Vanila Dockerized App With ECS IaC To Provision and Deployment

gluzangi/dockerized-stateless-app

DOCKERIZED-APP-IaC : ceros-ski

Usage

Create the ECR repository first and push the dockerized application image to it before provisioning the ECS environment; the ECS task definition references the image by its repository URL.

Creating ECR Repository

terraform plan -target="module.ecr"

terraform apply -target="module.ecr"

NOTE

  • To follow best practice, the refactored code uses the official Terraform AWS Provider modules (terraform-aws-modules) wherever possible
  • The provisioning workflow uses a targeted deployment (terraform -target) to build the ECR stack before the rest of the infrastructure
  • ECR scans every pushed image on push for known CVEs in the baked layers
  • Images pushed to ECR are immutable (an existing tag cannot be overwritten) and a lifecycle policy keeps the 3 most recent revisions of the image at all times
  • Immutable images guarantee that version-based application rollbacks are possible
  • Default module variables can be overridden by defining identically named variables in a terraform.tfvars file
  • output-1 : aws_iam_user_arn = "arn:aws:iam::<aws_account_id>:user/<iam_sa_account>"
  • output-2 : repository_url = "<aws_account_id>.dkr.ecr.<aws_region>.amazonaws.com/ceros-ski"
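The NOTE bullets above describe settings rather than show them, so here is an added example (not the repository's own code) of a module call that turns them into configuration: scan on push, immutable tags, a lifecycle rule that expires everything beyond the 3 newest images, and push access limited to the deploying identity. The variable names follow the README's Inputs table; the module input names are assumed to match terraform-aws-modules/ecr/aws 1.1.1, and restricting push access to the caller's ARN is an assumption of this example. One consequence of IMMUTABLE tags worth knowing before the push step: a tag such as :latest can be pushed exactly once, so each build should carry a unique version tag.

```hcl
# Added example, not the repository's own code. Module input names are assumed
# to match terraform-aws-modules/ecr/aws 1.1.1; variable defaults mirror the
# README's Inputs table.

terraform {
  required_version = ">= 1.1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0.0"
    }
  }
}

variable "aws_region" {
  type    = string
  default = "us-west-2"
}

variable "repository_name" {
  type    = string
  default = "ceros-ski"
}

provider "aws" {
  region = var.aws_region
}

# The identity running terraform apply; used below as the only principal
# allowed to push (assumption of this example, not a project requirement)
data "aws_caller_identity" "current" {}

module "ecr" {
  source  = "terraform-aws-modules/ecr/aws"
  version = "1.1.1"

  repository_name = var.repository_name
  repository_type = "private"

  # A pushed tag can never be overwritten, so ":v1.2.3" always resolves to
  # the same image digest and rollbacks are deterministic
  repository_image_tag_mutability = "IMMUTABLE"

  # Every pushed image is scanned for known CVEs (ECR basic scanning)
  repository_image_scan_on_push = true

  # Push/pull only for the deploying identity; the registry stays private
  repository_read_write_access_arns = [data.aws_caller_identity.current.arn]

  # Keep the three most recent revisions; older images expire automatically
  create_lifecycle_policy = true
  repository_lifecycle_policy = jsonencode({
    rules = [{
      rulePriority = 1
      description  = "keep the 3 most recent images"
      selection = {
        tagStatus   = "any"
        countType   = "imageCountMoreThan"
        countNumber = 3
      }
      action = { type = "expire" }
    }]
  })

  tags = { Application = var.repository_name }
}

# Matches output-2 in the NOTE list
output "repository_url" {
  value = module.ecr.repository_url
}
```

With this in place, `terraform apply -target="module.ecr"` creates only the registry; any of the defaults above can be overridden from terraform.tfvars exactly as the NOTE list describes (for example `repository_name = "my-app"`).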

Login to ECR

aws ecr get-login-password --region <aws_region> --profile <iam_sa_account> \
  | docker login --username AWS --password-stdin <aws_account_id>.dkr.ecr.<aws_region>.amazonaws.com

The password is piped straight from the AWS CLI into docker login so the token never appears on a command line (the original `echo $(...)` form exposed it in the process argument list); the login target is the registry host, which covers every repository in it.

Pushing a Ready Tagged Docker Image to prepare for the App deployment

docker push <aws_account_id>.dkr.ecr.<aws_region>.amazonaws.com/ceros-ski:latest

Building the ECS Stack

  • create the service-linked role for ECS

aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com --profile <iam_sa_account>

  • launch the ECS stack

terraform plan

terraform apply

Outputs:
.
..
...
aws_iam_user_arn = "arn:aws:iam::595036287105:user/sa_account"
aws_lb_dns_name = "ceros-ski-production-ecs-2093411846.us-west-2.elb.amazonaws.com"
repository_url = "595036287105.dkr.ecr.us-west-2.amazonaws.com/ceros-ski"
vpc_id = "vpc-01e137e8af320a03a"
vpc_public_subnets = [
  "subnet-0e378c5bbe9bbd3af",
  "subnet-0fdf905782582e80d",
]
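The Resources table below lists the pieces of the ECS stack but the README does not show how they fit together, so here is an added example (not the repository's own code) of the container-instance side: the agent role with a trimmed policy, the instance profile, the ECS-optimized AMI resolved from the SSM parameter AWS publishes, and a launch configuration that requires IMDSv2. Resource names follow the table (ecs_agent, cluster_ami_id, cluster); the instance type, the naming scheme and the exact policy actions are assumptions. The service-linked role created in the step above is a one-off per account: if AWSServiceRoleForECS already exists, `create-service-linked-role` returns an InvalidInputException and can be skipped.

```hcl
# Added example, not the repository's own code. Names follow the README's
# Resources table; instance type, naming and policy actions are assumptions.

variable "repository_name" {
  type    = string
  default = "ceros-ski"
}

variable "environment" {
  type    = string
  default = "production"
}

locals {
  name = "${var.repository_name}-${var.environment}"
}

resource "aws_ecs_cluster" "cluster" {
  name = "${local.name}-ecs"
}

# Only EC2 instances may assume the agent role (no users, no other services)
data "aws_iam_policy_document" "ecs_agent_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "ecs_agent" {
  name               = "${local.name}-ecs-agent"
  assume_role_policy = data.aws_iam_policy_document.ecs_agent_assume_role_policy.json
}

# Least privilege for the host agent (an assumed subset of the AWS managed
# AmazonEC2ContainerServiceforEC2Role policy): register with and poll the
# cluster, pull from ECR, write container logs. Application permissions
# belong in the task role, never in this role.
data "aws_iam_policy_document" "ecs_agent" {
  statement {
    sid = "EcsAgent"
    actions = [
      "ecs:DeregisterContainerInstance",
      "ecs:DiscoverPollEndpoint",
      "ecs:Poll",
      "ecs:RegisterContainerInstance",
      "ecs:StartTelemetrySession",
      "ecs:UpdateContainerInstancesState",
      "ecs:Submit*",
    ]
    resources = ["*"]
  }
  statement {
    sid = "EcrPull"
    actions = [
      "ecr:GetAuthorizationToken",
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
    ]
    resources = ["*"]
  }
  statement {
    sid       = "ContainerLogs"
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "ecs_agent" {
  name   = "${local.name}-ecs-agent"
  policy = data.aws_iam_policy_document.ecs_agent.json
}

resource "aws_iam_role_policy_attachment" "ecs_agent" {
  role       = aws_iam_role.ecs_agent.name
  policy_arn = aws_iam_policy.ecs_agent.arn
}

resource "aws_iam_instance_profile" "ecs_agent" {
  name = "${local.name}-ecs-agent"
  role = aws_iam_role.ecs_agent.name
}

# Current ECS-optimized Amazon Linux 2 AMI, resolved from the parameter AWS
# publishes instead of a hard-coded per-region AMI id that goes stale
data "aws_ssm_parameter" "cluster_ami_id" {
  name = "/aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id"
}

resource "aws_launch_configuration" "cluster" {
  name_prefix          = "${local.name}-"
  image_id             = data.aws_ssm_parameter.cluster_ami_id.value
  instance_type        = "t3.small"
  iam_instance_profile = aws_iam_instance_profile.ecs_agent.name

  # Point the agent at this cluster at boot
  user_data = "#!/bin/bash\necho ECS_CLUSTER=${aws_ecs_cluster.cluster.name} >> /etc/ecs/ecs.config\n"

  # IMDSv2 only: the instance role credentials are not served to a plain
  # unauthenticated GET, which limits what a compromised container can reach
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  lifecycle {
    create_before_destroy = true
  }
}
```

The autoscaling group, task definition, service and load balancer from the Resources table build on top of this launch configuration; the split between the agent role here and a separate task role is what keeps image pull and cluster registration permissions away from the application code.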

TechDebt

  • Container orchestration currently runs ECS on container instances (EC2 instances running the ECS container agent)
  • Consider migrating to AWS Fargate or EKS, where AWS manages the underlying compute
  • DNS record management for the application
  • TLS/SSL setup to serve the application over HTTPS

Requirements

| Name      | Version  |
|-----------|----------|
| terraform | >= 1.1.0 |
| aws       | >= 4.0.0 |

Providers

| Name | Version  |
|------|----------|
| aws  | >= 4.0.0 |

Modules

| Name           | Source                                  | Version |
|----------------|-----------------------------------------|---------|
| ecr            | terraform-aws-modules/ecr/aws            | 1.1.1   |
| key_pair       | terraform-aws-modules/key-pair/aws       | 1.0.1   |
| security_group | terraform-aws-modules/security-group/aws | 4.9.0   |
| vpc            | terraform-aws-modules/vpc/aws            | 3.14.0  |

Resources

| Name                                                   | Type        |
|--------------------------------------------------------|-------------|
| aws_autoscaling_group.cluster                          | resource    |
| aws_ecs_cluster.cluster                                | resource    |
| aws_ecs_service.backend                                | resource    |
| aws_ecs_task_definition.backend                        | resource    |
| aws_iam_instance_profile.ecs_agent                     | resource    |
| aws_iam_policy.ecs_agent                               | resource    |
| aws_iam_role.ecs_agent                                 | resource    |
| aws_iam_role_policy_attachment.ecs_agent               | resource    |
| aws_launch_configuration.cluster                       | resource    |
| aws_lb.ecs                                             | resource    |
| aws_lb_listener.backend                                | resource    |
| aws_lb_target_group.backend                            | resource    |
| aws_iam_policy_document.ecs_agent                      | data source |
| aws_iam_policy_document.ecs_agent_assume_role_policy   | data source |
| aws_iam_role.ecs_service                               | data source |
| aws_iam_user.current                                   | data source |
| aws_ssm_parameter.cluster_ami_id                       | data source |

Inputs

| Name                       | Description                                            | Type         | Default                            | Required |
|----------------------------|--------------------------------------------------------|--------------|------------------------------------|----------|
| aws_credentials_file       | File containing AWS credentials                        | string       | "~/.aws/credentials"               | no       |
| aws_profile                | AWS account profile / IAM user                         | string       | "sa_auto"                          | no       |
| aws_region                 | AWS region in which to provision cloud resources       | string       | "us-west-2"                        | no       |
| environment                | Name of the provisioned environment                    | string       | "production"                       | no       |
| repository_name            | Name of the private Docker image registry              | string       | "ceros-ski"                        | no       |
| service_account_key        | Management/service account SSH public key              | string       | "~/.ssh/id_rsa.pub"                | no       |
| vpc_azs                    | Availability zones for the VPC                         | list(string) | ["us-west-2a", "us-west-2c"]       | no       |
| vpc_cidr                   | CIDR block for the VPC                                 | string       | "172.0.0.0/16"                     | no       |
| vpc_enable_nat_gateway     | Enable NAT gateway for the VPC                         | bool         | true                               | no       |
| vpc_name                   | Name of the VPC                                        | string       | "vpc-ceros-ski"                    | no       |
| vpc_one_nat_gateway_per_az | Enable one NAT gateway per availability zone           | bool         | true                               | no       |
| vpc_public_subnets         | Public subnets for the VPC                             | list(string) | ["172.0.1.0/24", "172.0.3.0/24"]   | no       |
| vpc_single_nat_gateway     | Enable a single NAT gateway for the VPC                | bool         | true                               | no       |
| vpc_tags                   | Tags for resources in the VPC module                   | map(string)  | {"Application": "ceros-ski"}       | no       |

Outputs

| Name               | Description                               |
|--------------------|-------------------------------------------|
| aws_iam_user_arn   | ARN of the current AWS IAM user           |
| aws_lb_dns_name    | Load balancer DNS name of the ECS cluster |
| repository_url     | The URL of the repository                 |
| vpc_id             | ID of the provisioned VPC                 |
| vpc_public_subnets | IDs of the public subnets in the VPC      |
