Add support for FARGATE #3
base: master
Hi @neillturner, Thank you for your pull request! Sorry my replies are late, and by the way, I have tried it just now. I haven't tried it yet so far since Fargate is not available in my region (but I've tried it in It seems that there's more modification needed, I'll add my comments soon.
Also, I found this blog post is very helpful in decoding AWS error messages. We can also write it somewhere in the README.md.
Thank you for your work. Feel free to fix it and try again at your convenience.
@@ -10,7 +10,7 @@ desired_capacity_on_demand = 2 | |||
ec2_key_name = "key-name" | |||
instance_type = "t2.micro" | |||
minimum_healthy_percent_webapp = 50 | |||
|
|||
launch_type = "EC2" # can also be "FARGATE" |
desired_capacity_on_demand, ec2_key_name, and instance_type are also not needed for Fargate.
And also, I guess it makes more sense to use us-east-1 in the aws_region example here (instead of ap-northeast-1).
launch_type = "FARGATE" | ||
desired_count = "${var.count_webapp}" | ||
deployment_minimum_healthy_percent = "${var.minimum_healthy_percent_webapp}" | ||
iam_role = "${var.ecs_service_role}" |
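Review bot: launch_type is hard-coded to "FARGATE" on the first line of this hunk, while the variables example in this PR introduces a launch_type setting with the value "EC2", so changing that setting would have no effect on this service. If one resource is meant to serve both launch types, reference the variable here; if this is a separate Fargate-only resource, gate it with a count on that variable so it is not created for EC2 deployments.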
With Fargate, we don't need to create ecs_service_role or even pass iam_role here, since Fargate will automatically use service-linked roles for ECS.
You cannot specify an IAM role for services that require a service linked role
See: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using-service-linked-roles.html
It might be good to put this URL in the README.md, in case someone needs to use custom rule service linked roles.
For now, I think it's a good idea to put launch_type variable in static and we can decide whether we need to create ecs_service_role via count = "${var.launch_type == "FARGATE" ? 1 : 0}".
network_configuration { | ||
security_groups = ["${var.sg_webapp_instances_id}"] | ||
subnets = ["${split(",", var.subnet_ids)}"] | ||
} |
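Review bot: security_groups in this block reuses var.sg_webapp_instances_id, a group named for the container instances. Inside network_configuration the group is attached to each task's own network interface, so whatever ingress that group allows for the hosts would apply directly to the tasks. Consider a dedicated security group for the tasks that admits only the application port, and note in the variables example that the subnets passed here need an outbound route for image pulls.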
For this example, we need to add assign_public_ip = "true" for Fargate (since we don't create NAT). Otherwise, our tasks won't be able to pull the Docker image from ECR or public Docker Hub. It will return:
CannotPullContainerError: API error (500): Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
See samuelkarp's answer here.
you either need private IP + NAT or a public IP + IGW. In your example, the task that's failing has neither NAT nor a public IP.
Terraform documentation: https://www.terraform.io/docs/providers/aws/r/ecs_service.html#assign_public_ip
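The two service variants discussed in the review comments above, written out as an added example that is not part of the pull request or the project's code. It assumes Terraform 0.11 interpolation syntax as used in the diff; cluster_id, task_definition_arn, target_group_arn, the container name and the port are assumed names and constructed values.

```hcl
# Added example, not code from the pull request. Variables not visible in the
# diff (cluster_id, task_definition_arn, target_group_arn) are assumed names.
variable "launch_type" { default = "EC2" } # "EC2" or "FARGATE"
variable "cluster_id" {}
variable "task_definition_arn" {}
variable "target_group_arn" {}
variable "count_webapp" {}
variable "minimum_healthy_percent_webapp" {}
variable "ecs_service_role" { default = "" } # only read by the EC2 variant
variable "sg_webapp_instances_id" {}
variable "subnet_ids" {}

# EC2 launch type: the service passes an explicit IAM role for load balancer
# registration and has no network_configuration block.
resource "aws_ecs_service" "webapp_ec2" {
  count                              = "${var.launch_type == "EC2" ? 1 : 0}"
  name                               = "webapp"
  cluster                            = "${var.cluster_id}"
  task_definition                    = "${var.task_definition_arn}"
  launch_type                        = "EC2"
  desired_count                      = "${var.count_webapp}"
  deployment_minimum_healthy_percent = "${var.minimum_healthy_percent_webapp}"
  iam_role                           = "${var.ecs_service_role}"
  load_balancer {
    target_group_arn = "${var.target_group_arn}"
    container_name   = "webapp" # constructed value
    container_port   = 80       # constructed value
  }
}

# Fargate: iam_role is omitted (ECS uses its service-linked role). The task
# definition must use awsvpc network mode, so network_configuration is required.
# Without a NAT gateway, the task needs a public IP to pull its image.
resource "aws_ecs_service" "webapp_fargate" {
  count                              = "${var.launch_type == "FARGATE" ? 1 : 0}"
  name                               = "webapp"
  cluster                            = "${var.cluster_id}"
  task_definition                    = "${var.task_definition_arn}"
  launch_type                        = "FARGATE"
  desired_count                      = "${var.count_webapp}"
  deployment_minimum_healthy_percent = "${var.minimum_healthy_percent_webapp}"
  network_configuration {
    security_groups  = ["${var.sg_webapp_instances_id}"]
    subnets          = ["${split(",", var.subnet_ids)}"]
    assign_public_ip = "true"
  }
  load_balancer {
    target_group_arn = "${var.target_group_arn}"
    container_name   = "webapp"
    container_port   = 80
  }
}
```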
@@ -29,3 +29,4 @@ subnet_ids = "subnet-34567890,subnet-4567890a" | |||
|
|||
ecs_instance_profile = "arn:aws:iam::123456789012:instance-profile/tutorial-test_ecs_instance_profile" | |||
ecs_service_role = "tutorial-test_ecs_service_role" | |||
ecs_task_execution_role = "arn:aws:iam::123456789012:role/tutorial-test_ecs_task_execution_role" # only used with launch type FARGATE |
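Review bot: ecs_task_execution_role on the last line is given as a full role ARN while ecs_service_role on the line above it is a bare role name, and the trailing comment says when the value is used but not which form is expected. Suggest stating "role ARN" in the comment and saying whether the setting can be left empty when the launch type is EC2, so users do not copy a placeholder account ID into a deployment that never reads it.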
ecs_service_role is not needed for FARGATE.
I set it up to run both FARGATE and EC2. There are some IAM entities that are not needed when using FARGATE but needed when using EC2.
This needs a little more testing. I think I have all the right configuration.