A common way to run containers in the AWS cloud is to use Elastic Container Service (ECS). ECS is a fully managed container orchestration service that makes it easy to deploy, manage, and scale containerized applications.
It is best practice and common to run this infrastructure behind security guardrails like strict security groups and private subnets.
A routine task for many systems administrators and developers is to connect to the servers that run their company's software in order to troubleshoot, validate output and even install dependencies. If your systems run in a private network, you have a few options to allow communication with hosts in that network:
- Add a bastion host or jump server.
- Connect a site-to-site VPN.
- Set up a remote access VPN.
- Allow specific source IP addresses in the server's security group.
All these options are valid and have proven to work over the years, but they come with costs that you start to deal with in the short to mid term:
- Complex to implement.
- Fragile firewall configuration that has to track every new client IP.
- Yet another server to secure, patch and maintain.
In this example, we will run the Wiretrustee client as an ECS service with the DAEMON scheduling strategy (one task on every container instance in the cluster), deployed with Terraform.
This allows you to:
- Run Wiretrustee as an ECS-native service, so you can manage and maintain it the same way you do your other services.
- Connect to EC2 instances running in private subnets without opening inbound firewall rules or configuring bastion servers.
- Access other services connected to your Wiretrustee network, wherever they run.
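The following Terraform snippet is an added illustration of what such a daemon service looks like; it is not the repository's own module and was not taken from the example code. It assumes an ECS cluster resource named aws_ecs_cluster.this defined elsewhere, the image name wiretrustee/wiretrustee:latest and a WT_SETUP_KEY environment variable (both chosen to match the page's wt_setup_key variable, not verified against a specific image release). The setup key is stored in Secrets Manager and injected by the ECS agent, so it never appears in the task definition JSON, and the execution role is limited to pulling the image and reading that one secret.

```hcl
# Added example, not the repository's own code. Assumed names: aws_ecs_cluster.this,
# the image wiretrustee/wiretrustee:latest and the WT_SETUP_KEY variable.

variable "wt_setup_key" {
  description = "Wiretrustee setup key; never commit a real value"
  type        = string
  sensitive   = true
}

# Keep the key out of the task definition: store it in Secrets Manager and let
# the ECS agent inject it at container start.
resource "aws_secretsmanager_secret" "wt_setup_key" {
  name = "wiretrustee/setup-key"
}

resource "aws_secretsmanager_secret_version" "wt_setup_key" {
  secret_id     = aws_secretsmanager_secret.wt_setup_key.id
  secret_string = var.wt_setup_key
}

# Execution role: only what the agent needs to pull the image and read the secret.
data "aws_iam_policy_document" "ecs_tasks_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "wt_execution" {
  name               = "wiretrustee-ecs-execution"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume.json
}

resource "aws_iam_role_policy_attachment" "wt_execution_managed" {
  role       = aws_iam_role.wt_execution.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

data "aws_iam_policy_document" "wt_read_secret" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.wt_setup_key.arn]
  }
}

resource "aws_iam_role_policy" "wt_read_secret" {
  name   = "read-wiretrustee-setup-key"
  role   = aws_iam_role.wt_execution.id
  policy = data.aws_iam_policy_document.wt_read_secret.json
}

resource "aws_ecs_task_definition" "wiretrustee" {
  family                   = "wiretrustee-client"
  requires_compatibilities = ["EC2"]
  # Host networking: the WireGuard interface the client creates must live in the
  # instance's own network namespace, otherwise the instance itself (sshd, etc.)
  # is not reachable over the tunnel.
  network_mode       = "host"
  execution_role_arn = aws_iam_role.wt_execution.arn

  container_definitions = jsonencode([
    {
      name      = "wiretrustee"
      image     = "wiretrustee/wiretrustee:latest" # assumption; pin a digest in production
      essential = true
      # NET_ADMIN is required to create and configure the WireGuard interface.
      # Grant the capability instead of running a privileged container.
      linuxParameters = {
        capabilities = { add = ["NET_ADMIN"] }
      }
      secrets = [
        { name = "WT_SETUP_KEY", valueFrom = aws_secretsmanager_secret.wt_setup_key.arn }
      ]
    }
  ])
}

resource "aws_ecs_service" "wiretrustee" {
  name            = "wiretrustee"
  cluster         = aws_ecs_cluster.this.id # assumption: cluster defined elsewhere
  task_definition = aws_ecs_task_definition.wiretrustee.arn
  launch_type     = "EC2"
  # DAEMON places exactly one task on every container instance; desired_count
  # is not set with this strategy.
  scheduling_strategy = "DAEMON"
  # Let the single task on an instance stop before its replacement starts.
  deployment_minimum_healthy_percent = 0
}
```

Even with the secret injected this way, the plaintext value is still recorded in the Terraform state through the aws_secretsmanager_secret_version resource, so protect the state backend as you would the key itself.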
Requirements
- Terraform > 1.0.
- A Wiretrustee account with a Setup Key.
- Another Wiretrustee client in your network to validate the connection (possibly your laptop or a machine you are running this example on).
- The AWS CLI installed.
- An AWS account.
- Your AWS credentials. You can create a new access key on your IAM user's security credentials page in the AWS console.
Before getting started with this example, be aware that creating the resources from it may incur charges from AWS.
Clone this repository, then download and install Terraform following Terraform's installation guide.
Using a text editor, edit the variables.tf file and set the wt_setup_key variable to your setup key. The setup key is a credential: if you would rather not write it into a file that is likely to be committed, supply it at plan time instead through the TF_VAR_wt_setup_key environment variable or a *.tfvars file excluded from version control (it will still be recorded in the Terraform state, so protect the state accordingly). Also make sure that the ssh_public_key_path variable points to the correct public key path. If necessary, update the remaining variables according to your requirements and their descriptions.
Before continuing, you may also edit provider.tf to set the AWS region and default tags.
Creating the resources with Terraform
Follow the steps below to run Terraform and create your test environment:
- From the root of the cloned repository, enter the ecs-client-daemon folder and run terraform init to download the modules and providers used in this example.
- Run terraform plan to review the changes and save them to a plan file. Give the file an extension other than .tf: Terraform loads every *.tf file in the working directory as configuration, so a binary plan named plan.tf would break subsequent runs.
terraform plan -out plan.tfplan
- Run terraform apply with the saved plan, so that exactly the changes you reviewed are applied:
terraform apply plan.tfplan
Validating the deployment
After a few minutes, the autoscaling group launches an EC2 instance and the Wiretrustee ECS daemon service starts on it. Open the Wiretrustee dashboard, pick the Wiretrustee IP of the new peer, and ssh to that IP from another machine in your Wiretrustee network, using the private key that matches ssh_public_key_path. The session goes over the Wiretrustee tunnel, so no inbound security group rule to the instance is needed.
Once logged in, you can list the running containers, among them the Wiretrustee client, with the docker command:
sudo docker ps
Deleting the infrastructure resources used in the example
Once you are done validating the example, you can remove the resources with the following steps:
- Run terraform plan with the -destroy flag and save the plan (again with a name that does not end in .tf):
terraform plan -destroy -out plan.tfplan
- Then apply the saved destroy plan:
terraform apply plan.tfplan