snyk-omar · October 28, 2022 19:51
diff --git a/snyk-broker.template.yaml b/snyk-broker.template.yaml
 AWSTemplateFormatVersion: 2010-09-09
 Parameters:
  KeyName:
    Type: 'AWS::EC2::KeyPair::KeyName'
    Description: Name of an existing EC2 KeyPair to enable SSH access to the ECS instances.
  VpcId:
    Type: 'AWS::EC2::VPC::Id'
    Description: Select a VPC that allows instances to access the Internet.
  SubnetId:
    Type: 'List<AWS::EC2::Subnet::Id>'
    Description: Select at least two subnets in your selected VPC.
  DesiredCapacity:
    Type: Number
    Default: '1'
    Description: Number of instances to launch in your ECS cluster.
  MaxSize:
    Type: Number
    Default: '1'
    Description: Maximum number of instances that can be launched in your ECS cluster.
  InstanceType:
    Description: EC2 instance type
    Type: String
    Default: t2.micro
    AllowedValues:
      - t2.micro
    ConstraintDescription: Please choose a valid instance type.
 Mappings:
  AWSRegionToAMI:
    us-east-1:
      AMIID: ami-09bee01cc997a78a6
 Resources:
  ECSCluster:
    Type: 'AWS::ECS::Cluster'
  EcsSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: ECS Security Group
      VpcId: !Ref VpcId
  EcsSecurityGroupHTTPinbound:
    Type: 'AWS::EC2::SecurityGroupIngress'
    Properties:
      GroupId: !Ref EcsSecurityGroup
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIp: 0.0.0.0/0
  EcsSecurityGroupSSHinbound:
    Type: 'AWS::EC2::SecurityGroupIngress'
    Properties:
      GroupId: !Ref EcsSecurityGroup
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      CidrIp: 0.0.0.0/0
  EcsSecurityGroupALBports:
    Type: 'AWS::EC2::SecurityGroupIngress'
    Properties:
      GroupId: !Ref EcsSecurityGroup
      IpProtocol: tcp
      FromPort: 31000
      ToPort: 61000
      SourceSecurityGroupId: !Ref EcsSecurityGroup
  CloudwatchLogsGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      LogGroupName: !Join 
        - '-'
        - - ECSLogGroup
          - !Ref 'AWS::StackName'
      RetentionInDays: 7
  taskdefinition:
    Type: 'AWS::ECS::TaskDefinition'
    Properties:
      Family: !Join 
        - ''
        - - !Ref 'AWS::StackName'
          - '-snyk-broker'
      ContainerDefinitions:
        - Name: snyk-code-agent
          Cpu: 10
          Image: 'snyk/code-agent:latest'
          Memory: 200
          Environment:
            - PORT: 7000
            - SNYK_TOKEN: 
          PortMappings:
            - ContainerPort: 7000
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref CloudwatchLogsGroup
              awslogs-region: !Ref 'AWS::Region'
              awslogs-stream-prefix: ecs-demo-app
        - Name: snyk-broker
          Cpu: '10'
          Essential: 'true'
          Image: 'snyk/broker:azure-repos'
          Memory: '300'
          Environment:
            - BROKER_TOKEN: 
            - AZURE_REPOS_TOKEN: 
            - AZURE_REPOS_ORG:
            - AZURE_REPOS_HOST: 
            - BROKER_CLIENT_URL: 'http://snyk-broker:8000'
            - PORT: 8000
            - GIT_CLIENT_URL: 'http://snyk-code-agent:7000'
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref CloudwatchLogsGroup
              awslogs-region: !Ref 'AWS::Region'
              awslogs-stream-prefix: snyk-broker
          PortMappings:
            - ContainerPort: 8000
  ECSALB:
    Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
    Properties:
      Name: ECSALB
      Scheme: internet-facing
      LoadBalancerAttributes:
        - Key: idle_timeout.timeout_seconds
          Value: '30'
      Subnets: !Ref SubnetId
      SecurityGroups:
        - !Ref EcsSecurityGroup
  ALBListener:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    DependsOn: ECSServiceRole
    Properties:
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref ECSTG
      LoadBalancerArn: !Ref ECSALB
      Port: '80'
      Protocol: HTTP
  ECSALBListenerRule:
    Type: 'AWS::ElasticLoadBalancingV2::ListenerRule'
    DependsOn: ALBListener
    Properties:
      Actions:
        - Type: forward
          TargetGroupArn: !Ref ECSTG
      Conditions:
        - Field: path-pattern
          Values:
            - /
      ListenerArn: !Ref ALBListener
      Priority: 1
  ECSTG:
    Type: 'AWS::ElasticLoadBalancingV2::TargetGroup'
    DependsOn: ECSALB
    Properties:
      HealthCheckIntervalSeconds: 10
      HealthCheckPath: /
      HealthCheckProtocol: HTTP
      HealthCheckTimeoutSeconds: 5
      HealthyThresholdCount: 2
      Name: ECSTG
      Port: 80
      Protocol: HTTP
      UnhealthyThresholdCount: 2
      VpcId: !Ref VpcId
  # ECSAutoScalingGroup:
  #   Type: 'AWS::AutoScaling::AutoScalingGroup'
  #   Properties:
  #     VPCZoneIdentifier: !Ref SubnetId
  #     LaunchConfigurationName: !Ref ContainerInstances
  #     MinSize: '1'
  #     MaxSize: !Ref MaxSize
  #     DesiredCapacity: !Ref DesiredCapacity
  #   CreationPolicy:
  #     ResourceSignal:
  #       Timeout: PT15M
  #   UpdatePolicy:
  #     AutoScalingReplacingUpdate:
  #       WillReplace: 'true'
  # ContainerInstances:
  #   Type: 'AWS::AutoScaling::LaunchConfiguration'
  #   Properties:
  #     ImageId: !FindInMap 
  #       - AWSRegionToAMI
  #       - !Ref 'AWS::Region'
  #       - AMIID
  #     SecurityGroups:
  #       - !Ref EcsSecurityGroup
  #     InstanceType: !Ref InstanceType
  #     IamInstanceProfile: !Ref EC2InstanceProfile
  #     KeyName: !Ref KeyName
  #     UserData: !Base64 
  #       'Fn::Join':
  #         - ''
  #         - - |
  #             #!/bin/bash -xe
  #           - echo ECS_CLUSTER=
  #           - !Ref ECSCluster
  #           - |2
  #              >> /etc/ecs/ecs.config
  #           - |
  #             yum install -y aws-cfn-bootstrap
  #           - '/opt/aws/bin/cfn-signal -e $? '
  #           - '         --stack '
  #           - !Ref 'AWS::StackName'
  #           - '         --resource ECSAutoScalingGroup '
  #           - '         --region '
  #           - !Ref 'AWS::Region'
  #           - |+

  # service:
  #   Type: 'AWS::ECS::Service'
  #   DependsOn: ALBListener
  #   Properties:
  #     Cluster: !Ref ECSCluster
  #     DesiredCount: '1'
  #     LoadBalancers:
  #       - ContainerName: snyk-broker
  #         ContainerPort: '80'
  #         TargetGroupArn: !Ref ECSTG
  #     Role: !Ref ECSServiceRole
  #     TaskDefinition: !Ref taskdefinition
  ECSServiceRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: ecs-service
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'elasticloadbalancing:DeregisterInstancesFromLoadBalancer'
                  - 'elasticloadbalancing:DeregisterTargets'
                  - 'elasticloadbalancing:Describe*'
                  - 'elasticloadbalancing:RegisterInstancesWithLoadBalancer'
                  - 'elasticloadbalancing:RegisterTargets'
                  - 'ec2:Describe*'
                  - 'ec2:AuthorizeSecurityGroupIngress'
                Resource: '*'
  ServiceScalingTarget:
    Type: 'AWS::ApplicationAutoScaling::ScalableTarget'
    DependsOn: service
    Properties:
      MaxCapacity: 2
      MinCapacity: 1
      ResourceId: !Join 
        - ''
        - - service/
          - !Ref ECSCluster
          - /
          - !GetAtt 
            - service
            - Name
      RoleARN: !GetAtt 
        - AutoscalingRole
        - Arn
      ScalableDimension: 'ecs:service:DesiredCount'
      ServiceNamespace: ecs
  ServiceScalingPolicy:
    Type: 'AWS::ApplicationAutoScaling::ScalingPolicy'
    Properties:
      PolicyName: AStepPolicy
      PolicyType: StepScaling
      ScalingTargetId: !Ref ServiceScalingTarget
      StepScalingPolicyConfiguration:
        AdjustmentType: PercentChangeInCapacity
        Cooldown: 60
        MetricAggregationType: Average
        StepAdjustments:
          - MetricIntervalLowerBound: 0
            ScalingAdjustment: 200
  ALB500sAlarmScaleUp:
    Type: 'AWS::CloudWatch::Alarm'
    Properties:
      EvaluationPeriods: '1'
      Statistic: Average
      Threshold: '10'
      AlarmDescription: Alarm if our ALB generates too many HTTP 500s.
      Period: '60'
      AlarmActions:
        - !Ref ServiceScalingPolicy
      Namespace: AWS/ApplicationELB
      Dimensions:
        - Name: LoadBalancer
          Value: !GetAtt 
            - ECSALB
            - LoadBalancerFullName
      ComparisonOperator: GreaterThanThreshold
      MetricName: HTTPCode_ELB_5XX_Count
  EC2Role:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: ecs-service
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'ecs:CreateCluster'
                  - 'ecs:DeregisterContainerInstance'
                  - 'ecs:DiscoverPollEndpoint'
                  - 'ecs:Poll'
                  - 'ecs:RegisterContainerInstance'
                  - 'ecs:StartTelemetrySession'
                  - 'ecs:Submit*'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: '*'
  AutoscalingRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - application-autoscaling.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: service-autoscaling
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'application-autoscaling:*'
                  - 'cloudwatch:DescribeAlarms'
                  - 'cloudwatch:PutMetricAlarm'
                  - 'ecs:DescribeServices'
                  - 'ecs:UpdateService'
                Resource: '*'
  EC2InstanceProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Path: /
      Roles:
        - !Ref EC2Role
 Outputs:
  ecsservice:
    Value: !Ref service
  ecscluster:
    Value: !Ref ECSCluster
  ECSALB:
    Description: Your ALB DNS URL
    Value: !Join 
      - ''
      - - !GetAtt 
          - ECSALB
          - DNSName
  taskdef:
    Value: !Ref taskdefinition
	AWSTemplateFormatVersion: 2010-09-09
	Parameters:
	KeyName:
	Type: 'AWS::EC2::KeyPair::KeyName'
	Description: Name of an existing EC2 KeyPair to enable SSH access to the ECS instances.
	VpcId:
	Type: 'AWS::EC2::VPC::Id'
	Description: Select a VPC that allows instances to access the Internet.
	SubnetId:
	Type: 'List<AWS::EC2::Subnet::Id>'
	Description: Select at least two subnets in your selected VPC.
	DesiredCapacity:
	Type: Number
	Default: '1'
	Description: Number of instances to launch in your ECS cluster.
	MaxSize:
	Type: Number
	Default: '1'
	Description: Maximum number of instances that can be launched in your ECS cluster.
	InstanceType:
	Description: EC2 instance type
	Type: String
	Default: t2.micro
	AllowedValues:
	- t2.micro
	ConstraintDescription: Please choose a valid instance type.
	Mappings:
	AWSRegionToAMI:
	us-east-1:
	AMIID: ami-09bee01cc997a78a6
	Resources:
	ECSCluster:
	Type: 'AWS::ECS::Cluster'
	EcsSecurityGroup:
	Type: 'AWS::EC2::SecurityGroup'
	Properties:
	GroupDescription: ECS Security Group
	VpcId: !Ref VpcId
	EcsSecurityGroupHTTPinbound:
	Type: 'AWS::EC2::SecurityGroupIngress'
	Properties:
	GroupId: !Ref EcsSecurityGroup
	IpProtocol: tcp
	FromPort: 80
	ToPort: 80
	CidrIp: 0.0.0.0/0
	EcsSecurityGroupSSHinbound:
	Type: 'AWS::EC2::SecurityGroupIngress'
	Properties:
	GroupId: !Ref EcsSecurityGroup
	IpProtocol: tcp
	FromPort: 22
	ToPort: 22
	CidrIp: 0.0.0.0/0
	EcsSecurityGroupALBports:
	Type: 'AWS::EC2::SecurityGroupIngress'
	Properties:
	GroupId: !Ref EcsSecurityGroup
	IpProtocol: tcp
	FromPort: 31000
	ToPort: 61000
	SourceSecurityGroupId: !Ref EcsSecurityGroup
	CloudwatchLogsGroup:
	Type: 'AWS::Logs::LogGroup'
	Properties:
	LogGroupName: !Join
	- '-'
	- - ECSLogGroup
	- !Ref 'AWS::StackName'
	RetentionInDays: 7
	taskdefinition:
	Type: 'AWS::ECS::TaskDefinition'
	Properties:
	Family: !Join
	- ''
	- - !Ref 'AWS::StackName'
	- '-snyk-broker'
	ContainerDefinitions:
	- Name: snyk-code-agent
	Cpu: 10
	Image: 'snyk/code-agent:latest'
	Memory: 200
	Environment:
	- PORT: 7000
	- SNYK_TOKEN:
	PortMappings:
	- ContainerPort: 7000
	LogConfiguration:
	LogDriver: awslogs
	Options:
	awslogs-group: !Ref CloudwatchLogsGroup
	awslogs-region: !Ref 'AWS::Region'
	awslogs-stream-prefix: ecs-demo-app
	- Name: snyk-broker
	Cpu: '10'
	Essential: 'true'
	Image: 'snyk/broker:azure-repos'
	Memory: '300'
	Environment:
	- BROKER_TOKEN:
	- AZURE_REPOS_TOKEN:
	- AZURE_REPOS_ORG:
	- AZURE_REPOS_HOST:
	- BROKER_CLIENT_URL: 'http://snyk-broker:8000'
	- PORT: 8000
	- GIT_CLIENT_URL: 'http://snyk-code-agent:7000'
	LogConfiguration:
	LogDriver: awslogs
	Options:
	awslogs-group: !Ref CloudwatchLogsGroup
	awslogs-region: !Ref 'AWS::Region'
	awslogs-stream-prefix: snyk-broker
	PortMappings:
	- ContainerPort: 8000
	ECSALB:
	Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
	Properties:
	Name: ECSALB
	Scheme: internet-facing
	LoadBalancerAttributes:
	- Key: idle_timeout.timeout_seconds
	Value: '30'
	Subnets: !Ref SubnetId
	SecurityGroups:
	- !Ref EcsSecurityGroup
	ALBListener:
	Type: 'AWS::ElasticLoadBalancingV2::Listener'
	DependsOn: ECSServiceRole
	Properties:
	DefaultActions:
	- Type: forward
	TargetGroupArn: !Ref ECSTG
	LoadBalancerArn: !Ref ECSALB
	Port: '80'
	Protocol: HTTP
	ECSALBListenerRule:
	Type: 'AWS::ElasticLoadBalancingV2::ListenerRule'
	DependsOn: ALBListener
	Properties:
	Actions:
	- Type: forward
	TargetGroupArn: !Ref ECSTG
	Conditions:
	- Field: path-pattern
	Values:
	- /
	ListenerArn: !Ref ALBListener
	Priority: 1
	ECSTG:
	Type: 'AWS::ElasticLoadBalancingV2::TargetGroup'
	DependsOn: ECSALB
	Properties:
	HealthCheckIntervalSeconds: 10
	HealthCheckPath: /
	HealthCheckProtocol: HTTP
	HealthCheckTimeoutSeconds: 5
	HealthyThresholdCount: 2
	Name: ECSTG
	Port: 80
	Protocol: HTTP
	UnhealthyThresholdCount: 2
	VpcId: !Ref VpcId
	# ECSAutoScalingGroup:
	# Type: 'AWS::AutoScaling::AutoScalingGroup'
	# Properties:
	# VPCZoneIdentifier: !Ref SubnetId
	# LaunchConfigurationName: !Ref ContainerInstances
	# MinSize: '1'
	# MaxSize: !Ref MaxSize
	# DesiredCapacity: !Ref DesiredCapacity
	# CreationPolicy:
	# ResourceSignal:
	# Timeout: PT15M
	# UpdatePolicy:
	# AutoScalingReplacingUpdate:
	# WillReplace: 'true'
	# ContainerInstances:
	# Type: 'AWS::AutoScaling::LaunchConfiguration'
	# Properties:
	# ImageId: !FindInMap
	# - AWSRegionToAMI
	# - !Ref 'AWS::Region'
	# - AMIID
	# SecurityGroups:
	# - !Ref EcsSecurityGroup
	# InstanceType: !Ref InstanceType
	# IamInstanceProfile: !Ref EC2InstanceProfile
	# KeyName: !Ref KeyName
	# UserData: !Base64
	# 'Fn::Join':
	# - ''
	# - - \|
	# #!/bin/bash -xe
	# - echo ECS_CLUSTER=
	# - !Ref ECSCluster
	# - \|2
	# >> /etc/ecs/ecs.config
	# - \|
	# yum install -y aws-cfn-bootstrap
	# - '/opt/aws/bin/cfn-signal -e $? '
	# - ' --stack '
	# - !Ref 'AWS::StackName'
	# - ' --resource ECSAutoScalingGroup '
	# - ' --region '
	# - !Ref 'AWS::Region'
	# - \|+

	# service:
	# Type: 'AWS::ECS::Service'
	# DependsOn: ALBListener
	# Properties:
	# Cluster: !Ref ECSCluster
	# DesiredCount: '1'
	# LoadBalancers:
	# - ContainerName: snyk-broker
	# ContainerPort: '80'
	# TargetGroupArn: !Ref ECSTG
	# Role: !Ref ECSServiceRole
	# TaskDefinition: !Ref taskdefinition
	ECSServiceRole:
	Type: 'AWS::IAM::Role'
	Properties:
	AssumeRolePolicyDocument:
	Statement:
	- Effect: Allow
	Principal:
	Service:
	- ecs.amazonaws.com
	Action:
	- 'sts:AssumeRole'
	Path: /
	Policies:
	- PolicyName: ecs-service
	PolicyDocument:
	Statement:
	- Effect: Allow
	Action:
	- 'elasticloadbalancing:DeregisterInstancesFromLoadBalancer'
	- 'elasticloadbalancing:DeregisterTargets'
	- 'elasticloadbalancing:Describe*'
	- 'elasticloadbalancing:RegisterInstancesWithLoadBalancer'
	- 'elasticloadbalancing:RegisterTargets'
	- 'ec2:Describe*'
	- 'ec2:AuthorizeSecurityGroupIngress'
	Resource: '*'
	ServiceScalingTarget:
	Type: 'AWS::ApplicationAutoScaling::ScalableTarget'
	DependsOn: service
	Properties:
	MaxCapacity: 2
	MinCapacity: 1
	ResourceId: !Join
	- ''
	- - service/
	- !Ref ECSCluster
	- /
	- !GetAtt
	- service
	- Name
	RoleARN: !GetAtt
	- AutoscalingRole
	- Arn
	ScalableDimension: 'ecs:service:DesiredCount'
	ServiceNamespace: ecs
	ServiceScalingPolicy:
	Type: 'AWS::ApplicationAutoScaling::ScalingPolicy'
	Properties:
	PolicyName: AStepPolicy
	PolicyType: StepScaling
	ScalingTargetId: !Ref ServiceScalingTarget
	StepScalingPolicyConfiguration:
	AdjustmentType: PercentChangeInCapacity
	Cooldown: 60
	MetricAggregationType: Average
	StepAdjustments:
	- MetricIntervalLowerBound: 0
	ScalingAdjustment: 200
	ALB500sAlarmScaleUp:
	Type: 'AWS::CloudWatch::Alarm'
	Properties:
	EvaluationPeriods: '1'
	Statistic: Average
	Threshold: '10'
	AlarmDescription: Alarm if our ALB generates too many HTTP 500s.
	Period: '60'
	AlarmActions:
	- !Ref ServiceScalingPolicy
	Namespace: AWS/ApplicationELB
	Dimensions:
	- Name: LoadBalancer
	Value: !GetAtt
	- ECSALB
	- LoadBalancerFullName
	ComparisonOperator: GreaterThanThreshold
	MetricName: HTTPCode_ELB_5XX_Count
	EC2Role:
	Type: 'AWS::IAM::Role'
	Properties:
	AssumeRolePolicyDocument:
	Statement:
	- Effect: Allow
	Principal:
	Service:
	- ec2.amazonaws.com
	Action:
	- 'sts:AssumeRole'
	Path: /
	Policies:
	- PolicyName: ecs-service
	PolicyDocument:
	Statement:
	- Effect: Allow
	Action:
	- 'ecs:CreateCluster'
	- 'ecs:DeregisterContainerInstance'
	- 'ecs:DiscoverPollEndpoint'
	- 'ecs:Poll'
	- 'ecs:RegisterContainerInstance'
	- 'ecs:StartTelemetrySession'
	- 'ecs:Submit*'
	- 'logs:CreateLogStream'
	- 'logs:PutLogEvents'
	Resource: '*'
	AutoscalingRole:
	Type: 'AWS::IAM::Role'
	Properties:
	AssumeRolePolicyDocument:
	Statement:
	- Effect: Allow
	Principal:
	Service:
	- application-autoscaling.amazonaws.com
	Action:
	- 'sts:AssumeRole'
	Path: /
	Policies:
	- PolicyName: service-autoscaling
	PolicyDocument:
	Statement:
	- Effect: Allow
	Action:
	- 'application-autoscaling:*'
	- 'cloudwatch:DescribeAlarms'
	- 'cloudwatch:PutMetricAlarm'
	- 'ecs:DescribeServices'
	- 'ecs:UpdateService'
	Resource: '*'
	EC2InstanceProfile:
	Type: 'AWS::IAM::InstanceProfile'
	Properties:
	Path: /
	Roles:
	- !Ref EC2Role
	Outputs:
	ecsservice:
	Value: !Ref service
	ecscluster:
	Value: !Ref ECSCluster
	ECSALB:
	Description: Your ALB DNS URL
	Value: !Join
	- ''
	- - !GetAtt
	- ECSALB
	- DNSName
	taskdef:
	Value: !Ref taskdefinition