empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-06 17:05:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
e064b58724
fleet/infrastructure/dogfood/terraform/aws/ecs.tf

374 lines
11 KiB
Terraform
Raw Normal View History

refactor terraform to allow bootstrapping (#2662) * refactor to allow bootstrapping* move monitoring into its own package, update readme * add variable for license_key * replication lag alarm less sensitive
2021-11-10 01:14:05 +00:00
data "aws_region" "current" {}
resource "aws_route53_record" "record" {
name = "fleet-alb-${terraform.workspace}"
type = "A"
zone_id = aws_route53_zone.dogfood_fleetdm_com.zone_id
alias {
evaluate_target_health = false
name = aws_alb.main.dns_name
zone_id = aws_alb.main.zone_id
}
}
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
resource "aws_alb" "main" {
First batch of tf security improvements (#4798)
2022-03-30 17:24:30 +00:00
// Exposed to the Internet by design
internal = false #tfsec:ignore:aws-elb-alb-not-public
security_groups = [aws_security_group.lb.id, aws_security_group.backend.id]
subnets = module.vpc.public_subnets
idle_timeout = 120
name = "fleetdm"
Update ecs.tf (#4775) Adding feature to drop invalid headers at LB level. This closes #4774
2022-03-24 19:00:31 +00:00
drop_invalid_header_fields = true
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
}
resource "aws_alb_target_group" "main" {
name = "fleetdm"
protocol = "HTTP"
target_type = "ip"
port = "8080"
vpc_id = module.vpc.vpc_id
deregistration_delay = 30
load_balancing_algorithm_type = "least_outstanding_requests"
health_check {
path = "/healthz"
matcher = "200"
timeout = 10
interval = 15
healthy_threshold = 5
unhealthy_threshold = 5
}
depends_on = [aws_alb.main]
}
resource "aws_alb_listener" "https-fleetdm" {
load_balancer_arn = aws_alb.main.arn
port = 443
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2019-08"
certificate_arn = aws_acm_certificate_validation.dogfood_fleetdm_com.certificate_arn
default_action {
target_group_arn = aws_alb_target_group.main.arn
type = "forward"
}
}
resource "aws_alb_listener" "http" {
load_balancer_arn = aws_alb.main.arn
port = "80"
protocol = "HTTP"
default_action {
type = "redirect"
redirect {
port = "443"
protocol = "HTTPS"
status_code = "HTTP_301"
}
}
}
resource "aws_ecs_cluster" "fleet" {
name = "${var.prefix}-backend"
setting {
name = "containerInsights"
value = "enabled"
}
}
resource "aws_ecs_service" "fleet" {
name = "fleet"
launch_type = "FARGATE"
cluster = aws_ecs_cluster.fleet.id
task_definition = aws_ecs_task_definition.backend.arn
Add infra for loadtest (#2218) * Add infra for loadtest * Move loadtest stuff to a new file and parametrize fleet min/max capacity * wip * wip * wip * wip * wip * wip * wip * Update to be ready for review * Update link and other variables needed * Address review comments and update links
2021-10-14 15:04:27 +00:00
desired_count = 5
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
deployment_minimum_healthy_percent = 100
deployment_maximum_percent = 200
health_check_grace_period_seconds = 30
load_balancer {
target_group_arn = aws_alb_target_group.main.arn
container_name = "fleet"
container_port = 8080
}
Add Cloudwatch monitoring to AWS Terraform configs (#2485) * add support for minio backend file carving * add changes file * rds alarm and sns topic * added cloudwatch alarm documenation * Update docs/01-Using-Fleet/06-Monitoring-Fleet.md * update aws provider version to fix bug in ecs container insights, add more redis alerts Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2021-10-22 19:38:00 +00:00
// https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service#ignoring-changes-to-desired-count
lifecycle {
ignore_changes = [desired_count]
}
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
network_configuration {
subnets = module.vpc.private_subnets
security_groups = [aws_security_group.backend.id]
}
depends_on = [aws_alb_listener.http, aws_alb_listener.https-fleetdm]
}
First batch of tf security improvements (#4798)
2022-03-30 17:24:30 +00:00
// Customer keys are not supported in our Fleet Terraforms at the moment. We will evaluate the
// possibility of providing this capability in the future.
resource "aws_cloudwatch_log_group" "backend" { #tfsec:ignore:aws-cloudwatch-log-group-customer-key:exp:2022-07-01
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
name = "fleetdm"
add tf vars for cloudwatch log retention & rds snapshot backup retention (#6532) * add tf vars for cloudwatch log retention & rds snapshot backup retention, update github workflow to deploy new dogfood configurations for new tf vars * typo and tf fmt
2022-07-11 19:30:36 +00:00
retention_in_days = var.cloudwatch_log_retention
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
}
resource "aws_ecs_task_definition" "backend" {
family = "fleet"
network_mode = "awsvpc"
requires_compatibilities = ["FARGATE"]
execution_role_arn = aws_iam_role.main.arn
task_role_arn = aws_iam_role.main.arn
Add infra for loadtest (#2218) * Add infra for loadtest * Move loadtest stuff to a new file and parametrize fleet min/max capacity * wip * wip * wip * wip * wip * wip * wip * Update to be ready for review * Update link and other variables needed * Address review comments and update links
2021-10-14 15:04:27 +00:00
cpu = var.fleet_backend_cpu
memory = var.fleet_backend_mem
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
container_definitions = jsonencode(
[
{
name = "fleet"
Add infra for loadtest (#2218) * Add infra for loadtest * Move loadtest stuff to a new file and parametrize fleet min/max capacity * wip * wip * wip * wip * wip * wip * wip * Update to be ready for review * Update link and other variables needed * Address review comments and update links
2021-10-14 15:04:27 +00:00
image = var.fleet_image
cpu = var.fleet_backend_cpu
memory = var.fleet_backend_mem
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
mountPoints = []
volumesFrom = []
essential = true
portMappings = [
{
# This port is the same that the contained application also uses
containerPort = 8080
protocol = "tcp"
}
]
networkMode = "awsvpc"
logConfiguration = {
logDriver = "awslogs"
options = {
awslogs-group = aws_cloudwatch_log_group.backend.name
awslogs-region = data.aws_region.current.name
awslogs-stream-prefix = "fleet"
}
},
Configure nofiles ulimit in Terraform ECS task (#3249) The low default ulimit `nofiles` value (`4096`) in Fargate was observed to cause errors when running with a large number of hosts and a small number of servers. Each server should be able to server more than 4096 simultaneous clients.
2021-12-08 23:08:48 +00:00
ulimits = [
{
name = "nofile"
softLimit = 999999
hardLimit = 999999
}
],
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
secrets = [
{
name = "FLEET_MYSQL_PASSWORD"
valueFrom = aws_secretsmanager_secret.database_password_secret.arn
},
{
name = "FLEET_MYSQL_READ_REPLICA_PASSWORD"
valueFrom = aws_secretsmanager_secret.database_password_secret.arn
}
]
environment = [
{
name = "FLEET_MYSQL_USERNAME"
Feature/infra updates (#2183) * complete terraform state migration * split firehose results & status streams * extract more variables, with sane defaults * fix fargate configs
2021-09-30 20:22:34 +00:00
value = var.database_user
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
},
{
name = "FLEET_MYSQL_DATABASE"
Feature/infra updates (#2183) * complete terraform state migration * split firehose results & status streams * extract more variables, with sane defaults * fix fargate configs
2021-09-30 20:22:34 +00:00
value = var.database_name
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
},
{
name = "FLEET_MYSQL_ADDRESS"
value = "${module.aurora_mysql.rds_cluster_endpoint}:3306"
},
{
name = "FLEET_MYSQL_READ_REPLICA_USERNAME"
Feature/infra updates (#2183) * complete terraform state migration * split firehose results & status streams * extract more variables, with sane defaults * fix fargate configs
2021-09-30 20:22:34 +00:00
value = var.database_user
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
},
{
name = "FLEET_MYSQL_READ_REPLICA_DATABASE"
Feature/infra updates (#2183) * complete terraform state migration * split firehose results & status streams * extract more variables, with sane defaults * fix fargate configs
2021-09-30 20:22:34 +00:00
value = var.database_name
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
},
{
name = "FLEET_MYSQL_READ_REPLICA_ADDRESS"
value = "${module.aurora_mysql.rds_cluster_reader_endpoint}:3306"
},
{
name = "FLEET_REDIS_ADDRESS"
value = "${aws_elasticache_replication_group.default.primary_endpoint_address}:6379"
},
First batch of tf security improvements (#4798)
2022-03-30 17:24:30 +00:00
{
name = "FLEET_REDIS_USE_TLS"
value = "true"
},
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
{
name = "FLEET_FIREHOSE_STATUS_STREAM"
Feature/infra updates (#2183) * complete terraform state migration * split firehose results & status streams * extract more variables, with sane defaults * fix fargate configs
2021-09-30 20:22:34 +00:00
value = aws_kinesis_firehose_delivery_stream.osquery_status.name
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
},
{
name = "FLEET_FIREHOSE_RESULT_STREAM"
Feature/infra updates (#2183) * complete terraform state migration * split firehose results & status streams * extract more variables, with sane defaults * fix fargate configs
2021-09-30 20:22:34 +00:00
value = aws_kinesis_firehose_delivery_stream.osquery_results.name
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
},
{
name = "FLEET_FIREHOSE_REGION"
value = data.aws_region.current.name
},
{
name = "FLEET_OSQUERY_STATUS_LOG_PLUGIN"
value = "firehose"
},
{
name = "FLEET_OSQUERY_RESULT_LOG_PLUGIN"
value = "firehose"
},
{
name = "FLEET_SERVER_TLS"
value = "false"
},
{
name = "FLEET_VULNERABILITIES_DATABASES_PATH"
Feature/infra updates (#2183) * complete terraform state migration * split firehose results & status streams * extract more variables, with sane defaults * fix fargate configs
2021-09-30 20:22:34 +00:00
value = var.vuln_db_path
add support for minio backend file carving (#2448) * add support for minio backend file carving * add changes file Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2021-10-12 19:32:06 +00:00
},
Add infra for loadtest (#2218) * Add infra for loadtest * Move loadtest stuff to a new file and parametrize fleet min/max capacity * wip * wip * wip * wip * wip * wip * wip * Update to be ready for review * Update link and other variables needed * Address review comments and update links
2021-10-14 15:04:27 +00:00
{
name = "FLEET_OSQUERY_ENABLE_ASYNC_HOST_PROCESSING"
value = var.async_host_processing
},
{
name = "FLEET_LOGGING_DEBUG"
value = var.logging_debug
},
Add Cloudwatch monitoring to AWS Terraform configs (#2485) * add support for minio backend file carving * add changes file * rds alarm and sns topic * added cloudwatch alarm documenation * Update docs/01-Using-Fleet/06-Monitoring-Fleet.md * update aws provider version to fix bug in ecs container insights, add more redis alerts Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2021-10-22 19:38:00 +00:00
{
refactor terraform to allow bootstrapping (#2662) * refactor to allow bootstrapping* move monitoring into its own package, update readme * add variable for license_key * replication lag alarm less sensitive
2021-11-10 01:14:05 +00:00
name = "FLEET_LOGGING_JSON"
Add Cloudwatch monitoring to AWS Terraform configs (#2485) * add support for minio backend file carving * add changes file * rds alarm and sns topic * added cloudwatch alarm documenation * Update docs/01-Using-Fleet/06-Monitoring-Fleet.md * update aws provider version to fix bug in ecs container insights, add more redis alerts Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2021-10-22 19:38:00 +00:00
value = var.logging_json
},
add support for minio backend file carving (#2448) * add support for minio backend file carving * add changes file Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2021-10-12 19:32:06 +00:00
{
name = "FLEET_S3_BUCKET"
value = aws_s3_bucket.osquery-carve.bucket
},
{
name = "FLEET_S3_PREFIX"
value = "carve_results/"
},
refactor terraform to allow bootstrapping (#2662) * refactor to allow bootstrapping* move monitoring into its own package, update readme * add variable for license_key * replication lag alarm less sensitive
2021-11-10 01:14:05 +00:00
{
name = "FLEET_LICENSE_KEY"
value = var.fleet_license
}
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
]
}
])
}
Feature/infra updates (#2183) * complete terraform state migration * split firehose results & status streams * extract more variables, with sane defaults * fix fargate configs
2021-09-30 20:22:34 +00:00
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
resource "aws_ecs_task_definition" "migration" {
family = "fleet-migrate"
network_mode = "awsvpc"
requires_compatibilities = ["FARGATE"]
execution_role_arn = aws_iam_role.main.arn
task_role_arn = aws_iam_role.main.arn
Feature/infra updates (#2183) * complete terraform state migration * split firehose results & status streams * extract more variables, with sane defaults * fix fargate configs
2021-09-30 20:22:34 +00:00
cpu = var.cpu_migrate
memory = var.mem_migrate
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
container_definitions = jsonencode(
[
{
name = "fleet-prepare-db"
Add infra for loadtest (#2218) * Add infra for loadtest * Move loadtest stuff to a new file and parametrize fleet min/max capacity * wip * wip * wip * wip * wip * wip * wip * Update to be ready for review * Update link and other variables needed * Address review comments and update links
2021-10-14 15:04:27 +00:00
image = var.fleet_image
Feature/infra updates (#2183) * complete terraform state migration * split firehose results & status streams * extract more variables, with sane defaults * fix fargate configs
2021-09-30 20:22:34 +00:00
cpu = var.cpu_migrate
memory = var.mem_migrate
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
mountPoints = []
volumesFrom = []
essential = true
portMappings = [
{
# This port is the same that the contained application also uses
containerPort = 8080
protocol = "tcp"
}
]
networkMode = "awsvpc"
logConfiguration = {
logDriver = "awslogs"
options = {
awslogs-group = aws_cloudwatch_log_group.backend.name
awslogs-region = data.aws_region.current.name
awslogs-stream-prefix = "fleet"
}
},
Feature/infra updates (#2183) * complete terraform state migration * split firehose results & status streams * extract more variables, with sane defaults * fix fargate configs
2021-09-30 20:22:34 +00:00
command = ["fleet", "prepare", "--no-prompt=true", "db"]
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
secrets = [
{
name = "FLEET_MYSQL_PASSWORD"
valueFrom = aws_secretsmanager_secret.database_password_secret.arn
}
]
environment = [
{
name = "FLEET_MYSQL_USERNAME"
Feature/infra updates (#2183) * complete terraform state migration * split firehose results & status streams * extract more variables, with sane defaults * fix fargate configs
2021-09-30 20:22:34 +00:00
value = var.database_user
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
},
{
name = "FLEET_MYSQL_DATABASE"
Feature/infra updates (#2183) * complete terraform state migration * split firehose results & status streams * extract more variables, with sane defaults * fix fargate configs
2021-09-30 20:22:34 +00:00
value = var.database_name
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
},
{
name = "FLEET_MYSQL_ADDRESS"
value = "${module.aurora_mysql.rds_cluster_endpoint}:3306"
},
{
name = "FLEET_REDIS_ADDRESS"
value = "${aws_elasticache_replication_group.default.primary_endpoint_address}:6379"
Feature/infra updates (#2183) * complete terraform state migration * split firehose results & status streams * extract more variables, with sane defaults * fix fargate configs
2021-09-30 20:22:34 +00:00
},
First batch of tf security improvements (#4798)
2022-03-30 17:24:30 +00:00
{
name = "FLEET_REDIS_USE_TLS"
value = "true"
}
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
]
}
])
}
resource "aws_appautoscaling_target" "ecs_target" {
Feature/infra updates (#2183) * complete terraform state migration * split firehose results & status streams * extract more variables, with sane defaults * fix fargate configs
2021-09-30 20:22:34 +00:00
max_capacity = var.fleet_max_capacity
min_capacity = var.fleet_min_capacity
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
resource_id = "service/${aws_ecs_cluster.fleet.name}/${aws_ecs_service.fleet.name}"
scalable_dimension = "ecs:service:DesiredCount"
service_namespace = "ecs"
}
resource "aws_appautoscaling_policy" "ecs_policy_memory" {
name = "fleet-memory-autoscaling"
policy_type = "TargetTrackingScaling"
resource_id = aws_appautoscaling_target.ecs_target.resource_id
scalable_dimension = aws_appautoscaling_target.ecs_target.scalable_dimension
service_namespace = aws_appautoscaling_target.ecs_target.service_namespace
target_tracking_scaling_policy_configuration {
predefined_metric_specification {
predefined_metric_type = "ECSServiceAverageMemoryUtilization"
}
Feature/infra updates (#2183) * complete terraform state migration * split firehose results & status streams * extract more variables, with sane defaults * fix fargate configs
2021-09-30 20:22:34 +00:00
target_value = var.memory_tracking_target_value
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
}
}
resource "aws_appautoscaling_policy" "ecs_policy_cpu" {
name = "fleet-cpu-autoscaling"
policy_type = "TargetTrackingScaling"
resource_id = aws_appautoscaling_target.ecs_target.resource_id
scalable_dimension = aws_appautoscaling_target.ecs_target.scalable_dimension
service_namespace = aws_appautoscaling_target.ecs_target.service_namespace
target_tracking_scaling_policy_configuration {
predefined_metric_specification {
predefined_metric_type = "ECSServiceAverageCPUUtilization"
}
Feature/infra updates (#2183) * complete terraform state migration * split firehose results & status streams * extract more variables, with sane defaults * fix fargate configs
2021-09-30 20:22:34 +00:00
target_value = var.cpu_tracking_target_value
terraform reference arch (#1761) * terraform initial architecture * added ecs autoscaling and https alb listener * add r53 hosted zone, dns cert verification, http -> https redirect * fleet dogfood env dogfood.fleetdm.com now configured, added license key, added readreplica settings, enabled vuln processing * add comment about using RDS serverless option
2021-09-21 18:19:19 +00:00
}
}
Feature/infra updates (#2183) * complete terraform state migration * split firehose results & status streams * extract more variables, with sane defaults * fix fargate configs
2021-09-30 20:22:34 +00:00
output "fleet_ecs_cluster_arn" {
value = aws_ecs_cluster.fleet.arn
}
output "fleet_ecs_cluster_id" {
value = aws_ecs_cluster.fleet.id
Configure nofiles ulimit in Terraform ECS task (#3249) The low default ulimit `nofiles` value (`4096`) in Fargate was observed to cause errors when running with a large number of hosts and a small number of servers. Each server should be able to server more than 4096 simultaneous clients.
2021-12-08 23:08:48 +00:00
}
Reference in New Issue Copy Permalink