From 6f0ba3bac5c3ab305e8e3701dd3001fdd42d65d3 Mon Sep 17 00:00:00 2001 From: Nicolas De Loof Date: Wed, 23 Sep 2020 07:15:55 +0200 Subject: [PATCH] architecture document Signed-off-by: Nicolas De Loof --- ecs/architecture.md | 68 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 ecs/architecture.md diff --git a/ecs/architecture.md b/ecs/architecture.md new file mode 100644 index 000000000..f85616719 --- /dev/null +++ b/ecs/architecture.md 
@@ -0,0 +1,68 @@ +# Architecture + +ECS integration relies on CloudFormation to manage AWS resrouces as an atomic operation. +This document describes the mapping between compose application model and AWS components + +## Overview + +This diagram shows compose model and on same line AWS components that get created as equivalent resources + +``` ++----------+ +-------------+ +-------------------+ +| Project | | Cluster | | LoadBalancer | ++-+--------+ +-------------+ +-------------------+ + | + | +----------+ +-------------+ +----------------+ +-------------------+ + +----+ Service | | Service | | TaskDefinition | | TargetGroup | + | +--+-------+ +-------------+ +----------------+ +-------------------+ + | | +----------------+ + | | x-aws-role, x-aws-policies | TaskRole | + | | +----------------+ + | | +---------+ +-------------+ +-------------------+ + | +--+ Ports | | IngressRule | | Listener | + | | +---------+ +-------------+ +-------------------+ + | | + | | +---------+ +---------------+ +------------------+ + | +--+ Secrets | | InitContainer | |TaskExecutionRole | + | | +---------+ +---------------+ +------------+-----+ + | | | + | | +---------+ | + | +--+ Volumes | | + | | +---------+ | + | | | + | | +---------------+ | +------------------------------------------+ + | +--+ DeviceRequest | | | CapacityProvider || AutoscalingGroup | + | +---------------+ | +------------------------------------------+ + | | | LaunchConfiguration | + | +------------+ +---------------+ | +---------------------+ + +---+ Networks | | SecurityGroup | | + | +------------+ +---------------+ | + | | + | +------------+ +---------------+ | + +---+ Secret | | Secret +--------------+ + +------------+ +---------------+ +``` + +Each compose application service is mapped to an ECS `Service`. A `TaksDefinition` is created according to compose definition. +Actual mapping is constrained by both Cloud platform and Fargate limitations. 
Such a `TaskDefinition` is set with a single container, +according to the compose model which doesn't offer a syntax to support sidecar containers. + +An IAM Role is created and configured as `TaskRole` to grant service access to additional AWS resources when required. For this +purpose, user can set `x-aws-policies` or define a fine grained `x-aws-role` IAM role document. + +Service's ports get mapped into security group's `IngressRule`s and load balancer `Listener`s. +Compose application whith HTTP services only (using ports 80/443 or `x-aws-protocol` set to `http`) get an Application Load Balancer +created, otherwise a Network Load Balancer is used. + +A `TargetGroup` is created per service to dispatch traffic by load balancer to the matching containers + +Secrets bound to a service get translated into an `InitContainer` added to the service's `TaskDefinition`. This init container is +responsible to create a `/run/secrets` file for secret to match docker secret model and make application code portable. +A `TaskExecutionRole` is also created per service, and is updated to grant access to bound secrets. + +Services using a GPU (`DeviceRequest`) get the `Cluster` extended with an EC2 `CapacityProvider`, using an `AutoscalingGroup` to manage +EC2 resources allocation based on a `LaunchConfiguration`. The latter uses ECS recommended AMI and machine type for GPU. + + + +
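Review bot: The security-group paragraph ("Service's ports get mapped into security group's `IngressRule`s and load balancer `Listener`s.") does not say which source the generated `IngressRule`s allow, for example whether a service port is open to any address or only to the load balancer's security group; since this is the document that explains what gets exposed when a compose file is deployed, please state the rule source and any way the user can restrict it. In the same spirit, the `TaskExecutionRole` paragraph says the role "is updated to grant access to bound secrets" but not whether that grant is scoped to the bound secrets only, and the `TaskRole` paragraph should say what permissions the role carries when neither `x-aws-policies` nor `x-aws-role` is set, so the least-privilege default is explicit. The secrets paragraph should also clarify whether the init container writes one file per secret under `/run/secrets` (the text reads "create a `/run/secrets` file for secret"). Spelling and punctuation in the hunk: `resrouces` -> `resources`, `TaksDefinition` -> `TaskDefinition`, `whith` -> `with`, "responsible to create" -> "responsible for creating", and the sentences ending "...AWS components", "...equivalent resources" and "...matching containers" are missing their final period.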