https://pulumi.com logo
#general
Title
# general
b

bitter-insurance-72016

07/08/2023, 4:38 PM
Hello house, I built and pushed a docker image using ECR, fargate ECS and load balancer aws resources...but I am not able to access the application through the browser using the load balancer DNS. Please I need help. Thank you.
e

elegant-gigabyte-8733

07/09/2023, 12:05 AM
Can you share some code?
b

bitter-insurance-72016

07/09/2023, 11:09 PM
Copy code
import pulumi
 import pulumi_docker as docker
 import pulumi_aws as aws
 import json
 from pulumi import export, ResourceOptions
 from pulumi_aws import ecr
 from pulumi_docker import Image
 import base64
 
 # Create an ECS cluster
 cluster = aws.ecs.Cluster('cogito-cluster')
 
 # Create an ECR repository
 repo = aws.ecr.Repository('cogito-repo')
 
 app = 'src/web'
 
 # Create a new VPC
 vpc = aws.ec2.Vpc(
     "cogito-vpc",
     cidr_block="10.0.0.0/16",
     enable_dns_support=True,
     enable_dns_hostnames=True,
     tags={"Name": "cogito-vpc"},
 )
 
 # Create a subnets within the VPC
 subnet1 = aws.ec2.Subnet(
     "cogito-subnet1",
     vpc_id=vpc.id,
     cidr_block="10.0.0.0/24",
     availability_zone="us-east-1a",
     tags={"Name": "cogito-subnet1"},
 )
 
 subnet2 = aws.ec2.Subnet(
     "cogito-subnet2",
     vpc_id=vpc.id,
     cidr_block="10.0.1.0/24",
     availability_zone="us-east-1b",
     tags={"Name": "cogito-subnet2"},
 )
 
 # Create an internet gateway for the VPC
 gateway = aws.ec2.InternetGateway(
     "cogito-internet-gateway",
     vpc_id=vpc.id,
     tags={"Name": "cogito-internet-gateway"},
 )
 
 # Create a route table for the VPC
 route_table = aws.ec2.RouteTable(
     "cogito-route-table",
     vpc_id=vpc.id,
     routes=[aws.ec2.RouteTableRouteArgs(
         cidr_block="0.0.0.0/0",
         gateway_id=gateway.id,
     )],
     tags={"Name": "cogito-route-table"},
 )
 
 # Create security group
 group = aws.ec2.SecurityGroup('cogitoapp-secgrp',
     vpc_id=vpc.id,
     description='Enable HTTP access for cogito app',
     ingress=[aws.ec2.SecurityGroupIngressArgs(
         protocol='tcp',
         from_port=80,
         to_port=80,
         cidr_blocks=['0.0.0.0/0'],
     )],
     egress=[aws.ec2.SecurityGroupEgressArgs(
         protocol='-1',
         from_port=0,
         to_port=0,
         cidr_blocks=['0.0.0.0/0'],
     )],
     tags={"Name": "cogito-sg"},
 )
 
 # Create external load balancer
 alb = aws.lb.LoadBalancer('cogitoapp-lb',
     security_groups=[group.id],
     subnets=[subnet1.id, subnet2.id],
     enable_deletion_protection=False,
     tags={"Name": "cogito-lb"},
 )
 
 # Create target group
 atg = aws.lb.TargetGroup('cogitoapp-tg',
     port=80,
     protocol='HTTP',
     target_type='ip',
     vpc_id=vpc.id,
 )
 
 # Create load balancer listener
 wl = aws.lb.Listener('cogitoweb-listener',
     load_balancer_arn=alb.arn,
     port=80,
     default_actions=[aws.lb.ListenerDefaultActionArgs(
         type='forward',
         target_group_arn=atg.arn,
     )],
 )
 
 
 def create_image_registry(rid):
     creds = ecr.get_credentials(rid)
     decoded = base64.b64decode(creds.authorization_token).decode('utf-8')
     username, password = decoded.split(':')
     return docker.ImageRegistry(creds.proxy_endpoint, username, password)
 
 # Get credentials and create an ImageRegistry from the credentials
 registry = repo.registry_id.apply(lambda rid: create_image_registry(rid))
 
 
 # Create image
 image = docker.Image(app,
     image_name=pulumi.Output.concat(repo.repository_url, ':', '1.0'),
     build=docker.DockerBuild(context=f'./{app}'),
     registry=registry
 )
 
 
 # Create an IAM role that can be used by our service's task.
 role = aws.iam.Role('task-exec-role',
     assume_role_policy=json.dumps({
         'Version': '2008-10-17',
         'Statement': [{
             'Sid': '',
             'Effect': 'Allow',
             'Principal': {
                 'Service': '<http://ecs-tasks.amazonaws.com|ecs-tasks.amazonaws.com>'
             },
             'Action': 'sts:AssumeRole',
         }]
     }),
 )
 
 # Attach IAM to service's task
 rpa = aws.iam.RolePolicyAttachment('task-exec-policy',
     role=role.name,
     policy_arn='arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy',
 )
 
 task_definition = aws.ecs.TaskDefinition('cogitoapp-task',
     family='fargate-task-definition',
     cpu='256',
     memory='512',
     network_mode='awsvpc',
     requires_compatibilities=['FARGATE'],
     execution_role_arn=role.arn,
     container_definitions=json.dumps([{
         'name': 'cogito-app',
         'image': 'repo.repository_url',
         'portMappings': [{
             'containerPort': 80,
             'hostPort': 80,
             'protocol': 'tcp'
         }]
     }])
 )
 
 # Create ECS service
 service = aws.ecs.Service('cogitoapp-svc',
     cluster=cluster.arn,
     desired_count=3,
     launch_type='FARGATE',
     task_definition=task_definition.arn,
     network_configuration=aws.ecs.ServiceNetworkConfigurationArgs(
         assign_public_ip=True,
         subnets=[subnet1.id, subnet2.id],
         security_groups=[group.id],
     ),
     load_balancers=[aws.ecs.ServiceLoadBalancerArgs(
         target_group_arn=atg.arn,
         container_name='cogito-app',
         container_port=80,
     )],
     opts=ResourceOptions(depends_on=[wl]),
 )
 
 
 # Export the necessary values
 pulumi.export('lburl', alb.dns_name)
 pulumi.export("vpc_id", vpc.id)
 pulumi.export("repo_url", repo.repository_url)
e

elegant-gigabyte-8733

07/10/2023, 12:49 AM
Can you reach the IP and port of your container?
b

bitter-insurance-72016

07/10/2023, 7:46 AM
I don't understand
g

glamorous-father-12267

07/10/2023, 9:11 PM
Hi Solomon Please check few things: • Does your subnets has a default route pointing towards IGW? • The ALB you created is of type Public? • Check the health status of fargate instances in ALB target group Not related to the above problem, but I can see you are using single layer of subnets for ur web and application. Although technically it will work, but from best practices pov please keep ur application related stuff like ecs/fargate/dbs/ec2 etc in a separate subnet which is private. Also, try using separate security group for ur ALB and ECS. In this case, ECS is practically exposed to the internet. Cheers and Best wishes
b

bitter-insurance-72016

07/11/2023, 6:14 PM
Thanks you @Dinesh Sharma...I will look into that