Created
March 27, 2021 12:01
-
-
Save mgmarino/12f0f6b64c3bce8ab4d4eda88eb4e34f to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
AWSTemplateFormatVersion: '2010-09-09' | |
Description: Voila Microservice Stack | |
Parameters: | |
Environment: | |
Type: String | |
AllowedValues: | |
- staging | |
- production | |
ECRRegistry: | |
Type: String | |
Version: | |
Type: String | |
wildcardCertificate: | |
Type: String | |
ContainerPort: | |
Type: Number | |
Default: 8080 | |
Mappings: | |
EnvironmentMap: | |
staging: | |
VPC: ** | |
PublicDNSName: your-dns-name | |
AvailabilityZones: ** | |
- | |
Subnets: | |
- | |
PrivateSubnets: | |
RDSSecurityGroup: | |
FargateCPU: ** | |
FargateRAM: ** | |
production: | |
VPC: ** | |
PublicDNSName: your-dns-name | |
AvailabilityZones: ** | |
- | |
Subnets: | |
- | |
PrivateSubnets: | |
RDSSecurityGroup: | |
FargateCPU: ** | |
FargateRAM: ** | |
Resources: | |
ECSCluster: | |
Type: AWS::ECS::Cluster | |
Properties: | |
CapacityProviders: | |
- FARGATE_SPOT | |
DefaultCapacityProviderStrategy: | |
- CapacityProvider: FARGATE_SPOT | |
Weight: 1 | |
ECSSecurityGroup: | |
Type: AWS::EC2::SecurityGroup | |
Properties: | |
GroupDescription: ECS Security Group | |
VpcId: !FindInMap [ EnvironmentMap, !Ref Environment, VPC ] | |
ELBSecurityGroup: | |
Type: AWS::EC2::SecurityGroup | |
Properties: | |
GroupDescription: ELB Security Group | |
VpcId: !FindInMap [ EnvironmentMap, !Ref Environment, VPC ] | |
SecurityGroupIngress: | |
- IpProtocol: tcp | |
FromPort: 443 | |
ToPort: 443 | |
CidrIp: 0.0.0.0/0 | |
Description: Standard HTTPS in | |
- IpProtocol: tcp | |
FromPort: 80 | |
ToPort: 80 | |
CidrIp: 0.0.0.0/0 | |
Description: HTTP in, will be redirected | |
ECSSecurityGroupHTTPInbound: | |
Type: AWS::EC2::SecurityGroupIngress | |
Properties: | |
GroupId: !Ref ECSSecurityGroup | |
IpProtocol: tcp | |
FromPort: 1 | |
ToPort: 65535 | |
SourceSecurityGroupId: !Ref ELBSecurityGroup | |
ECSALB: | |
Type: AWS::ElasticLoadBalancingV2::LoadBalancer | |
Properties: | |
Name: !Sub notebook-sharing-${Environment} | |
Scheme: internet-facing | |
LoadBalancerAttributes: | |
- Key: idle_timeout.timeout_seconds | |
Value: '60' | |
- Key: access_logs.s3.enabled | |
Value: 'true' | |
Subnets: !FindInMap [ EnvironmentMap, !Ref Environment, Subnets ] | |
SecurityGroups: | |
- !Ref ELBSecurityGroup | |
HttpListener: | |
Type: AWS::ElasticLoadBalancingV2::Listener | |
Properties: | |
DefaultActions: | |
- RedirectConfig: | |
Host: '#{host}' | |
Path: '/#{path}' | |
Port: '443' | |
Protocol: HTTPS | |
Query: '#{query}' | |
StatusCode: HTTP_301 | |
Type: redirect | |
LoadBalancerArn: !Ref ECSALB | |
Port: 80 | |
Protocol: HTTP | |
## Voila | |
TargetGroupServer: | |
Type: AWS::ElasticLoadBalancingV2::TargetGroup | |
DependsOn: ECSALB | |
Properties: | |
TargetGroupAttributes: | |
- Key: deregistration_delay.timeout_seconds | |
Value: '30' | |
HealthCheckIntervalSeconds: 30 | |
HealthCheckPath: / | |
HealthCheckTimeoutSeconds: 5 | |
HealthyThresholdCount: 2 | |
UnhealthyThresholdCount: 10 | |
Matcher: | |
HttpCode: '200,403' | |
TargetType: ip | |
Port: !Ref ContainerPort | |
Protocol: HTTP | |
VpcId: !FindInMap [ EnvironmentMap, !Ref Environment, VPC ] | |
TaskDefinition: | |
Type: AWS::ECS::TaskDefinition | |
Properties: | |
Family: !Sub "${AWS::StackName}-service-task" | |
RequiresCompatibilities: | |
- FARGATE | |
NetworkMode: awsvpc | |
TaskRoleArn: !GetAtt ECSTaskRole.Arn | |
ExecutionRoleArn: !GetAtt ECSExecutionRole.Arn | |
Cpu: !FindInMap [ EnvironmentMap, !Ref Environment, FargateCPU ] | |
Memory: !FindInMap [ EnvironmentMap, !Ref Environment, FargateRAM ] | |
ContainerDefinitions: | |
- Name: voila | |
Essential: true | |
Image: !Sub "${ECRRegistry}/notebook-server/voila:${Version}" | |
LogConfiguration: | |
LogDriver: awslogs | |
Options: | |
awslogs-group: !Ref CloudwatchLogsGroup | |
awslogs-region: !Sub ${AWS::Region} | |
awslogs-stream-prefix: !Sub "notebook-server-${Environment}" | |
PortMappings: | |
- ContainerPort: !Ref ContainerPort | |
Service: | |
Type: AWS::ECS::Service | |
DependsOn: | |
- HttpListener | |
- HttpsListener | |
Properties: | |
Cluster: !Ref ECSCluster | |
DesiredCount: 1 | |
HealthCheckGracePeriodSeconds: 30 | |
PlatformVersion: 1.4.0 | |
NetworkConfiguration: | |
AwsvpcConfiguration: | |
SecurityGroups: | |
- !Ref ECSSecurityGroup | |
Subnets: !FindInMap [ EnvironmentMap, !Ref Environment, PrivateSubnets ] | |
LoadBalancers: | |
- ContainerName: voila | |
ContainerPort: !Ref ContainerPort | |
TargetGroupArn: !Ref TargetGroupServer | |
TaskDefinition: !Ref TaskDefinition | |
PropagateTags: SERVICE | |
ECSTaskRole: | |
Type: AWS::IAM::Role | |
Properties: | |
RoleName: !Sub 'ecs-task-role-${AWS::StackName}-${Environment}' | |
AssumeRolePolicyDocument: | |
Statement: | |
- Effect: Allow | |
Principal: | |
Service: | |
- ecs.amazonaws.com | |
Action: ['sts:AssumeRole'] | |
Path: / | |
Policies: | |
- ** | |
ManagedPolicyArns: | |
- arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly | |
ECSExecutionRole: | |
Type: AWS::IAM::Role | |
Properties: | |
AssumeRolePolicyDocument: | |
Statement: | |
- Effect: Allow | |
Principal: | |
Service: [ecs.amazonaws.com] | |
Action: ['sts:AssumeRole'] | |
Path: / | |
ManagedPolicyArns: | |
- arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy | |
UserPool: | |
Type: AWS::Cognito::UserPool | |
Properties: | |
UserPoolName: !Sub 'notebook-${Environment}' | |
AutoVerifiedAttributes: | |
AdminCreateUserConfig: | |
AllowAdminCreateUserOnly: true | |
UnusedAccountValidityDays: 365 | |
Schema: | |
- Name: name | |
AttributeDataType: String | |
Mutable: true | |
- Name: email | |
AttributeDataType: String | |
Mutable: true | |
- Name: picture | |
AttributeDataType: String | |
Mutable: true | |
UserPoolDomain: | |
Type: AWS::Cognito::UserPoolDomain | |
Properties: | |
UserPoolId: !Ref UserPool | |
Domain: !Sub 'tado-notebook-${Environment}' | |
UserPoolIdentityProvider: | |
Type: AWS::Cognito::UserPoolIdentityProvider | |
Properties: | |
UserPoolId: !Ref UserPool | |
ProviderType: Google | |
ProviderName: Google | |
ProviderDetails: | |
client_id: ** Fill in ** | |
client_secret: ** Fill in ** | |
authorize_scopes: profile email openid | |
AttributeMapping: | |
email: email | |
name: name | |
picture: picture | |
username: sub | |
UIUserPoolClient: | |
Type: AWS::Cognito::UserPoolClient | |
DependsOn: UserPoolIdentityProvider | |
Properties: | |
ClientName: Notebook-Share-UI | |
GenerateSecret: true | |
UserPoolId: !Ref UserPool | |
AllowedOAuthFlows: [code, implicit] | |
AllowedOAuthFlowsUserPoolClient: true | |
AllowedOAuthScopes: [email, openid, profile] | |
SupportedIdentityProviders: [Google] | |
CallbackURLs: | |
- !Sub 'https://${ECSALB.DNSName}/oauth2/idpresponse' | |
- Fn::Sub: | |
- 'https://${PublicDNSName}/oauth2/idpresponse' | |
- { | |
PublicDNSName: !FindInMap [ EnvironmentMap, !Ref Environment, PublicDNSName ] | |
} | |
## Listener | |
HttpsListener: | |
Type: AWS::ElasticLoadBalancingV2::Listener | |
Properties: | |
Certificates: | |
- CertificateArn: !Ref wildcardCertificate | |
DefaultActions: | |
- Order: 1 | |
AuthenticateCognitoConfig: | |
UserPoolArn: !GetAtt UserPool.Arn | |
UserPoolClientId: !Ref UIUserPoolClient | |
UserPoolDomain: !Ref UserPoolDomain | |
Type: authenticate-cognito | |
- Order: 2 | |
TargetGroupArn: !Ref TargetGroupServer | |
Type: forward | |
LoadBalancerArn: !Ref ECSALB | |
Port: 443 | |
Protocol: HTTPS | |
Outputs: | |
LoadBalancerDNS: | |
Description: ALB DNS URL | |
Value: !GetAtt ECSALB.DNSName | |
Export: | |
Name: !Sub "${AWS::StackName}-DnsUrl" | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment