ecs: service.serviceConnectConfiguration generates bogus CloudMap namespaces

[franck102]

Describe the bug

This cdk code:

this.cluster = new ecs.Cluster(this, "MyCluster", {
            clusterName: cdk.PhysicalName.GENERATE_IF_NEEDED,
            vpc: this.vpc,
            defaultCloudMapNamespace: {
                name: "passmate.private",
                useForServiceConnect: true,
                type: cloudmap.NamespaceType.DNS_PRIVATE,
                vpc: this.vpc
            },
        });

... and in a different stack:

keycloakContainer.addPortMappings({
            name: "keycloak_http",
            containerPort: this.webPort});
...
this.service = new ecs.FargateService(this, 'Service', {
            cluster: props.cluster,
           ...
            serviceConnectConfiguration: {
                services: [{
                    portMappingName: "keycloak_http",
                    dnsName: "keycloak",
                    port: _keycloakPublicPort,
                }]
            }
        });

generates two namespaces in CloudMap:

Domain name       | Description | Instance discovery                           | Namespace ID
passmate.private | -                   | API calls and DNS queries in VPCs | ns-jfyvbvl33oocytvv
passmate.private | -                   | API calls                                             | ns-pge2n6bdb7z4k72x

The "DNS Queries" contains no services, the second namespace (API calls only) contains the keycloak service defined above.

Expected Behavior

I expected a private DNS entry to be created for the keycloak service, with the DNS name keycloak.passmate.private.

Current Behavior

No DNS record gets created.

The first namespace ("API calls and DNS queries in VPCs") has the expected aws:cloudformation:stack-id, aws:cloudformation:stack-name and aws:cloudformation:logical-id tags.

The second namespace ("API calls" only) which contains the service has a single "AmazonECSManaged" tag.

Reproduction Steps

Create a simple stack with cluster with a default CloudMap namespace & a ServiceConnect-enabled service as described above.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.79.1 (build 2e7f8b7)

Framework Version

"version": "2.79.0",

Node.js Version

v18.3.0

OS

macOS 12.6

Language

Typescript

Language Version

5.0.4

Other information

No response

[pahud]

Hi

I tried this in my environment and looks like it only create one namespace?

export class Demo2Stack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    const vpc = getOrCreateVpc(this);
    const cluster = new ecs.Cluster(this, "MyCluster", {
      clusterName: PhysicalName.GENERATE_IF_NEEDED,
      vpc,
      defaultCloudMapNamespace: {
          name: "passmate.private",
          useForServiceConnect: true,
          type: servicediscovery.NamespaceType.DNS_PRIVATE,
          vpc
      },
    });
    const task = new ecs.FargateTaskDefinition(this, 'Task', {
      cpu: 256,
      memoryLimitMiB: 512,
    });
    task.addContainer('keycloak', {
      image: ecs.ContainerImage.fromRegistry('quay.io/keycloak/keycloak'),
      portMappings: [
        { name: 'keycloak_http', containerPort: 8080 },
      ]
    });
    new ecs.FargateService(this, 'Service', {
      cluster,
      taskDefinition: task,
      serviceConnectConfiguration: {
          services: [{
              portMappingName: "keycloak_http",
              dnsName: "keycloak",
              port: 80,
          }]
      }
    });
  };
};

Resources
[+] AWS::ECS::Cluster MyCluster MyCluster4C1BA579
[+] AWS::ServiceDiscovery::PrivateDnsNamespace MyCluster/DefaultServiceDiscoveryNamespace MyClusterDefaultServiceDiscoveryNamespace4A9016C4
[+] AWS::IAM::Role Task/TaskRole TaskTaskRoleE98524A1
[+] AWS::ECS::TaskDefinition Task Task79114B6B
[+] AWS::ECS::Service Service/Service ServiceD69D759B
[+] AWS::EC2::SecurityGroup Service/SecurityGroup ServiceSecurityGroupC96ED6A7

[pahud]

BTW, if you are building keycloak service on ECS or Fargate, you probably can refer to this aws-sample which does not use cloudmap but JDBC_PING and stickinessCookie instead. It's not perfect but worth a look.

https://github.com/aws-samples/cdk-keycloak/blob/main/src/keycloak.ts

[franck102]

I suspect the issue arises because the cluster and the service are defined in different stacks (see the Fn::ImportValue below)?
Everything indeed looks correct in the generated template - a single private dns namespace in the cluster, and service refers to it by name.
However at deploy time the service configuration causes AWS to instantiate a new namespace instead of reusing the cluster's default one.

Cluster template:

 PassmateCluster89C7783C:
    Type: AWS::ECS::Cluster
    Properties:
      ServiceConnectDefaults:
        Namespace: passmate.private
    Metadata:
      aws:cdk:path: PassmateStack/Infra/PassmateCluster/Resource
  PassmateClusterDefaultServiceDiscoveryNamespace9D590D92:
    Type: AWS::ServiceDiscovery::PrivateDnsNamespace
    Properties:
      Name: passmate.private
      Vpc:
        Ref: PassmateVpcE47AF4D1
    Metadata:
      aws:cdk:path: PassmateStack/Infra/PassmateCluster/DefaultServiceDiscoveryNamespace/Resource

Service template:

KeycloakClusterServiceDC58B5EE:
    Type: AWS::ECS::Service
    Properties:
      Cluster:
        Fn::ImportValue: PassmateStackInfraECB4C246:ExportsOutputRefPassmateCluster89C7783C280B02BA
    ...
      NetworkConfiguration:
        AwsvpcConfiguration:
         ...
      ServiceConnectConfiguration:
        Enabled: true
        Namespace: passmate.private
        Services:
          - ClientAliases:
              - DnsName: keycloak
                Port: 8088
                PortName: keycloak_http
        TaskDefinition:
          Ref: KeycloakClusterTaskDefinitionE5269269

[franck102]

BTW, if you are building keycloak service on ECS or Fargate, you probably can refer to this aws-sample which does not use cloudmap but JDBC_PING and stickinessCookie instead. It's not perfect but worth a look.

https://github.com/aws-samples/cdk-keycloak/blob/main/src/keycloak.ts

I am using DNS_PING for the cluster itself, I need Cloudmap for Keycloak integration with by backend services (Quarkus admin client). And I am trying to avoid the cost of an internal load balancer...

[pahud]

I think you probably should configure it like this(using nginx as a example):

    const vpc = getOrCreateVpc(this);
    const cluster = new ecs.Cluster(this, `MyCluster${id}`, {
      vpc,
      defaultCloudMapNamespace: {
          name: `${id}-ns`,
          useForServiceConnect: true,
          type: servicediscovery.NamespaceType.DNS_PRIVATE,
          vpc
      },
    });
    const task = new ecs.FargateTaskDefinition(this, 'Task', {
      cpu: 256,
      memoryLimitMiB: 512,
    });
    task.addContainer('nginx', {
      image: ecs.ContainerImage.fromRegistry('nginx'),
      portMappings: [
        { name: 'nginx_http', containerPort: 80 },
      ],
    });
    const service = new ecs.FargateService(this, 'Service', {
      cluster,
      taskDefinition: task,
      serviceConnectConfiguration: {
          services: [{
              portMappingName: "nginx_http",
              dnsName: "nginx",
              port: 80,
          }],
      },
    });
    service.node.addDependency(cluster.defaultCloudMapNamespace!);

defaultCloudMapNamespace creates the default CloudMap Namespace and serviceConnectConfiguration by default uses the default namespace if name is undefined. The addDependency() ensures their dependency.

Let me know if it works for you.