Showing posts with label ECS. Show all posts

Friday, December 23, 2022

ECS: Running Tasks and Task Definitions

Yay, Friday night, personal learning time!  

I'm starting to look into next steps of "how would I deploy new versions of my Spring Boot Application to ECS"?

Initial thoughts would be to do the following:

  1. Update Spring Boot App
  2. Test locally
  3. Commit/push changes to GitHub
  4. Create new local Docker Image
  5. Push new Docker Image to ECR as a new version in the existing Repo
  6. Create a new Revision of Task Definition (currently at Revision 1)
  7. Stop current Running Task
  8. Run Task using new version of Task Definition
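A sketch of step 6, added here as an example and not code from the original post: the output of describe-task-definition cannot be passed straight back to register-task-definition, because it carries read-only fields, so the new revision's input is built by dropping those and swapping the image tag. The account ID, repository name, family name and role name in the sample are constructed placeholders.

```python
import copy

# Fields that describe-task-definition returns but register-task-definition rejects.
READ_ONLY = {"taskDefinitionArn", "revision", "status", "requiresAttributes",
             "compatibilities", "registeredAt", "registeredBy", "deregisteredAt"}

def next_revision_input(described, container_name, new_image):
    """Build register-task-definition input from an existing revision,
    changing only the image of one named container."""
    td = {k: v for k, v in copy.deepcopy(described).items() if k not in READ_ONLY}
    matches = [c for c in td["containerDefinitions"] if c["name"] == container_name]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one container named {container_name!r}")
    if matches[0]["image"] == new_image:
        raise ValueError("image unchanged; the new revision would be identical")
    matches[0]["image"] = new_image
    return td

# Constructed sample of what Revision 1 might look like (placeholder account ID and names).
REPO = "111122223333.dkr.ecr.us-east-1.amazonaws.com/hello-world"
REVISION_1 = {
    "taskDefinitionArn": "arn:aws:ecs:us-east-1:111122223333:task-definition/hello-world:1",
    "family": "hello-world",
    "revision": 1,
    "status": "ACTIVE",
    "networkMode": "awsvpc",
    "requiresCompatibilities": ["FARGATE"],
    "compatibilities": ["EC2", "FARGATE"],
    "cpu": "256",
    "memory": "512",
    "executionRoleArn": "arn:aws:iam::111122223333:role/ecsTaskExecutionRole",
    "containerDefinitions": [{
        "name": "hello-world",
        "image": REPO + ":1",
        "essential": True,
        "portMappings": [{"containerPort": 8080, "protocol": "tcp"}],
    }],
}

if __name__ == "__main__":
    import json
    # Prints the JSON that would be registered as Revision 2.
    print(json.dumps(next_revision_input(REVISION_1, "hello-world", REPO + ":2"), indent=2))
```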

First, taking a look at what I have running now in my ECS Cluster:

Here are the details of that cluster (when I click on the cluster-name link):


Finally, putting it all together from my previous posts, here are the details of the Task when I click on the ARN of the Task.  



And note: public IP Address of the Task is 54.237.231.47

Here is me testing that I can hit my Spring Boot App on this public IP Address:

http://54.237.231.47:8080/hello-world?name=philip






Sunday, December 18, 2022

AWS Run Task Definition in Cluster

Finally, putting everything together, we now have an Image in ECR, a Cluster in ECS, and a Task Definition.

From the Task Definition, choose Deploy -> Run task



This brought me to a page with a number of sections about the Task to run. The first 2 were not collapsible, the other 4 were.
  • Environment 
  • Deployment Configuration
  • Networking (collapsed)
  • Task Overrides (collapsed)
  • Container Overrides (collapsed)
  • Tags - optional (collapsed)

Environment

I changed from FARGATE to FARGATE_SPOT. If I were running an actual Production Application, I would have used FARGATE. However, my understanding is that this is going to run on spare/deprioritized AWS Capacity and cost about 70% less.

Deployment Configuration


Networking


Saturday, December 17, 2022

AWS ECS Task Definition

Now that I have an ECR Image (built locally and pushed up from Docker Desktop) and an ECS Cluster created, the next step is to create a Task Definition.


I provided the Container Port of 8080 (same as the one I exposed in the Dockerfile of the Image). 


Here, we are going with the absolute minimum on CPU and Memory since it is a test app.

Note: In order to actually create the Task Def and Containers, I had to go back as the Root User and create an Inline Policy that contained the following IAM Actions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:AttachRolePolicy"
            ],
            "Resource": "*"
        }
    ]
}
Otherwise you will see error messages like this, since AWS is trying to create a Role for running your task.
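
The policy above allows iam:CreateRole and iam:AttachRolePolicy on every role, which lets its holder create a role and attach any managed policy to it. The check below is an added example, not part of the original post: it flags that pattern and compares the post's policy with a narrowed variant. The role name ecsTaskExecutionRole, the managed policy AmazonECSTaskExecutionRolePolicy and the account ID 111122223333 are assumptions about what the console creates here; the post does not name them.

```python
from fnmatch import fnmatchcase

# IAM actions that let a principal create a role and give it any permissions.
ESCALATION = ("iam:CreateRole", "iam:AttachRolePolicy")

def as_list(value):
    return value if isinstance(value, list) else [value]

def has_policy_arn_condition(statement):
    """True if any condition operator constrains the iam:PolicyARN key."""
    return any(key.lower() == "iam:policyarn"
               for operator in statement.get("Condition", {}).values()
               for key in operator)

def risky_grants(policy):
    """Return (action, reason) pairs for unscoped role-creation grants."""
    findings = []
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in as_list(st.get("Action", []))]
        wildcard = "*" in as_list(st.get("Resource", []))
        for target in ESCALATION:
            # Action entries may be patterns such as "iam:*".
            if not any(fnmatchcase(target.lower(), p) for p in patterns):
                continue
            if wildcard:
                findings.append((target, "allowed on every role"))
            if target == "iam:AttachRolePolicy" and not has_policy_arn_condition(st):
                findings.append((target, "any managed policy may be attached"))
    return findings

# The inline policy from the post.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:AttachRolePolicy"], "Resource": "*"}]}

# Constructed narrowed variant; account ID and role name are assumptions.
ROLE = "arn:aws:iam::111122223333:role/ecsTaskExecutionRole"
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:CreateRole", "Resource": ROLE},
    {"Effect": "Allow", "Action": "iam:AttachRolePolicy", "Resource": ROLE,
     "Condition": {"ArnEquals": {"iam:PolicyARN":
         "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"}}}]}

if __name__ == "__main__":
    for name, doc in (("page", PAGE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, risky_grants(doc))
```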

AWS ECS Cluster Creation

I created a cluster using AWS "New ECS Experience" today.  Here is the entry point:




It looks great.  I found it to be much easier and less confusing to navigate than the previous ECS interface.  

On the networking section, they had 6 subnets initially selected, and they recommend at least 3 for production.

Since this is my weekend cloud study/learning project, I don't need to distribute across multiple availability zones for high availability, so I just chose 1 subnet.

One of the big changes is that they are more explicit about letting you know that selecting EC2 instances is in addition to Fargate, not in lieu of Fargate, as seen by the fact that AWS Fargate is checked and disabled (cannot be unselected).

Sunday, December 11, 2022

AWS IAM User/Group/Policies

Next step in my weekend AWS / Container / Spring Boot experimentation is to try and actually get my Docker Image pushed up to ECR.  

It runs fine in my local Docker Desktop, but I want to get it running as a service in AWS ECS.  

In following AWS best practices:

"We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. To view the tasks that require you to sign in as the root user, see AWS Tasks That Require Root User."

Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html?icmpid=docs_iam_console

I created a new IAM user called java-demo and Policy called ECR-PushImages that should allow this IAM user to push to any ECR Repository.  

If I were working in an enterprise environment, I would restrict resources, but since this is home studies, I'm leaving it open.


I'm also creating a Group called java-group, adding the IAM user java-demo to this Group, and assigning ECR-PushImages (and some other out-of-box AWS IAM Policies) to this Group.

Next, I installed the AWS CLI v2 (latest) and configured it using aws configure

It asked me for 4 items:

  • AWS Access Key ID: <access key for java-demo IAM user>
  • AWS Secret Access Key: <secret access key for java-demo IAM user>
  • Default region name: us-east-1
  • Default output format: json

Once this was done, I confirmed that I could connect via CLI to ECR:

C:\>aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin **********.dkr.ecr.us-east-1.amazonaws.com
Login Succeeded