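AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  Backstage Application and ECS Cluster Service

# Review notes (security):
# - PgPassword, AuthGoogleClientSecret and ServerlessOpsAuthClientSecret are
#   injected below as plain-text container environment variables. `NoEcho`
#   only masks them in the CloudFormation API/console; anyone with
#   ecs:DescribeTaskDefinition on the account can still read them. Prefer
#   passing SSM SecureString / Secrets Manager ARNs and wiring them through the
#   container definition's `Secrets` (ValueFrom) list instead of `Environment`.
#   That change alters the meaning of the three parameters, so it is left to a
#   deliberate follow-up rather than done silently here.
# - The image is referenced by a mutable tag (ContainerTag). Pinning by digest
#   (`...@sha256:<digest>`) is the supply-chain-safe option once the release
#   process can supply one.

Parameters:
  Domain:
    Type: String
    Description: 'Application Platform'
  System:
    Type: String
    Description: 'Application System'
  Component:
    Type: String
    Description: 'Application Component'
  CodeBranch:
    Type: String
    Description: 'Name of deployment branch'
  ClusterName:
    Type: AWS::SSM::Parameter::Value<String>
    Description: Name of ECS cluster
  ClusterTaskIamRoleArn:
    Type: AWS::SSM::Parameter::Value<String>
    # This is the *execution* role (image pull, log delivery), shared by the
    # cluster; the per-service task role is created below as TaskIamRole.
    Description: IAM role ARN for ECS task execution operations.
  ClusterAlbListenerArn:
    Type: AWS::SSM::Parameter::Value<String>
    # Assumed to be an HTTPS listener; the target group below speaks plain
    # HTTP to the task, so TLS must terminate at the ALB - confirm.
    Description: ARN of the shared ALB listener that receives this service's routing rule
  ClusterSecurityGroupId:
    Type: AWS::SSM::Parameter::Value<String>
    # Tasks get a public IP (see Service.NetworkConfiguration); this group is
    # the only thing keeping ContainerPort from being reachable directly.
    # It should admit ContainerPort from the ALB security group only.
    Description: ID of cluster security group
  ContainerRepo:
    Type: String
    Description: ECR repository name
  ContainerOrg:
    Type: String
    Description: ECR organization name
  ContainerImage:
    Type: String
    Description: Container image
  ContainerTag:
    Type: String
    Description: Container tag
  ContainerCpu:
    Type: Number
    Description: Container CPU allocation units. 1024 is 1 CPU. Value may equal fraction of a CPU.
  ContainerMemory:
    Type: Number
    Description: Container memory in megabytes
  ContainerDesiredCount:
    Type: Number
    Description: How many copies of the service task to run
  ContainerPort:
    Type: Number
    Description: Port container will listen on
  AlbRulePriority:
    Type: Number
    Description: The priority for the routing rule added to the load balancer.
  AlbRulePath:
    Type: String
    Description: A path on the public load balancer that this service
      should be connected to. Use * to send all load balancer
      traffic to this service.
  VpcId:
    Type: AWS::SSM::Parameter::Value<String>
    Description: Account VPC ID
  VpcSubnets:
    Type: AWS::SSM::Parameter::Value<CommaDelimitedList>
    Description: Account subnets

  # Backstage Application Configuration parameters
  PgHost:
    Type: String
    Description: PostgreSQL host
  PgPort:
    Type: String
    Description: PostgreSQL port
  PgUser:
    Type: String
    Description: PostgreSQL user
  PgPassword:
    Type: String
    Description: PostgreSQL password
    # NoEcho hides the value from stack describe/console output only; it is
    # still written in clear into the task definition (see Environment below).
    NoEcho: true
  AuthGoogleClientId:
    Type: String
    Description: Google OAuth client ID
    NoEcho: true
  AuthGoogleClientSecret:
    Type: String
    Description: Google OAuth client secret
    # See the NoEcho caveat on PgPassword.
    NoEcho: true
  BackstageAppUrl:
    Type: String
    Description: URL of application frontend
  BackstageBackendUrl:
    Type: String
    Description: URL of application backend
  ServerlessOpsCatalogApiUrl:
    Type: String
    Description: ServerlessOps catalog API URL
  ServerlessOpsAuthEndpoint:
    Type: String
    Description: ServerlessOps auth endpoint
  ServerlessOpsAuthClientId:
    Type: String
    Description: ServerlessOps auth client ID
  ServerlessOpsAuthClientSecret:
    Type: String
    Description: ServerlessOps auth client secret
    # See the NoEcho caveat on PgPassword.
    NoEcho: true

Resources:
  # Fargate task definition for the single Backstage container.
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      RuntimePlatform:
        CpuArchitecture: X86_64
        OperatingSystemFamily: LINUX
      Family: !Sub ${Component}-${CodeBranch}
      Cpu: !Ref ContainerCpu
      Memory: !Ref ContainerMemory
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      # Shared cluster role used by the ECS agent (ECR pull, CloudWatch Logs).
      ExecutionRoleArn: !Ref ClusterTaskIamRoleArn
      # Per-service role assumed by the application itself (empty, see below).
      TaskRoleArn: !Ref TaskIamRole
      ContainerDefinitions:
        - Name: !Ref Component
          # Mutable tag; see the supply-chain note at the top of the file.
          Image: !Sub '${ContainerRepo}/${ContainerOrg}/${ContainerImage}:${ContainerTag}'
          PortMappings:
            - ContainerPort: !Ref ContainerPort
          # Everything in this list is stored in clear in the task definition
          # revision and is visible to ecs:DescribeTaskDefinition. The three
          # *_PASSWORD / *_SECRET entries should move to `Secrets:` with a
          # `ValueFrom` SSM SecureString or Secrets Manager ARN; the execution
          # role then needs ssm:GetParameters / secretsmanager:GetSecretValue
          # (and kms:Decrypt for a CMK) on those resources.
          Environment:
            - Name: POSTGRES_HOST
              Value: !Ref PgHost
            - Name: POSTGRES_PORT
              Value: !Ref PgPort
            - Name: POSTGRES_USER
              Value: !Ref PgUser
            - Name: POSTGRES_PASSWORD  # secret in clear text - see note above
              Value: !Ref PgPassword
            - Name: AUTH_GOOGLE_CLIENT_ID
              Value: !Ref AuthGoogleClientId
            - Name: AUTH_GOOGLE_CLIENT_SECRET  # secret in clear text - see note above
              Value: !Ref AuthGoogleClientSecret
            - Name: BACKSTAGE_APP_URL
              Value: !Ref BackstageAppUrl
            - Name: BACKSTAGE_BACKEND_URL
              Value: !Ref BackstageBackendUrl
            - Name: BACKSTAGE_BACKEND_PORT
              # Number parameter; CloudFormation renders the Ref as a string.
              Value: !Ref ContainerPort
            - Name: SERVERLESSOPS_CATALOG_API_URL
              Value: !Ref ServerlessOpsCatalogApiUrl
            - Name: SERVERLESSOPS_AUTH_ENDPOINT
              Value: !Ref ServerlessOpsAuthEndpoint
            - Name: SERVERLESSOPS_AUTH_CLIENT_ID
              Value: !Ref ServerlessOpsAuthClientId
            - Name: SERVERLESSOPS_AUTH_CLIENT_SECRET  # secret in clear text - see note above
              Value: !Ref ServerlessOpsAuthClientSecret
          LogConfiguration:
            LogDriver: awslogs
            Options:
              # Options is a map of strings; quote the flag so a YAML boolean
              # is never sent. Creating the group at task start requires
              # logs:CreateLogGroup on the execution role
              # (ClusterTaskIamRoleArn). A pre-created group with a retention
              # policy is the more controlled alternative.
              awslogs-create-group: 'true'
              awslogs-group: !Sub '/aws/ecs/${ClusterName}/${AWS::StackName}'
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: app

  # Long-running service fronting the task definition through the shared ALB.
  Service:
    Type: AWS::ECS::Service
    Properties:
      ServiceName: !Ref Component
      Cluster: !Ref ClusterName
      # LaunchType and CapacityProviderStrategy are mutually exclusive on
      # AWS::ECS::Service and ECS rejects a service that sets both. The
      # original template had `LaunchType: FARGATE` alongside this strategy;
      # the strategy is kept because it states the intended (Spot) placement.
      CapacityProviderStrategy:
        # Spot capacity can be reclaimed at short notice; with a single
        # desired task that is a brief outage, not a security issue.
        - CapacityProvider: FARGATE_SPOT
          Weight: 1
      EnableECSManagedTags: true
      PropagateTags: TASK_DEFINITION
      # ECS Exec gives anyone holding ecs:ExecuteCommand an interactive shell
      # inside the task. As written it is also inert: the task role below has
      # no policies, and the SSM agent needs ssmmessages:CreateControlChannel,
      # CreateDataChannel, OpenControlChannel and OpenDataChannel on the task
      # role. Either grant those deliberately (and audit via CloudTrail /
      # session logging) or set this to false outside of debugging.
      EnableExecuteCommand: true
      DeploymentConfiguration:
        MaximumPercent: 200
        MinimumHealthyPercent: 75
        # Roll back automatically when a new revision fails to become healthy.
        DeploymentCircuitBreaker:
          Enable: true
          Rollback: true
      DesiredCount: !Ref ContainerDesiredCount
      NetworkConfiguration:
        AwsvpcConfiguration:
          SecurityGroups:
            - !Ref ClusterSecurityGroupId
          Subnets: !Ref VpcSubnets
          # Enabled because this runs in a public subnet. The task is then
          # directly addressable from the internet; ClusterSecurityGroupId
          # must restrict ingress on ContainerPort to the ALB.
          AssignPublicIp: ENABLED
      TaskDefinition: !Ref TaskDefinition
      LoadBalancers:
        - ContainerName: !Ref Component
          ContainerPort: !Ref ContainerPort
          TargetGroupArn: !Ref AlbTargetGroup
      HealthCheckGracePeriodSeconds: 60

  # IP-mode target group; the ALB talks plain HTTP to the task on ContainerPort.
  AlbTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      HealthCheckIntervalSeconds: 5
      HealthCheckPath: /
      HealthCheckProtocol: HTTP
      HealthCheckTimeoutSeconds: 4
      HealthyThresholdCount: 2
      TargetType: ip
      Port: !Ref ContainerPort
      Protocol: HTTP
      UnhealthyThresholdCount: 2
      VpcId: !Ref VpcId

  # Path-based routing rule attached to the shared listener.
  AlbListenerRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      Actions:
        - TargetGroupArn: !Ref AlbTargetGroup
          Type: forward
      Conditions:
        - Field: path-pattern
          Values:
            # `*` forwards every request on the listener to this service;
            # keep AlbRulePriority low enough only if that is intended.
            - !Ref AlbRulePath
      ListenerArn: !Ref ClusterAlbListenerArn
      Priority: !Ref AlbRulePriority

  # Role the application code runs as. Deliberately empty: the container
  # currently needs no AWS API access, which is the least-privilege default.
  # Add scoped inline policies here (not to the shared execution role) when
  # the application needs AWS calls or when ECS Exec is actually required.
  TaskIamRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies: []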