https://pulumi.com logo
#getting-started
Title
# getting-started
m

magnificent-soccer-44287

09/27/2023, 7:27 AM
Is there documentation / examples of healthCheck for "awsx.ecs.FargateService" somewhere I can't find? For example:
Copy code
const service = new awsx.ecs.FargateService("service", {
        containers: {
            yourAppHere: {
                healthCheck: {
                    interval: 15,
                    command: ["ps", "x", "|", "grep", "puma", "|", "grep", "0.0.0.0:3000"]
                },
            }
        },
    },
});
Given the above, does it run the following command inside the container?
Copy code
ps x | grep | puma | grep | 0.0.0.0:3000
and pass if 0, fail if 1?
d

dry-keyboard-94795

09/27/2023, 7:35 AM
It's pretty much the same as
HEALTHCHECK
in docker. Some useful docs for you for ECS specifics: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-healthcheck.html I think with pipes, you'll need to use the
CMD-SHELL
varient
And yes, pass is 0, fail is non-zero
m

magnificent-soccer-44287

09/27/2023, 7:37 AM
gotcha, so it seems that whereas now i use:
Copy code
command: ["ps", "x", "|", "grep", "puma", "|", "grep", "0.0.0.0:3000"]
what I mean to use is:
Copy code
command: ["CMD-SHELL", "ps", "x", "|", "grep", "puma", "|", "grep", "0.0.0.0:3000"]
?
d

dry-keyboard-94795

09/27/2023, 7:37 AM
Not quite, with CMD-SHELL, the whole command is kept together instead of being split into an array
So 2 items in the list
m

magnificent-soccer-44287

09/27/2023, 7:39 AM
whoops, read the article wrong. been trying to get some stuff on aws to work with pulumi for 10 hours now 😓 ty. Is it a safe assumption that most of the pulumi arguments that are not explicitly documented map to the AWS docs and can just be found there?
d

dry-keyboard-94795

09/27/2023, 7:41 AM
For the awsx package, there might be more abstractions. But yes it should map well. I find looking at terraform and API examples useful for reference, too
m

magnificent-soccer-44287

09/27/2023, 7:41 AM
that helps a bunch; thank you.
d

dry-keyboard-94795

09/27/2023, 7:42 AM
Also, I linked the cloudformation docs instead of the ecs api docs. Shows how similar things can be 😂 https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_HealthCheck.html
m

magnificent-soccer-44287

09/27/2023, 7:43 AM
this is a shot in the dark but I've got an old legacy app that i have the misfortune of migrating from heroku to aws - i put a ruby docker image into ecs fargate; it appears to be sending SIGKILL or SIGTERM to the container every few minutes
I've used k8 / ec2 before but not fargate - would you happen to know anything off the top of your head?
d

dry-keyboard-94795

09/27/2023, 7:45 AM
Been a while since I've done ecs. It could be memory limits, or healthchecks failing on the load balancer/target group
m

magnificent-soccer-44287

09/27/2023, 7:45 AM
AWS LBs and Target Groups have their own checks?
my first time trying to use aws native stuff instead of k8/envoy/istio/etc
d

dry-keyboard-94795

09/27/2023, 7:46 AM
Metrics + logs should help for checking for a memory issue. You can check the target groups in the ec2 dashboard, which will tell you their status
m

magnificent-soccer-44287

09/27/2023, 7:46 AM
trying to do a setup this startup will be able to self-manage and it seems actually harder lol
wait... do target groups have their own checks?
d

dry-keyboard-94795

09/27/2023, 7:48 AM
They can do
m

magnificent-soccer-44287

09/27/2023, 7:49 AM
Copy code
const pmbMainLB = new awsx.lb.ApplicationLoadBalancer("pmb-main-alb", {
    name: "pmb-main-web-traffic-alb",
    defaultTargetGroup: {
        port: 3000
    },
    listener: {
        port: 80
    },
});
^ That's my pulumi ALB config, with this in "awsx.ecs.FargateService":
Copy code
portMappings: [{
                    targetGroup: pmbMainLB.defaultTargetGroup,
                    containerPort: 3000,
                    hostPort: 3000
                }],
Will AWS terminate a fargate instance if its' corresponding target group fails?
the problem is this legacy ruby application takes A HOT MINUTE to load the first time - like 230sec. i have a feeling the ALB is timing it out and dropping before
seems like the fargate container receives sigint or sigkill the second an ALB timeout happens
d

dry-keyboard-94795

09/27/2023, 7:51 AM
There should be a way to set the grace period somewhere
m

magnificent-soccer-44287

09/27/2023, 7:51 AM
found
Copy code
/**
     * The time in seconds that the connection is allowed to be idle. Only valid for Load Balancers of type `application`. Default: 60.
     */
    idleTimeout?: pulumi.Input<number>;
in ApplicationLoadBalancerArgs, will try
for the "awsx.ecs.FargateService" i already set a 360sec health check grace
d

dry-keyboard-94795

09/27/2023, 7:54 AM
From what I remember, using the fargate healthcheck (as you're setting up before) will defer the target group healthchecks
idleTimeout is to do with connections after the service is running. You don't want that too high
m

magnificent-soccer-44287

09/27/2023, 7:58 AM
gotcha. i think you are right, in AWS console the Target Group is showing unhealthy: 1 even before the containers' grace period
Copy code
const pmbMainLB = new awsx.lb.ApplicationLoadBalancer("name", {
    defaultTargetGroup: {
        healthCheck: {
            enabled: false
        }
});
^ found that, will try
d

dry-keyboard-94795

09/27/2023, 8:15 AM
Try the ecs healthcheck first, see if it still terminates and if the TG eventually becomes healthy
m

magnificent-soccer-44287

09/27/2023, 8:44 AM
well, i managed to finally get to the app server itself haha
idleTimeout on the ALB was it, kept dropping connections before app server replied. now im sleuthing around on how to set up security so fargate can connect to rds
d

dry-keyboard-94795

09/27/2023, 8:59 AM
So requests normally take longer than a minute?
m

magnificent-soccer-44287

09/27/2023, 9:01 AM
no - just the first one that is cold before the legacy ruby app caches stuff
it kept failing the first cold hit and terminating the fargate container
d

dry-keyboard-94795

09/27/2023, 9:03 AM
Oof. I've worked on a rails app like that before. Load up without the cache, that's 15 minutes for the homepage while the taxonomy builds
m

magnificent-soccer-44287

09/27/2023, 9:03 AM
yup..... 🥲
going to aws native networking/security from istio/envoy makes me feel like ET trying to phone home in the stone age
d

dry-keyboard-94795

09/27/2023, 9:07 AM
It's not too bad. For what you need, it should be attaching a security group to the rds, and adding an ingress rule that lets your ecs security group through
m

magnificent-soccer-44287

09/27/2023, 9:07 AM
yup, just figured that out recently
how dumb of a rule is this?
Copy code
ingress : [{
        protocol : "tcp",
        fromPort : 5432,
        toPort : 5432,
        cidrBlocks : [vpc.vpc.cidrBlock],
    }],
wondering if there may be a more appropriate way to do least access
d

dry-keyboard-94795

09/27/2023, 9:08 AM
I think that let's everything in the vpc connect, probably not a good idea
Instead of cidrBlocks, you can use the
securityGroups
option
m

magnificent-soccer-44287

09/27/2023, 9:12 AM
ty!
is the principle of a security group basically that any two resources with the same group can access each other?
d

dry-keyboard-94795

09/27/2023, 9:13 AM
nope, it's that you can define a rule to let other security groups through
like firewall rules, but extended to account for things not having static IPs. I found it easier to think of SGs as representing a service, and the rules let services talk to each other
m

magnificent-soccer-44287

09/27/2023, 10:00 AM
gotcha; appreciate the help and the convo
here's a wild one - is there a way to create a client VPN endpoint and peer it with a VPC programatically? given the whole cert generation parts
d

dry-keyboard-94795

09/27/2023, 10:02 AM
hmm, the example in the docs are a little broken, as it's using the Terraform references. When you see something like
aws_acm_certificate
, then it'll usually be under pulumi as
aws.acm.Certificate