Channels
#general
Title
f
full-dress-10026
12/11/2018, 1:43 AMAlso tried setting
associatePublicIpAddress: truelaunchConfigurationArgscreateAndAddAutoScalingGroupb
big-piano-35669
12/11/2018, 1:45 AM
@lemon-spoon-91807 Any ideas on this?
f
full-dress-10026
12/11/2018, 1:50 AMNot sure if this is relevant but according to [1], the valid values for
assignPublicIP"ENABLED" | "DISABLED"b
big-piano-35669
12/11/2018, 1:54 AM
I just looked at the underlying implementation, and it definitely looks like boolean is correct. I wonder if we're not passing it down to the underlying ECS resource definition.
f
full-dress-10026
12/11/2018, 1:58 AMPerhaps. Where is the ECS resource defined?
l
lemon-spoon-91807
12/11/2018, 2:03 AMit's in: experimental/ecs/Service.ts
Still no change to the Auto-assign public IP field.
what are you looking at that is showing that data?
f
full-dress-10026
12/11/2018, 2:04 AMECS console.
l
lemon-spoon-91807
12/11/2018, 2:04 AMcan you show me specifically?
f
full-dress-10026
12/11/2018, 2:04 AMFrom the ECS console
l
lemon-spoon-91807
12/11/2018, 2:06 AMthat's currently something set on hte loadbalancer
that code is currently in experimental/ecs/loadBalancer.ts
f
full-dress-10026
12/11/2018, 2:07 AMI don't have a load balancer.
l
lemon-spoon-91807
12/11/2018, 2:07 AM(but i'm rewriting it all in tihs milestone)
can you link me to a gist of your code?
f
full-dress-10026
12/11/2018, 2:08 AMl
lemon-spoon-91807
12/11/2018, 2:09 AMso, what is likely happening is that we are using your default network and using that for the networkconfiguration piece
or, this is just hardcoded as:
Copy code
networkConfiguration: {
assignPublicIp: false,
securityGroups: cluster.securityGroups.map(g => g.instance.id),
subnets: cluster.network.subnetIds,
},f
full-dress-10026
12/11/2018, 2:11 AMIt is using the default network. All subnets in are set to auto assign a public IP.
l
lemon-spoon-91807
12/11/2018, 2:12 AMthis comes from how we originally did things in pulumi-cloud:
Copy code
networkConfiguration: {
assignPublicIp: config.useFargate && !network.usePrivateSubnets,
securityGroups: securityGroups,
subnets: network.subnetIds,
},f
full-dress-10026
12/11/2018, 2:12 AMThis is the cluster def:
Copy code
const cluster = new infra.x.ecs.Cluster("fibonacci", {
name: "fibonacci",
});l
lemon-spoon-91807
12/11/2018, 2:12 AMwill have to update this to allow you to pass in this info, or to base it entirely off the network
f
full-dress-10026
12/11/2018, 2:13 AMSo right now it is basing it on the cluster's
networkl
lemon-spoon-91807
12/11/2018, 2:13 AMright now it's explicitly passing in 'false'
it's hardcoded as:
Copy code
networkConfiguration: {
assignPublicIp: false,
securityGroups: cluster.securityGroups.map(g => g.instance.id),
subnets: cluster.network.subnetIds,
},f
full-dress-10026
12/11/2018, 2:14 AMGotcha.
l
lemon-spoon-91807
12/11/2018, 2:14 AMfor fargate we base this on hte network. for ec2 we just set it to false
no good reason for us to do that though
(it's just how the code moved down from 'cloud' to here)
i'll update it to allow you to pass your own config
f
full-dress-10026
12/11/2018, 2:15 AMGreat, thanks! How are you going to allow it to be passed in?
l
lemon-spoon-91807
12/11/2018, 2:15 AMlike how your gist shows it
👌 1
cheers!
f
full-dress-10026
12/11/2018, 5:26 PMAnyway we could get a dev release of aws-infra?
l
lemon-spoon-91807
12/11/2018, 5:45 PMLet me see what it would take to get that!
oh... there should be a dev release of it
we're making both dev and normal builds
f
full-dress-10026
12/11/2018, 5:58 PMLooks like the last dev release was 8 days ago. No?
l
lemon-spoon-91807
12/11/2018, 5:58 PMah. you mean a more recent drop
gotcha!
let me see why my latest cahnge didn't go make one
f
full-dress-10026
12/11/2018, 5:59 PMWith the changes from this PR https://github.com/pulumi/pulumi-aws-infra/pull/67
l
lemon-spoon-91807
12/11/2018, 5:59 PMsuper strange!
that should have automatically made a new drop
have to go investigate 🙂
infrastructure is hard 😄
f
full-dress-10026
12/11/2018, 5:59 PMTrue that
l
lemon-spoon-91807
12/11/2018, 6:00 PMsomeone needs to make infrastructure easier
😆 1
f
full-dress-10026
12/11/2018, 7:16 PMI checked out the code locally for the time being. I am getting this exception when running `pulumi up`:
Copy code
updating urn:pulumi:fibonacci-dev::fibonacci::awsinfra:x:ecs:EC2Service$aws:ecs/service:Service::datadog-daemon: InvalidParameterException: Assign public IP is not supported for this launch type.l
lemon-spoon-91807
12/11/2018, 7:17 PMi mean... is that something aws supports?
f
full-dress-10026
12/11/2018, 7:18 PMNo idea. ECS design decisions continue to confuse me.
Any idea if there is another way to give ECS containers access to the internet? I see lots of people suggesting NATs but that doesn't make sense to me. Why would I need to deploy 3 NATs (one per AZ) for my containers to connect to the internet when my ECS EC2 nodes can connect just fine?
Yikes [1] :
The awsvpc network mode does not provide task elastic network interfaces with public IP addresses for tasks that use the EC2 launch type. To access the internet, tasks that use the EC2 launch type must be launched in a private subnet that is configured to use a NAT gateway. For more information, see NAT Gateways in the Amazon VPC User Guide. Inbound network access must be from within the VPC using the private IP address or DNS hostname, or routed through a load balancer from within the VPC. Tasks launched within public subnets do not have outbound network access.[1] https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html
l
lemon-spoon-91807
12/11/2018, 7:25 PMtrying to read up on i now
but i'm in a similar boat that i find AWS super confusing here 🙂
but this sounds like this simply may be by-design on their part
if you figure things out, let me know 🙂
btw, any reason not to use fargate?
it seems like the simpler "get me out of this complexity hell" approach that AWS is offering.
f
full-dress-10026
12/11/2018, 7:29 PMYou cannot use Datadog's APM service.
Datadog APM requires access to the docker sock.
l
lemon-spoon-91807
12/11/2018, 7:30 PMinteresting
does DD recommend how you set things up?
f
full-dress-10026
12/11/2018, 7:30 PMHere's the ECS setup instructions: https://docs.datadoghq.com/integrations/amazon_ecs/?tab=nodejs#overview
l
lemon-spoon-91807
12/11/2018, 7:30 PMdo they have a walkthrough on the appropraite way to configure the service to work on ec2 in a way that is also public?
f
full-dress-10026
12/11/2018, 7:31 PMI think they leave the public part for you to figure out on your own. Does seem a bit strange.
l
lemon-spoon-91807
12/11/2018, 7:31 PMThis documentation assume you already have a working EC2 Container Service cluster configured. If not, review the Getting Started section in the ECS documentation.
yeah... great 😕
yeah, everything i run into mentions 'nat', with zero extra information
it's all so vague
f
full-dress-10026
12/11/2018, 7:35 PMRight... It's so weird that there isn't more info on this. I'd imagine almost all production services require access to the internet...
l
lemon-spoon-91807
12/11/2018, 7:36 PMmy understanding is this is why you have an LB
the LB faces the internet
and the LB is configured to hit your containers.
f
full-dress-10026
12/11/2018, 7:37 PMRight but most internal services require access to the internet for doing 3rd party operations.
l
lemon-spoon-91807
12/11/2018, 7:39 PMi think this is by-design on their part. your stuff is isolated. and if you want thins to be able to talk to internet, you need to set upthe appropriate mechanisms to allow this.
f
full-dress-10026
12/11/2018, 7:41 PMWhich is fair but that makes the cost of running an ECS cluster higher -- you need to pay for 3 NATs in addition to your ECS instances.