Attention

For production workloads, we highly recommend creating the ECS Cluster outside of ECS Compose-X and pointing at it with the Lookup feature, so that the cluster's lifecycle (and its exec-logging resources) is not tied to a single compose deployment.

x-cluster

x-cluster:
    Properties: {}
    Lookup: {}
    MacroParameters: {}

Allows you to create, or look up, the ECS cluster that the services will be deployed into.

Properties

Refer to the AWS CFN reference for ECS Cluster

Override default settings
x-cluster:
  Properties:
    CapacityProviders:
      - FARGATE
      - FARGATE_SPOT
    ClusterName: FargateOnly
    DefaultCapacityProviderStrategy:
      - CapacityProvider: FARGATE_SPOT
        Weight: 4
        Base: 2
      - CapacityProvider: FARGATE
        Weight: 1

Lookup

Allows you to point at an existing ECS Cluster that you want to deploy your services to. As the JSON schema at the end of this page defines it, Lookup is either the cluster name as a plain string, or an object whose ClusterName is required, with an optional RoleArn to assume when performing the lookup.

Lookup existing cluster example.
x-cluster:
  Lookup:
    ClusterName: clusterabcd

Attention

If no cluster with that name is found, by default a new cluster is created with the default settings (no exec logging, no KMS key). If you only ever intend to deploy into the existing cluster, check the generated template for an unexpected AWS::ECS::Cluster resource before deploying.

Secure your cluster and ECS Execute commands

With the release of the ECS Execute Command feature comes the need to log who runs which commands remotely, so that sessions can be traced and audited. The ECS Cluster properties let you define the S3 bucket, the CloudWatch log group and the KMS key used to encrypt the remote sessions and their logs. These settings can be tricky to set up for someone new to AWS.

Enable it with a new KMS key, S3 bucket and log group.

To simplify that, the following MacroParameters let Compose-X create these resources for you automatically.

MacroParameters:
  CreateExecLoggingKmsKey: bool
  AllowKmsKeyReuse: bool
  CreateExecLoggingBucket: bool
  CreateExecLoggingLogGroup: bool

CreateExecLoggingKmsKey

Creates a new KMS key that is used to encrypt the exec sessions and their logs.

AllowKmsKeyReuse

Only valid if CreateExecLoggingKmsKey is set to True. Widens the KMS key policy so that more services and IAM principals in the account can use the key (per the schema below: CloudWatch Logs for any log group rather than just the one created here), which lets the key be reused with other ECS clusters. It defaults to False; leave it there unless you intend to share the key, because a wider key policy also widens who can decrypt the session logs.

CreateExecLoggingBucket

Creates a new S3 bucket to store the ECS Execute command logs in. If a KMS key is set (or CreateExecLoggingKmsKey is True), the bucket is encrypted with that key.

CreateExecLoggingLogGroup

Similar to CreateExecLoggingBucket, but for a CloudWatch log group; its retention is controlled by LogGroupRetentionInDays (120 days by default). Streaming the commands to CloudWatch Logs lets you parse them in near real time and alert on rogue or dangerous executions.
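As an added example, not Compose-X's own code, the following Python builds the KMS key policy that a CloudWatch log group used for ECS Exec logging needs, first pinned to a single log group and then widened to any log group in the account and region, which is the effect the schema below attributes to AllowKmsKeyReuse. It follows the key policy pattern AWS documents for encrypting CloudWatch Logs data with KMS; whether Compose-X emits exactly these statements is an assumption, and the account ID, region and log group name are constructed placeholders. This is also the kind of policy you have to write yourself when you bring an existing key (see the warning under "Enable it using existing resources").

```python
"""Added example (not Compose-X's own code): KMS key policy for ECS Exec logs in CloudWatch.

The account ID, region and log group name are constructed placeholders.
"""
import json
from typing import Optional

ACCOUNT_ID = "123456789012"  # constructed placeholder
REGION = "eu-west-1"         # constructed placeholder

# Actions the CloudWatch Logs service principal needs on the key (AWS-documented pattern).
LOGS_KEY_ACTIONS = [
    "kms:Encrypt*",
    "kms:Decrypt*",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:Describe*",
]


def exec_logging_key_policy(account_id: str, region: str,
                            log_group_name: Optional[str]) -> dict:
    """Return a KMS key policy document.

    With a log_group_name, CloudWatch Logs may only use the key for that one
    log group (strict). With None, the condition is widened to every log group
    in the account and region, i.e. the key can be reused by other clusters,
    which is the effect AllowKmsKeyReuse is described as having.
    """
    if log_group_name is None:
        log_group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:*"
        condition_op = "ArnLike"
    else:
        log_group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}"
        condition_op = "ArnEquals"

    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Account administration: without it the account is locked out of its own key.
                "Sid": "EnableAccountRootAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                # CloudWatch Logs, restricted through the encryption context the service
                # sets (the log group ARN), so the grant cannot be used for other log groups.
                "Sid": "AllowCloudWatchLogs",
                "Effect": "Allow",
                "Principal": {"Service": f"logs.{region}.amazonaws.com"},
                "Action": LOGS_KEY_ACTIONS,
                "Resource": "*",
                "Condition": {
                    condition_op: {"kms:EncryptionContext:aws:logs:arn": log_group_arn}
                },
            },
        ],
    }


def logs_statement(policy: dict) -> dict:
    """Pick the CloudWatch Logs statement out of a policy built above."""
    return next(s for s in policy["Statement"] if s["Sid"] == "AllowCloudWatchLogs")


def policy_allows_any_log_group(policy: dict) -> bool:
    """True when the CloudWatch Logs grant is not pinned to a single log group."""
    condition = logs_statement(policy)["Condition"]
    arn = next(iter(condition.values()))["kms:EncryptionContext:aws:logs:arn"]
    return arn.endswith(":log-group:*")


if __name__ == "__main__":
    strict = exec_logging_key_policy(ACCOUNT_ID, REGION, "/ecs/exec/prod")
    shared = exec_logging_key_policy(ACCOUNT_ID, REGION, None)
    print(json.dumps(strict, indent=2))
    print("strict policy usable for any log group:", policy_allows_any_log_group(strict))
    print("shared policy usable for any log group:", policy_allows_any_log_group(shared))
```

The two variants differ only in the condition on the encryption context: ArnEquals on one log group ARN versus ArnLike on a wildcard. The key policy is only half of the picture; the ECS Exec documentation additionally requires kms:Decrypt on the task role and kms:GenerateDataKey for the principal that runs execute-command, which are identity-side grants and are not covered by this block.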

Enable it using existing resources

Warning

If you point at existing resources that are encrypted with a KMS key, it is your responsibility to ensure the key policy is set correctly, that is, that the CloudWatch Logs service principal and the ECS task role are allowed to use the key. Compose-X does not modify the policy of a key it did not create.

Override default settings
x-cluster:
  Properties:
    Configuration:
      ExecuteCommandConfiguration:
        KmsKeyId: x-kms::<key, i.e. existing-key>
        LogConfiguration:
          CloudWatchEncryptionEnabled: boolean # True if KmsKeyId is set
          CloudWatchLogGroupName: String
          S3BucketName: String # x-s3::<bucket, i.e. logging-bucket> to use an existing bucket
          S3EncryptionEnabled: boolean # True if KmsKeyId is set
          S3KeyPrefix: String # Set to whatever value
        Logging: OVERRIDE

x-s3:
  logging-bucket:
    Lookup: {}

x-kms:
  existing-key:
    Lookup: {}

When using x-cluster.Lookup

When using x-cluster.Lookup, all of these settings are detected automatically from the existing cluster's ExecuteCommandConfiguration, and the IAM permissions the services need to use them are created accordingly.
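When you deploy into an existing cluster, it is worth checking what its ExecuteCommandConfiguration actually contains before trusting that exec sessions are logged. The script below is an added example, not part of Compose-X: it walks cluster records in the shape of an ecs:DescribeClusters response and reports why a cluster would fall short of the setup described above (logging not OVERRIDE, no KMS key, a log destination without encryption). The three cluster records are constructed sample data; against a real account you would pass `ecs.describe_clusters(clusters=[...], include=["CONFIGURATIONS"])["clusters"]` from boto3 instead.

```python
"""Added example (not Compose-X's own code): audit ECS Exec logging on clusters.

The cluster records below are constructed sample data shaped like the
"clusters" list of an ecs:DescribeClusters response; names are placeholders.
"""
from typing import List

SAMPLE_CLUSTERS = [
    {
        "clusterName": "prod-exec-logged",
        "configuration": {
            "executeCommandConfiguration": {
                "kmsKeyId": "arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555",
                "logging": "OVERRIDE",
                "logConfiguration": {
                    "cloudWatchLogGroupName": "/ecs/exec/prod",
                    "cloudWatchEncryptionEnabled": True,
                    "s3BucketName": "prod-exec-audit-logs",
                    "s3EncryptionEnabled": True,
                    "s3KeyPrefix": "exec/",
                },
            }
        },
    },
    {
        # A cluster created with default settings: no exec configuration at all.
        "clusterName": "default",
        "configuration": {},
    },
    {
        # Logging destination present, but no key and encryption switched off.
        "clusterName": "staging-plain",
        "configuration": {
            "executeCommandConfiguration": {
                "logging": "OVERRIDE",
                "logConfiguration": {
                    "cloudWatchLogGroupName": "/ecs/exec/staging",
                    "cloudWatchEncryptionEnabled": False,
                },
            }
        },
    },
]


def exec_logging_findings(cluster: dict) -> List[str]:
    """Return the problems with a cluster's ECS Exec logging; an empty list means OK."""
    findings = []
    ecc = cluster.get("configuration", {}).get("executeCommandConfiguration", {})
    # ECS semantics: NONE disables logging, DEFAULT reuses the task's awslogs driver
    # if any, and only OVERRIDE honours the logConfiguration block.
    logging_mode = ecc.get("logging", "DEFAULT")
    if logging_mode != "OVERRIDE":
        findings.append(
            f"logging is {logging_mode}, not OVERRIDE: exec sessions have no dedicated audit trail"
        )
    if not ecc.get("kmsKeyId"):
        findings.append("no kmsKeyId: exec session data is not encrypted with a customer managed key")
    log_cfg = ecc.get("logConfiguration", {})
    has_cw = bool(log_cfg.get("cloudWatchLogGroupName"))
    has_s3 = bool(log_cfg.get("s3BucketName"))
    if logging_mode == "OVERRIDE" and not (has_cw or has_s3):
        findings.append("OVERRIDE set but neither a CloudWatch log group nor an S3 bucket is configured")
    if has_cw and not log_cfg.get("cloudWatchEncryptionEnabled", False):
        findings.append("CloudWatch logging is on but cloudWatchEncryptionEnabled is false")
    if has_s3 and not log_cfg.get("s3EncryptionEnabled", False):
        findings.append("S3 logging is on but s3EncryptionEnabled is false")
    return findings


def audit(clusters: List[dict]) -> dict:
    """Map cluster name -> findings for every cluster in a DescribeClusters result."""
    return {c["clusterName"]: exec_logging_findings(c) for c in clusters}


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_CLUSTERS).items():
        print(f"{name}: {'OK' if not problems else 'REVIEW'}")
        for problem in problems:
            print(f"  - {problem}")
```

The check deliberately treats a missing executeCommandConfiguration as DEFAULT, because that is what a cluster created with the default settings (the fallback described in the Lookup section above) looks like in the API.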

JSON Schema

Model

x-cluster (x-cluster.spec.json): x-cluster specification for ECS Cluster

type: object
additionalProperties: False
oneOf: an object that requires Lookup, or an object that requires Properties

properties

  • Lookup: oneOf
      - type: string (the name of the existing cluster)
      - type: object, required: ClusterName, with properties:
          • ClusterName: type string
          • RoleArn: x-resources.common.spec.json#/definitions/Lookup/properties/RoleArn

  • Properties: type object
      https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-cluster.html

  • MacroParameters: type object, with properties:
      • CreateExecLoggingLogGroup: type boolean. Define whether Compose-X should create a CW LogGroup to log exec commands
      • LogGroupRetentionInDays: type number, default 120
      • CreateExecLoggingBucket: type boolean. Define whether Compose-X should create a new S3 bucket to log exec commands
      • CreateExecLoggingKmsKey: type boolean. Define whether Compose-X should create a new KMS Key to encrypt log exec commands
      • AllowKmsKeyReuse: type boolean, default False. Whether the KMS Key should by default allow AWS Logs to use the key for any log group
      dependencies: AllowKmsKeyReuse requires CreateExecLoggingKmsKey

Definition

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "id": "x-cluster.spec.json",
  "$id": "x-cluster.spec.json",
  "title": "x-cluster",
  "description": "x-cluster specification for ECS Cluster",
  "type": "object",
  "additionalProperties": false,
  "properties": {
    "Lookup": {
      "oneOf": [
        {
          "type": "string"
        },
        {
          "type": "object",
          "required": [
            "ClusterName"
          ],
          "properties": {
            "ClusterName": {
              "type": "string"
            },
            "RoleArn": {
              "$ref": "x-resources.common.spec.json#/definitions/Lookup/properties/RoleArn"
            }
          }
        }
      ]
    },
    "Properties": {
      "type": "object",
      "description": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-cluster.html"
    },
    "MacroParameters": {
      "type": "object",
      "dependencies": {
        "AllowKmsKeyReuse": [
          "CreateExecLoggingKmsKey"
        ]
      },
      "properties": {
        "CreateExecLoggingLogGroup": {
          "description": "Define whether Compose-X should create a CW LogGroup to log exec commands",
          "type": "boolean"
        },
        "LogGroupRetentionInDays": {
          "type": "number",
          "default": 120
        },
        "CreateExecLoggingBucket": {
          "description": "Define whether Compose-X should create a new S3 bucket to log exec commands",
          "type": "boolean"
        },
        "CreateExecLoggingKmsKey": {
          "description": "Define whether Compose-X should create a new KMS Key to encrypt log exec commands",
          "type": "boolean"
        },
        "AllowKmsKeyReuse": {
          "type": "boolean",
          "description": "Whether the KMS Key should by default allow AWS Logs use the key for any log group",
          "default": false
        }
      }
    }
  },
  "oneOf": [
    {
      "type": "object",
      "required": [
        "Lookup"
      ]
    },
    {
      "type": "object",
      "required": [
        "Properties"
      ]
    }
  ]
}