portmap | Golang实现的内网端口映射，类似花生壳实现

I think you are missing the login step before deploy the applications.

Can you try use this command before deploying?

The whole problem had nothing to do with AWS, but the server I am running (weblogic) failed to start because I was trying to mount EFS in /, which cannot be done as it would overlay many critical startup and credential files. If I had the whole filesystem already on EFS (which I did not, I used a blank filesystem), then this likely would have been fine. I mounted it successfully to a lower subdirectory and the container spun up and is running.

The default AWS TargetGroup HealthCheckPath is simply / (see the docs). And as a standard Spring Boot application often responds with a HTTP 404 like this:

the ApplicationLoadBalancers health checks Status inside the TargetGroups go to unhealthy, thus triggering a restart of the Fargate Services.

How do we solve this? In Spring Boot you would normally use the spring-boot-actuator. Adding it to your pom.xml the application responds to localhost:yourPort/actuator/health:

In the AWS docs there's a detailed guide on how to grant ECS EC2 & Fargate launch type Tasks access to private Registries. Derived from that there are 4 steps to take:

1. Obtain Token or credentials to access private Container Registry
2. Create AWS Secrets Manager Secret containing Token/Creds to private Registry
3. Craft Task Execution Role (using aws.iam.Role) containing inlinePolicy for private Container Registry access
4. Enhance awsx.ecs.FargateService to use our Task Execution Role & Secret ARN in repositoryCredentials

0. Obtain Token or credentials to access private Container Registry

If you don't already have them, you'll need to create an Access Token or credentials inside our private Registry so that an external service is able to access it. With GitHub Container Registry for example we need to create a Personal Access Token (see docs here) using the read:packages scope as a minimum:

1. Create AWS Secrets Manager Secret containing Token/Creds to private Registry

Now head over to the AWS Secrets Manager console at https://console.aws.amazon.com/secretsmanager/ and create a new Secret via the Store a new secret button. In the GUI choose Other type of secrets and Plaintext - and then fill in your private Registry credentials as JSON:

Update

Remove brackets from your files

Based on the comments.

The template is fine. The ALB does not work because it is placed in private subnets along with ECS service. Assuming that private subnets are correctly setup to work with NAT gateway and access the internet, the following should be made:

• Place ALB in public subnets - it must be there, as otherwise it will no be accessible from the internet.

Also double check all the route tables for NAT, public subnets, internet gateway.

There is a known terraform aws provider bug for this issue.

In order to make terraform not replace the running task / container definition, I have to fill out all the default values that its showing on terraform plan with either null or empty sets of configuration.

Once all the parameters are filled out, I ran the terafform plan/apply cycle again to ensure its not replacing the container definition like it was doing it before.

I tried to reproduce the same at my side and it worked fine. There are couple of configuration changes I did to the above yaml.

1. Added the gateway label “gateway: shared-gw“ to the VirtualGateway. Make sure that you have this label in the namespace as well.
2. Corrected the dns hostname. This should be your application clusterIp service name serviceDiscovery: dns: hostname: httpd-echo1.shared.svc.cluster.local

Also, ensure that your Laodbalancer is Active and the target group listener for this LB is showing healthy status

I am adding the updated yaml below. You can try this and see if it works.

Got the setup working by using a nested stack, and return values in the nested stack's "Output" section. Please refer to above for details, thanks.