Combine Fargate and EC2 services

2025-06-24 22:26:56 +02:00 · 2021-11-13 16:39:06 +02:00
parent da53ff6e38
commit ac968e072e
2 changed files with 107 additions and 107 deletions
--- a/deployments/cluster-ec2.yml
+++ b/deployments/cluster-ec2.yml
@ -4,23 +4,19 @@ Parameters:
  EnvironmentName:
    Type: String
    Default: production
-    Description: "A friendly environment name that will be used for namespacing all cluster resources. Example: staging, qa, or production"
+    Description: A friendly environment name that will be used for namespacing all cluster resources, like staging, qa, or production
  InstanceType:
    Type: String
    Default: t2.micro
-    Description: Class of EC2 instance used to host containers. Choose t2 for testing, m5 for general purpose, c5 for CPU intensive services, and r5 for memory intensive services
-    AllowedValues: [ t2.micro, t2.small, t2.medium, t2.large, t2.xlarge, t2.2xlarge,
-     m5.large, m5.xlarge, m5.2xlarge, m5.4xlarge, m5.12xlarge, m5.24xlarge,
-     c5.large, c5.xlarge, c5.2xlarge, c5.4xlarge, c5.9xlarge, c5.18xlarge,
-     r5.large, r5.xlarge, r5.2xlarge, r5.4xlarge, r5.12xlarge, r5.24xlarge ]
-    ConstraintDescription: Please choose a valid instance type.
+    Description: Class of EC2 instance used to host containers
+    AllowedValues: [ t2.micro, t2.small, t2.medium, t2.large, t2.xlarge, t2.2xlarge ]
  DesiredCapacity:
    Type: Number
-    Default: '1'
+    Default: 1
    Description: Number of EC2 instances to launch in your ECS cluster.
  MaxSize:
    Type: Number
-    Default: '3'
+    Default: 3
    Description: Maximum number of EC2 instances that can be launched in your ECS cluster.
  ECSAMI:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
@ -123,7 +119,7 @@ Resources:

  # Role for the EC2 hosts. This allows the ECS agent on the EC2 hosts
  # to communciate with the ECS control plane, as well as download the docker
-  # images from ECR to run on your host.
+  # images from ECR to run on your host (AmazonEC2ContainerServiceforEC2Role)
  EC2Role:
    Type: AWS::IAM::Role
    Properties:
@ -140,58 +136,61 @@ Resources:
          Statement:
          - Effect: Allow
            Action:
-              - 'ecs:CreateCluster'
-              - 'ecs:DeregisterContainerInstance'
-              - 'ecs:DiscoverPollEndpoint'
-              - 'ecs:Poll'
-              - 'ecs:RegisterContainerInstance'
-              - 'ecs:StartTelemetrySession'
-              - 'ecs:Submit*'
-              - 'logs:CreateLogStream'
-              - 'logs:PutLogEvents'
-              - 'ecr:GetAuthorizationToken'
-              - 'ecr:BatchGetImage'
-              - 'ecr:GetDownloadUrlForLayer'
+              - ec2:DescribeTags
+              - ecs:CreateCluster
+              - ecs:DeregisterContainerInstance
+              - ecs:DiscoverPollEndpoint
+              - ecs:Poll
+              - ecs:RegisterContainerInstance
+              - ecs:StartTelemetrySession
+              - ecs:UpdateContainerInstancesState
+              - ecs:Submit*
+              - ecr:GetAuthorizationToken
+              - ecr:BatchCheckLayerAvailability
+              - ecr:GetDownloadUrlForLayer
+              - ecr:BatchGetImage
+              - logs:CreateLogStream
+              - logs:PutLogEvents
            Resource: '*'

-  # This is an IAM role which authorizes ECS to manage resources on your
-  # account on your behalf, such as updating your load balancer with the
-  # details of where your containers are, so that traffic can reach your
-  # containers.
-  ECSRole:
-    Type: AWS::IAM::Role
-    Properties:
-      AssumeRolePolicyDocument:
-        Statement:
-        - Effect: Allow
-          Principal:
-            Service: [ecs.amazonaws.com]
-          Action: ['sts:AssumeRole']
-      Path: /
-      Policies:
-      - PolicyName: ecs-service
-        PolicyDocument:
-          Statement:
-          - Effect: Allow
-            Action:
-              # Rules which allow ECS to attach network interfaces to instances
-              # on your behalf in order for awsvpc networking mode to work right
-              - 'ec2:AttachNetworkInterface'
-              - 'ec2:CreateNetworkInterface'
-              - 'ec2:CreateNetworkInterfacePermission'
-              - 'ec2:DeleteNetworkInterface'
-              - 'ec2:DeleteNetworkInterfacePermission'
-              - 'ec2:Describe*'
-              - 'ec2:DetachNetworkInterface'
+  # # This is an IAM role which authorizes ECS to manage resources on your
+  # # account on your behalf, such as updating your load balancer with the
+  # # details of where your containers are, so that traffic can reach your
+  # # containers.
+  # ECSRole:
+  #   Type: AWS::IAM::Role
+  #   Properties:
+  #     AssumeRolePolicyDocument:
+  #       Statement:
+  #       - Effect: Allow
+  #         Principal:
+  #           Service: [ecs.amazonaws.com]
+  #         Action: ['sts:AssumeRole']
+  #     Path: /
+  #     Policies:
+  #     - PolicyName: ecs-service
+  #       PolicyDocument:
+  #         Statement:
+  #         - Effect: Allow
+  #           Action:
+  #             # Rules which allow ECS to attach network interfaces to instances
+  #             # on your behalf in order for awsvpc networking mode to work right
+  #             - 'ec2:AttachNetworkInterface'
+  #             - 'ec2:CreateNetworkInterface'
+  #             - 'ec2:CreateNetworkInterfacePermission'
+  #             - 'ec2:DeleteNetworkInterface'
+  #             - 'ec2:DeleteNetworkInterfacePermission'
+  #             - 'ec2:Describe*'
+  #             - 'ec2:DetachNetworkInterface'

-              # Rules which allow ECS to update load balancers on your behalf
-              # with the information sabout how to send traffic to your containers
-              - 'elasticloadbalancing:DeregisterInstancesFromLoadBalancer'
-              - 'elasticloadbalancing:DeregisterTargets'
-              - 'elasticloadbalancing:Describe*'
-              - 'elasticloadbalancing:RegisterInstancesWithLoadBalancer'
-              - 'elasticloadbalancing:RegisterTargets'
-            Resource: '*'
+  #             # Rules which allow ECS to update load balancers on your behalf
+  #             # with the information sabout how to send traffic to your containers
+  #             - 'elasticloadbalancing:DeregisterInstancesFromLoadBalancer'
+  #             - 'elasticloadbalancing:DeregisterTargets'
+  #             - 'elasticloadbalancing:Describe*'
+  #             - 'elasticloadbalancing:RegisterInstancesWithLoadBalancer'
+  #             - 'elasticloadbalancing:RegisterTargets'
+  #           Resource: '*'

 # These are the values output by the CloudFormation template. Be careful
 # about changing any of them, because of them are exported with specific
@ -207,8 +206,8 @@ Outputs:
    Value: !GetAtt 'AutoscalingRole.Arn'
    Export:
      Name: !Sub ${EnvironmentName}:AutoscalingRole
-  ECSRole:
-    Description: The ARN of the ECS role
-    Value: !GetAtt 'ECSRole.Arn'
-    Export:
-      Name: !Sub ${EnvironmentName}:ECSRole
+  # ECSRole:
+  #   Description: The ARN of the ECS role
+  #   Value: !GetAtt 'ECSRole.Arn'
+  #   Export:
+  #     Name: !Sub ${EnvironmentName}:ECSRole
--- a/deployments/cluster-fargate.yml
+++ b/deployments/cluster-fargate.yml
@ -35,46 +35,47 @@ Resources:
              - 'ecs:UpdateService'
            Resource: '*'

-  # This is an IAM role which authorizes ECS to manage resources on your
-  # account on your behalf, such as updating your load balancer with the
-  # details of where your containers are, so that traffic can reach your
-  # containers.
-  ECSRole:
-    Type: AWS::IAM::Role
-    Properties:
-      AssumeRolePolicyDocument:
-        Statement:
-        - Effect: Allow
-          Principal:
-            Service: [ecs.amazonaws.com]
-          Action: ['sts:AssumeRole']
-      Path: /
-      Policies:
-      - PolicyName: ecs-service
-        PolicyDocument:
-          Statement:
-          - Effect: Allow
-            Action:
-              # Rules which allow ECS to attach network interfaces to instances
-              # on your behalf in order for awsvpc networking mode to work right
-              - 'ec2:AttachNetworkInterface'
-              - 'ec2:CreateNetworkInterface'
-              - 'ec2:CreateNetworkInterfacePermission'
-              - 'ec2:DeleteNetworkInterface'
-              - 'ec2:DeleteNetworkInterfacePermission'
-              - 'ec2:Describe*'
-              - 'ec2:DetachNetworkInterface'
+  # # This is an IAM role which authorizes ECS to manage resources on your
+  # # account on your behalf, such as updating your load balancer with the
+  # # details of where your containers are, so that traffic can reach your
+  # # containers.
+  # ECSRole:
+  #   Type: AWS::IAM::Role
+  #   Properties:
+  #     AssumeRolePolicyDocument:
+  #       Statement:
+  #       - Effect: Allow
+  #         Principal:
+  #           Service: [ecs.amazonaws.com]
+  #         Action: ['sts:AssumeRole']
+  #     Path: /
+  #     Policies:
+  #     - PolicyName: ecs-service
+  #       PolicyDocument:
+  #         Statement:
+  #         - Effect: Allow
+  #           Action:
+  #             # Rules which allow ECS to attach network interfaces to instances
+  #             # on your behalf in order for awsvpc networking mode to work right
+  #             - 'ec2:AttachNetworkInterface'
+  #             - 'ec2:CreateNetworkInterface'
+  #             - 'ec2:CreateNetworkInterfacePermission'
+  #             - 'ec2:DeleteNetworkInterface'
+  #             - 'ec2:DeleteNetworkInterfacePermission'
+  #             - 'ec2:Describe*'
+  #             - 'ec2:DetachNetworkInterface'

-              # Rules which allow ECS to update load balancers on your behalf
-              # with the information sabout how to send traffic to your containers
-              - 'elasticloadbalancing:DeregisterInstancesFromLoadBalancer'
-              - 'elasticloadbalancing:DeregisterTargets'
-              - 'elasticloadbalancing:Describe*'
-              - 'elasticloadbalancing:RegisterInstancesWithLoadBalancer'
-              - 'elasticloadbalancing:RegisterTargets'
-            Resource: '*'
+  #             # Rules which allow ECS to update load balancers on your behalf
+  #             # with the information sabout how to send traffic to your containers
+  #             - 'elasticloadbalancing:DeregisterInstancesFromLoadBalancer'
+  #             - 'elasticloadbalancing:DeregisterTargets'
+  #             - 'elasticloadbalancing:Describe*'
+  #             - 'elasticloadbalancing:RegisterInstancesWithLoadBalancer'
+  #             - 'elasticloadbalancing:RegisterTargets'
+  #           Resource: '*'

-  # This is a role which is used by the ECS tasks themselves.
+  # This is a role which is used by the ECS tasks themselves
+  # (AmazonECSTaskExecutionRolePolicy)
  ECSTaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
@ -116,11 +117,11 @@ Outputs:
    Value: !GetAtt 'AutoscalingRole.Arn'
    Export:
      Name: !Sub ${EnvironmentName}:AutoscalingRole
-  ECSRole:
-    Description: The ARN of the ECS role
-    Value: !GetAtt 'ECSRole.Arn'
-    Export:
-      Name: !Sub ${EnvironmentName}:ECSRole
+  # ECSRole:
+  #   Description: The ARN of the ECS role
+  #   Value: !GetAtt 'ECSRole.Arn'
+  #   Export:
+  #     Name: !Sub ${EnvironmentName}:ECSRole
  ECSTaskExecutionRole:
    Description: The ARN of the ECS role
    Value: !GetAtt 'ECSTaskExecutionRole.Arn'