hashicorp / terraform-aws-consul-ecs

Consul Service Mesh on AWS ECS (Elastic Container Service)
https://www.consul.io/docs/ecs
Mozilla Public License 2.0

Inability to Modify Consul Connect Command #22

Open reskin89 opened 3 years ago

reskin89 commented 3 years ago

I wanted to use this module to deploy a terminating gateway in ECS; however, since I'm unable to modify the consul connect command in any way, I can't use this module to do so.

I believe some type of optional variable for this would be very helpful to take full advantage of Envoy.

pglass commented 3 years ago

Hi @reskin89!

Consul on ECS is in tech preview and does not support deploying a terminating gateway on ECS. I can't commit to a date yet, but it is on our roadmap.

In general, I'm not sure if the current mesh-task module is the right place for gateway support, since mesh-task is designed to run an application container within the mesh, which is a bit different.

For the time being, you'll need to construct your own task definition to deploy a terminating gateway. You should be able to use a similar approach as the mesh-task module, which I think would roughly involve:

  1. running a Consul container to execute `consul connect envoy -bootstrap -gateway=terminating ...` to write the necessary Envoy bootstrap config file to a mounted volume, and
  2. subsequently starting the Envoy container pointed at the bootstrap config.

reskin89 commented 2 years ago

This has come up again since the new release of Consul ECS stuff. I may make a PR for a "mesh-task-gateway" module.

pglass commented 2 years ago

Hi @reskin89,

If you do make a PR to support running terminating gateways, please see the new gateway-task module. This supports mesh gateways initially. We intend for this module to support other gateway types (and will gladly accept a PR).

A couple of quick pointers to start out:

The gateway-task module supports (optionally) configuring an NLB for ingress to the gateway. Would that work for you, or would you need a different form of ingress to the gateway (like public IPs)?

reskin89 commented 2 years ago

I'll check that out! Luckily, a terminating gateway doesn't really need a true form of ingress since it's registered on the service mesh, and using the Envoy capabilities, as long as it registers with an IP that's reachable, it should be fine.