将 efs 卷添加到 ecs fargate

Question

我想将 EFS 与 Fargate 一起使用，但任务启动时出现此错误：

ResourceInitializationError: failed to invoke EFS utils commands to set up EFS volumes: stderr: Failed to resolve "fs-xxxxx.efs.eu-west-1.amazonaws.com" - check that your file system ID is correct

我已经检查了文件系统 ID，它是正确的...如何获得有关此错误的更多信息？ 会不会和安全组有关？

这是我在 terraform 中使用的代码，我为两个可用区使用了两个挂载点：

resource "aws_efs_file_system" "efs_apache" {
}

resource "aws_efs_mount_target" "efs-mount" {
  count                     = 2

  file_system_id            = aws_efs_file_system.efs_apache.id
  subnet_id                 = sort(var.subnet_ids)[count.index]
  security_groups           = [aws_security_group.efs.id]
}

resource "aws_efs_access_point" "efs-access-point" {
  file_system_id = aws_efs_file_system.efs_apache.id
}

resource "aws_security_group" "efs" {
  name        = "${var.name}-efs-sg"
  description = "Allow traffic from self"
  vpc_id      = var.vpc_id

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port = 2049
    to_port   = 2049
    protocol  = "tcp"
    security_groups = [aws_security_group.fargate_sg.id]
  }
}

这是 Fargate 服务：

resource "aws_ecs_task_definition" "task_definition" {
  family                    = var.name
  requires_compatibilities  = ["FARGATE"]
  network_mode              = "awsvpc"
  execution_role_arn        = aws_iam_role.task_execution_role.arn
  task_role_arn             = aws_iam_role.task_role.arn
  cpu                       = var.cpu
  memory                    = var.memoryHardLimit
  volume {
    name      = "efs-apache"

    efs_volume_configuration {
      file_system_id = aws_efs_file_system.efs_apache.id
      root_directory = "/"
      transit_encryption      = "ENABLED"

      authorization_config {
        access_point_id = aws_efs_access_point.efs-access-point.id
        iam             = "ENABLED"
      }
    }
  }

  depends_on                = [aws_efs_file_system.efs_apache]

  container_definitions     = <<EOF
    [
      {
        "name": "${var.name}",
        "image": "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com/${lower(var.project_name)}_app:latest",
        "memory": ${var.memoryHardLimit},
        "memoryReservation":  ${var.memorySoftLimit},
        "cpu": ${var.cpu},
        "essential": true,
        "command": [
          "/bin/sh -c \"/app/start.sh"
        ],
        "entryPoint": [
          "sh",
          "-c"
        ],
        "mountPoints": [
          {
            "containerPath": "/var/www/sites_json",
            "sourceVolume": "efs-apache",
            "readOnly": false
          }
        ],
        "portMappings": [
          {
            "containerPort": ${var.docker_container_port},
            "hostPort": ${var.docker_container_port}
          }
        ],
        "logConfiguration": {
            "logDriver": "awslogs",
            "options": {
                "awslogs-group": "${var.name}-Task-LogGroup",
                "awslogs-region": "${data.aws_region.current.name}",
                "awslogs-stream-prefix": "ecs"
            }
        }
      }
    ]
EOF
}

我该如何解决？

Answer 1

确保您已在 VPC 中启用 DNS 解析和 DNS 主机名。 EFS 需要启用这两个选项才能工作，因为它依赖 DNS 主机名来解析连接。这让我停留了一段时间，因为 Internet 上的大多数文档都关注此错误的安全组。

terraform AWS 提供程序资源 aws_vpc 默认设置为 enable_dns_hostnames = false，因此您需要将其显式设置为 true。您的 terraform VPC 配置应如下所示：

resource "aws_vpc" "main" {
cidr_block             = "10.255.248.0/22"
enable_dns_hostnames   = true
}

Answer 2

我花了几个小时调查这个问题，问题是 EFS 没有安装在子网上（aws_efs_mount_target 在 Terraform 脚本中丢失）