ecs-deploy is a continuous deployment platform for AWS ECS. It automates deploys based on a simple JSON/YAML file that can be integrated into your CI/CD pipeline.
ECS Deploy is a REST API server written in Go that can be used to deploy services on ECS from anywhere. It is typically executed as part of your deployment pipeline. Continuous Integration software (Jenkins, CircleCI, Bitbucket and others) often has no proper integration with ECS; this API server can itself be deployed on ECS and then provides continuous deployment for ECS.
You can bootstrap a new ECS cluster using ecs-deploy. It will set up an autoscaling group, an ALB, IAM roles, and the ECS cluster:
```bash
./ecs-deploy --bootstrap \
  --alb-security-groups sg-123456 \
  --cloudwatch-logs-enabled \
  --cloudwatch-logs-prefix mycompany \
  --cluster-name mycluster \
  --ecs-desired-size 1 \
  --ecs-max-size 1 \
  --ecs-min-size 1 \
  --ecs-security-groups sg-123456 \
  --ecs-subnets subnet-123456 \
  --environment staging \
  --instance-type t2.micro \
  --key-name mykey \
  --loadbalancer-domain cluster.in4it.io \
  --paramstore-enabled \
  --paramstore-kms-arn arn:aws:kms:region:accountid:key/1234 \
  --paramstore-prefix mycompany \
  --profile your-aws-profile \
  --region your-aws-region
```
You will need to set up the security groups and the VPC/subnets first. The ALB security group should allow inbound ports 80 and 443; the ECS security group should allow ports 32768 to 61000 (the dynamic host port range) only from the ALB security group.
If you no longer need the cluster, you can remove it by specifying `--delete-cluster` instead of `--bootstrap`.
Alternatively you can use Terraform to deploy the ECS cluster. See terraform/README.md for a Terraform module that spins up an ECS cluster.
To deploy the examples (an nginx server and an echoserver), use ecs-client:
```bash
./ecs-client login --url http://yourdomain/ecs-cluster
```
Or log in with environment variables:
```bash
ECS_DEPLOY_LOGIN=deploy ECS_DEPLOY_PASSWORD=password ./ecs-client login --url http://yourdomain/ecs-cluster
```
Then deploy the example services:
```bash
./ecs-client deploy -f examples/services/multiple-services/multiple-services.yaml
```
These will be used when deploying services
SAML can be enabled using the following environment variables:
* SAML_ENABLED=yes
* SAML_ACS_URL=https://mycompany.com/url-prefix
* SAML_CERTIFICATE=contents of your certificate
* SAML_PRIVATE_KEY=contents of your private key
* SAML_METADATA_URL=https://identity-provider/metadata.xml
To create a new key and certificate, the following openssl command can be used:
```bash
openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 3650 -nodes -subj "/CN=myservice.mycompany.com"
```
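A pre-deploy check for the SAML material, added here as an example and not part of ecs-deploy: it confirms that the SAML_PRIVATE_KEY really belongs to the SAML_CERTIFICATE and that the certificate is inside its validity window, the two mistakes that otherwise only surface as a failed SAML login. `selfSigned` is a hypothetical helper that builds throwaway material of the same shape as the openssl command above so the check runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ValidateSAMLKeyPair checks what goes into SAML_CERTIFICATE and SAML_PRIVATE_KEY
// before a deploy: the key must belong to the certificate and the certificate
// must be inside its validity window at now. Hypothetical helper, not ecs-deploy code.
func ValidateSAMLKeyPair(certPEM, keyPEM []byte, now time.Time) error {
	// X509KeyPair parses both PEM blocks (PKCS#1 or PKCS#8 keys) and fails when
	// the private key does not match the certificate's public key.
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return fmt.Errorf("SAML_CERTIFICATE/SAML_PRIVATE_KEY: %w", err)
	}
	cert, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate for %q not valid at %s (valid %s to %s)", cert.Subject.CommonName,
			now.Format(time.RFC3339), cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	return nil
}

// selfSigned builds a throwaway RSA key and self-signed certificate of the shape
// the openssl command above produces (CN only, PKCS#8 "PRIVATE KEY" block), so
// the check runs offline. Constructed sample material, not from any deployment.
func selfSigned(cn string, notAfter time.Time) (certPEM, keyPEM []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-3650 * 24 * time.Hour), NotAfter: notAfter} // -days 3650
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	pkcs8, _ := x509.MarshalPKCS8PrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pkcs8})
}
```

Run the check against the real myservice.cert and myservice.key contents before exporting them into SAML_CERTIFICATE and SAML_PRIVATE_KEY.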
The defaults are set for the most common use cases but can be changed by setting environment variables:

| Environment variable | Default value | Description |
| --- | --- | --- |
| PARAMSTORE_ENABLED | no | Use "yes" to enable the parameter store. |
| PARAMSTORE_PREFIX | "" | Prefix to use for the parameter store. mycompany will result in /mycompany/servicename/variable |
| PARAMSTORE_KMS_ARN | "" | Specify a KMS ARN to encrypt/decrypt variables |
| PARAMSTORE_INJECT | no | Use "Yes" to enable injection of secrets into the task definition |
| AUTOSCALING_STRATEGIES | LargestContainerUp,LargestContainerDown | List of autoscaling strategies to apply. See below for the different types |
| AUTOSCALING_DOWN_STRATEGY | gracefully | Only gracefully is supported for now (uses interval and period before executing the scaling-down operation) |
| AUTOSCALING_UP_STRATEGY | immediately | Scale-up strategy (immediately, gracefully) |
| AUTOSCALING_DOWN_COOLDOWN | 5 | Cooldown period after scaling down |
| AUTOSCALING_DOWN_INTERVAL | 60 | Seconds between intervals to check resource usage before scaling, after a scaling-down operation is detected |
| AUTOSCALING_DOWN_PERIOD | 5 | Periods to check before scaling |
| AUTOSCALING_UP_COOLDOWN | 5 | Cooldown period after scaling up |
| AUTOSCALING_UP_INTERVAL | 60 | Seconds between intervals to check resource usage before scaling, after a scaling-up operation is detected |
| AUTOSCALING_UP_PERIOD | 5 | Periods to check before scaling |
| SERVICE_DISCOVERY_TTL | 60 | TTL for service discovery records |
| SERVICEDISCOVERYFAILURETHRESHOLD | 3 | Failure threshold for service discovery records |
| AWS_RESOURCE_CREATION_ENABLED | yes | Let ecs-deploy create AWS IAM resources for you |
| SLACK_WEBHOOKS | "" | Comma-separated Slack webhooks, optionally with a channel (format: url1:#channel,url2:#channel) |
| SLACK_USERNAME | ecs-deploy | Slack username |
| ECS_TASK_ROLE_PERMISSION_BOUNDARY_ARN | "" | Permission boundary for ECS task roles |
| ECR_SCAN_ON_PUSH | false | Enable ECR image scanning |
| Strategy | Description |
| --- | --- |
| LargestContainerUp | Scale up when the largest container (+buffer) in the cluster can no longer be scheduled on any node |
| LargestContainerDown | Scale down when there is still enough capacity to schedule the largest container (+buffer) after a node is removed |
| Polling | Poll all services every minute to check whether a task can't be scheduled due to resource constraints (10 services per API call, only 1 call per second) |
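The two LargestContainer rules from the table, worked through as an added example that models them in Go; this is an assumed reading of the strategies, not ecs-deploy's own implementation. Placement is first-fit bin packing over each node's unreserved CPU/memory, `buffer` is the "+buffer" from the table, and `Node`, `Resources`, `ScaleUpNeeded` and `ScaleDownCandidate` are all hypothetical names.

```go
package main

// Resources is the CPU (units) and memory (MiB) of a task, or of free capacity.
type Resources struct{ CPU, Mem int64 }
// Node is a container instance: its unreserved capacity and the tasks it runs.
type Node struct {
	ID    string
	Free  Resources
	Tasks []Resources
}
// freeOf copies every node's free capacity except node skip (-1 for none).
func freeOf(nodes []Node, skip int) (free []Resources) {
	for i, n := range nodes {
		if i != skip {
			free = append(free, n.Free)
		}
	}
	return free
}
// place is first-fit bin packing: each task takes the first slot with room; false if one fits nowhere.
func place(tasks, free []Resources) bool {
next:
	for _, t := range tasks {
		for k := range free {
			if t.CPU <= free[k].CPU && t.Mem <= free[k].Mem {
				free[k] = Resources{free[k].CPU - t.CPU, free[k].Mem - t.Mem}
				continue next
			}
		}
		return false
	}
	return true
}
// ScaleUpNeeded is LargestContainerUp: no node can still hold largest+buffer.
func ScaleUpNeeded(nodes []Node, largest, buffer Resources) bool {
	need := Resources{largest.CPU + buffer.CPU, largest.Mem + buffer.Mem}
	return !place([]Resources{need}, freeOf(nodes, -1))
}

// ScaleDownCandidate is LargestContainerDown: ID of the first node whose tasks re-place
// on the remaining nodes with largest+buffer still fitting afterwards; "" if none is safe.
func ScaleDownCandidate(nodes []Node, largest, buffer Resources) string {
	need := Resources{largest.CPU + buffer.CPU, largest.Mem + buffer.Mem}
	for i, n := range nodes {
		if free := freeOf(nodes, i); place(n.Tasks, free) && place([]Resources{need}, free) {
			return n.ID
		}
	}
	return ""
}
```

The scale-down check deliberately re-places the drained node's tasks before asking whether largest+buffer still fits, which is what keeps a scale-in from immediately triggering a scale-out.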