Serverless Consul service mesh with ECS and HCP
Consul with Elastic Container Service (ECS) and Hashicorp Cloud Platform (HCP) provides you with a fully-managed service mesh ecosystem. Empowering your AWS ECS tasks with Consul service mesh connectivity enables you to take advantage of features such as zero-trust-security, intentions, observability, traffic policy, and more.
In this tutorial, you will use Terraform to create an HCP Consul environment, an ECS cluster, and various AWS services. This environment will be used to highlight the ease of deployment, simplified scalability, and reduced operational overhead gained by utilizing this pattern.
Specifically, you will:
- Create a service principal and key in HashiCorp Cloud Platform (HCP)
- Customize the Terraform environment deployment script
- Deploy a HashiCorp Cloud Platform (HCP) Consul cluster and an Elastic Container Service (ECS) example application using the Terraform script
- Explore your deployment with the HashiCorp Cloud Platform (HCP) portal UI
- Inspect your environment using the Consul UI
- Explore the sample application UI
- Enable service mesh networking with Consul Intentions
- Decommission the HashiCorp Cloud Platform (HCP) and Elastic Container Service (ECS) environment
While this tutorial uses elements that are not suitable for production environments including a development-tier HCP cluster and lack of redundancy within the architecture, it will teach you the core concepts for deploying and interacting with a fully-managed service mesh with AWS Elastic Container Service (ECS) and HashiCorp Cloud Platform (HCP). Refer to the Consul Reference Architecture for Consul best practices and the AWS Well-Architected Documentation for AWS best practices.
Prerequisites
To complete this tutorial you will need the following.
- Basic command line access
- The Terraform v1.0.0+ installed
- Git installed
- Admin access to the HashiCorp Cloud Platform (HCP) Consul portal
- AWS account and associated credentials that allow you to create resources.
Clone GitHub repository
Clone the GitHub repository containing the configuration files and resources.
Check out the v0.5
tag of the repository.
Change directory to the ECS module.
Create and configure credential resources
Create HCP service principal and key
Create a Service Principal and key to enable HCP Consul deployment with Terraform.
From the left menu select Access Control (IAM) in the Settings section.
In the Access Control (IAM) page, click on the Service Principals tab and click on the Create a service principal link.
Specify a name for the service principal (learn-hcp
in this tutorial). Choose the Contributor
role from the drop-down menu.
Once created, click on the service principal's name to view its details.
From the detail page, click on the create service principal key link. A popup resembling the following will appear:
Note
Remember to copy the Client ID and secret. You will not be able to retrieve the secret later, and it is required in the next step.
Configure AWS and HCP environment variables
You can provide your AWS and HCP credentials to Terraform as environment variables. The required AWS environment variables are AWS_ACCESS_KEY_ID
and AWS_SECRET_ACCESS_KEY
.
The required HCP environment variables are HCP_CLIENT_ID
and HCP_CLIENT_SECRET
If you don't have AWS Access Credentials, create your AWS Access Key ID and Secret Access Key by navigating to your service credentials in the IAM service on AWS.
Click "Create access key" on that page to view your AWS_ACCESS_KEY_ID
and AWS_SECRET_ACCESS_KEY
.
In the same terminal where you will run Terraform commands, set your AWS environment variable values.
Tip
If you don't have access to IAM user credentials, use another authentication method described in the AWS provider documentation.
Create a Terraform configuration file for your secrets
Terraform will utilize your unique credentials to build a complete HashiCorp Cloud Platform (HCP) Consul cluster and example application in Elastic Container Service (ECS).
Create a file named terraform.tfvars
in your working directory and copy the following configuration into the file.
Replace the placeholders with your values and save the file.
To learn more about each of the Terraform attributes, see the respective resource documentation in the Terraform registry.
Note
By default, secrets created by AWS Secrets Manager require 30 days before they can be deleted. If this tutorial is destroyed and recreated, a name conflict error will occur for these secrets. This can be resolved by changing the value of name
in your terraform.tfvars
file.
Explore the Terraform manifest files
The Terraform manifest files used in this tutorial deploy various resources that enable your fully managed service mesh ecosystem. Below is the purpose of each Terraform manifest file.
data.tf
- Data sources that allow Terraform to use information defined outside of Terraform.ecs-clusters.tf
- AWS ECS cluster deployment resources.ecs-services.tf
- AWS ECS service deployment resources.hcp-consul.tf
- HCP Consul cluster deployment resources.hvn.tf
- HashiCorp Virtual Network (HVN) deployment resources.load-balancer.tf
- AWS Application Load Balancer (ALB) deployment resources.logging.tf
- AWS Cloudwatch logging configuration.modules.tf
- AWS ECS task application definitions.network-peering.tf
- HCP and AWS network communication configuration.outputs.tf
- Unique values output after Terraform successfully completes a deployment.providers.tf
- AWS and HCP provider definitions for Terraform.secrets-manager.tf
- AWS Secrets Manager configuration.security-groups
- AWS Security Group port management definitions.variables.tf
- Parameter definitions used to customize unique user environment attributes.vpc.tf
- AWS Virtual Private Cloud (VPC) deployment resources.terraform.tfvars
- Your unique credentials and environment attributes (created in the previous step).
Note
By default, the hcp-consul.tf
file creates a "development" size tier
HCP Cluster. Development tiers are single-server Consul datacenters recommended for testing or evaluation purposes only. For production, we recommend using the "standard" or "plus" tier because each Consul
datacenter will have the recommended three server nodes.
Deploy the HCP + ECS environment
With the Terraform manifest files and your custom credentials file, you are now ready to deploy your infrastructure.
Issue the terraform init
command from your working directory to download the necessary providers and initialize the backend.
Once Terraform has been initialized, you can verify the resources that will
be created using the plan
command.
Finally, you can deploy the resources using the apply
command.
Remember to confirm the run by entering yes
.
Once you confirm, it will take a few minutes to complete the deploy
. Terraform will print the following output if the deployment is successful.
Note
The deploy
could take up to 10 minutes to complete. Feel free to grab a cup of
coffee while waiting for the cluster to complete initialization or learn more about the Raft protocol in a fun, interactive way.
Perform testing procedures
Explore the HCP Portal UI
Once deployed, you can verify that the resources have been created in the HCP portal. Open https://portal.cloud.hashicorp.com in your browser.
Click on the Consul item on the left navigation pane to see the overview for your newly deployed Consul cluster, then select your dc1 cluster to review your cluster details.
On your dc1 cluster detail page, click the Generate Token button to generate an ACL token for your Consul datacenter and copy it to a local text file.
Note
The Terraform script in this tutorial will create a Consul datacenter that is publicly accessible from the internet for ease of use. For production, we recommend using private endpoints.
Access the Consul UI
Once HCP Consul is deployed, you can access the Consul UI by clicking Public from the list of Cluster URLs on the HCP Consul cluster overview page.
This will copy the public IP address to your clipboard. You can now paste this IP address into your browser to access the Consul UI.
HCP Consul is secure by default, so you will need an ACL token to view any data in the UI. Select the login option in the top right corner of the Consul UI, then paste the ACL token you generated in the previous step. This will authorize you to interact with the Consul UI.
Open the menu item labeled Services in the left of the screen. Notice the informational text in service mesh with proxy on each ECS service.
Explore the sample application
One of the ECS service tasks defined in this environment deploys the application fake-service
, a Consul client agent, and an Envoy sidecar proxy in your ECS cluster.
Visit the unique client_lb_address
URL that was output by Terraform after your run to see the deployed fake-service
application.
Notice the lack of communication between the two services. This is due to the deny
by default service mesh communication behavior.
Enable service mesh networking
Consul Intentions are used to control which services may establish connections or make requests.
Open the menu item labeled Intentions in the left of the screen. Click the Create button in the top right to create an intention.
Set the source service as hcp-ecs-example-client-app, the destination service as hcp-ecs-example-server-app, both namespace fields as default, and communication behavior to Allow. Click the Save button in the bottom left once complete.
Revisit your fake-service
application at the unique client_lb_address
URL that was output by Terraform after your run. Notice that the two services are now able to communicate with each other.
You have successfully deployed a serverless environment across ECS and HCP using Terraform. Within this environment, you enabled service mesh communication with Consul intentions.
Destroy resources
Use the terraform destroy
command to clean up the resources you created.
Remember to confirm by entering yes
.
Once you confirm, it will take a few minutes to complete the removal. Terraform will print the following output if the command is successful.
Next steps
In this tutorial you learned how to deploy a fully-managed service mesh with AWS Elastic Container Service (ECS) and HashiCorp Cloud Platform (HCP) with Terraform. With Terraform, you accomplished this task using the Terraform HCP and AWS providers. You also learned how to enable service mesh communication between services using Consul intentions.
You can find the full documentation for the HashiCorp Cloud Platform and AWS providers in the Terraform registry documentation.
To get additional hands-on experience with Consul's service discovery and service mesh features, you can follow these guides to connect a Consul client deployed in a virtual machine or on Elastic Kubernetes Service (EKS).
If you encounter any issues, please contact the HCP team at support.hashicorp.com.