How do I collect distributed tracing data for ECS/Fargate services with AWS X-Ray?
To collect distributed tracing data for ECS/Fargate services using AWS X-Ray, it’s necessary to set up the X-Ray daemon as a sidecar container within your ECS task definition. Additionally, you must attach the appropriate IAM policies to allow your tasks to write trace data to X-Ray. Below is an example program demonstrating these steps:
- Define the IAM role and policy for the ECS task.
- Create an ECS task definition that includes both the application and the X-Ray daemon containers.
- Configure the ECS service to use this task definition.
Here is the configuration:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Trust policy that lets ECS tasks assume a role
const ecsTasksAssumeRolePolicy = JSON.stringify({
    Version: "2012-10-17",
    Statement: [{
        Action: "sts:AssumeRole",
        Effect: "Allow",
        Principal: {
            Service: "ecs-tasks.amazonaws.com",
        },
    }],
});

// Task execution role: used by ECS itself to pull images and write logs
const ecsTaskExecutionRole = new aws.iam.Role("ecs_task_execution_role", {
    name: "ecsTaskExecutionRole",
    assumeRolePolicy: ecsTasksAssumeRolePolicy,
});
const ecsTaskExecutionRolePolicy = new aws.iam.RolePolicyAttachment("ecs_task_execution_role_policy", {
    role: ecsTaskExecutionRole.name,
    policyArn: "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
});

// Task role: the credentials the containers (including the X-Ray daemon) run with
const ecsTaskRole = new aws.iam.Role("ecs_task_role", {
    name: "ecsTaskRole",
    assumeRolePolicy: ecsTasksAssumeRolePolicy,
});

// IAM Policy for X-Ray
const xrayWritePolicy = new aws.iam.Policy("xray_write_policy", {
    name: "XRayWriteAccess",
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords",
            ],
            Effect: "Allow",
            // These X-Ray write actions do not support resource-level permissions
            Resource: "*",
        }],
    }),
});

// Attach the X-Ray policy to the task role
const xrayPolicyAttachment = new aws.iam.RolePolicyAttachment("xray_policy_attachment", {
    role: ecsTaskRole.name,
    policyArn: xrayWritePolicy.arn,
});

// ECS Task Definition
const app = new aws.ecs.TaskDefinition("app", {
    family: "fargate-task",
    requiresCompatibilities: ["FARGATE"],
    networkMode: "awsvpc",
    cpu: "256",
    memory: "512",
    executionRoleArn: ecsTaskExecutionRole.arn,
    // Without a task role the daemon has no credentials to call X-Ray
    taskRoleArn: ecsTaskRole.arn,
    containerDefinitions: JSON.stringify([
        {
            name: "my-app",
            image: "nginx",
            essential: true,
            portMappings: [{
                containerPort: 80,
                hostPort: 80,
            }],
        },
        {
            name: "xray-daemon",
            image: "amazon/aws-xray-daemon",
            essential: true,
            portMappings: [{
                containerPort: 2000,
                hostPort: 2000,
                protocol: "udp",
            }],
            environment: [{
                name: "AWS_REGION",
                value: "us-west-2",
            }],
        },
    ]),
});

const cluster = new aws.ecs.Cluster("cluster", {name: "my-cluster"});

// ECS Service
const appService = new aws.ecs.Service("app_service", {
    name: "app-service",
    cluster: cluster.id,
    taskDefinition: app.arn,
    desiredCount: 1,
    launchType: "FARGATE",
    networkConfiguration: {
        subnets: [
            "subnet-abc123",
            "subnet-def456",
        ],
        assignPublicIp: true,
    },
});
```
In this example, we defined the IAM permissions that the ECS task needs, including write access to X-Ray. Next, we created an ECS task definition with an application container (`my-app`) and an AWS X-Ray daemon container (`xray-daemon`). Finally, we set up an ECS service to run this task.
This setup configures the ECS/Fargate environment to collect distributed tracing data using AWS X-Ray. Once the service is running, the X-Ray daemon sidecar relays the trace data sent by the application to AWS X-Ray for monitoring and analysis.
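A pre-deployment check for the setup described above, as an added example that is not part of the original page or of Pulumi's code: it lints a task definition and its task-role policy for the X-Ray sidecar pattern. The type and function names, the account ID, the role ARNs and the digest placeholder are constructed for illustration.

```typescript
// Added example: offline lint for an ECS task that runs the X-Ray daemon sidecar.
// Names are hypothetical; inputs mirror the JSON shapes used on this page.
type Container = { name: string; image: string };
type Statement = { Effect: string; Action: string | string[] };
type TaskDef = { executionRoleArn?: string; taskRoleArn?: string; containers: Container[] };

const REQUIRED_ACTIONS = ["xray:PutTraceSegments", "xray:PutTelemetryRecords"];

function allowedActions(statements: Statement[]): string[] {
  const out: string[] = [];
  for (const s of statements) {
    if (s.Effect !== "Allow") continue;
    for (const a of typeof s.Action === "string" ? [s.Action] : s.Action) out.push(a);
  }
  return out;
}

function auditXRayTask(task: TaskDef, taskRoleStatements: Statement[]): string[] {
  const findings: string[] = [];
  const daemon = task.containers.filter(c => c.image.indexOf("aws-xray-daemon") !== -1)[0];
  if (!daemon) findings.push("no X-Ray daemon sidecar");
  // An image reference with no tag or digest resolves to :latest and can change between deploys.
  else if (daemon.image.indexOf(":") === -1) findings.push("daemon image is not pinned");

  // Containers get AWS credentials from the task role; the execution role is only
  // used by ECS itself to pull images and ship logs.
  if (!task.taskRoleArn) findings.push("taskRoleArn is not set");
  else if (task.taskRoleArn === task.executionRoleArn) findings.push("task role is the execution role");

  const allowed = allowedActions(taskRoleStatements);
  for (const need of REQUIRED_ACTIONS) {
    const ok = allowed.some(a => a === need || a === "xray:*" || a === "*");
    if (!ok) findings.push("task role lacks " + need);
  }
  // Flag grants broader than the two write actions the daemon needs.
  for (const a of allowed) if (a.indexOf("*") !== -1) findings.push("wildcard action " + a);
  return findings;
}

// Constructed samples: a task with no task role, and one with a dedicated role.
const weak: TaskDef = { executionRoleArn: "arn:aws:iam::111122223333:role/exec",
  containers: [{ name: "my-app", image: "nginx" },
               { name: "xray-daemon", image: "amazon/aws-xray-daemon" }] };
const fixed: TaskDef = { ...weak, taskRoleArn: "arn:aws:iam::111122223333:role/task",
  containers: [weak.containers[0],
               { name: "xray-daemon", image: "amazon/aws-xray-daemon@sha256:<digest>" }] };
const policy: Statement[] = [{ Effect: "Allow", Action: REQUIRED_ACTIONS }];
console.log(auditXRayTask(weak, []), auditXRayTask(fixed, policy));
```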