The latest articles on Forem by Muhammad Ahmad Khan (@muhammad_ahmad_khan). https://forem.com/muhammad_ahmad_khan https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F741875%2Fc1ba7bc1-8f83-420d-ae48-71a09d71357c.jpg https://forem.com/muhammad_ahmad_khan en Muhammad Ahmad Khan Sun, 02 Feb 2025 20:53:27 +0000 https://forem.com/muhammad_ahmad_khan/monitoring-alerting-for-aws-eks-using-grafana-prometheus-alertmanager-with-sns-integration-5593 https://forem.com/muhammad_ahmad_khan/monitoring-alerting-for-aws-eks-using-grafana-prometheus-alertmanager-with-sns-integration-5593 <p>In this blog post, we'll walk through setting up a robust monitoring and alerting system for a Kubernetes cluster on AWS EKS. We'll use the <code>kube-prometheus-stack</code> to deploy Prometheus and Grafana, configure an ALB Ingress for external access, and set up Amazon SNS as the receiver for Alertmanager to handle alerts.</p> <p>Using Amazon SNS as the alert receiver is particularly useful when an organization does not use Slack or wants a centralized way to distribute alerts via email. While Alertmanager supports email notifications, setting up email as a direct receiver requires configuring an SMTP configuration resulting in administrative overhead. With SNS, you can subscribe multiple email addresses to a single topic without additional SMTP setup, making it a simpler and more scalable solution.</p> <p>However, it's important to note that SNS has limitations when handling HTML content. Alerts sent via SNS will be received as plain text rather than formatted HTML, which may impact readability.</p> <h2> Prerequisites </h2> <p>Before we begin, ensure you have the following:</p> <ol> <li>An AWS account with a running EKS cluster.</li> <li> <code>kubectl</code> and <code>helm</code> installed on your local machine.</li> <li>AWS CLI configured with the necessary credentials.</li> <li>AWS Load Balancer Controller installed in the EKS cluster.</li> <li> <code>kubectl</code> pointing to the correct cluster context.</li> </ol> <h2> Step 1: Install the <code>kube-prometheus-stack</code> Using Helm </h2> <p>The <code>kube-prometheus-stack</code> is a collection of Kubernetes manifests, Grafana dashboards, and Prometheus rules that provide easy deployment and management of Prometheus and Grafana on Kubernetes.</p> <h3> 1.1 Add the Prometheus Community Helm Repository </h3> <p>First, add the Prometheus Community Helm repository and update it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm repo add prometheus-community https://prometheus-community.github.io/helm-charts helm repo update </code></pre> </div> <h3> 1.2 Deploy the <code>kube-prometheus-stack</code> </h3> <p>Create a <code>prom-operator-values.yaml</code> file to customize the deployment. For example, set up the Grafana admin password, some custom dashboards, grafana ingress and other configurations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">grafana</span><span class="pi">:</span> <span class="na">adminPassword</span><span class="pi">:</span> <span class="s2">"</span><span class="s">your-secure-password"</span> <span class="c1">### Provision grafana-dashboards-kubernetes ###</span> <span class="na">dashboardProviders</span><span class="pi">:</span> <span class="na">dashboardproviders.yaml</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="m">1</span> <span class="na">providers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">grafana-dashboards-kubernetes'</span> <span class="na">orgId</span><span class="pi">:</span> <span class="m">1</span> <span class="na">folder</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Kubernetes'</span> <span class="na">type</span><span class="pi">:</span> <span class="s">file</span> <span class="na">disableDeletion</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">editable</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">options</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/var/lib/grafana/dashboards/grafana-dashboards-kubernetes</span> <span class="na">dashboards</span><span class="pi">:</span> <span class="na">grafana-dashboards-kubernetes</span><span class="pi">:</span> <span class="na">k8s-system-api-server</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-system-api-server.json</span> <span class="na">token</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="na">k8s-system-coredns</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-system-coredns.json</span> <span class="na">token</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="na">k8s-views-global</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-global.json</span> <span class="na">token</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="na">k8s-views-namespaces</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-namespaces.json</span> <span class="na">token</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="na">k8s-views-nodes</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-nodes.json</span> <span class="na">token</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="na">k8s-views-pods</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-pods.json</span> <span class="na">token</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="na">ingress</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">kubernetes.io/ingress.class</span><span class="pi">:</span> <span class="s">alb</span> <span class="na">alb.ingress.kubernetes.io/load-balancer-name</span><span class="pi">:</span> <span class="s">grafana-alb</span> <span class="na">alb.ingress.kubernetes.io/scheme</span><span class="pi">:</span> <span class="s">internet-facing</span> <span class="na">alb.ingress.kubernetes.io/target-type</span><span class="pi">:</span> <span class="s">ip</span> <span class="na">alb.ingress.kubernetes.io/listen-ports</span><span class="pi">:</span> <span class="s1">'</span><span class="s">[{"HTTP":</span><span class="nv"> </span><span class="s">80},</span><span class="nv"> </span><span class="s">{"HTTPS":</span><span class="nv"> </span><span class="s">443}]'</span> <span class="na">alb.ingress.kubernetes.io/ssl-redirect</span><span class="pi">:</span> <span class="s1">'</span><span class="s">443'</span> <span class="na">alb.ingress.kubernetes.io/certificate-arn</span><span class="pi">:</span> <span class="s">arn:aws:acm:&lt;AWS_REGION&gt;:&lt;ACCOUNT_ID&gt;:certificate/a0ff498e-62fd-4397-8d4a-626360465d32</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">grafana-test.apps.xyz-company.com</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> </code></pre> </div> <p>Deploy the <code>kube-prometheus-stack</code> using Helm:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm upgrade <span class="nt">--install</span> k-prom-stack prometheus-community/kube-prometheus-stack <span class="se">\</span> <span class="nt">--namespace</span> monitoring <span class="nt">--create-namespace</span> <span class="se">\</span> <span class="nt">--values</span> prom-operator-values.yaml </code></pre> </div> <p>This command installs Prometheus, Grafana, and Alertmanager in the <code>monitoring</code> namespace.</p> <h3> 1.3 Access Prometheus and Alertmanager UIs </h3> <p>To access the Prometheus and Alertmanager web UIs, use <code>kubectl port-forward</code>:</p> <ul> <li> <strong>Prometheus UI:</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl port-forward svc/prometheus-operated 9090:9090 <span class="nt">--namespace</span> monitoring </code></pre> </div> <p>Open your browser and go to <code>http://localhost:9090</code>.</p> <ul> <li> <strong>Alertmanager UI:</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl port-forward svc/alertmanager-operated 9093:9093 <span class="nt">--namespace</span> monitoring </code></pre> </div> <p>Open your browser and go to <code>http://localhost:9093</code>.</p> <p><strong>To access the Grafana web UI:</strong></p> <ul> <li><p>Create a DNS entry mapping the domain define in ingress with created loadbalancer url.</p></li> <li><p>Use <code>admin</code> as the username and the password defined in <code>prom-operator-values.yaml</code> to log in to Grafana.</p></li> </ul> <h2> Step 2: Set Up Amazon SNS for Alertmanager </h2> <p>To receive alerts via email or other channels, we'll configure Amazon SNS as the receiver for Alertmanager.</p> <h3> 2.1 Create an SNS Topic </h3> <p>Create an SNS topic to receive alerts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws sns create-topic <span class="nt">--name</span> alertTopic </code></pre> </div> <p>Note the ARN (Amazon Resource Name) from the output, as it will be needed in later steps.</p> <h3> 2.2 Create an Email Subscription for SNS </h3> <p>Subscribe your email to the SNS topic to receive notifications:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws sns subscribe <span class="se">\</span> <span class="nt">--topic-arn</span> arn:aws:sns:&lt;AWS_REGION&gt;:&lt;ACCOUNT_ID&gt;:alertTopic <span class="se">\</span> <span class="nt">--protocol</span> email <span class="se">\</span> <span class="nt">--notification-endpoint</span> &lt;your-email@example.com&gt; </code></pre> </div> <p>Check your email inbox for a confirmation message and click the link to activate the subscription.</p> <h3> 2.3 Create a New IAM Role for EKS Node Group to Assume and Publish to SNS </h3> <h4> 2.3.1 Create a Trust Relationship </h4> <p>Create a trust relationship policy to allow the EKS node group role to assume the new role:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; trust-policy.json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::&lt;ACCOUNT_ID&gt;:role/eks-node-group-role" }, "Action": "sts:AssumeRole" } ] } </span><span class="no">EOF </span></code></pre> </div> <p>Create the IAM role:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws iam create-role <span class="se">\</span> <span class="nt">--role-name</span> alertmanager_role <span class="se">\</span> <span class="nt">--assume-role-policy-document</span> file://trust-policy.json </code></pre> </div> <h4> 2.3.2 Attach Permissions to Publish to SNS </h4> <p>Create a policy to allow the role to publish messages to the SNS topic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; sns-policy.json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sns:Publish", "Resource": "arn:aws:sns:&lt;AWS_REGION&gt;:&lt;ACCOUNT_ID&gt;:alertTopic" } ] } </span><span class="no">EOF </span></code></pre> </div> <p>Attach the policy to the new role:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws iam put-role-policy <span class="se">\</span> <span class="nt">--role-name</span> alertmanager_role <span class="se">\</span> <span class="nt">--policy-name</span> SNSPublishPolicy <span class="se">\</span> <span class="nt">--policy-document</span> file://sns-policy.json </code></pre> </div> <h3> 2.4 Create a Resource-Based Policy for SNS </h3> <p>Allow this new role named <code>alertmanager_role</code> to publish alerts to the SNS topic by attaching a resource-based policy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; sns-resource-policy.json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::&lt;ACCOUNT_ID&gt;:role/alertmanager_role" }, "Action": "sns:Publish", "Resource": "arn:aws:sns:&lt;AWS_REGION&gt;:&lt;ACCOUNT_ID&gt;:alertTopic" } ] } </span><span class="no">EOF </span></code></pre> </div> <p>Apply the policy to the SNS topic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws sns set-topic-attributes <span class="se">\</span> <span class="nt">--topic-arn</span> arn:aws:sns:&lt;AWS_REGION&gt;:&lt;ACCOUNT_ID&gt;:alertTopic <span class="se">\</span> <span class="nt">--attribute-name</span> Policy <span class="se">\</span> <span class="nt">--attribute-value</span> file://sns-resource-policy.json </code></pre> </div> <h3> 2.5 Update the IAM Role for the EKS Node Group </h3> <p>Allow the EKS node group to assume this new role named <code>alertmanager_role</code> by attaching a policy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; eks-assume-policy.json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::&lt;ACCOUNT_ID&gt;:role/alertmanager_role" } ] } </span><span class="no">EOF </span></code></pre> </div> <p>Attach the policy to the EKS node group role:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws iam put-role-policy <span class="se">\</span> <span class="nt">--role-name</span> eks-node-group-role <span class="se">\</span> <span class="nt">--policy-name</span> assume_alertmanager_role_policy <span class="se">\</span> <span class="nt">--policy-document</span> file://eks-assume-policy.json </code></pre> </div> <p><strong>Note:</strong> </p> <ul> <li>your EKS node Group role might be different than mine e.g. <code>eks-node-group-role</code> </li> </ul> <h2> Step 3: Configure Alertmanager to Send Alerts to SNS </h2> <p>Update the <code>alertmanager.yml</code> configuration to send alerts to the SNS topic in same helm values file named as <code>prom-operator-values.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">alertmanager</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="na">global</span><span class="pi">:</span> <span class="na">resolve_timeout</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">route</span><span class="pi">:</span> <span class="na">group_by</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">job'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">alertname'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">priority'</span><span class="pi">]</span> <span class="na">group_wait</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">group_interval</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">repeat_interval</span><span class="pi">:</span> <span class="s">12h</span> <span class="na">receiver</span><span class="pi">:</span> <span class="s1">'</span><span class="s">sns-receivers'</span> <span class="na">receivers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">null'</span> <span class="c1"># Add this to your config as well</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sns-receivers</span> <span class="na">sns_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">api_url</span><span class="pi">:</span> <span class="s">https://sns.&lt;AWS_REGION&gt;.amazonaws.com</span> <span class="na">topic_arn</span><span class="pi">:</span> <span class="s">arn:aws:sns:&lt;AWS_REGION&gt;:&lt;ACCOUNT_ID&gt;:alertTopic</span> <span class="na">sigv4</span><span class="pi">:</span> <span class="na">region</span><span class="pi">:</span> <span class="s">&lt;AWS_REGION&gt;</span> <span class="na">role_arn</span><span class="pi">:</span> <span class="s">arn:aws:iam::&lt;ACCOUNT_ID&gt;:role/alertmanager_role</span> <span class="na">subject</span><span class="pi">:</span> <span class="s1">'</span><span class="s">[{{</span><span class="nv"> </span><span class="s">.Status</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">toUpper</span><span class="nv"> </span><span class="s">}}{{</span><span class="nv"> </span><span class="s">if</span><span class="nv"> </span><span class="s">eq</span><span class="nv"> </span><span class="s">.Status</span><span class="nv"> </span><span class="s">"firing"</span><span class="nv"> </span><span class="s">}}:{{</span><span class="nv"> </span><span class="s">.Alerts.Firing</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">len</span><span class="nv"> </span><span class="s">}}{{</span><span class="nv"> </span><span class="s">end</span><span class="nv"> </span><span class="s">}}]'</span> <span class="na">message</span><span class="pi">:</span> <span class="pi">|-</span> <span class="s">{{ if gt (len .Alerts.Firing) 0 }}</span> <span class="s">Alerts Firing:</span> <span class="s">{{ template "__text_alert_list_markdown" .Alerts.Firing }}</span> <span class="s">{{ end }}</span> <span class="s">{{ if gt (len .Alerts.Resolved) 0 }}</span> <span class="s">Alerts Resolved:</span> <span class="s">{{ template "__text_alert_list_markdown" .Alerts.Resolved }}</span> <span class="s">{{ end }}</span> <span class="na">send_resolved</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># Sends notification when alert is resolved</span> </code></pre> </div> <p>Apply the updated configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm upgrade <span class="nt">--install</span> k-prom-stack prometheus-community/kube-prometheus-stack <span class="se">\</span> <span class="nt">--namespace</span> monitoring <span class="nt">--create-namespace</span> <span class="se">\</span> <span class="nt">--values</span> prom-operator-values.yaml </code></pre> </div> <h2> Step 4: Configure custom rules for custom alerts </h2> <p>Update the <code>prom-operator-values.yaml</code> to add:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">additionalPrometheusRulesMap</span><span class="pi">:</span> <span class="na">custom-rules</span><span class="pi">:</span> <span class="na">groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">customGroupA.rules</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">Custom-Alert Instance High CPU Utilization</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s">CPU usage had been over 75% for 5 minutes | Current usage is {{ $value | printf "%.2f" }}%</span> <span class="na">summary</span><span class="pi">:</span> <span class="s">CPU usage is over 75% (instance {{ $labels.instance }})</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">100 - (avg by(instance) (irate(node_cpu_seconds_total{mode="idle"}[5m])) * 100) &gt; </span><span class="m">75</span> <span class="na">for</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">Custom-Alert Instance High Memory Utilization</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Memory usage had been over 75% for 5 minutes | Current usage is {{ $value | printf "%.2f" }}%</span> <span class="na">summary</span><span class="pi">:</span> <span class="s">Memory usage is over 75% (instance {{ $labels.instance }})</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">100 - (sum by(instance) (node_memory_MemAvailable_bytes) / sum by(instance) (node_memory_MemTotal_bytes) * 100) &gt; </span><span class="m">75</span> <span class="na">for</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> </code></pre> </div> <p>Apply the updated configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm upgrade <span class="nt">--install</span> k-prom-stack prometheus-community/kube-prometheus-stack <span class="se">\</span> <span class="nt">--namespace</span> monitoring <span class="nt">--create-namespace</span> <span class="se">\</span> <span class="nt">--values</span> prom-operator-values.yaml </code></pre> </div> <p>The complete helm values file can be found on GitHub <a href="https://github.com/muhammad-ahmad-khan/EKS-Monitoring-Solution/blob/main/EKS-Monitoring-With-SNS/prom-operator-values.yaml" rel="noopener noreferrer">here</a> </p> <h2> Conclusion </h2> <p>In this blog post, we set up a comprehensive monitoring and alerting system for a Kubernetes cluster running on AWS EKS. We deployed Prometheus and Grafana using the <code>kube-prometheus-stack</code>, configured an ALB Ingress for external access to Grafana, and set up Amazon SNS as the receiver for Alertmanager to receive alerts.</p> <p>With this setup, you can now monitor your Kubernetes cluster, visualize metrics using Grafana, and receive alerts via Alertmanager and SNS. This ensures that your cluster is both observable and resilient to issues.</p> devops aws eks monitoring Muhammad Ahmad Khan Sat, 25 Jan 2025 02:22:52 +0000 https://forem.com/muhammad_ahmad_khan/rapidly-deploy-ecs-infrastructure-on-aws-with-aws-cdk-typescript-1fpk https://forem.com/muhammad_ahmad_khan/rapidly-deploy-ecs-infrastructure-on-aws-with-aws-cdk-typescript-1fpk <p>When building and deploying containerized applications on AWS, Amazon ECS (Elastic Container Service) provides a powerful and flexible solution. AWS CDK (Cloud Development Kit) simplifies the process of creating ECS infrastructure by providing a programmatic approach to define cloud resources in code. This blog post walks through how to rapidly deploy ECS infrastructure using the <code>aws-cdk-lib/aws-ecs-patterns</code> module, which abstracts complex tasks like load balancing, service management, and autoscaling.</p> <p>We’ll cover how to create an ECS Fargate service, set up an Application Load Balancer (ALB), enable auto-scaling, and integrate AWS Secrets Manager for securely managing sensitive data, all with just a few lines of TypeScript code.</p> <h2> Prerequisites </h2> <p>Before getting started, make sure you have the following:</p> <ol> <li> <strong>Node.js</strong> and <strong>npm</strong> installed.</li> <li> <strong>AWS CLI</strong> configured with appropriate permissions to create resources. You can configure it with: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> aws configure </code></pre> </div> <ol> <li> <strong>AWS CDK</strong> installed globally: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> npm <span class="nb">install</span> <span class="nt">-g</span> aws-cdk </code></pre> </div> <ol> <li> <strong>Docker</strong> installed (optional but useful for container builds).</li> </ol> <h2> Setting Up the Project </h2> <p>To begin, create a new directory for your CDK project and initialize it with TypeScript:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>ecs-fargate <span class="nb">cd </span>ecs-fargate cdk init app <span class="nt">--language</span> typescript </code></pre> </div> <p>This will generate the basic project structure for an AWS CDK application. Next, install the necessary dependencies for ECS, VPC, ECR, and other related services:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @aws-cdk/aws-ec2 @aws-cdk/aws-ecs @aws-cdk/aws-ecr @aws-cdk/aws-ecs-patterns @aws-cdk/aws-iam @aws-cdk/aws-elasticloadbalancingv2 @aws-cdk/aws-certificatemanager @aws-cdk/aws-secretsmanager </code></pre> </div> <p>Now you're ready to start defining your infrastructure!</p> <h2> Using <code>aws-cdk-lib/aws-ecs-patterns</code> </h2> <p>The <code>aws-cdk-lib/aws-ecs-patterns</code> module simplifies ECS service setup by providing high-level abstractions for common ECS patterns. It includes constructs for easy configuration of services like Application Load Balanced Fargate services, which handle the complexity of setting up load balancers, auto-scaling, and other integrations.</p> <p>For example, the <code>ApplicationLoadBalancedFargateService</code> construct automatically creates an ECS Fargate service with an Application Load Balancer (ALB) in front of it, managing much of the networking and routing for you.</p> <p>Here’s a quick look at some key benefits of using the <code>ApplicationLoadBalancedFargateService</code> construct from the <code>aws-cdk-lib/aws-ecs-patterns</code> module:</p> <ul> <li> <strong>Simplified Infrastructure Setup</strong>: You don't need to manually define an Application Load Balancer or its target group—everything is handled for you.</li> <li> <strong>Built-in Auto-Scaling</strong>: Easily configure auto-scaling for your Fargate tasks based on CPU or memory usage.</li> <li> <strong>HTTPS Setup</strong>: You can easily set up SSL certificates via ACM (AWS Certificate Manager) and configure the load balancer to use HTTPS.</li> </ul> <p>For more details on other architectural patterns, you can refer to the official <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs_patterns-readme.html" rel="noopener noreferrer">AWS CDK ECS Patterns Documentation</a>.</p> <h2> Defining the ECS Fargate Infrastructure </h2> <p>Here’s an example that demonstrates how to quickly deploy ECS infrastructure with AWS CDK using TypeScript.</p> <h3> Example: ECS Fargate Service with Application Load Balancer </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Construct</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">constructs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-ec2</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ecs</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-ecs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ecr</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-ecr</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ecs_patterns</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-ecs-patterns</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">iam</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-iam</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">elbv2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-elasticloadbalancingv2</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">acm</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-certificatemanager</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">secretsmanager</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-secretsmanager</span><span class="dl">'</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">EcsFargateStackProps</span> <span class="kd">extends</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span> <span class="p">{</span> <span class="nl">vpcId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// VPC Id</span> <span class="nl">ecrRepositoryName</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// ECR repository name</span> <span class="nl">acmCertificateArn</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// ACM certificate ARN for HTTPS</span> <span class="nl">demoServiceSecretArn</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// Secret ARN for demoService</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">EcsFargateStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">EcsFargateStackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="c1">// Lookup existing VPC using VPC ID from props</span> <span class="kd">const</span> <span class="nx">vpc</span> <span class="o">=</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Vpc</span><span class="p">.</span><span class="nf">fromLookup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EcsVpc</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpcId</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpcId</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Reference the existing ECR repository</span> <span class="kd">const</span> <span class="nx">ecrRepo</span> <span class="o">=</span> <span class="nx">ecr</span><span class="p">.</span><span class="nx">Repository</span><span class="p">.</span><span class="nf">fromRepositoryName</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ExistingEcrRepository</span><span class="dl">'</span><span class="p">,</span> <span class="nx">props</span><span class="p">.</span><span class="nx">ecrRepositoryName</span><span class="p">);</span> <span class="c1">// ECS Cluster</span> <span class="kd">const</span> <span class="nx">cluster</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ecs</span><span class="p">.</span><span class="nc">Cluster</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EcsCluster</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">clusterName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">demo-service-EcsFargateCluster</span><span class="dl">'</span><span class="p">,</span> <span class="nx">vpc</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Task Definition</span> <span class="kd">const</span> <span class="nx">taskDefinition</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ecs</span><span class="p">.</span><span class="nc">FargateTaskDefinition</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">FargateTaskDef</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">memoryLimitMiB</span><span class="p">:</span> <span class="mi">512</span><span class="p">,</span> <span class="na">cpu</span><span class="p">:</span> <span class="mi">256</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Reference the secret from AWS Secrets Manager</span> <span class="kd">const</span> <span class="nx">taskSecret</span> <span class="o">=</span> <span class="nx">secretsmanager</span><span class="p">.</span><span class="nx">Secret</span><span class="p">.</span><span class="nf">fromSecretCompleteArn</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">FargateTaskSecret</span><span class="dl">'</span><span class="p">,</span> <span class="nx">props</span><span class="p">.</span><span class="nx">demoServiceSecretArn</span><span class="p">);</span> <span class="c1">// Add a container to the task definition</span> <span class="kd">const</span> <span class="nx">container</span> <span class="o">=</span> <span class="nx">taskDefinition</span><span class="p">.</span><span class="nf">addContainer</span><span class="p">(</span><span class="dl">'</span><span class="s1">AppContainer</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">image</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">ContainerImage</span><span class="p">.</span><span class="nf">fromEcrRepository</span><span class="p">(</span><span class="nx">ecrRepo</span><span class="p">,</span> <span class="dl">'</span><span class="s1">latest</span><span class="dl">'</span><span class="p">),</span> <span class="na">logging</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">LogDriver</span><span class="p">.</span><span class="nf">awsLogs</span><span class="p">({</span> <span class="na">streamPrefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ecs-app</span><span class="dl">'</span> <span class="p">}),</span> <span class="na">environment</span><span class="p">:</span> <span class="p">{</span> <span class="na">DEBUG</span><span class="p">:</span> <span class="dl">'</span><span class="s1">true</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Simple environment variable</span> <span class="p">},</span> <span class="na">secrets</span><span class="p">:</span> <span class="p">{</span> <span class="na">SECRET_KEY</span><span class="p">:</span> <span class="nx">ecs</span><span class="p">.</span><span class="nx">Secret</span><span class="p">.</span><span class="nf">fromSecretsManager</span><span class="p">(</span><span class="nx">taskSecret</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SECRET_KEY</span><span class="dl">'</span><span class="p">),</span> <span class="c1">// Referencing secret for SECRET_KEY</span> <span class="p">},</span> <span class="p">});</span> <span class="nx">container</span><span class="p">.</span><span class="nf">addPortMappings</span><span class="p">({</span> <span class="na">containerPort</span><span class="p">:</span> <span class="mi">5000</span><span class="p">,</span> <span class="c1">// Container runs on port 5000</span> <span class="p">});</span> <span class="c1">// ACM Certificate for HTTPS</span> <span class="kd">const</span> <span class="nx">certificate</span> <span class="o">=</span> <span class="nx">acm</span><span class="p">.</span><span class="nx">Certificate</span><span class="p">.</span><span class="nf">fromCertificateArn</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">AcmCertificate</span><span class="dl">'</span><span class="p">,</span> <span class="nx">props</span><span class="p">.</span><span class="nx">acmCertificateArn</span><span class="p">);</span> <span class="c1">// Application Load Balanced Fargate Service</span> <span class="kd">const</span> <span class="nx">fargateService</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ecs_patterns</span><span class="p">.</span><span class="nc">ApplicationLoadBalancedFargateService</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">FargateService</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">cluster</span><span class="p">,</span> <span class="nx">taskDefinition</span><span class="p">,</span> <span class="na">enableExecuteCommand</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Enable execute command</span> <span class="nx">certificate</span><span class="p">,</span> <span class="na">publicLoadBalancer</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">loadBalancerName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">demo-service-alb</span><span class="dl">'</span><span class="p">,</span> <span class="na">sslPolicy</span><span class="p">:</span> <span class="nx">elbv2</span><span class="p">.</span><span class="nx">SslPolicy</span><span class="p">.</span><span class="nx">RECOMMENDED</span><span class="p">,</span> <span class="na">serviceName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">demo-service-EcsFargateService</span><span class="dl">'</span><span class="p">,</span> <span class="na">redirectHTTP</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">protocol</span><span class="p">:</span> <span class="nx">elbv2</span><span class="p">.</span><span class="nx">ApplicationProtocol</span><span class="p">.</span><span class="nx">HTTPS</span><span class="p">,</span> <span class="c1">// Default HTTPS</span> <span class="p">});</span> <span class="c1">// Adjust target group port to match the container port</span> <span class="nx">fargateService</span><span class="p">.</span><span class="nx">targetGroup</span><span class="p">.</span><span class="nf">configureHealthCheck</span><span class="p">({</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="na">port</span><span class="p">:</span> <span class="dl">'</span><span class="s1">5000</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Health check targets container port 5000</span> <span class="p">});</span> <span class="c1">// Autoscaling</span> <span class="kd">const</span> <span class="nx">scaling</span> <span class="o">=</span> <span class="nx">fargateService</span><span class="p">.</span><span class="nx">service</span><span class="p">.</span><span class="nf">autoScaleTaskCount</span><span class="p">({</span> <span class="na">minCapacity</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">maxCapacity</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="p">});</span> <span class="nx">scaling</span><span class="p">.</span><span class="nf">scaleOnCpuUtilization</span><span class="p">(</span><span class="dl">'</span><span class="s1">CpuScaling</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">targetUtilizationPercent</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="p">});</span> <span class="nx">scaling</span><span class="p">.</span><span class="nf">scaleOnMemoryUtilization</span><span class="p">(</span><span class="dl">'</span><span class="s1">MemoryScaling</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">targetUtilizationPercent</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Outputs</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ClusterName</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nx">cluster</span><span class="p">.</span><span class="nx">clusterName</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ECS Cluster Name</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ServiceName</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nx">fargateService</span><span class="p">.</span><span class="nx">service</span><span class="p">.</span><span class="nx">serviceName</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ECS Service Name</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Breakdown of the Code: </h3> <ol> <li><p><strong>VPC and ECS Cluster</strong>: We use <code>ec2.Vpc.fromLookup()</code> to reference an existing VPC based on the VPC ID passed in as a parameter, and create an ECS cluster within that VPC.</p></li> <li><p><strong>ECR Repository</strong>: The Docker image for the application is stored in an existing ECR repository. We reference this repository using <code>ecr.Repository.fromRepositoryName()</code>.</p></li> <li><p><strong>Task Definition</strong>: We define an ECS Fargate task with specified memory and CPU limits, referencing a Docker image from ECR. We also integrate environment variables and sensitive data from AWS Secrets Manager.</p></li> <li><p><strong>Load Balancer and HTTPS</strong>: The <code>ApplicationLoadBalancedFargateService</code> construct from <code>aws-cdk-lib/aws-ecs-patterns</code> automatically provisions an ALB, configuring SSL termination using an ACM certificate for HTTPS.</p></li> <li><p><strong>Auto-Scaling</strong>: We configure auto-scaling for the Fargate service based on CPU and memory utilization, ensuring the service can dynamically adjust to demand.</p></li> <li><p><strong>Outputs</strong>: Finally, we output the ECS cluster name and service name, so they can be easily referenced.</p></li> </ol> <h2> Deploying the Stack </h2> <h3> Step 1: Install Dependencies </h3> <p>Ensure that all dependencies are installed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> </code></pre> </div> <h3> Step 2: Bootstrap the CDK Environment </h3> <p>Run the bootstrap command to prepare your AWS account for CDK:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cdk bootstrap <span class="nt">--profile</span> your-aws-profile </code></pre> </div> <h3> Step 3: Synthesize the Stack </h3> <p>Synthesize the CloudFormation template to verify the stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cdk synth <span class="nt">--context</span> <span class="nv">vpcId</span><span class="o">=</span>vpc-xxxxxxxx <span class="nt">--context</span> <span class="nv">ecrRepositoryName</span><span class="o">=</span>demo-service <span class="nt">--context</span> <span class="nv">acmCertificateArn</span><span class="o">=</span>arn:aws:acm:region:account-id:certificate/certificate-id <span class="nt">--context</span> <span class="nv">demoServiceSecretArn</span><span class="o">=</span>arn:aws:secretsmanager:region:account-id:secret:secret-id <span class="nt">--profile</span> your-aws-profile </code></pre> </div> <h3> Step 4: Deploy the Stack </h3> <p>Deploy the ECS Fargate stack to AWS:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cdk deploy <span class="nt">--context</span> <span class="nv">vpcId</span><span class="o">=</span>vpc-xxxxxxxx <span class="nt">--context</span> <span class="nv">ecrRepositoryName</span><span class="o">=</span>demo-service <span class="nt">--context</span> <span class="nv">acmCertificateArn</span><span class="o">=</span>arn:aws:acm:region:account-id:certificate/certificate-id <span class="nt">--context</span> <span class="nv">demoServiceSecretArn</span><span class="o">=</span>arn:aws:secretsmanager:region:account-id:secret:secret-id <span class="nt">--profile</span> your-aws-profile </code></pre> </div> <h3> Step 4: Verify the Deployment </h3> <p>After the stack is successfully deployed, AWS will automatically provision the ECS service, ALB, and other necessary resources. You can access the service via the load balancer’s public endpoint.</p> <h2> Conclusion </h2> <p>In this guide, we’ve rapidly provisioned ECS infrastructure using AWS CDK and TypeScript. By leveraging the <code>ApplicationLoadBalancedFargateService</code> construct from <code>aws-cdk-lib/aws-ecs-patterns</code>, we were able to simplify the creation of a fully managed ECS service that includes an ALB, auto-scaling, and HTTPS support. </p> <p>This approach significantly reduces the complexity of deploying containerized applications on AWS, allowing you to focus on developing your application instead of managing infrastructure.</p> <p>For more detailed information, check out the official <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs_patterns.ApplicationLoadBalancedFargateService.html" rel="noopener noreferrer">AWS CDK ECS Patterns Documentation</a>.</p> <h3> GitHub Repository </h3> <p>You can find the complete code for this deployment in my <a href="https://github.com/muhammad-ahmad-khan/AWS-CDK-ECS-Infra" rel="noopener noreferrer">GitHub repository</a>.</p> devops aws ecs cdk Muhammad Ahmad Khan Tue, 26 Mar 2024 19:49:52 +0000 https://forem.com/muhammad_ahmad_khan/integrating-multiple-eks-clusters-with-argocd-for-simplifying-kubernetes-operations-nja https://forem.com/muhammad_ahmad_khan/integrating-multiple-eks-clusters-with-argocd-for-simplifying-kubernetes-operations-nja <p>In the rapidly evolving landscape of cloud-native technologies, Kubernetes has emerged as the de facto standard for container orchestration. As organizations scale their infrastructure, managing multiple Kubernetes clusters becomes inevitable. With this growth comes the challenge of ensuring consistency, reliability, and efficiency across all clusters. Enter ArgoCD, a powerful tool for continuous delivery and GitOps workflows in Kubernetes. In this blog post, we'll explore why integrating multiple clusters in ArgoCD is essential and how we can integrate multiple AWS EKS clusters in ArgoCD.</p> <h2> Why Integration is Required </h2> <ul> <li> <strong>Centralized Management:</strong> Managing multiple Kubernetes clusters manually can be daunting and error-prone. Integrating them with ArgoCD provides a centralized platform for managing and deploying applications across all clusters, streamlining operations and reducing complexity.</li> <li> <strong>Consistency and Standardization:</strong> Different clusters may have varying configurations, making it difficult to maintain consistency in deployments. ArgoCD ensures that configurations and deployments are standardized across all clusters, promoting best practices and ensuring uniformity.</li> <li> <strong>Scalability:</strong> As organizations grow, they often adopt a multi-cluster strategy to distribute workloads and improve fault tolerance. Integrating these clusters with ArgoCD enables seamless scaling of applications across clusters, allowing organizations to leverage resources efficiently.</li> <li> <strong>Monitoring [Health Checks and Logging]:</strong> ArgoCD offers insights into the deployment status and health of applications across clusters through its user interface and API. By integrating multiple clusters, organizations gain centralized visibility and can monitor the status of applications across all clusters from a single dashboard.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fboz3fp10s8eigg383fpw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fboz3fp10s8eigg383fpw.png" alt="Image description" width="800" height="344"></a></p> <h2> How to Integrate Multiple AWS EKS Clusters in ArgoCD </h2> <p>Let's say we have AWS accounts as follows:</p> <ul> <li>Account <code>A</code> with account id: <code>111111111111</code> </li> <li>Account <code>B</code> with account id: <code>222222222222</code> </li> <li>Account <code>C</code> with account id: <code>333333333333</code> </li> </ul> <p>Account <code>A</code> is where ArgoCD runs.</p> <p>To authenticate and access the external cluster we need to add the configuration as follows:</p> <p>In Account <code>A</code>:</p> <ul> <li>Create an IAM role named <code>argocd-manager</code>.</li> <li>Create a role policy named <code>argocd-role-policy</code> and attach it to a role named <code>argocd-manager</code> having the assume role policy given below</li> </ul> <p>RolePolicyDocument<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>cat &gt;argocd-role-policy.json &lt;&lt;EOF { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*" } ] } EOF </code></pre> </div> <p>AssumeRolePolicyDocument<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::111111111111:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": [ "system:serviceaccount:argocd:argocd-server", "system:serviceaccount:argocd:argocd-application-controller" ] "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com" } } } ] } </code></pre> </div> <p>Now In Account <code>B</code>:</p> <ul> <li>Create an IAM role named <code>deployer</code> having trust relationship as follows: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::11111111111:role/argocd-manager" }, "Action": "sts:AssumeRole" } ] } </code></pre> </div> <ul> <li>Map this role in aws <code>auth-config</code> configmap Kubernetes object in Account <code>B</code> EKS cluster </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kubectl edit -n kube-system configmap/aws-auth # Please edit the object below. Lines beginning with a '#' will be ignored, # and an empty file will abort the edit. If an error occurs while saving this file will be # reopened with the relevant failures. # apiVersion: v1 data: mapRoles: | - groups: - system:bootstrappers - system:nodes rolearn: arn:aws:iam::222222222222:role/my-role username: system:node:{{EC2PrivateDNSName}} - groups: - system:masters rolearn: arn:aws:iam::222222222222:role/deployer # deployer role arn username: deployer mapUsers: | - groups: - system:masters userarn: arn:aws:iam::222222222222:user/admin username: admin - groups: - system:masters userarn: arn:aws:iam::222222222222:user/alpha-user username: my-user </code></pre> </div> <p>Follow the same procedure in Account <code>C</code> as we have followed in Account <code>B</code>.</p> <p>In Account <code>A</code> (where argocd is installed), add the following configuration in argocd helm chart values</p> <p><strong>Note:</strong> IAM role <code>deployer</code> must be created first in Account <code>B</code> or <code>C</code></p> <ul> <li><code>arn:aws:iam::222222222222:role/deployer</code></li> <li> <code>arn:aws:iam::333333333333:role/deployer</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>global: securityContext: # Set deployments securityContext/fsGroup to 999 so that the user of the docker image can use IAM Authenticator. We need this because the IAM Authenticator will try to mount a secret on /var/run/secrets/eks.amazonaws.com/serviceaccount/token. If the correct fsGroup (999 corresponds to the argocd user) isn’t set, this will fail. runAsGroup: 999 fsGroup: 999 controller: serviceAccount: create: true name: argocd-application-controller annotations: {eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/argocd-manager} # Account A - IAM role service account automountServiceAccountToken: true server: serviceAccount: create: true name: argocd-server annotations: {eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/argocd-manager} # Account A - IAM role service account automountServiceAccountToken: true configs: # -- Provide one or multiple [external cluster credentials] # @default -- `[]` (See [values.yaml]) ## Ref: ## - https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#clusters ## - https://argo-cd.readthedocs.io/en/stable/operator-manual/security/#external-cluster-credentials ## - https://argo-cd.readthedocs.io/en/stable/user-guide/projects/#project-scoped-repositories-and-clusters clusterCredentials: - name: development server: https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.abc.region.eks.amazonaws.com # EKS cluster API server endpoint of Account B config: awsAuthConfig: clusterName: eks-development roleARN: arn:aws:iam::222222222222:role/deployer # Deployer role arn of Account B tlsClientConfig: # Base64 encoded PEM-encoded bytes (typically read from a client certificate file). caData: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx........==" # EKS cluster certificate authority - name: staging server: https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.abc.region.eks.amazonaws.com # EKS cluster API server endpoint of Account C config: awsAuthConfig: clusterName: eks-staging roleARN: arn:aws:iam::333333333333:role/deployer # Deployer role arn of Account C tlsClientConfig: # Base64 encoded PEM-encoded bytes (typically read from a client certificate file). caData: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx........==" # EKS cluster certificate authority </code></pre> </div> <p>Obtain the EKS certificate of the respective cluster using AWS CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws eks describe-cluster \ --region=${AWS_DEFAULT_REGION} \ --name=${CLUSTER_NAME} \ --output=text \ --query 'cluster.{certificateAuthorityData: certificateAuthority.data}' | base64 -D </code></pre> </div> <p>The important thing to note is that we need to set deployments <code>securityContext/fsGroup</code> to <code>999</code> so that the user of the docker image can use IAM Authenticator. We need this because the IAM Authenticator will try to mount a secret on <code>/var/run/secrets/eks.amazonaws.com/serviceaccount/token</code>. If the correct fsGroup (999 corresponds to the argocd user) isn’t set, this will fail.</p> devops aws eks argocd Muhammad Ahmad Khan Sat, 23 Mar 2024 21:22:21 +0000 https://forem.com/muhammad_ahmad_khan/upgrading-eks-version-with-zero-downtime-incorporating-custom-blue-green-methodology-3eop https://forem.com/muhammad_ahmad_khan/upgrading-eks-version-with-zero-downtime-incorporating-custom-blue-green-methodology-3eop <p>One of the most significant operational overheads of EKS is its version upgrade, which we have to tackle each quarter. Although AWS has announced extended support for older versions of EKS, the cost of extended support is something you do not want to incur. AWS maintains its standard support and extended support timeline in the following documentation: <a href="https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-release-calendar" rel="noopener noreferrer">Kubernetes Release Calendar.</a></p> <p>Keeping EKS clusters up to date with the latest versions is essential for security, performance, and access to new features. However, upgrading Kubernetes clusters can be challenging, especially in production environments where downtime is not an option. In this blog post, we'll explore how you can leverage the custom blue-green methodology to perform version upgrades on AWS EKS clusters seamlessly and with minimal disruption.</p> <p>The blue-green deployment strategy is a technique used to reduce downtime and risk when deploying updates to applications or infrastructure. In the context of AWS EKS version upgrades, the traditional blue-green methodology involves creating a new cluster with the updated Kubernetes version (green), migrating workloads from the old cluster (blue) to the new one, and then decommissioning the old cluster. However, in our case, we will maintain a blue cluster only to serve traffic when we plan to upgrade our original cluster (green). This means that our original cluster will always remain green (before and after the EKS upgrade), and traffic will only shift from the green to the blue cluster while we perform upgrades on the original cluster. After the successful upgrade, traffic will shift back from the blue cluster to the original cluster (green).</p> <p><strong>Steps to Perform EKS Version Upgrade using Custom Blue-Green Methodology:</strong></p> <ol> <li> <strong>Prepare for Upgrade:</strong> Before initiating the upgrade process, thoroughly review the release notes for the new Kubernetes version to understand any changes or potential compatibility issues with your workloads. This includes checking deprecated resources and APIs, whether in your self-maintained application chart or in some open-source community chart. If you are using an open-source community chart, please ensure that the EKS version you are upgrading to has been tested with your installed chart.</li> <li> <strong>Create a New Blue Cluster or Upgrade the Already Created Blue Cluster:</strong> Using AWS EKS, provision a new Kubernetes cluster with the desired version. Ensure that the cluster configuration, including node groups, networking, and IAM roles, aligns with your requirements. If you have created a new EKS cluster, make sure to configure DNS and Load Balancers by updating DNS records or adjusting load balancer settings to direct traffic to the new cluster gradually when workloads are migrated. If your cluster is large and you have many Kubernetes Ops tools installed in Kubernetes using Helm charts, it is a good idea to maintain this separate cluster for each upgrade cycle to save time. If you are already maintaining the cluster, then you have to prepare this cluster for upgrade by performing the following tasks: <ul> <li>Upgrade the EKS control plane from the console.</li> <li>Upgrade each EKS Node group by setting the right update config as per the priority from the console and using Force Update.</li> <li>Upgrade add-ons from the console.</li> </ul> </li> <li> <strong>Deploy/Update Workloads:</strong> Utilize Kubernetes tools such as kubectl or Helm charts to deploy workloads onto the new blue cluster or update in the existing blue cluster. Monitor performance and functionality to ensure a smooth transition.</li> <li> <strong>Validate and Test:</strong> Conduct thorough testing on this new/upgraded blue cluster to verify that all workloads and applications function as expected. Use automated testing tools and perform manual checks to validate performance, scalability, and reliability.</li> <li> <strong>Cut Over Traffic:</strong> Once validation is complete, gradually shift production traffic from the old cluster to the new upgraded one using weighted routing. Monitor logs, pod scaling, and AWS Load Balancer metrics such as RequestCount as traffic increases. Monitor closely for any anomalies or performance issues during the transition.</li> <li> <strong>Upgrade Original Cluster:</strong> Now perform the same process for the original cluster, including upgrading the EKS control plane, node groups, add-ons, as well as Kubernetes workloads. Verify if everything is working fine and transition traffic gradually back from the blue cluster to this original one after the full upgrade.</li> <li> <strong>Decommission/Scale Down Blue Cluster:</strong> After confirming that the original cluster is handling all traffic effectively, decommission/scale down all node groups of the blue cluster to release resources and reduce operational overhead.</li> </ol> <p><strong>Best Practices for EKS Version Upgrades:</strong></p> <ul> <li>Automate wherever possible to streamline the upgrade process and reduce manual errors.</li> <li>Implement monitoring and alerting to detect and respond to any issues promptly.</li> <li>Maintain clear communication with stakeholders throughout the upgrade process to manage expectations and address concerns proactively.</li> </ul> <p>AWS EKS provides a robust platform for managing Kubernetes clusters, and staying current with the latest versions is crucial for leveraging new features and ensuring security and performance. By adopting the blue-green methodology for version upgrades, organizations can minimize downtime, reduce risks, and maintain a seamless experience for end-users. By following best practices and leveraging automation and monitoring capabilities, you can confidently navigate EKS version upgrades and keep your Kubernetes infrastructure up to date with minimal disruption.</p> <p>References: <a href="https://kubernetes.io/docs/reference/using-api/deprecation-guide/#removed-apis-by-release" rel="noopener noreferrer">Kubernetes Deprecation Guide.</a></p> devops aws eks Muhammad Ahmad Khan Mon, 21 Nov 2022 14:47:55 +0000 https://forem.com/muhammad_ahmad_khan/distributing-restricted-static-content-through-cloudfront-using-signed-cookies-20hp https://forem.com/muhammad_ahmad_khan/distributing-restricted-static-content-through-cloudfront-using-signed-cookies-20hp <p>Many times it's a business requirement that the content you share over the internet through your application including documents, business data, or media streams is intended to be consumed by selected users, for example, users who have paid a fee. Suppose that you have a similar situation and you are using an AWS CloudFront distribution (CDN) to distribute the static content including documents, images, and videos. But you want a restriction that this content is accessible through your app only to a set of selected users. Then we can use <strong>signed URLs</strong> and <strong>signed cookies</strong>.<br> CloudFront signed URLs and signed cookies provide the same basic functionality. They allow you to control who can access your content but both are beneficial in entirely different situations based on different requirements. <br> E.g.</p> <ul> <li>Using signed URLs is beneficial when you want to restrict access to individual files, for example, an installation download for your application.</li> <li>Using signed cookies is beneficial when you want to provide access to multiple restricted files, and don't want to change your current URLs.</li> </ul> <p>In this blog, we will discuss about using signed cookies to grant access to your private content to the relevant user using CloudFront.<br> Signed URLs take precedence over signed cookies if you use both signed URLs and signed cookies to control access to your content.</p> <p><strong>How signed cookies works?</strong><br> Here is an overview of how signed cookies work.</p> <ol> <li>In your CloudFront distribution, specify one or more trusted key groups, which contain the public keys that CloudFront can use to verify the URL signature. You use the corresponding private keys to sign the URLs. Since you use private keys to sign the URLs you must store them somewhere and we will store them in <strong>AWS Secrets Manager</strong>. To create a KeyPair and to add a signer (trusted key group) in CloudFront distribution see the procedure <a href="https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html" rel="noopener noreferrer">here</a>.</li> <li>You develop your application to determine whether a user should have access to your content and if so, to send <strong>three Set-Cookie headers</strong> to the viewer. (Each Set-Cookie header can contain only one name-value pair, and a CloudFront signed cookie requires three name-value pairs.) You must send the Set-Cookie headers to the viewer before the viewer requests your private content. Typically, your CloudFront distribution will have at least two cache behaviors, one that doesn't require authentication and one that does. The error page for the secure portion of the site includes a redirector or a link to a login page. If you configure your distribution to cache files based on cookies, CloudFront doesn't cache separate files based on the attributes in signed cookies.</li> <li>A user signs in to your website and either pays for content or meets some other requirement for access.</li> <li>Your application returns the Set-Cookie headers in the response, and the viewer stores the name-value pairs.</li> <li>The user requests a file. The user's browser or other viewer gets the name-value pairs from step 4 and adds them to the request in a Cookie header. This is the signed cookie.</li> <li>CloudFront uses the public key to validate the signature in the signed cookie and to confirm that the cookie hasn't been tampered with. If the signature is invalid, the request is rejected. If the signature in the cookie is valid, CloudFront looks at the policy statement in the cookie (or constructs one if you're using a canned policy) to confirm that the request is still valid. If the request meets the requirements in the policy statement, CloudFront serves your content as it does for content that isn't restricted: it determines whether the file is already in the edge cache, forwards the request to the origin if necessary, and returns the file to the user.</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fckxycdb0cqiuh5jdem0f.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fckxycdb0cqiuh5jdem0f.png" alt="CloudFront Sign cookies solution flow" width="800" height="472"></a></p> <p>There are two kinds of policies used for signed cookies</p> <ul> <li>Canned policies </li> <li>Custom policies</li> </ul> <p>When you create a signed cookie, you write a policy statement in JSON format that specifies the restrictions on the signed cookie, for example, how long the cookie is valid. You can use canned policies or custom policies. <br> Canned policies allow you to specify an <strong>expiration date</strong> only. Custom policies allow more complex restrictions.</p> <p><strong>Canned policy example</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"base URL or stream name"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"DateLessThan"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS:EpochTime"</span><span class="p">:</span><span class="w"> </span><span class="err">ending</span><span class="w"> </span><span class="err">date</span><span class="w"> </span><span class="err">and</span><span class="w"> </span><span class="err">time</span><span class="w"> </span><span class="err">in</span><span class="w"> </span><span class="err">Unix</span><span class="w"> </span><span class="err">time</span><span class="w"> </span><span class="err">format</span><span class="w"> </span><span class="err">and</span><span class="w"> </span><span class="err">UTC</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Custom policy example</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"URL of the file"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"DateLessThan"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS:EpochTime"</span><span class="p">:</span><span class="err">required</span><span class="w"> </span><span class="err">ending</span><span class="w"> </span><span class="err">date</span><span class="w"> </span><span class="err">and</span><span class="w"> </span><span class="err">time</span><span class="w"> </span><span class="err">in</span><span class="w"> </span><span class="err">Unix</span><span class="w"> </span><span class="err">time</span><span class="w"> </span><span class="err">format</span><span class="w"> </span><span class="err">and</span><span class="w"> </span><span class="err">UTC</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"DateGreaterThan"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS:EpochTime"</span><span class="p">:</span><span class="err">optional</span><span class="w"> </span><span class="err">beginning</span><span class="w"> </span><span class="err">date</span><span class="w"> </span><span class="err">and</span><span class="w"> </span><span class="err">time</span><span class="w"> </span><span class="err">in</span><span class="w"> </span><span class="err">Unix</span><span class="w"> </span><span class="err">time</span><span class="w"> </span><span class="err">format</span><span class="w"> </span><span class="err">and</span><span class="w"> </span><span class="err">UTC</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"IpAddress"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS:SourceIp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"optional IP address"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Since we want to give access to all of the files located on a certain path of our CloudFront URL using wildcard <code>*</code> therefore we will use a custom policy.<br> For example, we want to give access to all of the files located on this URL: <code>https://content.mysite.com/private-content/*</code><br> Here is the simple code in PHP for creating signed cookies using custom policy.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="k">require</span> <span class="s1">'vendor/autoload.php'</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Aws\Credentials\Credentials</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Aws\SecretsManager\SecretsManagerClient</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Aws\CloudFront\CloudFrontClient</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Aws\Exception\AwsException</span><span class="p">;</span> <span class="c1">// Check if user is login or check if user is paid the fee</span> <span class="c1">// Initialize AWS credentials from IAM role</span> <span class="nv">$credentials_uri</span> <span class="o">=</span> <span class="nb">getenv</span><span class="p">(</span><span class="s1">'AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'</span><span class="p">);</span> <span class="nv">$credentials_url</span> <span class="o">=</span> <span class="s1">'http://169.254.170.2'</span> <span class="mf">.</span> <span class="nv">$credentials_uri</span><span class="p">;</span> <span class="nv">$get_credentials</span> <span class="o">=</span> <span class="nb">file_get_contents</span><span class="p">(</span><span class="nv">$credentials_url</span><span class="p">);</span> <span class="nv">$credentials_array</span> <span class="o">=</span> <span class="nb">json_decode</span><span class="p">(</span><span class="nv">$get_credentials</span><span class="p">,</span> <span class="kc">true</span><span class="p">);</span> <span class="nv">$credentials</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Credentials</span><span class="p">(</span><span class="nv">$credentials_array</span><span class="p">[</span><span class="s2">"AccessKeyId"</span><span class="p">],</span> <span class="nv">$credentials_array</span><span class="p">[</span><span class="s2">"SecretAccessKey"</span><span class="p">],</span> <span class="nv">$credentials_array</span><span class="p">[</span><span class="s2">"Token"</span><span class="p">],</span> <span class="nb">strtotime</span><span class="p">(</span><span class="nv">$credentials_array</span><span class="p">[</span><span class="s2">"Expiration"</span><span class="p">]));</span> <span class="c1">// Create a Secrets Manager Client</span> <span class="nv">$secretManagerClient</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SecretsManagerClient</span><span class="p">([</span> <span class="s1">'credentials'</span> <span class="o">=&gt;</span> <span class="nv">$credentials</span><span class="p">,</span> <span class="s1">'version'</span> <span class="o">=&gt;</span> <span class="s1">'2017-10-17'</span><span class="p">,</span> <span class="s1">'region'</span> <span class="o">=&gt;</span> <span class="s1">'us-east-1'</span><span class="p">,</span> <span class="p">]);</span> <span class="nv">$secretName</span> <span class="o">=</span> <span class="s1">'private-content-access-key'</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="nv">$secretResult</span> <span class="o">=</span> <span class="nv">$secretManagerClient</span><span class="o">-&gt;</span><span class="nf">getSecretValue</span><span class="p">([</span> <span class="s1">'SecretId'</span> <span class="o">=&gt;</span> <span class="nv">$secretName</span><span class="p">,</span> <span class="p">]);</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nc">AwsException</span> <span class="nv">$e</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// output error message if fails</span> <span class="k">echo</span> <span class="nv">$e</span><span class="o">-&gt;</span><span class="nf">getAwsErrorMessage</span><span class="p">();</span> <span class="k">echo</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">"</span><span class="p">;</span> <span class="p">}</span> <span class="k">function</span> <span class="n">signCookie</span><span class="p">(</span><span class="nv">$cloudFrontClient</span><span class="p">,</span> <span class="nv">$policy</span><span class="p">,</span> <span class="nv">$privateKey</span><span class="p">,</span> <span class="nv">$keyPairId</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="nv">$result</span> <span class="o">=</span> <span class="nv">$cloudFrontClient</span><span class="o">-&gt;</span><span class="nf">getSignedCookie</span><span class="p">([</span> <span class="s1">'policy'</span> <span class="o">=&gt;</span> <span class="nv">$policy</span><span class="p">,</span> <span class="s1">'private_key'</span> <span class="o">=&gt;</span> <span class="nv">$privateKey</span><span class="p">,</span> <span class="s1">'key_pair_id'</span> <span class="o">=&gt;</span> <span class="nv">$keyPairId</span> <span class="p">]);</span> <span class="k">return</span> <span class="nv">$result</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nc">AwsException</span> <span class="nv">$e</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span><span class="s1">'Error'</span> <span class="o">=&gt;</span> <span class="nv">$e</span><span class="o">-&gt;</span><span class="nf">getAwsErrorMessage</span><span class="p">()];</span> <span class="p">}</span> <span class="p">}</span> <span class="k">function</span> <span class="n">signACookie</span><span class="p">(</span><span class="nv">$privateKey</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$resourcePath</span> <span class="o">=</span> <span class="s1">'https://content.mysite.com/private-content/*'</span><span class="p">;</span> <span class="nv">$expires</span> <span class="o">=</span> <span class="nb">time</span><span class="p">()</span> <span class="o">+</span> <span class="mi">3600</span><span class="p">;</span> <span class="c1">// 60 minutes (60 * 60 seconds) from now.</span> <span class="nv">$keyPairId</span> <span class="o">=</span> <span class="s1">'ABCDWXYZ'</span><span class="p">;</span> <span class="nv">$policy</span> <span class="o">=</span> <span class="s1">'{'</span><span class="mf">.</span> <span class="s1">'"Statement":['</span><span class="mf">.</span> <span class="s1">'{'</span><span class="mf">.</span> <span class="s1">'"Resource":"'</span><span class="mf">.</span> <span class="nv">$resourcePath</span> <span class="mf">.</span> <span class="s1">'",'</span><span class="mf">.</span> <span class="s1">'"Condition":{'</span><span class="mf">.</span> <span class="s1">'"DateLessThan":{"AWS:EpochTime":'</span> <span class="mf">.</span> <span class="nv">$expires</span> <span class="mf">.</span> <span class="s1">'}'</span><span class="mf">.</span> <span class="s1">'}'</span><span class="mf">.</span> <span class="s1">'}'</span><span class="mf">.</span> <span class="s1">']'</span> <span class="mf">.</span> <span class="s1">'}'</span><span class="p">;</span> <span class="nv">$cloudFrontClient</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CloudFrontClient</span><span class="p">([</span> <span class="s1">'credentials'</span> <span class="o">=&gt;</span> <span class="nv">$credentials</span><span class="p">,</span> <span class="s1">'version'</span> <span class="o">=&gt;</span> <span class="s1">'2014-11-06'</span><span class="p">,</span> <span class="s1">'region'</span> <span class="o">=&gt;</span> <span class="s1">'us-east-1'</span> <span class="p">]);</span> <span class="nv">$result</span> <span class="o">=</span> <span class="nf">signCookie</span><span class="p">(</span> <span class="nv">$cloudFrontClient</span><span class="p">,</span> <span class="nv">$policy</span><span class="p">,</span> <span class="nv">$privateKey</span><span class="p">,</span> <span class="nv">$keyPairId</span> <span class="p">);</span> <span class="nv">$cookies</span> <span class="o">=</span> <span class="k">array</span><span class="p">();</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$result</span> <span class="k">as</span> <span class="nv">$key</span> <span class="o">=&gt;</span> <span class="nv">$value</span><span class="p">)</span> <span class="p">{</span> <span class="nb">array_push</span><span class="p">(</span> <span class="nv">$cookies</span><span class="p">,</span> <span class="k">array</span><span class="p">(</span> <span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="nv">$key</span><span class="p">,</span> <span class="s1">'value'</span> <span class="o">=&gt;</span> <span class="nv">$value</span><span class="p">,</span> <span class="s1">'expires'</span> <span class="o">=&gt;</span> <span class="nv">$expires</span><span class="p">,</span> <span class="s1">'path'</span> <span class="o">=&gt;</span> <span class="s1">'/'</span><span class="p">,</span> <span class="s1">'domain'</span> <span class="o">=&gt;</span> <span class="s2">".mysite.com"</span><span class="p">,</span> <span class="s1">'secure'</span> <span class="o">=&gt;</span> <span class="kc">true</span><span class="p">,</span> <span class="s1">'httpOnly'</span> <span class="o">=&gt;</span> <span class="kc">true</span> <span class="p">)</span> <span class="p">);</span> <span class="p">}</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$cookies</span> <span class="k">as</span> <span class="nv">$cookie</span><span class="p">)</span> <span class="p">{</span> <span class="nb">setcookie</span> <span class="p">(</span> <span class="nv">$cookie</span><span class="p">[</span><span class="s1">'name'</span><span class="p">],</span> <span class="nv">$cookie</span><span class="p">[</span><span class="s1">'value'</span><span class="p">],</span> <span class="nv">$cookie</span><span class="p">[</span><span class="s1">'expires'</span><span class="p">],</span> <span class="nv">$cookie</span><span class="p">[</span><span class="s1">'path'</span><span class="p">],</span> <span class="nv">$cookie</span><span class="p">[</span><span class="s1">'domain'</span><span class="p">],</span> <span class="nv">$cookie</span><span class="p">[</span><span class="s1">'secure'</span><span class="p">],</span> <span class="nv">$cookie</span><span class="p">[</span><span class="s1">'httpOnly'</span><span class="p">]</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="k">isset</span><span class="p">(</span><span class="nv">$secretResult</span><span class="p">[</span><span class="s1">'SecretString'</span><span class="p">]))</span> <span class="p">{</span> <span class="nv">$privateKey</span> <span class="o">=</span> <span class="nv">$secretResult</span><span class="p">[</span><span class="s1">'SecretString'</span><span class="p">];</span> <span class="nf">signACookie</span><span class="p">(</span><span class="nv">$privateKey</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Give access to the content e.g https://content.mysite.com/private-content/doc.pdf</span> </code></pre> </div> <p>You can easily write similar code in Node.js (Javascript).<br> The most important function to consider from the CloudFront client is <strong>getSignedCookie()</strong> which takes three parameters: policy, private key, and key pair id (this is not key group Id).<br> This function returns a response with the following values.</p> <ul> <li>CloudFront-Policy=base64 encoded version of the policy statement;</li> <li>CloudFront-Signature=hashed and signed version of the policy statement; </li> <li>CloudFront-Key-Pair-Id=public key ID for the CloudFront public key whose corresponding private key you're using to generate the signature;</li> </ul> <p>Finally, we will set the cookies by using values returned in the response.</p> learning Muhammad Ahmad Khan Sun, 20 Nov 2022 21:20:10 +0000 https://forem.com/muhammad_ahmad_khan/sqs-depth-based-ecs-task-auto-scaling-using-step-scaling-3l8m https://forem.com/muhammad_ahmad_khan/sqs-depth-based-ecs-task-auto-scaling-using-step-scaling-3l8m <p>As mentioned in a previous blog post <a href="https://dev.to/muhammad_ahmad_khan/ecs-auto-scaling-based-on-amazon-mq-for-rabbitmqs-queue-depth-4m5b">here</a>, we can easily apply scaling using step scaling on SQS queue depth.</p> <p>Step scaling policies increase or decrease the current capacity of a scalable target based on a set of scaling adjustments, known as <strong>step adjustments</strong>. The adjustments vary based on the size of the alarm breach. All alarms that are breached are evaluated by Application Auto Scaling as it receives the alarm messages.</p> <p>With step scaling, you choose scaling metrics and threshold values for the CloudWatch alarms that trigger the scaling process and thus it requires you to create CloudWatch alarms.</p> <p>When you create a step scaling policy, you add one or more step adjustments that enable you to scale based on the size of the alarm breach. Each step adjustment specifies the following:</p> <ul> <li>A lower bound for the metric value</li> <li>An upper bound for the metric value</li> <li>The amount by which to scale, based on the scaling adjustment type</li> </ul> <p>Application Auto Scaling supports the following adjustment types for step scaling policies:</p> <p><strong>ChangeInCapacity</strong>—Increase or decrease the current capacity of the scalable target by the specified value. A positive value increases the capacity and a negative value decreases the capacity. For example: If the current capacity is 3 and the adjustment is 5, then Application Auto Scaling adds 5 to the capacity for a total of 8.</p> <p><strong>ExactCapacity</strong>—Change the current capacity of the scalable target to the specified value. Specify a positive value with this adjustment type. For example: If the current capacity is 3 and the adjustment is 5, then Application Auto Scaling changes the capacity to 5.</p> <p><strong>PercentChangeInCapacity</strong>—Increase or decrease the current capacity of the scalable target by the specified percentage. A positive value increases the capacity and a negative value decreases the capacity. For example: If the current capacity is 10 and the adjustment is 10 percent, then Application Auto Scaling adds 1 to the capacity for a total of 11.</p> <p>Below is the CloudFormation template with the implementation of step scaling with SQS.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s">2010-09-09</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Creates a fargate based auto-scaling environment that processes work from an SQS queue</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">DockerImageUrl</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s">latest</span> <span class="na">DockerContainerName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s">consumer-service</span> <span class="na">EnvironmentName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s">dev</span> <span class="na">Memory</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s">8GB</span> <span class="na">Cpu</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">Number</span> <span class="na">Default</span><span class="pi">:</span> <span class="m">2048</span> <span class="c1"># 2 vCPU</span> <span class="na">ContainerPort</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">Number</span> <span class="na">Default</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">HealthCheckPath</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s">http://localhost:3000/check</span> <span class="na">FaragateScalingEnvSSM</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::SSM::Parameter::Value&lt;String&gt;</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/config/ecs/FARGATE_SCALING_ENV"</span> <span class="na">QueueDepthScaleOutAlarmThresholdSSM</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::SSM::Parameter::Value&lt;String&gt;</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/config/ecs/consumer-service/QUEUE_DEPTH_SCALE_OUT_ALARM_THRESHOLD"</span> <span class="na">CpuUtilizationScaleInAlarmThresholdSSM</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::SSM::Parameter::Value&lt;String&gt;</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/config/ecs/consumer-service/CPU_UTILIZATION_SCALE_IN_ALARM_THRESHOLD"</span> <span class="na">CpuUtilizationNoComputeOrScaleInAlarmEvaluationPeriodsSSM</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::SSM::Parameter::Value&lt;String&gt;</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/config/ecs/consumer-service/CPU_UTILIZATION_NO_COMPUTE_OR_SCALE_IN_ALARM_EVALUATION_PERIODS"</span> <span class="na">ComputeAutoScalingTargetMaxCapacitySSM</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::SSM::Parameter::Value&lt;String&gt;</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/config/ecs/consumer-service/AUTO_SCALING_TARGET_MAX_CAPACITY"</span> <span class="na">Conditions</span><span class="pi">:</span> <span class="na">CreateNonProdResources</span><span class="pi">:</span> <span class="kt">!Equals</span> <span class="pi">[</span><span class="kt">!Ref</span> <span class="nv">FaragateScalingEnvSSM</span><span class="pi">,</span> <span class="s1">'</span><span class="s">non-prod'</span><span class="pi">]</span> <span class="na">CreateProdResources</span><span class="pi">:</span> <span class="kt">!Equals</span> <span class="pi">[</span><span class="kt">!Ref</span> <span class="nv">FaragateScalingEnvSSM</span><span class="pi">,</span> <span class="s1">'</span><span class="s">prod'</span><span class="pi">]</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">SQSQueue</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::SQS::Queue'</span> <span class="c1"># Properties:</span> <span class="c1"># ReceiveMessageWaitTimeSeconds: 20</span> <span class="c1"># VisibilityTimeout: 1200 # 20 minutes</span> <span class="c1"># MessageRetentionPeriod: 1209600 # 14 Days</span> <span class="na">QueueUrlParameter</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::SSM::Parameter'</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">'</span> <span class="pi">-</span> <span class="pi">-</span> <span class="s">/</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">EnvironmentName</span> <span class="pi">-</span> <span class="s">/services/</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">DockerContainerName</span> <span class="pi">-</span> <span class="s">/SQS_QUEUE_URL</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">SQSQueue</span> <span class="na">ComputeTaskLogGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::Logs::LogGroup'</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">LogGroupName</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">-</span> <span class="s">/</span> <span class="pi">-</span> <span class="pi">-</span> <span class="s">/x-org</span> <span class="pi">-</span> <span class="s">ecs</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">${AWS::StackName}'</span> <span class="pi">-</span> <span class="s">logs</span> <span class="na">ComputeTaskRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::IAM::Role'</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s">2012-10-17</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ecs-tasks.amazonaws.com</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">sts:AssumeRole'</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s">Required_Access</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s">2012-10-17</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">sqs:*'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">secretsmanager:*'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">ssm:*'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">logs:*'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">dynamodb:*'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">s3:*'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">ecs:*'</span> <span class="na">Resource</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">ManagedPolicyArns</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy'</span> <span class="na">ComputeTaskDefinition</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::ECS::TaskDefinition'</span> <span class="na">DependsOn</span><span class="pi">:</span> <span class="s">ComputeTaskLogGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">TaskRoleArn</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">ComputeTaskRole.Arn</span> <span class="na">ExecutionRoleArn</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">ComputeTaskRole.Arn</span> <span class="na">RequiresCompatibilities</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">FARGATE</span> <span class="na">NetworkMode</span><span class="pi">:</span> <span class="s">awsvpc</span> <span class="na">Cpu</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">Cpu</span> <span class="na">Memory</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">Memory</span> <span class="na">ContainerDefinitions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">${AWS::StackName}'</span> <span class="na">Image</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">DockerImageUrl</span> <span class="na">LogConfiguration</span><span class="pi">:</span> <span class="na">LogDriver</span><span class="pi">:</span> <span class="s">awslogs</span> <span class="na">Options</span><span class="pi">:</span> <span class="na">awslogs-region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="na">awslogs-group</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ComputeTaskLogGroup</span> <span class="na">awslogs-stream-prefix</span><span class="pi">:</span> <span class="s">ecs</span> <span class="na">HealthCheck</span><span class="pi">:</span> <span class="na">Command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">CMD-SHELL</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">curl</span><span class="nv"> </span><span class="s">-f</span><span class="nv"> </span><span class="s">${HealthCheckPath}</span><span class="nv"> </span><span class="s">||</span><span class="nv"> </span><span class="s">exit</span><span class="nv"> </span><span class="s">1'</span> <span class="na">Interval</span><span class="pi">:</span> <span class="m">30</span> <span class="na">Retries</span><span class="pi">:</span> <span class="m">3</span> <span class="na">StartPeriod</span><span class="pi">:</span> <span class="m">300</span> <span class="na">PortMappings</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">ContainerPort</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ContainerPort</span> <span class="na">Protocol</span><span class="pi">:</span> <span class="s">tcp</span> <span class="na">Environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">EnvironmentName</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">EnvironmentName</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">SQS_QUEUE_URL</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">SQSQueue</span> <span class="na">ComputeCluster</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::ECS::Cluster'</span> <span class="c1"># Properties:</span> <span class="c1"># ClusterName: !Join ['-', [!Ref DockerContainerName, cluster]]</span> <span class="na">NonProdComputeService</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::ECS::Service'</span> <span class="na">Condition</span><span class="pi">:</span> <span class="s">CreateNonProdResources</span> <span class="c1"># only create if it is NonProd env</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Cluster</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ComputeCluster</span> <span class="na">TaskDefinition</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ComputeTaskDefinition</span> <span class="na">DeploymentConfiguration</span><span class="pi">:</span> <span class="na">MinimumHealthyPercent</span><span class="pi">:</span> <span class="m">100</span> <span class="na">MaximumPercent</span><span class="pi">:</span> <span class="m">200</span> <span class="c1"># Desired count should be 0; Otherwise the Task Scheduler will restart number of desired containers once they are stopped</span> <span class="na">DesiredCount</span><span class="pi">:</span> <span class="m">0</span> <span class="c1"># This may need to be adjusted if the container takes a while to start up</span> <span class="c1"># HealthCheckGracePeriodSeconds: 30</span> <span class="na">LaunchType</span><span class="pi">:</span> <span class="s">FARGATE</span> <span class="na">NetworkConfiguration</span><span class="pi">:</span> <span class="na">AwsvpcConfiguration</span><span class="pi">:</span> <span class="c1"># Change it to DISABLED if you're using private subnets that have access to a NAT gateway</span> <span class="na">AssignPublicIp</span><span class="pi">:</span> <span class="s">ENABLED</span> <span class="na">Subnets</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!ImportValue</span> <span class="s">ComputeSubnetA</span> <span class="pi">-</span> <span class="kt">!ImportValue</span> <span class="s">ComputeSubnetB</span> <span class="pi">-</span> <span class="kt">!ImportValue</span> <span class="s">ComputeSubnetC</span> <span class="na">SecurityGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!ImportValue</span> <span class="s">ComputeSecurityGroup</span> <span class="na">ProdComputeService</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::ECS::Service'</span> <span class="na">Condition</span><span class="pi">:</span> <span class="s">CreateProdResources</span> <span class="c1"># only create if it is Prod env</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Cluster</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ComputeCluster</span> <span class="na">TaskDefinition</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ComputeTaskDefinition</span> <span class="na">DeploymentConfiguration</span><span class="pi">:</span> <span class="na">MinimumHealthyPercent</span><span class="pi">:</span> <span class="m">100</span> <span class="na">MaximumPercent</span><span class="pi">:</span> <span class="m">200</span> <span class="na">DesiredCount</span><span class="pi">:</span> <span class="m">1</span> <span class="c1"># This may need to be adjusted if the container takes a while to start up</span> <span class="c1"># HealthCheckGracePeriodSeconds: 30</span> <span class="na">LaunchType</span><span class="pi">:</span> <span class="s">FARGATE</span> <span class="na">NetworkConfiguration</span><span class="pi">:</span> <span class="na">AwsvpcConfiguration</span><span class="pi">:</span> <span class="c1"># Change it to DISABLED if you're using private subnets that have access to a NAT gateway</span> <span class="na">AssignPublicIp</span><span class="pi">:</span> <span class="s">ENABLED</span> <span class="na">Subnets</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!ImportValue</span> <span class="s">ComputeSubnetA</span> <span class="pi">-</span> <span class="kt">!ImportValue</span> <span class="s">ComputeSubnetB</span> <span class="pi">-</span> <span class="kt">!ImportValue</span> <span class="s">ComputeSubnetC</span> <span class="na">SecurityGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!ImportValue</span> <span class="s">ComputeSecurityGroup</span> <span class="na">ComputeAutoScalingRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::IAM::Role'</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s">2012-10-17</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ecs-tasks.amazonaws.com</span> <span class="pi">-</span> <span class="s">application-autoscaling.amazonaws.com</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">sts:AssumeRole'</span> <span class="na">Path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/"</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">${DockerContainerName}-ECSAutoScalingRole</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ecs:UpdateService</span> <span class="pi">-</span> <span class="s">ecs:DescribeServices</span> <span class="pi">-</span> <span class="s">application-autoscaling:*</span> <span class="pi">-</span> <span class="s">cloudwatch:DescribeAlarms</span> <span class="pi">-</span> <span class="s">cloudwatch:GetMetricStatistics</span> <span class="na">Resource</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="na">ManagedPolicyArns</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceAutoscaleRole'</span> <span class="na">NonProdComputeAutoScalingTarget</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::ApplicationAutoScaling::ScalableTarget'</span> <span class="na">Condition</span><span class="pi">:</span> <span class="s">CreateNonProdResources</span> <span class="c1"># only create if it is NonProd env</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">MinCapacity</span><span class="pi">:</span> <span class="m">0</span> <span class="c1"># As desired task can be 0</span> <span class="na">MaxCapacity</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ComputeAutoScalingTargetMaxCapacitySSM</span> <span class="na">ResourceId</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">/'</span> <span class="pi">-</span> <span class="pi">-</span> <span class="s">service</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">ComputeCluster</span> <span class="pi">-</span> <span class="kt">!GetAtt</span> <span class="s">NonProdComputeService.Name</span> <span class="na">ScalableDimension</span><span class="pi">:</span> <span class="s">ecs:service:DesiredCount</span> <span class="na">ServiceNamespace</span><span class="pi">:</span> <span class="s">ecs</span> <span class="na">RoleARN</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">ComputeAutoScalingRole.Arn</span> <span class="na">ProdComputeAutoScalingTarget</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::ApplicationAutoScaling::ScalableTarget'</span> <span class="na">Condition</span><span class="pi">:</span> <span class="s">CreateProdResources</span> <span class="c1"># only create if it is Prod env</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">MinCapacity</span><span class="pi">:</span> <span class="m">1</span> <span class="c1"># As desired task can be 1 but not 0</span> <span class="na">MaxCapacity</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ComputeAutoScalingTargetMaxCapacitySSM</span> <span class="na">ResourceId</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">/'</span> <span class="pi">-</span> <span class="pi">-</span> <span class="s">service</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">ComputeCluster</span> <span class="pi">-</span> <span class="kt">!GetAtt</span> <span class="s">ProdComputeService.Name</span> <span class="na">ScalableDimension</span><span class="pi">:</span> <span class="s">ecs:service:DesiredCount</span> <span class="na">ServiceNamespace</span><span class="pi">:</span> <span class="s">ecs</span> <span class="na">RoleARN</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">ComputeAutoScalingRole.Arn</span> <span class="c1"># https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-step-scaling-policies.html</span> <span class="na">NonProdNoComputeAutoScalingPolicy</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::ApplicationAutoScaling::ScalingPolicy'</span> <span class="na">Condition</span><span class="pi">:</span> <span class="s">CreateNonProdResources</span> <span class="c1"># only create if it is NonProd env</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">${DockerContainerName}-NonProdNoComputeAutoScalingPolicy</span> <span class="na">PolicyType</span><span class="pi">:</span> <span class="s">StepScaling</span> <span class="na">ScalingTargetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">NonProdComputeAutoScalingTarget</span> <span class="na">ScalableDimension</span><span class="pi">:</span> <span class="s">ecs:service:DesiredCount</span> <span class="na">ServiceNamespace</span><span class="pi">:</span> <span class="s">ecs</span> <span class="na">StepScalingPolicyConfiguration</span><span class="pi">:</span> <span class="na">AdjustmentType</span><span class="pi">:</span> <span class="s">ExactCapacity</span> <span class="c1"># Can use PercentChangeInCapacity but then need to come up with configuration including some estimated change in percent</span> <span class="na">Cooldown</span><span class="pi">:</span> <span class="m">60</span> <span class="na">MetricAggregationType</span><span class="pi">:</span> <span class="s">Average</span> <span class="c1"># Valid values are Minimum, Maximum, and Average. If the aggregation type is null, the value is treated as Average. </span> <span class="na">StepAdjustments</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">MetricIntervalLowerBound</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AWS::NoValue</span> <span class="na">MetricIntervalUpperBound</span><span class="pi">:</span> <span class="m">0</span> <span class="na">ScalingAdjustment</span><span class="pi">:</span> <span class="m">0</span> <span class="c1"># https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-step-scaling-policies.html</span> <span class="na">NonProdInitialComputeAutoScalingPolicy</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::ApplicationAutoScaling::ScalingPolicy'</span> <span class="na">Condition</span><span class="pi">:</span> <span class="s">CreateNonProdResources</span> <span class="c1"># only create if it is NonProd env</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">${DockerContainerName}-NonProdInitialComputeAutoScalingPolicy</span> <span class="na">PolicyType</span><span class="pi">:</span> <span class="s">StepScaling</span> <span class="na">ScalingTargetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">NonProdComputeAutoScalingTarget</span> <span class="na">ScalableDimension</span><span class="pi">:</span> <span class="s">ecs:service:DesiredCount</span> <span class="na">ServiceNamespace</span><span class="pi">:</span> <span class="s">ecs</span> <span class="na">StepScalingPolicyConfiguration</span><span class="pi">:</span> <span class="na">AdjustmentType</span><span class="pi">:</span> <span class="s">ChangeInCapacity</span> <span class="c1"># ChangeInCapacity —&gt; Increase or decrease the current capacity of the scalable target by the specified value</span> <span class="na">Cooldown</span><span class="pi">:</span> <span class="m">60</span> <span class="c1"># 1 min delay </span> <span class="na">MetricAggregationType</span><span class="pi">:</span> <span class="s">Minimum</span> <span class="c1"># Valid values are Minimum, Maximum, and Average. If the aggregation type is null, the value is treated as Average.</span> <span class="na">StepAdjustments</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">MetricIntervalLowerBound</span><span class="pi">:</span> <span class="m">0</span> <span class="na">MetricIntervalUpperBound</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AWS::NoValue</span> <span class="na">ScalingAdjustment</span><span class="pi">:</span> <span class="m">1</span> <span class="c1"># scaling up by 1 container when the alarm is greater than or equal to the Metric Threshold</span> <span class="c1"># https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-step-scaling-policies.html</span> <span class="na">NonProdComputeAutoScalingScaleOutPolicy</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::ApplicationAutoScaling::ScalingPolicy'</span> <span class="na">Condition</span><span class="pi">:</span> <span class="s">CreateNonProdResources</span> <span class="c1"># only create if it is NonProd env</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">${DockerContainerName}-NonProdComputeAutoScalingScaleOutPolicy</span> <span class="na">PolicyType</span><span class="pi">:</span> <span class="s">StepScaling</span> <span class="na">ScalingTargetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">NonProdComputeAutoScalingTarget</span> <span class="na">ScalableDimension</span><span class="pi">:</span> <span class="s">ecs:service:DesiredCount</span> <span class="na">ServiceNamespace</span><span class="pi">:</span> <span class="s">ecs</span> <span class="na">StepScalingPolicyConfiguration</span><span class="pi">:</span> <span class="na">AdjustmentType</span><span class="pi">:</span> <span class="s">ChangeInCapacity</span> <span class="c1"># ChangeInCapacity —&gt; Increase or decrease the current capacity of the scalable target by the specified value</span> <span class="na">Cooldown</span><span class="pi">:</span> <span class="m">60</span> <span class="c1"># 1 min delay</span> <span class="na">MetricAggregationType</span><span class="pi">:</span> <span class="s">Minimum</span> <span class="c1"># Valid values are Minimum, Maximum, and Average. If the aggregation type is null, the value is treated as Average. </span> <span class="na">StepAdjustments</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">MetricIntervalLowerBound</span><span class="pi">:</span> <span class="m">0</span> <span class="c1"># 0 means exactly equal to Metric Threshold which is 10 defined using SSM parameter</span> <span class="na">MetricIntervalUpperBound</span><span class="pi">:</span> <span class="m">15</span> <span class="c1"># [Metrice Threshold + 15]</span> <span class="na">ScalingAdjustment</span><span class="pi">:</span> <span class="m">1</span> <span class="pi">-</span> <span class="na">MetricIntervalLowerBound</span><span class="pi">:</span> <span class="m">15</span> <span class="c1"># [Metrice Threshold + 15]</span> <span class="na">MetricIntervalUpperBound</span><span class="pi">:</span> <span class="m">25</span> <span class="c1"># [Metrice Threshold + 25]</span> <span class="na">ScalingAdjustment</span><span class="pi">:</span> <span class="m">1</span> <span class="pi">-</span> <span class="na">MetricIntervalLowerBound</span><span class="pi">:</span> <span class="m">25</span> <span class="c1"># [Metrice Threshold + 25]</span> <span class="na">MetricIntervalUpperBound</span><span class="pi">:</span> <span class="m">35</span> <span class="c1"># [Metrice Threshold + 35]</span> <span class="na">ScalingAdjustment</span><span class="pi">:</span> <span class="m">1</span> <span class="pi">-</span> <span class="na">MetricIntervalLowerBound</span><span class="pi">:</span> <span class="m">35</span> <span class="c1"># [Metrice Threshold + 35]</span> <span class="na">MetricIntervalUpperBound</span><span class="pi">:</span> <span class="m">45</span> <span class="c1"># [Metrice Threshold + 45]</span> <span class="na">ScalingAdjustment</span><span class="pi">:</span> <span class="m">1</span> <span class="pi">-</span> <span class="na">MetricIntervalLowerBound</span><span class="pi">:</span> <span class="m">45</span> <span class="c1"># [Metrice Threshold + 45]</span> <span class="na">ScalingAdjustment</span><span class="pi">:</span> <span class="m">1</span> <span class="c1"># https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-step-scaling-policies.html</span> <span class="na">ProdComputeAutoScalingScaleInPolicy</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::ApplicationAutoScaling::ScalingPolicy'</span> <span class="na">Condition</span><span class="pi">:</span> <span class="s">CreateProdResources</span> <span class="c1"># only create if it is Prod env</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">${DockerContainerName}-ProdComputeAutoScalingScaleInPolicy</span> <span class="na">PolicyType</span><span class="pi">:</span> <span class="s">StepScaling</span> <span class="na">ScalingTargetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ProdComputeAutoScalingTarget</span> <span class="na">ScalableDimension</span><span class="pi">:</span> <span class="s">ecs:service:DesiredCount</span> <span class="na">ServiceNamespace</span><span class="pi">:</span> <span class="s">ecs</span> <span class="na">StepScalingPolicyConfiguration</span><span class="pi">:</span> <span class="na">AdjustmentType</span><span class="pi">:</span> <span class="s">ExactCapacity</span> <span class="c1"># Can use PercentChangeInCapacity but then need to come up with configuration including some estimated change in percent</span> <span class="na">Cooldown</span><span class="pi">:</span> <span class="m">60</span> <span class="na">MetricAggregationType</span><span class="pi">:</span> <span class="s">Average</span> <span class="c1"># Valid values are Minimum, Maximum, and Average. If the aggregation type is null, the value is treated as Average.</span> <span class="na">StepAdjustments</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">MetricIntervalLowerBound</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AWS::NoValue</span> <span class="na">MetricIntervalUpperBound</span><span class="pi">:</span> <span class="m">0</span> <span class="na">ScalingAdjustment</span><span class="pi">:</span> <span class="m">1</span> <span class="c1"># https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-step-scaling-policies.html</span> <span class="na">ProdComputeAutoScalingScaleOutPolicy</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::ApplicationAutoScaling::ScalingPolicy'</span> <span class="na">Condition</span><span class="pi">:</span> <span class="s">CreateProdResources</span> <span class="c1"># only create if it is Prod env</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">${DockerContainerName}-ProdComputeAutoScalingScaleOutPolicy</span> <span class="na">PolicyType</span><span class="pi">:</span> <span class="s">StepScaling</span> <span class="na">ScalingTargetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ProdComputeAutoScalingTarget</span> <span class="na">ScalableDimension</span><span class="pi">:</span> <span class="s">ecs:service:DesiredCount</span> <span class="na">ServiceNamespace</span><span class="pi">:</span> <span class="s">ecs</span> <span class="na">StepScalingPolicyConfiguration</span><span class="pi">:</span> <span class="na">AdjustmentType</span><span class="pi">:</span> <span class="s">ChangeInCapacity</span> <span class="c1"># ChangeInCapacity —&gt; Increase or decrease the current capacity of the scalable target by the specified value</span> <span class="na">Cooldown</span><span class="pi">:</span> <span class="m">60</span> <span class="c1"># 1 min delay</span> <span class="na">MetricAggregationType</span><span class="pi">:</span> <span class="s">Minimum</span> <span class="c1"># Valid values are Minimum, Maximum, and Average. If the aggregation type is null, the value is treated as Average.</span> <span class="na">StepAdjustments</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">MetricIntervalLowerBound</span><span class="pi">:</span> <span class="m">0</span> <span class="c1"># 0 means exactly equal to Metric Threshold which is 10 defined using SSM parameter</span> <span class="na">MetricIntervalUpperBound</span><span class="pi">:</span> <span class="m">15</span> <span class="c1"># [Metrice Threshold + 15]</span> <span class="na">ScalingAdjustment</span><span class="pi">:</span> <span class="m">1</span> <span class="pi">-</span> <span class="na">MetricIntervalLowerBound</span><span class="pi">:</span> <span class="m">15</span> <span class="c1"># [Metrice Threshold + 15]</span> <span class="na">MetricIntervalUpperBound</span><span class="pi">:</span> <span class="m">25</span> <span class="c1"># [Metrice Threshold + 25]</span> <span class="na">ScalingAdjustment</span><span class="pi">:</span> <span class="m">1</span> <span class="pi">-</span> <span class="na">MetricIntervalLowerBound</span><span class="pi">:</span> <span class="m">25</span> <span class="c1"># [Metrice Threshold + 25]</span> <span class="na">MetricIntervalUpperBound</span><span class="pi">:</span> <span class="m">35</span> <span class="c1"># [Metrice Threshold + 35]</span> <span class="na">ScalingAdjustment</span><span class="pi">:</span> <span class="m">1</span> <span class="pi">-</span> <span class="na">MetricIntervalLowerBound</span><span class="pi">:</span> <span class="m">35</span> <span class="c1"># [Metrice Threshold + 35]</span> <span class="na">MetricIntervalUpperBound</span><span class="pi">:</span> <span class="m">45</span> <span class="c1"># [Metrice Threshold + 45]</span> <span class="na">ScalingAdjustment</span><span class="pi">:</span> <span class="m">1</span> <span class="pi">-</span> <span class="na">MetricIntervalLowerBound</span><span class="pi">:</span> <span class="m">45</span> <span class="c1"># [Metrice Threshold + 45]</span> <span class="na">ScalingAdjustment</span><span class="pi">:</span> <span class="m">1</span> <span class="c1"># ######### https://docs.aws.amazon.com/AmazonECS/latest/developerguide/cloudwatch-metrics.html #########</span> <span class="c1"># (Total CPU units used by tasks in service) x 100</span> <span class="c1"># Service CPU utilization = ----------------------------------------------------------------------------</span> <span class="c1"># (Total CPU units specified in task definition) x (number of tasks in service)</span> <span class="na">NonProdCPUNoComputeAlarm</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CloudWatch::Alarm</span> <span class="na">Condition</span><span class="pi">:</span> <span class="s">CreateNonProdResources</span> <span class="c1"># only create alarm if it is NonProd env</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AlarmName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">${DockerContainerName}-NonProdCPUNoComputeAlarm</span> <span class="na">AlarmDescription</span><span class="pi">:</span> <span class="s">Alarm if container utilize low CPU based on specified threshold!</span> <span class="na">Namespace</span><span class="pi">:</span> <span class="s">AWS/ECS</span> <span class="c1"># AWS::CloudWatch::Alarm.Period &gt;= 60 for metrics in the AWS/ namespace</span> <span class="na">MetricName</span><span class="pi">:</span> <span class="s">CPUUtilization</span> <span class="na">Dimensions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">ServiceName</span> <span class="na">Value</span><span class="pi">:</span> <span class="na">Fn::GetAtt</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">NonProdComputeService</span> <span class="pi">-</span> <span class="s">Name</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">ClusterName</span> <span class="na">Value</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">ComputeCluster</span> <span class="na">Statistic</span><span class="pi">:</span> <span class="s">Average</span> <span class="c1"># Not using Sum since the metric is CPUUtilization</span> <span class="na">Period</span><span class="pi">:</span> <span class="m">60</span> <span class="c1"># 60 seconds ( Period must be 10, 30 or a multiple of 60 but 10 and 30 can not be used with namespaces with the following prefix: AWS/ )</span> <span class="na">EvaluationPeriods</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">CpuUtilizationNoComputeOrScaleInAlarmEvaluationPeriodsSSM</span> <span class="c1"># setting evaluation period 3 because when there is no task at all usually cpu starts with 0 (this way first evaluation period will already hit even before the task start doing anything) &amp; 2 more as part of taking extra precautions! Change it to 2 if needed but not 1</span> <span class="na">Threshold</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">CpuUtilizationScaleInAlarmThresholdSSM</span> <span class="na">ComparisonOperator</span><span class="pi">:</span> <span class="s">LessThanOrEqualToThreshold</span> <span class="na">AlarmActions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">NonProdNoComputeAutoScalingPolicy</span> <span class="na">NonProdInitialQueueDepthAlarm</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CloudWatch::Alarm</span> <span class="na">Condition</span><span class="pi">:</span> <span class="s">CreateNonProdResources</span> <span class="c1"># only create alarm if it is NonProd env</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AlarmName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">${DockerContainerName}-NonProdInitialQueueDepthAlarm</span> <span class="na">AlarmDescription</span><span class="pi">:</span> <span class="s">Alarm if queue depth grows beyond specified threshold!</span> <span class="na">Namespace</span><span class="pi">:</span> <span class="s">AWS/SQS</span> <span class="c1"># AWS::CloudWatch::Alarm.Period &gt;= 60 for metrics in the AWS/ namespace</span> <span class="na">MetricName</span><span class="pi">:</span> <span class="s">ApproximateNumberOfMessagesVisible</span> <span class="na">Dimensions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">QueueName</span> <span class="na">Value </span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">SQSQueue.QueueName</span> <span class="na">Statistic</span><span class="pi">:</span> <span class="s">Sum</span> <span class="na">Period</span><span class="pi">:</span> <span class="m">60</span> <span class="c1"># 60 seconds ( Period must be 10, 30 or a multiple of 60 but 10 and 30 can not be used with namespaces with the following prefix: AWS/ )</span> <span class="na">EvaluationPeriods</span><span class="pi">:</span> <span class="m">1</span> <span class="na">Threshold</span><span class="pi">:</span> <span class="m">1</span> <span class="c1"># Threshold is 1 for initial depth</span> <span class="na">ComparisonOperator</span><span class="pi">:</span> <span class="s">GreaterThanOrEqualToThreshold</span> <span class="na">AlarmActions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">NonProdInitialComputeAutoScalingPolicy</span> <span class="na">NonProdQueueDepthScaleOutAlarm</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CloudWatch::Alarm</span> <span class="na">Condition</span><span class="pi">:</span> <span class="s">CreateNonProdResources</span> <span class="c1"># only create alarm if it is NonProd env</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AlarmName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">${DockerContainerName}-NonProdQueueDepthScaleOutAlarm</span> <span class="na">AlarmDescription</span><span class="pi">:</span> <span class="s">Alarm if queue depth grows beyond specified threshold!</span> <span class="na">Namespace</span><span class="pi">:</span> <span class="s">AWS/SQS</span> <span class="c1"># AWS::CloudWatch::Alarm.Period &gt;= 60 for metrics in the AWS/ namespace</span> <span class="na">MetricName</span><span class="pi">:</span> <span class="s">ApproximateNumberOfMessagesVisible</span> <span class="na">Dimensions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">QueueName</span> <span class="na">Value </span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">SQSQueue.QueueName</span> <span class="na">Statistic</span><span class="pi">:</span> <span class="s">Sum</span> <span class="na">Period</span><span class="pi">:</span> <span class="m">120</span> <span class="c1"># 120 seconds ( Period must be 10, 30 or a multiple of 60 but 10 and 30 can not be used with namespaces with the following prefix: AWS/ )</span> <span class="na">EvaluationPeriods</span><span class="pi">:</span> <span class="m">1</span> <span class="na">Threshold</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">QueueDepthScaleOutAlarmThresholdSSM</span> <span class="c1"># change this as needed</span> <span class="na">ComparisonOperator</span><span class="pi">:</span> <span class="s">GreaterThanOrEqualToThreshold</span> <span class="na">AlarmActions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">NonProdComputeAutoScalingScaleOutPolicy</span> <span class="na">ProdCPUScaleInAlarm</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CloudWatch::Alarm</span> <span class="na">Condition</span><span class="pi">:</span> <span class="s">CreateProdResources</span> <span class="c1"># only create alarm if it is Prod env</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AlarmName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">${DockerContainerName}-ProdCPUScaleInAlarm</span> <span class="na">AlarmDescription</span><span class="pi">:</span> <span class="s">Alarm if container utilize low cpu based on specified threshold!</span> <span class="na">Namespace</span><span class="pi">:</span> <span class="s">AWS/ECS</span> <span class="c1"># AWS::CloudWatch::Alarm.Period &gt;= 60 for metrics in the AWS/ namespace</span> <span class="na">MetricName</span><span class="pi">:</span> <span class="s">CPUUtilization</span> <span class="na">Dimensions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">ServiceName</span> <span class="na">Value</span><span class="pi">:</span> <span class="na">Fn::GetAtt</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ProdComputeService</span> <span class="pi">-</span> <span class="s">Name</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">ClusterName</span> <span class="na">Value</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">ComputeCluster</span> <span class="na">Statistic</span><span class="pi">:</span> <span class="s">Average</span> <span class="c1"># Not using Sum since the metric is CPUUtilization</span> <span class="na">Period</span><span class="pi">:</span> <span class="m">60</span> <span class="c1"># 60 seconds ( Period must be 10, 30 or a multiple of 60 but 10 and 30 can not be used with namespaces with the following prefix: AWS/ )</span> <span class="na">EvaluationPeriods</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">CpuUtilizationNoComputeOrScaleInAlarmEvaluationPeriodsSSM</span> <span class="c1"># setting this 3 as part of taking extra precautions! Change it to 1 if needed</span> <span class="na">Threshold</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">CpuUtilizationScaleInAlarmThresholdSSM</span> <span class="na">ComparisonOperator</span><span class="pi">:</span> <span class="s">LessThanOrEqualToThreshold</span> <span class="na">AlarmActions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">ProdComputeAutoScalingScaleInPolicy</span> <span class="na">ProdQueueDepthScaleOutAlarm</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CloudWatch::Alarm</span> <span class="na">Condition</span><span class="pi">:</span> <span class="s">CreateProdResources</span> <span class="c1"># only create alarm if it is Prod env</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AlarmName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">${DockerContainerName}-ProdQueueDepthScaleOutAlarm</span> <span class="na">AlarmDescription</span><span class="pi">:</span> <span class="s">Alarm if queue depth grows beyond specified threshold!</span> <span class="na">Namespace</span><span class="pi">:</span> <span class="s">AWS/SQS</span> <span class="c1"># AWS::CloudWatch::Alarm.Period &gt;= 60 for metrics in the AWS/ namespace</span> <span class="na">MetricName</span><span class="pi">:</span> <span class="s">ApproximateNumberOfMessagesVisible</span> <span class="na">Dimensions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">QueueName</span> <span class="na">Value </span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">SQSQueue.QueueName</span> <span class="na">Statistic</span><span class="pi">:</span> <span class="s">Sum</span> <span class="na">Period</span><span class="pi">:</span> <span class="m">120</span> <span class="c1"># 120 seconds ( Period must be 10, 30 or a multiple of 60 but 10 and 30 can not be used with namespaces with the following prefix: AWS/ )</span> <span class="na">EvaluationPeriods</span><span class="pi">:</span> <span class="m">1</span> <span class="na">Threshold</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">QueueDepthScaleOutAlarmThresholdSSM</span> <span class="c1"># change this as needed</span> <span class="na">ComparisonOperator</span><span class="pi">:</span> <span class="s">GreaterThanOrEqualToThreshold</span> <span class="na">AlarmActions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">ProdComputeAutoScalingScaleOutPolicy</span> </code></pre> </div> <p>In the above template, I have created two sets of resources <strong>NonProd</strong> and <strong>Prod</strong>. In lower environments, the <strong>DesiredCount</strong> of ECS service is set as <strong>zero</strong> to save cost. Since CloudWatch Alarm takes at least one minute to respond to scaling events and in prod we do not want any delay that's why the <strong>DesiredCount</strong> is set as <strong>one</strong> in prod.<br> One more thing to note is that the <strong>scale-out</strong> is based on <strong>queue depth</strong> but <strong>scale-in</strong> is based on <strong>CPU utilization</strong> because the consumer-service consumes a message which can take several minutes to finish and I don't want Application Auto-Scaling to reduce tasks when the queue is empty and they are still processing something. In this regard, EC2 has something called <br> <strong>instance scale-in protection</strong> which allows you to have control over which queue workers are terminated when your Auto Scaling group scales in. It was not available for Fargate based ECS clusters but AWS just recently introduced a new feature for ECS called <strong>task scale-in protection</strong>. You can see the blog post <a href="https://aws.amazon.com/blogs/containers/announcing-amazon-ecs-task-scale-in-protection/" rel="noopener noreferrer">here</a>.</p> <p>Here is the bash script for creating SSM parameters.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="k">while</span> <span class="o">((</span><span class="nv">$# </span><span class="o">&gt;</span> 1<span class="o">))</span><span class="p">;</span> <span class="k">do case</span> <span class="nv">$1</span> <span class="k">in</span> <span class="nt">--profile</span><span class="p">)</span> <span class="nv">PROFILE</span><span class="o">=</span><span class="s2">"</span><span class="nv">$2</span><span class="s2">"</span> <span class="p">;;</span> <span class="k">*</span><span class="p">)</span> <span class="nb">break</span> <span class="p">;;</span> <span class="k">esac</span> <span class="nb">shift </span>2 <span class="k">done </span><span class="nb">echo</span> <span class="s2">"Deleting Parameters..."</span> aws ssm delete-parameter <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="nt">--name</span> <span class="s2">"/</span><span class="nv">$PROFILE</span><span class="s2">/services/consumer-service/AWS_REGION"</span> aws ssm delete-parameter <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="nt">--name</span> <span class="s2">"/config/ecs/FARGATE_SCALING_ENV"</span> aws ssm delete-parameter <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="nt">--name</span> <span class="s2">"/config/ecs/consumer-service/QUEUE_DEPTH_SCALE_OUT_ALARM_THRESHOLD"</span> aws ssm delete-parameter <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="nt">--name</span> <span class="s2">"/config/ecs/consumer-service/CPU_UTILIZATION_SCALE_IN_ALARM_THRESHOLD"</span> aws ssm delete-parameter <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="nt">--name</span> <span class="s2">"/config/ecs/consumer-service/CPU_UTILIZATION_NO_COMPUTE_OR_SCALE_IN_ALARM_EVALUATION_PERIODS"</span> aws ssm delete-parameter <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="nt">--name</span> <span class="s2">"/config/ecs/consumer-service/AUTO_SCALING_TARGET_MAX_CAPACITY"</span> <span class="nb">echo</span> <span class="s2">"Creating parameters..."</span> aws ssm put-parameter <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="nt">--overwrite</span> <span class="nt">--cli-input-json</span> <span class="s1">'{"Type": "String", "Name": "/'</span><span class="nv">$PROFILE</span><span class="s1">'/services/consumer-service/AWS_REGION", "Value": "us-east-1"}'</span> aws ssm put-parameter <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="nt">--overwrite</span> <span class="nt">--cli-input-json</span> <span class="s1">'{"Type": "String", "Name": "/config/ecs/FARGATE_SCALING_ENV", "Value": "non-prod"}'</span> <span class="c"># valid values are: non-prod or prod</span> aws ssm put-parameter <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="nt">--overwrite</span> <span class="nt">--cli-input-json</span> <span class="s1">'{"Type": "String", "Name": "/config/ecs/consumer-service/QUEUE_DEPTH_SCALE_OUT_ALARM_THRESHOLD", "Value": "10"}'</span> <span class="c"># if you are increasing this then make sure you are also adjusting step scaling criteria</span> aws ssm put-parameter <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="nt">--overwrite</span> <span class="nt">--cli-input-json</span> <span class="s1">'{"Type": "String", "Name": "/config/ecs/consumer-service/CPU_UTILIZATION_SCALE_IN_ALARM_THRESHOLD", "Value": "2"}'</span> <span class="c"># 2% </span> aws ssm put-parameter <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="nt">--overwrite</span> <span class="nt">--cli-input-json</span> <span class="s1">'{"Type": "String", "Name": "/config/ecs/consumer-service/CPU_UTILIZATION_NO_COMPUTE_OR_SCALE_IN_ALARM_EVALUATION_PERIODS", "Value": "3"}'</span> <span class="c"># do not set this as 1 in non-prod</span> aws ssm put-parameter <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="nt">--overwrite</span> <span class="nt">--cli-input-json</span> <span class="s1">'{"Type": "String", "Name": "/config/ecs/consumer-service/AUTO_SCALING_TARGET_MAX_CAPACITY", "Value": "6"}'</span> <span class="c"># put 1 if you want to disable autoscaling at all</span> </code></pre> </div> devops aws ecs autoscaling Muhammad Ahmad Khan Tue, 01 Nov 2022 15:15:40 +0000 https://forem.com/muhammad_ahmad_khan/ecs-auto-scaling-based-on-amazon-mq-for-rabbitmqs-queue-depth-4m5b https://forem.com/muhammad_ahmad_khan/ecs-auto-scaling-based-on-amazon-mq-for-rabbitmqs-queue-depth-4m5b <p>There is a very common use case in the industry about scaling the application based on queue depth. In this regard, AWS itself has published the documentation which can be found <a href="https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-using-sqs-queue.html" rel="noopener noreferrer">here</a>.</p> <p>In this blog post we will discuss about ECS auto-scaling based on queue depth through the use of AWS application auto-scaling.</p> <p>There are three solutions you can use with AWS application auto-scaling.</p> <ul> <li>Target Tracking (Policy)</li> <li>Step Scaling (Policy)</li> <li>Scheduled scaling (Action)</li> </ul> <p>Here we will discuss about first two only.</p> <h2> Target Tracking Scaling Policies: </h2> <p>Target tracking scaling policy increases or decreases the number of tasks that your service runs based on a target value for a specific CloudWatch metric (predefined or customized).<br> Target tracking scaling policy assumes that it should scale out your ECS tasks when the specified metric is above the target value and scale in when it is below the target value.<br> In short, in target tracking scaling policies, Amazon ECS creates and manages the CloudWatch alarms that trigger the scaling policy and calculates the scaling adjustment based on the CloudWatch metric and the target value that you specify. With target tracking, AWS controls the scaling adjustments automatically based on your target specified.</p> <h2> Step Scaling Policies: </h2> <p>Step scaling policy increases or decreases the number of tasks that your service runs by considering the set of scaling adjustments, known as step adjustments, which means you can set multiple actions to vary the scaling depending on the size of the alarm breach.<br> In short, step scaling policies increase or decrease current capacity based on a set of scaling adjustments (known as step adjustments) that you specify. With step scaling, you control the scaling adjustments.</p> <p>When working with both policies, it must be noted that you can easily scale your application based on queue depth using step scaling but not with target scaling because target scaling will only allow these three predefined metrics in ECS.</p> <ul> <li>ALBRequestCountPerTarget (load balancer metric)</li> <li>ECSServiceAverageCPUUtilization</li> <li>ECSServiceAverageMemoryUtilization</li> </ul> <p>Further, since in target scaling AWS itself create CloudWatch Alarm and manage its scaling therefore you do not have the autonomy to set your desired metric for scaling without creating a custom metric. Thus you need to make a custom metric as described in AWS <a href="https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-using-sqs-queue.html" rel="noopener noreferrer">documentation</a>.</p> <p>In order to monitor the number of unconsumed message with SQS we can use metric named as <strong>ApproximateNumberOfMessagesVisible</strong> and if we want to monitor messages from Amazon MQ for RabbitMQ we can use metric named as <strong>MessageReadyCount</strong>.<br> One more problem with using a CloudWatch SQS metric like <strong>ApproximateNumberOfMessagesVisible</strong> for target tracking is that the number of messages in the queue might not change proportionally to the number of tasks within a service that processes messages from the queue. That's because the number of messages in your SQS queue does not solely define the number of tasks needed. The number of tasks in your ECS service can be driven by multiple factors, including how long it takes to process a message and the acceptable amount of latency (queue delay).<br> AWS proposes a solution to this problem by introducing a backlog per instance metric with the target value being the acceptable backlog per instance.</p> <p>In AWS documentation, it has stated that:<br> “<em><strong>Backlog per instance</strong>: To calculate your backlog per instance, start with the ApproximateNumberOfMessages queue attribute to determine the length of the SQS queue (number of messages available for retrieval from the queue). Divide that number by the fleet's running capacity, which for an Auto Scaling group is the number of instances in the InService state, to get the backlog per instance.<br> <strong>Acceptable backlog per instance</strong>: To calculate your target value, first determine what your application can accept in terms of latency. Then, take the acceptable latency value and divide it by the average time that an EC2 instance takes to process a message.</em>”</p> <p>In other words, backlog per instance is the value obtained by dividing the number of messages yet to be consumed within the queue with the total number of tasks running at the moment.<br> Similarly, acceptable backlog per instance is the target value that we use in our scaling policy, and it is the acceptable latency value divided by the average time that an ECS task takes to process a message.<br> This acceptable backlog per instance (target value) varies from application to application and use case to use case.</p> <p>Example from AWS documentation:<br> “<em>As an example, let's say that you currently have an Auto Scaling group with 10 instances and the number of visible messages in the queue (ApproximateNumberOfMessages) is 1500. If the average processing time is 0.1 seconds for each message and the longest acceptable latency is 10 seconds, then the acceptable backlog per instance is 10 / 0.1, which equals 100 messages. This means that 100 is the target value for your target tracking policy. When the backlog per instance reaches the target value, a scale-out event will happen. Because the backlog per instance is already 150 messages (1500 messages / 10 instances), your group scales out, and it scales out by five instances to maintain proportion to the target value.</em>”</p> <p>Following the AWS documentation, I have created a lambda that creates a custom metric in a custom namespace named as “<strong>Queue Based Scaling Metrics</strong>”. But in this scenario, our application is using AmazonMQ for RabbitMQ rather than SQS.</p> <p>See the simple flow of architecture in the below diagram.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7sk84r1bqhcj75u9i031.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7sk84r1bqhcj75u9i031.png" alt="Architectural flow diagram" width="800" height="634"></a></p> <p>In our lambda, we will calculate all the values for our custom metric including backlog per instance as well as acceptable backlog per instance as mentioned in AWS documentation.<br> For this purpose, we need to set two parameter values (acceptable_latency, time_process_per_message) as mentioned above and these parameters will vary from application to application. In my scenario, I have set these values as follows:</p> <ul> <li>acceptable latency = 250</li> <li>time process per message = 0.8</li> </ul> <p>Here is the lambda code for all the calculations:</p> <p>              <code>src/app.py</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="kn">import</span> <span class="n">dateutil</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">date</span><span class="p">,</span> <span class="n">timedelta</span><span class="p">,</span> <span class="n">datetime</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="n">cw_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">cloudwatch</span><span class="sh">'</span><span class="p">)</span> <span class="n">ecs_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">ecs</span><span class="sh">'</span><span class="p">)</span> <span class="n">cluster_name</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">cluster_name</span><span class="sh">"</span><span class="p">]</span> <span class="n">service_name</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">service_name</span><span class="sh">'</span><span class="p">]</span> <span class="n">mq_cluster_name</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">mq_cluster_name</span><span class="sh">"</span><span class="p">]</span> <span class="n">mq_queue_name</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">mq_queue_name</span><span class="sh">"</span><span class="p">]</span> <span class="n">acceptable_latency</span> <span class="o">=</span> <span class="p">(</span><span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">acceptable_latency</span><span class="sh">"</span><span class="p">])</span> <span class="n">time_process_per_message</span> <span class="o">=</span> <span class="p">(</span><span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">time_process_per_message</span><span class="sh">"</span><span class="p">])</span> <span class="nf">queue_attribute_calculation</span><span class="p">(</span><span class="n">cw_client</span><span class="p">,</span> <span class="n">ecs_client</span><span class="p">,</span> <span class="n">cluster_name</span><span class="p">,</span> <span class="n">service_name</span><span class="p">,</span> <span class="n">mq_cluster_name</span><span class="p">,</span> <span class="n">mq_queue_name</span><span class="p">,</span> <span class="n">acceptable_latency</span><span class="p">,</span> <span class="n">time_process_per_message</span><span class="p">)</span> <span class="k">def</span> <span class="nf">queue_attribute_calculation</span><span class="p">(</span><span class="n">cw_client</span><span class="p">,</span> <span class="n">ecs_client</span><span class="p">,</span> <span class="n">cluster_name</span><span class="p">,</span> <span class="n">service_name</span><span class="p">,</span> <span class="n">mq_cluster_name</span><span class="p">,</span> <span class="n">mq_queue_name</span><span class="p">,</span> <span class="n">acceptable_latency</span><span class="p">,</span> <span class="n">time_process_per_message</span><span class="p">):</span> <span class="n">response</span> <span class="o">=</span> <span class="n">ecs_client</span><span class="p">.</span><span class="nf">describe_services</span><span class="p">(</span><span class="n">cluster</span><span class="o">=</span><span class="n">cluster_name</span><span class="p">,</span> <span class="n">services</span><span class="o">=</span><span class="p">[</span><span class="n">service_name</span><span class="p">])</span> <span class="n">running_task_count</span> <span class="o">=</span> <span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">services</span><span class="sh">'</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">runningCount</span><span class="sh">'</span><span class="p">]</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Running Task: </span><span class="sh">"</span> <span class="o">+</span> <span class="nf">str</span><span class="p">(</span><span class="n">running_task_count</span><span class="p">))</span> <span class="n">yesterday</span><span class="o">=</span><span class="n">date</span><span class="p">.</span><span class="nf">today</span><span class="p">()</span> <span class="o">-</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">days</span><span class="o">=</span><span class="mi">2</span><span class="p">)</span> <span class="n">tomorrow</span><span class="o">=</span><span class="n">date</span><span class="p">.</span><span class="nf">today</span><span class="p">()</span> <span class="o">+</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">days</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="n">cw_client</span><span class="p">.</span><span class="nf">get_metric_data</span><span class="p">(</span> <span class="n">MetricDataQueries</span><span class="o">=</span><span class="p">[</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Id</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">mq1</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">MetricStat</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Metric</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Namespace</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">AWS/AmazonMQ</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">MetricName</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">MessageReadyCount</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Dimensions</span><span class="sh">'</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Name</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Broker</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Value</span><span class="sh">'</span><span class="p">:</span> <span class="n">mq_cluster_name</span> <span class="p">},</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Name</span><span class="sh">'</span><span class="p">:</span> <span class="sh">"</span><span class="s">VirtualHost</span><span class="sh">"</span><span class="p">,</span> <span class="sh">'</span><span class="s">Value</span><span class="sh">'</span><span class="p">:</span> <span class="sh">"</span><span class="s">/</span><span class="sh">"</span> <span class="p">},</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Name</span><span class="sh">'</span><span class="p">:</span> <span class="sh">"</span><span class="s">Queue</span><span class="sh">"</span><span class="p">,</span> <span class="sh">'</span><span class="s">Value</span><span class="sh">'</span><span class="p">:</span> <span class="n">mq_queue_name</span> <span class="p">}</span> <span class="p">]</span> <span class="p">},</span> <span class="sh">'</span><span class="s">Period</span><span class="sh">'</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="sh">'</span><span class="s">Stat</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Sum</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Unit</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Count</span><span class="sh">'</span> <span class="p">},</span> <span class="p">},</span> <span class="p">],</span> <span class="n">StartTime</span><span class="o">=</span><span class="nf">datetime</span><span class="p">(</span><span class="n">yesterday</span><span class="p">.</span><span class="n">year</span><span class="p">,</span> <span class="n">yesterday</span><span class="p">.</span><span class="n">month</span><span class="p">,</span> <span class="n">yesterday</span><span class="p">.</span><span class="n">day</span><span class="p">),</span> <span class="n">EndTime</span><span class="o">=</span><span class="nf">datetime</span><span class="p">(</span><span class="n">tomorrow</span><span class="p">.</span><span class="n">year</span><span class="p">,</span> <span class="n">tomorrow</span><span class="p">.</span><span class="n">month</span><span class="p">,</span> <span class="n">tomorrow</span><span class="p">.</span><span class="n">day</span><span class="p">)</span> <span class="p">)</span> <span class="n">queue_size</span> <span class="o">=</span> <span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">MetricDataResults</span><span class="sh">'</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">Values</span><span class="sh">'</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Running Task: </span><span class="sh">"</span> <span class="o">+</span> <span class="nf">str</span><span class="p">(</span><span class="n">running_task_count</span><span class="p">))</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Queue Message Count (per second): </span><span class="sh">"</span> <span class="o">+</span> <span class="nf">str</span><span class="p">(</span><span class="n">queue_size</span><span class="p">))</span> <span class="sh">"""</span><span class="s"> Backlog Per Capacity Unit = Queue Size (MessageReadyCount) / Running Capacity of ECS Task Count </span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="n">backlog_per_capacity_unit</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="nf">int</span><span class="p">(</span><span class="n">queue_size</span><span class="p">)</span> <span class="o">/</span> <span class="n">running_task_count</span><span class="p">)</span> <span class="k">except</span> <span class="nb">ZeroDivisionError</span> <span class="k">as</span> <span class="n">err</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">Handling run-time error:</span><span class="sh">'</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">backlog_per_capacity_unit</span> <span class="o">=</span> <span class="mi">0</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Backlog Per Capacity Unit: </span><span class="sh">"</span> <span class="o">+</span> <span class="nf">str</span><span class="p">(</span><span class="n">backlog_per_capacity_unit</span><span class="p">))</span> <span class="sh">"""</span><span class="s"> Acceptable backlog per capacity unit = Acceptable Message Processing Latency (seconds) / Average time to Process a Message each Task (seconds) </span><span class="sh">"""</span> <span class="n">acceptablebacklogpercapacityunit</span> <span class="o">=</span> <span class="nf">float</span><span class="p">((</span><span class="nf">int</span><span class="p">(</span><span class="n">acceptable_latency</span><span class="p">)</span> <span class="o">/</span> <span class="nf">float</span><span class="p">(</span><span class="n">time_process_per_message</span><span class="p">)))</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Acceptable backlog per capacity unit: </span><span class="sh">"</span> <span class="o">+</span> <span class="nf">str</span><span class="p">(</span><span class="n">acceptablebacklogpercapacityunit</span><span class="p">))</span> <span class="nf">putMetricToCW</span><span class="p">(</span><span class="n">cw_client</span><span class="p">,</span> <span class="sh">'</span><span class="s">AmazonMQ</span><span class="sh">'</span><span class="p">,</span> <span class="n">mq_cluster_name</span><span class="p">,</span> <span class="sh">'</span><span class="s">Queue</span><span class="sh">'</span><span class="p">,</span> <span class="n">mq_queue_name</span><span class="p">,</span> <span class="sh">'</span><span class="s">MessageReadyCount</span><span class="sh">'</span><span class="p">,</span> <span class="nf">int</span><span class="p">(</span><span class="n">queue_size</span><span class="p">),</span> <span class="sh">'</span><span class="s">Queue Based Scaling Metrics</span><span class="sh">'</span><span class="p">)</span> <span class="nf">putMetricToCW</span><span class="p">(</span><span class="n">cw_client</span><span class="p">,</span> <span class="sh">'</span><span class="s">AmazonMQ</span><span class="sh">'</span><span class="p">,</span> <span class="n">mq_cluster_name</span><span class="p">,</span> <span class="sh">'</span><span class="s">Queue</span><span class="sh">'</span><span class="p">,</span> <span class="n">mq_queue_name</span><span class="p">,</span> <span class="sh">'</span><span class="s">BackLogPerCapacityUnit</span><span class="sh">'</span><span class="p">,</span> <span class="n">backlog_per_capacity_unit</span><span class="p">,</span> <span class="sh">'</span><span class="s">Queue Based Scaling Metrics</span><span class="sh">'</span><span class="p">)</span> <span class="nf">putMetricToCW</span><span class="p">(</span><span class="n">cw_client</span><span class="p">,</span> <span class="sh">'</span><span class="s">AmazonMQ</span><span class="sh">'</span><span class="p">,</span> <span class="n">mq_cluster_name</span><span class="p">,</span> <span class="sh">'</span><span class="s">Queue</span><span class="sh">'</span><span class="p">,</span> <span class="n">mq_queue_name</span><span class="p">,</span> <span class="sh">'</span><span class="s">AcceptableBackLogPerCapacityUnit</span><span class="sh">'</span><span class="p">,</span> <span class="n">acceptablebacklogpercapacityunit</span><span class="p">,</span> <span class="sh">'</span><span class="s">Queue Based Scaling Metrics</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">putMetricToCW</span><span class="p">(</span><span class="n">cw</span><span class="p">,</span> <span class="n">dimension_name</span><span class="p">,</span> <span class="n">dimension_value</span><span class="p">,</span> <span class="n">dimension_sub_attribute_name</span><span class="p">,</span> <span class="n">dimension_sub_attribute_value</span><span class="p">,</span> <span class="n">metric_name</span><span class="p">,</span> <span class="n">metric_value</span><span class="p">,</span> <span class="n">namespace</span><span class="p">):</span> <span class="n">cw</span><span class="p">.</span><span class="nf">put_metric_data</span><span class="p">(</span> <span class="n">Namespace</span><span class="o">=</span><span class="n">namespace</span><span class="p">,</span> <span class="n">MetricData</span><span class="o">=</span><span class="p">[</span> <span class="p">{</span> <span class="sh">'</span><span class="s">MetricName</span><span class="sh">'</span><span class="p">:</span> <span class="n">metric_name</span><span class="p">,</span> <span class="sh">'</span><span class="s">Dimensions</span><span class="sh">'</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Name</span><span class="sh">'</span><span class="p">:</span> <span class="n">dimension_name</span><span class="p">,</span> <span class="sh">'</span><span class="s">Value</span><span class="sh">'</span><span class="p">:</span> <span class="n">dimension_value</span> <span class="p">},</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Name</span><span class="sh">'</span><span class="p">:</span> <span class="n">dimension_sub_attribute_name</span><span class="p">,</span> <span class="sh">'</span><span class="s">Value</span><span class="sh">'</span><span class="p">:</span> <span class="n">dimension_sub_attribute_value</span> <span class="p">}</span> <span class="p">],</span> <span class="sh">'</span><span class="s">Timestamp</span><span class="sh">'</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">dateutil</span><span class="p">.</span><span class="n">tz</span><span class="p">.</span><span class="nf">tzlocal</span><span class="p">()),</span> <span class="sh">'</span><span class="s">Value</span><span class="sh">'</span><span class="p">:</span> <span class="n">metric_value</span> <span class="p">}</span> <span class="p">]</span> <span class="p">)</span> </code></pre> </div> <p>Note that in order to get AmazonMQ for RabbitMQ metric (MessageReadyCount) I have used CloudWatch client SDK call because I was unable to find any API call to get this metric directly from AmazonMQ for RabbitMQ broker client SDK.</p> <p>I have deployed this lambda using SAM template and here is the solution for it.<br>               <code>template.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2010-09-09'</span> <span class="na">Transform</span><span class="pi">:</span> <span class="s">AWS::Serverless-2016-10-31</span> <span class="na">Description</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">Stack which creates a lambda function that is invoked by a CloudWatch Event Rule every minute to update custom metric datapoints through aws sdk calls.</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">Env</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Values can be dev, qa, devops, test, staging and prod respectively</span> <span class="na">ClusterNameParameter</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">ServiceNameParameter</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">MqClusterNameParameter</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">MqQueueNameParameter</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">AcceptableLatencyParameter</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">Number</span> <span class="na">TimeProcessPerMessageParameter</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">Number</span> <span class="na">SecurityGroupIdParameter</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">SubnetIdAParameter</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">SubnetIdBParameter</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">SubnetIdCParameter</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">CustomMetricRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ManagedPolicyArns</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole'</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2012-10-17'</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">lambda.amazonaws.com'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">events.amazonaws.com'</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">sts:AssumeRole'</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s1">'</span><span class="s">LambdaBasicExecutionPolicy'</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2012-10-17'</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s">LambdaExecutionPolicy</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ec2:Describe*</span> <span class="pi">-</span> <span class="s">ec2:CreateNetworkInterface</span> <span class="pi">-</span> <span class="s">ec2:DeleteNetworkInterface</span> <span class="pi">-</span> <span class="s">ec2:DescribeNetworkInterfaces</span> <span class="pi">-</span> <span class="s">cloudwatch:GetMetricData</span> <span class="pi">-</span> <span class="s">cloudwatch:PutMetricData</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ecs:*"</span> <span class="na">Resource</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s">ExtraPolicy</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ssm:GetParameters</span> <span class="pi">-</span> <span class="s">ssm:GetParameter</span> <span class="na">Resource</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s1">'</span><span class="s">LogPolicy'</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2012-10-17'</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">logs:CreateLogGroup'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">logs:CreateLogStream'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">logs:PutLogEvents'</span> <span class="na">Resource</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">CustomMetricFunction</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::Serverless::Function'</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">FunctionName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">create-custom-metric-for-scaling-${Env}-cluster</span> <span class="c1"># FunctionName uses Env variable to identify its belonging to the Env specific cluster</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">A function that is invoked by a CloudWatch Event every minute to update custom metric datapoints through aws sdk calls.</span> <span class="na">CodeUri</span><span class="pi">:</span> <span class="s">src/</span> <span class="na">Handler</span><span class="pi">:</span> <span class="s">app.lambda_handler</span> <span class="na">Runtime</span><span class="pi">:</span> <span class="s">python3.9</span> <span class="na">Timeout</span><span class="pi">:</span> <span class="m">900</span> <span class="na">Role</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">CustomMetricRole.Arn</span> <span class="na">Events</span><span class="pi">:</span> <span class="na">CloudWatchEventRule</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">Schedule</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Input</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">{"cluster_name":</span><span class="nv"> </span><span class="s">"${ClusterNameParameter}","service_name":</span><span class="nv"> </span><span class="s">"${ServiceNameParameter}","mq_cluster_name":</span><span class="nv"> </span><span class="s">"${MqClusterNameParameter}","mq_queue_name":</span><span class="nv"> </span><span class="s">"${MqQueueNameParameter}","acceptable_latency":</span><span class="nv"> </span><span class="s">"${AcceptableLatencyParameter}","time_process_per_message":</span><span class="nv"> </span><span class="s">"${TimeProcessPerMessageParameter}"}'</span> <span class="c1"># Read more about schedule expressions here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html</span> <span class="na">Schedule</span><span class="pi">:</span> <span class="s">cron(* * * * ? *)</span> <span class="c1"># Invoke function every minute</span> <span class="na">VpcConfig</span><span class="pi">:</span> <span class="na">SecurityGroupIds</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">SecurityGroupIdParameter</span> <span class="na">SubnetIds</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">SubnetIdAParameter</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">SubnetIdBParameter</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">SubnetIdCParameter</span> </code></pre> </div> <p>Here is the SAM template deployment command:<br> First, create the SAM template’s parameter file.</p> <p>              <code>.sam-params-dev</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Env=dev ClusterNameParameter=dev-worker-cluster ServiceNameParameter=dev-worker-service MqClusterNameParameter=scan-dev MqQueueNameParameter=scans_dev AcceptableLatencyParameter=250 TimeProcessPerMessageParameter=0.8 SecurityGroupIdParameter=sg-123456789 SubnetIdAParameter=subnet-123456789 SubnetIdBParameter=subnet-123456789 SubnetIdCParameter=subnet-123456789 </code></pre> </div> <p><code>sam deploy --stack-name create-custom-metric --template-file template.yml --s3-bucket test-deployment-bucket --capabilities CAPABILITY_IAM --region us-east-1 --parameter-overrides $(cat .sam-params-dev)</code></p> <p>Finally, we will use AWS CLI to put the auto-scaling policy with a target value on ECS.<br> First, create the JSON policy.</p> <p>              <code>config-dev.json</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"TargetValue"</span><span class="p">:</span><span class="mf">312.5</span><span class="p">,</span><span class="w"> </span><span class="nl">"ScaleOutCooldown"</span><span class="p">:</span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"ScaleInCooldown"</span><span class="p">:</span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"CustomizedMetricSpecification"</span><span class="p">:{</span><span class="w"> </span><span class="nl">"MetricName"</span><span class="p">:</span><span class="s2">"BackLogPerCapacityUnit"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Namespace"</span><span class="p">:</span><span class="s2">"Queue Based Scaling Metrics"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Dimensions"</span><span class="p">:[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Name"</span><span class="p">:</span><span class="s2">"AmazonMQ"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Value"</span><span class="p">:</span><span class="s2">"scan-dev"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Name"</span><span class="p">:</span><span class="s2">"Queue"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Value"</span><span class="p">:</span><span class="s2">"scans_dev"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Statistic"</span><span class="p">:</span><span class="s2">"Average"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>In above policy, the target value is <strong>Acceptable backlog per instance</strong>. This means it is: <br> <code>acceptable latency/time process per message = 250/0.8 = 312.5</code> <strong>BackLogPerCapacityUnit</strong> is the custom metric that we have created through our lambda in <strong>Queue Based Scaling Metrics</strong> namespace.<br> <strong>scan-dev</strong> is the RabbitMQ cluster name and <strong>scans_dev</strong> is the queue name.</p> <p><code>aws application-autoscaling register-scalable-target \<br> --service-namespace ecs \<br> --scalable-dimension ecs:service:DesiredCount \<br> --resource-id service/dev-worker-cluster/dev-worker-service \<br> --min-capacity 1 \<br> --max-capacity 10 \<br> --profile dev</code></p> <p><code>aws application-autoscaling put-scaling-policy \<br> --policy-name ecs-scaling-based-on-message-consumption-rate \<br> --service-namespace ecs \<br> --resource-id service/dev-worker-cluster/dev-worker-service \<br> --scalable-dimension ecs:service:DesiredCount \<br> --policy-type TargetTrackingScaling \<br> --target-tracking-scaling-policy-configuration file://config-dev.json \<br> --profile dev</code></p> <p>We can automate the creation of the application auto-scaling policy with Terraform and CloudFormation if required.<br> Note that we are just applying the autoscaling policy and AWS will create CloudWatch Alarm itself.</p> <p>See the git repository <a href="https://github.com/muhammad-ahmad-khan/Queue-Depth-Based-ECS-Auto-Scaling" rel="noopener noreferrer">here</a>.</p> devops aws ecs autoscaling