You need to have an ECS cluster running with at least one EC2 instance.
You need to know the (private) Subnet-IDs where you want to place the agent and extension tasks.
The security group used by the ec2 instances need to allow inbound traffic to the extension-host and extension-container (ports 8085 and 8086) as they are running as daemon service using the host network.
The agent needs some permissions to be able to look up extensions running in the cluster. Create a IAM role for the agent task with the following permissions:
aws iam create-role --role-name steadybit-agent-task-role --assume-role-policy-document file://steadybit-agent-role-trust-policy.json
aws iam put-role-policy --role-name steadybit-agent-task-role --policy-name steadybit-agent-extension-lookup --policy-document file://steadybit-agent-role-permissions.json
If you like to install the extension-aws you need to create a new IAM role with the following permissions. Please have a look at the extension documentation for the latest list of required permissions.
aws iam create-role --role-name steadybit-extension-aws-task-role --assume-role-policy-document file://steadybit-agent-role-trust-policy.json
aws iam put-role-policy --role-name steadybit-extension-aws-task-role --policy-name steadybit-extension-aws --policy-document file://steadybit-extension-aws-role-permissions.json
Replace all placeholders in the JSON files with your values. All placeholders are prefixed with MY-. Take care, the placeholders are used multiple times in the JSON files.
MY-AGENT-KEY: Your agent key
MY-CLUSTER-NAME: The name of your ECS cluster
MY-PLATFORM-URL: The URL of your Steadybit platform, for SaaS use https://platform.steadybit.com
MY-REGION: The AWS region where your ECS cluster is running
Agent - please replace the cluster-name, subnet-ids, and security-group-id with your values. The security group needs to allow outbound traffic to the Steadybit platform and to the extensions (ports 8080-8099).
Extension Host - please replace the cluster-name. The extension will use the host network strategy and use the security groupd and subnets of your ec2 instances.
Extension Container - please replace the cluster-name. The extension will use the host network strategy and use the security groupd and subnets of your ec2 instances.
Extension HTTP - please replace the cluster-name, subnet-ids, and security-group-id with your values. The security group needs to allow inbound traffic to the extension (port 8085) and outbound traffic to all ports/destination you want to reach out with the http checks implemented in the extension.
Extension AWS - please replace the cluster-name, subnet-ids, and security-group-id with your values. The security group needs to allow inbound traffic to the extension (port 8085)
The agent and most of the extensions can be run as an ECS service in Fargate.
However, extension-host and extension-container are not compatible with AWS Fargate because they require access to the underlying compute instance which is not possible with Fargate.
extension-aws can also be used with Fargate and offers some alternative actions to discover and attack ECS resources.
The agent needs some permissions to be able to look up extensions running in the cluster. Create a IAM role for the agent task with the following permissions:
aws iam create-role --role-name steadybit-agent-task-role --assume-role-policy-document file://steadybit-agent-role-trust-policy.json
aws iam put-role-policy --role-name steadybit-agent-task-role --policy-name steadybit-agent-extension-lookup --policy-document file://steadybit-agent-role-permissions.json
Fargate tasks needs a task execution role to be able to write logs. If you don't already have an existing role, you can create one via:
aws iam create-role --role-name steadybit-agent-task-execution-role --assume-role-policy-document file://steadybit-agent-role-trust-policy.json
aws iam attach-role-policy --role-name steadybit-agent-task-execution-role --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
If you like to install the extension-aws you need to create a new IAM role with the following permissions. Please have a look at the extension documentation for the latest list of required permissions.
aws iam create-role --role-name steadybit-extension-aws-task-role --assume-role-policy-document file://steadybit-agent-role-trust-policy.json
aws iam put-role-policy --role-name steadybit-extension-aws-task-role --policy-name steadybit-extension-aws --policy-document file://steadybit-extension-aws-role-permissions.json
Replace all placeholders in the JSON files with your values. All placeholders are prefixed with MY-. Take care, the placeholders are used multiple times in the JSON files.
MY-AGENT-KEY: Your agent key
MY-CLUSTER-NAME: The name of your ECS cluster
MY-PLATFORM-URL: The URL of your Steadybit platform, for SaaS use https://platform.steadybit.com
MY-REGION: The AWS region where your ECS cluster is running
Agent - please replace the cluster-name, subnet-ids, and security-group-id with your values. The security group needs to allow outbound traffic to the Steadybit platform and to the extensions (ports 8080-8099).
Extension HTTP - please replace the cluster-name, subnet-ids, and security-group-id with your values. The security group needs to allow inbound traffic to the extension (port 8085) and outbound traffic to all ports/destination you want to reach out with the http checks implemented in the extension.
Extension AWS - please replace the cluster-name, subnet-ids, and security-group-id with your values. The security group needs to allow inbound traffic to the extension (port 8085)
A: Yes, with ECS Exec, details can be found here, short summary below:
You need to allow update your service to allow it, e.g.: aws ecs update-service --service steadybit-agent --cluster <your-cluster> --enable-execute-command
The task role needs the following permissions:
ssmmessages:CreateControlChannel
ssmmessages:CreateDataChannel
ssmmessages:OpenControlChannel
ssmmessages:OpenDataChannel
The task definition needs to include initProcessEnabled in the linuxParameters, e.g:
After that, you can shell into the agent task with aws ecs execute-command --cluster <your-cluster> --task <your-task-id> --container <container-name> --interactive --command "/bin/bash"
