mgmarino · March 27, 2021 12:01
diff --git a/example-voila-stack.yaml b/example-voila-stack.yaml
 AWSTemplateFormatVersion: '2010-09-09'
 Description: Voila Microservice Stack

 Parameters:
  Environment:
    Type: String
    AllowedValues:
    - staging
    - production
  ECRRegistry:
    Type: String
  Version:
    Type: String
  wildcardCertificate:
    Type: String
  ContainerPort:
    Type: Number
    Default: 8080

 Mappings:
  EnvironmentMap:
    staging:
      VPC: ** 
      PublicDNSName: your-dns-name 
      AvailabilityZones: **
        -
      Subnets:
        - 
      PrivateSubnets:
      RDSSecurityGroup: 
      FargateCPU: ** 
      FargateRAM: **
    production:
      VPC: ** 
      PublicDNSName: your-dns-name 
      AvailabilityZones: **
        -
      Subnets:
        - 
      PrivateSubnets:
      RDSSecurityGroup: 
      FargateCPU: ** 
      FargateRAM: **

 Resources:
  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      CapacityProviders:
        - FARGATE_SPOT
      DefaultCapacityProviderStrategy:
        - CapacityProvider: FARGATE_SPOT
          Weight: 1

  ECSSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ECS Security Group
      VpcId: !FindInMap [ EnvironmentMap, !Ref Environment, VPC ]

  ELBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ELB Security Group
      VpcId: !FindInMap [ EnvironmentMap, !Ref Environment, VPC ]
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
          Description: Standard HTTPS in
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
          Description: HTTP in, will be redirected

  ECSSecurityGroupHTTPInbound:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref ECSSecurityGroup
      IpProtocol: tcp
      FromPort: 1
      ToPort: 65535
      SourceSecurityGroupId: !Ref ELBSecurityGroup

  ECSALB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: !Sub notebook-sharing-${Environment}
      Scheme: internet-facing
      LoadBalancerAttributes:
      - Key: idle_timeout.timeout_seconds
        Value: '60'
      - Key: access_logs.s3.enabled
        Value: 'true'
      Subnets: !FindInMap [ EnvironmentMap, !Ref Environment, Subnets ]
      SecurityGroups:
        - !Ref ELBSecurityGroup

  HttpListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
      - RedirectConfig:
          Host: '#{host}'
          Path: '/#{path}'
          Port: '443'
          Protocol: HTTPS
          Query: '#{query}'
          StatusCode: HTTP_301
        Type: redirect
      LoadBalancerArn: !Ref ECSALB
      Port: 80
      Protocol: HTTP

 ## Voila
  TargetGroupServer:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    DependsOn: ECSALB
    Properties:
      TargetGroupAttributes:
      - Key: deregistration_delay.timeout_seconds
        Value: '30'
      HealthCheckIntervalSeconds: 30
      HealthCheckPath: /
      HealthCheckTimeoutSeconds: 5
      HealthyThresholdCount: 2
      UnhealthyThresholdCount: 10
      Matcher:
        HttpCode: '200,403'
      TargetType: ip
      Port: !Ref ContainerPort
      Protocol: HTTP
      VpcId: !FindInMap [ EnvironmentMap, !Ref Environment, VPC ]

  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: !Sub "${AWS::StackName}-service-task"
      RequiresCompatibilities:
      - FARGATE
      NetworkMode: awsvpc
      TaskRoleArn: !GetAtt ECSTaskRole.Arn
      ExecutionRoleArn: !GetAtt ECSExecutionRole.Arn
      Cpu: !FindInMap [ EnvironmentMap, !Ref Environment, FargateCPU ]
      Memory: !FindInMap [ EnvironmentMap, !Ref Environment, FargateRAM ]
      ContainerDefinitions:
      - Name: voila
        Essential: true
        Image: !Sub "${ECRRegistry}/notebook-server/voila:${Version}"
        LogConfiguration:
          LogDriver: awslogs
          Options:
            awslogs-group: !Ref CloudwatchLogsGroup
            awslogs-region: !Sub ${AWS::Region}
            awslogs-stream-prefix: !Sub "notebook-server-${Environment}"
        PortMappings:
        - ContainerPort: !Ref ContainerPort

  Service:
    Type: AWS::ECS::Service
    DependsOn:
      - HttpListener
      - HttpsListener
    Properties:
      Cluster: !Ref ECSCluster
      DesiredCount: 1
      HealthCheckGracePeriodSeconds: 30
      PlatformVersion: 1.4.0
      NetworkConfiguration:
        AwsvpcConfiguration:
          SecurityGroups:
          - !Ref ECSSecurityGroup
          Subnets: !FindInMap [ EnvironmentMap, !Ref Environment, PrivateSubnets ]
      LoadBalancers:
      - ContainerName: voila
        ContainerPort: !Ref ContainerPort
        TargetGroupArn: !Ref TargetGroupServer
      TaskDefinition: !Ref TaskDefinition
      PropagateTags: SERVICE

  ECSTaskRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'ecs-task-role-${AWS::StackName}-${Environment}'
      AssumeRolePolicyDocument:
        Statement:
        - Effect: Allow
          Principal:
            Service:
              - ecs.amazonaws.com
          Action: ['sts:AssumeRole']
      Path: /
      Policies:
        - **
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly

  ECSExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ecs.amazonaws.com]
            Action: ['sts:AssumeRole']
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: !Sub 'notebook-${Environment}'
      AutoVerifiedAttributes:
        - email
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: true
        UnusedAccountValidityDays: 365
      Schema:
        - Name: name
          AttributeDataType: String
          Mutable: true
        - Name: email
          AttributeDataType: String
          Mutable: true
        - Name: picture
          AttributeDataType: String
          Mutable: true

  UserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      UserPoolId: !Ref UserPool
      Domain: !Sub 'tado-notebook-${Environment}'

  UserPoolIdentityProvider:
    Type: AWS::Cognito::UserPoolIdentityProvider
    Properties:
      UserPoolId: !Ref UserPool
      ProviderType: Google
      ProviderName: Google
      ProviderDetails:
        client_id: ** Fill in ** 
        client_secret: ** Fill in **
        authorize_scopes: profile email openid
      AttributeMapping:
        email: email
        name: name
        picture: picture
        username: sub

  UIUserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    DependsOn: UserPoolIdentityProvider
    Properties:
      ClientName: Notebook-Share-UI
      GenerateSecret: true
      UserPoolId: !Ref UserPool
      AllowedOAuthFlows: [code, implicit]
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthScopes: [email, openid, profile]
      SupportedIdentityProviders: [Google]
      CallbackURLs:
        - !Sub 'https://${ECSALB.DNSName}/oauth2/idpresponse'
        - Fn::Sub:
          - 'https://${PublicDNSName}/oauth2/idpresponse'
          - {
            PublicDNSName: !FindInMap [ EnvironmentMap, !Ref Environment, PublicDNSName ]
          }

 ## Listener
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      Certificates:
      - CertificateArn: !Ref wildcardCertificate
      DefaultActions:
      - Order: 1
        AuthenticateCognitoConfig:
          UserPoolArn: !GetAtt UserPool.Arn
          UserPoolClientId: !Ref UIUserPoolClient
          UserPoolDomain: !Ref UserPoolDomain
        Type: authenticate-cognito
      - Order: 2
        TargetGroupArn: !Ref TargetGroupServer
        Type: forward
      LoadBalancerArn: !Ref ECSALB
      Port: 443
      Protocol: HTTPS

 Outputs:
  LoadBalancerDNS:
    Description: ALB DNS URL
    Value: !GetAtt ECSALB.DNSName
    Export:
      Name: !Sub "${AWS::StackName}-DnsUrl"
	AWSTemplateFormatVersion: '2010-09-09'
	Description: Voila Microservice Stack

	Parameters:
	Environment:
	Type: String
	AllowedValues:
	- staging
	- production
	ECRRegistry:
	Type: String
	Version:
	Type: String
	wildcardCertificate:
	Type: String
	ContainerPort:
	Type: Number
	Default: 8080

	Mappings:
	EnvironmentMap:
	staging:
	VPC: **
	PublicDNSName: your-dns-name
	AvailabilityZones: **
	-
	Subnets:
	-
	PrivateSubnets:
	RDSSecurityGroup:
	FargateCPU: **
	FargateRAM: **
	production:
	VPC: **
	PublicDNSName: your-dns-name
	AvailabilityZones: **
	-
	Subnets:
	-
	PrivateSubnets:
	RDSSecurityGroup:
	FargateCPU: **
	FargateRAM: **

	Resources:
	ECSCluster:
	Type: AWS::ECS::Cluster
	Properties:
	CapacityProviders:
	- FARGATE_SPOT
	DefaultCapacityProviderStrategy:
	- CapacityProvider: FARGATE_SPOT
	Weight: 1

	ECSSecurityGroup:
	Type: AWS::EC2::SecurityGroup
	Properties:
	GroupDescription: ECS Security Group
	VpcId: !FindInMap [ EnvironmentMap, !Ref Environment, VPC ]

	ELBSecurityGroup:
	Type: AWS::EC2::SecurityGroup
	Properties:
	GroupDescription: ELB Security Group
	VpcId: !FindInMap [ EnvironmentMap, !Ref Environment, VPC ]
	SecurityGroupIngress:
	- IpProtocol: tcp
	FromPort: 443
	ToPort: 443
	CidrIp: 0.0.0.0/0
	Description: Standard HTTPS in
	- IpProtocol: tcp
	FromPort: 80
	ToPort: 80
	CidrIp: 0.0.0.0/0
	Description: HTTP in, will be redirected

	ECSSecurityGroupHTTPInbound:
	Type: AWS::EC2::SecurityGroupIngress
	Properties:
	GroupId: !Ref ECSSecurityGroup
	IpProtocol: tcp
	FromPort: 1
	ToPort: 65535
	SourceSecurityGroupId: !Ref ELBSecurityGroup

	ECSALB:
	Type: AWS::ElasticLoadBalancingV2::LoadBalancer
	Properties:
	Name: !Sub notebook-sharing-${Environment}
	Scheme: internet-facing
	LoadBalancerAttributes:
	- Key: idle_timeout.timeout_seconds
	Value: '60'
	- Key: access_logs.s3.enabled
	Value: 'true'
	Subnets: !FindInMap [ EnvironmentMap, !Ref Environment, Subnets ]
	SecurityGroups:
	- !Ref ELBSecurityGroup

	HttpListener:
	Type: AWS::ElasticLoadBalancingV2::Listener
	Properties:
	DefaultActions:
	- RedirectConfig:
	Host: '#{host}'
	Path: '/#{path}'
	Port: '443'
	Protocol: HTTPS
	Query: '#{query}'
	StatusCode: HTTP_301
	Type: redirect
	LoadBalancerArn: !Ref ECSALB
	Port: 80
	Protocol: HTTP

	## Voila
	TargetGroupServer:
	Type: AWS::ElasticLoadBalancingV2::TargetGroup
	DependsOn: ECSALB
	Properties:
	TargetGroupAttributes:
	- Key: deregistration_delay.timeout_seconds
	Value: '30'
	HealthCheckIntervalSeconds: 30
	HealthCheckPath: /
	HealthCheckTimeoutSeconds: 5
	HealthyThresholdCount: 2
	UnhealthyThresholdCount: 10
	Matcher:
	HttpCode: '200,403'
	TargetType: ip
	Port: !Ref ContainerPort
	Protocol: HTTP
	VpcId: !FindInMap [ EnvironmentMap, !Ref Environment, VPC ]

	TaskDefinition:
	Type: AWS::ECS::TaskDefinition
	Properties:
	Family: !Sub "${AWS::StackName}-service-task"
	RequiresCompatibilities:
	- FARGATE
	NetworkMode: awsvpc
	TaskRoleArn: !GetAtt ECSTaskRole.Arn
	ExecutionRoleArn: !GetAtt ECSExecutionRole.Arn
	Cpu: !FindInMap [ EnvironmentMap, !Ref Environment, FargateCPU ]
	Memory: !FindInMap [ EnvironmentMap, !Ref Environment, FargateRAM ]
	ContainerDefinitions:
	- Name: voila
	Essential: true
	Image: !Sub "${ECRRegistry}/notebook-server/voila:${Version}"
	LogConfiguration:
	LogDriver: awslogs
	Options:
	awslogs-group: !Ref CloudwatchLogsGroup
	awslogs-region: !Sub ${AWS::Region}
	awslogs-stream-prefix: !Sub "notebook-server-${Environment}"
	PortMappings:
	- ContainerPort: !Ref ContainerPort

	Service:
	Type: AWS::ECS::Service
	DependsOn:
	- HttpListener
	- HttpsListener
	Properties:
	Cluster: !Ref ECSCluster
	DesiredCount: 1
	HealthCheckGracePeriodSeconds: 30
	PlatformVersion: 1.4.0
	NetworkConfiguration:
	AwsvpcConfiguration:
	SecurityGroups:
	- !Ref ECSSecurityGroup
	Subnets: !FindInMap [ EnvironmentMap, !Ref Environment, PrivateSubnets ]
	LoadBalancers:
	- ContainerName: voila
	ContainerPort: !Ref ContainerPort
	TargetGroupArn: !Ref TargetGroupServer
	TaskDefinition: !Ref TaskDefinition
	PropagateTags: SERVICE

	ECSTaskRole:
	Type: AWS::IAM::Role
	Properties:
	RoleName: !Sub 'ecs-task-role-${AWS::StackName}-${Environment}'
	AssumeRolePolicyDocument:
	Statement:
	- Effect: Allow
	Principal:
	Service:
	- ecs.amazonaws.com
	Action: ['sts:AssumeRole']
	Path: /
	Policies:
	- **
	ManagedPolicyArns:
	- arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly

	ECSExecutionRole:
	Type: AWS::IAM::Role
	Properties:
	AssumeRolePolicyDocument:
	Statement:
	- Effect: Allow
	Principal:
	Service: [ecs.amazonaws.com]
	Action: ['sts:AssumeRole']
	Path: /
	ManagedPolicyArns:
	- arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

	UserPool:
	Type: AWS::Cognito::UserPool
	Properties:
	UserPoolName: !Sub 'notebook-${Environment}'
	AutoVerifiedAttributes:
	- email
	AdminCreateUserConfig:
	AllowAdminCreateUserOnly: true
	UnusedAccountValidityDays: 365
	Schema:
	- Name: name
	AttributeDataType: String
	Mutable: true
	- Name: email
	AttributeDataType: String
	Mutable: true
	- Name: picture
	AttributeDataType: String
	Mutable: true

	UserPoolDomain:
	Type: AWS::Cognito::UserPoolDomain
	Properties:
	UserPoolId: !Ref UserPool
	Domain: !Sub 'tado-notebook-${Environment}'

	UserPoolIdentityProvider:
	Type: AWS::Cognito::UserPoolIdentityProvider
	Properties:
	UserPoolId: !Ref UserPool
	ProviderType: Google
	ProviderName: Google
	ProviderDetails:
	client_id: Fill in
	client_secret: Fill in
	authorize_scopes: profile email openid
	AttributeMapping:
	email: email
	name: name
	picture: picture
	username: sub

	UIUserPoolClient:
	Type: AWS::Cognito::UserPoolClient
	DependsOn: UserPoolIdentityProvider
	Properties:
	ClientName: Notebook-Share-UI
	GenerateSecret: true
	UserPoolId: !Ref UserPool
	AllowedOAuthFlows: [code, implicit]
	AllowedOAuthFlowsUserPoolClient: true
	AllowedOAuthScopes: [email, openid, profile]
	SupportedIdentityProviders: [Google]
	CallbackURLs:
	- !Sub 'https://${ECSALB.DNSName}/oauth2/idpresponse'
	- Fn::Sub:
	- 'https://${PublicDNSName}/oauth2/idpresponse'
	- {
	PublicDNSName: !FindInMap [ EnvironmentMap, !Ref Environment, PublicDNSName ]
	}

	## Listener
	HttpsListener:
	Type: AWS::ElasticLoadBalancingV2::Listener
	Properties:
	Certificates:
	- CertificateArn: !Ref wildcardCertificate
	DefaultActions:
	- Order: 1
	AuthenticateCognitoConfig:
	UserPoolArn: !GetAtt UserPool.Arn
	UserPoolClientId: !Ref UIUserPoolClient
	UserPoolDomain: !Ref UserPoolDomain
	Type: authenticate-cognito
	- Order: 2
	TargetGroupArn: !Ref TargetGroupServer
	Type: forward
	LoadBalancerArn: !Ref ECSALB
	Port: 443
	Protocol: HTTPS

	Outputs:
	LoadBalancerDNS:
	Description: ALB DNS URL
	Value: !GetAtt ECSALB.DNSName
	Export:
	Name: !Sub "${AWS::StackName}-DnsUrl"