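When running terraform apply, it creates the cluster, the service and the EC2 instance. But the registered container instances count is 0 and the running tasks count is 0.
I tried changing ecs.amazonaws.com to ec2.amazonaws.com, but it throws an error:
aws_ecs_service.nginx: InvalidParameterException: Unable to assume role and validate the listeners configured on your load balancer. Please verify that the ECS service role being passed has the proper permissions.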
provider "aws" {
  region = "us-east-1"
}

resource "aws_ecs_cluster" "demo" {
  name = "demo"
}

resource "aws_iam_role" "ecs_elb" {
  name = "ecs-elb"

  assume_role_policy = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_policy_attachment" "ecs_elb" {
  name       = "ecs_elb"
  roles      = ["${aws_iam_role.ecs_elb.id}"]
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole"
}

resource "aws_launch_configuration" "ecs_instance" {
  name_prefix   = "ecs-instance-"
  instance_type = "t2.micro"
  image_id      = "ami-4fffc834"
}

resource "aws_autoscaling_group" "ecs_cluster_instances" {
  availability_zones   = ["us-east-1a"]
  name                 = "ecs-cluster-instances"
  min_size             = 1
  max_size             = 1
  launch_configuration = "${aws_launch_configuration.ecs_instance.name}"
}

resource "aws_ecs_task_definition" "nginx" {
  family = "nginx"

  container_definitions = <<EOF
[{
  "name": "nginx",
  "image": "nginx",
  "cpu": 1024,
  "memory": 768,
  "essential": true,
  "portMappings": [{"containerPort":80, "hostPort":80}]
}]
EOF
}

resource "aws_ecs_service" "nginx" {
  name            = "nginx"
  cluster         = "${aws_ecs_cluster.demo.id}"
  task_definition = "${aws_ecs_task_definition.nginx.arn}"
  desired_count   = 1
  iam_role        = "${aws_iam_role.ecs_elb.arn}"

  load_balancer {
    elb_name       = "${aws_elb.nginx.id}"
    container_name = "nginx"
    container_port = 80
  }
}

resource "aws_elb" "nginx" {
  availability_zones = ["us-east-1a"]
  name               = "nginx"

  listener {
    lb_port           = 80
    lb_protocol       = "http"
    instance_port     = 80
    instance_protocol = "http"
  }
}
Answer 0 (score: 1)
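To troubleshoot ECS issues, you can follow these steps.
nginx, check whether any tasks are in pending status. If you see that, there are usually a lot of stopped tasks. That means the container is not healthy.
Click the service name, then Events, and check for any error events that help you troubleshoot.
Click ECS instances, if there are any instances in the list. If not, it means no EC2 instance has successfully registered to the ECS cluster.
If you use the AWS ECS AMI, it should be fine. But if you use your own AMI, you need to add the following userdata script: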
ECS-userdata.tpl
#!/bin/bash
echo "ECS_CLUSTER=${ecs_cluster_name}" >> /etc/ecs/ecs.config
Update the terraform code:
data "template_file" "ecs_user_data" {
  # Render the user-data template, substituting the cluster name
  template = "${file("ecs-userdata.tpl")}"

  vars {
    ecs_cluster_name = "${var.ecs_cluster_name}"
  }
}

resource "aws_launch_configuration" "demo" {
  ...
  user_data = "${data.template_file.ecs_user_data.rendered}"
  ...
}
First add the following resource.
resource "aws_cloudwatch_log_group" "app_logs" {
  name              = "demo"
  retention_in_days = 14
}
Then add the following code to the task definition.
"logConfiguration": {
  "logDriver": "awslogs",
  "options": {
    "awslogs-group": "${aws_cloudwatch_log_group.app_logs.name}",
    "awslogs-region": "${var.region}"
  }
},
After applying the change, go to CloudWatch, Logs, to check whether there are any error logs.
["ecs.amazonaws.com", "ec2.amazonaws.com"]
"Principal": {
"Service": ["ecs.amazonaws.com", "ec2.amazonaws.com"]
},
Hope these steps are helpful for you. Further reading:
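Answer 1 (score: 0)
Here are a few things to check in the AWS Console:
Make sure you are using Amazon ECS-optimized AMIs.
Basically, once you log in to these instances as root, they should have the start ecs command.
Terraform example: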
data "aws_ami" "ecs_ami" {
  most_recent = true
  owners      = ["amazon"]

  filter {
    name   = "name"
    values = ["amzn-ami-*-amazon-ecs-optimized"]
  }
}
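Check that the EC2 instances have launched.
Check that the ECS agent is running on the EC2 instances.
Log in to the EC2 instance as root.
docker ps, and check whether the ecs-agent container is running.
start ecs or restart ecs to start it manually.
Note: if you don't have the docker, start or restart commands, you are not using an ECS-optimized AMI.
When the instances are terminated.
in the /etc/ecs/ecs.config ECS configuration file. Then start the ECS agent (start ecs).
tail -f /var/log/ecs/*).
Once the instances are running the ECS agent, make sure they are assigned to the right cluster. For example: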
root# cat /etc/ecs/ecs.config
ECS_CLUSTER=demo
Note the IAM role of the running EC2 instances, then make sure the AmazonEC2ContainerServiceforEC2Role policy is attached to that role.
In the Trust relationships tab of that cluster role, make sure the EC2 provider is granted access to the role. Example role trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Terraform example:
data "aws_iam_policy_document" "instance" {
  provider = "aws.auto-scale-group"

  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}
See: How do I find the cause of an EC2 autoscaling group "health check" failure? (no load balancer involved).
You also need aws_iam_instance_profile and aws_iam_role, e.g.
resource "aws_iam_instance_profile" "instance" {
  provider = "aws.auto-scale-group"
  name     = "myproject-profile-instance"
  role     = "${aws_iam_role.instance.name}"

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_iam_role" "instance" {
  provider           = "aws.auto-scale-group"
  name               = "myproject-role"
  path               = "/"
  assume_role_policy = "${data.aws_iam_policy_document.instance.json}"

  lifecycle {
    create_before_destroy = true
  }
}
Now your cluster should be ready to go.