diff --git a/docs/roles/deploy_container.md b/docs/roles/deploy_container.md
index 9970dc39..8152cedc 100644
--- a/docs/roles/deploy_container.md
+++ b/docs/roles/deploy_container.md
@@ -66,17 +66,20 @@ deploy_container:
 aws_profile: example2 # might not be the same account
 vpc_name: example
 #vpc_id: vpc-XXXXXXX # optionally specify VPC ID to use
- subnets: # list of public subnet names
- - example-dev-a
- - example-dev-b
 security_groups: [] # list of security groups, accepts names or IDs
 cluster_name: example-cluster
 family_name: example-task-definition
 task_definition_revision: "" # integer, but must be presented as a string for Jinja2
 task_definition_force_create: false # creates a task definition revision every time if set to true
+ task_execution_role_arn: "arn:aws:iam::000000000000:role/ecsTaskExecutionRole" # ARN of the IAM role to run the task as, must have access to the ECR repository if applicable
+ #task_role_arn: "" # required if you set service_enable_ssm to true
 task_count: 1
 task_minimum_count: 1
 task_maximum_count: 4
+ # These subnets are usually the subnets created by ce-provision when you made your ECS cluster and must have a NAT gateway for ECR access.
+ service_subnets: # list of private subnet names
+ - example-cluster-dev-a
+ - example-cluster-dev-b
 # See docs for values: https://docs.aws.amazon.com/autoscaling/application/APIReference/API_TargetTrackingScalingPolicyConfiguration.html
 service_autoscale_metric_type: ECSServiceAverageCPUUtilization
 service_autoscale_up_cooldown: 120
@@ -85,7 +88,6 @@ deploy_container:
 service_public_container_ip: false # set to true to make containers appear on an EIP - more details: https://stackoverflow.com/a/66802973
 service_enable_ssm: false # set to true to allow arbitrary command execution on containers via the AWS API
 service_force_refresh: false # forces a refresh of all containers if set to true
- execution_role_arn: "arn:aws:iam::000000000000:role/ecsTaskExecutionRole" # ARN of the IAM role to run the task as, must have access to the ECR repository if applicable
 containers: # list of container definitions, see docs: https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_taskdefinition_module.html#parameter-containers
 - name: example-container
 essential: true
@@ -122,6 +124,9 @@ deploy_container:
 extra_domains: [] # list of Subject Alternative Name domains and zones
 ssl_certificate_ARN: "" # optional SSL cert ARN if you imported one into AWS Certificate Manager
 elb_security_groups: [] # default SG is used if none provided - module supports names or IDs
+ elb_subnets: # must be public subnets for public facing applications
+ - example-dev-a
+ - example-dev-b
 elb_http_port: 80
 elb_https_port: 443
 elb_ssl_policy: ELBSecurityPolicy-TLS13-1-2-2021-06 # see https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies
diff --git a/roles/deploy_container/README.md b/roles/deploy_container/README.md
index 9970dc39..8152cedc 100644
--- a/roles/deploy_container/README.md
+++ b/roles/deploy_container/README.md
@@ -66,17 +66,20 @@ deploy_container:
 aws_profile: example2 # might not be the same account
 vpc_name: example
 #vpc_id: vpc-XXXXXXX # optionally specify VPC ID to use
- subnets: # list of public subnet names
- - example-dev-a
- - example-dev-b
 security_groups: [] # list of security groups, accepts names or IDs
 cluster_name: example-cluster
 family_name: example-task-definition
 task_definition_revision: "" # integer, but must be presented as a string for Jinja2
 task_definition_force_create: false # creates a task definition revision every time if set to true
+ task_execution_role_arn: "arn:aws:iam::000000000000:role/ecsTaskExecutionRole" # ARN of the IAM role to run the task as, must have access to the ECR repository if applicable
+ #task_role_arn: "" # required if you set service_enable_ssm to true
 task_count: 1
 task_minimum_count: 1
 task_maximum_count: 4
+ # These subnets are usually the subnets created by ce-provision when you made your ECS cluster and must have a NAT gateway for ECR access.
+ service_subnets: # list of private subnet names
+ - example-cluster-dev-a
+ - example-cluster-dev-b
 # See docs for values: https://docs.aws.amazon.com/autoscaling/application/APIReference/API_TargetTrackingScalingPolicyConfiguration.html
 service_autoscale_metric_type: ECSServiceAverageCPUUtilization
 service_autoscale_up_cooldown: 120
@@ -85,7 +88,6 @@ deploy_container:
 service_public_container_ip: false # set to true to make containers appear on an EIP - more details: https://stackoverflow.com/a/66802973
 service_enable_ssm: false # set to true to allow arbitrary command execution on containers via the AWS API
 service_force_refresh: false # forces a refresh of all containers if set to true
- execution_role_arn: "arn:aws:iam::000000000000:role/ecsTaskExecutionRole" # ARN of the IAM role to run the task as, must have access to the ECR repository if applicable
 containers: # list of container definitions, see docs: https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_taskdefinition_module.html#parameter-containers
 - name: example-container
 essential: true
@@ -122,6 +124,9 @@ deploy_container:
 extra_domains: [] # list of Subject Alternative Name domains and zones
 ssl_certificate_ARN: "" # optional SSL cert ARN if you imported one into AWS Certificate Manager
 elb_security_groups: [] # default SG is used if none provided - module supports names or IDs
+ elb_subnets: # must be public subnets for public facing applications
+ - example-dev-a
+ - example-dev-b
 elb_http_port: 80
 elb_https_port: 443
 elb_ssl_policy: ELBSecurityPolicy-TLS13-1-2-2021-06 # see https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies
diff --git a/roles/deploy_container/defaults/main.yml b/roles/deploy_container/defaults/main.yml
index a9b7e9d9..be178aca 100644
--- a/roles/deploy_container/defaults/main.yml
+++ b/roles/deploy_container/defaults/main.yml
@@ -28,17 +28,20 @@ deploy_container:
 aws_profile: example2 # might not be the same account
 vpc_name: example
 #vpc_id: vpc-XXXXXXX # optionally specify VPC ID to use
- subnets: # list of public subnet names
- - example-dev-a
- - example-dev-b
 security_groups: [] # list of security groups, accepts names or IDs
 cluster_name: example-cluster
 family_name: example-task-definition
 task_definition_revision: "" # integer, but must be presented as a string for Jinja2
 task_definition_force_create: false # creates a task definition revision every time if set to true
+ task_execution_role_arn: "arn:aws:iam::000000000000:role/ecsTaskExecutionRole" # ARN of the IAM role to run the task as, must have access to the ECR repository if applicable
+ #task_role_arn: "" # required if you set service_enable_ssm to true
 task_count: 1
 task_minimum_count: 1
 task_maximum_count: 4
+ # These subnets are usually the subnets created by ce-provision when you made your ECS cluster and must have a NAT gateway for ECR access.
+ service_subnets: # list of private subnet names
+ - example-cluster-dev-a
+ - example-cluster-dev-b
 # See docs for values: https://docs.aws.amazon.com/autoscaling/application/APIReference/API_TargetTrackingScalingPolicyConfiguration.html
 service_autoscale_metric_type: ECSServiceAverageCPUUtilization
 service_autoscale_up_cooldown: 120
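Review bot: The comment on the new `task_execution_role_arn` line describes the role as the one "to run the task as", but in ECS the execution role is the identity the container agent uses to pull the image and ship logs, while the identity the application code actually assumes is `task_role_arn`, which this hunk adds commented out. Describing the execution role that way invites granting application permissions to it, which over-privileges the agent-side role and leaves the task itself with no identity of its own. Suggest `task_execution_role_arn: "arn:aws:iam::000000000000:role/ecsTaskExecutionRole" # ARN of the IAM role the ECS agent uses to start the task (pull from ECR, write logs) - not the role your application code runs as, see task_role_arn`. The same comment text is repeated in the docs/roles/deploy_container.md and roles/deploy_container/README.md hunks above.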
@@ -47,7 +50,6 @@ deploy_container:
 service_public_container_ip: false # set to true to make containers appear on an EIP - more details: https://stackoverflow.com/a/66802973
 service_enable_ssm: false # set to true to allow arbitrary command execution on containers via the AWS API
 service_force_refresh: false # forces a refresh of all containers if set to true
- execution_role_arn: "arn:aws:iam::000000000000:role/ecsTaskExecutionRole" # ARN of the IAM role to run the task as, must have access to the ECR repository if applicable
 containers: # list of container definitions, see docs: https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_taskdefinition_module.html#parameter-containers
 - name: example-container
 essential: true
@@ -84,6 +86,9 @@ deploy_container:
 extra_domains: [] # list of Subject Alternative Name domains and zones
 ssl_certificate_ARN: "" # optional SSL cert ARN if you imported one into AWS Certificate Manager
 elb_security_groups: [] # default SG is used if none provided - module supports names or IDs
+ elb_subnets: # must be public subnets for public facing applications
+ - example-dev-a
+ - example-dev-b
 elb_http_port: 80
 elb_https_port: 443
 elb_ssl_policy: ELBSecurityPolicy-TLS13-1-2-2021-06 # see https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies
diff --git a/roles/deploy_container/tasks/main.yml b/roles/deploy_container/tasks/main.yml
index de12e5bc..6c68bebd 100644
--- a/roles/deploy_container/tasks/main.yml
+++ b/roles/deploy_container/tasks/main.yml
@@ -115,11 +115,19 @@
 - name: Reset subnets lists.
 ansible.builtin.set_fact:
 _aws_ecs_cluster_public_subnets_ids: []
+ _aws_ecs_cluster_private_subnets_ids: []
 when: deploy_container.aws_ecs.enabled
 
 - name: Construct list of public subnet IDs.
- ansible.builtin.include_tasks: subnet.yml
- with_items: "{{ deploy_container.aws_ecs.subnets }}"
+ ansible.builtin.include_tasks: subnet-public.yml
+ with_items: "{{ deploy_container.aws_ecs.elb_subnets }}"
+ loop_control:
+ loop_var: subnet
+ when: deploy_container.aws_ecs.enabled
+
+- name: Construct list of private subnet IDs.
+ ansible.builtin.include_tasks: subnet-private.yml
+ with_items: "{{ deploy_container.aws_ecs.service_subnets }}"
 loop_control:
 loop_var: subnet
 when: deploy_container.aws_ecs.enabled
@@ -130,7 +138,8 @@
 region: "{{ deploy_container.aws_ecs.region }}"
 profile: "{{ deploy_container.aws_ecs.aws_profile }}"
 family: "{{ deploy_container.aws_ecs.family_name }}"
- execution_role_arn: "{{ deploy_container.aws_ecs.execution_role_arn }}"
+ execution_role_arn: "{{ deploy_container.aws_ecs.task_execution_role_arn }}"
+ task_role_arn: "{{ deploy_container.aws_ecs.task_role_arn | default(omit) }}"
 containers: "{{ deploy_container.aws_ecs.containers }}"
 launch_type: "{{ deploy_container.aws_ecs.launch_type }}"
 cpu: "{{ deploy_container.aws_ecs.cpu | default(omit) }}"
@@ -291,7 +300,7 @@
 containerPort: "{{ deploy_container.aws_ecs.target_group_port }}"
 targetGroupArn: "{{ _aws_ecs_target_group.target_group_arn }}"
 network_configuration:
- subnets: "{{ _aws_ecs_cluster_public_subnets_ids }}"
+ subnets: "{{ _aws_ecs_cluster_private_subnets_ids }}" # internal private subnet
 security_groups: "{{ deploy_container.aws_ecs.security_groups }}"
 assign_public_ip: "{{ deploy_container.aws_ecs.service_public_container_ip }}"
 tags: "{{ deploy_container.aws_ecs.tags }}"
diff --git a/roles/deploy_container/tasks/subnet-private.yml b/roles/deploy_container/tasks/subnet-private.yml
new file mode 100644
index 00000000..2335cb89
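Review bot: The new `task_role_arn` line silently drops the parameter via `default(omit)` when the variable is unset, yet the defaults in this same commit state that a task role is required once `service_enable_ssm` is true; the inconsistency only surfaces as a runtime failure after the task definition has already been registered, or as a service whose command-execution feature cannot work because the task has no role to carry the SSM permissions. A guard before the task-definition task makes the requirement explicit and fails early. The enclosing task-definition task starts outside the hunk, so the check below goes immediately before it.
```yaml
- name: Check a task role is set when container command execution (SSM) is enabled.
  ansible.builtin.assert:
    that:
      - deploy_container.aws_ecs.task_role_arn is defined
      - deploy_container.aws_ecs.task_role_arn | length > 0
    fail_msg: "deploy_container.aws_ecs.task_role_arn must be set when service_enable_ssm is true."
  when:
    - deploy_container.aws_ecs.enabled
    - deploy_container.aws_ecs.service_enable_ssm | bool

# … unchanged: task definition task with execution_role_arn / task_role_arn as in the hunk …
```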
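Review bot: Switching `subnets` to `_aws_ecs_cluster_private_subnets_ids` leaves the neighbouring `assign_public_ip` line at odds with its documentation: the defaults describe `service_public_container_ip` as putting containers on an EIP, but a public IP assigned in a subnet that reaches the internet only through a NAT gateway (the requirement the defaults state for `service_subnets`) is not routable from outside, so enabling it now produces exposure-looking configuration with no function, or a mistaken belief that tasks are reachable. Suggest documenting the new constraint on the defaults line, `service_public_container_ip: false # only meaningful if service_subnets are public subnets with an internet gateway route; tasks are placed in service_subnets, not elb_subnets`, or asserting that the two are not combined. The enclosing service task starts outside the hunk.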
--- /dev/null
+++ b/roles/deploy_container/tasks/subnet-private.yml
@@ -0,0 +1,13 @@
+- name: Gather private subnet information.
+ amazon.aws.ec2_vpc_subnet_info:
+ profile: "{{ deploy_container.aws_ecs.aws_profile }}"
+ region: "{{ deploy_container.aws_ecs.region }}"
+ filters:
+ vpc-id: "{{ _aws_ecs_cluster_vpc_id }}"
+ tag:Name: "{{ subnet }}"
+ register: _aws_ecs_cluster_private_subnet
+ delegate_to: localhost
+
+- name: Add private subnet to the list.
+ ansible.builtin.set_fact:
+ _aws_ecs_cluster_private_subnets_ids: "{{ _aws_ecs_cluster_private_subnets_ids + [ _aws_ecs_cluster_private_subnet.subnets[0].subnet_id ] }}"
diff --git a/roles/deploy_container/tasks/subnet.yml b/roles/deploy_container/tasks/subnet-public.yml
similarity index 100%
rename from roles/deploy_container/tasks/subnet.yml
rename to roles/deploy_container/tasks/subnet-public.yml
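Review bot: `_aws_ecs_cluster_private_subnet.subnets[0].subnet_id` in the set_fact task assumes the Name-tag lookup returned exactly one subnet: zero matches (a typo in `service_subnets`, or the wrong VPC) fails with an opaque undefined-index error, and two matches — Name tags are not unique within a VPC — silently place the service in whichever subnet the API listed first, which may not be the private subnet intended. An assert between the two tasks turns both cases into a clear failure naming the subnet. The renamed subnet-public.yml is not visible here but presumably has the same shape and would want the same check.
```yaml
- name: Gather private subnet information.
  # … unchanged: amazon.aws.ec2_vpc_subnet_info lookup, registered as _aws_ecs_cluster_private_subnet …

- name: Check the private subnet name resolved to exactly one subnet.
  ansible.builtin.assert:
    that:
      - _aws_ecs_cluster_private_subnet.subnets | length == 1
    fail_msg: "Subnet '{{ subnet }}' matched {{ _aws_ecs_cluster_private_subnet.subnets | length }} subnets in VPC {{ _aws_ecs_cluster_vpc_id }}, expected exactly one."
  delegate_to: localhost

# … unchanged: Add private subnet to the list …
```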