Requirements

AWS Account configuration

IAM Permissions to execute ECS Compose-X

Since ECS Compose-X adds more and more features, we highly recommend to use the AWS Managed policy arn:aws:iam:aws::policy/ReadOnlyAccess.

Additionally, you will need to use all the features and push your files to S3

ECS Compose-X specific permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowFullCloudFormationAccess",
            "Effect": "Allow",
            "Resource": [
                "*"
            ],
            "Action": [
                "cloudformation:*"
            ]
        },
        {
            "Sid": "S3BucketObjectsAccess",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::${BucketName}/*"
            ],
            "Action": [
                "s3:PutObject"
            ]
        },
        {
            "Sid": "S3BucketAccess",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::${BucketName}"
            ],
            "Action": [
                "s3:CreateBucket",
                "s3:ListBucket"
            ]
        }
    ]
}

ECS Settings

Because of my adhesion to using the Cloud Provider’s tools for monitoring, logging, etc, some features and options are enabled and you would get CloudFormation complain about account level settings not being enabled.

Depending on how you are setting up your AWS account(s) you might have to activate these settings if you haven’t already.

Note

It is important that you enable AWS VPC Trunking to allow each service tasks to run within the same SecurityGroup and use the extended number of ENIs per instance. Reference: Container ENI Announcement: AWS VPC mode

ECS Account settings can be found at https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html

  • ECS - VPC Trunking

  • ECS Extended logs and monitoring

Tip

You can now simply run ecs-composex init in order to do all of the following and create your default S3 bucket for your CFN templates

ecs-composex init

Deploy manually

aws ecs put-account-setting-default --name awsvpcTrunking --value enabled
aws ecs put-account-setting-default --name serviceLongArnFormat --value enabled
aws ecs put-account-setting-default --name taskLongArnFormat --value enabled
aws ecs put-account-setting-default --name containerInstanceLongArnFormat --value enabled
aws ecs put-account-setting-default --name containerInsights --value enabled

Hint

If you want to enable these settings for a specific IAM role you can assume yourself, from CLI you can use aws ecs put-account-setting as opposed to aws ecs put-account-setting-default

aws ecs put-account-setting --name awsvpcTrunking --value enabled
aws ecs put-account-setting --name serviceLongArnFormat --value enabled
aws ecs put-account-setting --name taskLongArnFormat --value enabled
aws ecs put-account-setting --name containerInstanceLongArnFormat --value enabled
aws ecs put-account-setting --name containerInsights --value enabled