(aws-ecs-patterns): ECS Exec Support #15197

Closed
ghost opened this issue Jun 18, 2021 · 9 comments
Labels
@aws-cdk/aws-ecs-patterns Related to ecs-patterns library effort/small Small work item – less than a day of effort feature/enhancement A new API to make things easier or more intuitive. A catch-all for general feature requests. feature-request A feature should be added or improved. p1

Comments

@ghost

ghost commented Jun 18, 2021

Add ECS Exec Support to the higher level constructs in ecs-patterns

Use Case

As a user, I want to set the flag enableExecuteCommand: true in my aws-ecs-patterns.ApplicationLoadBalancedFargateService construct.

Proposed Solution

This is currently possible with the ecs module but not the ecs-patterns (see https://docs.aws.amazon.com/cdk/api/latest/docs/aws-ecs-readme.html#ecs-exec-command)

Relevant PRs: #13618
#14670

Solution would be to enable this flag in the higher level ecs-patterns constructs as well.


This is a 🚀 Feature Request

@ghost ghost added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jun 18, 2021
@github-actions github-actions bot added the @aws-cdk/aws-ecs Related to Amazon Elastic Container label Jun 18, 2021
@github-actions github-actions bot added the @aws-cdk/aws-ecs-patterns Related to ecs-patterns library label Jun 18, 2021
@ghost
Author

ghost commented Jun 18, 2021

FYI, I found a workaround using Escape Hatches https://docs.aws.amazon.com/cdk/latest/guide/cfn_layer.html

My workaround is (Python) :

    # Escape hatch: reach the underlying CfnService and override the raw CloudFormation property
    cfn_service = self.web_service.service.node.default_child
    cfn_service.add_override("Properties.EnableExecuteCommand", True)

@peterwoodworth peterwoodworth added effort/small Small work item – less than a day of effort p2 feature/enhancement A new API to make things easier or more intuitive. A catch-all for general feature requests. and removed @aws-cdk/aws-ecs Related to Amazon Elastic Container needs-triage This issue or PR still needs to be triaged. labels Jun 18, 2021
@madeline-k madeline-k removed their assignment Jun 23, 2021
@danwiltshire
Contributor

@xavierbuspatrol Did you create other resources manually such as the IAM policy for ssmmessages, etc?

@richardnagle

richardnagle commented Jun 28, 2021

@danwiltshire I've got this, it's C# but hopefully will help:

        private static void EnableECSExec(ApplicationLoadBalancedFargateService service)
        {
            ((IConstruct) service.Service).Node.Children.OfType<CfnService>().First().EnableExecuteCommand = true;

            Permissions.ForRole(service.TaskDefinition.TaskRole)
                .GrantForAllResource("ssmmessages:CreateControlChannel")
                .GrantForAllResource("ssmmessages:CreateDataChannel")
                .GrantForAllResource("ssmmessages:OpenControlChannel")
                .GrantForAllResource("ssmmessages:OpenDataChannel");
        }

        private void EnableECSExecLogging(ApplicationLoadBalancedFargateService service)
        {
            var execLogs = new LogGroup(this, "ECSExecLogs", new LogGroupProps
            {
                LogGroupName = "ECS-Execute-Logs",
                Retention = RetentionDays.TWO_YEARS
            });

            service.Cluster.Node.Children.OfType<CfnCluster>().First().Configuration = new CfnCluster.ClusterConfigurationProperty
            {
                ExecuteCommandConfiguration = new CfnCluster.ExecuteCommandConfigurationProperty
                {
                    Logging = "OVERRIDE",
                    LogConfiguration = new CfnCluster.ExecuteCommandLogConfigurationProperty
                    {
                        CloudWatchLogGroupName = execLogs.LogGroupName
                    }
                }
            };

            Permissions.ForRole(service.TaskDefinition.TaskRole)
                .GrantForAllResource("logs:DescribeLogGroups")
                .Grant("logs:CreateLogStream", execLogs.LogGroupArn)
                .Grant("logs:DescribeLogStreams", execLogs.LogGroupArn)
                .Grant("logs:PutLogEvents", execLogs.LogGroupArn);
        }

@mzizzi

mzizzi commented Jul 11, 2021

Working on this one in #15497

Apologies for not giving a heads up ahead of time. I found this issue after working on a patch.

@camharris

Here's how I handled this in TypeScript, maybe it's helpful for others. I added the AWS managed policy for ssmmessages.

        const ecsDeployment = new ecs_patterns.ApplicationLoadBalancedFargateService(this, 'EcsPattern', {
          ....
        });

        // Add the policy needed for EnableExecuteCommand
        ecsDeployment.taskDefinition.taskRole.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore'))

        // Use escape hatch to add EnableExecuteCommand to the CloudFormation template
        const cfnService = ecsDeployment.service.node.defaultChild as ecs.CfnService;
        cfnService.addPropertyOverride('EnableExecuteCommand', true)
 

@wyjiao

wyjiao commented Aug 27, 2021

> Here's how I handled this in TypeScript, maybe it's helpful for others. I added the AWS managed policy for ssmmessages.
>
>         const ecsDeployment = new ecs_patterns.ApplicationLoadBalancedFargateService(this, 'EcsPattern', {
>           ....
>         });
>
>         // Add the policy needed for EnableExecuteCommand
>         ecsDeployment.taskDefinition.taskRole.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore'))
>
>         // Use escape hatch to add EnableExecuteCommand to the CloudFormation template
>         const cfnService = ecsDeployment.service.node.defaultChild as ecs.CfnService;
>         cfnService.addPropertyOverride('EnableExecuteCommand', true)
 

You can do "cfnService.enableExecuteCommand = true;" instead of addPropertyOverride since CloudFormation already supports the feature. This gives more type safety.

@kpeters-cbsi

I tried this with QueueProcessingFargateService and got TypeError: Cannot set property 'enableExecuteCommand' of undefined

b0rked code:

   const service = new QueueProcessingFargateService(this, 'Service', {
       ....
   });
   // Kludge to enable execute command on this service
   const cfnService = service.node.defaultChild as CfnService
   cfnService.addPropertyOverride('EnableExecuteCommand', true) // barfs; cfnService is undefined

What I ended up having to do was find the FargateService instance and do node.defaultChild on that. Viz:

    const service = new QueueProcessingFargateService(this, 'Service', {
        ....
    });
    // Kludge to enable execute command on this service
    const fargateService = service.node.children.filter(
      (child) => child.constructor.name === 'FargateService'
    )[0] as FargateService
    const cfnService = fargateService.node.defaultChild as CfnService
    cfnService.enableExecuteCommand = true
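
Added example, not part of any comment in this thread and not aws-cdk code: a TypeScript check over the synthesized CloudFormation template (`cdk synth` output) that reports, per `AWS::ECS::Service`, whether `EnableExecuteCommand` actually landed, which of the four `ssmmessages` actions the task role lacks, and whether the cluster routes exec logs with `Logging: OVERRIDE`. The `CfnTemplate`/`ExecReport` types, the function names and the sample template are constructed for illustration; it assumes the role, task definition and cluster are in the same template and linked by `Ref`/`Fn::GetAtt`.

```typescript
// Added example (not from the thread): audit `cdk synth` output for ECS Exec prerequisites.
type Res = { Type: string; Properties?: any };
type CfnTemplate = { Resources: Record<string, Res> };
type ExecReport = { service: string; execEnabled: boolean; missingActions: string[]; dedicatedLogging: boolean };

const EXEC_ACTIONS = ["CreateControlChannel", "CreateDataChannel", "OpenControlChannel", "OpenDataChannel"].map((a) => `ssmmessages:${a}`);
const asArray = (v: any): any[] => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Actions allowed by the AWS::IAM::Policy resources attached to the given role.
function allowedActions(t: CfnTemplate, roleId: string): string[] {
  const out: string[] = [];
  Object.keys(t.Resources).forEach((id) => {
    const r = t.Resources[id];
    if (r.Type !== "AWS::IAM::Policy") return;
    if (!asArray(r.Properties?.Roles).some((x) => x?.Ref === roleId)) return;
    asArray(r.Properties?.PolicyDocument?.Statement).forEach((s) => {
      if (s.Effect === "Allow") out.push(...asArray(s.Action));
    });
  });
  return out;
}

function auditEcsExec(t: CfnTemplate): ExecReport[] {
  return Object.keys(t.Resources)
    .filter((id) => t.Resources[id].Type === "AWS::ECS::Service")
    .map((service) => {
      const p = t.Resources[service].Properties ?? {};
      const taskDef = t.Resources[p.TaskDefinition?.Ref];
      const allowed = allowedActions(t, taskDef?.Properties?.TaskRoleArn?.["Fn::GetAtt"]?.[0]);
      const has = (a: string) => [a, "ssmmessages:*", "*"].some((g) => allowed.indexOf(g) >= 0);
      const exec = t.Resources[p.Cluster?.Ref]?.Properties?.Configuration?.ExecuteCommandConfiguration;
      return {
        service,
        execEnabled: p.EnableExecuteCommand === true, // false when the override never reached the CfnService
        missingActions: EXEC_ACTIONS.filter((a) => !has(a)),
        dedicatedLogging: exec?.Logging === "OVERRIDE" && exec?.LogConfiguration !== undefined,
      };
    });
}

// Constructed sample: flag applied, two of four actions granted, no cluster exec configuration.
const sample: CfnTemplate = { Resources: {
  Cluster: { Type: "AWS::ECS::Cluster" },
  TaskRole: { Type: "AWS::IAM::Role" },
  TaskRolePolicy: { Type: "AWS::IAM::Policy", Properties: { Roles: [{ Ref: "TaskRole" }], PolicyDocument: {
    Statement: [{ Effect: "Allow", Resource: "*", Action: ["ssmmessages:CreateControlChannel", "ssmmessages:OpenControlChannel"] }] } } },
  TaskDef: { Type: "AWS::ECS::TaskDefinition", Properties: { TaskRoleArn: { "Fn::GetAtt": ["TaskRole", "Arn"] } } },
  Service: { Type: "AWS::ECS::Service", Properties: { EnableExecuteCommand: true, Cluster: { Ref: "Cluster" }, TaskDefinition: { Ref: "TaskDef" } } },
} };
console.log(JSON.stringify(auditEcsExec(sample), null, 2));
```

Permissions that come from managed policies (`ManagedPolicyArns` on the role) are not expanded, so a task role that relies on one is reported with all four actions missing and needs a manual look.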

@rix0rrr rix0rrr added p1 and removed p2 labels Mar 16, 2022
mergify bot pushed a commit that referenced this issue Jun 13, 2022
Fixes #15769, #15197
Supersedes #15497 by implementing the change for all patterns.
This PR implements support for ECS Exec in all ecs-patterns services.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@TheRealAmazonKendra
Contributor

Closed by #18663.


daschaa pushed a commit to daschaa/aws-cdk that referenced this issue Jul 9, 2022
Fixes aws#15769, aws#15197
Supersedes aws#15497 by implementing the change for all patterns.
This PR implements support for ECS Exec in all ecs-patterns services.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*