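Description: 'This template will deploy complete Hasura Setup on to ECS along with connection to Aurora Serverless PostgreSQL Cluster.'
Parameters:
  DBMasterUsername:
    Description: 'The username that will be used for the root admin user in PostgreSQL'
    Type: String
  DBMasterUserPassword:
    Description: 'The password that will be used alongside the root admin username'
    Type: String
    # Keep the value out of DescribeStacks output, stack events and the console.
    NoEcho: true
  DBName:
    Description: 'The name of the PostgreSQL database'
    Type: String
  DockerImage:
    Description: 'Name and tag of the Hasura Docker Image'
    Type: String
    # No tag means the latest image is pulled on every deploy; pin a tag for
    # reproducible rollouts.
    Default: 'hasura/graphql-engine'
  APIName:
    Description: The name of the ECS Service.
    Type: String
    Default: 'HasuraGraphQLAPI'
  ContainerPort:
    Description: 'Hasura exposes stuff over 8080. We need to tell this to the container definition.'
    Type: Number
    Default: 8080
  LoadBalancerPort:
    Description: 'The load balancer accepts traffic on the port 80.'
    Type: Number
    Default: 80
  HealthCheckPath:
    Description: 'The Health check path. Hasura exposes /healthz as a health check path. Used on the LoadBalancing Target group.'
    Type: String
    Default: /healthz
  MinContainers:
    Description: 'for autoscaling'
    Type: Number
    Default: 1
  MaxContainers:
    Description: 'for autoscaling'
    Type: Number
    Default: 10
  AutoScalingTargetValue:
    Description: 'target CPU utilization (%)'
    Type: Number
    Default: 80
  HasuraAccessKey:
    Description: 'The console should have an access key for basic security.'
    Type: String
    # This is the only credential guarding the admin console and metadata APIs;
    # never echo it back through the stack API.
    NoEcho: true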
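Resources:
  # --- Networking: one VPC with a public and a private subnet in each of three AZs ---
  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpc.html
  VPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: '10.0.0.0/16'
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: !Sub '${APIName}-VPC'
  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-internetgateway.html
  InternetGateway:
    Type: 'AWS::EC2::InternetGateway'
    Properties:
      Tags:
        - Key: Name
          Value: !Sub '${APIName}-InternetGateway'
  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpc-gateway-attachment.html
  VPCGatewayAttachment:
    Type: 'AWS::EC2::VPCGatewayAttachment'
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet.html
  # Public subnets auto-assign public IPs and get a default route to the Internet
  # Gateway below. The private subnets get no Internet route at all (no NAT gateway
  # is defined in this template) and no resource below is placed in them.
  SubnetAPublic:
    Type: 'AWS::EC2::Subnet'
    Properties:
      # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getavailabilityzones.html
      # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-select.html
      AvailabilityZone: !Select [0, !GetAZs '']
      CidrBlock: '10.0.0.0/20'
      MapPublicIpOnLaunch: true
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub '${APIName}-Subnet-A-Public'
        - Key: Reach
          Value: public
  SubnetAPrivate:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select [0, !GetAZs '']
      CidrBlock: '10.0.16.0/20'
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub '${APIName}-Subnet-A-Private'
        - Key: Reach
          Value: private
  SubnetBPublic:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select [1, !GetAZs '']
      CidrBlock: '10.0.32.0/20'
      MapPublicIpOnLaunch: true
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub '${APIName}-Subnet-B-Public'
        - Key: Reach
          Value: public
  SubnetBPrivate:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select [1, !GetAZs '']
      CidrBlock: '10.0.48.0/20'
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub '${APIName}-Subnet-B-Private'
        - Key: Reach
          Value: private
  SubnetCPublic:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select [2, !GetAZs '']
      CidrBlock: '10.0.64.0/20'
      MapPublicIpOnLaunch: true
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub '${APIName}-Subnet-C-Public'
        - Key: Reach
          Value: public
  SubnetCPrivate:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select [2, !GetAZs '']
      CidrBlock: '10.0.80.0/20'
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub '${APIName}-Subnet-C-Private'
        - Key: Reach
          Value: private
  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-route-table.html
  RouteTableAPublic:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub '${APIName}-Route-Table-Public-A'
  RouteTableAPrivate:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub '${APIName}-Route-Table-Private-A'
  RouteTableBPublic:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub '${APIName}-Route-Table-Public-B'
  RouteTableBPrivate:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub '${APIName}-Route-Table-Private-B'
  RouteTableCPublic:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub '${APIName}-Route-Table-Public-C'
  RouteTableCPrivate:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub '${APIName}-Route-Table-Private-C'
  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet-route-table-assoc.html
  RouteTableAssociationAPublic:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetAPublic
      RouteTableId: !Ref RouteTableAPublic
  RouteTableAssociationAPrivate:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetAPrivate
      RouteTableId: !Ref RouteTableAPrivate
  RouteTableAssociationBPublic:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetBPublic
      RouteTableId: !Ref RouteTableBPublic
  RouteTableAssociationBPrivate:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetBPrivate
      RouteTableId: !Ref RouteTableBPrivate
  RouteTableAssociationCPublic:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetCPublic
      RouteTableId: !Ref RouteTableCPublic
  RouteTableAssociationCPrivate:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetCPrivate
      RouteTableId: !Ref RouteTableCPrivate
  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-route.html
  # The routes must not be created before the gateway is attached, hence DependsOn.
  RouteTableAPublicInternetRoute:
    Type: 'AWS::EC2::Route'
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTableAPublic
      DestinationCidrBlock: '0.0.0.0/0'
      GatewayId: !Ref InternetGateway
  RouteTablePublicBInternetRoute:
    Type: 'AWS::EC2::Route'
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTableBPublic
      DestinationCidrBlock: '0.0.0.0/0'
      GatewayId: !Ref InternetGateway
  RouteTablePublicCInternetRoute:
    Type: 'AWS::EC2::Route'
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTableCPublic
      DestinationCidrBlock: '0.0.0.0/0'
      GatewayId: !Ref InternetGateway
  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-acl.html
  NetworkAclPublic:
    Type: 'AWS::EC2::NetworkAcl'
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub '${APIName}-Public-Network-ACL'
  NetworkAclPrivate:
    Type: 'AWS::EC2::NetworkAcl'
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub '${APIName}-Private-Network-ACL'
  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet-network-acl-assoc.html
  SubnetNetworkAclAssociationAPublic:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref SubnetAPublic
      NetworkAclId: !Ref NetworkAclPublic
  SubnetNetworkAclAssociationAPrivate:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref SubnetAPrivate
      NetworkAclId: !Ref NetworkAclPrivate
  SubnetNetworkAclAssociationBPublic:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref SubnetBPublic
      NetworkAclId: !Ref NetworkAclPublic
  SubnetNetworkAclAssociationBPrivate:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref SubnetBPrivate
      NetworkAclId: !Ref NetworkAclPrivate
  SubnetNetworkAclAssociationCPublic:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref SubnetCPublic
      NetworkAclId: !Ref NetworkAclPublic
  SubnetNetworkAclAssociationCPrivate:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref SubnetCPrivate
      NetworkAclId: !Ref NetworkAclPrivate
  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-acl-entry.html
  # All four ACL entries are allow-all in both directions; the security groups below
  # are the only effective network filter.
  NetworkAclEntryInPublicAllowAll:
    Type: 'AWS::EC2::NetworkAclEntry'
    Properties:
      NetworkAclId: !Ref NetworkAclPublic
      RuleNumber: 99
      Protocol: -1
      RuleAction: allow
      Egress: false
      CidrBlock: '0.0.0.0/0'
  NetworkAclEntryOutPublicAllowAll:
    Type: 'AWS::EC2::NetworkAclEntry'
    Properties:
      NetworkAclId: !Ref NetworkAclPublic
      RuleNumber: 99
      Protocol: -1
      RuleAction: allow
      Egress: true
      CidrBlock: '0.0.0.0/0'
  # NOTE(review): named "AllowVPC" but the CIDR is 0.0.0.0/0, i.e. allow-all, not
  # VPC-only. Harmless while the private subnets are unused; tighten to the VPC
  # CIDR (10.0.0.0/16) if they ever host something.
  NetworkAclEntryInPrivateAllowVPC:
    Type: 'AWS::EC2::NetworkAclEntry'
    Properties:
      NetworkAclId: !Ref NetworkAclPrivate
      RuleNumber: 99
      Protocol: -1
      RuleAction: allow
      Egress: false
      CidrBlock: '0.0.0.0/0'
  NetworkAclEntryOutPrivateAllowVPC:
    Type: 'AWS::EC2::NetworkAclEntry'
    Properties:
      NetworkAclId: !Ref NetworkAclPrivate
      RuleNumber: 99
      Protocol: -1
      RuleAction: allow
      Egress: true
      CidrBlock: '0.0.0.0/0'
  # --- Security groups: Internet -> LoadBalancerSecurityGroup -> EC2SecurityGroup -> DBSSecurityGroup ---
  # Database: PostgreSQL (5432) only from members of EC2SecurityGroup (the Fargate tasks).
  DBSSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupName: !Sub '${APIName}-RDS-SecurityGroup'
      GroupDescription: !Sub 'Security group to control access to RDS PostgreSQL instance inside the ${APIName} API stack VPC'
      VpcId: !Ref 'VPC'
      SecurityGroupIngress:
        - IpProtocol: 'tcp'
          SourceSecurityGroupId: !Ref 'EC2SecurityGroup'
          FromPort: 5432
          ToPort: 5432
      Tags:
        - Key: 'Name'
          Value: !Sub '${APIName}-RDS-SecurityGroup'
  # Listed in the order traffic flows in from the Internet. This group is attached to
  # the internet-facing load balancer.
  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html
  # NOTE(review): 443 is opened here, but this template defines only an HTTP listener
  # (ListenerHTTP on LoadBalancerPort). Until an HTTPS listener with a certificate is
  # added, the admin console and HasuraAccessKey travel over plaintext HTTP.
  LoadBalancerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub '${APIName}-ELB-SecurityGroup'
      GroupDescription: !Sub 'Security group to control external access to the load balancer. ${APIName}'
      VpcId: !Ref 'VPC'
      SecurityGroupIngress:
        - IpProtocol: 'tcp'
          FromPort: 443
          ToPort: 443
          CidrIp: '0.0.0.0/0'
        - IpProtocol: 'tcp'
          FromPort: 80
          ToPort: 80
          CidrIp: '0.0.0.0/0'
        - IpProtocol: 'tcp'
          FromPort: 443
          ToPort: 443
          CidrIpv6: '::/0'
        - IpProtocol: 'tcp'
          FromPort: 80
          ToPort: 80
          CidrIpv6: '::/0'
      Tags:
        - Key: 'Name'
          Value: !Sub '${APIName}-ELB-SecurityGroup'
  # Attached to the Fargate tasks: only the load balancer may reach them. Port 80 is
  # allowed for convenience; the task definition below maps only ContainerPort.
  EC2SecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupName: !Sub '${APIName}-EC2-SecurityGroup'
      GroupDescription: !Sub 'Security group to control access to an EC2 instance inside the ${APIName} stack VPC'
      VpcId: !Ref 'VPC'
      SecurityGroupIngress:
        - IpProtocol: 'tcp'
          SourceSecurityGroupId: !Ref 'LoadBalancerSecurityGroup'
          FromPort: 8080
          ToPort: 8080
        - IpProtocol: 'tcp'
          SourceSecurityGroupId: !Ref 'LoadBalancerSecurityGroup'
          FromPort: 80
          ToPort: 80
      Tags:
        - Key: 'Name'
          Value: !Sub '${APIName}-EC2-SecurityGroup'
  # --- Database: Aurora Serverless PostgreSQL ---
  # The cluster is placed in the public subnets (the private ones have no NAT and are
  # unused); reachability is limited by DBSSecurityGroup.
  # NOTE(review): the fixed DBSubnetGroupName means two copies of this stack cannot
  # coexist in one region. Changing it replaces the subnet group, so do it on a fresh
  # stack, not on an in-place update.
  RDSSubnetGroup:
    Type: 'AWS::RDS::DBSubnetGroup'
    Properties:
      DBSubnetGroupDescription: 'Subnet RDS Subnet group.'
      DBSubnetGroupName: 'rds-subnetgroup'
      SubnetIds:
        - !Ref 'SubnetAPublic'
        - !Ref 'SubnetBPublic'
        - !Ref 'SubnetCPublic'
  # https://dev.classmethod.jp/cloud/aws/cloudformation-aurora-postgresql/
  AuroraClusterParameterGroup:
    Type: 'AWS::RDS::DBClusterParameterGroup'
    Properties:
      Description: 'Parameter group for DB Cluster'
      Family: 'aurora-postgresql10'
      Parameters:
        client_encoding: UTF8
  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html
  AuroraCluster:
    DependsOn: RDSSubnetGroup
    Type: 'AWS::RDS::DBCluster'
    Properties:
      Engine: 'aurora-postgresql'
      EngineVersion: '10.7'
      EngineMode: 'serverless'
      DBClusterIdentifier: !Sub '${APIName}-Database-Cluster'
      DatabaseName: !Ref 'DBName'
      DBClusterParameterGroupName: !Ref 'AuroraClusterParameterGroup'
      DBSubnetGroupName: !Ref 'RDSSubnetGroup'
      MasterUsername: !Ref 'DBMasterUsername'
      MasterUserPassword: !Ref 'DBMasterUserPassword'
      Port: 5432
      # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbcluster-scalingconfiguration.html
      ScalingConfiguration:
        AutoPause: false
        MaxCapacity: 32
        MinCapacity: 2
      VpcSecurityGroupIds:
        - !Ref 'DBSSecurityGroup'
  # --- Compute: ECS on Fargate ---
  Cluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: !Join ['-', [!Ref APIName, Cluster]]
  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    # Makes sure the log group is created before it is used.
    DependsOn: LogGroup
    Properties:
      # Name of the task definition. Subsequent versions of the task definition are grouped together under this name.
      Family: !Join ['-', [!Ref APIName, TaskDefinition]]
      # awsvpc is required for Fargate
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      # 256 (.25 vCPU) - Available memory values: 0.5GB, 1GB, 2GB
      # 512 (.5 vCPU) - Available memory values: 1GB, 2GB, 3GB, 4GB
      # 1024 (1 vCPU) - Available memory values: 2GB, 3GB, 4GB, 5GB, 6GB, 7GB, 8GB
      # 2048 (2 vCPU) - Available memory values: Between 4GB and 16GB in 1GB increments
      # 4096 (4 vCPU) - Available memory values: Between 8GB and 30GB in 1GB increments
      Cpu: 4096
      # 0.5GB, 1GB, 2GB - Available cpu values: 256 (.25 vCPU)
      # 1GB, 2GB, 3GB, 4GB - Available cpu values: 512 (.5 vCPU)
      # 2GB, 3GB, 4GB, 5GB, 6GB, 7GB, 8GB - Available cpu values: 1024 (1 vCPU)
      # Between 4GB and 16GB in 1GB increments - Available cpu values: 2048 (2 vCPU)
      # Between 8GB and 30GB in 1GB increments - Available cpu values: 4096 (4 vCPU)
      Memory: 8GB
      # A role needed by ECS.
      # "The ARN of the task execution role that containers in this task can assume. All containers in this task are granted the permissions that are specified in this role."
      # "There is an optional task execution IAM role that you can specify with Fargate to allow your Fargate tasks to make API calls to Amazon ECR."
      ExecutionRoleArn: !Ref ExecutionRole
      # "The Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) role that grants containers in the task permission to call AWS APIs on your behalf."
      TaskRoleArn: !Ref TaskRole
      ContainerDefinitions:
        - Name: !Ref APIName
          Image: !Ref DockerImage
          PortMappings:
            - ContainerPort: !Ref ContainerPort
          # --enable-console serves the admin UI from the same (internet-facing) endpoint;
          # HasuraAccessKey is the only thing gating it.
          Command:
            - 'graphql-engine'
            - 'serve'
            - '--enable-console'
          # NOTE(review): every value below is a plaintext environment variable in the
          # task definition, readable by anyone with ecs:DescribeTaskDefinition. Move the
          # DB password and the access key to the container's `Secrets` property backed
          # by Secrets Manager / SSM before using this in production.
          Environment:
            - Name: 'HASURA_GRAPHQL_DATABASE_URL'
              # PostgreSQL connection string assembled from the parameters and the
              # cluster's endpoint. The password is not URL-encoded, so characters such
              # as '@', ':' or '/' in it will break the URL.
              Value: !Sub 'postgres://${DBMasterUsername}:${DBMasterUserPassword}@${AuroraCluster.Endpoint.Address}:${AuroraCluster.Endpoint.Port}/${DBName}'
            - Name: 'HASURA_GRAPHQL_PG_TIMEOUT'
              Value: '30'
            # metadata and pgdump are admin-only APIs but are reachable on the public
            # listener; drop pgdump/developer here if they are not needed.
            - Name: 'HASURA_GRAPHQL_ENABLED_APIS'
              Value: 'metadata,graphql,pgdump,developer'
            # NOTE(review): Hasura renamed this setting to HASURA_GRAPHQL_ADMIN_SECRET in
            # v1.0; confirm the image tag in use still honours the old name.
            - Name: 'HASURA_GRAPHQL_ACCESS_KEY'
              Value: !Ref 'HasuraAccessKey'
          # Send logs to CloudWatch Logs
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-region: !Ref AWS::Region
              awslogs-group: !Ref LogGroup
              awslogs-stream-prefix: ecs
  # A role needed by ECS
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Join ['-', [!Ref APIName, ExecutionRole]]
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy'
  # A role for the containers. No policies are attached, so the Hasura container
  # holds no AWS permissions of its own.
  TaskRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Join ['-', [!Ref APIName, TaskRole]]
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: 'sts:AssumeRole'
  # A role needed for auto scaling
  # NOTE(review): the trust policy names ecs-tasks.amazonaws.com, yet the role is handed
  # to Application Auto Scaling (AutoScalingTarget.RoleARN); confirm the service can
  # actually assume it, or rely on its service-linked role instead.
  AutoScalingRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Join ['-', [!Ref APIName, AutoScalingRole]]
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceAutoscaleRole'
  Service:
    Type: AWS::ECS::Service
    # This dependency is needed so that the load balancer is setup correctly in time
    DependsOn:
      - ListenerHTTP
    Properties:
      ServiceName: !Ref APIName
      Cluster: !Ref Cluster
      TaskDefinition: !Ref TaskDefinition
      DeploymentConfiguration:
        MinimumHealthyPercent: 100
        MaximumPercent: 200
      DesiredCount: 2
      # This may need to be adjusted if the container takes a while to start up
      HealthCheckGracePeriodSeconds: 120
      LaunchType: FARGATE
      NetworkConfiguration:
        AwsvpcConfiguration:
          # Tasks sit in the public subnets and need a public IP to pull the image,
          # since there is no NAT gateway. Change to DISABLED if you're using private
          # subnets that have access to a NAT gateway.
          AssignPublicIp: ENABLED
          Subnets:
            - !Ref 'SubnetAPublic'
            - !Ref 'SubnetBPublic'
            - !Ref 'SubnetCPublic'
          SecurityGroups:
            - !Ref 'EC2SecurityGroup'
      LoadBalancers:
        - ContainerName: !Ref APIName
          ContainerPort: !Ref ContainerPort
          TargetGroupArn: !Ref TargetGroup
  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      HealthCheckIntervalSeconds: 10
      # will look for a 200 status code by default unless specified otherwise
      HealthCheckPath: !Ref HealthCheckPath
      HealthCheckTimeoutSeconds: 5
      UnhealthyThresholdCount: 2
      HealthyThresholdCount: 2
      Name: !Join ['-', [!Ref APIName, TargetGroup]]
      Port: !Ref ContainerPort
      Protocol: HTTP
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: 60  # default is 300
      TargetType: ip
      VpcId: !Ref VPC
  # Plain HTTP listener; this is the only listener in the template (see the note on
  # LoadBalancerSecurityGroup).
  ListenerHTTP:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - TargetGroupArn: !Ref TargetGroup
          Type: forward
      LoadBalancerArn: !Ref LoadBalancer
      Port: !Ref LoadBalancerPort
      Protocol: HTTP
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      LoadBalancerAttributes:
        # this is the default, but is specified here in case it needs to be changed
        - Key: idle_timeout.timeout_seconds
          Value: 360
      Name: !Join ['-', [!Ref APIName, LoadBalancer]]
      # "internal" is also an option
      Scheme: internet-facing
      SecurityGroups:
        - !Ref 'LoadBalancerSecurityGroup'
      # Only AZs B and C; tasks in SubnetAPublic are still reachable through the VPC.
      Subnets:
        - !Ref 'SubnetBPublic'
        - !Ref 'SubnetCPublic'
  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Join ['', [/ecs/, !Ref APIName, TaskDefinition]]
  # --- Auto scaling of the service's DesiredCount on average CPU ---
  AutoScalingTarget:
    Type: AWS::ApplicationAutoScaling::ScalableTarget
    Properties:
      MinCapacity: !Ref MinContainers
      MaxCapacity: !Ref MaxContainers
      ResourceId: !Join ['/', [service, !Ref Cluster, !GetAtt Service.Name]]
      ScalableDimension: ecs:service:DesiredCount
      ServiceNamespace: ecs
      # "The Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) role that allows Application Auto Scaling to modify your scalable target."
      RoleARN: !GetAtt AutoScalingRole.Arn
  AutoScalingPolicy:
    Type: AWS::ApplicationAutoScaling::ScalingPolicy
    Properties:
      PolicyName: !Join ['-', [!Ref APIName, AutoScalingPolicy]]
      PolicyType: TargetTrackingScaling
      ScalingTargetId: !Ref AutoScalingTarget
      TargetTrackingScalingPolicyConfiguration:
        PredefinedMetricSpecification:
          PredefinedMetricType: ECSServiceAverageCPUUtilization
        ScaleInCooldown: 10
        ScaleOutCooldown: 10
        # Keep average CPU at or below AutoScalingTargetValue (default 80%).
        TargetValue: !Ref AutoScalingTargetValue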
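Outputs:
  # Exported under the stack name so other stacks can import the network pieces.
  AZA:
    Description: 'AZ of A'
    Value: !Select [0, !GetAZs '']
    Export:
      Name: !Sub '${AWS::StackName}-AZA'
  SubnetAPublic:
    Description: 'Subnet A public.'
    Value: !Ref SubnetAPublic
    Export:
      Name: !Sub '${AWS::StackName}-SubnetAPublic'
  SubnetBPublic:
    Description: 'Subnet B public.'
    Value: !Ref SubnetBPublic
    Export:
      Name: !Sub '${AWS::StackName}-SubnetBPublic'
  SubnetCPublic:
    Description: 'Subnet C public.'
    Value: !Ref SubnetCPublic
    Export:
      Name: !Sub '${AWS::StackName}-SubnetCPublic'
  EC2SecurityGroupID:
    Description: 'The ID of the EC2 Security group'
    Value: !GetAtt EC2SecurityGroup.GroupId
    Export:
      Name: !Sub '${AWS::StackName}-EC2-ID'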