Secure Configuration

For a production-ready installation of Consul on ECS, you will need to make sure that the cluster is secured. A secure Consul cluster should include the following:

  1. TLS Encryption for RPC communication between Consul clients and servers.
  2. Gossip Encryption for encrypting gossip traffic.
  3. Access Control (ACLs) for authentication and authorization for Consul clients and services on the mesh.

NOTE: This page assumes that you have already configured your Consul server with the above features.

Deploy ACL Controller

Before deploying your service, you will need to deploy the ACL controller so that it can provision the necessary tokens for tasks on the service mesh. To learn more about the ACL Controller, please see Automatic ACL Token Provisioning.

To deploy the controller, you will first need to store an ACL token with acl:write privileges and a CA certificate for the Consul server in AWS Secrets Manager.

  resource "aws_secretsmanager_secret" "bootstrap_token" {
    name = "bootstrap-token"
  }

  resource "aws_secretsmanager_secret_version" "bootstrap_token" {
    secret_id     = aws_secretsmanager_secret.bootstrap_token.id
    secret_string = "<bootstrap token>"
  }

  resource "aws_secretsmanager_secret" "ca_cert" {
    name = "server-ca-cert"
  }

  resource "aws_secretsmanager_secret_version" "ca_cert" {
    secret_id     = aws_secretsmanager_secret.ca_cert.id
    secret_string = "<CA certificate for the Consul server's HTTPS endpoint>"
  }

Use the acl-controller Terraform module to deploy the controller:

  module "acl_controller" {
    source                            = "hashicorp/consul/aws-ecs//modules/acl-controller"
    consul_bootstrap_token_secret_arn = aws_secretsmanager_secret.bootstrap_token.arn
    consul_server_http_addr           = "https://consul-server.example.com:8501"
    consul_server_ca_cert_arn         = aws_secretsmanager_secret.ca_cert.arn
    ecs_cluster_arn                   = "arn:aws:ecs:my-region:111111111111:cluster/consul-ecs"
    region                            = "my-region"
    subnets                           = ["subnet-abcdef123456789"]
    name_prefix                       = "consul-ecs"
  }

The name_prefix parameter is used to prefix any secrets that the ACL controller will update in AWS Secrets Manager.

NOTE: Make sure that the name_prefix is unique for each ECS cluster where you are deploying this controller.

Deploy Services

Once the ACL controller is up and running, you will be able to deploy services on the mesh using the mesh-task module. Start with the basic configuration for the Task Module and specify additional settings to make the configuration production-ready.

First, you will need to create an AWS Secrets Manager secret for the gossip encryption key that the Consul clients should use.

  resource "aws_secretsmanager_secret" "gossip_key" {
    name = "gossip-encryption-key"
  }

  resource "aws_secretsmanager_secret_version" "gossip_key" {
    secret_id     = aws_secretsmanager_secret.gossip_key.id
    secret_string = "<Gossip encryption key>"
  }

Next, add the following configurations to enable secure deployment. Note that the acl_secret_name_prefix should be the same as the name_prefix you provide to the ACL controller module.

  module "my_task" {
    source                         = "hashicorp/consul/aws-ecs//modules/mesh-task"
    family                         = "my_task"
    ...
    tls                            = true
    consul_server_ca_cert_arn      = aws_secretsmanager_secret.ca_cert.arn
    gossip_key_secret_arn          = aws_secretsmanager_secret.gossip_key.arn
    acls                           = true
    consul_client_token_secret_arn = module.acl_controller.client_token_secret_arn
    acl_secret_name_prefix         = "consul-ecs"
  }
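As an added example that is not part of the original page or the consul-ecs modules, the following ties the two module configurations above together so that name_prefix and acl_secret_name_prefix cannot drift apart, and generates the gossip key in Terraform instead of pasting it into source. It uses only the module inputs shown on this page and assumes the bootstrap_token and ca_cert secrets from the ACL controller section already exist; the local name, the hashicorp/random provider usage and the placeholder addresses and ARNs are assumptions.

```hcl
# Added example, not from the Consul on ECS documentation. The module inputs
# are those shown on this page; local names, the hashicorp/random provider
# usage, and the placeholder addresses/ARNs are assumptions.

locals {
  # Single source of truth: the controller prefixes the secrets it writes
  # with this, and every mesh-task must look them up with the same prefix.
  acl_prefix = "consul-ecs"
}

# Generate a 32-byte gossip key (Consul accepts base64 of 16, 24 or 32 bytes)
# so the key is never committed to source. It is still recorded in Terraform
# state, so the state backend must be encrypted and access-controlled.
resource "random_id" "gossip_key" {
  byte_length = 32
}

resource "aws_secretsmanager_secret" "gossip_key" {
  name = "gossip-encryption-key"
}

resource "aws_secretsmanager_secret_version" "gossip_key" {
  secret_id     = aws_secretsmanager_secret.gossip_key.id
  secret_string = random_id.gossip_key.b64_std
}

module "acl_controller" {
  source                            = "hashicorp/consul/aws-ecs//modules/acl-controller"
  consul_bootstrap_token_secret_arn = aws_secretsmanager_secret.bootstrap_token.arn
  consul_server_http_addr           = "https://consul-server.example.com:8501"
  consul_server_ca_cert_arn         = aws_secretsmanager_secret.ca_cert.arn
  ecs_cluster_arn                   = "arn:aws:ecs:my-region:111111111111:cluster/consul-ecs"
  region                            = "my-region"
  subnets                           = ["subnet-abcdef123456789"]
  name_prefix                       = local.acl_prefix
}

module "my_task" {
  source                         = "hashicorp/consul/aws-ecs//modules/mesh-task"
  family                         = "my_task"
  # ... other mesh-task inputs from the basic configuration go here
  tls                            = true
  consul_server_ca_cert_arn      = aws_secretsmanager_secret.ca_cert.arn
  gossip_key_secret_arn          = aws_secretsmanager_secret.gossip_key.arn
  acls                           = true
  consul_client_token_secret_arn = module.acl_controller.client_token_secret_arn
  # Same local as name_prefix above, so the lookup cannot drift.
  acl_secret_name_prefix         = local.acl_prefix
}
```

Because the controller's output client_token_secret_arn is referenced by the task module, Terraform also orders the deployment so the controller exists before the task that depends on its token.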

Now you can deploy your services! Follow the rest of the steps in the Installation instructions to deploy and connect your services.