Requirements
To use ECS Compose-X, you need Python 3.6+ and an AWS account. To run commands locally, you need permissions to validate the templates with AWS CloudFormation, as well as for additional features such as Lookup.
AWS Account configuration
We recommend configuring your local profile as described below (if running in EC2/CodeBuild, set the IAM role accordingly).
IAM Permissions to use ECS Compose-X Lookup
To perform Lookup on your resources, such as VPC, ECS Cluster, RDS etc., and to use all the functionality in ECS Compose-X, we highly recommend using the managed policy arn:aws:iam::aws:policy/ReadOnlyAccess, which will Allow List and Describe actions on resources and their settings.
Hint
Although most resource Lookups depend on tagging, some resources need discovery through their native API. Other resources, when supported, use the Cloud Control API to retrieve their properties.
For CloudFormation deployments, we recommend using an IAM role on the stack that has the PowerUser policy.
See an example of the IAM roles we recommend for CICD here.
Permissions to upload files to S3
Given that nested stacks need their own templates to be stored in S3, when using the ecs-compose-x commands up, plan, create, you will need permissions to upload the files into an S3 bucket. You can specify an existing bucket with -b/--bucket on the command line.
Tip
If you run ecs-compose-x init, a new S3 bucket will automatically be created and used when running subsequent compose-x commands.
AWS ECS Settings
In order to use all features, especially the awsvpc networking mode, required with Fargate (and recommended for EC2), you need to enable these settings in your account.
Note
It is important that you enable AWS VPC Trunking to allow each service's tasks to run within the same SecurityGroup and use the extended number of ENIs per instance. Reference: Container ENI Announcement: AWS VPC mode
ECS Account settings can be found at https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html
- ECS - VPC Trunking
- ECS Extended logs and monitoring
Tip
You can now simply run ecs-composex init to do all of the following and create your default S3 bucket for your CFN templates:
ecs-composex init
Deploy manually
aws ecs put-account-setting-default --name awsvpcTrunking --value enabled
aws ecs put-account-setting-default --name serviceLongArnFormat --value enabled
aws ecs put-account-setting-default --name taskLongArnFormat --value enabled
aws ecs put-account-setting-default --name containerInstanceLongArnFormat --value enabled
aws ecs put-account-setting-default --name containerInsights --value enabled
Hint
If you want to enable these settings for a specific IAM role you can assume yourself, from the CLI you can use aws ecs put-account-setting as opposed to aws ecs put-account-setting-default:
aws ecs put-account-setting --name awsvpcTrunking --value enabled
aws ecs put-account-setting --name serviceLongArnFormat --value enabled
aws ecs put-account-setting --name taskLongArnFormat --value enabled
aws ecs put-account-setting --name containerInstanceLongArnFormat --value enabled
aws ecs put-account-setting --name containerInsights --value enabled
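To confirm which of the settings above are actually in effect for the principal you deploy with, the following added example (not part of ECS Compose-X) reads the effective ECS account settings and prints only the commands from this page that are still needed. The function names and the --live switch are hypothetical, the sample response is constructed, and the live path assumes boto3 and configured credentials.

```python
# Setting names and the expected value are the ones this page enables.
REQUIRED = (
    "awsvpcTrunking", "serviceLongArnFormat", "taskLongArnFormat",
    "containerInstanceLongArnFormat", "containerInsights",
)

# Constructed sample in the shape of an ECS ListAccountSettings response.
SAMPLE_RESPONSE = {"settings": [
    {"name": "awsvpcTrunking", "value": "enabled"},
    {"name": "serviceLongArnFormat", "value": "enabled"},
    {"name": "taskLongArnFormat", "value": "disabled"},
    {"name": "containerInsights", "value": "enabled"},
]}


def fetch_effective_settings(session=None):
    """Return every effective ECS account setting for the calling principal."""
    import boto3  # imported here so the checks below work without boto3

    ecs = (session or boto3).client("ecs")
    settings, kwargs = [], {"effectiveSettings": True}
    while True:  # follow nextToken until the last page
        page = ecs.list_account_settings(**kwargs)
        settings.extend(page.get("settings", []))
        if not page.get("nextToken"):
            return {"settings": settings}
        kwargs["nextToken"] = page["nextToken"]


def not_enabled(response):
    """Map each required setting that is not 'enabled' to its current value.

    A setting missing from the response is reported with the value None.
    """
    current = {s["name"]: s.get("value") for s in response.get("settings", [])}
    return {n: current.get(n) for n in REQUIRED if current.get(n) != "enabled"}


def remediation_commands(response, account_default=True):
    """Build the CLI commands from this page for settings still to enable."""
    verb = "put-account-setting-default" if account_default else "put-account-setting"
    return [f"aws ecs {verb} --name {n} --value enabled" for n in not_enabled(response)]


if __name__ == "__main__":
    import sys
    # Pass --live to query AWS; otherwise the constructed sample is used.
    live = "--live" in sys.argv
    for command in remediation_commands(fetch_effective_settings() if live else SAMPLE_RESPONSE):
        print(command)
```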