As the title says, I am trying to set up a Vault Agent sidecar on a service deployed on AWS ECS. I want to store the service's environment variables in Vault and use Vault to generate certificates. I am also using Terraform to deploy it.
My Vault is an HCP (HashiCorp Cloud Platform) Vault Dedicated cluster.
I can't figure out how to write the task definition settings and the Vault Agent configuration file.
Here is what I have so far, although I haven't tried to implement the PKI engine for certificates yet.
ECS service resource:
resource "aws_ecs_task_definition" "task" {
  family                   = var.service_name
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = var.cpu
  memory                   = var.memory
  task_role_arn            = var.ecs_task_role_arn
  execution_role_arn       = var.ecs_task_execution_role_arn
  container_definitions    = <<DEFINITION
[
  {
    "image": "${var.container_image}",
    "name": "${var.service_name}",
    "readonlyRootFilesystem": false,
    "networkMode": "awsvpc",
    "environmentFiles": [
      {
        "value": "/etc/secrets/env_vars",
        "type": "s3"
      }
    ],
    "portMappings": [
      {
        "name": "http",
        "containerPort": ${var.port1},
        "hostPort": ${var.port1},
        "protocol": "tcp",
        "appProtocol": "http"
      }
    ],
    "logConfiguration": {
      "logDriver": "awslogs",
      "options": {
        "awslogs-group": "${var.service_name}",
        "awslogs-region": "${var.region}",
        "awslogs-stream-prefix": "${var.environment}",
        "awslogs-create-group": "true"
      }
    },
    "mountPoints": [
      {
        "sourceVolume": "vault-secrets",
        "containerPath": "/etc/secrets"
      }
    ]
  },
  {
    "name": "${var.service_name}-datadog-agent",
    "image": "public.ecr.aws/datadog/agent:latest",
    "cpu": 100,
    "memory": 512,
    "essential": true,
    "portMappings": [
      {
        "hostPort": 8126,
        "protocol": "tcp",
        "containerPort": 8126
      }
    ],
    "environment": [
      {
        "name": "ECS_FARGATE",
        "value": "true"
      }
    ]
  },
  {
    "name": "vault-agent",
    "image": "hashicorp/vault-agent:latest",
    "cpu": 50,
    "memory": 128,
    "essential": false,
    "command": ["vault", "agent", "-config=/vault/config/${var.service_name}-vault-agent-config.hcl"],
    "mountPoints": [
      {
        "sourceVolume": "vault-secrets",
        "containerPath": "/vault/secrets"
      },
      {
        "sourceVolume": "vault-config",
        "containerPath": "/vault/config"
      }
    ],
    "environment": [
      {
        "name": "VAULT_ADDR",
        "value": "${var.vault_address}"
      }
    ]
  }
]
DEFINITION

  volume {
    name = "vault-secrets"
    docker_volume_configuration {
      scope = "shared"
    }
  }

  volume {
    name = "vault-config"
    docker_volume_configuration {
      scope = "shared"
    }
  }
}
Here is my Vault Agent config template:
pid_file = "/tmp/vault-agent-pid"

auto_auth {
  method "aws" {
    mount_path = "auth/aws"
    config = {
      type = "iam"
      role = "${iam_role}"
    }
  }

  # The sink receives the Vault token itself, so it must not share a path
  # with the template output below, or the two files overwrite each other.
  sink "file" {
    config = {
      path = "/vault/secrets/.vault-token"
    }
  }
}

vault {
  address = "${vault_address}"
}

template {
  # source must exist inside the agent container, i.e. the task definition
  # needs a mount that provides /vault/templates
  source      = "/vault/templates/env.ctmpl"
  destination = "/vault/secrets/env_vars"
}
The error I get when trying to deploy via Terraform is:
Error: creating ECS Task Definition (test): operation error ECS: RegisterTaskDefinition, https response error StatusCode: 400, RequestID: f612cedb-f65a-4a9c-adb3-998a1fbc5f54, ClientException: Invalid arn syntax.
with module.ecs_service.aws_ecs_task_definition.task
on ecs/main.tf line 2, in resource "aws_ecs_task_definition" "task":
resource "aws_ecs_task_definition" "task" {
"Invalid arn syntax" indicates a problem with the ARN in task_role_arn or execution_role_arn. Make sure those ARNs follow the correct format (arn:aws:iam::<account-id>:role/<role-name>) and that the variables var.ecs_task_role_arn and var.ecs_task_execution_role_arn are correctly defined and passed in.

You should also get more insight from running terraform plan. Use it to check whether the ARNs are interpolated correctly, or enable debugging with TF_LOG=DEBUG terraform apply for more detailed output.
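Beyond the role ARNs, the posted task definition has a second ARN field worth checking: an environmentFiles entry of type s3 must carry an S3 object ARN, not a local path, so "/etc/secrets/env_vars" will also trip "Invalid arn syntax". Below is an added, Fargate-compatible version of the task definition and agent config; it is example code written for this page, not the poster's configuration or HashiCorp's. It assumes the HCP Vault Dedicated namespace "admin", a Vault AWS-auth role named ecs-<service> bound to the task role, a KV v2 secret at secret/<service>, the path /vault/secrets, and that the app's entrypoint sources the rendered env file itself (ECS has no way to load a container-local file as environment variables). The agent config is passed in as an environment variable because a Fargate volume cannot be pre-populated from Terraform.

```hcl
# Added example (not the poster's code). Assumed names are noted inline.

locals {
  # Rendered by Terraform and written to disk by the sidecar at start.
  vault_agent_config = <<-AGENT
    pid_file = "/tmp/vault-agent.pid"

    vault {
      address   = "${var.vault_address}"
      namespace = "admin"   # HCP Vault Dedicated default namespace (assumption)
    }

    auto_auth {
      method "aws" {
        mount_path = "auth/aws"
        config = {
          type = "iam"
          # Vault role whose bound_iam_principal_arn is the ECS task role (assumed name)
          role = "ecs-${var.service_name}"
        }
      }
      # The sink holds the Vault token; keep it apart from the rendered secrets.
      sink "file" {
        config = { path = "/vault/secrets/.vault-token" }
      }
    }

    # Inline template, so no .ctmpl volume is needed. Values are single-quoted;
    # a literal ' in a secret value would need extra escaping.
    template {
      destination = "/vault/secrets/env_vars"
      perms       = "0640"
      contents    = <<-EOT
        {{ with secret "secret/data/${var.service_name}" -}}
        {{ range $k, $v := .Data.data }}export {{ $k }}='{{ $v }}'
        {{ end }}{{- end }}
      EOT
    }
  AGENT
}

resource "aws_ecs_task_definition" "task" {
  family                   = var.service_name
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = var.cpu
  memory                   = var.memory
  task_role_arn            = var.ecs_task_role_arn           # arn:aws:iam::<account-id>:role/<name>
  execution_role_arn       = var.ecs_task_execution_role_arn

  # Fargate supports bind mounts only; docker_volume_configuration is rejected.
  volume {
    name = "vault-secrets"
  }

  container_definitions = jsonencode([
    {
      name      = var.service_name
      image     = var.container_image
      essential = true
      # Start only after the agent reports the env file has been rendered.
      dependsOn = [{ containerName = "vault-agent", condition = "HEALTHY" }]
      # No environmentFiles: that field accepts S3 object ARNs only.
      mountPoints  = [{ sourceVolume = "vault-secrets", containerPath = "/vault/secrets", readOnly = true }]
      portMappings = [{ containerPort = var.port1, protocol = "tcp" }]
    },
    {
      name      = "vault-agent"
      image     = "hashicorp/vault:1.15"   # the agent ships inside the vault image; pin a real tag
      essential = true
      environment = [
        { name = "VAULT_AGENT_CONFIG", value = local.vault_agent_config },
      ]
      # Write the config to disk, then exec the agent in the foreground.
      command = ["sh", "-c", "printf '%s' \"$VAULT_AGENT_CONFIG\" > /tmp/agent.hcl && exec vault agent -config=/tmp/agent.hcl"]
      # Healthy once the rendered file exists and is non-empty.
      healthCheck = {
        command     = ["CMD-SHELL", "test -s /vault/secrets/env_vars"]
        interval    = 5
        timeout     = 3
        retries     = 12
        startPeriod = 10
      }
      mountPoints = [{ sourceVolume = "vault-secrets", containerPath = "/vault/secrets" }]
    },
  ])
}
```

Two things to verify before applying this: the aws auth method's IAM login uses the task role credentials that Fargate exposes through the container credentials endpoint, so the Vault role must be bound to exactly that task role ARN; and the task's subnets must be able to reach the HCP Vault Dedicated cluster (public address or HVN peering), otherwise auto_auth fails before anything is rendered. Because the vault image's entrypoint only drops to the vault user when invoked as "vault ...", this sh wrapper leaves the agent running as root inside its own container; the app container mounts the shared volume read-only.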