Initial commit

Author: viesti

.gitignore

@@ -0,0 +1 @@
+.terraform

README.md

@@ -0,0 +1,24 @@
+# Testing ECS Exec
+
+Run `terraform apply` to create the sample infra, and then test running a command inside the container:
+
+
+```
+0% aws ecs describe-services --cluster main --services ecs-exec | grep task
+            "taskDefinition": "arn:aws:ecs:eu-west-1:262355063596:task-definition/ecs-exec:6",
+                    "taskDefinition": "arn:aws:ecs:eu-west-1:262355063596:task-definition/ecs-exec:6",
+                    "message": "(service ecs-exec) has started 1 tasks: (task 501baa96db6e41c2be390bf7d631aeba)."
+0% aws ecs execute-command --cluster main \
+    --task 501baa96db6e41c2be390bf7d631aeba \
+    --container amazon-linux \
+    --interactive \
+    --command "/bin/sh"
+
+The Session Manager plugin was installed successfully. Use the AWS CLI to start a session.
+
+
+Starting session with SessionId: ecs-execute-command-044e1413fda145ea9
+sh-4.2# uname -a
+Linux ip-172-31-4-218.eu-west-1.compute.internal 4.14.252-195.483.amzn2.x86_64 #1 SMP Mon Nov 1 20:58:46 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
+sh-4.2#
+```

main.tf

@@ -0,0 +1,110 @@
+resource "aws_ecs_cluster" "main" {
+  name = "main"
+
+  setting {
+    name  = "containerInsights"
+    value = "enabled"
+  }
+}
+
+resource "aws_iam_role" "ecs-exec" {
+  name = "ecs-exec"
+  assume_role_policy = jsonencode(
+    {
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Effect = "Allow"
+          Principal =  {
+            Service = [
+              "ecs-tasks.amazonaws.com"
+            ]
+          }
+         Action = "sts:AssumeRole"
+        }
+      ]
+    })
+
+  inline_policy {
+    name = "ecs_exec"
+    policy = jsonencode({
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Effect = "Allow"
+          Action = [
+            "ssmmessages:CreateControlChannel",
+            "ssmmessages:CreateDataChannel",
+            "ssmmessages:OpenControlChannel",
+            "ssmmessages:OpenDataChannel"
+          ],
+          Resource = "*"
+        }]})
+  }
+}
+
+resource "aws_ecs_task_definition" "ecs-exec" {
+  family = "ecs-exec"
+  task_role_arn = aws_iam_role.ecs-exec.arn
+  network_mode = "awsvpc"
+  requires_compatibilities = [
+    "EC2",
+    "FARGATE"
+  ]
+  cpu = ".25 vcpu"
+  memory = ".5 gb"
+  container_definitions = jsonencode ([
+    {
+      name = "amazon-linux"
+      image = "amazonlinux:latest"
+      essential = true
+      command = ["sleep","3600"]
+      linuxParameters = {
+        initProcessEnabled = true
+      }
+    }
+  ])
+}
+
+resource "aws_ecs_service" "ecs-exec" {
+  name = "ecs-exec"
+  cluster = aws_ecs_cluster.main.arn
+
+  depends_on = [aws_iam_role.ecs-exec]
+
+  task_definition = aws_ecs_task_definition.ecs-exec.arn
+  desired_count = 1
+  launch_type = "FARGATE"
+  enable_execute_command = true
+
+  network_configuration {
+    subnets = data.aws_subnets.default.ids
+    security_groups = [aws_security_group.ecs-exec.id]
+    assign_public_ip = true
+  }
+}
+
+data "aws_vpc" "default" {
+  default = true
+}
+
+data "aws_subnets" "default" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.default.id]
+  }
+}
+
+resource "aws_security_group" "ecs-exec" {
+  name = "ecs-exec"
+  vpc_id = data.aws_vpc.default.id
+
+  egress {
+    description = "Outbound traffic"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+}

setup.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = "eu-west-1"
+}