Changes
- Add enable_service_execution config in the app environment configs
- Update the service layer to conditionally enable ECS Exec as a container definition attribute
- Update the service layer to conditionally set root file system to not read-only
  - Required to use the Session Manager plugin
- Update the network layer to conditionally create a VPC endpoint for ssmmessages
  - Required when using interface Amazon VPC endpoints with Amazon ECS
  - Only created for networks that have an environment with enable_service_execution set to true
- Add accompanying documentation
Context for reviewers
Sometimes it's really useful to be able to create a shell into the running container as deployed to AWS. This can be critical for debugging, especially debugging third-party containers. It can also be really useful to be able to access the RDS database.
AWS ECS Exec is AWS's equivalent to running docker compose exec or docker run. This PR adds that support to the infrastructure template.
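The conditional wiring the change list describes, sketched as Terraform. This is an added illustration, not the PR's actual code: every resource, variable and local name (aws_ecs_service.app, local.execution_enabled_in_network, var.app_environments, aws_security_group.vpc_endpoints, and so on) is an assumed placeholder for whatever the template really uses.

```hcl
# Illustrative only: names below are assumptions, not the template's identifiers.

variable "enable_service_execution" {
  description = "Enable ECS Exec (a shell into running tasks). Off by default."
  type        = bool
  default     = false
}

# Service layer: ECS Exec is switched on per service, so it can be left off
# everywhere except the environments that opt in (e.g. dev).
resource "aws_ecs_service" "app" {
  name                   = "${var.app_name}-${var.environment_name}"
  cluster                = aws_ecs_cluster.cluster.arn
  task_definition        = aws_ecs_task_definition.app.arn
  enable_execute_command = var.enable_service_execution
  # launch type, network configuration and load balancer omitted for brevity
}

resource "aws_ecs_task_definition" "app" {
  family = "${var.app_name}-${var.environment_name}"
  container_definitions = jsonencode([{
    name  = var.app_name
    image = var.image
    # The Session Manager plugin needs to write inside the container, so the
    # root filesystem stays read-only only when ECS Exec is disabled.
    readonlyRootFilesystem = !var.enable_service_execution
  }])
}

# Network layer: the ssmmessages interface endpoint is created only when at
# least one app environment on this network has the flag set.
locals {
  execution_enabled_in_network = anytrue([
    for env in var.app_environments : env.enable_service_execution
  ])
}

resource "aws_vpc_endpoint" "ssmmessages" {
  count               = local.execution_enabled_in_network ? 1 : 0
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.ssmmessages"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = aws_subnet.private[*].id
  security_group_ids  = [aws_security_group.vpc_endpoints.id]
  private_dns_enabled = true
}
```

Because the endpoint and the relaxed root filesystem are gated on the same flag, environments that never set enable_service_execution keep the read-only root filesystem and get no ssmmessages endpoint.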
Testing
Testing that was performed
Tested by deploying this branch to my local version of https://github.com/navapbc/platform-test and then deploying necessary resources (account, network, build repository, service) to my AWS account. Demo here:
Testing steps
You can re-create this test by doing the following setup:
1. Clone the test repo: git clone git@github.com:navapbc/platform-test.git
2. Change to the test repo: cd platform-test
3. Install this branch: make -f platform-test.mak install-infra BRANCH=rocket/add-ecs-exec
4. Configure the infra repo as usual (project-config, app-config). Be sure not to set project_name to platform-test as that will cause S3 bucket name issues. See #520
5. Modify /infra/app-config/dev.tf and set enable_service_execution = true
6. Configure the following resources as usual:
   - AWS account
   - Network for NETWORK_NAME=dev
   - Build repository for APP_NAME=app
   - Database for APP_NAME=app ENVIRONMENT=dev
   - Service for APP_NAME=app ENVIRONMENT=dev

Test your deployment by:
- In AWS Console, verify that VPC > Endpoints includes a VPC endpoint for com.amazonaws.us-east-1.ssmmessages
- In AWS Console, go to ECS > Clusters > app-dev > Services > app-dev > Tasks

You can verify that the VPC endpoint is only created for networks that contain an app with enable_service_execution=true by deploying the prod network and checking in the AWS Console.
Ticket
Resolves #148