Terraform ECS Fargate basic template
To deploy these Terraform ECS Fargate templates and in addition to other requirements for AWS environments (for example, secret key has been uploaded to AWS Secrets Manager), the following additional resources require provisioning within the AWS environment:
It is expected that users who choose to use Terraform over the equivalent CloudFormation template will have working knowledge of Infrastructure as Code using Terraform in AWS. Users should familiarise themselves with the official documentation before continuing:
- AWS official documentation for using Terraform.
- HashiCorpcorp official documentation for using Terraform on AWS.
Terraform template files can be found in the Downloads section of this article.
The template provides a blueprint for installation that you may use verbatim, but you may need to modify it to suit your own needs and rules governing your cloud infrastructure.
Created Resources
This template will create the following resources in your AWS account:
- ECS Task Definition
- ECS Fargate Cluster
Prerequisites
Edit the template
Users should inspect the template in a text editor and ensure the values are as-expected before proceeding. In particular, the PLATFORM_WEBSOCKET_ENDPOINT environment variable should be edited to match the expected endpoint and region. See Environment Variables for more information.
Resources
The basic template assumes you have certain resources already set up in your AWS stack. You will also be required to provide details on these resources such as names, paths and ARNs.
- Subnet and security group within a customer private cloud with outbound access.
- CloudWatch log group for container log ingestion.
- S3 bucket for data ingestion.
- Secrets Manager entries for your Platform Key and database passwords.
- IAM Roles with permissions for the following:
- Task Roles to your S3 bucket, ECS, EC2 and Secrets Manager (see "Task IAM Role" section).
- Task Execution Roles to pull from ECR Public repositories (see "Task Execution IAM Role" section).
User Access
You as a user are also expected to have access to certain details and permissions:
- Access to a valid Terraform installation.
- Access to the Hub and Data Loader.
- Streaming agent environment variables (generated in Data Loader when creating a new agent).
- Data Loader platform key (generated once per Data Loader account the first time you make an agent).
- Access to AWS with the ability to create a stack on a billable account. You may require an administrator from your organization to either give access or perform this process with you.
Task Execution IAM Role
A basic template requires users to have a IAM Role configured for task execution with permissions to pull from ECR Public repositories. You should know the ARN for this IAM Role as it is required in the ExecutionRoleArn field during stack creation. A sample policy is provided below:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ecr-public:GetAuthorizationToken",
"sts:GetServiceBearerToken",
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "ECRAndCloudWatch"
}
]
}
Task IAM Role
IAM task role, with S3 Bucket permissions and access to the private key secret. Note that you will need to replace the ARNs with your own.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket-name",
"Sid": "S3List"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket-name/*",
"Sid": "S3Use"
},
{
"Action": "secretsmanager:GetSecretValue",
"Effect": "Allow",
"Resource": "arn:aws:secretsmanager:eu-west-1:0000000000:platform-key-name",
"Sid": "SecretsManagerPerms"
}
]
}