AWS ECS Configuration

This document provides a summary of deploying the Arculus FIDO2 Server on AWS ECS Fargate.

For deployment overview and other deployment options, see 3. Deployment.

For the complete step-by-step guide, see CUSTOMER_DEPLOYMENT_GUIDE.md.

Architecture Overview

Prerequisites

AWS Account Requirements

AWS account with appropriate permissions
AWS CLI installed and configured
Required IAM permissions:
- CloudFormation
- ECS
- EC2 (security groups, VPC)
- Elastic Load Balancing
- IAM (roles, policies)
- CloudWatch Logs
- Secrets Manager
- S3

Network Infrastructure

Required VPC setup:

Component

Requirement

VPC

With public and private subnets

Availability Zones

Minimum 2 AZs

Internet Gateway

For public subnets

NAT Gateway

For private subnet internet access

SSL Certificate

Obtain or create an SSL certificate in AWS Certificate Manager:

# Request a new certificate
aws acm request-certificate \
  --domain-name auth.example.com \
  --validation-method DNS \
  --region us-east-1

MongoDB Database

Supported options:

MongoDB Atlas (cloud-managed)
Amazon DocumentDB
Self-managed MongoDB

CloudFormation Stack Structure

The deployment uses nested CloudFormation stacks:

master-stack.yaml
  |
  +-- security-stack.yaml (IAM roles, Secrets Manager)
  |
  +-- network-stack.yaml (ALB, Security Groups)
  |
  +-- compute-stack.yaml (ECS Cluster, Services, Tasks)

Stack Parameters

Parameter

Description

Example

Environment

Deployment environment

prod, staging, dev

ApplicationName

Resource naming prefix

arculus-auth

VpcId

Target VPC

vpc-xxx

PrivateSubnets

ECS service subnets

subnet-xxx,subnet-yyy

PublicSubnets

Load balancer subnets

subnet-aaa,subnet-bbb

CertificateArn

SSL certificate ARN

arn:aws:acm:...

DomainName

Application domain

auth.example.com

MongoDBHost

Database hostname

cluster.mongodb.net

MongoDBUsername

Database username

admin

MongoDBPassword

Database password

(secure value)

ImageTag

Docker image tag

latest

Deployment Steps

Step 1: Push Docker Images to ECR

# Create ECR repositories
aws ecr create-repository --repository-name pyfido
aws ecr create-repository --repository-name tomcat

# Authenticate Docker
aws ecr get-login-password | docker login --username AWS --password-stdin $ACCOUNT.dkr.ecr.$REGION.amazonaws.com

# Tag and push images
docker tag pyfido:latest $ACCOUNT.dkr.ecr.$REGION.amazonaws.com/pyfido:latest
docker push $ACCOUNT.dkr.ecr.$REGION.amazonaws.com/pyfido:latest

Step 2: Create S3 Bucket for Templates

./setup-s3.sh -b your-bucket-name

Step 3: Configure Parameters

Edit parameters/prod.json:

[
  { "ParameterKey": "Environment", "ParameterValue": "production" },
  { "ParameterKey": "VpcId", "ParameterValue": "vpc-xxx" },
  { "ParameterKey": "PrivateSubnets", "ParameterValue": "subnet-xxx,subnet-yyy" },
  { "ParameterKey": "PublicSubnets", "ParameterValue": "subnet-aaa,subnet-bbb" },
  { "ParameterKey": "CertificateArn", "ParameterValue": "arn:aws:acm:..." },
  { "ParameterKey": "DomainName", "ParameterValue": "auth.example.com" },
  { "ParameterKey": "MongoDBHost", "ParameterValue": "cluster.mongodb.net" },
  { "ParameterKey": "MongoDBUsername", "ParameterValue": "admin" },
  { "ParameterKey": "MongoDBPassword", "ParameterValue": "secure-password" }
]

Step 4: Deploy Stack

./deploy.sh -e prod -b your-bucket-name

Resource Sizing

Environment Mappings

Environment

PyFIDO CPU

PyFIDO Memory

Desired Count

dev

256

512 MB

staging

512

1024 MB

prod

1024

2048 MB

Scaling Considerations

CPU: Increase for high computation (signature verification)
Memory: Increase for high concurrent sessions
Task Count: Scale horizontally for high availability

Networking

Security Groups

Resource

Inbound

Source

ALB

443 (HTTPS)

0.0.0.0/0

ALB

5001 (PyFIDO)

0.0.0.0/0

ALB

8080 (Tomcat)

0.0.0.0/0

ECS Tasks

5001, 8080

ALB Security Group

MongoDB

27017

ECS Security Group

Load Balancer Configuration

Listener

Port

Protocol

Target

HTTPS

443

HTTPS

Tomcat

PyFIDO

5001

HTTPS

PyFIDO

Tomcat

8080

HTTPS

Tomcat

Secrets Management

Secrets are stored in AWS Secrets Manager:

Secret

Contents

MongoDB Secret

username, password, host, port

Application Secret

API keys, JWT secrets

ECS tasks access secrets via IAM task role permissions.

Logging

CloudWatch Log Groups

Log Group

Service

/ecs/arculus-auth/ENV/pyfido

PyFIDO Server

/ecs/arculus-auth/ENV/tomcat

Tomcat Portal

Log Retention

Environment

Retention

dev

7 days

staging

30 days

prod

90 days

Viewing Logs

# Tail PyFIDO logs
aws logs tail /ecs/arculus-auth/production/pyfido --follow

Service Management

Start/Stop Services

# Scale to 0 to stop
aws ecs update-service \
  --cluster arculus-auth-production \
  --service arculus-auth-production-pyfido \
  --desired-count 0

# Scale up to start
aws ecs update-service \
  --cluster arculus-auth-production \
  --service arculus-auth-production-pyfido \
  --desired-count 2

Force Redeployment

aws ecs update-service \
  --cluster arculus-auth-production \
  --service arculus-auth-production-pyfido \
  --force-new-deployment

Health Checks

Load Balancer Health Checks

Target

Path

Healthy Threshold

Interval

PyFIDO

/health

30s

Tomcat

30s

Verification

# Check service status
aws ecs describe-services \
  --cluster arculus-auth-production \
  --services arculus-auth-production-pyfido \
  --query 'services[].{Status:status,Running:runningCount}'

Stack Outputs

After deployment, retrieve key values:

aws cloudformation describe-stacks \
  --stack-name arculus-auth-production \
  --query 'Stacks[0].Outputs'

Output

Description

LoadBalancerDNS

ALB DNS name for DNS configuration

PyFidoEndpoint

PyFIDO API endpoint URL

TomcatEndpoint

Tomcat portal URL

ClusterName

ECS cluster name

MongoDBSecretArn

Secrets Manager ARN

DNS Configuration

Create a CNAME or ALIAS record pointing to the LoadBalancerDNS output:

auth.example.com -> arculus-alb-xxx.elb.amazonaws.com

For Route 53, use an A record with alias to the load balancer.

Updates and Maintenance

Rolling Updates

The deployment supports zero-downtime updates:

Update image tag in parameters
Run deploy script
ECS performs rolling replacement

Image Updates

# Update ImageTag parameter
vi parameters/prod.json

# Redeploy
./deploy.sh -e prod -b your-bucket-name

Cost Considerations

Component

Pricing Factor

Fargate

vCPU hours + GB hours

ALB

LCU hours + data processed

NAT Gateway

Per hour + data processed

Secrets Manager

Per secret + API calls

CloudWatch Logs

Data ingested + storage

PreviousDeployment Overview NextDocker Configuration

Last updated 3 days ago

hashtagArchitecture Overview

hashtagPrerequisites

hashtagAWS Account Requirements

hashtagNetwork Infrastructure

hashtagSSL Certificate

hashtagMongoDB Database

hashtagCloudFormation Stack Structure

hashtagStack Parameters

hashtagDeployment Steps

hashtagStep 1: Push Docker Images to ECR

hashtagStep 2: Create S3 Bucket for Templates

hashtagStep 3: Configure Parameters

hashtagStep 4: Deploy Stack

hashtagResource Sizing

hashtagEnvironment Mappings

hashtagScaling Considerations

hashtagNetworking

hashtagSecurity Groups

hashtagLoad Balancer Configuration

hashtagSecrets Management

hashtagLogging

hashtagCloudWatch Log Groups

hashtagLog Retention

hashtagViewing Logs

hashtagService Management

hashtagStart/Stop Services

hashtagForce Redeployment

hashtagHealth Checks

hashtagLoad Balancer Health Checks

hashtagVerification

hashtagStack Outputs

hashtagDNS Configuration

hashtagUpdates and Maintenance

hashtagRolling Updates

hashtagImage Updates

hashtagCost Considerations

Architecture Overview

Prerequisites

AWS Account Requirements

Network Infrastructure

SSL Certificate

MongoDB Database

CloudFormation Stack Structure

Stack Parameters

Deployment Steps

Step 1: Push Docker Images to ECR

Step 2: Create S3 Bucket for Templates

Step 3: Configure Parameters

Step 4: Deploy Stack

Resource Sizing

Environment Mappings

Scaling Considerations

Networking

Security Groups

Load Balancer Configuration

Secrets Management

Logging

CloudWatch Log Groups

Log Retention

Viewing Logs

Service Management

Start/Stop Services

Force Redeployment

Health Checks

Load Balancer Health Checks

Verification

Stack Outputs

DNS Configuration

Updates and Maintenance

Rolling Updates

Image Updates

Cost Considerations