Amazon Elastic Container Service (ECS)¶
Amazon Elastic Container Service (Amazon ECS) is a fully managed container orchestration service that makes it easy for you to deploy, manage, and scale containerized applications.
Airflow provides operators to run Task Definitions on an ECS cluster.
Prerequisite Tasks¶
To use these operators, you must do a few things:
Create necessary resources using AWS Console or AWS CLI.
Install API libraries via pip.
pip install 'apache-airflow[amazon]'
Detailed information is available Installation
Operators¶
Run a task definition¶
To run a Task Definition defined in an Amazon ECS cluster you can use
EcsOperator
.
You need to have created your ECS Cluster, and have created a Task Definition before you can use this Operator. The Task Definition contains details of the containerized application you want to run.
This Operator support running your containers in ECS Clusters that are either Serverless (FARGATE), via EC2,
or via external resources (EXTERNAL).
The parameters you need to configure for this Operator will depend upon which launch_type
you want to use.
launch_type="EC2|FARGATE|EXTERNAL"
If you are using AWS Fargate as your compute resource in your ECS Cluster, set the parameter
launch_type
to FARGATE. When using a launch type of FARGATE you will need to providenetwork_configuration
parameters.If you are using EC2 as the compute resources in your ECS Cluster, set the parameter to EC2.
If you have integrated external resources in your ECS Cluster, for example using ECS Anywhere, and want to run your containers on those external resources, set the parameter to EXTERNAL.
hello_world = EcsOperator(
task_id="hello_world",
cluster=os.environ.get("CLUSTER_NAME", "existing_cluster_name"),
task_definition=os.environ.get("TASK_DEFINITION", "existing_task_definition_name"),
launch_type="EXTERNAL|EC2",
aws_conn_id="aws_ecs",
overrides={
"containerOverrides": [
{
"name": "hello-world-container",
"command": ["echo", "hello", "world"],
},
],
},
tags={
"Customer": "X",
"Project": "Y",
"Application": "Z",
"Version": "0.0.1",
"Environment": "Development",
},
awslogs_group="/ecs/hello-world",
awslogs_region="aws-region",
awslogs_stream_prefix="ecs/hello-world-container"
)
hello_world = EcsOperator(
task_id="hello_world",
cluster=os.environ.get("CLUSTER_NAME", "existing_cluster_name"),
task_definition=os.environ.get("TASK_DEFINITION", "existing_task_definition_name"),
launch_type="FARGATE",
aws_conn_id="aws_ecs",
overrides={
"containerOverrides": [
{
"name": "hello-world-container",
"command": ["echo", "hello", "world"],
},
],
},
network_configuration={
"awsvpcConfiguration": {
"securityGroups": [os.environ.get("SECURITY_GROUP_ID", "sg-123abc")],
"subnets": [os.environ.get("SUBNET_ID", "subnet-123456ab")],
},
},
tags={
"Customer": "X",
"Project": "Y",
"Application": "Z",
"Version": "0.0.1",
"Environment": "Development",
},
awslogs_group="/ecs/hello-world",
awslogs_stream_prefix="prefix_b/hello-world-container",
)
Stream logs to AWS CloudWatch¶
To stream logs to AWS CloudWatch, you need to define the parameters below. Using the example above, we would add these additional parameters to enable logging to CloudWatch. You need to ensure that you have the appropriate level of permissions (see next section).
awslogs_group="/ecs/hello-world",
awslogs_region="aws-region",
awslogs_stream_prefix="ecs/hello-world-container"
IAM Permissions¶
You need to ensure you have the following IAM permissions to run tasks via this operator. In this example, the operator will have permissions to run tasks on an ECS Cluster called "cluster a" in a specific AWS region and account.
{
"Effect": "Allow",
"Action": [
"ecs:RunTask",
"ecs:DescribeTasks"
],
"Resource": : [ "arn:aws:ecs:{aws region}:{aws account number}:cluster/{custer a}"
}
If you use the "reattach=True" (the default is False), you need to add further permissions. You need to add the following additional Actions to the IAM policy.
"ecs:DescribeTaskDefinition",
"ecs:ListTasks"
CloudWatch Permissions
If you plan on streaming Apache Airflow logs into AWS CloudWatch, you need to ensure that you have configured the appropriate permissions set.
iam.PolicyStatement(
actions=[
"logs:CreateLogStream",
"logs:CreateLogGroup",
"logs:PutLogEvents",
"logs:GetLogEvents",
"logs:GetLogRecord",
"logs:GetLogGroupFields",
"logs:GetQueryResults"
],
effect=iam.Effect.ALLOW,
resources=[
"arn:aws:logs:{aws region}:{aws account number}:log-group:{aws-log-group-name}:log-stream:{aws-log-stream-name}/\*"
]
)