Alternative to public subnets

[adavies48]

Hey I was wondering if there is a work around to using public subnets? In my company they're restricted and not possible to implement. I've seen in the docs and from a response to a chat that public subnets are required, but there must be a way to use artillery without them? Any help would be great thanks.

[bernardobridge]

Hi @adavies48 👋,

You can create your own VPC with private subnets and have Artillery run in it by using the --subnet-ids flag (you can also configure security groups similarly).

Here's the reference for the CLI flags:
https://www.artillery.io/docs/reference/cli/run-fargate#fargate-specific-flags

[adavies48]

Great thank you, I will try that.

[bernardobridge]

Apologies @adavies48 , this information is actually incorrect. Please refer to the post below for the correct details:

#2437 (comment)

[hassy]

You have to run in a public subnet to be able to pull Docker images from Artillery's public ECR repository.

The workaround is to:

• clone Artillery's worker image and host it in your own private ECR repo
• edit the IAM role that Artillery generates to allow pulls from your private ECR repo
• configure Artillery to use your own copy of the worker image by setting the WORKER_IMAGE_URL environment variable to the URL of the image in your private ECR repo

We'll support this natively in Artillery at some point but no ETA on that right now.

[Mathdon]

Hi @hassy any help would be appreciated, feel like we are close to getting it working just stuck at the last hurdle

[hassy]

@Mathdon that's very odd, that file is definitely there (otherwise all Fargate tests would fail).

Can you double check that you updated the image that's hosted here: https://gallery.ecr.aws/d8a4z9o5/artillery-worker - that's the image used for distributed load tests. Rather than the image hosted on Dockerhub, which only wraps the Arillery CLI itself.

[hassy]

e.g. the image to clone into your private ECR repo for Artillery v2.0.14 would be public.ecr.aws/d8a4z9o5/artillery-worker:2.0.14-x86_64

[Mathdon]

Thank you @hassy I will check that :)

[hassy]

feel free to email me directly with any more information that might not be suitable to share publicly here - [email protected]

[bbeesley]

Gonna chime in here since I have this working now. First step was setting up a github action to sync the public ECR images over to our private ECR. Here's what my action looks like in case you wanna copy:

name: Update the artillery-worker ecr image
on:
  workflow_dispatch:
    inputs:
      new_version:
        description: "The artillery worker docker image tag to import (dont include the architecture suffix)"
        required: true
        default: 2.0.21
env:
  IMAGE_SOURCE: 'public.ecr.aws/d8a4z9o5/artillery-worker'
  IMAGE_SINK: '<the aws account id where your private ecr repo lives>.dkr.ecr.eu-central-1.amazonaws.com/artillery-worker'
jobs:
  copy-image:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: install regctl
        uses: regclient/actions/regctl-installer@main
        with:
          release: 'latest'
      - name: aws auth
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: <a role that can push to your ECR repo>
          aws-region: eu-central-1
      - name: ecr private login
        uses: aws-actions/amazon-ecr-login@v2
      - name: aws auth
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: <a role that can read from public ECR - I think it just needs ecr-public:GetAuthorizationToken and sts:GetServiceBearerToken>
          aws-region: us-east-1
      - name: ecr public login
        uses: aws-actions/amazon-ecr-login@v2
        with:
          registry-type: public
      - name: copy amd64 image
        run: |
          regctl image copy ${{ env.IMAGE_SOURCE }}:${{ inputs.new_version }}-x86_64 ${{ env.IMAGE_SINK }}:${{ inputs.new_version }}-x86_64
      - name: copy arm64 image
        run: |
          regctl image copy ${{ env.IMAGE_SOURCE }}:${{ inputs.new_version }}-arm64 ${{ env.IMAGE_SINK }}:${{ inputs.new_version }}-arm64

obviously update the roles to work with your CI, but then you can just run the action with whatever tags you wanna copy across.

Next you need to make sure artillery has attempted to run in fargate already because you're gonna have to modify the execution role it creates. If you've already used artillery fargate in the aws account you're using, the role has been created, if not, just let it fail once.

The name of the role is artilleryio-ecs-worker-role, you need to attach policies to allow it to pull from your private ECR, I use AmazonS3ReadOnlyAccess and AmazonECSTaskExecutionRolePolicy. So now your role will be able to pull the private ECR image.

Now you can just run the command to kick off the test, but point it at the private subnets, something like this is what I use:

artillery run-fargate --region eu-central-1 --count 5 --cluster `aws ecs list-clusters --query "clusterArns[0]" --output text | grep -o '[^/]*$'`  \
    --subnet-ids "`aws ec2 describe-subnets --filters 'Name=tag:Tier,Values=Private' --query 'Subnets[*].SubnetId' --output text | tr '\t' ','`" \
    --security-group-ids "`aws ec2 describe-security-groups --filters 'Name=group-name,Values=default' --query 'SecurityGroups[*].GroupId' --output text`" my-private-test.yml --record --key ***

Then everything seems to work well. I guess the if I were to make a suggestion it would be that it'd be nice if there was an artillery cli flag I could pass to tell it to include private ECR permissions on the role so that manual step isn't required.