Created
December 9, 2017 10:59
-
-
Save li0nel/ef977beb7bc59372b3345893aa44f82e to your computer and use it in GitHub Desktop.
CloudFormation stack for the web tier
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ECSCluster: | |
| Type: AWS::ECS::Cluster | |
| Properties: | |
| ClusterName: !Ref EnvironmentName | |
| ECSAutoScalingGroup: | |
| Type: AWS::AutoScaling::AutoScalingGroup | |
| Properties: | |
| VPCZoneIdentifier: !Ref PrivateSubnets | |
| LaunchConfigurationName: !Ref ECSLaunchConfiguration | |
| MinSize: !Ref ClusterSize | |
| MaxSize: !Ref ClusterSize | |
| DesiredCapacity: !Ref ClusterSize | |
| Tags: | |
| - Key: Name | |
| Value: !Sub ${EnvironmentName} ECS host | |
| PropagateAtLaunch: true | |
| CreationPolicy: | |
| ResourceSignal: | |
| Timeout: PT15M | |
| UpdatePolicy: | |
| AutoScalingReplacingUpdate: | |
| WillReplace: true | |
| AutoScalingRollingUpdate: | |
| MinInstancesInService: 1 | |
| MaxBatchSize: 1 | |
| PauseTime: PT15M | |
| SuspendProcesses: | |
| - HealthCheck | |
| - ReplaceUnhealthy | |
| - AZRebalance | |
| - AlarmNotification | |
| - ScheduledActions | |
| WaitOnResourceSignals: true | |
| ECSLaunchConfiguration: | |
| Type: AWS::AutoScaling::LaunchConfiguration | |
| Properties: | |
| ImageId: !FindInMap [AWSRegionToAMI, !Ref "AWS::Region", AMI] | |
| InstanceType: !Ref InstanceType | |
| SecurityGroups: | |
| - !Ref ECSSecurityGroup | |
| IamInstanceProfile: !Ref ECSInstanceProfile | |
| KeyName: laravelaws | |
| UserData: | |
| "Fn::Base64": !Sub | | |
| #!/bin/bash | |
| yum update -y | |
| yum install -y aws-cfn-bootstrap aws-cli go | |
| echo '{ "credsStore": "ecr-login" }' > ~/.docker/config.json | |
| go get -u github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login | |
| cd /home/ec2-user/go/src/github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login | |
| go build | |
| export PATH=$PATH:/home/ec2-user/go/bin | |
| /opt/aws/bin/cfn-init -v --region ${AWS::Region} --stack ${AWS::StackName} --resource ECSLaunchConfiguration | |
| /opt/aws/bin/cfn-signal -e $? --region ${AWS::Region} --stack ${AWS::StackName} --resource ECSAutoScalingGroup | |
| Metadata: | |
| AWS::CloudFormation::Init: | |
| config: | |
| commands: | |
| 01_add_instance_to_cluster: | |
| command: !Sub echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config | |
| files: | |
| "/etc/cfn/cfn-hup.conf": | |
| mode: 000400 | |
| owner: root | |
| group: root | |
| content: !Sub | | |
| [main] | |
| stack=${AWS::StackId} | |
| region=${AWS::Region} | |
| "/etc/cfn/hooks.d/cfn-auto-reloader.conf": | |
| content: !Sub | | |
| [cfn-auto-reloader-hook] | |
| triggers=post.update | |
| path=Resources.ECSLaunchConfiguration.Metadata.AWS::CloudFormation::Init | |
| action=/opt/aws/bin/cfn-init -v --region ${AWS::Region} --stack ${AWS::StackName} --resource ECSLaunchConfiguration | |
| services: | |
| sysvinit: | |
| cfn-hup: | |
| enabled: true | |
| ensureRunning: true | |
| files: | |
| - /etc/cfn/cfn-hup.conf | |
| - /etc/cfn/hooks.d/cfn-auto-reloader.conf | |
| # This IAM Role is attached to all of the ECS hosts. It is based on the default role | |
| # published here: | |
| # http://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html | |
| # | |
| # You can add other IAM policy statements here to allow access from your ECS hosts | |
| # to other AWS services. Please note that this role will be used by ALL containers | |
| # running on the ECS host. | |
| ECSRole: | |
| Type: AWS::IAM::Role | |
| Properties: | |
| Path: / | |
| RoleName: !Sub ${EnvironmentName}-ECSRole-${AWS::Region} | |
| AssumeRolePolicyDocument: | | |
| { | |
| "Statement": [{ | |
| "Action": "sts:AssumeRole", | |
| "Effect": "Allow", | |
| "Principal": { | |
| "Service": "ec2.amazonaws.com" | |
| } | |
| }] | |
| } | |
| ManagedPolicyArns: | |
| - "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role" | |
| Policies: | |
| - PolicyName: ecs-service | |
| PolicyDocument: | | |
| { | |
| "Statement": [{ | |
| "Effect": "Allow", | |
| "Action": [ | |
| "ecs:CreateCluster", | |
| "ecs:DeregisterContainerInstance", | |
| "ecs:DiscoverPollEndpoint", | |
| "ecs:Poll", | |
| "ecs:RegisterContainerInstance", | |
| "ecs:StartTelemetrySession", | |
| "ecs:Submit*", | |
| "logs:CreateLogStream", | |
| "logs:PutLogEvents", | |
| "ecr:BatchCheckLayerAvailability", | |
| "ecr:BatchGetImage", | |
| "ecr:GetDownloadUrlForLayer", | |
| "ecr:GetAuthorizationToken" | |
| ], | |
| "Resource": "*" | |
| }] | |
| } | |
| - PolicyName: ec2-s3-write-access | |
| PolicyDocument: | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - s3:PutObject | |
| - s3:GetBucketAcl | |
| - s3:PutObjectTagging | |
| - s3:ListBucket | |
| - s3:PutObjectAcl | |
| Resource: !Sub arn:aws:s3:::${S3BucketName}/* | |
| - PolicyName: ec2-cloudwatch-write-access | |
| PolicyDocument: | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - logs:CreateLogStream | |
| - logs:PutLogEvents | |
| - logs:CreateLogGroup | |
| Resource: "*" | |
| ECSInstanceProfile: | |
| Type: AWS::IAM::InstanceProfile | |
| Properties: | |
| Path: / | |
| Roles: | |
| - !Ref ECSRole | |
| ECR1: | |
| Type: AWS::ECR::Repository | |
| Properties: | |
| # RepositoryName: !Sub ${AWS::StackName}-nginx | |
| RepositoryPolicyText: | |
| Version: "2012-10-17" | |
| Statement: | |
| - | |
| Sid: AllowPushPull | |
| Effect: Allow | |
| Principal: | |
| AWS: | |
| - !Sub arn:aws:iam::${AWS::AccountId}:role/${ECSRole} | |
| Action: | |
| - "ecr:GetDownloadUrlForLayer" | |
| - "ecr:BatchGetImage" | |
| - "ecr:BatchCheckLayerAvailability" | |
| - "ecr:PutImage" | |
| - "ecr:InitiateLayerUpload" | |
| - "ecr:UploadLayerPart" | |
| - "ecr:CompleteLayerUpload" | |
| ECR2: | |
| Type: AWS::ECR::Repository | |
| Properties: | |
| # RepositoryName: !Sub ${AWS::StackName}-laravel | |
| RepositoryPolicyText: | |
| Version: "2012-10-17" | |
| Statement: | |
| - | |
| Sid: AllowPushPull | |
| Effect: Allow | |
| Principal: | |
| AWS: | |
| - !Sub arn:aws:iam::${AWS::AccountId}:role/${ECSRole} | |
| Action: | |
| - "ecr:GetDownloadUrlForLayer" | |
| - "ecr:BatchGetImage" | |
| - "ecr:BatchCheckLayerAvailability" | |
| - "ecr:PutImage" | |
| - "ecr:InitiateLayerUpload" | |
| - "ecr:UploadLayerPart" | |
| - "ecr:CompleteLayerUpload" | |
| LoadBalancer: | |
| Type: AWS::ElasticLoadBalancingV2::LoadBalancer | |
| Properties: | |
| Name: !Ref EnvironmentName | |
| Subnets: !Ref PublicSubnets | |
| SecurityGroups: | |
| - !Ref LBSecurityGroup | |
| Tags: | |
| - Key: Name | |
| Value: !Ref EnvironmentName | |
| LoadBalancerListenerHTTP: | |
| Type: AWS::ElasticLoadBalancingV2::Listener | |
| Properties: | |
| LoadBalancerArn: !Ref LoadBalancer | |
| Port: 80 | |
| Protocol: HTTP | |
| DefaultActions: | |
| - Type: forward | |
| TargetGroupArn: !Ref DefaultTargetGroup | |
| LoadBalancerListenerHTTPS: | |
| Type: AWS::ElasticLoadBalancingV2::Listener | |
| Properties: | |
| LoadBalancerArn: !Ref LoadBalancer | |
| Port: 443 | |
| Protocol: HTTPS | |
| Certificates: | |
| - CertificateArn: !Ref LBCertificateArn | |
| DefaultActions: | |
| - Type: forward | |
| TargetGroupArn: !Ref DefaultTargetGroup | |
| # We define a default target group here, as this is a mandatory Parameters | |
| # when creating an Application Load Balancer Listener. This is not used, instead | |
| # a target group is created per-service in each service template (../services/*) | |
| DefaultTargetGroup: | |
| Type: AWS::ElasticLoadBalancingV2::TargetGroup | |
| Properties: | |
| Name: !Sub ${EnvironmentName}-default | |
| VpcId: !Ref VPC | |
| Port: 80 | |
| Protocol: HTTP |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment