
I have a terraform setup that deploys successfully without error. It uses Github actions, but I don't think that matters.

It creates an ECS-EC2 cluster. I'm using an ECS-Optimized AMI (have verified it in the console), have an internet gateway with the right things in the route table, but the service does not place a task... in the console, I see:

No Container Instances found in your cluster

As far as I can tell, I've jumped through all the hoops. My code is here: https://gist.github.com/afisher-stelligent/efbbb32debef3f2eae4b61957f225c44

Any pointers would be appreciated. Been banging my head on this quite a bit. Have tried suggestions here, here, and several other places.

Stranger still, if I drill down far enough, it says I have no ec2 instances registered to my cluster.

Update #1

I ran the AWS Systems Manager runbook for Troubleshooting ECS Issues (AWSSupport-TroubleshootECSContainerInstance)... it pointed out that my VPC Endpoints were not allowing traffic, which is strange because I have an ingress rule from the private subnets properly configured.

I changed the inbound CIDR block to 0.0.0.0/0 and I now get errors about log group creation. Which is progress. But not super secure.

  • The `container_name = "myapp"` and the `"name": "my-app"` have to match I think. – Marko E Sep 26 '22 at 18:57
  • Thanks, yeah, that was me sanitizing my code for posting. Everything matches in the actual TF – Allen Fisher Sep 26 '22 at 19:28
  • I did discover I was using an ID instead of an ARN in one place and that did not fix the issue – Allen Fisher Sep 26 '22 at 19:29
  • 1
    I would suggest to ensure that when you "sanitizing" your code, you do not actually make it worse then it is. Otherwise its unlikely you will find an answer to your issue. – Marcin Sep 27 '22 at 00:32
  • Yeah Sorry... I'm usually much, much better about that... I didn't do my normal findall when I post code – Allen Fisher Sep 27 '22 at 14:42

1 Answer


Turns out the problem was the Security Group for the ECS cluster. It was using dynamic port mapping and the ephemeral ports weren't open. Adding an ingress rule to cover them was the ticket.

```hcl
# Ingress rule on the ECS container instance security group.
# With dynamic host port mapping, ECS binds each task to a port in the
# instance's ephemeral range, so the load balancer must be able to reach
# that whole range, not just the container's listening port.
ingress {
  description = "Allow ephemeral ports"
  from_port   = 49153
  to_port     = 65535
  protocol    = "tcp"
  cidr_blocks = [var.cidr_block]
}
```
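The fix above hinges on the container instance security group covering the whole ECS ephemeral range (49153–65535/tcp), and the question's Update #1 shows how easy it is to "fix" that by opening 0.0.0.0/0 instead. The following added check (example code, not from the gist or the answer) takes ingress rules in the shape of EC2 DescribeSecurityGroups `IpPermissions`, reports whether the range is fully covered, and flags when the covering rule is world-open; the sample rules and the `sg-0alb00000000example` id are constructed.

```python
"""Check whether a security group's ingress rules cover the ECS dynamic
(ephemeral) port range used by dynamic host port mapping.

Input mirrors EC2 DescribeSecurityGroups 'IpPermissions'; all sample
data below is constructed, not taken from a real account."""

EPHEMERAL_LO, EPHEMERAL_HI = 49153, 65535  # range from the Terraform fix above


def _covers_tcp(perm: dict) -> bool:
    """True if one rule allows TCP (or all protocols) across the whole range.
    Split ranges spread over several rules are deliberately not merged."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all traffic, all ports
        return True
    if proto != "tcp":
        return False
    return (perm.get("FromPort", 0) <= EPHEMERAL_LO
            and perm.get("ToPort", -1) >= EPHEMERAL_HI)


def check_ephemeral_ingress(ip_permissions: list[dict]) -> dict:
    """Return coverage status plus the CIDR and security-group sources granting it.

    'open_to_world' is set when coverage comes from 0.0.0.0/0 or ::/0, the
    configuration the question's author called 'not super secure'."""
    cidrs, sgs = [], []
    for perm in ip_permissions:
        if not _covers_tcp(perm):
            continue
        cidrs += [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        sgs += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
    return {
        "covered": bool(cidrs or sgs),
        "open_to_world": any(c in ("0.0.0.0/0", "::/0") for c in cidrs),
        "cidr_sources": cidrs,
        "sg_sources": sgs,
    }


# Constructed sample: only the container port open, as in the failing setup.
SG_BEFORE = [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
              "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]
# Constructed sample: ephemeral range opened only from the load balancer's SG
# (hypothetical id), the least-privilege alternative to a CIDR rule.
SG_AFTER = SG_BEFORE + [{"IpProtocol": "tcp", "FromPort": 49153, "ToPort": 65535,
                        "UserIdGroupPairs": [{"GroupId": "sg-0alb00000000example"}]}]

if __name__ == "__main__":
    print(check_ephemeral_ingress(SG_BEFORE))  # covered: False
    print(check_ephemeral_ingress(SG_AFTER))   # covered: True, open_to_world: False
```

Pointing the rule at the load balancer's security group rather than a CIDR keeps the ephemeral range reachable only from the path ECS actually uses.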