feat: ecs exec

ceramicnetwork · Apr 20, 2022 · 4ce0f36 · 4ce0f36
1 parent 60f1306
commit 4ce0f36
Show file tree

Hide file tree

Showing 8 changed files with 97 additions and 14 deletions.
diff --git a/modules/ecs/ceramic/iam.tf b/modules/ecs/ceramic/iam.tf
@@ -34,6 +34,12 @@ resource "aws_iam_policy" "s3_ceramic_node_state_store" {
   })
 }
 
+resource "aws_iam_policy" "ecs_exec_policy" {
+  name = "ECSExecPermissions-${local.namespace}"
+
+  policy = file("${path.module}/templates/ecs_exec_policy.json")
+}
+
 module "ecs_efs_task_role" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
   version = "2.22.0"
@@ -48,7 +54,8 @@ module "ecs_efs_task_role" {
   role_requires_mfa = false
 
   custom_role_policy_arns = [
-    "arn:aws:iam::aws:policy/AmazonElasticFileSystemClientFullAccess"
+    "arn:aws:iam::aws:policy/AmazonElasticFileSystemClientFullAccess",
+    aws_iam_policy.ecs_exec_policy.arn
   ]
 
   tags = local.default_tags

diff --git a/modules/ecs/ceramic/main.tf b/modules/ecs/ceramic/main.tf
@@ -1,10 +1,11 @@
 resource "aws_ecs_service" "main" {
-  platform_version = "1.4.0"
-  name             = var.ecs_service_name
-  cluster          = var.ecs_cluster_name
-  task_definition  = aws_ecs_task_definition.main.arn
-  desired_count    = var.ecs_count
-  launch_type      = "FARGATE"
+  platform_version       = "1.4.0"
+  name                   = var.ecs_service_name
+  cluster                = var.ecs_cluster_name
+  task_definition        = aws_ecs_task_definition.main.arn
+  desired_count          = var.ecs_count
+  launch_type            = "FARGATE"
+  enable_execute_command = true
 
   network_configuration {
     security_groups = [

diff --git a/modules/ecs/ceramic/templates/container_definitions.json.tpl b/modules/ecs/ceramic/templates/container_definitions.json.tpl
@@ -4,6 +4,9 @@
         "image": "${ceramic_image}",
         "cpu": ${cpu},
         "memory": ${memory},
+        "linuxParameters": {
+            "initProcessEnabled": true
+        },
         "ulimits": [
             {
                 "name": "nofile",

diff --git a/modules/ecs/ceramic/templates/ecs_exec_policy.json b/modules/ecs/ceramic/templates/ecs_exec_policy.json
@@ -0,0 +1,26 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ssmmessages:CreateControlChannel",
+        "ssmmessages:CreateDataChannel",
+        "ssmmessages:OpenControlChannel",
+        "ssmmessages:OpenDataChannel",
+        "ssm:UpdateInstanceInformation"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "logs:CreateLogStream",
+        "logs:PutLogEvents",
+        "logs:DescribeLogGroups",
+        "logs:DescribeLogStreams"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
diff --git a/modules/ecs/ipfs/iam.tf b/modules/ecs/ipfs/iam.tf
@@ -32,6 +32,13 @@ resource "aws_iam_policy" "main" {
   })
 }
 
+resource "aws_iam_policy" "ecs_exec_policy" {
+  name = "ECSExecPermissions-${local.namespace}"
+
+  policy = file("${path.module}/templates/ecs_exec_policy.json")
+}
+
+
 module "ecs_ipfs_task_role" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
   version = "2.22.0"
@@ -47,7 +54,8 @@ module "ecs_ipfs_task_role" {
 
   custom_role_policy_arns = [
     "arn:aws:iam::aws:policy/AmazonElasticFileSystemClientFullAccess",
-    aws_iam_policy.main.arn
+    aws_iam_policy.main.arn,
+    aws_iam_policy.ecs_exec_policy.arn
   ]
 
   tags = local.default_tags

diff --git a/modules/ecs/ipfs/main.tf b/modules/ecs/ipfs/main.tf
@@ -1,10 +1,11 @@
 resource "aws_ecs_service" "main" {
-  platform_version = "1.4.0"
-  name             = var.ecs_service_name
-  cluster          = var.ecs_cluster_name
-  task_definition  = aws_ecs_task_definition.main.arn
-  desired_count    = var.ecs_count
-  launch_type      = "FARGATE"
+  platform_version       = "1.4.0"
+  name                   = var.ecs_service_name
+  cluster                = var.ecs_cluster_name
+  task_definition        = aws_ecs_task_definition.main.arn
+  desired_count          = var.ecs_count
+  launch_type            = "FARGATE"
+  enable_execute_command = true
 
   network_configuration {
     security_groups = [

diff --git a/modules/ecs/ipfs/templates/container_definitions.json.tpl b/modules/ecs/ipfs/templates/container_definitions.json.tpl
@@ -4,6 +4,9 @@
         "image": "${image}",
         "cpu": ${cpu},
         "memory": ${memory},
+        "linuxParameters": {
+            "initProcessEnabled": true
+        },
         "ulimits": [
             {
                 "name": "nofile",
@@ -39,6 +42,10 @@
                 "name": "IPFS_LOGGING",
                 "value": "${default_log_level}"
             },
+            {
+                "name": "IPFS_ANNOUNCE_ADDRESS_LIST",
+                "value": "${announce_address_list}"
+            },
             {
                 "name": "IPFS_API_PORT",
                 "value": "${api_port}"
@@ -55,6 +62,10 @@
                 "name": "IPFS_ENABLE_HEALTHCHECK",
                 "value": "true"
             },
+            {
+                "name": "IPFS_ENABLE_S3",
+                "value": "${use_s3_blockstore}"
+            },
             {
                 "name": "IPFS_GATEWAY_PORT",
                 "value": "${gateway_port}"

diff --git a/modules/ecs/ipfs/templates/ecs_exec_policy.json b/modules/ecs/ipfs/templates/ecs_exec_policy.json
@@ -0,0 +1,26 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ssmmessages:CreateControlChannel",
+        "ssmmessages:CreateDataChannel",
+        "ssmmessages:OpenControlChannel",
+        "ssmmessages:OpenDataChannel",
+        "ssm:UpdateInstanceInformation"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "logs:CreateLogStream",
+        "logs:PutLogEvents",
+        "logs:DescribeLogGroups",
+        "logs:DescribeLogStreams"
+      ],
+      "Resource": "*"
+    }
+  ]
+}