From 03175de2bf75458305b988df791857a46588caf8 Mon Sep 17 00:00:00 2001 From: mdugdale Date: Sat, 27 Mar 2021 23:48:31 +0000 Subject: [PATCH] typescript aws --- dist/base-setup.yml | 413 ++++++++++++++++++++++++++++++ dist/cloudformation-stack-ttl.yml | 86 ++----- 2 files changed, 441 insertions(+), 58 deletions(-) create mode 100644 dist/base-setup.yml diff --git a/dist/base-setup.yml b/dist/base-setup.yml new file mode 100644 index 00000000..ba34c537 --- /dev/null +++ b/dist/base-setup.yml 
@@ -0,0 +1,413 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: AWS Fargate cluster that can span public and private subnets. Supports + public facing load balancers, private internal load balancers, and + both internal and external service discovery namespaces. +Parameters: + EnvironmentName: + Type: String + Default: development + Description: "Your deployment environment: DEV, QA , PROD" + + # ContainerPort: + # Type: Number + # Default: 80 + # Description: What port number the application inside the docker container is binding to + + + +Mappings: + # Hard values for the subnet masks. These masks define + # the range of internal IP addresses that can be assigned. + # The VPC can have all IP's from 10.0.0.0 to 10.0.255.255 + # There are four subnets which cover the ranges: + # + # 10.0.0.0 - 10.0.0.255 + # 10.0.1.0 - 10.0.1.255 + # 10.0.2.0 - 10.0.2.255 + # 10.0.3.0 - 10.0.3.255 + + SubnetConfig: + VPC: + CIDR: '10.0.0.0/16' + PublicOne: + CIDR: '10.0.0.0/24' + PublicTwo: + CIDR: '10.0.1.0/24' + +Resources: + + + + # VPC in which containers will be networked. + # It has two public subnets, and two private subnets. + # We distribute the subnets across the first two available subnets + # for the region, for high availability. + VPC: + Type: AWS::EC2::VPC + Properties: + EnableDnsSupport: true + EnableDnsHostnames: true + CidrBlock: !FindInMap ['SubnetConfig', 'VPC', 'CIDR'] + + EFSServerSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupName: "efs-server-endpoints" + GroupDescription: Which client ip addrs are allowed to access EFS server + VpcId: !Ref 'VPC' + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 2049 + ToPort: 2049 + SourceSecurityGroupId: !Ref ContainerSecurityGroup + #CidrIp: !FindInMap ['SubnetConfig', 'VPC', 'CIDR'] + # A security group for the containers we will run in Fargate. + # Rules are added to this security group based on what ingress you + # add for the cluster. 
+ ContainerSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupName: "task security group" + GroupDescription: Access to the Fargate containers + VpcId: !Ref 'VPC' + # SecurityGroupIngress: + # - IpProtocol: tcp + # FromPort: !Ref ContainerPort + # ToPort: !Ref ContainerPort + # CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: -1 + FromPort: 2049 + ToPort: 2049 + CidrIp: "0.0.0.0/0" + + + + + # Two public subnets, where containers can have public IP addresses + PublicSubnetOne: + Type: AWS::EC2::Subnet + Properties: + AvailabilityZone: !Select + - 0 + - Fn::GetAZs: !Ref 'AWS::Region' + VpcId: !Ref 'VPC' + CidrBlock: !FindInMap ['SubnetConfig', 'PublicOne', 'CIDR'] + # MapPublicIpOnLaunch: true + + PublicSubnetTwo: + Type: AWS::EC2::Subnet + Properties: + AvailabilityZone: !Select + - 1 + - Fn::GetAZs: !Ref 'AWS::Region' + VpcId: !Ref 'VPC' + CidrBlock: !FindInMap ['SubnetConfig', 'PublicTwo', 'CIDR'] + # MapPublicIpOnLaunch: true + + + # Setup networking resources for the public subnets. Containers + # in the public subnets have public IP addresses and the routing table + # sends network traffic via the internet gateway. + InternetGateway: + Type: AWS::EC2::InternetGateway + GatewayAttachement: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + VpcId: !Ref 'VPC' + InternetGatewayId: !Ref 'InternetGateway' + + # Attaching a Internet Gateway to route table makes it public. + PublicRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref 'VPC' + PublicRoute: + Type: AWS::EC2::Route + DependsOn: GatewayAttachement + Properties: + RouteTableId: !Ref 'PublicRouteTable' + DestinationCidrBlock: '0.0.0.0/0' + GatewayId: !Ref 'InternetGateway' + + # Attaching a public route table makes a subnet public. 
+ PublicSubnetOneRouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + SubnetId: !Ref PublicSubnetOne + RouteTableId: !Ref PublicRouteTable + PublicSubnetTwoRouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + SubnetId: !Ref PublicSubnetTwo + RouteTableId: !Ref PublicRouteTable + + + + # ECS Resources + ECSCluster: + Type: AWS::ECS::Cluster + + + + # A role used to allow AWS Autoscaling to inspect stats and adjust scaleable targets + # on your AWS account + AutoscalingRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Statement: + - Effect: Allow + Principal: + Service: [application-autoscaling.amazonaws.com] + Action: ['sts:AssumeRole'] + Path: / + Policies: + - PolicyName: service-autoscaling + PolicyDocument: + Statement: + - Effect: Allow + Action: + - 'application-autoscaling:*' + - 'cloudwatch:DescribeAlarms' + - 'cloudwatch:PutMetricAlarm' + - 'ecs:DescribeServices' + - 'ecs:UpdateService' + Resource: '*' + + # This is an IAM role which authorizes ECS to manage resources on your + # account on your behalf, such as updating your load balancer with the + # details of where your containers are, so that traffic can reach your + # containers. 
+ ECSRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Statement: + - Effect: Allow + Principal: + Service: [ecs.amazonaws.com] + Action: ['sts:AssumeRole'] + Path: / + Policies: + - PolicyName: ecs-service + PolicyDocument: + Statement: + - Effect: Allow + Action: + # Rules which allow ECS to attach network interfaces to instances + # on your behalf in order for awsvpc networking mode to work right + - 'ec2:AttachNetworkInterface' + - 'ec2:CreateNetworkInterface' + - 'ec2:CreateNetworkInterfacePermission' + - 'ec2:DeleteNetworkInterface' + - 'ec2:DeleteNetworkInterfacePermission' + - 'ec2:Describe*' + - 'ec2:DetachNetworkInterface' + + # Rules which allow ECS to update load balancers on your behalf + # with the information sabout how to send traffic to your containers + - 'elasticloadbalancing:DeregisterInstancesFromLoadBalancer' + - 'elasticloadbalancing:DeregisterTargets' + - 'elasticloadbalancing:Describe*' + - 'elasticloadbalancing:RegisterInstancesWithLoadBalancer' + - 'elasticloadbalancing:RegisterTargets' + Resource: '*' + + # This is a role which is used by the ECS tasks themselves. 
+ ECSTaskExecutionRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Statement: + - Effect: Allow + Principal: + Service: [ecs-tasks.amazonaws.com] + Action: ['sts:AssumeRole'] + Path: / + Policies: + - PolicyName: AmazonECSTaskExecutionRolePolicy + PolicyDocument: + Statement: + - Effect: Allow + Action: + # Allow upload to S3 + - 's3:GetObject' + - 's3:GetObjectVersion' + - 's3:PutObject' + + # Allow the use of secret manager + - 'secretsmanager:GetSecretValue' + - 'kms:Decrypt' + + # Allow the ECS Tasks to download images from ECR + - 'ecr:GetAuthorizationToken' + - 'ecr:BatchCheckLayerAvailability' + - 'ecr:GetDownloadUrlForLayer' + - 'ecr:BatchGetImage' + + # Allow the ECS tasks to upload logs to CloudWatch + - 'logs:CreateLogStream' + - 'logs:PutLogEvents' + Resource: '*' + + DeleteCFNLambdaExecutionRole: + Type: "AWS::IAM::Role" + Properties: + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Principal: + Service: ["lambda.amazonaws.com"] + Action: "sts:AssumeRole" + Path: "/" + Policies: + - PolicyName: "DeleteLambdaExRoleName" + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Action: + - "logs:CreateLogGroup" + - "logs:CreateLogStream" + - "logs:PutLogEvents" + Resource: "arn:aws:logs:*:*:*" + - Effect: "Allow" + Action: + - "cloudformation:DeleteStack" + Resource: "*" + + +### cloud watch to kinesis role + + CloudWatchIAMRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Statement: + - Effect: Allow + Principal: + Service: [logs.amazonaws.com] + Action: ['sts:AssumeRole'] + Path: / + Policies: + - PolicyName: service-autoscaling + PolicyDocument: + Statement: + - Effect: Allow + Action: + - 'kinesis:PutRecord' + Resource: '*' +#####################EFS##################### + + EfsFileStorage: + Type: 'AWS::EFS::FileSystem' + Properties: + BackupPolicy: + Status: ENABLED + PerformanceMode: maxIO + Encrypted: false + + + FileSystemPolicy: + Version: 
"2012-10-17" + Statement: + - Effect: "Allow" + Action: + - "elasticfilesystem:ClientMount" + - "elasticfilesystem:ClientWrite" + - "elasticfilesystem:ClientRootAccess" + Principal: + AWS: "*" + + + MountTargetResource1: + Type: AWS::EFS::MountTarget + Properties: + FileSystemId: !Ref EfsFileStorage + SubnetId: !Ref PublicSubnetOne + SecurityGroups: + - !Ref EFSServerSecurityGroup + + MountTargetResource2: + Type: AWS::EFS::MountTarget + Properties: + FileSystemId: !Ref EfsFileStorage + SubnetId: !Ref PublicSubnetTwo + SecurityGroups: + - !Ref EFSServerSecurityGroup + + S3Bucket: + Type: 'AWS::S3::Bucket' + DeletionPolicy: Retain + Properties: + BucketName: game-ci-storage + + + + + + + + +Outputs: + + EfsFileStorageId: + Description: 'The connection endpoint for the database.' + Value: !Ref EfsFileStorage + Export: + Name: !Sub ${EnvironmentName}:EfsFileStorageId + ClusterName: + Description: The name of the ECS cluster + Value: !Ref 'ECSCluster' + Export: + Name: !Sub ${EnvironmentName}:ClusterName + AutoscalingRole: + Description: The ARN of the role used for autoscaling + Value: !GetAtt 'AutoscalingRole.Arn' + Export: + Name: !Sub ${EnvironmentName}:AutoscalingRole + ECSRole: + Description: The ARN of the ECS role + Value: !GetAtt 'ECSRole.Arn' + Export: + Name: !Sub ${EnvironmentName}:ECSRole + ECSTaskExecutionRole: + Description: The ARN of the ECS role tsk execution role + Value: !GetAtt 'ECSTaskExecutionRole.Arn' + Export: + Name: !Sub ${EnvironmentName}:ECSTaskExecutionRole + + DeleteCFNLambdaExecutionRole: + Description: s3 + Value: !GetAtt 'ECSTaskExecutionRole.Arn' + Export: + Name: !Sub ${EnvironmentName}:DeleteCFNLambdaExecutionRole + + CloudWatchIAMRole: + Description: The ARN of the CloudWatch role for subscription filter + Value: !GetAtt 'CloudWatchIAMRole.Arn' + Export: + Name: !Sub ${EnvironmentName}:CloudWatchIAMRole + VpcId: + Description: The ID of the VPC that this stack is deployed in + Value: !Ref 'VPC' + Export: + Name: !Sub 
${EnvironmentName}:VpcId + PublicSubnetOne: + Description: Public subnet one + Value: !Ref 'PublicSubnetOne' + Export: + Name: !Sub ${EnvironmentName}:PublicSubnetOne + PublicSubnetTwo: + Description: Public subnet two + Value: !Ref 'PublicSubnetTwo' + Export: + Name: !Sub ${EnvironmentName}:PublicSubnetTwo + + ContainerSecurityGroup: + Description: A security group used to allow Fargate containers to receive traffic + Value: !Ref 'ContainerSecurityGroup' + Export: + Name: !Sub ${EnvironmentName}:ContainerSecurityGroup diff --git a/dist/cloudformation-stack-ttl.yml b/dist/cloudformation-stack-ttl.yml index eecb89d7..4c2df2af 100644 --- a/dist/cloudformation-stack-ttl.yml +++ b/dist/cloudformation-stack-ttl.yml 
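Review bot: The file system policy on `EfsFileStorage` grants `elasticfilesystem:ClientRootAccess` (plus mount and write) to `Principal: AWS: "*"` with no Condition, and the file system is created with `Encrypted: false`, so anything that can reach a mount target in the two public subnets gets root on the volume and the data is unencrypted at rest; restrict the principal to the role the tasks actually run under, drop ClientRootAccess unless it is needed, require access via a mount target, and enable encryption, as below. Separately, the `ContainerSecurityGroup` egress rule uses `IpProtocol: -1`, under which EC2 ignores the 2049 port range, so it is an allow-all egress rule; `IpProtocol: tcp` matches what the ports suggest was intended. The output `DeleteCFNLambdaExecutionRole` exports `!GetAtt 'ECSTaskExecutionRole.Arn'` with `Description: s3`, so the `Fn::ImportValue` in `@@ -83,14 +76,14 @@` of `dist/cloudformation-stack-ttl.yml` receives the ECS execution role instead; it should read `Value: !GetAtt 'DeleteCFNLambdaExecutionRole.Arn'`. The `EfsFileStorageId` description ("connection endpoint for the database") and the template Description and Mappings comments mentioning private subnets and four subnet ranges also no longer match what the template defines (two public subnets only).
```yaml
  EfsFileStorage:
    Type: 'AWS::EFS::FileSystem'
    Properties:
      # … unchanged: BackupPolicy, PerformanceMode …
      Encrypted: true
      FileSystemPolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "elasticfilesystem:ClientMount"
              - "elasticfilesystem:ClientWrite"
            Principal:
              # placeholder: the IAM role the Fargate tasks run under
              AWS: !GetAtt TASK_ROLE_LOGICAL_ID.Arn
            Condition:
              Bool:
                "elasticfilesystem:AccessedViaMountTarget": "true"
```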
@@ -23,39 +23,32 @@ Parameters: TTL: Type: Number Description: Time-to-live in minutes for the stack. + DeleteLambdaExRoleName: + Type: Number + Description: Time-to-live in minutes for the stack. + DeleteCFNLambdaName: + Type: Number + Description: Time-to-live in minutes for the stack. + DeleteStackEventRuleName: + Type: Number + Description: Time-to-live in minutes for the stack. + DeleteCFNLambdaPermissionName: + Type: Number + Description: Time-to-live in minutes for the stack. + LambdaExecutionRoleName: + Type: Number + Description: Time-to-live in minutes for the stack. + GenerateCronExpressionLambdaName: + Type: Number + Description: Time-to-live in minutes for the stack. + GenerateCronExpressionName: + Type: Number + Description: Time-to-live in minutes for the stack. Resources: - DeleteCFNLambdaExecutionRole: - Type: "AWS::IAM::Role" - Properties: - AssumeRolePolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: "Allow" - Principal: - Service: ["lambda.amazonaws.com"] - Action: "sts:AssumeRole" - Path: "/" - Policies: - - PolicyName: "DeleteLambdaExRole${BUILDID}" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: "Allow" - Action: - - "logs:CreateLogGroup" - - "logs:CreateLogStream" - - "logs:PutLogEvents" - Resource: "arn:aws:logs:*:*:*" - - Effect: "Allow" - Action: - - "cloudformation:DeleteStack" - Resource: !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${BUILDID}/*" DeleteCFNLambda: Type: "AWS::Lambda::Function" - DependsOn: - - DeleteCFNLambdaExecutionRole Properties: - FunctionName: "DeleteCFNLambda-${BUILDID}" + FunctionName: !Ref "DeleteCFNLambdaName" Code: ZipFile: | import boto3 
@@ -83,14 +76,14 @@ Resources: Handler: "index.handler" Runtime: "python3.6" Timeout: "5" - Role: !GetAtt DeleteCFNLambdaExecutionRole.Arn + Role: 'Fn::ImportValue': !Sub '${EnvironmentName}:DeleteCFNLambdaExecutionRole' DeleteStackEventRule: DependsOn: - DeleteCFNLambda - GenerateCronExpression Type: "AWS::Events::Rule" Properties: - Name: "DeleteStackEventRule${BUILDID}" + Name: !Ref "DeleteStackEventRuleName" Description: Delete stack event ScheduleExpression: !GetAtt GenerateCronExpression.cron_exp State: "ENABLED" @@ -101,36 +94,14 @@ Resources: PermissionForDeleteCFNLambda: Type: "AWS::Lambda::Permission" Properties: - FunctionName: "DeleteCFNLambda-${BUILDID}" + FunctionName: "DeleteCFNLambdaPermission" Action: "lambda:InvokeFunction" Principal: "events.amazonaws.com" SourceArn: !GetAtt DeleteStackEventRule.Arn - BasicLambdaExecutionRole: - Type: "AWS::IAM::Role" - Properties: - AssumeRolePolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: "Allow" - Principal: - Service: ["lambda.amazonaws.com"] - Action: "sts:AssumeRole" - Path: "/" - Policies: - - PolicyName: "BasicLambdaExecutionRole-${BUILDID}" - PolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: "Allow" - Action: - - "logs:CreateLogGroup" - - "logs:CreateLogStream" - - "logs:PutLogEvents" - Resource: "arn:aws:logs:*:*:*" GenerateCronExpLambda: Type: "AWS::Lambda::Function" Properties: - FunctionName: "MakeCronLambda-${BUILDID}" + FunctionName: "GenerateCronExpressionLambda" Code: ZipFile: | from datetime import datetime, timedelta @@ -168,12 +139,11 @@ Resources: Handler: "index.handler" Runtime: "python3.6" Timeout: "5" - Role: !GetAtt BasicLambdaExecutionRole.Arn - + Role: 'Fn::ImportValue': !Sub '${EnvironmentName}:ECSTaskExecutionRole' GenerateCronExpression: Type: "Custom::GenerateCronExpression" Version: "1.0" Properties: - Name: !Sub "GenerateCronExpression-${BUILDID}" + Name: "GenerateCronExpression" ServiceToken: !GetAtt GenerateCronExpLambda.Arn ttl: !Ref 'TTL'
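Review bot: The seven parameters added under `Parameters:` are all `Type: Number` with the copied description "Time-to-live in minutes for the stack.", yet they are consumed as names (`FunctionName: !Ref "DeleteCFNLambdaName"`, `Name: !Ref "DeleteStackEventRuleName"`), which a numeric parameter cannot hold; declare them `Type: String` with a description saying what each one names. Only two of the seven are referenced anywhere in this diff (`DeleteCFNLambdaName`, `DeleteStackEventRuleName`); the rest should either be wired in or dropped. The removed `DeleteCFNLambdaExecutionRole` scoped `cloudformation:DeleteStack` to `arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${BUILDID}/*`, while its replacement in `dist/base-setup.yml` grants the same action on `Resource: "*"`, so the TTL lambda can now delete any stack in the account; keep a scope such as `Resource: !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/<TTL_STACK_NAME_PREFIX>*/*"` (placeholder: the naming convention the TTL stacks share).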
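Review bot: `Role` now resolves through `Fn::ImportValue` of `!Sub '${EnvironmentName}:DeleteCFNLambdaExecutionRole'`, but no `EnvironmentName` parameter is added in this file and none is visible in the `Parameters:` hunk (`@@ -23,39 +23,32 @@`); unless it is declared in the part of the file above that hunk, the `!Sub` fails at validation, so add `EnvironmentName: Type: String` with the same default as base-setup.yml (`development`). The import also hard-couples every TTL stack to the base stack's export name, so the base stack cannot rename or remove that output while any TTL stack exists; a comment on the `Role:` line such as `# Imported from base-setup.yml; changing that export requires deleting all TTL stacks first` would save the next maintainer a failed update. The enclosing `DeleteCFNLambda` resource starts outside this hunk.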
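Review bot: `PermissionForDeleteCFNLambda` now has `FunctionName: "DeleteCFNLambdaPermission"`, a literal that does not match the function it is meant to authorise (`DeleteCFNLambda`, whose name is `!Ref "DeleteCFNLambdaName"`), so the permission targets a function that does not exist and the event rule will not be allowed to invoke the real one; use `FunctionName: !Ref DeleteCFNLambda`, which resolves to the function name and adds the dependency. The `${BUILDID}` suffixes are dropped from `GenerateCronExpLambda` (`FunctionName: "GenerateCronExpressionLambda"`) here and from `GenerateCronExpression` (`Name: "GenerateCronExpression"`) in `@@ -168,12 +139,11 @@`, while the matching parameters `GenerateCronExpressionLambdaName` / `GenerateCronExpressionName` added in `@@ -23,39 +23,32 @@` go unused; with fixed names, two TTL stacks in the same account and region collide on the Lambda name. Reference the parameters (`FunctionName: !Ref GenerateCronExpressionLambdaName`) or omit `FunctionName` and let CloudFormation generate a unique name.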
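Review bot: `Role` for `GenerateCronExpLambda` now imports `${EnvironmentName}:ECSTaskExecutionRole`, whose trust policy in `dist/base-setup.yml` lists only `ecs-tasks.amazonaws.com`, so the Lambda service cannot assume it and function creation should fail; the same applies to `@@ -83,14 +76,14 @@`, because the `DeleteCFNLambdaExecutionRole` output in base-setup.yml currently exports the ECS execution role's ARN as well. Even with a corrected trust policy, that role carries `s3:PutObject`, `secretsmanager:GetSecretValue`, `kms:Decrypt` and ECR rights on `Resource: '*'`, far more than the logs-only `BasicLambdaExecutionRole` this hunk removes needed. Export a logs-only Lambda execution role from base-setup.yml (the removed `BasicLambdaExecutionRole` body, with the `${BUILDID}` policy name replaced, is a suitable template) and import that here, e.g. `Role: {'Fn::ImportValue': !Sub '${EnvironmentName}:BasicLambdaExecutionRole'}`.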