Apply suggestions from code review

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
This commit is contained in:
trujillo-adam 2022-06-20 13:53:48 -07:00 committed by GitHub
parent f6d0220af8
commit c779d224e2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 26 additions and 26 deletions

View File

@ -11,7 +11,7 @@ You can run Consul Enterprise on ECS by specifying the Consul Enterprise Docker
## Specify the Consul image
When instantiating the [`mesh-task`](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/mesh-task) or [`gateway-task`](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/gateway-task) module,
When you set up an instance of the [`mesh-task`](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/mesh-task) or [`gateway-task`](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/submodules/gateway-task) module,
set the parameter `consul_image` to a Consul Enterprise image. The following example instructs the `mesh-task` module to import Consul Enterprise version 1.12.0:
```hcl
@ -63,10 +63,10 @@ If client support is required for any of the features, then you must use a Consu
Consul on ECS supports [admin partitions](/docs/enterprise/admin-partitions) and [namespaces](/docs/enterprise/namespaces) when Consul Enterprise servers and clients are used. These features have the following requirements:
* ACLs must be enabled.
* ACL controller must run in the ECS cluster.
* `mesh-tasks` must use a Consul Enterprise client image.
* `gateway-task`s must use a Consul Enterprise client image.
- ACLs must be enabled.
- ACL controller must run in the ECS cluster.
- `mesh-task` must use a Consul Enterprise client image.
- `gateway-task` must use a Consul Enterprise client image.
The ACL controller automatically manages ACL policies and token provisioning for clients and services on the service mesh.
It also creates admin partitions and namespaces if they do not already exist.
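Review bot: the third bullet drops the article ("ACL controller must run in the ECS cluster") while the sentence that follows the list says "The ACL controller"; for parallel wording change it to "- The ACL controller must run in the ECS cluster." The singularization of `mesh-task` and `gateway-task` in the last two bullets is correct, since both are module names rather than plural nouns.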

View File

@ -7,7 +7,7 @@ description: >-
# Manual Installation
The following instructions describe how to manually create the ECS task definition using the [`consul-ecs` Docker image](https://gallery.ecr.aws/hashicorp/consul-ecs) without Terraform. Refer to the [Consul ECS Terraform module](/docs/ecs/terraform/install) documentation for an alternative method for installing Consul on ECS.
The following instructions describe how to use the [`consul-ecs` Docker image](https://gallery.ecr.aws/hashicorp/consul-ecs) to manually create the ECS task definition without Terraform. If you prefer to use Terraform, refer to [Consul ECS Terraform module](/docs/ecs/terraform/install).
If you intend to peer the service mesh to multiple Consul datacenters or partitions, you must use the Consul ECS Terraform module to install your service mesh on ECS. Manually configuring mesh gateways without using the `gateway-task` Terraform module is not supported.
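Review bot: "If you prefer to use Terraform, refer to [Consul ECS Terraform module](/docs/ecs/terraform/install)." reads as a fragment now that the removed line's "documentation" is gone; suggest "refer to the [Consul ECS Terraform module](/docs/ecs/terraform/install) documentation." so the link text sits inside a full noun phrase.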
@ -19,12 +19,12 @@ You should have some familiarity with AWS ECS. See [What is Amazon Elastic Conta
## Task Definition
Create a task definition configured to create the containers:
Configure a task definition that creates the containers:
* Your application container
* An Envoy sidecar-proxy container
* A Consul client container
* A `consul-ecs-mesh-init` container for service mesh setup
- Your application container
- An Envoy sidecar-proxy container
- A Consul client container
- A `consul-ecs-mesh-init` container for service mesh setup
* (Optional) A `consul-ecs-health-sync` container to sync ECS health checks into Consul
## Top-level fields
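Review bot: the bullet-marker change is incomplete: the four items above were switched from `*` to `-`, but the unchanged context line "* (Optional) A `consul-ecs-health-sync` container to sync ECS health checks into Consul" still uses `*`. CommonMark treats a change of bullet character as the start of a new list, so the optional item would render as a separate list below the other four; change it to "- (Optional) A `consul-ecs-health-sync` container ..." in the same commit.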

View File

@ -13,11 +13,11 @@ This topic describes how to enable Consul security features for your production
The following features must be configured for your Consul server cluster:
* [TLS encryption](/docs/security/encryption#rpc-encryption-with-tls) for RPC communication between Consul clients and servers.
* [Gossip encryption](/docs/security/encryption#gossip-encryption) for encrypting gossip traffic.
* [Access control lists (ACLs)](/docs/security/acl) for authentication and authorization for Consul clients and services on the mesh.
- [TLS encryption](/docs/security/encryption#rpc-encryption-with-tls) for RPC communication between Consul clients and servers.
- [Gossip encryption](/docs/security/encryption#gossip-encryption) for encrypting gossip traffic.
- [Access control lists (ACLs)](/docs/security/acl) for authentication and authorization for Consul clients and services on the mesh.
You should already have followed the [installation instructions](/docs/ecs/manual/install) to understand how to define the necessary components of the task definition for Consul on ECS.
You should already have followed the [manual installation instructions](/docs/ecs/manual/install) to define the necessary components of the task definition for Consul on ECS.
You should be familiar with [specifying sensitive data](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html) on ECS.
@ -36,7 +36,7 @@ This section describes how to manually create ACL tokens. You can install the AC
### Define policies
Confiture the following ACL policy for the Consul client token:
Configure the following ACL policy for the Consul client token:
```hcl
node_prefix "" {
@ -58,12 +58,12 @@ If you intend to create a gateway for connecting multiple Consul datacenters, yo
Mesh gateways must run in the default namespace.
```hcl
namespace "default" { // If namespaces enabled
namespace "default" { ## If namespaces enabled
service "<Service Name>" {
policy = "write"
}
}
namespace_prefix "" { // If namespaces enabled
namespace_prefix "" { ## If namespaces enabled
service_prefix "" {
policy = "read"
}
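Review bot: `//` was already a valid HCL comment marker, and the replacement `##` only parses because the first `#` opens the comment; the idiomatic single-line marker in HCL (and what `terraform fmt` emits) is a single `#`, e.g. `namespace "default" { # If namespaces enabled` and `namespace_prefix "" { # If namespaces enabled`. The same applies to the terminating gateway and ingress gateway policy blocks further down in this file, which make the identical `//` to `##` change.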
@ -78,8 +78,8 @@ agent_prefix "" {
#### Terminating gateway policy
```hcl
partition "<partition>" { // If partitions enabled
namespace "<namespace>" { // If namespaces enabled
partition "<partition>" { ## If partitions enabled
namespace "<namespace>" { ## If namespaces enabled
service "<Service Name>" {
policy = "write"
}
@ -93,8 +93,8 @@ partition "<partition>" { // If partitions enabled
#### Ingress gateway policy
```hcl
partition "<partition>" { // If partitions enabled
namespace "<namespace>" { // If namespaces enabled
partition "<partition>" { ## If partitions enabled
namespace "<namespace>" { ## If namespaces enabled
service "<Service Name>" {
policy = "write"
}
@ -114,12 +114,12 @@ partition "<partition>" { // If partitions enabled
Create the Consul client token and the service tokens after adding the necessary policies. Service tokens should be associated with a service identity. The service identity includes `service:write` permissions for the service and sidecar proxy.
You can create tokens using the [`consul acl token create`](/commands/acl/token/create) command or the [`[PUT] /v1/acl/token`](/api-docs/acl/tokens#create-a-token) API endpoint.
The following example shows how to use the Consul CLI to create a service token for a service named example-client-app:
The following example shows how to use the Consul CLI to create a service token for a service named `example-client-app`:
```shell-session
$ consul acl token create -service-identity=example-client-app ...
```
You will need to create one service token for each registered Consul service in ECS, including when new services are added to the service mesh.
You need to create one service token for each registered Consul service in ECS. When you add new services to the service mesh, you must create new tokens for each service.
## Secret storage
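Review bot: the rewritten closing sentence repeats "each service" twice ("one service token for each registered Consul service ... create new tokens for each service"); suggest "You need one service token for each Consul service registered in ECS, so create a new token whenever you add a service to the mesh." Separately, the `consul acl token create -service-identity=example-client-app ...` example elides the remaining flags while the lead-in says it "shows how to" create the token; since readers copy these blocks, consider saying which flags are omitted or linking the reference for them.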

View File

@ -66,7 +66,7 @@ module "acl_controller" {
```
The `name_prefix` parameter is used to prefix any secrets that the ACL controller will
update in AWS Secrets Manager. The `name_prefix` parameter value must be unique for each ECS cluster where you are deploying this controller.
update in AWS Secrets Manager. The `name_prefix` parameter value must be unique for each ECS cluster where you deploy this controller.
## Deploy your services
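Review bot: tense is now inconsistent within this paragraph: the unchanged first line still says "any secrets that the ACL controller will update" while the edited line changes "where you are deploying" to "where you deploy"; change "will update" to "updates" so the whole paragraph reads in the present tense the rest of the commit adopts.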
@ -74,7 +74,7 @@ Follow the instructions described in [Create a task definition](/docs/ecs/terraf
### Create an AWS Secrets Manager secret
The secret stores the gossip encryption key that the Consul clients will use.
The secret stores the gossip encryption key that the Consul clients use.
<CodeBlock>