Created
April 7, 2025 02:17
-
-
Save auxesis/de6bd286d2d3edc294377486c77bff44 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWSTemplateFormatVersion: '2010-09-09' | |
| Description: Deploy CipherStash Proxy to ECS Fargate | |
| Parameters: | |
| VpcId: | |
| Type: AWS::EC2::VPC::Id | |
| SubnetIds: | |
| Type: List<AWS::EC2::Subnet::Id> | |
| SecurityGroupId: | |
| Type: AWS::EC2::SecurityGroup::Id | |
| RdsHost: | |
| Type: String | |
| RdsPort: | |
| Type: String | |
| Default: '5432' | |
| RdsDatabaseName: | |
| Type: String | |
| RdsUsername: | |
| Type: String | |
| EcrImageUrl: | |
| Type: String | |
| Description: Full ECR Image URL (e.g. 123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/cipherstash-proxy:latest) | |
| CipherStashSecretArn: | |
| Type: String | |
| Description: ARN of the Secrets Manager secret containing CipherStash credentials | |
| Resources: | |
| LogGroup: | |
| Type: AWS::Logs::LogGroup | |
| Properties: | |
| LogGroupName: /ecs/cipherstash-proxy | |
| RetentionInDays: 14 | |
| TaskExecutionRole: | |
| Type: AWS::IAM::Role | |
| Properties: | |
| RoleName: ecsTaskExecutionRole | |
| AssumeRolePolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Principal: | |
| Service: ecs-tasks.amazonaws.com | |
| Action: sts:AssumeRole | |
| ManagedPolicyArns: | |
| - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy | |
| Policies: | |
| - PolicyName: CipherStashSecretAccess | |
| PolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - secretsmanager:GetSecretValue | |
| - kms:Decrypt | |
| Resource: !Ref CipherStashSecretArn | |
| TaskDefinition: | |
| Type: AWS::ECS::TaskDefinition | |
| Properties: | |
| Family: cipherstash-proxy | |
| Cpu: '256' | |
| Memory: '512' | |
| NetworkMode: awsvpc | |
| RequiresCompatibilities: | |
| - FARGATE | |
| RuntimePlatform: | |
| OperatingSystemFamily: LINUX | |
| CpuArchitecture: ARM64 | |
| ExecutionRoleArn: !GetAtt TaskExecutionRole.Arn | |
| ContainerDefinitions: | |
| - Name: cipherstash-proxy | |
| Image: !Ref EcrImageUrl | |
| Essential: true | |
| PortMappings: | |
| - ContainerPort: 6432 | |
| - ContainerPort: 9930 | |
| Environment: | |
| - Name: CS_DATABASE__HOST | |
| Value: !Ref RdsHost | |
| - Name: CS_DATABASE__PORT | |
| Value: !Ref RdsPort | |
| - Name: CS_DATABASE__USERNAME | |
| Value: !Ref RdsUsername | |
| - Name: CS_DATABASE__NAME | |
| Value: !Ref RdsDatabaseName | |
| - Name: CS_PROMETHEUS__ENABLED | |
| Value: 'true' | |
| - Name: CS_DATABASE__INSTALL_EQL | |
| Value: 'true' | |
| - Name: CS_DATABASE__INSTALL_EXAMPLE_SCHEMA | |
| Value: 'true' | |
| Secrets: | |
| - Name: CS_WORKSPACE_ID | |
| ValueFrom: !Sub "${CipherStashSecretArn}:CS_WORKSPACE_ID::" | |
| - Name: CS_CLIENT_ID | |
| ValueFrom: !Sub "${CipherStashSecretArn}:CS_CLIENT_ID::" | |
| - Name: CS_DEFAULT_KEYSET_ID | |
| ValueFrom: !Sub "${CipherStashSecretArn}:CS_DEFAULT_KEYSET_ID::" | |
| - Name: CS_CLIENT_KEY | |
| ValueFrom: !Sub "${CipherStashSecretArn}:CS_CLIENT_KEY::" | |
| - Name: CS_CLIENT_ACCESS_KEY | |
| ValueFrom: !Sub "${CipherStashSecretArn}:CS_CLIENT_ACCESS_KEY::" | |
| - Name: CS_DATABASE__PASSWORD | |
| ValueFrom: !Sub "${CipherStashSecretArn}:CS_DATABASE__PASSWORD::" | |
| LogConfiguration: | |
| LogDriver: awslogs | |
| Options: | |
| awslogs-group: /ecs/cipherstash-proxy | |
| awslogs-region: !Ref AWS::Region | |
| awslogs-stream-prefix: cipherstash-proxy | |
| Cluster: | |
| Type: AWS::ECS::Cluster | |
| Properties: | |
| ClusterName: ecs-app | |
| Service: | |
| Type: AWS::ECS::Service | |
| Properties: | |
| Cluster: !Ref Cluster | |
| ServiceName: CipherStashProxy | |
| LaunchType: FARGATE | |
| DesiredCount: 1 | |
| TaskDefinition: !Ref TaskDefinition | |
| NetworkConfiguration: | |
| AwsvpcConfiguration: | |
| Subnets: !Ref SubnetIds | |
| SecurityGroups: | |
| - !Ref SecurityGroupId | |
| AssignPublicIp: ENABLED | |
| Outputs: | |
| ClusterName: | |
| Value: !Ref Cluster | |
| ServiceName: | |
| Value: !Ref Service | |
| TaskDefinitionArn: | |
| Value: !Ref TaskDefinition | |
| LogGroupName: | |
| Value: !Ref LogGroup |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| aws cloudformation deploy \ | |
| --template-file cipherstash-proxy.yaml \ | |
| --stack-name cipherstash-proxy-stack \ | |
| --capabilities CAPABILITY_NAMED_IAM \ | |
| --parameter-overrides \ | |
| VpcId=vpc-xxxxxx \ | |
| SubnetIds=subnet-aaaaa,subnet-bbbbb \ | |
| SecurityGroupId=sg-xxxxxx \ | |
| RdsHost=mydb.cluster-xxxxxx.rds.amazonaws.com \ | |
| RdsPort=5432 \ | |
| RdsDatabaseName=mydb \ | |
| RdsUsername=myuser \ | |
| EcrImageUrl=111222333444.dkr.ecr.ap-southeast-2.amazonaws.com/cipherstash-proxy:latest \ | |
| CipherStashSecretArn=arn:aws:secretsmanager:ap-southeast-2:111222333444:secret:cipherstash-proxy-xxxxx |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment