Attention
For production workloads, we highly recommend creating the ECS Cluster outside of ECS Compose-X and using the Lookup feature.
x-cluster ¶
x-cluster:
  Properties: {}
  Lookup: {}
  MacroParameters: {}
Allows you to create or look up the ECS cluster into which the services will be deployed.
Properties ¶
Refer to the AWS CFN reference for ECS Cluster
x-cluster:
  Properties:
    CapacityProviders:
      - FARGATE
      - FARGATE_SPOT
    ClusterName: FargateOnly
    DefaultCapacityProviderStrategy:
      - CapacityProvider: FARGATE_SPOT
        Weight: 4
        Base: 2
      - CapacityProvider: FARGATE
        Weight: 1
Lookup ¶
Allows you to enter the name of an existing ECS Cluster that you want to deploy your services to.
x-cluster:
  Lookup:
    Tags:
      - name: clusterabcd
      - costcentre: lambda
Attention
If the cluster name is not found, a new cluster is created by default with the default settings.
Secure your cluster and ECS Execution commands ¶
With the release of the ECS Execute Command feature comes the need to log who runs what commands remotely, so that activity can be traced and audited. The ECS Cluster Properties let you define the S3 bucket, CloudWatch Logs log group and KMS key used to encrypt the remote execution sessions and to log their activity. However, these settings can be tricky to set up for someone new to AWS.
Enable it with a new KMS key, S3 bucket and log group ¶
To simplify this, we implemented MacroParameters that create and wire these resources for you automatically.
MacroParameters:
  CreateExecLoggingKmsKey: bool
  AllowKmsKeyReuse: bool
  CreateExecLoggingBucket: bool
  CreateExecLoggingLogGroup: bool
CreateExecLoggingKmsKey ¶
Creates a new KMS key that is used to encrypt the execution sessions and their logs.
AllowKmsKeyReuse ¶
Only valid if CreateExecLoggingKmsKey is set to True. This changes the KMS key policy to allow more services and IAM resources in the account to use the KMS key, so that the key can be re-used with other ECS Clusters.
CreateExecLoggingBucket ¶
Creates a new S3 bucket to store the ECS Execute Command logs. If a KMS key is set (or CreateExecLoggingKmsKey is True), that key is used to encrypt the bucket.
CreateExecLoggingLogGroup ¶
Similar to CreateExecLoggingBucket, but for a CloudWatch log group. This allows you to parse the executed commands in near real time and detect rogue or dangerous executions.
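The key-policy difference behind AllowKmsKeyReuse, as an added example that is not ECS Compose-X code: the statement below follows the AWS-documented pattern for letting CloudWatch Logs use a customer-managed KMS key (service principal logs.<region>.amazonaws.com plus the kms:EncryptionContext:aws:logs:arn condition). Scoping the encryption context to one log group ties the key to that group; widening it to a wildcard is what lets other log groups, and therefore other clusters, share the key. The region, account id and log group name are constructed placeholders, and the mapping of this wide shape onto what Compose-X emits for AllowKmsKeyReuse is an assumption, not something this page documents.

```python
"""CloudWatch Logs statements for a KMS key policy, scoped to one log group or
opened to every log group in the account, plus a check that spots the open form.
Added example; constructed values, not Compose-X output."""
from __future__ import annotations

# Actions CloudWatch Logs needs on the key (AWS-documented pattern).
LOGS_ACTIONS = [
    "kms:Encrypt*",
    "kms:Decrypt*",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:Describe*",
]


def logs_statement(region: str, account_id: str, log_group: str | None) -> dict:
    """With a log_group, only that group's ARN is accepted in the encryption
    context; with None, any log group in the account and region may use the key
    (the reusable shape)."""
    suffix = log_group if log_group is not None else "*"
    return {
        "Sid": "AllowCloudWatchLogsUseOfKey",
        "Effect": "Allow",
        "Principal": {"Service": f"logs.{region}.amazonaws.com"},
        "Action": LOGS_ACTIONS,
        "Resource": "*",
        "Condition": {
            "ArnLike": {
                "kms:EncryptionContext:aws:logs:arn":
                    f"arn:aws:logs:{region}:{account_id}:log-group:{suffix}"
            }
        },
    }


def key_policy(statements: list[dict], account_id: str) -> dict:
    """Wrap statements in a key policy that keeps the account root as key
    administrator, so the key can never become unmanageable."""
    root = {
        "Sid": "EnableIAMUserPermissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }
    return {"Version": "2012-10-17", "Statement": [root, *statements]}


def logs_wildcard_grants(policy: dict) -> list[str]:
    """Return the Sids of Allow statements that let a CloudWatch Logs principal
    use the key for any log group: a wildcard in the encryption-context ARN, or
    no encryption-context condition at all."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        service = stmt.get("Principal", {}).get("Service", "")
        services = [service] if isinstance(service, str) else service
        if not any(s.startswith("logs.") for s in services):
            continue
        ctx = stmt.get("Condition", {}).get("ArnLike", {}).get(
            "kms:EncryptionContext:aws:logs:arn"
        )
        values = [ctx] if isinstance(ctx, str) else (ctx or [])
        if not values or any(v.endswith("*") for v in values):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


if __name__ == "__main__":
    # Constructed placeholders: region, account id and log group name.
    strict = key_policy([logs_statement("eu-west-1", "111122223333", "/ecs/exec-logs")], "111122223333")
    wide = key_policy([logs_statement("eu-west-1", "111122223333", None)], "111122223333")
    print("strict policy wildcard grants:", logs_wildcard_grants(strict))
    print("reusable policy wildcard grants:", logs_wildcard_grants(wide))
```

Running logs_wildcard_grants over a key policy pulled from an account is a quick way to see whether a key that was meant for one cluster's exec logs has in fact been opened to every log group, which is the trade-off AllowKmsKeyReuse asks you to accept.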
Enable it using existing resources ¶
Warning
If you are using existing resources that rely on a KMS key, it is your responsibility to ensure the key policy is set correctly.
x-cluster:
  Properties:
    Configuration:
      ExecuteCommandConfiguration:
        KmsKeyId: x-kms::<key, i.e. existing-key>
        LogConfiguration:
          CloudWatchEncryptionEnabled: boolean # (True if KmsKeyId is set)
          CloudWatchLogGroupName: String
          S3BucketName: String # x-s3::<bucket, i.e. logging-bucket> to use an existing bucket
          S3EncryptionEnabled: boolean # (True if KmsKeyId is set)
          S3KeyPrefix: String # Set to whatever value
        Logging: OVERRIDE
x-s3:
  logging-bucket:
    Lookup: {}
x-kms:
  existing-key:
    Lookup: {}
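A pre-deployment check for the configuration above, as an added example that is not part of ECS Compose-X: it walks the x-cluster ExecuteCommandConfiguration of a compose document (a constructed dict mirroring the YAML on this page, with values filled in), resolves the page's x-kms:: and x-s3:: references against the top-level x-kms and x-s3 sections, and reports the settings a reviewer would want fixed before the template is deployed: a missing KmsKeyId, a Logging mode other than OVERRIDE (under which LogConfiguration is not applied), no log destination, a reference to an undeclared resource, and encryption flags left off while a KMS key is set. The audit rules are this example's own; the page only states which flags should be True when KmsKeyId is set.

```python
"""Static checks over an x-cluster ExecuteCommandConfiguration.
Added example, not Compose-X code; COMPOSE is a constructed document."""
from __future__ import annotations

import copy

# Constructed compose document: dict form of the YAML on this page with values filled in.
COMPOSE = {
    "x-cluster": {
        "Properties": {
            "Configuration": {
                "ExecuteCommandConfiguration": {
                    "KmsKeyId": "x-kms::existing-key",
                    "Logging": "OVERRIDE",
                    "LogConfiguration": {
                        "CloudWatchEncryptionEnabled": True,
                        "CloudWatchLogGroupName": "/ecs/exec/audit",
                        "S3BucketName": "x-s3::logging-bucket",
                        "S3EncryptionEnabled": True,
                        "S3KeyPrefix": "ecs-exec/",
                    },
                }
            }
        }
    },
    "x-s3": {"logging-bucket": {"Lookup": {}}},
    "x-kms": {"existing-key": {"Lookup": {}}},
}

# Same document with two constructed defects: an undeclared bucket and S3 encryption off.
WEAK_COMPOSE = copy.deepcopy(COMPOSE)
_weak_log = WEAK_COMPOSE["x-cluster"]["Properties"]["Configuration"]["ExecuteCommandConfiguration"]["LogConfiguration"]
_weak_log["S3BucketName"] = "x-s3::missing-bucket"
_weak_log["S3EncryptionEnabled"] = False


def resolve_ref(compose: dict, value: str) -> str | None:
    """For an 'x-kms::name' / 'x-s3::name' reference, return an error message if
    the referenced resource is not declared in that top-level section. Plain
    strings (names, ARNs) are not references and pass."""
    if not value.startswith("x-") or "::" not in value:
        return None
    module, _, name = value.partition("::")
    if name not in compose.get(module, {}):
        return f"{value} refers to an undeclared resource in {module}"
    return None


def audit_exec_config(compose: dict) -> list[str]:
    """Return a list of findings; an empty list means the exec configuration
    matches the recommended shape on this page."""
    findings: list[str] = []
    props = compose.get("x-cluster", {}).get("Properties", {})
    exec_cfg = props.get("Configuration", {}).get("ExecuteCommandConfiguration")
    if exec_cfg is None:
        return ["ExecuteCommandConfiguration is missing: ECS Exec sessions are neither encrypted nor logged"]

    kms_key = exec_cfg.get("KmsKeyId")
    if not kms_key:
        findings.append("KmsKeyId not set: session data is not encrypted with a customer-managed key")
    else:
        err = resolve_ref(compose, kms_key)
        if err:
            findings.append(err)

    logging_mode = exec_cfg.get("Logging")
    if logging_mode != "OVERRIDE":
        # LogConfiguration is only honoured in OVERRIDE mode, so stop here.
        findings.append(f"Logging is {logging_mode!r}: LogConfiguration is only applied with OVERRIDE")
        return findings

    log_cfg = exec_cfg.get("LogConfiguration", {})
    bucket = log_cfg.get("S3BucketName")
    group = log_cfg.get("CloudWatchLogGroupName")
    if not bucket and not group:
        findings.append("No log destination: set CloudWatchLogGroupName and/or S3BucketName")
    for ref in (bucket, group):
        if ref:
            err = resolve_ref(compose, ref)
            if err:
                findings.append(err)

    if kms_key:
        # The page's rule: both encryption flags should be True once a key is set.
        if group and not log_cfg.get("CloudWatchEncryptionEnabled"):
            findings.append("CloudWatchEncryptionEnabled should be True when KmsKeyId is set")
        if bucket and not log_cfg.get("S3EncryptionEnabled"):
            findings.append("S3EncryptionEnabled should be True when KmsKeyId is set")
    return findings


if __name__ == "__main__":
    for label, doc in (("recommended", COMPOSE), ("weak", WEAK_COMPOSE)):
        print(label, audit_exec_config(doc) or "no findings")
```

The check deliberately stops after the Logging finding: with NONE or DEFAULT the LogConfiguration block is inert, so reporting on its flags would only add noise.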
When using x-cluster.Lookup ¶
When using x-cluster.Lookup, all of these settings are detected automatically from the existing cluster and the appropriate permissions are created for you.
JSON Schema ¶
Definition ¶
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "id": "x-cluster.spec.json",
  "$id": "x-cluster.spec.json",
  "title": "x-cluster",
  "description": "x-cluster specification for ECS Cluster",
  "type": "object",
  "additionalProperties": false,
  "properties": {
    "Lookup": {
      "oneOf": [
        {
          "type": "string"
        },
        {
          "type": "object",
          "required": [
            "ClusterName"
          ],
          "properties": {
            "ClusterName": {
              "type": "string"
            },
            "RoleArn": {
              "$ref": "x-resources.common.spec.json#/definitions/Lookup/properties/RoleArn"
            }
          }
        }
      ]
    },
    "Properties": {
      "type": "object",
      "description": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-cluster.html"
    },
    "MacroParameters": {
      "type": "object",
      "dependencies": {
        "AllowKmsKeyReuse": [
          "CreateExecLoggingKmsKey"
        ]
      },
      "properties": {
        "CreateExecLoggingLogGroup": {
          "description": "Define whether Compose-X should create a CW LogGroup to log exec commands",
          "type": "boolean"
        },
        "LogGroupRetentionInDays": {
          "type": "number",
          "default": 120
        },
        "CreateExecLoggingBucket": {
          "description": "Define whether Compose-X should create a new S3 bucket to log exec commands",
          "type": "boolean"
        },
        "CreateExecLoggingKmsKey": {
          "description": "Define whether Compose-X should create a new KMS Key to encrypt log exec commands",
          "type": "boolean"
        },
        "AllowKmsKeyReuse": {
          "type": "boolean",
          "description": "Whether the KMS Key should by default allow AWS Logs use the key for any log group",
          "default": false
        }
      }
    }
  },
  "oneOf": [
    {
      "type": "object",
      "required": [
        "Lookup"
      ]
    },
    {
      "type": "object",
      "required": [
        "Properties"
      ]
    }
  ]
}