Deploying to AWS ECS Fargate

Aembit provides different deployment options that you can use to deploy Aembit Edge Components in your environment. Each of these options provides similar features and functionality. The steps for each of these options, however, are specific to the deployment option you select.

This page describes the process to deploy Aembit Edge Components to ECS Fargate using Terraform.

To deploy Aembit Edge Components to your Kubernetes cluster, you must follow these steps:

1. Add a Trust Provider
2. Add an Agent Controller
3. Modify and deploy terraform configuration

To further customize your deployments, see the available optional configurations.

Before you begin

1. Ensure that Terraform has valid AWS credentials to deploy resources. Terraform doesn’t require the AWS CLI but can use its credentials if available. Terraform automatically looks for credentials in environment variables, AWS credentials files, IAM roles, and other sources.

   For details on configuring authentication, refer to the AWS Provider Authentication Guide.

2. Verify that you have initialized Terraform and that you have the required permissions to execute the deployment. Go to your Terraform deployment directory for the Client Workload and run the following command:

   terraform plan

   The command should complete without errors.

Step 1 - Add a Trust Provider

You need to create a Trust Provider, or use an existing one, to enable the Agent Controller (created in the next step) to authenticate with the Aembit cloud. This Trust Provider relies on the AWS Role associated with your application for authentication.

1. Log into your Aembit tenant and go to Edge Components —> Trust Providers.

2. Click + New, revealing the Trust Provider pop out.

3. Enter a Name and optional Description.

4. Select AWS Role as the Trust Provider.

5. Under Match Rules, click + New Rule and set the following:

   1. Attribute - Select accountId

   2. Value - Enter the AWS account ID (without dashes) where your Client Workload is running

6. Click Save.

   

Step 2 - Add an Agent Controller

1. Log into your Aembit tenant and go to Edge Components —> Agent Controllers.

2. Click + New, revealing the Agent Controller pop out.

3. Enter a Name and optional Description.

4. Select the Trust Provider you created in Step 1.

5. Click Save.

   

Step 3 - Modify and deploy Terraform configuration

1. Add the Aembit Edge ECS Module to your Terraform code, using configuration:

   module "aembit-ecs" {
     source  = "Aembit/ecs/aembit"
     version = "1.x.y" # Find the latest version at https://registry.terraform.io/modules/Aembit/ecs/aembit/latest
   
     aembit_tenantid = "<Aembit_Tenant_ID>"
     aembit_agent_controller_id = "<Aembit_Agent_Controller_ID>"
   
     ecs_cluster = "<ECS_Fargate_cluster_name>"
     ecs_vpc_id = "<ECS_Fargate_cluster_VPC_id>"
     ecs_subnets = ["<ECS_Fargate_cluster_subnet_1>","<ECS_Fargate_cluster_subnet_2>","<ECS_Fargate_cluster_subnet_3>"]
     ecs_security_groups = ["<Security_group_for_Agent_Controller>"]
   }

   Note

   To see additional configuration options, see Optional configurations

2. Add the Aembit Agent Proxy container definition to your Client Workload Task Definitions.

   The following code sample shows an example of this by injecting jsondecode(module.aembit-ecs.agent_proxy_container) as the first container of the Task definition for your Client Workload.

   resource "aws_ecs_task_definition" "workload_task" {
     family                = "workload_task"
     container_definitions = jsonencode([
       jsondecode(module.aembit-ecs.agent_proxy_container),
       {
         name = "workload"
         ...

3. Add the required for explicit steering environment variables to your Client Workload Task Definitions. For example:

   environment = [
     {"name": "http_proxy", "value": module.aembit-ecs.aembit_http_proxy},
     {"name": "https_proxy", "value": module.aembit-ecs.aembit_https_proxy}
   ]

4. Execute terraform init to download Aembit ECS Fargate module.

5. With your Terraform code updated as described, run terraform apply or your typical Terraform configuration scripts to deploy Aembit Edge into your AWS ECS Client Workloads.

Optional configurations

The following table lists the configurable variables of the module and their default values.

All variables are required unless marked optional.

Parameter	Description	Default
aembit_tenantid	The Aembit TenantID with which to associate this installation and Client Workloads.	not set
aembit_agent_controller_id	The Aembit Agent Controller ID with which to associate this installation.	not set
aembit_trusted_ca_certs	(Optional) Additional CA Certificates that the Aembit AgentProxy should trust for Server Workload connectivity.	not set
ecs_cluster	The AWS ECS Cluster into which the Aembit Agent Controller should be deployed.	not set
ecs_vpc_id	The AWS VPC which the Aembit Agent Controller will be configured for network connectivity. This must be the same VPC as your Client Workload ECS Tasks.	not set
ecs_subnets	The subnets which the Aembit Agent Controller and Agent Proxy containers can utilize for connectivity between Proxy and Controller and Aembit Cloud.	not set
ecs_security_groups	The security group which will be assigned to the AgentController service. This security group must allow inbound HTTP access from the AgentProxy containers running in your Client Workload ECS Tasks.	not set
agent_controller_task_role_arn	The AWS IAM Task Role to use for the Aembit AgentController Service container. This role is used for AgentController registration with the Aembit Cloud Service.	arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/ecsTaskExecutionRole
agent_controller_execution_role_arn	The AWS IAM Task Execution Role used by Amazon ECS and Fargate agents for the Aembit AgentController Service.	arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/ecsTaskExecutionRole
log_group_name	(Optional) Specifies the name of an optional log group to create and send logs to for components created by this module. You can set this value to null.	/aembit/edge
agent_controller_image	The container image to use for the AgentController installation.	not set
agent_proxy_image	The container image to use for the AgentProxy installation.	not set
aembit_stack	The Aembit Stack which hosts the specified Tenant.	useast2.aembit.io
ecs_task_prefix	Prefix to include in front of the Agent Controller ECS Task Definitions to ensure uniqueness.	aembit_
ecs_service_prefix	Prefix to include in front of the Agent Controller Service Name to ensure uniqueness.	aembit_
ecs_private_dns_domain	The Private DNS TLD that will be configured and used in the specified AWS VPC for AgentProxy to AgentController connectivity.	aembit.local
agent_proxy_resource_set_id	Associates Agent Proxy with a specific Resource Set	not set