baked in cloud formation template

pull/387/head
Frostebite 2022-04-20 23:51:30 +01:00
parent 09c6df818f
commit d26cc2b620
4 changed files with 1085 additions and 1089 deletions

1036
dist/index.js vendored


2
dist/index.js.map vendored



@ -1,391 +1,391 @@
export class BaseStackFormation { export class BaseStackFormation {
public static readonly formation: string = ` AWSTemplateFormatVersion: '2010-09-09' public static readonly formation: string = `AWSTemplateFormatVersion: '2010-09-09'
Description: Game-CI base stack Description: Game-CI base stack
Parameters: Parameters:
EnvironmentName: EnvironmentName:
Type: String Type: String
Default: development Default: development
Description: 'Your deployment environment: DEV, QA , PROD' Description: 'Your deployment environment: DEV, QA , PROD'
Version: Version:
Type: String Type: String
Description: 'hash of template' Description: 'hash of template'
# ContainerPort: # ContainerPort:
# Type: Number # Type: Number
# Default: 80 # Default: 80
# Description: What port number the application inside the docker container is binding to # Description: What port number the application inside the docker container is binding to
Mappings: Mappings:
# Hard values for the subnet masks. These masks define # Hard values for the subnet masks. These masks define
# the range of internal IP addresses that can be assigned. # the range of internal IP addresses that can be assigned.
# The VPC can have all IP's from 10.0.0.0 to 10.0.255.255 # The VPC can have all IP's from 10.0.0.0 to 10.0.255.255
# There are four subnets which cover the ranges: # There are four subnets which cover the ranges:
# #
# 10.0.0.0 - 10.0.0.255 # 10.0.0.0 - 10.0.0.255
# 10.0.1.0 - 10.0.1.255 # 10.0.1.0 - 10.0.1.255
# 10.0.2.0 - 10.0.2.255 # 10.0.2.0 - 10.0.2.255
# 10.0.3.0 - 10.0.3.255 # 10.0.3.0 - 10.0.3.255
SubnetConfig: SubnetConfig:
VPC:
CIDR: '10.0.0.0/16'
PublicOne:
CIDR: '10.0.0.0/24'
PublicTwo:
CIDR: '10.0.1.0/24'
Resources:
# VPC in which containers will be networked.
# It has two public subnets, and two private subnets.
# We distribute the subnets across the first two available subnets
# for the region, for high availability.
VPC: VPC:
Type: AWS::EC2::VPC CIDR: '10.0.0.0/16'
Properties: PublicOne:
EnableDnsSupport: true CIDR: '10.0.0.0/24'
EnableDnsHostnames: true PublicTwo:
CidrBlock: !FindInMap ['SubnetConfig', 'VPC', 'CIDR'] CIDR: '10.0.1.0/24'
EFSServerSecurityGroup: Resources:
Type: AWS::EC2::SecurityGroup # VPC in which containers will be networked.
Properties: # It has two public subnets, and two private subnets.
GroupName: 'efs-server-endpoints' # We distribute the subnets across the first two available subnets
GroupDescription: Which client ip addrs are allowed to access EFS server # for the region, for high availability.
VpcId: !Ref 'VPC' VPC:
SecurityGroupIngress: Type: AWS::EC2::VPC
- IpProtocol: tcp Properties:
FromPort: 2049 EnableDnsSupport: true
ToPort: 2049 EnableDnsHostnames: true
SourceSecurityGroupId: !Ref ContainerSecurityGroup CidrBlock: !FindInMap ['SubnetConfig', 'VPC', 'CIDR']
#CidrIp: !FindInMap ['SubnetConfig', 'VPC', 'CIDR']
# A security group for the containers we will run in Fargate.
# Rules are added to this security group based on what ingress you
# add for the cluster.
ContainerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: 'task security group'
GroupDescription: Access to the Fargate containers
VpcId: !Ref 'VPC'
# SecurityGroupIngress:
# - IpProtocol: tcp
# FromPort: !Ref ContainerPort
# ToPort: !Ref ContainerPort
# CidrIp: 0.0.0.0/0
SecurityGroupEgress:
- IpProtocol: -1
FromPort: 2049
ToPort: 2049
CidrIp: '0.0.0.0/0'
# Two public subnets, where containers can have public IP addresses EFSServerSecurityGroup:
PublicSubnetOne: Type: AWS::EC2::SecurityGroup
Type: AWS::EC2::Subnet Properties:
Properties: GroupName: 'efs-server-endpoints'
AvailabilityZone: !Select GroupDescription: Which client ip addrs are allowed to access EFS server
- 0 VpcId: !Ref 'VPC'
- Fn::GetAZs: !Ref 'AWS::Region' SecurityGroupIngress:
VpcId: !Ref 'VPC' - IpProtocol: tcp
CidrBlock: !FindInMap ['SubnetConfig', 'PublicOne', 'CIDR'] FromPort: 2049
# MapPublicIpOnLaunch: true ToPort: 2049
SourceSecurityGroupId: !Ref ContainerSecurityGroup
#CidrIp: !FindInMap ['SubnetConfig', 'VPC', 'CIDR']
# A security group for the containers we will run in Fargate.
# Rules are added to this security group based on what ingress you
# add for the cluster.
ContainerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: 'task security group'
GroupDescription: Access to the Fargate containers
VpcId: !Ref 'VPC'
# SecurityGroupIngress:
# - IpProtocol: tcp
# FromPort: !Ref ContainerPort
# ToPort: !Ref ContainerPort
# CidrIp: 0.0.0.0/0
SecurityGroupEgress:
- IpProtocol: -1
FromPort: 2049
ToPort: 2049
CidrIp: '0.0.0.0/0'
PublicSubnetTwo: # Two public subnets, where containers can have public IP addresses
Type: AWS::EC2::Subnet PublicSubnetOne:
Properties: Type: AWS::EC2::Subnet
AvailabilityZone: !Select Properties:
- 1 AvailabilityZone: !Select
- Fn::GetAZs: !Ref 'AWS::Region' - 0
VpcId: !Ref 'VPC' - Fn::GetAZs: !Ref 'AWS::Region'
CidrBlock: !FindInMap ['SubnetConfig', 'PublicTwo', 'CIDR'] VpcId: !Ref 'VPC'
# MapPublicIpOnLaunch: true CidrBlock: !FindInMap ['SubnetConfig', 'PublicOne', 'CIDR']
# MapPublicIpOnLaunch: true
# Setup networking resources for the public subnets. Containers PublicSubnetTwo:
# in the public subnets have public IP addresses and the routing table Type: AWS::EC2::Subnet
# sends network traffic via the internet gateway. Properties:
InternetGateway: AvailabilityZone: !Select
Type: AWS::EC2::InternetGateway - 1
GatewayAttachement: - Fn::GetAZs: !Ref 'AWS::Region'
Type: AWS::EC2::VPCGatewayAttachment VpcId: !Ref 'VPC'
Properties: CidrBlock: !FindInMap ['SubnetConfig', 'PublicTwo', 'CIDR']
VpcId: !Ref 'VPC' # MapPublicIpOnLaunch: true
InternetGatewayId: !Ref 'InternetGateway'
# Attaching a Internet Gateway to route table makes it public. # Setup networking resources for the public subnets. Containers
PublicRouteTable: # in the public subnets have public IP addresses and the routing table
Type: AWS::EC2::RouteTable # sends network traffic via the internet gateway.
Properties: InternetGateway:
VpcId: !Ref 'VPC' Type: AWS::EC2::InternetGateway
PublicRoute: GatewayAttachement:
Type: AWS::EC2::Route Type: AWS::EC2::VPCGatewayAttachment
DependsOn: GatewayAttachement Properties:
Properties: VpcId: !Ref 'VPC'
RouteTableId: !Ref 'PublicRouteTable' InternetGatewayId: !Ref 'InternetGateway'
DestinationCidrBlock: '0.0.0.0/0'
GatewayId: !Ref 'InternetGateway'
# Attaching a public route table makes a subnet public. # Attaching a Internet Gateway to route table makes it public.
PublicSubnetOneRouteTableAssociation: PublicRouteTable:
Type: AWS::EC2::SubnetRouteTableAssociation Type: AWS::EC2::RouteTable
Properties: Properties:
SubnetId: !Ref PublicSubnetOne VpcId: !Ref 'VPC'
RouteTableId: !Ref PublicRouteTable PublicRoute:
PublicSubnetTwoRouteTableAssociation: Type: AWS::EC2::Route
Type: AWS::EC2::SubnetRouteTableAssociation DependsOn: GatewayAttachement
Properties: Properties:
SubnetId: !Ref PublicSubnetTwo RouteTableId: !Ref 'PublicRouteTable'
RouteTableId: !Ref PublicRouteTable DestinationCidrBlock: '0.0.0.0/0'
GatewayId: !Ref 'InternetGateway'
# ECS Resources # Attaching a public route table makes a subnet public.
ECSCluster: PublicSubnetOneRouteTableAssociation:
Type: AWS::ECS::Cluster Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId: !Ref PublicSubnetOne
RouteTableId: !Ref PublicRouteTable
PublicSubnetTwoRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId: !Ref PublicSubnetTwo
RouteTableId: !Ref PublicRouteTable
# A role used to allow AWS Autoscaling to inspect stats and adjust scaleable targets # ECS Resources
# on your AWS account ECSCluster:
AutoscalingRole: Type: AWS::ECS::Cluster
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: [application-autoscaling.amazonaws.com]
Action: ['sts:AssumeRole']
Path: /
Policies:
- PolicyName: service-autoscaling
PolicyDocument:
Statement:
- Effect: Allow
Action:
- 'application-autoscaling:*'
- 'cloudwatch:DescribeAlarms'
- 'cloudwatch:PutMetricAlarm'
- 'ecs:DescribeServices'
- 'ecs:UpdateService'
Resource: '*'
# This is an IAM role which authorizes ECS to manage resources on your # A role used to allow AWS Autoscaling to inspect stats and adjust scaleable targets
# account on your behalf, such as updating your load balancer with the # on your AWS account
# details of where your containers are, so that traffic can reach your AutoscalingRole:
# containers. Type: AWS::IAM::Role
ECSRole: Properties:
Type: AWS::IAM::Role AssumeRolePolicyDocument:
Properties: Statement:
AssumeRolePolicyDocument: - Effect: Allow
Statement: Principal:
- Effect: Allow Service: [application-autoscaling.amazonaws.com]
Principal: Action: ['sts:AssumeRole']
Service: [ecs.amazonaws.com] Path: /
Action: ['sts:AssumeRole'] Policies:
Path: / - PolicyName: service-autoscaling
Policies: PolicyDocument:
- PolicyName: ecs-service Statement:
PolicyDocument: - Effect: Allow
Statement: Action:
- Effect: Allow - 'application-autoscaling:*'
Action: - 'cloudwatch:DescribeAlarms'
# Rules which allow ECS to attach network interfaces to instances - 'cloudwatch:PutMetricAlarm'
# on your behalf in order for awsvpc networking mode to work right - 'ecs:DescribeServices'
- 'ec2:AttachNetworkInterface' - 'ecs:UpdateService'
- 'ec2:CreateNetworkInterface' Resource: '*'
- 'ec2:CreateNetworkInterfacePermission'
- 'ec2:DeleteNetworkInterface'
- 'ec2:DeleteNetworkInterfacePermission'
- 'ec2:Describe*'
- 'ec2:DetachNetworkInterface'
# Rules which allow ECS to update load balancers on your behalf # This is an IAM role which authorizes ECS to manage resources on your
# with the information sabout how to send traffic to your containers # account on your behalf, such as updating your load balancer with the
- 'elasticloadbalancing:DeregisterInstancesFromLoadBalancer' # details of where your containers are, so that traffic can reach your
- 'elasticloadbalancing:DeregisterTargets' # containers.
- 'elasticloadbalancing:Describe*' ECSRole:
- 'elasticloadbalancing:RegisterInstancesWithLoadBalancer' Type: AWS::IAM::Role
- 'elasticloadbalancing:RegisterTargets' Properties:
Resource: '*' AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: [ecs.amazonaws.com]
Action: ['sts:AssumeRole']
Path: /
Policies:
- PolicyName: ecs-service
PolicyDocument:
Statement:
- Effect: Allow
Action:
# Rules which allow ECS to attach network interfaces to instances
# on your behalf in order for awsvpc networking mode to work right
- 'ec2:AttachNetworkInterface'
- 'ec2:CreateNetworkInterface'
- 'ec2:CreateNetworkInterfacePermission'
- 'ec2:DeleteNetworkInterface'
- 'ec2:DeleteNetworkInterfacePermission'
- 'ec2:Describe*'
- 'ec2:DetachNetworkInterface'
# This is a role which is used by the ECS tasks themselves. # Rules which allow ECS to update load balancers on your behalf
ECSTaskExecutionRole: # with the information sabout how to send traffic to your containers
Type: AWS::IAM::Role - 'elasticloadbalancing:DeregisterInstancesFromLoadBalancer'
Properties: - 'elasticloadbalancing:DeregisterTargets'
AssumeRolePolicyDocument: - 'elasticloadbalancing:Describe*'
Statement: - 'elasticloadbalancing:RegisterInstancesWithLoadBalancer'
- Effect: Allow - 'elasticloadbalancing:RegisterTargets'
Principal: Resource: '*'
Service: [ecs-tasks.amazonaws.com]
Action: ['sts:AssumeRole']
Path: /
Policies:
- PolicyName: AmazonECSTaskExecutionRolePolicy
PolicyDocument:
Statement:
- Effect: Allow
Action:
# Allow the use of secret manager
- 'secretsmanager:GetSecretValue'
- 'kms:Decrypt'
# Allow the ECS Tasks to download images from ECR # This is a role which is used by the ECS tasks themselves.
- 'ecr:GetAuthorizationToken' ECSTaskExecutionRole:
- 'ecr:BatchCheckLayerAvailability' Type: AWS::IAM::Role
- 'ecr:GetDownloadUrlForLayer' Properties:
- 'ecr:BatchGetImage' AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: [ecs-tasks.amazonaws.com]
Action: ['sts:AssumeRole']
Path: /
Policies:
- PolicyName: AmazonECSTaskExecutionRolePolicy
PolicyDocument:
Statement:
- Effect: Allow
Action:
# Allow the use of secret manager
- 'secretsmanager:GetSecretValue'
- 'kms:Decrypt'
# Allow the ECS tasks to upload logs to CloudWatch # Allow the ECS Tasks to download images from ECR
- 'logs:CreateLogStream' - 'ecr:GetAuthorizationToken'
- 'logs:PutLogEvents' - 'ecr:BatchCheckLayerAvailability'
Resource: '*' - 'ecr:GetDownloadUrlForLayer'
- 'ecr:BatchGetImage'
DeleteCFNLambdaExecutionRole: # Allow the ECS tasks to upload logs to CloudWatch
Type: 'AWS::IAM::Role' - 'logs:CreateLogStream'
Properties: - 'logs:PutLogEvents'
AssumeRolePolicyDocument: Resource: '*'
Version: '2012-10-17'
Statement:
- Effect: 'Allow'
Principal:
Service: ['lambda.amazonaws.com']
Action: 'sts:AssumeRole'
Path: '/'
Policies:
- PolicyName: DeleteCFNLambdaExecutionRole
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: 'Allow'
Action:
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource: 'arn:aws:logs:*:*:*'
- Effect: 'Allow'
Action:
- 'cloudformation:DeleteStack'
- 'kinesis:DeleteStream'
- 'secretsmanager:DeleteSecret'
- 'kinesis:DescribeStreamSummary'
- 'logs:DeleteLogGroup'
- 'logs:DeleteSubscriptionFilter'
- 'ecs:DeregisterTaskDefinition'
- 'lambda:DeleteFunction'
- 'lambda:InvokeFunction'
- 'events:RemoveTargets'
- 'events:DeleteRule'
- 'lambda:RemovePermission'
Resource: '*'
### cloud watch to kinesis role DeleteCFNLambdaExecutionRole:
CloudWatchIAMRole: Type: 'AWS::IAM::Role'
Type: AWS::IAM::Role Properties:
Properties: AssumeRolePolicyDocument:
AssumeRolePolicyDocument: Version: '2012-10-17'
Statement: Statement:
- Effect: Allow - Effect: 'Allow'
Principal: Principal:
Service: [logs.amazonaws.com] Service: ['lambda.amazonaws.com']
Action: ['sts:AssumeRole'] Action: 'sts:AssumeRole'
Path: / Path: '/'
Policies: Policies:
- PolicyName: service-autoscaling - PolicyName: DeleteCFNLambdaExecutionRole
PolicyDocument: PolicyDocument:
Statement: Version: '2012-10-17'
- Effect: Allow Statement:
Action: - Effect: 'Allow'
- 'kinesis:PutRecord' Action:
Resource: '*' - 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource: 'arn:aws:logs:*:*:*'
- Effect: 'Allow'
Action:
- 'cloudformation:DeleteStack'
- 'kinesis:DeleteStream'
- 'secretsmanager:DeleteSecret'
- 'kinesis:DescribeStreamSummary'
- 'logs:DeleteLogGroup'
- 'logs:DeleteSubscriptionFilter'
- 'ecs:DeregisterTaskDefinition'
- 'lambda:DeleteFunction'
- 'lambda:InvokeFunction'
- 'events:RemoveTargets'
- 'events:DeleteRule'
- 'lambda:RemovePermission'
Resource: '*'
#####################EFS##################### ### cloud watch to kinesis role
EfsFileStorage: CloudWatchIAMRole:
Type: 'AWS::EFS::FileSystem' Type: AWS::IAM::Role
Properties: Properties:
BackupPolicy: AssumeRolePolicyDocument:
Status: ENABLED Statement:
PerformanceMode: maxIO - Effect: Allow
Encrypted: false Principal:
Service: [logs.amazonaws.com]
Action: ['sts:AssumeRole']
Path: /
Policies:
- PolicyName: service-autoscaling
PolicyDocument:
Statement:
- Effect: Allow
Action:
- 'kinesis:PutRecord'
Resource: '*'
FileSystemPolicy: #####################EFS#####################
Version: '2012-10-17' EfsFileStorage:
Statement: Type: 'AWS::EFS::FileSystem'
- Effect: 'Allow' Properties:
Action: BackupPolicy:
- 'elasticfilesystem:ClientMount' Status: ENABLED
- 'elasticfilesystem:ClientWrite' PerformanceMode: maxIO
- 'elasticfilesystem:ClientRootAccess' Encrypted: false
Principal:
AWS: '*'
MountTargetResource1: FileSystemPolicy:
Type: AWS::EFS::MountTarget Version: '2012-10-17'
Properties: Statement:
FileSystemId: !Ref EfsFileStorage - Effect: 'Allow'
SubnetId: !Ref PublicSubnetOne Action:
SecurityGroups: - 'elasticfilesystem:ClientMount'
- !Ref EFSServerSecurityGroup - 'elasticfilesystem:ClientWrite'
- 'elasticfilesystem:ClientRootAccess'
Principal:
AWS: '*'
MountTargetResource2: MountTargetResource1:
Type: AWS::EFS::MountTarget Type: AWS::EFS::MountTarget
Properties: Properties:
FileSystemId: !Ref EfsFileStorage FileSystemId: !Ref EfsFileStorage
SubnetId: !Ref PublicSubnetTwo SubnetId: !Ref PublicSubnetOne
SecurityGroups: SecurityGroups:
- !Ref EFSServerSecurityGroup - !Ref EFSServerSecurityGroup
Outputs: MountTargetResource2:
EfsFileStorageId: Type: AWS::EFS::MountTarget
Description: 'The connection endpoint for the database.' Properties:
Value: !Ref EfsFileStorage FileSystemId: !Ref EfsFileStorage
Export: SubnetId: !Ref PublicSubnetTwo
Name: !Sub ${'${EnvironmentName}'}:EfsFileStorageId SecurityGroups:
ClusterName: - !Ref EFSServerSecurityGroup
Description: The name of the ECS cluster
Value: !Ref 'ECSCluster'
Export:
Name: !Sub${' ${EnvironmentName}'}:ClusterName
AutoscalingRole:
Description: The ARN of the role used for autoscaling
Value: !GetAtt 'AutoscalingRole.Arn'
Export:
Name: !Sub ${'${EnvironmentName}'}:AutoscalingRole
ECSRole:
Description: The ARN of the ECS role
Value: !GetAtt 'ECSRole.Arn'
Export:
Name: !Sub ${'${EnvironmentName}'}:ECSRole
ECSTaskExecutionRole:
Description: The ARN of the ECS role tsk execution role
Value: !GetAtt 'ECSTaskExecutionRole.Arn'
Export:
Name: !Sub ${'${EnvironmentName}'}:ECSTaskExecutionRole
DeleteCFNLambdaExecutionRole: Outputs:
Description: Lambda execution role for cleaning up cloud formations EfsFileStorageId:
Value: !GetAtt 'DeleteCFNLambdaExecutionRole.Arn' Description: 'The connection endpoint for the database.'
Export: Value: !Ref EfsFileStorage
Name: !Sub ${'${EnvironmentName}'}:DeleteCFNLambdaExecutionRole Export:
Name: !Sub ${'${EnvironmentName}'}:EfsFileStorageId
ClusterName:
Description: The name of the ECS cluster
Value: !Ref 'ECSCluster'
Export:
Name: !Sub${' ${EnvironmentName}'}:ClusterName
AutoscalingRole:
Description: The ARN of the role used for autoscaling
Value: !GetAtt 'AutoscalingRole.Arn'
Export:
Name: !Sub ${'${EnvironmentName}'}:AutoscalingRole
ECSRole:
Description: The ARN of the ECS role
Value: !GetAtt 'ECSRole.Arn'
Export:
Name: !Sub ${'${EnvironmentName}'}:ECSRole
ECSTaskExecutionRole:
Description: The ARN of the ECS role tsk execution role
Value: !GetAtt 'ECSTaskExecutionRole.Arn'
Export:
Name: !Sub ${'${EnvironmentName}'}:ECSTaskExecutionRole
CloudWatchIAMRole: DeleteCFNLambdaExecutionRole:
Description: The ARN of the CloudWatch role for subscription filter Description: Lambda execution role for cleaning up cloud formations
Value: !GetAtt 'CloudWatchIAMRole.Arn' Value: !GetAtt 'DeleteCFNLambdaExecutionRole.Arn'
Export: Export:
Name: !Sub ${'${EnvironmentName}'}:CloudWatchIAMRole Name: !Sub ${'${EnvironmentName}'}:DeleteCFNLambdaExecutionRole
VpcId:
Description: The ID of the VPC that this stack is deployed in CloudWatchIAMRole:
Value: !Ref 'VPC' Description: The ARN of the CloudWatch role for subscription filter
Export: Value: !GetAtt 'CloudWatchIAMRole.Arn'
Name: !Sub ${'${EnvironmentName}'}:VpcId Export:
PublicSubnetOne: Name: !Sub ${'${EnvironmentName}'}:CloudWatchIAMRole
Description: Public subnet one VpcId:
Value: !Ref 'PublicSubnetOne' Description: The ID of the VPC that this stack is deployed in
Export: Value: !Ref 'VPC'
Name: !Sub ${'${EnvironmentName}'}:PublicSubnetOne Export:
PublicSubnetTwo: Name: !Sub ${'${EnvironmentName}'}:VpcId
Description: Public subnet two PublicSubnetOne:
Value: !Ref 'PublicSubnetTwo' Description: Public subnet one
Export: Value: !Ref 'PublicSubnetOne'
Name: !Sub ${'${EnvironmentName}'}:PublicSubnetTwo Export:
ContainerSecurityGroup: Name: !Sub ${'${EnvironmentName}'}:PublicSubnetOne
Description: A security group used to allow Fargate containers to receive traffic PublicSubnetTwo:
Value: !Ref 'ContainerSecurityGroup' Description: Public subnet two
Export: Value: !Ref 'PublicSubnetTwo'
Name: !Sub ${'${EnvironmentName}'}:ContainerSecurityGroup Export:
Name: !Sub ${'${EnvironmentName}'}:PublicSubnetTwo
ContainerSecurityGroup:
Description: A security group used to allow Fargate containers to receive traffic
Value: !Ref 'ContainerSecurityGroup'
Export:
Name: !Sub ${'${EnvironmentName}'}:ContainerSecurityGroup
`; `;
} }
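Review bot: The `EfsFileStorage` resource on the new side (just under the `#####EFS#####` marker) is created with `Encrypted: false` while its `FileSystemPolicy` grants `elasticfilesystem:ClientRootAccess` to `Principal: AWS: '*'`, so anything that can reach a mount target gets unencrypted root access to the shared volume, and the only thing narrowing that today is the `EFSServerSecurityGroup` ingress from `ContainerSecurityGroup`. Switching to `Encrypted: true` and scoping the `Principal` to the task role the service runs under would close it; the latter also means the task definition in the sibling file needs a `TaskRoleArn` by default and an `AuthorizationConfig` with `IAM: ENABLED` on its `EFSVolumeConfiguration`, or alternatively a `Condition` on `elasticfilesystem:AccessedViaMountTarget` if anonymous mounts must stay. Separately, `ContainerSecurityGroup`'s egress rule pairs `IpProtocol: -1` with `FromPort: 2049`/`ToPort: 2049`; with protocol -1 the port range is ignored, so this is unrestricted egress to `0.0.0.0/0`, and if NFS-only was intended the first line should read `- IpProtocol: tcp`. The diff itself looks like an indentation reflow of the template string (the old side starts with a leading space after the backtick), so these are carried over rather than introduced here, but this commit bakes them into the published action.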


@ -1,160 +1,158 @@
export class TaskDefinitionFormation { export class TaskDefinitionFormation {
public static readonly formation: string = ` AWSTemplateFormatVersion: 2010-09-09 public static readonly formation: string = `AWSTemplateFormatVersion: 2010-09-09
Description: >- Description: >-
AWS Fargate cluster that can span public and private subnets. Supports public AWS Fargate cluster that can span public and private subnets. Supports public
facing load balancers, private internal load balancers, and both internal and facing load balancers, private internal load balancers, and both internal and
external service discovery namespaces. external service discovery namespaces.
Parameters: Parameters:
EnvironmentName: EnvironmentName:
Type: String Type: String
Default: development Default: development
Description: 'Your deployment environment: DEV, QA , PROD' Description: 'Your deployment environment: DEV, QA , PROD'
ServiceName: ServiceName:
Type: String Type: String
Default: example Default: example
Description: A name for the service Description: A name for the service
ImageUrl: ImageUrl:
Type: String Type: String
Default: nginx Default: nginx
Description: >- Description: >-
The url of a docker image that contains the application process that will The url of a docker image that contains the application process that will
handle the traffic for this service handle the traffic for this service
ContainerPort: ContainerPort:
Type: Number Type: Number
Default: 80 Default: 80
Description: What port number the application inside the docker container is binding to Description: What port number the application inside the docker container is binding to
ContainerCpu: ContainerCpu:
Type: Number Type: Number
Default: 1024 Default: 1024
Description: How much CPU to give the container. 1024 is 1 CPU Description: How much CPU to give the container. 1024 is 1 CPU
ContainerMemory: ContainerMemory:
Type: Number Type: Number
Default: 2048 Default: 2048
Description: How much memory in megabytes to give the container Description: How much memory in megabytes to give the container
BUILDGUID: BUILDGUID:
Type: String Type: String
Default: '' Default: ''
Command: Command:
Type: String Type: String
Default: 'ls' Default: 'ls'
EntryPoint: EntryPoint:
Type: String Type: String
Default: '/bin/sh' Default: '/bin/sh'
WorkingDirectory: WorkingDirectory:
Type: String Type: String
Default: '/efsdata/' Default: '/efsdata/'
Role: Role:
Type: String Type: String
Default: '' Default: ''
Description: >- Description: >-
(Optional) An IAM role to give the service's containers if the code within (Optional) An IAM role to give the service's containers if the code within
needs to access other AWS resources like S3 buckets, DynamoDB tables, etc needs to access other AWS resources like S3 buckets, DynamoDB tables, etc
EFSMountDirectory: EFSMountDirectory:
Type: String Type: String
Default: '/efsdata' Default: '/efsdata'
# template secrets p1 - input # template secrets p1 - input
Mappings: Mappings:
SubnetConfig: SubnetConfig:
VPC: VPC:
CIDR: 10.0.0.0/16 CIDR: 10.0.0.0/16
PublicOne: PublicOne:
CIDR: 10.0.0.0/24 CIDR: 10.0.0.0/24
PublicTwo: PublicTwo:
CIDR: 10.0.1.0/24 CIDR: 10.0.1.0/24
Conditions: Conditions:
HasCustomRole: !Not HasCustomRole: !Not
- !Equals - !Equals
- Ref: Role - Ref: Role
- '' - ''
Resources: Resources:
LogGroup: LogGroup:
Type: 'AWS::Logs::LogGroup' Type: 'AWS::Logs::LogGroup'
Properties: Properties:
LogGroupName: !Ref ServiceName LogGroupName: !Ref ServiceName
Metadata: Metadata:
'AWS::CloudFormation::Designer': 'AWS::CloudFormation::Designer':
id: aece53ae-b82d-4267-bc16-ed964b05db27 id: aece53ae-b82d-4267-bc16-ed964b05db27
SubscriptionFilter: SubscriptionFilter:
Type: 'AWS::Logs::SubscriptionFilter' Type: 'AWS::Logs::SubscriptionFilter'
Properties: Properties:
FilterPattern: '' FilterPattern: ''
RoleArn: RoleArn:
'Fn::ImportValue': !Sub '${'${EnvironmentName}'}:CloudWatchIAMRole' 'Fn::ImportValue': !Sub '${'${EnvironmentName}'}:CloudWatchIAMRole'
LogGroupName: !Ref ServiceName LogGroupName: !Ref ServiceName
DestinationArn: DestinationArn:
'Fn::GetAtt': 'Fn::GetAtt':
- KinesisStream - KinesisStream
- Arn - Arn
Metadata: Metadata:
'AWS::CloudFormation::Designer': 'AWS::CloudFormation::Designer':
id: 7f809e91-9e5d-4678-98c1-c5085956c480 id: 7f809e91-9e5d-4678-98c1-c5085956c480
DependsOn: DependsOn:
- LogGroup - LogGroup
- KinesisStream - KinesisStream
KinesisStream: KinesisStream:
Type: 'AWS::Kinesis::Stream' Type: 'AWS::Kinesis::Stream'
Properties: Properties:
Name: !Ref ServiceName Name: !Ref ServiceName
ShardCount: 1 ShardCount: 1
Metadata: Metadata:
'AWS::CloudFormation::Designer': 'AWS::CloudFormation::Designer':
id: c6f18447-b879-4696-8873-f981b2cedd2b id: c6f18447-b879-4696-8873-f981b2cedd2b
# template secrets p2 - secret
# template secrets p2 - secret TaskDefinition:
Type: 'AWS::ECS::TaskDefinition'
TaskDefinition: Properties:
Type: 'AWS::ECS::TaskDefinition' Family: !Ref ServiceName
Properties: Cpu: !Ref ContainerCpu
Family: !Ref ServiceName Memory: !Ref ContainerMemory
Cpu: !Ref ContainerCpu NetworkMode: awsvpc
Memory: !Ref ContainerMemory Volumes:
NetworkMode: awsvpc - Name: efs-data
Volumes: EFSVolumeConfiguration:
- Name: efs-data FilesystemId:
EFSVolumeConfiguration: 'Fn::ImportValue': !Sub '${'${EnvironmentName}'}:EfsFileStorageId'
FilesystemId: TransitEncryption: ENABLED
'Fn::ImportValue': !Sub '${'${EnvironmentName}'}:EfsFileStorageId' RequiresCompatibilities:
TransitEncryption: ENABLED - FARGATE
RequiresCompatibilities: ExecutionRoleArn:
- FARGATE 'Fn::ImportValue': !Sub '${'${EnvironmentName}'}:ECSTaskExecutionRole'
ExecutionRoleArn: TaskRoleArn:
'Fn::ImportValue': !Sub '${'${EnvironmentName}'}:ECSTaskExecutionRole' 'Fn::If':
TaskRoleArn: - HasCustomRole
'Fn::If': - !Ref Role
- HasCustomRole - !Ref 'AWS::NoValue'
- !Ref Role ContainerDefinitions:
- !Ref 'AWS::NoValue' - Name: !Ref ServiceName
ContainerDefinitions: Cpu: !Ref ContainerCpu
- Name: !Ref ServiceName Memory: !Ref ContainerMemory
Cpu: !Ref ContainerCpu Image: !Ref ImageUrl
Memory: !Ref ContainerMemory EntryPoint:
Image: !Ref ImageUrl Fn::Split:
EntryPoint: - ','
Fn::Split: - !Ref EntryPoint
- ',' Command:
- !Ref EntryPoint Fn::Split:
Command: - ','
Fn::Split: - !Ref Command
- ',' WorkingDirectory: !Ref WorkingDirectory
- !Ref Command Environment:
WorkingDirectory: !Ref WorkingDirectory - Name: ALLOW_EMPTY_PASSWORD
Environment: Value: 'yes'
- Name: ALLOW_EMPTY_PASSWORD # template - env vars
Value: 'yes' MountPoints:
# template - env vars - SourceVolume: efs-data
MountPoints: ContainerPath: !Ref EFSMountDirectory
- SourceVolume: efs-data ReadOnly: false
ContainerPath: !Ref EFSMountDirectory Secrets:
ReadOnly: false # template secrets p3 - container def
Secrets: LogConfiguration:
# template secrets p3 - container def LogDriver: awslogs
LogConfiguration: Options:
LogDriver: awslogs awslogs-group: !Ref ServiceName
Options: awslogs-region: !Ref 'AWS::Region'
awslogs-group: !Ref ServiceName awslogs-stream-prefix: !Ref ServiceName
awslogs-region: !Ref 'AWS::Region' DependsOn:
awslogs-stream-prefix: !Ref ServiceName - LogGroup
DependsOn:
- LogGroup
`; `;
} }
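Review bot: The container definition hard-codes `ALLOW_EMPTY_PASSWORD` with `Value: 'yes'` in `Environment`; for images that honor that variable it disables authentication on the service inside the container, and because the value is baked into the template every task launched from this formation inherits it regardless of `EnvironmentName`. It should at least become a template parameter defaulting to `'no'` so that non-development deployments do not get it silently, or be dropped if no image in use needs it. Two smaller points: `KinesisStream` is created with only `Name` and `ShardCount`, so the log records forwarded by `SubscriptionFilter` sit unencrypted at rest (a `StreamEncryption` block with `EncryptionType: KMS` fixes that), and `LogGroup` has no `RetentionInDays`, so task logs are kept indefinitely. The hunk appears to only remove two blank lines before `TaskDefinition` and the leading space after the opening backtick, so these are pre-existing rather than introduced by this commit.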