diff --git a/ecs/architecture.md b/ecs/architecture.md new file mode 100644 index 000000000..f85616719 --- /dev/null +++ b/ecs/architecture.md 
@@ -0,0 +1,68 @@ +# Architecture + +ECS integration relies on CloudFormation to manage AWS resrouces as an atomic operation. +This document describes the mapping between compose application model and AWS components + +## Overview + +This diagram shows compose model and on same line AWS components that get created as equivalent resources + +``` ++----------+ +-------------+ +-------------------+ +| Project | | Cluster | | LoadBalancer | ++-+--------+ +-------------+ +-------------------+ + | + | +----------+ +-------------+ +----------------+ +-------------------+ + +----+ Service | | Service | | TaskDefinition | | TargetGroup | + | +--+-------+ +-------------+ +----------------+ +-------------------+ + | | +----------------+ + | | x-aws-role, x-aws-policies | TaskRole | + | | +----------------+ + | | +---------+ +-------------+ +-------------------+ + | +--+ Ports | | IngressRule | | Listener | + | | +---------+ +-------------+ +-------------------+ + | | + | | +---------+ +---------------+ +------------------+ + | +--+ Secrets | | InitContainer | |TaskExecutionRole | + | | +---------+ +---------------+ +------------+-----+ + | | | + | | +---------+ | + | +--+ Volumes | | + | | +---------+ | + | | | + | | +---------------+ | +------------------------------------------+ + | +--+ DeviceRequest | | | CapacityProvider || AutoscalingGroup | + | +---------------+ | +------------------------------------------+ + | | | LaunchConfiguration | + | +------------+ +---------------+ | +---------------------+ + +---+ Networks | | SecurityGroup | | + | +------------+ +---------------+ | + | | + | +------------+ +---------------+ | + +---+ Secret | | Secret +--------------+ + +------------+ +---------------+ +``` + +Each compose application service is mapped to an ECS `Service`. A `TaksDefinition` is created according to compose definition. +Actual mapping is constrained by both Cloud platform and Fargate limitations. 
Such a `TaskDefinition` is set with a single container, +according to the compose model which doesn't offer a syntax to support sidecar containers. + +An IAM Role is created and configured as `TaskRole` to grant service access to additional AWS resources when required. For this +purpose, user can set `x-aws-policies` or define a fine grained `x-aws-role` IAM role document. + +Service's ports get mapped into security group's `IngressRule`s and load balancer `Listener`s. +Compose application whith HTTP services only (using ports 80/443 or `x-aws-protocol` set to `http`) get an Application Load Balancer +created, otherwise a Network Load Balancer is used. + +A `TargetGroup` is created per service to dispatch traffic by load balancer to the matching containers + +Secrets bound to a service get translated into an `InitContainer` added to the service's `TaskDefinition`. This init container is +responsible to create a `/run/secrets` file for secret to match docker secret model and make application code portable. +A `TaskExecutionRole` is also created per service, and is updated to grant access to bound secrets. + +Services using a GPU (`DeviceRequest`) get the `Cluster` extended with an EC2 `CapacityProvider`, using an `AutoscalingGroup` to manage +EC2 resources allocation based on a `LaunchConfiguration`. The latter uses ECS recommended AMI and machine type for GPU. + + + +
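Review bot: Several typos in the new architecture.md should be fixed before merge: "resrouces" (Overview intro), "TaksDefinition" (the sentence after the diagram, which should read `TaskDefinition` to match the identifier used everywhere else), and "whith" in "Compose application whith HTTP services only". On substance, the paragraph "A `TaskExecutionRole` is also created per service, and is updated to grant access to bound secrets." would benefit from stating how that grant is scoped, i.e. whether the role is limited to the secret resources bound to that particular service rather than to secrets in general, since the per-service `TaskExecutionRole` and the per-service `TaskRole` (`x-aws-role`, `x-aws-policies`) are the two places where a reader will look to understand the privilege boundary of each service. Likewise, "responsible to create a `/run/secrets` file for secret" is awkward; consider "responsible for creating a file under `/run/secrets` for each bound secret" (if that is the intended layout) so the sentence matches the Docker secrets model it refers to.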