1. Answers
  2. Using Flux with Amazon ECS

How Do I Use Flux With Amazon ECS?

Introduction

In this guide, we will walk through the process of integrating Flux with Amazon ECS to automate and manage application deployments. Flux is a GitOps tool that ensures the state of your applications matches the configurations stored in a Git repository. Amazon ECS (Elastic Container Service) is AWS’s fully managed container orchestration service. By the end of this guide, you will have a setup where Flux continuously monitors your Git repository for changes and automatically deploys these changes to your ECS cluster.

Key Components in this Guide

  1. VPC - A Virtual Private Cloud to provide a secured network environment.
  2. ECS Cluster - A cluster to host and manage containerized applications.
  3. IAM Roles - Roles to grant necessary permissions to ECS tasks and services.

Detailed Explanation

This guide will take you through the following steps to achieve the integration:

Step 1: Create a VPC

First, we create a Virtual Private Cloud (VPC) to provide a secure and isolated network environment for our ECS resources.

const main = new aws.ec2.Vpc("main", {cidrBlock: "10.0.0.0/16"});

Step 2: Create Subnets

Next, we create subnets within the VPC to distribute resources across different availability zones.

const available = aws.getAvailabilityZonesOutput({});
const subnets: aws.ec2.Subnet[] = [];
for (const range = {value: 0}; range.value < 2; range.value++) {
    subnets.push(new aws.ec2.Subnet(`subnets-${range.value}`, {
        vpcId: main.id,
        cidrBlock: std.cidrsubnetOutput({
            input: main.cidrBlock,
            newbits: 8,
            netnum: range.value,
        }).apply(invoke => invoke.result),
        availabilityZone: available.apply(available => available.names[range.value]),
    }));
}

Step 3: Set Up the ECS Cluster

We then set up an ECS cluster to manage our containerized applications.

const mainCluster = new aws.ecs.Cluster("main", {name: "my-cluster"});

Step 4: Configure IAM Roles

IAM roles are configured to provide the necessary permissions for ECS tasks and services to interact with other AWS services.

const ecsTaskRole = new aws.iam.Role("ecs_task_role", {
    name: "ecs_task_role",
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: {
                Service: "ecs-tasks.amazonaws.com",
            },
            Action: "sts:AssumeRole",
        }],
    }),
});
const ecsTaskPolicy = new aws.iam.RolePolicy("ecs_task_policy", {
    name: "ecs_task_policy",
    role: ecsTaskRole.id,
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Action: [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
            ],
            Resource: "*",
        }],
    }),
});

Step 5: Deploy the ECS Service with Flux

Finally, we deploy an ECS service using a task definition that includes Flux for managing GitOps processes.

const mainTaskDefinition = new aws.ecs.TaskDefinition("main", {
    family: "flux-task",
    networkMode: "awsvpc",
    requiresCompatibilities: ["FARGATE"],
    cpu: "256",
    memory: "512",
    executionRoleArn: ecsTaskRole.arn,
    taskRoleArn: ecsTaskRole.arn,
    containerDefinitions: JSON.stringify([{
        name: "flux",
        image: "fluxcd/flux:latest",
        cpu: 256,
        memory: 512,
        essential: true,
        environment: [
            {
                name: "GIT_URL",
                value: "https://github.com/your-org/your-repo",
            },
            {
                name: "GIT_BRANCH",
                value: "main",
            },
        ],
        logConfiguration: {
            logDriver: "awslogs",
            options: {
                "awslogs-group": "/ecs/flux",
                "awslogs-region": "us-west-2",
                "awslogs-stream-prefix": "ecs",
            },
        },
    }]),
});
const mainSecurityGroup = new aws.ec2.SecurityGroup("main", {
    name: "ecs-security-group",
    description: "Allow all inbound traffic",
    vpcId: main.id,
    ingress: [{
        fromPort: 0,
        toPort: 0,
        protocol: "-1",
        cidrBlocks: ["0.0.0.0/0"],
    }],
    egress: [{
        fromPort: 0,
        toPort: 0,
        protocol: "-1",
        cidrBlocks: ["0.0.0.0/0"],
    }],
});
const mainService = new aws.ecs.Service("main", {
    name: "flux-service",
    cluster: mainCluster.id,
    taskDefinition: mainTaskDefinition.arn,
    desiredCount: 1,
    launchType: "FARGATE",
    networkConfiguration: {
        subnets: subnets.map(__item => __item.id),
        securityGroups: [mainSecurityGroup.id],
        assignPublicIp: true,
    },
});

Key Points

  • Created a VPC to host the ECS cluster.
  • Set up an ECS cluster to manage containerized services.
  • Configured IAM roles to provide necessary permissions to ECS tasks.
  • Deployed an ECS service that runs Flux, to synchronize with a Git repository.

Summary

In conclusion, we have successfully set up an Amazon ECS cluster with a service that runs Flux. This setup automates the deployment process by continuously monitoring and synchronizing the desired state defined in your Git repository with the actual state of your ECS services. By leveraging GitOps, you ensure consistency and reliability in your application deployments, making it easier to manage changes and updates over time.

Deploy this code

Want to deploy this code? Sign up for a free Pulumi account to deploy in a few clicks.

Sign up

New to Pulumi?

Want to deploy this code? Sign up with Pulumi to deploy in a few clicks.

Sign up