Why can't my ECS pull an image from ECR?

Question (votes: 0, answers: 1)

I used terraform to launch ECS and ECR, and I successfully pushed my image to ECR. But when my ECS tries to pull the image from ECR, it seems to report a network-related problem.

ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve ecr registry auth: service call has been retried 3 time(s): RequestError: send request failed caused by: Post "https://api.ecr.ap-southeast-1.amazonaws.com/": dial tcp xx.xxx.xxx.xxx:443: i/o timeout. Please check your task network configuration.

Here is my network.tf:

resource "aws_security_group" "myProject" {
  name   = "${terraform.workspace}-myProject"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "openSearch" {
  name   = "${terraform.workspace}-opensearch"
  vpc_id = var.vpc_id
}

# ssh
resource "aws_security_group_rule" "ssh_ingress" {
  security_group_id = aws_security_group.myProject.id
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

# OpenSearch: allow HTTPS in from the OpenSearch security group.
# Terraform resource names are case-sensitive; the resource declared above is
# "openSearch", so the reference must use that exact spelling.
resource "aws_security_group_rule" "myProject_ingress_opensearch" {
  type                     = "ingress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  security_group_id        = aws_security_group.myProject.id
  source_security_group_id = aws_security_group.openSearch.id
}

# Outbound HTTPS only (the ECR API and registry are both reached on 443).
resource "aws_security_group_rule" "myProject_egress" {
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.myProject.id
}

Am I missing something? I'm new to terraform and aws, please help me, thank you all.

How do I write a correct network.tf?

amazon-web-services networking terraform amazon-ecs
1 Answer

0 votes

It looks like the problem is with your subnets. Your ECS cluster is deployed in a private subnet, so to reach ECR from a private subnet you have 2 options: add a NAT gateway for the private subnet, or add VPC endpoints for ECR.

An example vpc_with_nat.tf:

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_subnet" "public" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
}

resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.2.0/24"
}

resource "aws_internet_gateway" "gw" {
  vpc_id = aws_vpc.main.id
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.gw.id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

# Elastic IP for the NAT gateway. `domain = "vpc"` replaces the older
# `vpc = true` argument, which the AWS provider deprecated in v5.
resource "aws_eip" "nat" {
  domain = "vpc"
}

# The NAT gateway lives in the public subnet so it can reach the internet
# gateway; the explicit depends_on makes sure the IGW exists first.
resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id

  depends_on = [aws_internet_gateway.gw]
}

# This default route is what the private subnet is missing in the question:
# without it, the task's connection to api.ecr.<region>.amazonaws.com:443
# has nowhere to go and times out.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id

  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}
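The answer names VPC endpoints as the second option but only shows the NAT gateway. The following is an added example of that second option; it is not part of the original question or answer. It assumes the answer's `aws_vpc.main`, `aws_subnet.private` and `aws_route_table.private`, and the question's `aws_security_group.myProject` as the security group attached to the ECS tasks; the region value is constructed to match the host in the error message.

```hcl
# Added example (not from the original post): reach ECR through VPC endpoints
# instead of a NAT gateway, so image pulls never leave the AWS network.

locals {
  # Constructed value; matches api.ecr.ap-southeast-1.amazonaws.com in the error.
  region = "ap-southeast-1"
}

# Security group for the interface endpoints. Only the task security group may
# reach them on 443, so nothing else in the VPC can use the endpoints.
resource "aws_security_group" "vpc_endpoints" {
  name   = "${terraform.workspace}-vpc-endpoints"
  vpc_id = aws_vpc.main.id
}

resource "aws_security_group_rule" "vpc_endpoints_ingress_https" {
  type                     = "ingress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  security_group_id        = aws_security_group.vpc_endpoints.id
  source_security_group_id = aws_security_group.myProject.id
}

# ecr.api is the host in the error message; the ECS agent calls it to obtain
# the registry authorization token before pulling.
resource "aws_vpc_endpoint" "ecr_api" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${local.region}.ecr.api"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.private.id]
  security_group_ids  = [aws_security_group.vpc_endpoints.id]
  private_dns_enabled = true
}

# ecr.dkr serves the Docker registry API used for the pull itself.
resource "aws_vpc_endpoint" "ecr_dkr" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${local.region}.ecr.dkr"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.private.id]
  security_group_ids  = [aws_security_group.vpc_endpoints.id]
  private_dns_enabled = true
}

# Image layers are downloaded from S3. A gateway endpoint attaches to the
# private route table rather than to a subnet and has no hourly charge.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${local.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]
}

# Needed when the task definition uses the awslogs log driver, which the ECS
# agent must also reach while starting the task.
resource "aws_vpc_endpoint" "logs" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${local.region}.logs"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.private.id]
  security_group_ids  = [aws_security_group.vpc_endpoints.id]
  private_dns_enabled = true
}
```

Two things to check before applying. `private_dns_enabled` on an interface endpoint requires `enable_dns_support` and `enable_dns_hostnames` to be `true` on `aws_vpc.main`; the answer's VPC leaves `enable_dns_hostnames` at its default of `false`, so set both or the apply fails. And if the task definition pulls secrets from Secrets Manager or SSM Parameter Store (the same "unable to pull secrets or registry auth" error covers that path), those services need their own interface endpoints as well. Once the endpoints are in place the `0.0.0.0/0` route to the NAT gateway can be dropped from `aws_route_table.private`, which leaves the tasks with no route to the internet at all; the question's 443 egress rule on `aws_security_group.myProject` still suffices, because the endpoint network interfaces sit inside the VPC.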
