2021-11-03 08:35:22 +02:00
|
|
|
AWSTemplateFormatVersion: '2010-09-09'
|
|
|
|
|
Description: EC2 ECS cluster running containers in public or private subnets.
|
|
|
|
|
Parameters:
|
|
|
|
|
EnvironmentName:
|
|
|
|
|
Type: String
|
|
|
|
|
Default: production
|
2021-11-14 09:13:12 +02:00
|
|
|
Description: A friendly environment name that will be used for namespacing all
|
|
|
|
|
cluster resources, for example staging, qa, or production
|
2021-11-13 19:38:58 +02:00
|
|
|
LaunchType:
|
|
|
|
|
Type: String
|
|
|
|
|
Default: Fargate
|
|
|
|
|
AllowedValues: [Fargate, EC2]
|
2021-11-03 08:35:22 +02:00
|
|
|
InstanceType:
|
|
|
|
|
Type: String
|
|
|
|
|
Default: t2.micro
|
2021-11-13 16:39:06 +02:00
|
|
|
Description: Class of EC2 instance used to host containers
|
|
|
|
|
AllowedValues: [ t2.micro, t2.small, t2.medium, t2.large, t2.xlarge, t2.2xlarge ]
|
2021-11-03 08:35:22 +02:00
|
|
|
ECSAMI:
|
|
|
|
|
Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
|
|
|
|
|
Default: /aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id
|
2021-11-13 19:38:58 +02:00
|
|
|
Description: The Amazon Machine Image ID used for the EC2 cluster
|
2021-11-13 21:18:17 +02:00
|
|
|
|
2021-11-13 19:38:58 +02:00
|
|
|
Conditions:
|
|
|
|
|
EC2: !Equals [ !Ref LaunchType, 'EC2' ]
|
2021-11-13 21:18:17 +02:00
|
|
|
|
2021-11-03 08:35:22 +02:00
|
|
|
Resources:
|
2021-11-13 19:38:58 +02:00
|
|
|
|
|
|
|
|
#-----------------------------------------------------------------------------#
|
|
|
|
|
# ECS Cluster
|
|
|
|
|
#-----------------------------------------------------------------------------#
|
2021-11-03 08:35:22 +02:00
|
|
|
ECSCluster:
|
|
|
|
|
Type: AWS::ECS::Cluster
|
|
|
|
|
|
2021-11-13 19:38:58 +02:00
|
|
|
#-----------------------------------------------------------------------------#
|
|
|
|
|
# Instance Autoscaling Group (EC2 Launch Type)
|
|
|
|
|
#-----------------------------------------------------------------------------#
|
2021-11-03 08:35:22 +02:00
|
|
|
ECSAutoScalingGroup:
|
|
|
|
|
Type: AWS::AutoScaling::AutoScalingGroup
|
2021-11-14 20:12:54 +02:00
|
|
|
DependsOn: ECSCluster
|
2021-11-13 19:38:58 +02:00
|
|
|
Condition: EC2
|
2021-11-03 08:35:22 +02:00
|
|
|
Properties:
|
|
|
|
|
NewInstancesProtectedFromScaleIn: true
|
|
|
|
|
VPCZoneIdentifier:
|
|
|
|
|
# Choose private subnets if using NAT gateways
|
|
|
|
|
- Fn::ImportValue: !Sub ${EnvironmentName}:PublicSubnetOne
|
|
|
|
|
- Fn::ImportValue: !Sub ${EnvironmentName}:PublicSubnetTwo
|
2021-11-13 19:38:58 +02:00
|
|
|
LaunchConfigurationName: !Ref ContainerInstances
|
|
|
|
|
MinSize: 1
|
|
|
|
|
MaxSize: 3
|
|
|
|
|
DesiredCapacity: 1
|
2021-11-03 08:35:22 +02:00
|
|
|
CreationPolicy:
|
|
|
|
|
ResourceSignal:
|
2021-11-15 10:34:10 +02:00
|
|
|
Timeout: PT5M
|
2021-11-03 08:35:22 +02:00
|
|
|
UpdatePolicy:
|
2021-11-15 10:34:10 +02:00
|
|
|
# AutoScalingReplacingUpdate:
|
|
|
|
|
# WillReplace: true
|
|
|
|
|
AutoScalingRollingUpdate:
|
|
|
|
|
MinSuccessfulInstancesPercent: 100
|
|
|
|
|
WaitOnResourceSignals: true
|
|
|
|
|
PauseTime: PT5M
|
|
|
|
|
SuspendProcesses:
|
|
|
|
|
# Suspend everything except Launch and Terminate.
|
|
|
|
|
- AddToLoadBalancer
|
|
|
|
|
- AlarmNotification
|
|
|
|
|
- AZRebalance
|
|
|
|
|
- HealthCheck
|
|
|
|
|
- ReplaceUnhealthy
|
|
|
|
|
- ScheduledActions
|
2021-11-13 19:38:58 +02:00
|
|
|
|
2021-11-03 08:35:22 +02:00
|
|
|
ContainerInstances:
|
|
|
|
|
Type: AWS::AutoScaling::LaunchConfiguration
|
2021-11-13 19:38:58 +02:00
|
|
|
Condition: EC2
|
2021-11-03 08:35:22 +02:00
|
|
|
Properties:
|
2021-11-13 19:38:58 +02:00
|
|
|
ImageId: !Ref ECSAMI
|
2021-11-03 08:35:22 +02:00
|
|
|
SecurityGroups:
|
|
|
|
|
- Fn::ImportValue: !Sub ${EnvironmentName}:ContainerSecurityGroup
|
2021-11-13 19:38:58 +02:00
|
|
|
InstanceType: !Ref InstanceType
|
|
|
|
|
IamInstanceProfile: !Ref EC2InstanceProfile
|
2021-11-03 08:35:22 +02:00
|
|
|
UserData:
|
|
|
|
|
Fn::Base64: !Sub |
|
|
|
|
|
#!/bin/bash -xe
|
|
|
|
|
echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config
|
|
|
|
|
yum install -y aws-cfn-bootstrap
|
|
|
|
|
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource ECSAutoScalingGroup --region ${AWS::Region}
|
2021-11-13 19:38:58 +02:00
|
|
|
|
2021-11-03 08:35:22 +02:00
|
|
|
EC2InstanceProfile:
|
|
|
|
|
Type: AWS::IAM::InstanceProfile
|
2021-11-13 19:38:58 +02:00
|
|
|
Condition: EC2
|
2021-11-03 08:35:22 +02:00
|
|
|
Properties:
|
|
|
|
|
Path: /
|
2021-11-13 19:38:58 +02:00
|
|
|
Roles: [!Ref EC2Role]
|
2021-11-03 08:35:22 +02:00
|
|
|
|
2021-11-13 19:38:58 +02:00
|
|
|
#-----------------------------------------------------------------------------#
|
|
|
|
|
# Capacity Provider (EC2 Launch Type)
|
|
|
|
|
#-----------------------------------------------------------------------------#
|
2021-11-03 08:35:22 +02:00
|
|
|
ECSCapacityProvider:
|
|
|
|
|
Type: AWS::ECS::CapacityProvider
|
2021-11-14 20:12:54 +02:00
|
|
|
DependsOn: ECSCluster
|
2021-11-13 19:38:58 +02:00
|
|
|
Condition: EC2
|
2021-11-03 08:35:22 +02:00
|
|
|
Properties:
|
2021-11-14 20:12:54 +02:00
|
|
|
AutoScalingGroupProvider:
|
|
|
|
|
AutoScalingGroupArn: !Ref ECSAutoScalingGroup
|
|
|
|
|
ManagedScaling:
|
|
|
|
|
MaximumScalingStepSize: 2
|
|
|
|
|
MinimumScalingStepSize: 1
|
|
|
|
|
Status: ENABLED
|
|
|
|
|
TargetCapacity: 100
|
|
|
|
|
ManagedTerminationProtection: ENABLED
|
2021-11-13 19:38:58 +02:00
|
|
|
|
2021-11-03 08:35:22 +02:00
|
|
|
ECSClusterCapProvAssoc:
|
|
|
|
|
Type: AWS::ECS::ClusterCapacityProviderAssociations
|
2021-11-13 19:38:58 +02:00
|
|
|
Condition: EC2
|
2021-11-03 08:35:22 +02:00
|
|
|
Properties:
|
|
|
|
|
Cluster: !Ref ECSCluster
|
|
|
|
|
CapacityProviders:
|
|
|
|
|
- !Ref ECSCapacityProvider
|
|
|
|
|
DefaultCapacityProviderStrategy:
|
|
|
|
|
- CapacityProvider: !Ref ECSCapacityProvider
|
|
|
|
|
Weight: 100
|
|
|
|
|
|
2021-11-13 19:38:58 +02:00
|
|
|
#-----------------------------------------------------------------------------#
|
|
|
|
|
# Role for Application Autoscaling
|
|
|
|
|
#-----------------------------------------------------------------------------#
|
2021-11-03 08:35:22 +02:00
|
|
|
AutoscalingRole:
|
|
|
|
|
Type: AWS::IAM::Role
|
|
|
|
|
Properties:
|
|
|
|
|
AssumeRolePolicyDocument:
|
|
|
|
|
Statement:
|
|
|
|
|
- Effect: Allow
|
|
|
|
|
Principal:
|
|
|
|
|
Service: [application-autoscaling.amazonaws.com]
|
2021-11-13 19:38:58 +02:00
|
|
|
Action: [sts:AssumeRole]
|
2021-11-03 08:35:22 +02:00
|
|
|
Path: /
|
|
|
|
|
Policies:
|
|
|
|
|
- PolicyName: service-autoscaling
|
|
|
|
|
PolicyDocument:
|
|
|
|
|
Statement:
|
|
|
|
|
- Effect: Allow
|
|
|
|
|
Action:
|
2021-11-13 19:38:58 +02:00
|
|
|
- application-autoscaling:*
|
|
|
|
|
- cloudwatch:DescribeAlarms
|
|
|
|
|
- cloudwatch:PutMetricAlarm
|
|
|
|
|
- ecs:DescribeServices
|
|
|
|
|
- ecs:UpdateService
|
2021-11-03 08:35:22 +02:00
|
|
|
Resource: '*'
|
|
|
|
|
|
2021-11-13 19:38:58 +02:00
|
|
|
#-----------------------------------------------------------------------------#
|
|
|
|
|
# Role for EC2 Hosts (EC2 Launch Type)
|
|
|
|
|
#-----------------------------------------------------------------------------#
|
2021-11-03 08:35:22 +02:00
|
|
|
EC2Role:
|
|
|
|
|
Type: AWS::IAM::Role
|
2021-11-13 19:38:58 +02:00
|
|
|
Condition: EC2
|
2021-11-03 08:35:22 +02:00
|
|
|
Properties:
|
|
|
|
|
AssumeRolePolicyDocument:
|
|
|
|
|
Statement:
|
|
|
|
|
- Effect: Allow
|
|
|
|
|
Principal:
|
|
|
|
|
Service: [ec2.amazonaws.com]
|
2021-11-13 19:38:58 +02:00
|
|
|
Action: [sts:AssumeRole]
|
2021-11-03 08:35:22 +02:00
|
|
|
Path: /
|
|
|
|
|
Policies:
|
2021-11-14 22:11:54 +02:00
|
|
|
# AmazonEC2ContainerServiceforEC2Role
|
|
|
|
|
- PolicyName: ecs-service
|
2021-11-03 08:35:22 +02:00
|
|
|
PolicyDocument:
|
|
|
|
|
Statement:
|
|
|
|
|
- Effect: Allow
|
|
|
|
|
Action:
|
2021-11-13 16:39:06 +02:00
|
|
|
- ec2:DescribeTags
|
|
|
|
|
- ecs:CreateCluster
|
|
|
|
|
- ecs:DeregisterContainerInstance
|
|
|
|
|
- ecs:DiscoverPollEndpoint
|
|
|
|
|
- ecs:Poll
|
|
|
|
|
- ecs:RegisterContainerInstance
|
|
|
|
|
- ecs:StartTelemetrySession
|
|
|
|
|
- ecs:UpdateContainerInstancesState
|
|
|
|
|
- ecs:Submit*
|
|
|
|
|
- ecr:GetAuthorizationToken
|
|
|
|
|
- ecr:BatchCheckLayerAvailability
|
|
|
|
|
- ecr:GetDownloadUrlForLayer
|
|
|
|
|
- ecr:BatchGetImage
|
|
|
|
|
- logs:CreateLogStream
|
|
|
|
|
- logs:PutLogEvents
|
2021-11-03 08:35:22 +02:00
|
|
|
Resource: '*'
|
|
|
|
|
|
2021-11-13 19:38:58 +02:00
|
|
|
#-----------------------------------------------------------------------------#
|
2021-11-14 22:11:54 +02:00
|
|
|
# Role for ECS Tasks
|
2021-11-13 19:38:58 +02:00
|
|
|
#-----------------------------------------------------------------------------#
|
|
|
|
|
ECSTaskExecutionRole:
|
|
|
|
|
Type: AWS::IAM::Role
|
|
|
|
|
Properties:
|
|
|
|
|
AssumeRolePolicyDocument:
|
|
|
|
|
Statement:
|
|
|
|
|
- Effect: Allow
|
|
|
|
|
Principal:
|
|
|
|
|
Service: [ecs-tasks.amazonaws.com]
|
|
|
|
|
Action: [sts:AssumeRole]
|
|
|
|
|
Path: /
|
|
|
|
|
Policies:
|
|
|
|
|
- PolicyName: AmazonECSTaskExecutionRolePolicy
|
|
|
|
|
PolicyDocument:
|
|
|
|
|
Statement:
|
|
|
|
|
- Effect: Allow
|
|
|
|
|
Action:
|
|
|
|
|
# Allow the ECS Tasks to download images from ECR
|
|
|
|
|
- ecr:GetAuthorizationToken
|
|
|
|
|
- ecr:BatchCheckLayerAvailability
|
|
|
|
|
- ecr:GetDownloadUrlForLayer
|
|
|
|
|
- ecr:BatchGetImage
|
|
|
|
|
|
|
|
|
|
# Allow the ECS tasks to upload logs to CloudWatch
|
|
|
|
|
- logs:CreateLogStream
|
|
|
|
|
- logs:PutLogEvents
|
|
|
|
|
Resource: '*'
|
|
|
|
|
|
2021-11-14 22:11:54 +02:00
|
|
|
#-----------------------------------------------------------------------------#
|
|
|
|
|
# Role for ECS
|
|
|
|
|
#-----------------------------------------------------------------------------#
|
|
|
|
|
ECSRole:
|
|
|
|
|
Type: AWS::IAM::Role
|
|
|
|
|
Properties:
|
|
|
|
|
AssumeRolePolicyDocument:
|
|
|
|
|
Statement:
|
|
|
|
|
- Effect: Allow
|
|
|
|
|
Principal:
|
|
|
|
|
Service: [ecs.amazonaws.com]
|
2021-11-16 10:48:45 +02:00
|
|
|
Action: [sts:AssumeRole]
|
2021-11-14 22:11:54 +02:00
|
|
|
Path: /
|
|
|
|
|
Policies:
|
|
|
|
|
- PolicyName: ecs-service
|
|
|
|
|
PolicyDocument:
|
|
|
|
|
Statement:
|
|
|
|
|
- Effect: Allow
|
|
|
|
|
Action:
|
|
|
|
|
# Rules which allow ECS to attach network interfaces to instances
|
|
|
|
|
# on your behalf in order for awsvpc networking mode to work right
|
2021-11-16 10:48:45 +02:00
|
|
|
- ec2:AttachNetworkInterface
|
|
|
|
|
- ec2:CreateNetworkInterface
|
|
|
|
|
- ec2:CreateNetworkInterfacePermission
|
|
|
|
|
- ec2:DeleteNetworkInterface
|
|
|
|
|
- ec2:DeleteNetworkInterfacePermission
|
|
|
|
|
- ec2:Describe*
|
|
|
|
|
- ec2:DetachNetworkInterface
|
2021-11-03 08:35:22 +02:00
|
|
|
|
2021-11-14 22:11:54 +02:00
|
|
|
# Rules which allow ECS to update load balancers on your behalf
|
|
|
|
|
# with the information sabout how to send traffic to your containers
|
2021-11-16 10:48:45 +02:00
|
|
|
- elasticloadbalancing:DeregisterInstancesFromLoadBalancer
|
|
|
|
|
- elasticloadbalancing:DeregisterTargets
|
|
|
|
|
- elasticloadbalancing:Describe*
|
|
|
|
|
- elasticloadbalancing:RegisterInstancesWithLoadBalancer
|
|
|
|
|
- elasticloadbalancing:RegisterTargets
|
2021-11-14 22:11:54 +02:00
|
|
|
Resource: '*'
|
2021-11-03 08:35:22 +02:00
|
|
|
|
|
|
|
|
Outputs:
|
|
|
|
|
ClusterName:
|
|
|
|
|
Description: The name of the ECS cluster
|
2021-11-13 19:38:58 +02:00
|
|
|
Value: !Ref ECSCluster
|
2021-11-03 08:35:22 +02:00
|
|
|
Export:
|
|
|
|
|
Name: !Sub ${EnvironmentName}:ClusterName
|
|
|
|
|
AutoscalingRole:
|
|
|
|
|
Description: The ARN of the role used for autoscaling
|
2021-11-13 19:38:58 +02:00
|
|
|
Value: !GetAtt AutoscalingRole.Arn
|
2021-11-03 08:35:22 +02:00
|
|
|
Export:
|
|
|
|
|
Name: !Sub ${EnvironmentName}:AutoscalingRole
|
2021-11-14 22:11:54 +02:00
|
|
|
ECSRole:
|
|
|
|
|
Description: The ARN of the ECS role
|
|
|
|
|
Value: !GetAtt ECSRole.Arn
|
|
|
|
|
Export:
|
|
|
|
|
Name: !Sub ${EnvironmentName}:ECSRole
|
2021-11-13 19:38:58 +02:00
|
|
|
ECSTaskExecutionRole:
|
|
|
|
|
Description: The ARN of the ECS role
|
|
|
|
|
Value: !GetAtt ECSTaskExecutionRole.Arn
|
|
|
|
|
Export:
|
|
|
|
|
Name: !Sub ${EnvironmentName}:ECSTaskExecutionRole
|
