@bneil
Created July 19, 2024 01:27
Struggling to allow the 20 udp ports to the container
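locals {
  environment = "dev"

  # Inclusive UDP port range exposed by the container (media traffic). The
  # security-group rule and the task definition repeat these numbers, so keep
  # them in sync when the range changes.
  udp_port_min = 5000
  udp_port_max = 5020

  # One entry per listener/target group pair. Map keys double as the target
  # group keys used by the "nlb" module and by aws_ecs_service.this; values
  # carry the listener port and NLB protocol ("TCP" / "UDP").
  services = merge(
    {
      ex-tcp-7000 = {
        port     = 7000
        protocol = "TCP"
      }
    },
    # range() is end-exclusive, so +1 keeps udp_port_max in the set. This
    # produces exactly the ex-udp-5000 .. ex-udp-5020 entries.
    {
      for p in range(local.udp_port_min, local.udp_port_max + 1) :
      "ex-udp-${p}" => {
        port     = p
        protocol = "UDP"
      }
    },
  )
}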
# Availability zones that are currently usable in this region; consumed by
# the VPC module's "azs" input.
data "aws_availability_zones" "available" {
  state = "available"
}
# Two-AZ VPC: tasks run in the private subnets, the load balancer in the
# public ones.
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 5.9.0"

  cidr = "10.0.0.0/16"
  azs  = data.aws_availability_zones.available.names

  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]

  # Private subnets reach the internet through one shared NAT gateway
  # (single_nat_gateway) rather than one per AZ.
  enable_nat_gateway = true
  single_nat_gateway = true
  create_igw         = true
}
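# Network Load Balancer fronting the ion-sfu tasks. One listener and one
# target group are created per entry of local.services.
module "nlb" {
  source  = "terraform-aws-modules/alb/aws"
  version = "~> 9.9.0"

  load_balancer_type = "network"
  #security_groups = [module.vpc.default_security_group_id]
  vpc_id  = module.vpc.vpc_id
  subnets = module.vpc.public_subnets

  # this lets us tear it down
  enable_deletion_protection = false

  # NOTE: aws_ecs_service.this attaches this same security group to the
  # tasks, so every ingress rule below applies to the tasks directly, not
  # only to the load balancer.
  security_group_name = "dev-cluster-sg"
  security_group_ingress_rules = {
    all_ingress_7000 = {
      from_port   = 7000
      to_port     = 7000
      ip_protocol = "TCP"
      description = "JSONP Traffic"
      # Reachable from anywhere; narrow this if the client population is known.
      cidr_ipv4 = "0.0.0.0/0"
    },
    all_ingress_udp = {
      # Must cover every UDP port in local.services (5000-5020 inclusive).
      from_port = 5000
      to_port   = 5020
      # Fix: this key was "protocol", but the rule above and this module's
      # rule schema use "ip_protocol", so the UDP range was not being opened
      # as intended.
      ip_protocol = "UDP"
      description = "UDP Traffic"
      cidr_ipv4   = "0.0.0.0/0"
    }
  }
  security_group_egress_rules = {
    all = {
      ip_protocol = "-1"
      description = "Allow out all traffic"
      cidr_ipv4   = "0.0.0.0/0"
    }
  }

  # Listener per service entry, forwarding to the target group of the same key.
  listeners = {
    for key, value in local.services : key => {
      name     = key
      port     = value.port
      protocol = value.protocol
      forward = {
        target_group_key = key
      }
    }
  }

  # Target registration is left to the ECS service (create_attachment = false);
  # only target groups referenced from aws_ecs_service.this receive targets.
  target_groups = {
    for key, value in local.services : key => {
      name              = key
      port              = value.port
      protocol          = value.protocol
      target_type       = "ip"
      create_attachment = false
    }
  }
}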
# Fargate-only ECS cluster. Capacity is split between on-demand and spot
# providers; "base" is the provider-level minimum task count, "weight" the
# relative share above it.
module "ecs" {
  source  = "terraform-aws-modules/ecs/aws"
  version = "~> 4.1.3"

  cluster_name = "${local.environment}-cluster"

  fargate_capacity_providers = {
    FARGATE = {
      default_capacity_provider_strategy = {
        base   = 20
        weight = 50
      }
    }
    FARGATE_SPOT = {
      default_capacity_provider_strategy = {
        weight = 50
      }
    }
  }
}
# Log destination for the ion-sfu container (referenced from the task
# definition's awslogs configuration). No retention_in_days is set, so the
# AWS default of never expiring applies.
resource "aws_cloudwatch_log_group" "ion_cw" {
  name = "ion_cw"
}
# Single-container Fargate task running ion-sfu: TCP 7000 for the JSON-RPC
# signalling port and UDP 5000-5020 for media.
resource "aws_ecs_task_definition" "this" {
  family                   = "${local.environment}-tasks"
  cpu                      = 256
  memory                   = 512
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  # Account-specific ARN: the role must already exist in the target account.
  execution_role_arn = "arn:aws:iam::381491913429:role/ecsTaskExecutionRole"

  container_definitions = jsonencode([
    {
      name = "ion-sfu"
      # NOTE(review): a mutable tag, so the image content can change between
      # deployments; pinning to a digest would make deployments reproducible.
      image     = "docker.io/pionwebrtc/ion-sfu:latest-jsonrpc"
      essential = true
      environment = [
        { name = "ENV", value = "placeholder" }
      ]
      # awsvpc mode: host ports must match container ports.
      portMappings = [
        {
          containerPort = 7000
          hostPort      = 7000
        },
        {
          containerPortRange = "5000-5020"
          hostPortRange      = "5000-5020"
          protocol           = "udp"
        }
      ]
      logConfiguration = {
        logDriver = "awslogs"
        options = {
          awslogs-group         = aws_cloudwatch_log_group.ion_cw.name
          awslogs-region        = "us-west-2"
          awslogs-stream-prefix = "ecs"
        }
      }
    }
  ])
}
# Runs the ion-sfu task in the private subnets and registers it with the
# TCP 7000 target group of the NLB.
resource "aws_ecs_service" "this" {
  name            = "${local.environment}-ion-service"
  cluster         = module.ecs.cluster_id
  task_definition = aws_ecs_task_definition.this.arn
  launch_type     = "FARGATE"
  desired_count   = 1

  # desired_count changed outside Terraform is not reverted on apply.
  lifecycle {
    ignore_changes = [desired_count]
  }

  # Only the TCP target group is attached; the UDP target groups created
  # from local.services receive no targets from this service.
  load_balancer {
    target_group_arn = module.nlb.target_groups["ex-tcp-7000"].arn
    container_name   = "ion-sfu"
    container_port   = 7000
  }

  network_configuration {
    subnets = module.vpc.private_subnets
    # Reuses the load balancer's security group, so its 0.0.0.0/0 ingress
    # rules apply to the task ENIs as well.
    security_groups = [module.nlb.security_group_id]
  }
}
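# The signalling listener is on local.services["ex-tcp-7000"].port (7000), not
# on 80, so the URL must carry the port; without it the address points at a
# port with no listener. The listener is plain TCP, hence http://.
output "lb_url" {
  value = "http://${module.nlb.dns_name}:${local.services["ex-tcp-7000"].port}"
}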

bneil commented Jul 19, 2024

The above relates to my question on the AWS subreddit, "How to allow many ports to ECS".
When I tried to replace the `aws_ecs_service` resource with

# Attempted variant: attach every entry of local.services (1 TCP + 21 UDP =
# 22 target groups) to the service with a dynamic load_balancer block.
resource "aws_ecs_service" "this" {
  cluster         = module.ecs.cluster_id
  desired_count   = 1
  launch_type     = "FARGATE"
  name            = "${local.environment}-ion-service"
  task_definition = resource.aws_ecs_task_definition.this.arn

  lifecycle {
    ignore_changes = [desired_count]
  }

  # One load_balancer block per service key; the target group key matches
  # the service key, as in the nlb module. ECS rejects this because a
  # service may have at most five target groups (see the linked doc).
  dynamic "load_balancer" {
    for_each = local.services
    content {
      container_name   = "ion-sfu"
      container_port   = load_balancer.value.port
      target_group_arn = module.nlb.target_groups[load_balancer.key].arn
    }
  }

  network_configuration {
    security_groups = [module.nlb.security_group_id]
    subnets         = module.vpc.private_subnets
  }
}

I got back an error saying I couldn't specify more than five target groups, as mentioned here:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html#multiple-targetgroups-considerations

For services that use an Application Load Balancer or Network Load Balancer, you cannot attach more than five target groups to a service.

So, does anyone know a way to do this? I'll keep looking, but any help is appreciated. Thanks folks.
