WIP Terraform infrastructure #84
base: master
I have used this method for injecting credentials into the environment and it is very convenient, and you get to see pretty easily what the environment looks like without getting into the docker environment. We might not be comfortable with that, as it almost feels like we are just leaving credentials around, but I don't see a huge problem with it as long as we have our ducks in a row. There are a ton of ways to get ENV vars in there though. I've heard of people storing the creds in a secure S3 bucket that only the ECS service has access to, and the base docker image they use runs a script on startup to fetch them. Or we could just bake them into the docker image itself. I'm sure there are more ways, but none are as easy as just throwing them in the task definition, I think. We could also experiment with no credentials at all. I haven't messed with it at all, but RDS supports using IAM users/roles as actual database users. (announcement)
@tskinn do you think it's better to bake them into the docker image and have different images for different environments? Or to leave them as env variables? Or something else?
I tried baking them into images but I liked adding them as env vars in the task definition better. One of the reasons for that was that if there is a mistake in the env var, then redeploying doesn't involve baking a new image or something; it's just a config change that can be made and deployed in a minute.
@tskinn does my current approach here allow for all that?
@RobAWilkinson yep!
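Editor's added example, not part of this PR or any commenter's code: a small audit that lists which container environment entries in an ECS task definition carry credentials in plaintext, since anything under `environment` is readable by whoever can describe the task definition. The sample task definition, the name patterns and the `audit_task_definition` helper are constructed for illustration; `secrets`/`valueFrom` is the ECS task definition field that stores only a reference to an SSM Parameter Store or Secrets Manager value.

```python
import json
import re

# Constructed sample: a minimal ECS task definition (not the one from this PR).
SAMPLE_TASK_DEF = json.loads("""
{
  "family": "example-app",
  "containerDefinitions": [
    {
      "name": "web",
      "image": "nginx:latest",
      "environment": [
        {"name": "RAILS_ENV", "value": "production"},
        {"name": "DATABASE_PASSWORD", "value": "constructed-sample-value"},
        {"name": "DATABASE_URL", "value": "postgres://app:constructed@db.example.internal/app"}
      ],
      "secrets": [
        {"name": "API_TOKEN", "valueFrom": "arn:aws:ssm:us-east-1:111122223333:parameter/example/api_token"}
      ]
    }
  ]
}
""")

# Heuristics (assumptions): names that usually hold credentials, and URLs with user:pass@.
SENSITIVE_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY|CREDENTIAL)", re.I)
URL_WITH_CREDS = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)

def audit_task_definition(task_def):
    """Return (container, variable, reason) for each plaintext credential found."""
    findings = []
    for container in task_def.get("containerDefinitions", []):
        for env in container.get("environment", []):
            name, value = env.get("name", ""), env.get("value", "")
            if URL_WITH_CREDS.match(value):
                findings.append((container["name"], name, "URL embeds user:password"))
            elif SENSITIVE_NAME.search(name) and value:
                findings.append((container["name"], name, "credential-like name in plaintext"))
        # Entries under "secrets" hold only a reference (valueFrom), so they are not flagged.
    return findings

if __name__ == "__main__":
    for container, name, reason in audit_task_definition(SAMPLE_TASK_DEF):
        print(f"{container}: {name}: {reason}")
```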
bump
Added some notes on how to run a one-off command as a single task within ECS, and how to view CloudWatch logs. Infrastructure is all created and loaded.
Background
In order to deploy this to AWS we need to have some infrastructure set up. This PR includes infra to create a Fargate cluster, a task definition and an RDS DB that it can talk to.
Issue Resolved
Issue #36
Definition of Done
I have tested this with an nginx image and it is publicly accessible via the ALB.
TODO