I'm trying to bring up a CloudFormation stack to run an ECS service on EC2. My stack creation fails upon creation of the Auto Scaling group and the error in the console Activity tab shows:
Status: Failed
Description: Launching a new EC2 instance. Status Reason: The requested configuration is currently not supported. Please check the documentation for supported configurations. Launching EC2 instance failed.
Cause: At 2020-10-26T23:47:46Z a user request update of AutoScalingGroup constraints to min: 1, max: 1, desired: 1 changing the desired capacity from 0 to 1. At 2020-10-26T23:47:48Z an instance was started in response to a difference between desired and actual capacity, increasing the capacity from 0 to 1.
I have tried to play around with my CFT but with no luck so far.
AWSTemplateFormatVersion: '2010-09-09'
Description: Hhhhhhhhh Feed Services Containers
Parameters:
  VpcId:
    Type: String
  SubnetId:
    Type: String
  ECSCluster:
    Type: String
    Default: dev-ecs
  EcsSecurityGroup:
    Type: String
    Default: sg-74cb7b0c
  FeedServicesSecurityGroup:
    Type: String
    Default: sg-0a695957eec3371bc
  DesiredCount:
    Type: Number
    Default: '1'
  EC2InstanceAMI:
    Type: String
    Default: 'ami-0dba2cb6798deb6d8'
  InstanceType:
    Type: String
    Default: c6g.4xlarge
  KeyName:
    Type: String
    Default: devops
  Color:
    Type: String
    AllowedValues: ['blue', 'green']
    Description: The deployment color
    Default: 'blue'
  XxxRouteTableId:
    Type: String
    Default: rtb-03eeb623aac1c1ccf
Resources:
  YyyXxxLogsGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Join ['-', [/ecs/feed-services-Yyy-Xxx, !Ref Color]]
  YyyStableLogsGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Join ['-', [/ecs/feed-services-Yyy-stable, !Ref Color]]
  ZzzXxxLogsGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Join ['-', [/ecs/feed-services-Zzz-Xxx, !Ref Color]]
  ZzzStableLogsGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Join ['-', [/ecs/feed-services-Zzz-stable, !Ref Color]]
  WwwXxxLogsGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Join ['-', [/ecs/feed-services-Www-Xxx, !Ref Color]]
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: feed-services
      ExecutionRoleArn: arn:aws:iam::xxxxxxxxx:role/ecs-task-execution-role
      TaskRoleArn: !Ref FeedServicesRole
      ContainerDefinitions:
        - Name: feed-services-Yyy-Xxx
          Image: xxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/feed-services/feed-services-Yyy-Xxx
          Essential: True
          Memory: 512
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref YyyXxxLogsGroup
              awslogs-region: us-east-1
              awslogs-stream-prefix: ecs
        - Name: feed-services-Yyy-stable
          Image: xxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/feed-services/feed-services-Yyy-stable
          Essential: True
          Memory: 512
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref YyyStableLogsGroup
              awslogs-region: us-east-1
              awslogs-stream-prefix: ecs
        - Name: feed-services-Zzz-Xxx
          Image: xxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/feed-services/feed-services-Zzz-Xxx
          Essential: True
          Memory: 8192
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref ZzzXxxLogsGroup
              awslogs-region: us-east-1
              awslogs-stream-prefix: ecs
        - Name: feed-services-Zzz-stable
          Image: xxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/feed-services/feed-services-Zzz-stable
          Essential: True
          Memory: 512
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref ZzzStableLogsGroup
              awslogs-region: us-east-1
              awslogs-stream-prefix: ecs
        - Name: feed-services-Www-Xxx
          Image: xxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/feed-services/feed-services-Www-Xxx
          Essential: True
          Memory: 512
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref WwwXxxLogsGroup
              awslogs-region: us-east-1
              awslogs-stream-prefix: ecs
      NetworkMode: awsvpc
  FeedServicesRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: ['ec2.amazonaws.com']
            Action: ['sts:AssumeRole']
      Policies:
        - PolicyName: !Join ['-', [feed-services, !Ref Color, read-secrets]]
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'secretsmanager:ListSecrets'
                  - 'secretsmanager:DescribeSecret'
                  - 'secretsmanager:GetRandomPassword'
                  - 'secretsmanager:GetResourcePolicy'
                  - 'secretsmanager:GetSecretValue'
                  - 'secretsmanager:ListSecretVersionIds'
                Resource: ['arn:aws:secretsmanager:us-east-1:xxxxxxxxx:secret:prod/feed-services']
  ECSAutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      VPCZoneIdentifier: [!Ref SubnetId]
      LaunchConfigurationName: !Ref ContainerInstances
      MinSize: '1'
      MaxSize: '1'
      DesiredCapacity: '1'
    CreationPolicy:
      ResourceSignal:
        Timeout: PT15M
    UpdatePolicy:
      AutoScalingReplacingUpdate:
        WillReplace: 'true'
  ContainerInstances:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      LaunchConfigurationName: !Join ['-', [feed-services, !Ref Color, launch-configuration]]
      AssociatePublicIpAddress: True
      ImageId: !Ref EC2InstanceAMI
      SecurityGroups: [!Ref FeedServicesSecurityGroup]
      InstanceType: !Ref InstanceType
      IamInstanceProfile: !Ref EC2InstanceProfile
      PlacementTenancy: default
      KeyName: !Ref KeyName
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash -xe
          echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config
          yum install -y aws-cfn-bootstrap
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource ECSAutoScalingGroup --region ${AWS::Region}
  FeedServices:
    Type: AWS::ECS::Service
    Properties:
      Cluster: !Ref ECSCluster
      DeploymentConfiguration:
        MaximumPercent: 200
        MinimumHealthyPercent: 100
      DesiredCount: !Ref DesiredCount
      LaunchType: EC2
      NetworkConfiguration:
        AwsVpcConfiguration:
          AssignPublicIp: DISABLED
          SecurityGroups: [!Ref FeedServicesSecurityGroup]
          Subnets: [!Ref SubnetId]
      ServiceName: !Join ['-', [feed-services, !Ref Color]]
      TaskDefinition: !Ref TaskDefinition
  ServiceScalingTarget:
    Type: AWS::ApplicationAutoScaling::ScalableTarget
    DependsOn: FeedServices
    Properties:
      MaxCapacity: 1
      MinCapacity: 1
      ResourceId: !Join [ '', [ feed-services/, !Ref 'ECSCluster', /, !GetAtt [ FeedServices, Name ] ] ]
      RoleARN: !GetAtt [ AutoscalingRole, Arn ]
      ScalableDimension: ecs:service:DesiredCount
      ServiceNamespace: ecs
  EC2Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ ec2.amazonaws.com ]
            Action: [ 'sts:AssumeRole' ]
      Path: /
      Policies:
        - PolicyName: !Join ['-', [feed-services, !Ref Color, ecs-role]]
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action: [ 'ecs:CreateCluster', 'ecs:DeregisterContainerInstance', 'ecs:DiscoverPollEndpoint',
                          'ecs:Poll', 'ecs:RegisterContainerInstance', 'ecs:StartTelemetrySession',
                          'ecs:Submit*', 'logs:CreateLogStream', 'logs:PutLogEvents' ]
                Resource: '*'
  AutoscalingRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ application-autoscaling.amazonaws.com ]
            Action: [ 'sts:AssumeRole' ]
      Path: /
      Policies:
        - PolicyName: !Join ['-', [feed-services, !Ref Color, autoscaling-role]]
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action: [ 'application-autoscaling:*', 'cloudwatch:DescribeAlarms', 'cloudwatch:PutMetricAlarm',
                          'ecs:DescribeServices', 'ecs:UpdateService' ]
                Resource: '*'
  SubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref XxxRouteTableId
      SubnetId: !Ref SubnetId
  EC2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles: [ !Ref 'EC2Role' ]
Outputs:
  feedservices:
    Value: !Ref FeedServices
  taskdefinition:
    Value: !Ref TaskDefinition
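The Auto Scaling message "The requested configuration is currently not supported" is raised by EC2 when the launch parameters cannot be combined, and it is only surfaced after the stack has already started creating resources. As an added example (not code from the question or from AWS), the following pre-flight script checks two of the combinations that produce this message before any stack is created: whether the AMI's CPU architecture is one the instance type supports, and whether the instance type is offered in the subnet's Availability Zone. `check_launch_config` is a pure function over a `LaunchFacts` record so it runs offline against constructed sample data; `gather_facts` fills the same record from a live account using only read-only boto3 `Describe*` calls. The sample facts are constructed for illustration: that `c6g.4xlarge` is an arm64 (Graviton2) type is a fact, but the x86_64 architecture assigned to the question's AMI and the AZ names are assumptions, not lookups.

```python
"""Pre-flight check for an ECS-on-EC2 launch configuration (added example).

Validates that the AMI architecture and the subnet's Availability Zone are
compatible with the chosen instance type. Both mismatches otherwise surface
only at Auto Scaling launch time as "The requested configuration is
currently not supported".
"""
import sys
from dataclasses import dataclass
from typing import List, Set


@dataclass
class LaunchFacts:
    ami_architecture: str             # e.g. "x86_64" or "arm64"
    instance_architectures: Set[str]  # architectures the instance type supports
    availability_zone: str            # AZ of the subnet the ASG launches into
    offered_zones: Set[str]           # AZs where the instance type is offered


def check_launch_config(instance_type: str, ami_id: str, facts: LaunchFacts) -> List[str]:
    """Return a list of human-readable problems. An empty list means the
    instance type / AMI / subnet combination can be launched."""
    problems: List[str] = []
    if facts.ami_architecture not in facts.instance_architectures:
        problems.append(
            f"AMI {ami_id} is {facts.ami_architecture} but {instance_type} "
            f"only supports {sorted(facts.instance_architectures)}"
        )
    if facts.availability_zone not in facts.offered_zones:
        problems.append(f"{instance_type} is not offered in {facts.availability_zone}")
    return problems


def gather_facts(ec2, instance_type: str, ami_id: str, subnet_id: str) -> LaunchFacts:
    """Collect the same facts from a live account through a boto3 EC2 client.
    Only read-only Describe* calls are used; not exercised offline."""
    image = ec2.describe_images(ImageIds=[ami_id])["Images"][0]
    itype = ec2.describe_instance_types(InstanceTypes=[instance_type])["InstanceTypes"][0]
    subnet = ec2.describe_subnets(SubnetIds=[subnet_id])["Subnets"][0]
    offerings = ec2.describe_instance_type_offerings(
        LocationType="availability-zone",
        Filters=[{"Name": "instance-type", "Values": [instance_type]}],
    )["InstanceTypeOfferings"]
    return LaunchFacts(
        ami_architecture=image["Architecture"],
        instance_architectures=set(itype["ProcessorInfo"]["SupportedArchitectures"]),
        availability_zone=subnet["AvailabilityZone"],
        offered_zones={o["Location"] for o in offerings},
    )


# Constructed sample facts for the question's parameter defaults. c6g is a
# Graviton2 (arm64) family; the AMI architecture and the AZ names below are
# assumptions made for illustration, not the result of a lookup.
SAMPLE_FACTS = LaunchFacts(
    ami_architecture="x86_64",
    instance_architectures={"arm64"},
    availability_zone="us-east-1a",
    offered_zones={"us-east-1a", "us-east-1b"},
)


def sample_check() -> List[str]:
    """Run the check against the constructed sample; returns one
    architecture-mismatch problem and no AZ problem."""
    return check_launch_config("c6g.4xlarge", "ami-0dba2cb6798deb6d8", SAMPLE_FACTS)


if __name__ == "__main__":
    print("\n".join(sample_check()) or "sample: OK")
    # Live mode: python preflight.py <instance_type> <ami_id> <subnet_id>
    if len(sys.argv) == 4:
        import boto3  # only needed for the live check

        instance_type, ami_id, subnet_id = sys.argv[1:]
        live = gather_facts(boto3.client("ec2", region_name="us-east-1"), instance_type, ami_id, subnet_id)
        live_problems = check_launch_config(instance_type, ami_id, live)
        print("\n".join(live_problems) or "live: OK")
        sys.exit(1 if live_problems else 0)
```

Run without arguments to see the constructed sample flagged; with an instance type, AMI id and subnet id it performs the live lookups (the region is hard-coded to `us-east-1` to match the template) and exits non-zero on any problem, which makes it usable as a gate in a pipeline step that runs before `aws cloudformation create-stack`.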