Amazon ECS

In the Amazon ECS cloud provider, an Account maps to a Spinnaker AWS account, which itself is able to authenticate against a given AWS account.

Prerequisites

Amazon ECS cluster

You need to create an Amazon ECS cluster. If using the ‘EC2’ launch type, this cluster must have enough EC2 instance capacity in it to deploy your containers. If using the ‘Fargate’ launch type, you don’t need to add any capacity to this cluster.

Networking

If using the ‘awsvpc’ networking mode (required for the ‘Fargate’ launch type), you need a VPC with at least one subnet group and security group visible in Spinnaker.

If using other networking modes like ‘bridge’, you don’t need to setup any further networking. The cluster’s networking configuration will be passed from your cluster’s EC2 instances to your containers.

Spinnaker Clouddriver role

The role that Clouddriver assumes for your Amazon ECS account needs to have the trust relationship below for your Spinnaker IAM assumed role. For information on how to set up the role Clouddriver assumes, see the AWS documentation For information on how to modify IAM roles in the AWS console, see the AWS documentation

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
                "Service": [
                  "ecs.amazonaws.com",
                  "application-autoscaling.amazonaws.com"
                ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Optional: IAM Roles for Tasks

You can create IAM roles that have the ecs-tasks.amazonaws.com trust relationship so that your containers have an IAM role associated to them. For information on how to modify IAM roles in the AWS console, see the AWS documentation

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Optional: Service Auto Scaling

You can configure your Amazon ECS services to use Service Auto Scaling. Service Auto Scaling policies adjust your Amazon ECS service’s desired count up or down in response to CloudWatch alarms (e.g. tracking the CPU utilization of an Amazon ECS service, or tracking a custom metric) or on a schedule (e.g. scale up on Monday, scale down on Friday).

Configure scaling policies on your Amazon ECS services using the Application Auto Scaling APIs or in the Amazon ECS console, outside of Spinnaker. When deploying a new server group in Spinnaker, you can copy these scaling policies from the previous service group by enabling the “copy the previous server group’s autoscaling policies” option.

Halyard

Example command:

hal config provider ecs account add ecs-account-name --aws-account aws-account-name

In the above example, ecs-account-name is the name of the Amazon ECS account, and aws-account-name is the name of a previously added, valid AWS account. Do note that the Amazon ECS account will use credentials from the corresponding AWS account.

Enable ECS Provider

Make sure that the AWS Provider is already enabled. Proceed to enable the ECS Provider with halyard

hal config provider ecs enable

Clouddriver yaml properties

If you are not using Halyard, then you must declare Amazon ECS accounts and map them to a given AWS account by its name. Below is an example snippet you can put in clouddriver.yml or clouddriver-local.yml:

aws:
  enabled: true

  accounts:
    - name: aws-account-name
      accountId: "123456789012"
      regions:
        - name: us-east-1
  defaultAssumeRole: role/SpinnakerManaged

ecs:
  enabled: true
  accounts:
    - name: ecs-account-name
      awsAccount: aws-account-name

Next steps

Optionally, you can set up another cloud provider, but otherwise you’re ready to choose an environment in which to install Spinnaker.