AWS ECS Fargate Delegate Install from 0 to Hero

Recently I have been going through our training material and helping supercharge the learning and on-boarding experience. Been putting together some Harness infrastructure with clean slates and my own accounts e.g AWS.

Our ECS Delegate Installation is pretty straight forward. Though what is not straight forward if you are starting from scratch with your first ECS Cluster. There are tunables and permissions to go through for any workload to be placed. We compared the ECS launch types in a blog post in August. We will be using Fargate here to requests resources on our behalf.

If you are green to ECS or AWS in general don’t worry, this guide will get you through an ECS Delegate Install. The first item would be to get or log-in to your AWS Account / Console.

After we will leverage the AWS CLI to install the ECS Task Spec. Once the AWS CLI is installed can run from the command line “aws configure” to wire up your account keys.

A few helpful AWS ECS CLI Commands that we can use throughout:

  • aws ecs describe-clusters
  • aws ecs describe-clusters --cluster CommunityCluster
  • aws ecs list-clusters
  • aws ecs list-services --cluster CommunityCluster
  • aws ecs delete-cluster --cluster CommunityCluster
  • aws ecs list-task-definitions

Prudent Harness Docs:

https://docs.harness.io/category/df9vj316ec-ecs-deployment

Get ECS Ship Done

Let’s go about setting up our ECS Cluster and Identity and Access Management [IAM] Roles. Medium has an excellent article on ECS Concepts if you want to get delve into more granular topics.

Start with the three sets of IAM Roles. Making sure that the following two roles are available so ECS can create EC2 instances on your behalf. Under IAM, can generate three roles based off of the “AmazonEC2ContainerServiceRole”, “AmazonECSTaskExecutionRolePolicy”, and ”AmazonEC2ContainerServiceforEC2Role” which all pre configured policies just needing a role attached.

This is the gotcha! Modify the trust for Fargate by adding/modifying to “ecs-tasks” in the Harness-ECS-Delegate role. This will allow ECS Fargate to assume the role and create items needed.

Can Navigate to the ECS Service Section and create your first cluster: Recommended that to create an AWS EC2 instance type m5.xlarge has 16GB of RAM, 8 for the Delegate and 8 for the remaining operations.

Remember the Role ARNs, this will be populated in the ECS-TASK-JSON later.

  • arn:aws:iam:::role/Harness-ECS-Delegate
  • arn:aws:iam:::role/Harness-Delegate-ECS-Task

For sanity sake, we can create a Security Group for The new ECS Cluster under VPC -> Security Groups.

Make sure to add the in/outbound rules.

Time to install the ECS Cluster!

For the VPC and Subnet Information, suggest using the default if this is your first time using the service.

Though I suggest using a subnet or subnets you are familiar with.

The Harness Goodness

Once you have an awaiting ECS Cluster and AWS CLI, setup is a breeze.

Back in Harness, download the ECS Delegate Task Definition under Setup -> Harness Delegates.

Can give a group name. We will be using Fargate so select “AWS VPC MODE”.

Once you hit submit, some files are auto-generated for you. Inside is the prudent Harness Connection information.

Unzip the TAR

We need to modify the role executing in the task definition per described here: https://docs.harness.io/article/wrm6hpyrjl-harness-ecs-delegate#trust_relationships_and_roles

Adding “executionRoleArn” and “taskRoleArn” to the ecs-task-spec.json.

  • “taskRoleArn”: “arn:aws:iam:::role/Harness-ECS-Delegate”
  • “executionRoleArn”: “arn:aws:iam::iam:role/Harness-Delegate-ECS-Task”,

Since we will leverage Fargate, we also need to enter a placement constrant for Fargate in the ecs-task-spec.json.

Now you are ready to run the AWS ECS CLI command to register the spec: “ aws ecs register-task-definition --cli-input-json file://ecs-task-spec.json”

Let’s edit the second JSON file in that TAR, the “service-spec-for-awsvpc-mode.json”.

We will need to add a few details. We will add the Cluster Name [in this example, CommunityCanary] and the VPC Subnet and VPC Security Group IDs.

Under AWS Console -> VPC -> Subnets

With those Subnet and Security Group IDs, can update the service-spec-for-awsvpc-mode.json.

While in there you can give your ECS Service a name and update the Cluster Name. Change the launchtype to “FARGATE” and remove the placement strategies as Fargate will handle this for us. We will also want to enable a Public IP so there can be two-way communication.

With all of that, you can finally run the last command to create the ECS Service.

aws ecs create-service --cli-input-json file://service-spec-for-awsvpc-mode.json

Can validate that the ECS Service is running in ECS

Validate the connectivity in Harness:

BAM! You are all set.

Add yourself an AWS Cloud Provider

The end goal of all that configuration to now allow Harness to run tasks on AWS. w00t!

Just enter your AWS Access Key / Secret you recieved when setting up your AWS Account / one that was given to you with proper rights.

After entering the goodness, you can see:

And just like that, you are now cooking with Gas with AWS Fargate managing the delegates!