\r\n \"*\"\r\n ]\r\n }\r\n ]\r\n}\r\nEOF\r\n}\r\n<\/code><\/pre>\n<\/div>\n\n
This block of code contains three types of configurations.<\/p>\n<\/div>\n
<\/div>\n
I.\u00a0 \u00a0A configuration of all resources to create an ECS cluster.<\/b><\/div>\ncovering first 1-58 lines of code, where:<\/span><\/div>\n\n
\n- line 1-3 to create a cluster “flash-app-demo<\/span><\/span>“)<\/span><\/li>\n
- line 4-38 for task definition<\/span><\/li>\n
- line 39-41 to create a CloudWatch log group for cluster monitoring<\/span><\/li>\n
- line 42-58 to create an ECS service<\/span><\/li>\n<\/ol>\n
Here, Amazon ECS service can be used to process and manage specific task definition instances simultaneously inside the cluster.<\/span><\/p>\nIn case of one task failure, the Amazon ECS service scheduler instantly launches another instance for replacing the same.<\/span><\/p>\n\ud83d\udcddNote:<\/b> the <\/span>launch_type<\/span> should be FARGATE to ensure that the build is deployed into the AWS Fargate service. Amongst various reasons, Farget has been chosen for easy management soon as it eliminates much of the overhead for the same.<\/span><\/mark><\/p>\nII.\u00a0 \u00a0Network-based configuration<\/b><\/p>\n
After those lines, L59-125 focuses on the Network configuration. If being too specific, it shows the configuration of the AWS security group using Terraform, and it enables us to limit network boundaries for incoming and outgoing traffic.<\/span><\/p>\nIn addition to that, we’ll also set up load-balancing resources to have a sight on traffic and create a load balancer for the application. For more information, do refer to the <\/span>Terraform guide<\/span><\/a> for the same.<\/span><\/p>\nIII.\u00a0 IAM configuration<\/b><\/p>\n
Now, further, the remaining code lines are for configuring the ECS permission resources that can engage with ECR for logging.<\/span><\/p>\nLet’s do the AWS configuration:<\/span><\/p>\n\n- \n
Initializing the directory: $ terraform init<\/span><\/p>\n<\/li>\n<\/ul>\n![\"provide](\"https:\/\/www.tuvoc.com\/wp-content\/uploads\/2023\/03\/image7.png\")
<\/p>\n
\n- Plan to create the infrastructure: $ terraform plan<\/li>\n<\/ul>\n
![\"](\"https:\/\/www.tuvoc.com\/wp-content\/uploads\/2023\/03\/image11.png\")
<\/p>\n
![\"code\"](\"https:\/\/www.tuvoc.com\/wp-content\/uploads\/2023\/03\/image24.png\")
<\/p>\n<\/div>\n
![\"code](\"https:\/\/Tuvoc.com\/wp-content\/uploads\/2023\/03\/image11.png\")
<\/p>\n
![\"coding\"](\"https:\/\/www.tuvoc.com\/wp-content\/uploads\/2023\/03\/image14.png\")
<\/p>\n
![\"coding\"](\"https:\/\/www.tuvoc.com\/wp-content\/uploads\/2023\/03\/image12.png\")
<\/p>\n
Now, you can see the Terraform generated files:<\/span><\/p>\n![\"Terraform](\"https:\/\/www.tuvoc.com\/wp-content\/uploads\/2023\/03\/image3.png\")
<\/p>\n
Now, it\u2019s time to verify the implementation.<\/span><\/p>\nFor that, go to the Amazon Elastic Container Services page to start with the verification process:<\/span><\/p>\n![\"all](\"https:\/\/www.tuvoc.com\/wp-content\/uploads\/2023\/03\/image23.png\")
<\/p>\n
![\"task](\"https:\/\/www.tuvoc.com\/wp-content\/uploads\/2023\/03\/image32.png\")
<\/p>\n
![\"flask](\"https:\/\/www.tuvoc.com\/wp-content\/uploads\/2023\/03\/image31.png\")
<\/p>\n
Can you see the task definition linked to the appropriate image in the ECR cluster? Yes! Great Job!<\/span><\/p>\nLevel 1 achieved!<\/b> \ud83e\udd73 <\/span><\/p>\nBut note that \ud83d\udcdd, this is still not in its working phase as it is still pending to push the flask application in.<\/span><\/p>\n\ud83d\udea8Be careful of the information you make available.<\/span><\/p>\nWorry not! Let’s move to the next step, which is the deployment stage!<\/span><\/p>\n\n
Bonus \ud83c\udf81:<\/p>\n
In addition to this method, you can also create a backend.tf file to store the Terraform State configuration file on the cloud ecosystem (Amazon S3, to be precise).<\/p>\n<\/div>\n
STEP 2: Configure AWS CodePipeline Using Terraform<\/h3>\n
It’s time to prepare the Flask application and push it into the docket.<\/span><\/p>\nLet’s start with running your mission-critical build locally: $ pip install flask<\/span><\/span>.<\/span><\/p>\nAnd then create a basic Flask app: flask_app\/app.py <\/span><\/p>\n\n
from flask import Flask\r\napp = Flask(__name__)\r\n@app.route(\"\/\")\r\ndef hello():\r\n return \"Yayy, we have the 1st version of our flask application\"\r\nif __name__ == \"__main__\":\r\n app.run(host=\"0.0.0.0\")\r\n<\/code><\/pre>\n<\/div>\nWrite a command to run the app: <\/span>$ python3 flask_app\/app.py<\/span><\/p>\n![\"command](\"https:\/\/www.tuvoc.com\/wp-content\/uploads\/2023\/03\/image43.png\")
<\/p>\n
![\"run](\"https:\/\/www.tuvoc.com\/wp-content\/uploads\/2023\/03\/image5.png\")
<\/p>\n
Now, let\u2019s dockerize the app with the command to <\/span>create a
![\"project](\"https:\/\/Tuvoc.com\/wp-content\/uploads\/2023\/03\/Screenshot_1.png\")
<\/p>\n![\"appealing\"](\"https:\/\/www.tuvoc.com\/wp-content\/uploads\/2023\/03\/image15.png\")
<\/p>\n