Hosting a Wordpress Application on ECS Fargate with RDS, Parameter Store, and Secrets Manager

Create a new RDS database:

• Select MySQL for the engine type
• Use the default engine version
• Ensure it is a Free Tier template
• Name your cluster identifier wordpress
• Set the Master username to admin
• Enable Manage master credentials in AWS Secrets Manager with the default AWS KMS encryption key
• Select a db.t4g.micro burstable class instance type
• Create a 20 GiB volume using a gp3 volume type
• Use the database subnet group from the DB subnet group dropdown
• Make sure it is not publicly accessible
• Create a new Security Group for it called database-sg with No preference for the Availability Zone
• Create an initial database named wordpress

• Within the AWS Systems Manager Parameter Store capability, create 2 new parameters with the below information.
• After complete, verify there is a new secret in Secrets Manager and retrieve the secret value to view your admin credentials.

| Name | Description | Tier | Type | Data type | Value | |------------------------|-----------------------------|----------|-------------------------------------|-----------|---------------------------------------------------------------------------------------------| | /dev/WORDPRESS_DB_HOST | Wordpress RDS endpoint | Standard | String | text | YOUR_RDS_ENDPOINT:3306 (Example: wordpress-rds.cc5tzmus2oai.us-east-1.rds.amazonaws.com:3306 | | /dev/WORDPRESS_DB_NAME | Wordpress RDS Database Name | Standard | SecureString (default encryption) | text | wordpress |

Within the Amazon ECR service, create a new private repository:

• Select private repositories
• Create a new one
• Set Visibility settings to Private
• For Repository name enter wordpress
• Leave Tag immutability disabled
• Enable the Scan on push option
• Leave KMS encryption disabled

Navigate to the Amazon ECS service in a new tab:

• Find task definitions and create a new one
• Enter wordpress-td for the Task definition family
• Under Infrastructure requirements, for Launch type, select AWS Fargate
• Select OurEcsTaskRole for the Task role
• For the Task execution role, find and select the role OurEcsTaskExecutionRole
• Under Container - 1, enter the following settings for Container details:

| Name | Image URI | Essential container |
|---------------------|--------------------------------------------------------------------------------------------------------------------------------|---------------------| | wordpress | Your ECR Image URI from the custom image you pushed (Example: 294991935974.dkr.ecr.us-east-1.amazonaws.com/wordpress:latest) | Yes |

• Click on Add environment variable and then fill in the information for each of the following 4 variables. PLEASE NOTE THE ARN SYNTAX OF THE SECRETS MANAGER SECRET.

| Key | Value type | Value | |-------------------------------|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | WORDPRESS_DB_HOST | ValueFrom | ARN of the respective Parameter Store parameter (Example: arn:aws:ssm:us-east-1:552898056824:parameter/dev/WORDPRESS_DB_HOST | | WORDPRESS_DB_NAME | ValueFrom | ARN of the respective Parameter Store parameter (Example: arn:aws:ssm:us-east-1:552898056824:parameter/dev/WORDPRESS_DB_NAME | | WORDPRESS_DB_USER | ValueFrom | ARN of the respective Secrets Manager RDS secret with :username:: added to the end specifying the specific key value (Example: arn:aws:secretsmanager:us-east-1:552898056824:secret:rds!db-1380b131-f0b2-4ef3-833f-4ab7a78f29fd-BAsjMA:username:: | | WORDPRESS_DB_PASSWORD | ValueFrom | ARN of the respective Secrets Manager RDS secret with :password:: added to the end specifying the specific key value (Example: arn:aws:secretsmanager:us-east-1:552898056824:secret:rds!db-1380b131-f0b2-4ef3-833f-4ab7a78f29fd-BAsjMA:password:: |

• Create the task definition

Within ECS, select Clusters:

• Create a new cluster
• For Cluster name enter Wordpress-Cluster
• Under Infrastructure, select AWS Fargate (serverless)
• Once completed, move on to creating our service

Wait for the cluster creation to complete before moving on. If you get any service related errors, please navigate to the CloudFormation template that is created for you by the service and retry the deployment.

• Before you begin, please verify the required resources below exist and if any of these do not exist, please exit the lab and restart.

  | Type | Name | |---------------------------|----------------------------| | Application Load Balancer | OurApplicationLoadBalancer | | Security Group | ALBAllowHttp | | Cloud9 Environment | OurCloud9Environment | | IAM Role | OurEcsTaskExecutionRole | | IAM Role | OurEcsTaskRole |

• Create a new Database Subnet Group within RDS

• Name it database-subnet-group

• Select the us-east-1a, us-east-1b, and us-east-1c AZs

• Select the subnets with the CIDRs of 10.0.20.0/24, 10.0.21.0/24, and 10.0.22.0/24

• Edit the inbound rules for the database-sg that you created
• Delete the existing rule and add a new inbound rule with the following information:

| Type | Protocol | Port range | Source | Value | Description - optional | |--------------|----------|------------|--------|---------------|-------------------------------| | MYSQL/Aurora | TCP | 3306 | Custom | 10.0.0.0/16 | Allow MySQL access from VPC |

Create a new set of access keys for your IAM user:

• Within the AWS IAM console, select your IAM user
• Create a new set of access keys
• Save the access key and secret access key values for later

Navigate back to the ECR tab:

• Click on View push commands
• Copy and paste Step 1 into your Cloud9 terminal. Before entering, add the --profile cloud_user to the portion before the pipe! Example below:

aws ecr get-login-password --region us-east-1 --profile cloud_user | docker login --username AWS --password-stdin 111111111111.dkr.ecr.us-east-1.amazonaws.com

• Pull the latest Docker image for Wordpress running this command:

   docker pull wordpress:latest

• Once complete, tag the image to push by copying and pasting Step 3 from the ECR push commands prompt
• Now run Step 4 from the ECR push commands.
• Verify the image exists within the ECR console after completion

Navigate to Cloud9 in a new tab:

• Open the OurCloud9Environment environment
• Clear any messages that popup
• Run aws configure --profile cloud_user
• Paste in your recently created access keys when prompted
• Use us-east-1 as the default Region
• Use json as the default output
• If you get a popup about AWS managed temporary credentials, select Cancel and then Re-enable after refresh
• Test you can perform an AWS CLIv2 command (Example: aws s3 ls --profile cloud_user)

Navigate to your recently created Wordpress-Cluster:

• Under the Services tab, click on Create
• For Compute options select Launch type
• Make sure the Launch type is set to FARGATE
• Make sure Platform version is set to LATEST
• For Application type select Service
• For Family, under Task definition, choose your wordpress-td task definition from the dropdown and use the LATEST version
• Name your service wordpress-service
• Set desired tasks to 1
• For Networking, select Your Custom VPC
• For Subnets, only select the ones titled Private Subnet
• Create a new security group called app-sg
• For Inbound rules for security groups, enter the following information:

| Type | Protocl | Port range | Source | Values | |------|---------|------------|--------------|--------------------------------------| | HTTP | TCP | 80 | Source group | Security Group of the ALBAllowHttp |

• Make sure Public IP is turned off
• For Load balancer type, select Application Load Balancer
• Use an existing load balancer
• Find the load balancer named OurApplicationLoadBalancer
• Set the Health check grace period to 30 seconds
• Leave the Listener values as default
• For Target group, name it wordpress-tg
• For the Health check path, enter /wp-admin/images/wordpress-logo.svg
• Create

• Navigate to the Amazon EC2 console
• Find and select the OurApplicationLoadBalancer ALB
• Copy the DNS name
• Paste the DNS name into a new tab using HTTP
• You should be greeted by the Wordpress setup page!