Amazon Web Services health check failing - Terraform - ECS cluster - dynamic port mapping health check fails on 1 of 2 ports?

Tags: amazon-web-services, terraform, amazon-ecs, aws-alb

I set up the environment using Terraform. One of our SecOps teams needs SonarQube installed for automated scanning, code smell and vulnerability checks. So I have it running in AWS, reachable over our VPN, with DNS resolving to an internal-facing ALB that points traffic at the target group of instances that make up the ECS cluster. There is also a launch configuration and an autoscaling group. Currently each host only runs one container; at some point that will be set to 2-4.

The problem I'm running into is that the instances register to the target group on both the container port 9000 and the dynamic ephemeral port 32768. The health check on the dynamic port works fine, but the health check on port 9000 fails. This causes the instances to cycle repeatedly between initial, unhealthy and terminating. Apart from this annoying issue the application runs fine: RDS connects, we can use Sonar, and everything is good.

I have already tried removing the references to the container port in Terraform. I'll also state that this is a very locked-down environment. All egress traffic from any VPC is filtered through a McAfee cloud proxy appliance. When I first built this in a sandbox account with egress 0.0.0.0/0, everything was fine. I've spent hours on this and am scratching my head.

Hopefully someone else has been here and can share their insight. Tomorrow is a new day after all. Help!

ERROR Message when I remove the port from the target group
aws_lb_target_group.ecs: port should be set when target type is instance

If you're using ephemeral ports then it doesn't really care what you specify in containerPort. In my Terraform I use port 9000 as the defined containerPort only because it needs a value, and hostPort is specified as 0. A security group is created to account for the use of ephemeral ports, and the health check seems to work as expected using / and trafficPort.
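As an added example (not the poster's or the answerer's code), here is a minimal Terraform 0.11-style pairing of the ephemeral-port task definition, target group and service the answer describes, using the question's variable names. It assumes the duplicate registration on port 9000 comes from the autoscaling group's own target_group_arns attachment, which registers each instance at the target group's static port; leaving that attachment out so that only ECS registers targets (at the dynamic host port) removes the port-9000 target the ALB cannot reach.

```hcl
# Added example (not the poster's code); variable names follow the question.
resource "aws_ecs_task_definition" "task" {
  family       = "${var.name}-${var.env}"
  network_mode = "bridge"
  container_definitions = <<DEFINITION
[
  {
    "name": "${var.name}",
    "image": "${var.image}",
    "portMappings": [
      { "containerPort": 9000, "hostPort": 0 }
    ]
  }
]
DEFINITION
}

resource "aws_lb_target_group" "ecs" {
  name        = "${var.cluster_name}"
  port        = 9000 # required for target_type instance; ECS registers the real host port per task
  protocol    = "HTTP"
  vpc_id      = "${var.vpc_id}"
  target_type = "instance"
  health_check {
    path = "/"
    port = "traffic-port" # probe whichever port the target was registered on
  }
}

resource "aws_ecs_service" "ecs" {
  name            = "${var.name}-${var.env}"
  cluster         = "${var.cluster_name}"
  task_definition = "${aws_ecs_task_definition.task.arn}"
  desired_count   = 1
  load_balancer {
    target_group_arn = "${aws_lb_target_group.ecs.arn}"
    container_name   = "${var.name}"
    container_port   = 9000 # container side only; the host side is ephemeral
  }
}

# No target_group_arns here: the ASG only manages instances, ECS alone registers
# targets; EC2 health checks keep an ALB probe miss from terminating the host.
resource "aws_autoscaling_group" "asg" {
  min_size             = "${var.min_size}"
  max_size             = "${var.max_size}"
  health_check_type    = "EC2"
  launch_configuration = "${aws_launch_configuration.alc.name}"
  vpc_zone_identifier  = ["${var.subnet_ids}"]
}
```

After applying, the target group should list each instance once, on its ephemeral port only, and the ALB health check on that port is the one that decides whether the task receives traffic.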

You say that if you remove the health check on port 9000 you get an error. Can you edit your question to share the exact error?

If you mean the target group health check? It isn't specified, it just uses the defaults. I manually removed the health check in the console by removing the instance on port 9000 from the target group, and the instance stays in service. If you mean the target group port setting of 9000, then a port value must be specified when using target type instance (the default). That's the error TF throws when I remove the target group port parameter. Everything I've read seems to indicate the port should be excluded to use dynamic port mapping, but TF's error says otherwise.

Which error? I still don't see an error message in your question.

I added the error output to the original question. They are also mentioned as comments in the code blocks.
ERROR Message when I set the port to 0

aws_ecs_service.ecs: InvalidParameterException: The container sonarqube did not have a container port 0 defined.
ERROR Message when I set the container port to 0 in the taskdef.

aws_ecs_task_definition.task: ClientException: Invalid 'containerPort' setting for container 'sonarqube'
ecs-taskdef.tf

resource "aws_ecs_task_definition" "task" {
  family             = "${var.name}-${var.env}"
  network_mode       = "bridge"
  cpu                = 8192
  memory             = 16384
  execution_role_arn = "${var.ecs-exec-role}"

  container_definitions = <<DEFINITION
[
    {
        "name": "${var.name}",
        "image":"${var.image}",
        "logConfiguration": {
            "logDriver": "awslogs",
            "options": {
                "awslogs-group": "/ecs/${var.cluster_name}-${var.name}",
                "awslogs-region": "${var.region}",
                "awslogs-stream-prefix": "ecs"
            }
        },
        "portMappings": [
            {
                "containerPort": 9000
            }
        ],
        "environment": [
            {
            "name": "sonar.jdbc.password",
            "value": "${var.password}"
            },
            {
            "name": "sonar.jdbc.url",
            "value": "jdbc:mysql://${var.rds_url}:${var.port}/sonar?useUnicode=true&characterEncoding=utf8&rewriteBatchedStatements=true&useConfigs=maxPerformance"
            },
            {
            "name": "sonar.jdbc.username",
            "value": "${var.username}"
            }
        ]  
    }
]
DEFINITION
}

resource "aws_ecs_service" "ecs" {
  name                = "${var.name}-${var.env}"
  cluster             = "${var.cluster_name}"
  task_definition     = "${aws_ecs_task_definition.task.arn}"
  scheduling_strategy = "DAEMON"

  lifecycle {
    ignore_changes = ["desired_count"]
  }

  load_balancer {
    target_group_arn = "${aws_lb_target_group.ecs.arn}"
    container_name   = "${var.name}"
    container_port   = 9000 #Removed & Terraform complains with an error.
  }
}

elb.tf

resource "aws_lb" "ecs" {
  name               = "${var.name_prefix}-${var.name}-tf"
  internal           = true
  load_balancer_type = "application"

  security_groups            = ["${var.security_groups}"]
  subnets                    = ["${var.subnets}"]
  enable_deletion_protection = false

  tags = "${merge(var.tags, map("Name", "${var.name_prefix}-${var.name}-elb"))}"
}

resource "aws_lb_listener" "ecs" {
  load_balancer_arn = "${aws_lb.ecs.arn}"
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

resource "aws_lb_listener" "ssl" {
  load_balancer_arn = "${aws_lb.ecs.arn}"
  port              = 443
  protocol          = "HTTPS"

  lifecycle {
    create_before_destroy = true
  }

  ssl_policy = "ELBSecurityPolicy-2016-08"

  certificate_arn = "arn:aws:acm:REDACTED"

  default_action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.ecs.arn}"
  }
}

resource "aws_lb_target_group" "ecs" {
  name     = "${var.cluster_name}"
  protocol = "HTTP"

  port   = 9000 #must be here or TF errors instance type must have port
  vpc_id = "${var.vpc_id}"

  lifecycle {
    create_before_destroy = true
  }
}

ec2.tf

resource "aws_autoscaling_group" "asg" {
  availability_zones        = ["${var.region}a", "${var.region}b", "${var.region}d"]
  name                      = "${var.name}-${var.env}-asg"
  max_size                  = "${var.max_size}"
  min_size                  = "${var.min_size}"
  health_check_grace_period = 300
  health_check_type         = "ELB"
  desired_capacity          = "${var.desired_size}"
  launch_configuration      = "${aws_launch_configuration.alc.name}"
  vpc_zone_identifier       = ["${var.subnet_ids}"]

  target_group_arns = ["${var.target_arn}"]

  lifecycle {
    create_before_destroy = true
  }

  tag {
    key                 = "Environment"
    value               = "${var.name}"
    propagate_at_launch = true
  }

  tag {
    key                 = "Name"
    value               = "${var.name_prefix}-${var.name}.ecs"
    propagate_at_launch = true
  }
}

resource "aws_launch_configuration" "alc" {
  name_prefix          = "${var.name_prefix}.ecs"
  image_id             = "${lookup(var.ecs-images, var.region)}"
  instance_type        = "${var.instance_type}"
  iam_instance_profile = "${aws_iam_instance_profile.ecs-instance-profile.arn}"
  user_data            = "${data.template_file.userdata.rendered}"
  key_name             = "${var.key_name}"

  security_groups = ["${var.security_groups}"]

  lifecycle {
    create_before_destroy = true
  }

  root_block_device {
    volume_type = "io1"
    iops        = "1000"
    volume_size = "${var.volume_size}"
  }
}

data "template_file" "userdata" {
  template = "${file("${path.module}/userdata/ecs-instances.sh")}"

  vars {
    cluster-name = "${aws_ecs_cluster.cluster.name}"
  }
}

resource "aws_security_group" "allow_all_from_cluster" {
  name        = "${var.name_prefix}-${var.name}-ecs-cluster"
  description = "Allow traffic from cluster"
  vpc_id      = "${var.vpc_id}"
  tags        = "${merge(var.tags, map("Name", "${var.name_prefix}-${var.name}-sg"))}"

  lifecycle {
    create_before_destroy = true
  }

  ingress { #open to VPC IP's
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["172.27.160.0/22"]
  }

  ingress { #open to corp network redirected to 443
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }

  ingress { #https access for corp users
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }

  egress { #open to VPC IP's
    from_port   = 0                   
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["172.27.160.0/22"]
  }

  egress { #ephemeral response to corp users
    from_port   = 32768
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
}

iam.tf

resource "aws_iam_role" "iam_role" {
  name = "${var.name}-ecs-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}


EOF
}

resource "aws_iam_policy" "efs-policy" {
  name        = "${var.env}-efs-access-policy"
  path        = "/"
  description = "Allow ${var.env} cluster access to EFS"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "elasticfilesystem:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "ecs-service-role" {
  role       = "${aws_iam_role.iam_role.name}"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole"
}

resource "aws_iam_role_policy_attachment" "ecs-service-for-ec2-role" {
  role       = "${aws_iam_role.iam_role.name}"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
}

resource "aws_iam_role_policy_attachment" "ssm-service-role" {
  role       = "${aws_iam_role.iam_role.name}"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
}

resource "aws_iam_role_policy_attachment" "efs-for-ec2-role" {
  role       = "${aws_iam_role.iam_role.name}"
  policy_arn = "${aws_iam_policy.efs-policy.arn}"
}

resource "aws_iam_instance_profile" "ecs-instance-profile" {
  name = "${var.env}-ecs"
  role = "${aws_iam_role.iam_role.name}"
}