Run Anypoint Flex Gateway on AWS ECS Fargate

Published: Aug 7, 2025
Prerequisites
This setup requires an AWS VPC with subnets, security groups, internet access from the VPC subnets, a load balancer (optional), an ECS Fargate cluster, and a Linux machine with Docker or Podman installed for the registration step.
Task

Run Anypoint Flex Gateway in Connected Mode on Customer owned AWS ECS Fargate Cluster

Steps

Step 01: Generate Flex Gateway registration file

  • Log in to Anypoint Platform
  • Go to Runtime Manager and ensure you are in the required Business Group and Environment
  • Click on Flex Gateways > Self-Managed Flex Gateway > Add Self-Managed Flex Gateway
  • Select Container > Docker/Podman (whichever works for you)
  • From any Linux machine (linux/amd64), follow Step 1 (pull the Flex Gateway container image) and Step 2 (register your gateway)
  • You should now have a "registration.yaml" file, which is essential for the next steps. Store it in a safe place and keep a backup.
  • Because you are running Flex Gateway in Connected Mode, you should also see the registered flex-gateway in Runtime Manager, but in the "Not running" state (that is expected at this point).

 

Step 02: Store Configuration (registration.yaml) in AWS Secrets Manager

  • Log in to your AWS account and go to the desired region
  • Navigate to AWS Secrets Manager > Secrets > Store a new secret > Choose "Other type of secret"
  • Select "Plaintext", delete any existing content and copy-paste the entire "registration.yaml" file content. Ensure you don't copy extra blank lines. Click Next
  • Give this secret a name (Example: "mulesoft/flex-on-fargate/registrationfile"). Click Next, Next, Store.
  • Copy the Secret ARN and keep it safe. We will use it in the next steps.

 

Step 03: Create IAM Policies and IAM roles

You have to configure the IAM role (executionRoleArn) that grants the AWS ECS agent permission to perform actions on your behalf before and during the container's runtime. This role is used for activities such as pulling the container image, pushing container logs to Amazon CloudWatch, and retrieving sensitive data from AWS Secrets Manager or Systems Manager Parameter Store that you have referenced in the task definition. The role is mandatory for all Fargate tasks; without it, ECS has no permission to set up and manage your container.

We used only the essential permissions for this basic setup; based on your needs, you can attach more policies as required. First, we create an IAM policy that grants access to the registration secret we created in Step 2.

 

  • Navigate to IAM > Access Management > Policies > Create Policy
  • Switch to the JSON view of the Policy Editor, copy and paste the permission below, and replace <arn-value-of-registration-secret-created-in-step2> with the valid ARN.
  • Click Next, give the policy a name (Example: "Flex-Registration-Secret-Permissions") and click Create
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "<arn-value-of-registration-secret-created-in-step2>"
        }
    ]
}

 

Then, 

  • Navigate to IAM > Access Management > Roles > Create Role
  • Select AWS service > From the drop-down select "Elastic Container Service" > Then select "Elastic Container Service Task" as the use case. Click Next
  • Select "AmazonECSTaskExecutionRolePolicy" and the policy we created above (Flex-Registration-Secret-Permissions) and click Next
  • Give this IAM role a name (Example: "Flex-On-Fargate-Execution-Role") and click Create.
  • Copy the IAM role ARN and keep it safe. We will use it in the next steps.

 

Step 04: Create ECS task definition

An ECS task definition is a blueprint for your application within Amazon ECS. It is a text file, typically in JSON format, that specifies how your containers should be run, including which Docker images to use, resource allocation (CPU and memory), networking, and more. The task definition describes the "what", not the "where". The "where" is specified when you either run a standalone task ("run-task", which launches one or more standalone tasks that run until they stop) or create/update an ECS service ("create-service", which launches and maintains a long-running application, ensuring a specified number of tasks are always running and healthy) from the task definition.

In this task definition, we pass the registration file to Flex Gateway as a secret (injected as an environment variable), so the Flex Gateway service reads it and starts itself. No entrypoint parameters need to be specified in this case.

Navigate to Amazon ECS > Task definitions > click on Create new task definition with JSON
Delete the displayed configuration and copy and paste the task definition below. For more information, refer to the AWS documentation on the ECS task definition JSON configuration.

Here, you can specify:

  • Desired values of CPU and memory
  • Replace <arn-of-iam-role-we-created> with the IAM role ARN value
  • Image (your desired flex-gateway version as per the release notes). At the time of writing, 1.10.0 is the latest available one, so I used it.
  • Port details of your choice.
  • You can omit the "logConfiguration" section if you don't want CloudWatch logs. If you keep it, ensure the specified "awslogs-group" exists in the specified "awslogs-region" in CloudWatch.
  • Under "secrets", replace <arn-value-of-registration-secret-created-in-step2> with the Secret ARN created in Step 2

Click Create. You should see a task definition created with the name "flex-on-fargate-task-definition".

 

{
    "family": "flex-on-fargate-task-definition",
    "networkMode": "awsvpc",
    "requiresCompatibilities": [
        "FARGATE"
    ],
    "cpu": "1024",
    "memory": "2048",
    "executionRoleArn": "<arn-of-iam-role-we-created>",
    "containerDefinitions": [
        {
            "name": "flex-gateway",
            "image": "mulesoft/flex-gateway:1.10.0",
            "portMappings": [
                {
                    "containerPort": 8081,
                    "hostPort": 8081,
                    "protocol": "tcp"
                }
            ],
            "essential": true,
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group": "/ecs/flex-gateway",
                    "awslogs-region": "ap-southeast-1",
                    "awslogs-stream-prefix": "flex-gw"
                }
            },
            "secrets": [
                {
                    "name": "FLEX_CONFIG",
                    "valueFrom": "<arn-value-of-registration-secret-created-in-step2>"
                }
            ]
        }
    ]
}

 

Step 05: Run the task definition by creating service

This step assumes you have created an ECS cluster (type AWS Fargate) and a VPC with public subnets in the desired region. Ensure the security group has rules that allow outbound access to the internet (so the Flex Gateway container can reach the control plane endpoints documented in the link in the reference section) and also accepts inbound connections on the port specified in the task definition.

 

  • Navigate to Amazon ECS > Clusters > Click on your ECS cluster
  • Under Services > Create Service
  • Select the task definition we created in the previous step from the drop-down. Select the latest "Task definition revision".
  • Give your service any name
  • As per your preferences, you can modify the Compute configuration and Deployment configuration or leave them at the defaults. (The desired task count is simply the number of containers/replicas.)
  • Under Networking, choose the VPC and public subnets where your Flex container should run, and select the required security groups or create new ones if needed.
  • Under "Load balancing", as per your needs, you can select and configure an ALB/NLB, either by creating a new one or using an existing one.
  • Configure any other optional settings you need.
  • Click Create

Now you should see a service deployment created under your ECS cluster; provisioning takes some time.
Once provisioned, you should see the replicas reflected in Runtime Manager under your flex-gateway in the Connected/Running state.

 

Anypoint Flex Gateway on AWS ECS Fargate is successfully provisioned. 
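Before creating the service, it is worth checking the two JSON documents from Steps 3 and 4 for the mistakes this procedure makes easy: an unreplaced <placeholder> ARN, a registration secret policy wider than GetSecretValue on one secret, or registration.yaml placed under "environment" as plaintext instead of under "secrets". The following lint is an added example, not part of the article or of MuleSoft's tooling; the account id, role name and sample values in it are constructed.

```python
"""Added pre-deploy lint for the IAM policy (Step 3) and task definition (Step 4); not from the article."""
import re

PLACEHOLDER = re.compile(r"<[^>]*>")  # e.g. <arn-of-iam-role-we-created> left unreplaced

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def lint_secret_policy(policy: dict) -> list[str]:
    """The registration-secret policy should allow only GetSecretValue on one concrete secret ARN."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if set(_as_list(stmt.get("Action"))) - {"secretsmanager:GetSecretValue"}:
            findings.append("policy allows actions beyond secretsmanager:GetSecretValue")
        for res in _as_list(stmt.get("Resource")):
            if res.endswith("*"):
                findings.append(f"Resource {res!r} is not scoped to the registration secret")
            elif PLACEHOLDER.search(res):
                findings.append(f"Resource still contains a placeholder: {res}")
    return findings

def lint_task_definition(td: dict) -> list[str]:
    """registration.yaml must reach the container only through 'secrets', with every placeholder replaced."""
    findings = []
    if td.get("networkMode") != "awsvpc" or "FARGATE" not in td.get("requiresCompatibilities", []):
        findings.append("Fargate needs networkMode=awsvpc and requiresCompatibilities=[FARGATE]")
    if PLACEHOLDER.search(td.get("executionRoleArn") or "<missing>"):
        findings.append("executionRoleArn is missing or still a placeholder")
    for c in td.get("containerDefinitions", []):
        name = c.get("name", "?")
        if any(e.get("name") == "FLEX_CONFIG" for e in c.get("environment", [])):
            findings.append(f"{name}: FLEX_CONFIG is a plaintext environment variable; move it under secrets")
        secrets = {s.get("name"): s.get("valueFrom", "") for s in c.get("secrets", [])}
        if "FLEX_CONFIG" not in secrets:
            findings.append(f"{name}: no FLEX_CONFIG secret, so the gateway cannot register")
        elif PLACEHOLDER.search(secrets["FLEX_CONFIG"]):
            findings.append(f"{name}: FLEX_CONFIG valueFrom still contains a placeholder")
    return findings

if __name__ == "__main__":
    # Constructed sample: the article's task definition with the role ARN filled in (fake account id)
    # but the secret ARN placeholder left unreplaced, which the lint reports.
    sample = {"family": "flex-on-fargate-task-definition", "networkMode": "awsvpc",
              "requiresCompatibilities": ["FARGATE"],
              "executionRoleArn": "arn:aws:iam::123456789012:role/Flex-On-Fargate-Execution-Role",
              "containerDefinitions": [{"name": "flex-gateway", "secrets": [{"name": "FLEX_CONFIG",
                  "valueFrom": "<arn-value-of-registration-secret-created-in-step2>"}]}]}
    print("\n".join(lint_task_definition(sample)) or "task definition OK")
```

Load your own JSON with json.load and pass the dicts to the two functions; an empty list means no finding.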

 

Additional resources

References

 
Running Anypoint Flex Gateway Serverless on Amazon ECS

Amazon ECS task definitions

Ports, IPs, and Hostnames Allowlist Requirements

Flex Gateway Environment Variables

Flex Gateway release notes
 
 

Disclaimer:

The successful operation running Anypoint Flex Gateway in containerized and serverless computing environments is a shared responsibility. MuleSoft is responsible, among other things, for providing and supporting Flex Gateway and an online Docker image registry. At minimum, Customers are responsible for provisioning and configuring the containerized and serverless computing environment to run Flex Gateway.
Knowledge article number

005131426

 