Channels
#general
Title
b
bitter-insurance-72016
07/08/2023, 4:38 PMHello house,
I built and pushed a docker image using ECR, fargate ECS and load balancer aws resources...but I am not able to access the application through the browser using the load balancer DNS. Please I need help. Thank you.
e
elegant-gigabyte-8733
07/09/2023, 12:05 AMCan you share some code?
b
bitter-insurance-72016
07/09/2023, 11:09 PM Copy code
import pulumi
import pulumi_docker as docker
import pulumi_aws as aws
import json
from pulumi import export, ResourceOptions
from pulumi_aws import ecr
from pulumi_docker import Image
import base64
# Create an ECS cluster
cluster = aws.ecs.Cluster('cogito-cluster')
# Create an ECR repository
repo = aws.ecr.Repository('cogito-repo')
app = 'src/web'
# Create a new VPC
vpc = aws.ec2.Vpc(
"cogito-vpc",
cidr_block="10.0.0.0/16",
enable_dns_support=True,
enable_dns_hostnames=True,
tags={"Name": "cogito-vpc"},
)
# Create a subnets within the VPC
subnet1 = aws.ec2.Subnet(
"cogito-subnet1",
vpc_id=vpc.id,
cidr_block="10.0.0.0/24",
availability_zone="us-east-1a",
tags={"Name": "cogito-subnet1"},
)
subnet2 = aws.ec2.Subnet(
"cogito-subnet2",
vpc_id=vpc.id,
cidr_block="10.0.1.0/24",
availability_zone="us-east-1b",
tags={"Name": "cogito-subnet2"},
)
# Create an internet gateway for the VPC
gateway = aws.ec2.InternetGateway(
"cogito-internet-gateway",
vpc_id=vpc.id,
tags={"Name": "cogito-internet-gateway"},
)
# Create a route table for the VPC
route_table = aws.ec2.RouteTable(
"cogito-route-table",
vpc_id=vpc.id,
routes=[aws.ec2.RouteTableRouteArgs(
cidr_block="0.0.0.0/0",
gateway_id=gateway.id,
)],
tags={"Name": "cogito-route-table"},
)
# Create security group
group = aws.ec2.SecurityGroup('cogitoapp-secgrp',
vpc_id=vpc.id,
description='Enable HTTP access for cogito app',
ingress=[aws.ec2.SecurityGroupIngressArgs(
protocol='tcp',
from_port=80,
to_port=80,
cidr_blocks=['0.0.0.0/0'],
)],
egress=[aws.ec2.SecurityGroupEgressArgs(
protocol='-1',
from_port=0,
to_port=0,
cidr_blocks=['0.0.0.0/0'],
)],
tags={"Name": "cogito-sg"},
)
# Create external load balancer
alb = aws.lb.LoadBalancer('cogitoapp-lb',
security_groups=[group.id],
subnets=[subnet1.id, subnet2.id],
enable_deletion_protection=False,
tags={"Name": "cogito-lb"},
)
# Create target group
atg = aws.lb.TargetGroup('cogitoapp-tg',
port=80,
protocol='HTTP',
target_type='ip',
vpc_id=vpc.id,
)
# Create load balancer listener
wl = aws.lb.Listener('cogitoweb-listener',
load_balancer_arn=alb.arn,
port=80,
default_actions=[aws.lb.ListenerDefaultActionArgs(
type='forward',
target_group_arn=atg.arn,
)],
)
def create_image_registry(rid):
creds = ecr.get_credentials(rid)
decoded = base64.b64decode(creds.authorization_token).decode('utf-8')
username, password = decoded.split(':')
return docker.ImageRegistry(creds.proxy_endpoint, username, password)
# Get credentials and create an ImageRegistry from the credentials
registry = repo.registry_id.apply(lambda rid: create_image_registry(rid))
# Create image
image = docker.Image(app,
image_name=pulumi.Output.concat(repo.repository_url, ':', '1.0'),
build=docker.DockerBuild(context=f'./{app}'),
registry=registry
)
# Create an IAM role that can be used by our service's task.
role = aws.iam.Role('task-exec-role',
assume_role_policy=json.dumps({
'Version': '2008-10-17',
'Statement': [{
'Sid': '',
'Effect': 'Allow',
'Principal': {
'Service': '<http://ecs-tasks.amazonaws.com|ecs-tasks.amazonaws.com>'
},
'Action': 'sts:AssumeRole',
}]
}),
)
# Attach IAM to service's task
rpa = aws.iam.RolePolicyAttachment('task-exec-policy',
role=role.name,
policy_arn='arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy',
)
task_definition = aws.ecs.TaskDefinition('cogitoapp-task',
family='fargate-task-definition',
cpu='256',
memory='512',
network_mode='awsvpc',
requires_compatibilities=['FARGATE'],
execution_role_arn=role.arn,
container_definitions=json.dumps([{
'name': 'cogito-app',
'image': 'repo.repository_url',
'portMappings': [{
'containerPort': 80,
'hostPort': 80,
'protocol': 'tcp'
}]
}])
)
# Create ECS service
service = aws.ecs.Service('cogitoapp-svc',
cluster=cluster.arn,
desired_count=3,
launch_type='FARGATE',
task_definition=task_definition.arn,
network_configuration=aws.ecs.ServiceNetworkConfigurationArgs(
assign_public_ip=True,
subnets=[subnet1.id, subnet2.id],
security_groups=[group.id],
),
load_balancers=[aws.ecs.ServiceLoadBalancerArgs(
target_group_arn=atg.arn,
container_name='cogito-app',
container_port=80,
)],
opts=ResourceOptions(depends_on=[wl]),
)
# Export the necessary values
pulumi.export('lburl', alb.dns_name)
pulumi.export("vpc_id", vpc.id)
pulumi.export("repo_url", repo.repository_url)e
elegant-gigabyte-8733
07/10/2023, 12:49 AMCan you reach the IP and port of your container?
b
bitter-insurance-72016
07/10/2023, 7:46 AMI don't understand
g
glamorous-father-12267
07/10/2023, 9:11 PMHi Solomon
Please check few things:
• Does your subnets has a default route pointing towards IGW?
• The ALB you created is of type Public?
• Check the health status of fargate instances in ALB target group
Not related to the above problem, but I can see you are using single layer of subnets for ur web and application. Although technically it will work, but from best practices pov please keep ur application related stuff like ecs/fargate/dbs/ec2 etc in a separate subnet which is private. Also, try using separate security group for ur ALB and ECS. In this case, ECS is practically exposed to the internet.
Cheers and Best wishes
b
bitter-insurance-72016
07/11/2023, 6:14 PMThanks you @Dinesh Sharma...I will look into that