tb_pulumi.fargate¶

Infrastructural patterns related to AWS Fargate.

class tb_pulumi.fargate.AutoscalingFargateCluster(name: str, project: ~tb_pulumi.ThunderbirdPulumiProject, subnets: list[~pulumi_aws.ec2.subnet.Subnet], autoscalers: dict = {}, cluster: dict = {}, container_security_groups: dict[slice(<class 'str'>, <class 'dict'>, None)] = {}, listeners: dict[str, dict] = {}, load_balancer_security_groups: dict[str, dict] = {}, load_balancers: dict = {}, secrets: dict[str, list] = {}, services: dict = {}, ssm_params: dict[str, list] = {}, task_definitions: dict = {}, targets: dict = {<class 'dict'>, <class 'str'>}, opts: ~pulumi.resource.ResourceOptions = None)¶

Bases: ThunderbirdComponentResource

Pulumi Type: tb:fargate:AutoscalingFargateCluster

Builds a Fargate cluster with a variety of ways to customize services, load balancing, and autoscaling. Sends logs to CloudWatch.

The naming of keys in this configuration is significant. The parameters listed below detail this fact. In short, you will define by name a series of services that live in your cluster. The services bind together a collection of resources which operate together to make functional, load balanced, autoscaling services.

A service is bound to a single task definition which defines what containers will run in the task, what their environments look like, what ports they expose, etc. It is also associated with a single load balancer that routes traffic to your containers. This is done by associating targets (ports on containers) with listeners (servers that accept traffic from originating sources and route it according to rules which determine its target).

Produces the following resources:

autoscalers - Dict of tb_pulumi.autoscale.EcsServiceAutoscaler s created, organized in the same structure as the autoscalers parameter.

cluster - The aws.ecs.Cluster running the defined services.

container_security_groups - Dict of tb_pulumi.network.SecurityGroupWithRules resources in the same structure as the container_security_groups parameter.

execution_role_policies - Dict where the keys are names of services and the values are aws.iam.Policy resources defining permissions that ECS has when launching tasks for that service.

execution_roles - Dict where the keys are names of services and the values are aws.iam.Role s for ECS to use when launching tasks for that service.

listeners - A dict containing aws.lb.Listener s in the same structure as the listeners parameter.

load_balancer_security_groups - A dict containing tb_pulumi.network.SecurityGroupWithRules resources in the same structure as the load_balancer_security_groups parameter.

load_balancers - A dict containing aws.lb.LoadBalancer s in the same structure as the load_balancers parameter.

log_groups - A dict where the keys are names of services and the values are aws.cloudwatch.LogGroup s.

services - A dict where the keys are names of services and the values are aws.ecs.Service s.

target_groups - A dict of aws.lb.TargetGroup s in the same structure as the targets parameter.

task_definitions - A dict where the keys are names of services and the values are the aws.ecs.TaskDefinition s created for those services.

Parameters:

name (str) – A string identifying this set of resources.
project (tb_pulumi.ThunderbirdPulumiProject) – The ThunderbirdPulumiProject to add these resources to.
subnets (list[aws.ec2.Subnet]) – A list of aws.ec2.Subnet s to build Fargate containers on. There must be at least one subnet to use.
autoscalers (dict, optional) – A dict where the keys are names of services you wish to autoscale and the values are valid parameters for a tb_pulumi.autoscale.EcsServiceAutoscaler. Do not provide the service option, as this will be implied by the key name. Defaults to {}.
cluster (dict, optional) –
A dict where the keys are inputs to an aws.ecs.Cluster resource. Describes the cluster which will house these services. Defaults to {}.
container_security_groups (_type_, optional) – A nested dict describing the security groups which will be used by a service’s containers to allow access exclusively from a load balancer. At the top level, the keys are names of services and the values are dicts. Those dicts’ keys are the names of the load_balancers these containers will allow access from, and their keys are valid parameters for a tb_pulumi.network.SecurityGroupWithRules. Do not supply any ingress source options. This class will automatically specify the load balancer’s security group as the only valid source. Defaults to {}.
listeners (dict[str, dict], optional) –
A nested dict describing your load balancers’ listeners and which targets they point to. At the top level, the keys are names of load balancers and the values are other dicts. Those dicts’ keys are the names of targets, and their values are inputs to an aws.lb.Listener resource. Defaults to {}.
load_balancer_security_groups (dict[str, dict], optional) – A dict where the keys are the names of load balancers and the values are parameters for a tb_pulumi.network.SecurityGroupWithRules. The ingress rules here define what is allowed to make calls to the load balanced service. Defaults to {}.
load_balancers (dict, optional) –
A dict where the keys are names you give to load balancers (as they will be referenced throughout this config) and the values are inputs to aws.lb.LoadBalancer s. There should be one load balancer defined for each service. If your service exposes multiple ports, you should add additional targets for those ports and additional listeners to the load balancer aimed at those targets. Defaults to {}.
secrets (dict[str, list], optional) – A dict where the keys are names of services and the values are lists of Secrets Manager secret ARNs. These are the secrets which are required for launching the service’s task. If your service’s task definition defines a container with a secrets-based environment variable, then you will need to list the ARN or an IAM-compatible ARN pattern here to grant that access to ECS at launch time. Defaults to {}.

services (dict, optional) –

A dict where the keys are the names of services (as they will be referenced throughout this configuration) and the values are dicts with a specific mapping:

services:
    service_name:
        assign_public_ip: yes|no  # "yes" required for containers to talk to the internet
        container_name: |
          "Name of a container in a task definition's ``container_definitions`` to route traffic to"
        container_port: "Port to route traffic to on the container."
        load_balancer: "Name of the load balancer routing traffic for this service"
        service: |
          "Dict of additional options to pass to the aws.ecs.Service resource constructor."
        target: |
          "Name of the target defined for this port"

Defaults to {}.

ssm_params (dict[str, list], optional) – A dict where the keys are names of services and the values are lists of AWS Systems Manager parameter ARNs. These are the SSM parameters which are required for launching the service’s task. If your service’s task definition defines a container with an SSM-based “secret” environment variable, then you will need to list the ARN or an IAM-compatible ARN pattern here to grant that access to ECS at launch time. Defaults to {}.
task_definitions (dict, optional) –
A dict where the keys are names of services (each service has exactly one task definition) and the keys are inputs to an aws.ecs.TaskDefinition resource. Defaults to {}.
targets (dict, optional) – A dict where the keys are the names for target groups (as they will be referenced throughout this configuration) and the values are inputs to an aws.ecs.TargetGroup resource. Defaults to {}.
opts (pulumi.ResourceOptions, optional) – Additional pulumi.ResourceOptions to apply to these resources. Defaults to None.

Raises:

IndexError – When no subnets are provided to place containers in.

class tb_pulumi.fargate.FargateClusterWithLogging(name: str, project: ThunderbirdPulumiProject, subnets: list[str], assign_public_ip: bool = False, build_load_balancer: bool = True, container_security_groups: list[str] = [], desired_count: int = None, ecr_resources: list = ['*'], enable_container_insights: bool = False, health_check_grace_period_seconds: int = None, internal: bool = True, key_deletion_window_in_days: int = 7, load_balancer_security_groups: list[str] = [], services: dict = {}, task_definition: dict = {}, opts: ResourceOptions = None, **kwargs)¶

Bases: ThunderbirdComponentResource

Pulumi Type: tb:fargate:FargateClusterWithLogging

Builds a Fargate cluster running a variable number of tasks. Logs from these tasks will be sent to CloudWatch.

Produces the following resources:

cluster - The aws.ecs.Cluster.

log_group - aws.cloudwatch.LogGroup where these tasks send their logs.

log_key - aws.kms.Key used to encrypt log contents.

fargate_service_alb - tb_pulumi.fargate.FargateServiceAlb balancing traffic between these tasks.

policy_exec - aws.iam.Policy allowing the service access to other resources needed to launch tasks.

policy_log_sending - aws.iam.Policy allowing tasks to send logs to their log group.

service - aws.ecs.Service managing the tasks.

task_role - aws.iam.Role used for executing tasks in this cluster.

task_definition - aws.ecs.TaskDefinition describing the properties of the tasks being managed.

Parameters:

name (str) – A string identifying this set of resources.
project (tb_pulumi.ThunderbirdPulumiProject) – The ThunderbirdPulumiProject to add these resources to.
subnets (list[str]) – A list of subnet IDs to build Fargate containers on. There must be at least one subnet to use.
assign_public_ip (bool, optional) – When True, containers will receive Internet-facing network interfaces. Must be enabled for Fargate-backed containers to talk out to the net. Defaults to False.
build_load_balancer (bool, optional) – When True, an Application Load Balancer will be created to route traffic to your Fargate containers. Defaults to True.
container_security_groups (list[str], optional) – List of security group IDs which will attach to the containers/tasks running in this cluster. Defaults to [].
desired_count (int, optional) – The number of containers the service should target to run. Defaults to 1.
ecr_resources (list, optional) – The containers will be granted permissions to pull images from ECR. If you would like to restrict these permissions, supply this argument as a list of ARNs as they would appear in an IAM Policy. Defaults to [‘*’].
enable_container_insights (bool, optional) – When True, enables advanced CloudWatch metrics collection. Defaults to False.
health_check_grace_period_seconds (int, optional) – Time to wait for a container to come online before attempting health checks. This can be used to prevent accidental health check failures. Defaults to None.
internal (bool, optional) – Whether traffic should be accepted from the Internet (False) or not (True). Defaults to True.
key_deletion_window_in_days (int, optional) – Number of days after the KMS key is deleted that it will be recoverable. If you need to forcibly delete a key, set this to 0. Defaults to 7.
load_balancer_security_groups (list[str], optional) – List of security group IDs which will attach to the load balancers created for these services.

services (dict, optional) –

A dict defining the ports to use when routing requests to each service. The keys should be the name of the service as described in a container definition. The values should be dicts supporting the options shown below. If no listenter_port is specified, the container_port will be used. The container_name is the name of a container as specified in a container definition which can receive this traffic.

{'web_portal': {
    'container_port': 8080,
    'container_name': 'web_backend',
    'listener_cert_arn': 'arn:aws:acm:region:account:certificate/id',
    'listener_port': 443,
    'listener_proto': 'HTTPS',
    'name': 'Arbitrary name for the ALB; must be unique and no longer than 32 characters.',
    'health_check': {
        # Keys match parameters listed here:
        # https://www.pulumi.com/registry/packages/aws/api-docs/alb/targetgroup/#targetgrouphealthcheck
    }
}}

Defaults to {}.

task_definition (dict, optional) – A dict representing an ECS task definition. Defaults to {}.
opts (pulumi.ResourceOptions, optional) – Additional pulumi.ResourceOptions to apply to these resources. Defaults to None.
kwargs – Any other keyword arguments which will be passed as inputs to the ThunderbirdComponentResource superconstructor.

Raises:

IndexError – Thrown if the list of subnets is empty.

task_definition(task_def: dict, family: str, log_group_name: str, aws_region: str, tags: dict, task_role_arn: str, dependencies: list[Resource] = []) → TaskDefinition¶

Returns an ECS task definition resource.

Parameters:

task_def (dict) – A dict defining the task definition template which needs modification.
family (str) – A unique name for the task definition.
log_group_name (str) – Name of the log group to ship logs to.
aws_region (str) – AWS region to build in.
tags (dict, optional) – Key/value pairs to merge with the default tags which get applied to all resources in this group. Defaults to {}.
task_role_arn (str) – ARN of the IAM role the task will run as.
dependencies (list[pulumi.Resource]) – List of Resources this task definition is dependent upon.

Returns:

A TaskDefinition Resource

Return type:

aws.ecs.TaskDefinition

class tb_pulumi.fargate.FargateServiceAlb(name: str, project: ThunderbirdPulumiProject, subnets: list[Output], internal: bool = True, security_groups: list[str] = [], services: dict = {}, opts: ResourceOptions = None, **kwargs)¶

Bases: ThunderbirdComponentResource

Pulumi Type: tb:fargate:FargateServiceAlb

Builds an ALB with all of its constituent components to serve traffic for a set of ECS services. ECS does not allow reuse of a single ALB with multiple listeners, so if there are multiple services, multiple ALBs will be constructed.

Produces the following resources:

albs - Dict where the keys match the keys of the services parameter and the values are the aws.lb.LoadBalancers created for those services.

listeners - Dict where the keys match the keys of the services parameter and the values are the aws.lb.Listeners created for the load balancers for those services.

target_groups - Dict where the keys match the keys of the services parameter and the values are the aws.lb.TargetGroups created for the listeners for those services. Importantly, Fargate services manage their own targets, so this module does not track any target group attachments.

Parameters:

name (str) – A string identifying this set of resources.
project (tb_pulumi.ThunderbirdPulumiProject) – The ThunderbirdPulumiProject to add these resources to.
subnets (list[pulumi.Output]) – A list of subnet resources (pulumi outputs) to attach the ALB to.
internal (bool, optional) – Whether traffic should be accepted from the Internet (False) or not (True). Defaults to True.
security_groups (list[str], optional) – A list of security group IDs to attach to the load balancer. Defaults to [].

services (dict, optional) –

{'web_portal': {
    'container_port': 8080,
    'container_name': 'web_backend',
    'listener_cert_arn': 'arn:aws:acm:region:account:certificate/id',
    'listener_port': 443,
    'listener_proto': 'HTTPS',
    'name': 'Arbitrary name for the ALB; must be unique and no longer than 32 characters.',
    'health_check': {
        # Keys match parameters listed here:
        # https://www.pulumi.com/registry/packages/aws/api-docs/alb/targetgroup/#targetgrouphealthcheck
    }
}}

Defaults to {}.

opts (pulumi.ResourceOptions, optional) – Additional pulumi.ResourceOptions to apply to these resources. Defaults to None.
kwargs – Any other keyword arguments which will be passed as inputs to the ThunderbirdComponentResource superconstructor.