Requirements
AWS Account configuration
IAM Permissions to execute ECS Compose-X
Since ECS Compose-X keeps adding features, we highly recommend using the AWS Managed policy arn:aws:iam::aws:policy/ReadOnlyAccess.
Additionally, to use all the features and push your files to S3, you will need the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowFullCloudFormationAccess",
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Action": [
        "cloudformation:*"
      ]
    },
    {
      "Sid": "S3BucketObjectsAccess",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::${BucketName}/*"
      ],
      "Action": [
        "s3:PutObject"
      ]
    },
    {
      "Sid": "S3BucketAccess",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::${BucketName}"
      ],
      "Action": [
        "s3:CreateBucket",
        "s3:ListBucket"
      ]
    }
  ]
}
ECS Settings
Because I stick to using the cloud provider's own tools for monitoring, logging, etc., some features and options are enabled, and CloudFormation will complain if the matching account-level settings are not enabled.
Depending on how you are setting up your AWS account(s) you might have to activate these settings if you haven’t already.
Note
It is important that you enable AWS VPC Trunking to allow each service's tasks to run within the same SecurityGroup and use the extended number of ENIs per instance. Reference: Container ENI Announcement: AWS VPC mode
ECS Account settings can be found at https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html
ECS - VPC Trunking
ECS Extended logs and monitoring
Tip
You can now simply run ecs-composex init to do all of the following and create your default S3 bucket for your CFN templates:
ecs-composex init
Deploy manually
aws ecs put-account-setting-default --name awsvpcTrunking --value enabled
aws ecs put-account-setting-default --name serviceLongArnFormat --value enabled
aws ecs put-account-setting-default --name taskLongArnFormat --value enabled
aws ecs put-account-setting-default --name containerInstanceLongArnFormat --value enabled
aws ecs put-account-setting-default --name containerInsights --value enabled
Hint
If you want to enable these settings for a specific IAM role that you can assume yourself, use aws ecs put-account-setting from the CLI instead of aws ecs put-account-setting-default:
aws ecs put-account-setting --name awsvpcTrunking --value enabled
aws ecs put-account-setting --name serviceLongArnFormat --value enabled
aws ecs put-account-setting --name taskLongArnFormat --value enabled
aws ecs put-account-setting --name containerInstanceLongArnFormat --value enabled
aws ecs put-account-setting --name containerInsights --value enabled
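To confirm the settings above took effect for the principal you deploy with, the following added example (not part of ECS Compose-X) audits the JSON printed by aws ecs list-account-settings --effective-settings --output json. The function name and the embedded sample output are assumptions made for illustration; the sample is constructed and its account ID is a placeholder.

```python
import json
import sys

# The five account settings this page enables; each is expected to be "enabled".
REQUIRED = (
    "awsvpcTrunking",
    "serviceLongArnFormat",
    "taskLongArnFormat",
    "containerInstanceLongArnFormat",
    "containerInsights",
)

# Constructed sample CLI output (placeholder account ID), not captured from a real account.
SAMPLE = json.dumps({"settings": [
    {"name": "awsvpcTrunking", "value": "enabled", "principalArn": "arn:aws:iam::123456789012:root"},
    {"name": "serviceLongArnFormat", "value": "enabled", "principalArn": "arn:aws:iam::123456789012:root"},
    {"name": "taskLongArnFormat", "value": "enabled", "principalArn": "arn:aws:iam::123456789012:root"},
    {"name": "containerInstanceLongArnFormat", "value": "disabled", "principalArn": "arn:aws:iam::123456789012:root"},
]})


def audit_account_settings(cli_json: str) -> dict:
    """Return {setting: problem} for each required setting that is not enabled.

    cli_json is the output of:
      aws ecs list-account-settings --effective-settings --output json
    An empty dict means every setting from this page is in effect.
    """
    doc = json.loads(cli_json)
    effective = {e.get("name"): e.get("value") for e in doc.get("settings", [])}
    problems = {}
    for name in REQUIRED:
        value = effective.get(name)
        if value is None:
            problems[name] = "not reported"
        elif value != "enabled":
            problems[name] = f"value is {value!r}"
    return problems


if __name__ == "__main__":
    # Pipe the real CLI output in, or run without input to see the sample audited.
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    problems = audit_account_settings(raw)
    for name, why in problems.items():
        print(f"{name}: {why}")
    sys.exit(1 if problems else 0)
```

Running it with the CLI output piped in exits non-zero when any setting is missing or disabled, which makes it usable as a pre-deployment gate.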