#aws (2020-08)

I see this is NOT yet possible: https://github.com/aws/containers-roadmap/issues/89

Every pull request runs automated tests using terratest against examples/complete

tests are in test/src

https://github.com/cloudposse/terraform-aws-elasticsearch/releases/tag/0.19.0

You can’t share the resource, at least this particular between regions. You can share it between the different accounts, but for building a regional network using Transit Gateway, you need to create a peering connections between Transit Gateways in different AWS regions.

i saw that peering attachment option

but that means i need transit gateway in each region

Exactly. Or you can use other ways to create connection over regions, like using IPSec tunnels

I have vpc peering, but i wanted to use something to rule them all

thanks

Without peering, i dont think you can connect cross region

Yes it re-encrypts, although they don’t do any cert validation on the backend, its fire & forget

Just played with the TF CDK for Python yesterday. My experience was pretty awful. What is installed and used for python CDK is actually a skeleton that converts javascript to python and runs it. It was pretty slow, and difficult to find what I was looking for. I use tfswitch to manage the TF version in a container, which requires the TF version to be pinned, but couldn’t figure out how to pin the TF version with the CDK. So my experience was a short but painful one.

I’ve used CDK for AWS as well, and the experience was better, though I ran into CFN limitations, which is one of the reasons why TF interests me.

So, from my perspective, CDK is still a ways out from being very useful.

Thank you I shall wait to even go as far as you did then

Have been using the CDK (sans TF) with Python for a couple of weeks in a real-world scenario. I really like the programmatic feel of the setup, although having Python convert to Typescript behind the scenes ruins the usual developer toolchain for me (i.e. especially not being able to simply throw pdb into the mix); I could of course just go with Typescript but, aaaah. The documentation is autogenerated and sucks big time. They have taken idioms from other languages and pulled them down over Python and the result is not very pythonic. But for me, it sure beats HCL, which is an abhorrent nightmare of the NIH syndrome backed by naïve enthusiasm and silicon capital. In the words of L Peter Deutsch: “Every now and then I feel a temptation to design a programming language but then I just lie down until it goes away.”. Once you accept the tie-in to AWS and their stack concept, accept that CDK uses Python in name only and that there is no real state tracking, CDK feels welcoming especially for people with developer backgrounds (caveat: that’s me)

I’ll bring this up in #office-hours today

terraform

yah thats the model I’m coming from

but I’m trying to deploy a lambda in this new fangled Serverless model that uses cloudformation

right, so, no. huge limitation of cfn. you can construct the arn, since the format is known. or you can write a custom resource that basically runs describekey (or whatever the api call is) and returns the result

wow thats awful

or you can create the key in the stack, so you have access to its attributes

or just take the arn as a parameter and let the user figure out how to get it to you

I guess option 3 is that I create the IAM role/policy in terraform and have the serverless config reference that by name to add to the lambda

speaking of cdk, this is why i think cloudformation templates should always themselves be an artifact generated by something else. the cdk is great for this

the examples and docs point to fargate

I’m trying to use AppMesh with ECS+EC2

I’ve done it.

Got some code — stand by.

I setup Service Discovery as part of a talk I did on ECS. Here is the repo that went with the talk:

https://github.com/masterpointio/ecs-101-demo

Relevant bits are:

https://github.com/masterpointio/ecs-101-demo/blob/master/terraform/main.tf#L494-L518

https://github.com/masterpointio/ecs-101-demo/blob/master/terraform/main.tf#L478-L483

Though this doesn’t include App Mesh, so maybe it won’t fit what you’re after. But that service / DB task that I wire up to Service Discovery is running on EC2 and not Fargate.

Awesome, it is not clear in the docs if you can use your current alb as the endpoint for. Appmesh instead of service discovery but I found one of the aws training labs were thru show it using an internal alb instead of a service discovery endpoint

As always very confusing

Yeah… you gotta dig deep in the docs for the more complicated shit in AWS.

I’m going to write a module

I’m very interested on this too

only if you enalbe allocation tag on that specific tag, just after that the cost can be sorted out in Cost Explorer with tag

Take a look at how your VPN is configured. Generally, you can set it to route only the traffic to the VPN-connected network or to route all traffic. If it’s all traffic, there may be some network rules in the VPN VPC that you connect to that keep SSH from egressing the network.

I don’t have this, but if you used ssm, you could find useful a tool I’ve made last year : https://github.com/claranet/sshm

i havent tried ssm command line to filter instances. but, i have created a doc and association with tags and applied that association using tf ,

resource "aws_ssm_association" "config-files-load" {
  depends_on = [aws_s3_bucket_object.monitoring-config-files-upload]
  name       = aws_ssm_document.shell-config-update-doc.name
  targets {
    key    = local.monitoring_identifation_tag_name
    values = [local.monitoring_identifation_tag_value]
  }
  association_name = "${aws_ssm_document.shell-config-update-doc.name}-association"
}

resource "null_resource" "example2" {
  depends_on = [aws_ssm_association.config-files-load]
  provisioner "local-exec" {
    command = "aws ssm start-associations-once --association-id ${aws_ssm_association.config-files-load.association_id}  --region ${local.region}"
  }
}

there are so many ssm projects.

• https://github.com/gjbae1212/gossm

• https://github.com/itsdalmo/ssm-sh

• https://github.com/xen0l/aws-gate

• https://github.com/disneystreaming/ssm-helpers

• https://github.com/elpy1/ssh-over-ssm

I use sshm

if you have ssh over ssm working you can use cssh

and SSM RunCommand does not do this already?

This is run Powershell ask or any other sdk/CLI does . Do you need a specific example?

Especially route53!!

+100000000

Have you declared your VPC in allowed VPC for the domain?

Hey, thanks for the reply, sorted this out with the VPC Link.

optional thread

If the VPCs are peered, you can use peered vpc security group references. Otherwise, I don’t think there is a way to use the same security group, nor share the rules

Still probably not quite what you’re looking for though… https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html

This is not working for the Transit Gateway connected VPCs.

No, it does not, it’s specific to vpc peering (at the moment, anyway)

This week I tried to reference one SG from another VPC and it didn’t worked.

interesting. i should have mentioned the vpcs are in different regions
You cannot reference the security group of a peer VPC that’s in a different region. Instead, use the CIDR block of the peer VPC.

thanks for clearing that up folks!

i guess i’ll just stick with the module that duplicates the same sgs per vpc-region

if you are in the same region and you use Shared VPCs ( which is newish) you can do that

I think it depends case by case. If it is a backend kind of application with a json report generation it doesn’t hurt much to do so. If it’s a critical consumer facing application then high idle timeouts make the application easily doss’able, async is the much nicer option.

Sigh. They still don’t have a plan for bucket names that include dots
Bucket Names with Dots – It is important to note that bucket names with “.” characters are perfectly valid for website hosting and other use cases. However, there are some known issues with TLS and with SSL certificates. We are hard at work on a plan to support virtual-host requests to these buckets, and will share the details well ahead of September 30, 2020.

LPT: Use #!/usr/bin/env bash. It is far more universally compatible

https://stackoverflow.com/questions/10376206/what-is-the-preferred-bash-shebang

Thanks Andrew!

I have several peering connections like what you describe and I’ve never come across any implications or issues related to the direction of a peering connection.

see doc for related info https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html

That is what I do. But I do 2 ECR. 1 in dev account for CI builds and 1 in shared account for candidates that have passed testing. Reduces risk of really bad code being able to get to most environments

We have a single ECR for multiple environments. We grant access to all of the accounts for each repo.

correct, cidrs are not allowed to overlap

thanks

though i edited it to clarify, because I think peering can be established, but routing will not work well

when i’ve tried it in the past, i received errors when the cidrs overlapped that did not allow the peering connection to be created

even when they transitively overlapped? (i’m not trying to do that, just wondering)

yes

it seems it no longer errors when creating the peering connection, that’s interesting

GOCD?

i’d like to stick with aws products, so codebuild, and codedeploy

looking at waf as an option but it’s expensive

we were thinking about perhaps splitting the security groups up but that kind of kicks the can down the road. once we’re at 60 ipcidrs for office ips, what do we do next ?

You can do up to 5 security groups, move to WAF, or create your own solution

for now i asked aws to increase the limit from 60 to 100 per sg per vpc in 1 region and they complied which is nice. i guess in the future, we’ll have to consider a waf or get more creative with a solution

Unless things have changed (I did this 2 years ago). There is a max of 300 rules. So, they would have increased the number of rules per group and reduced the number of groups you can have.

yep. the default is 60 rules per sg and 5 sgs per networking interface so 60*5 is 300. they have a hard limit of 1000 so either the 60 or 5 can increase but that 1000 cannot be exceeded.

https://aws.amazon.com/premiumsupport/knowledge-center/increase-security-group-rule-limit/

That’s an improvement. Good to know.

sounds like the cluster isn’t CPU pegged; have you already validated that you’re not hitting a max connection limits?

highly recommend AWS Support if you’re not paying for it. We have Business level in our Production account. We’ve had a few instances similar to this and they were able to dig into the logs/configuration and determine root cause for us. Worth every penny.

In our case business support couldn’t find a root cause apart from not being in the last patchlevel. After enabling the detailed logging (every request) the issue didn’t happened again.

could try opening a new case and see if the next engineer has better luck

Just to be completely sure I deployed a new database from an snapshot and nuked the database cluster

if you can associate metrics to “stress moments” probably worth setting up an alert that the team can get notified that things may be going sideways in the future

now we have an automated probe testing the connection every minute so I’m pretty confident about that. It opens an mysql connection, query a table with a select with limit 1 and if everything it’s ok it will close the mysql connection.

mysql ? version ? serverless ? workflow is write heavy ?

how many replicas?

MySQL Aurora with MySQL 5.7, single master and one replica. Workflow is primarily read as it’s a drupal website. Sometimes (with cache expirations), every node will launch a pool of connections against the MySQL server (every node at the same time as the cache was located in the database), and in that moment, when receiving about 1500 new connections (the instance size it’s an r5.2xlarge with max_connections default at 3000 connections), the mysql became zombie. After the second time happening the same, we did a change in the Drupal cache expiration and it never happened again.

Support was completely clueless and with the Drupal changes on the cache we couldn’t replicate the issue anymore.

we had a weird writing pattern issue that will trigger a failover immediately

I think at the end read or write the underlaying storage can’t keep up and it kills the writer

in you case you could leverage the RDS proxy

which is now GA

and same as you Support did not have a clue

and when I was in re:Invent asked this question and they did not answer

how do you use the same app to login to aws console ui ?

i know gimme-aws-creds will dump out the access key id and secret access key which can then be used to hit aws’ federated endpoint to create a session in aws console.

https://stackoverflow.com/questions/59952757/how-to-login-to-aws-console-using-access-key-secret-key-and-session-token

im wondering if there is an easier, more integrated way

for example, using aws-vault, it has a login command that will open aws console for you.

# open a browser window and login to the AWS Console
$ aws-vault login jonsmith

but to use this tool with nike’s gimme-aws-creds, i’d have to do the following.

1. get creds from gimme-aws-creds
2. enter them into aws-vault which is a pain since these creds are temporary
3. then run aws-vault login

so you want to trigger a console login from cli ?

yes

i suppose https://github.com/versent/saml2aws has a console arg so maybe that tool would be better

We use saml2aws

We previously used aws-okta which was literally a fork of aws-vault, but support has dropped

yah we have okta federation. You log into the Console with an okta saml redirect. You log into the CLI with gimme-aws which authenticates you and plops creds into the shell env

@Erik Osterman (Cloud Posse) ah ok so you have okta saml setup with saml2aws so you can get keys and use the saml2aws console to quickly login to the aws console

Yep and it works inside a container like geodesic

that makes a lot of sense. it’s too bad it doesn’t use oidc but i guess it doesn’t matter what kind of auth, as long as it works.

We use it with okta and gsuite depending on the customer

@Zach you use gimme-aws to get aws creds and then you have an okta app that allows you login to aws console ? could you explain more about that ?

its 2 differnet means of doing the same thing

If you want to go to the AWS Console, you click the AWS ‘app’ in Okta (the plugin). You auth, and then you assume an IAM role that your okta group maps to or allows.

At the CLI the gimme-aws-creds does basically the same thing, you tell it what account and role in AWS you want to assume

ah ok that makes sense. so i imagine the cli method and the okta app use the same client_id / client_secrets ?

the AWS keys? doubt it

no the oidc creds

oh i see, so probably different oidc client id and client secret

Hmmm not sure - the gimme-aws si configured with an okta secret. The aws side is … complicated? the okta docs aren’t great but if you follow them to the letter it all works

i may have to ping you and others more about this. IT at our place still holds the whole sso thing close to their hearts so waiting on them before i can configure

thats funny, our actual IT maintains the Azure AD and we just bypass all that with Okta for our engineering team

i like it a lot. one of the few that manage to handle the credential cache both for the sso session and for the aws sts session

project is well structured also, and the maintainers are responsive and accepting of prs

https://github.com/99designs/aws-vault#roles-and-mfa

Add mfa_serial to the profile in $HOME/.aws/config

I have the login working with MFA

But CloudTrail says additionalEventData.MFAUsed

As No

Let me try with –no-session

Still “No”

@Igor what is your ~/.aws/config for that profile and What is the full error? additionalEventData.MFAUsed is not an error

There is no error. That’s a property in the CloudTrail event log that states that MFA wasn’t used on login.

config is as linked. I have role_arn and mfa_serial on the profile

is this aws console login or aws-vault ? can you paste the full event log

and did you enforce MFA in your assume role?

install guide: https://hawkins.gitbook.io/dispatch/installation

repo: https://github.com/Netflix/dispatch

Someone at ours had a look and said too early/raw and went to zapier instead.

interesting. someone here had the same thought cause it had bugs.

i guess we wait

Something like this should work:

aws s3api list-buckets --query "Buckets[?starts_with(Name, \`tf-app-npd\`)]|[?contains(Name, \`state\`)]|[?!(contains(Name, \`tf-app-npd-shared-state\`))].Name"

jmespath has an or operator so theoretically you could use that to exclude multiple buckets

ohh interesting! How would I use the or operator with

[?!(contains(Name, \`tf-app-npd-shared-state\`))]

to exclude tf-app-npd-state

I’m not entirely sure

Looks like this works:

[?!(contains(Name, \`tf-app-npd-shared-state\`) || (contains(Name, \`tf-app-npd-state\`)))]

works like a charm! Thank you!

happy to help

you wouldn’t happen to be a pro with sed would you?

Not sure I’d call myself a pro, but I use it quite often. Happy to look at whatever you’re trying to do.

the result of the command above has the following output

[
    "tf-app-npd-kmstest-state",
    "tf-app-npd-pr16-state",
    "tf-app-npd-stage-state"
]

essentially, I’d like to ‘remove’ the tf-app-npd- and -state parts. So for the first bucket I’d be left with kmstest

sed 's/tf-app-npd-\|-state//g'

hmm, I piped that to the end of the awscli command but the result is the same

| sed 's/tf-app-npd-\|-state//g'

just to confirm, the pipe to sed is outside the "" on the aws command right?

yup, the whole command is

aws s3api list-buckets --output text --query "Buckets[?starts_with(Name, \`tf-app-npd\`)]|[?contains(Name, \`state\`)]|[?!(contains(Name, \`tf-app-npd-shared-state\`) || (contains(Name, \`tf-app-npd-state\`)))].[Name]" | sed 's/tf-app-npd-\|-state//g'

Odd… it worked for me when I copied your output

$ OUT='[                        
    "tf-app-npd-kmstest-state",
    "tf-app-npd-pr16-state",
    "tf-app-npd-stage-state"
]'

$ echo $OUT
[ "tf-app-npd-kmstest-state", "tf-app-npd-pr16-state", "tf-app-npd-stage-state" ]

$ echo $OUT | sed 's/tf-app-npd-\|-state//g'
[ "kmstest", "pr16", "stage" ]

hmm, are you using a macbook? I know sed on macos is slightly different

nope

ubuntu 18

and the command without sed still works right?

yes

Experimenting with my own buckets, looks like that sed or isn’t working right.

sed or isnt?

nevermind, I had a typo

what’s your sed --version?

HA, I dont think the macos sed has a version https://stackoverflow.com/questions/37639496/how-can-i-check-the-version-of-sed-in-os-x

got it!

so, on macos you need to run brew install gnu-sed

that gives me the version of sed that you’re probably using

or close enough to it

yep! thanks again! Appreciate the help

np

have you ever looped through a json list with bash

You’re gonna want jq for that - https://stedolan.github.io/jq/

Hey @bradym - you around for a quick bash/awscli question?

Sure, what’s up?

:slightly_smiling_face: I had an old awscli command I used to delete a versioned object in an S3 bucket like this

aws s3api delete-objects --bucket ${REMOTE_STATE_BUCKET} --delete "$(aws s3api list-object-versions --bucket ${REMOTE_STATE_BUCKET} --query='{Objects:Versions[].{Key:Key,VersionId:VersionId}}')"

This worked fine, however we decided to store more in this bucket so I wanted to delete only objects with a certain key, I ended up with this

aws s3api delete-objects --bucket ${REMOTE_STATE_BUCKET} --delete "$(aws s3api list-object-versions --bucket ${REMOTE_STATE_BUCKET} --output=json --query="Versions[?starts_with(Key,\`${STAGE}\`)].{Key:Key,VersionId:VersionId}")"

but now I get the following error

Error parsing parameter '--delete': Invalid JSON:
[
    {
        "Key": "stage/terraform.tfstate",
        "VersionId": ".oKrS6dg8TJGGjaDGeAvF7RryDqok.wy"
    }
]

any idea what its complaining about

Take a look at aws s3api list-object-versions help – there’s an example of what the JSON syntax for that command should be, and it looks like yours is not formatted quite right

Check out rclone

Thanks

aws s3 sync will delete. You just need to add the –delete option But for speed, consider using s3 replication for the copy. s3 replication can also do deletes. https://aws.amazon.com/blogs/storage/managing-delete-marker-replication-in-amazon-s3/

AWS have now reported on this

I may have answered my own question.

https://aws.amazon.com/about-aws/whats-new/2020/07/cloudfront-tls-security-policy/

When you create a new distribution using a custom SSL certificate, TLSv1.2_2019 will be the default policy option selected. You may use the AWS Management Console, Amazon CloudFront APIs, or AWS CloudFormation to update your existing distribution configuration to use this new security policy.

nice, i’ve wondered the same thing several times

Yes

Ok… Then we have something odd going on…

id create a support ticket on this just in case

you could check and create a new load balancer with the same acm cert and see if that works as expected

but the new acm cert should propagate to all load balancers /listeners that already use it.

things are fine, nothing to see here. Someone was trolling with adding an additional listener certificate.

Solved.

whats the solution ?

AWS treats this as OR

"Condition": {
         "StringEquals": {
           "aws:sourceVpc": ["vpc-111bbccc", "vpc-111bbddd"]
         }
       }

Stupid bc it’s not obvioous at first but hey if it works it works

Also can use ForAnyValue

cool, i did not know you can do that

i’m guessing something like this, just based on some googling…

Host bastion
  ProxyCommand sh -c "aws ssm start-session --target <bastion-instance-id> --document-name AWS-StartSSHSession --parameters 'portNumber=%p' --region <region>"

Host <gitlab.remote>
  IdentityFile  <my key>
  User git
  ProxyCommand ssh -W %h:%p  ec2-user@bastion

or perhaps with ProxyJump?

Host bastion
  User ec2-user
  ProxyCommand sh -c "aws ssm start-session --target <bastion-instance-id> --document-name AWS-StartSSHSession --parameters 'portNumber=%p' --region <region>"

Host <gitlab.remote>
  IdentityFile  <my key>
  User git
  ProxyJump bastion

like this :

host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p' --profile production"

that works for me

roger, but that works where the host in the ssh command is the instance. in this case, the host is the gitlab remote (and the user does not have ssm:StartSshSession permissions to the gitlab host. but they do have a user in gitlab and an ssh key loaded in their gitlab profile)

https://github.com/Flaconi/terraform-aws-bastion-ssm-iam/blob/master/client/ssh_tunnel#L59

Mmm but ssm does not require ssh keys to connect, in that case you might want to ck slider instance connect

Is codepipeline involved, by any chance?

yes I’m using codepipeline

Then no, I was never able to work this out. It’s just what codepipeline does… Takes your source repo, exports it to a zip hosted in s3, then codebuild retrieves the zip. I stopped using codepipeline as a result

If you create a codebuild job with the source as your codecommit repo, and trigger the job directly, without codepipeline, then it works as you expect

Resolved with this -> https://itnext.io/how-to-access-git-metadata-in-codebuild-when-using-codepipeline-codecommit-ceacf2c5c1dc

Thank you Loren!

With git as workaround I don’t remember why it’s like this:

      - git init
      - git remote add origin https://${GITHUB_TOKEN}@github.com/owner/repo
      - git fetch --tags
      - git reset --hard origin/master

would this work for codecommit as well

I don’t use CodeCommit

OK - I’ll see if we can transition to anything but codecommit, there’s another functionality that doesn’t seem to work on codecommit which I spotted earlier. For now that medium blog will do. Thank you!

yeah, if you clone the repo as a codebuild step, then the “source” step of codepipeline is rather pointless

It works for us for now - so it’s OK. I’ll end up moving to github at a later stage.

thread

i know about the ECS_CONTAINER_METADATA_URI which is handy but this env variable is set in both ecs ec2 and fargate

ref: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-metadata-endpoint-v3.html

we subscribe to a sns topic that then notify on slack

thats a good way for the humans to know

with some lambda and that aws bot thingy

what’s a good way for the container itself to know

ahhhh

we use local healthcheck as like a readiness test

to curl itself basically

that’s a good way to get the current health of the container

but what’s a good way to determine, for the container, if it’s an ecs ec2 task vs an ecs fargate task ?

the only thing i can think of is if it hits the task metadata, gets the task arn, describes the arn, and determined the launch type from that.

OMG I had to read 3 time you question to realize it was something else

can you just add a ENV variable that the deployment set?

the other way we’re thinking is that the ip address looks different betw ecs and ec2, where for ecs ec2 the ip is an ip in our vpc, whereas the fargate ip is the docker bridge ip that is not in our vpc

ya we could probably add an env variable to all the tasks. that would be one solution.

i was hoping for something more dynamic

is there a metadata endpoint that you can curl and set a ENV variable?

you could use the same local healthcheck to actually set it

we’d have to set the env variable in the task definition and it would be a lot to update all of our tds.

the metadata endpoint is something we can curl from the container

cant believe amazon doesnt deliver the l aunch type in the metadata

a label may be a better option than an env variable

since the labels can be queried from the /tasks endpoint

@jose.amengual check this out

https://github.com/mackerelio/mackerel-container-agent/blob/c70de86ba1256fb0bfadba0a98237bf91a75b5db/platform/ecs/ecs.go#L21

basically we can query off of the env variable AWS_EXECUTION_ENV which can either be AWS_ECS_FARGATE or AWS_ECS_EC2

and stackoverflow confirmation https://stackoverflow.com/questions/54177061/is-it-possible-to-detect-fargate-without-trying-the-metadata-api

ohhhh cool

I’m curious what the use-case is for this

imagine you have task on fargate that you are migrating to ecs+ec2 and they set certain cpu and memory attributes base on available memory, you could use this to set certain different defaults so the tasks can run without issues

So you’d allow the container, once already launched, to modify its own task definition?

We use it for a fatlib that gets the ddagent hostname ip

ddagent as datadog agent?

yessir

for APM tracing you need that?

yessir

but I thought running as a daemon you could use the hostname?

how so ?

what host name ?

for ecs, we’ve been using the hostname as the ip of the ec2 via the metadata url, for fargate, we’ve been doing something similar

is it best to use a different string ?

is this for this bit of the dd docs :

Assign the private IP address for each underlying instance your containers are running on in your application container to the DD_AGENT_HOST environment variable. This allows your application traces to be shipped to the Agent. The Amazon's EC2 metadata endpoint allows discovery of the private IP address. To get the private IP address for each host, curl the following URL:

curl <http://169.254.169.254/latest/meta-data/local-ipv4>

and set the result as your Trace Agent Hostname environment variable for each application container shipping to APM:

os.environ['DD_AGENT_HOST'] = <EC2_PRIVATE_IP>

In cases where variables on your ECS application are set at launch time, you must set the hostname as an environment variable with DD_AGENT_HOST. Otherwise, you can set the hostname in your application's source code for Python, Javascript, or Ruby. For Java and .NET you can set the hostname in the ECS task. For example:

from : https://docs.datadoghq.com/integrations/amazon_ecs/?tab=awscli

yep so thats how we do it for ecs ec2

how do you do it for fargate

we do not use fargate for the stuff I manage

but since it is in deamon mode the hostname of the datadog task can be passed as a parameter to the collector

like :

https://docs.datadoghq.com/tracing/setup/java/

dd.agent.host

which will be the hostname of the container running in daemon mode

by default is datadog

I think

thats for java tho. we use python. would it be the same config

same

https://docs.datadoghq.com/tracing/setup/python/

Yea, mostly. That config controls whether the instance has a publically routable Internet IP address or a private one from your subnet(s) space if that makes sense.

As you say, that has no bearing on whether the path is routable (route tables/IGW and/or network ACL) or firewalled (security group).

So the cluster “itself” doesn’t have its own public/private setting right?

Yea, I think that’s right; seems like it’s implied by the instance level setting.

OK thanks

I’ve never tried adding one instance public and one instance private; not sure what would happen there. Probably an error.

I just tried that. not an error. The public/private ended up being set by the first instance in the cluster.

Wonder if the second (private) would be accessible by the cluster’s reader endpoint then (assuming it resolve to public IPs).

Happy to give you my TF code to check for yourself

All good; just wondering out loud