[terraform] Set up ECS Service Connect
ClosedPublic
Actions

Authored by michal on Aug 30 2023, 2:03 PM.

Details

Reviewers

kamil
• jon
varun
tomek
bartek

Commits

rCOMMb97113d03b11: [terraform] Set up ECS Service Connect

Summary

We need our services talking to each other, and ECS Service Connect is the best way to do that.
Without this, services would have to talk via the public internet, which is not ideal because the traffic would go as follows:

client (in ECS cluster) -> load balancer -> public internet -> load balancer -> service (in the same cluster)

Also, we pay for Load Balancer traffic, so this would be a waste of money.

ECS Service Connect allows us to talk to services in the same cluster without going through the public internet, by using names similiar to these in Docker Compose networks: http://blob-service:50053

This diff enables the ECS service connect for Blob and Identity service - these two will need to be accessible for others. Also set some variables to make them easy to use.

Test Plan

Deployed this to staging, along with reports service (a blob client) with config introduced in one of the next diffs.

Diff Detail

Repository

rCOMM Comm

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

bartek created this revision.Aug 30 2023, 2:03 PM

bartek held this revision as a draft.

Herald added subscribers: tomek, ashoat. · View Herald TranscriptAug 30 2023, 2:03 PM

bartek added a child revision: D9040: [terraform] Add reports service.Aug 30 2023, 2:16 PM

Harbormaster completed remote builds in B22285: Diff 30610.Aug 30 2023, 2:22 PM

bartek published this revision for review.Aug 30 2023, 2:43 PM

bartek added inline comments.

services/terraform/remote/service_blob.tf
2–14 ↗	(On Diff #30610)	I'll organize these long variable names better in a follow-up diff, they can be grouped into sub-objects
93–98 ↗	(On Diff #30610)	Doc on what they mean: https://docs.aws.amazon.com/AmazonECS/latest/userguide/service-connect-concepts.html#service-connect-concepts-terms tldr: port name - corresponds to port name from task definition port - publicly accessed by clients discovery name - kind of service name dns_name - direct name that other services access it (`http://dns_name:port`) In our case port name is `blob-service-ecs-http` (or sth like that) - it's long and cumbersome We set discovery name to `blob-service`. The `dns_name` defaults to `{discovery name}.{namespace}` and our namespace is named the same as cluster (`comm-services-ecs-cluster`). Again, `http://blob-service.comm-services-ecs-cluster:51001` isn't very convenient. So we override `dns_name` to just `blob-service` Finally, we get `http://blob-service:51001`
services/terraform/remote/service_identity.tf
11–13 ↗	(On Diff #30610)	Not sure if for gRPC endpoints we use `http://` prefix or any other so left it without scheme