Lionel Martin li0nel

li0nel / ecr.yaml
Last active March 26, 2023 05:47
CloudFormation template for ECR
# One Docker registry that we will use both for the Laravel application
# image and our Nginx image.
# Note that if you give a name to the repository, CloudFormation can't
# update it without a full replacement.
ECR:
  Type: AWS::ECR::Repository
  Properties:
    # RepositoryName: !Sub ${AWS::StackName}-nginx
    RepositoryPolicyText:
      Version: "2012-10-17"
li0nel / ecs-role.yaml
Created December 10, 2017 13:19
CloudFormation template for our ECS role
# This IAM Role is attached to all of the ECS hosts. It is based on the default role
# published here:
# http://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html
#
# You can add other IAM policy statements here to allow access from your ECS hosts
# to other AWS services. Please note that this role will be used by ALL containers
# running on the ECS host.
ECSRole:
  Type: AWS::IAM::Role
li0nel / ecs.yaml
Created December 10, 2017 13:18
CloudFormation template for ECS
# This template defines our ECS cluster and its desired size.
# The Launch Configuration defines how each new instance in our cluster should be bootstrapped
# through its User Data
# The Metadata object gets EC2 instances to register in the ECS cluster
ECSCluster:
  Type: AWS::ECS::Cluster
  Properties:
    ClusterName: !Ref EnvironmentName
ECSAutoScalingGroup:
li0nel / s3.yaml
Created December 10, 2017 12:38
CloudFormation S3 template
# CloudFormation will generate one unique bucket name for us
# Nothing else to do!
Bucket:
  Type: AWS::S3::Bucket
  Properties:
    AccessControl: PublicRead
li0nel / database-security-group.yaml
Created December 10, 2017 12:19
RDS security group
# This security group defines who/where is allowed to access the RDS instance.
# Only instances associated with our ECS security group can reach the database endpoint.
DBSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Open database for access
    VpcId: !Ref VPC
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: '3306'
li0nel / load-balancer-security-group.yaml
Created December 10, 2017 12:16
ELB security group
# This security group defines who/where is allowed to access the Application Load Balancer.
# By default, we've opened this up to the public internet (0.0.0.0/0) but you can restrict
# it further if you want.
LoadBalancerSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    VpcId: !Ref VPC
    GroupDescription: Access to the load balancer that sits in front of ECS
    SecurityGroupIngress:
      # Allow access from anywhere to our ECS services
li0nel / security-group-ecs.yml
Created December 10, 2017 12:14
CloudFormation template for ECS security group
# This security group defines who/where is allowed to access the ECS hosts directly.
# By default we're just allowing access from the load balancer. If you want to SSH
# into the hosts, or expose non-load balanced services you can open their ports here.
ECSSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    VpcId: !Ref VPC
    GroupDescription: Access to the ECS hosts and the tasks/containers that run on them
    SecurityGroupIngress:
      # Only allow inbound access to ECS from the ELB
li0nel / elasticsearch.yml
Created December 9, 2017 15:38
CloudFormation stack for an ElasticSearch domain
Elasticsearch:
  Type: AWS::Elasticsearch::Domain
  Properties:
    DomainName: !Sub ${AWS::StackName}-es
    ElasticsearchVersion: 5.5
    ElasticsearchClusterConfig:
      InstanceType: t2.small.elasticsearch
      ZoneAwarenessEnabled: false
      InstanceCount: 1
    EBSOptions:
li0nel / storage-high-availability.yaml
Created December 9, 2017 11:15
CloudFormation stack for a DB Cluster read replica
DatabaseReplicaInstance:
  Type: AWS::RDS::DBInstance
  DependsOn: DatabasePrimaryInstance
  Properties:
    Engine: aurora
    DBClusterIdentifier: !Ref DatabaseCluster
    DBInstanceClass: !Ref DatabaseInstanceType
    DBSubnetGroupName: !Ref DatabaseSubnetGroup
li0nel / nginx.conf
Created December 9, 2017 11:12
Enable Nginx rewrite to serve assets from CloudFront
location ~ \.php$ {
    root /var/www/html/public;
    fastcgi_cache cache_key;
    fastcgi_cache_valid 200 204 1m;
    fastcgi_ignore_headers Cache-Control;
    fastcgi_no_cache $http_authorization $cookie_laravel_session;
    fastcgi_cache_lock on;
    fastcgi_cache_lock_timeout 10s;
    add_header X-Proxy-Cache $upstream_cache_status;