diff --git a/deployments/cluster-ec2.yml b/deployments/cluster-ec2.yml
index aac68d8..ecd2dd3 100644
--- a/deployments/cluster-ec2.yml
+++ b/deployments/cluster-ec2.yml
@@ -4,23 +4,19 @@ Parameters: EnvironmentName: Type: String Default: production - Description: "A friendly environment name that will be used for namespacing all cluster resources. Example: staging, qa, or production" + Description: A friendly environment name that will be used for namespacing all cluster resources, like staging, qa, or production InstanceType: Type: String Default: t2.micro - Description: Class of EC2 instance used to host containers. Choose t2 for testing, m5 for general purpose, c5 for CPU intensive services, and r5 for memory intensive services - AllowedValues: [ t2.micro, t2.small, t2.medium, t2.large, t2.xlarge, t2.2xlarge, - m5.large, m5.xlarge, m5.2xlarge, m5.4xlarge, m5.12xlarge, m5.24xlarge, - c5.large, c5.xlarge, c5.2xlarge, c5.4xlarge, c5.9xlarge, c5.18xlarge, - r5.large, r5.xlarge, r5.2xlarge, r5.4xlarge, r5.12xlarge, r5.24xlarge ] - ConstraintDescription: Please choose a valid instance type. + Description: Class of EC2 instance used to host containers + AllowedValues: [ t2.micro, t2.small, t2.medium, t2.large, t2.xlarge, t2.2xlarge ] DesiredCapacity: Type: Number - Default: '1' + Default: 1 Description: Number of EC2 instances to launch in your ECS cluster. MaxSize: Type: Number - Default: '3' + Default: 3 Description: Maximum number of EC2 instances that can be launched in your ECS cluster. ECSAMI: Type: AWS::SSM::Parameter::Value
@@ -123,7 +119,7 @@ Resources: # Role for the EC2 hosts. This allows the ECS agent on the EC2 hosts # to communciate with the ECS control plane, as well as download the docker - # images from ECR to run on your host. + # images from ECR to run on your host (AmazonEC2ContainerServiceforEC2Role) EC2Role: Type: AWS::IAM::Role Properties:
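Review bot: Narrowing `AllowedValues` for `InstanceType` to the t2 family in the Parameters hunk, while also dropping `ConstraintDescription`, changes the validation contract for any stack that was deployed with an m5, c5 or r5 value: on the next update that parameter would presumably be rejected, and with the constraint text gone the operator only gets CloudFormation's generic message instead of the removed `Please choose a valid instance type.`. If the narrowing is intended, keep a constraint text that names the accepted family, e.g. `ConstraintDescription: Please choose a t2 instance type.`, and say in the commit description that existing stacks using the larger families need to be migrated. The `Default: '1'` and `Default: '3'` to `Default: 1` / `Default: 3` changes are fine for `Type: Number` parameters, which accept either form.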
@@ -140,58 +136,61 @@ Resources: Statement: - Effect: Allow Action: - - 'ecs:CreateCluster' - - 'ecs:DeregisterContainerInstance' - - 'ecs:DiscoverPollEndpoint' - - 'ecs:Poll' - - 'ecs:RegisterContainerInstance' - - 'ecs:StartTelemetrySession' - - 'ecs:Submit*' - - 'logs:CreateLogStream' - - 'logs:PutLogEvents' - - 'ecr:GetAuthorizationToken' - - 'ecr:BatchGetImage' - - 'ecr:GetDownloadUrlForLayer' + - ec2:DescribeTags + - ecs:CreateCluster + - ecs:DeregisterContainerInstance + - ecs:DiscoverPollEndpoint + - ecs:Poll + - ecs:RegisterContainerInstance + - ecs:StartTelemetrySession + - ecs:UpdateContainerInstancesState + - ecs:Submit* + - ecr:GetAuthorizationToken + - ecr:BatchCheckLayerAvailability + - ecr:GetDownloadUrlForLayer + - ecr:BatchGetImage + - logs:CreateLogStream + - logs:PutLogEvents Resource: '*' - # This is an IAM role which authorizes ECS to manage resources on your - # account on your behalf, such as updating your load balancer with the - # details of where your containers are, so that traffic can reach your - # containers. - ECSRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Principal: - Service: [ecs.amazonaws.com] - Action: ['sts:AssumeRole'] - Path: / - Policies: - - PolicyName: ecs-service - PolicyDocument: - Statement: - - Effect: Allow - Action: - # Rules which allow ECS to attach network interfaces to instances - # on your behalf in order for awsvpc networking mode to work right - - 'ec2:AttachNetworkInterface' - - 'ec2:CreateNetworkInterface' - - 'ec2:CreateNetworkInterfacePermission' - - 'ec2:DeleteNetworkInterface' - - 'ec2:DeleteNetworkInterfacePermission' - - 'ec2:Describe*' - - 'ec2:DetachNetworkInterface' + # # This is an IAM role which authorizes ECS to manage resources on your + # # account on your behalf, such as updating your load balancer with the + # # details of where your containers are, so that traffic can reach your + # # containers. 
+ # ECSRole: + # Type: AWS::IAM::Role + # Properties: + # AssumeRolePolicyDocument: + # Statement: + # - Effect: Allow + # Principal: + # Service: [ecs.amazonaws.com] + # Action: ['sts:AssumeRole'] + # Path: / + # Policies: + # - PolicyName: ecs-service + # PolicyDocument: + # Statement: + # - Effect: Allow + # Action: + # # Rules which allow ECS to attach network interfaces to instances + # # on your behalf in order for awsvpc networking mode to work right + # - 'ec2:AttachNetworkInterface' + # - 'ec2:CreateNetworkInterface' + # - 'ec2:CreateNetworkInterfacePermission' + # - 'ec2:DeleteNetworkInterface' + # - 'ec2:DeleteNetworkInterfacePermission' + # - 'ec2:Describe*' + # - 'ec2:DetachNetworkInterface' - # Rules which allow ECS to update load balancers on your behalf - # with the information sabout how to send traffic to your containers - - 'elasticloadbalancing:DeregisterInstancesFromLoadBalancer' - - 'elasticloadbalancing:DeregisterTargets' - - 'elasticloadbalancing:Describe*' - - 'elasticloadbalancing:RegisterInstancesWithLoadBalancer' - - 'elasticloadbalancing:RegisterTargets' - Resource: '*' + # # Rules which allow ECS to update load balancers on your behalf + # # with the information sabout how to send traffic to your containers + # - 'elasticloadbalancing:DeregisterInstancesFromLoadBalancer' + # - 'elasticloadbalancing:DeregisterTargets' + # - 'elasticloadbalancing:Describe*' + # - 'elasticloadbalancing:RegisterInstancesWithLoadBalancer' + # - 'elasticloadbalancing:RegisterTargets' + # Resource: '*' # These are the values output by the CloudFormation template. Be careful # about changing any of them, because of them are exported with specific 
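Review bot: The EC2Role inline policy at the top of this hunk now reproduces the `AmazonEC2ContainerServiceforEC2Role` managed policy named in the updated comment (the added `ec2:DescribeTags`, `ecs:UpdateContainerInstancesState` and `ecr:BatchCheckLayerAvailability` actions match it), so a hand-maintained copy will drift the next time AWS revises that policy; attaching it with `ManagedPolicyArns: [arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role]` and dropping the inline statement, or adding a comment stating that the copy is deliberately pinned, would make the intent explicit. The roughly forty-five lines that turn `ECSRole` into a commented-out block should be deleted rather than kept as comments: git already holds the history, and a dormant IAM role whose policy grants `ec2:Describe*` and load-balancer mutations on `Resource: '*'` is easy to re-enable later without the scope being reviewed again. The same commented-out block appears in the fargate hunk at `@@ -35,46 +35,47 @@`. The `Policies` entry this statement belongs to starts before the hunk.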
@@ -207,8 +206,8 @@ Outputs: Value: !GetAtt 'AutoscalingRole.Arn' Export: Name: !Sub ${EnvironmentName}:AutoscalingRole - ECSRole: - Description: The ARN of the ECS role - Value: !GetAtt 'ECSRole.Arn' - Export: - Name: !Sub ${EnvironmentName}:ECSRole + # ECSRole: + # Description: The ARN of the ECS role + # Value: !GetAtt 'ECSRole.Arn' + # Export: + # Name: !Sub ${EnvironmentName}:ECSRole
diff --git a/deployments/cluster-fargate.yml b/deployments/cluster-fargate.yml
index d77ca70..7023330 100644
--- a/deployments/cluster-fargate.yml
+++ b/deployments/cluster-fargate.yml
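Review bot: Removing the `ECSRole` output in this Outputs hunk also withdraws the `${EnvironmentName}:ECSRole` export, and CloudFormation rejects a stack update that deletes an export another stack still consumes through `Fn::ImportValue`, so any service template importing this value has to be migrated before this change is rolled out; the commit does not say whether consumers were checked. The five commented-out lines should be removed outright instead of left in place, since a commented-out output carries no information that git history does not. The fargate Outputs hunk at `@@ -116,11 +117,11 @@` has the same two issues.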
@@ -35,46 +35,47 @@ Resources: - 'ecs:UpdateService' Resource: '*' - # This is an IAM role which authorizes ECS to manage resources on your - # account on your behalf, such as updating your load balancer with the - # details of where your containers are, so that traffic can reach your - # containers. - ECSRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Principal: - Service: [ecs.amazonaws.com] - Action: ['sts:AssumeRole'] - Path: / - Policies: - - PolicyName: ecs-service - PolicyDocument: - Statement: - - Effect: Allow - Action: - # Rules which allow ECS to attach network interfaces to instances - # on your behalf in order for awsvpc networking mode to work right - - 'ec2:AttachNetworkInterface' - - 'ec2:CreateNetworkInterface' - - 'ec2:CreateNetworkInterfacePermission' - - 'ec2:DeleteNetworkInterface' - - 'ec2:DeleteNetworkInterfacePermission' - - 'ec2:Describe*' - - 'ec2:DetachNetworkInterface' + # # This is an IAM role which authorizes ECS to manage resources on your + # # account on your behalf, such as updating your load balancer with the + # # details of where your containers are, so that traffic can reach your + # # containers. 
+ # ECSRole: + # Type: AWS::IAM::Role + # Properties: + # AssumeRolePolicyDocument: + # Statement: + # - Effect: Allow + # Principal: + # Service: [ecs.amazonaws.com] + # Action: ['sts:AssumeRole'] + # Path: / + # Policies: + # - PolicyName: ecs-service + # PolicyDocument: + # Statement: + # - Effect: Allow + # Action: + # # Rules which allow ECS to attach network interfaces to instances + # # on your behalf in order for awsvpc networking mode to work right + # - 'ec2:AttachNetworkInterface' + # - 'ec2:CreateNetworkInterface' + # - 'ec2:CreateNetworkInterfacePermission' + # - 'ec2:DeleteNetworkInterface' + # - 'ec2:DeleteNetworkInterfacePermission' + # - 'ec2:Describe*' + # - 'ec2:DetachNetworkInterface' - # Rules which allow ECS to update load balancers on your behalf - # with the information sabout how to send traffic to your containers - - 'elasticloadbalancing:DeregisterInstancesFromLoadBalancer' - - 'elasticloadbalancing:DeregisterTargets' - - 'elasticloadbalancing:Describe*' - - 'elasticloadbalancing:RegisterInstancesWithLoadBalancer' - - 'elasticloadbalancing:RegisterTargets' - Resource: '*' + # # Rules which allow ECS to update load balancers on your behalf + # # with the information sabout how to send traffic to your containers + # - 'elasticloadbalancing:DeregisterInstancesFromLoadBalancer' + # - 'elasticloadbalancing:DeregisterTargets' + # - 'elasticloadbalancing:Describe*' + # - 'elasticloadbalancing:RegisterInstancesWithLoadBalancer' + # - 'elasticloadbalancing:RegisterTargets' + # Resource: '*' - # This is a role which is used by the ECS tasks themselves. + # This is a role which is used by the ECS tasks themselves + # (AmazonECSTaskExecutionRolePolicy) ECSTaskExecutionRole: Type: AWS::IAM::Role Properties: 
@@ -116,11 +117,11 @@ Outputs: Value: !GetAtt 'AutoscalingRole.Arn' Export: Name: !Sub ${EnvironmentName}:AutoscalingRole - ECSRole: - Description: The ARN of the ECS role - Value: !GetAtt 'ECSRole.Arn' - Export: - Name: !Sub ${EnvironmentName}:ECSRole + # ECSRole: + # Description: The ARN of the ECS role + # Value: !GetAtt 'ECSRole.Arn' + # Export: + # Name: !Sub ${EnvironmentName}:ECSRole ECSTaskExecutionRole: Description: The ARN of the ECS role Value: !GetAtt 'ECSTaskExecutionRole.Arn'