# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 AWSTemplateFormatVersion: '2010-09-09' Description: Creates environment comprising VPC with 2 AZs, with a private and public subnet in each, and including NAT Gateways in each AZ. Parameters: EnvironmentName: Type: String Description: "A friendly environment name that will be used for namespacing all cluster resources. Example: staging, qa, or production" KeyspaceName: Type: String Description: "Name to use for Keyspace" ClusterLogGroupRetentionInDays: Type: Number Default: 7 Mappings: # Hard values for the subnet masks. These masks define # the range of internal IP addresses that can be assigned. # The VPC can have all IP's from 10.0.0.0 to 10.0.255.255 # There are four subnets which cover the ranges: # # 10.0.0.0 - 10.0.0.255 # 10.0.1.0 - 10.0.1.255 # 10.0.2.0 - 10.0.2.255 # 10.0.3.0 - 10.0.3.255 # # If you need more IP addresses (perhaps you have so many # instances that you run out) then you can customize these # ranges to add more SubnetConfig: VPC: CIDR: '10.0.0.0/16' PublicOne: CIDR: '10.0.0.0/24' PublicTwo: CIDR: '10.0.1.0/24' PrivateOne: CIDR: '10.0.100.0/24' PrivateTwo: CIDR: '10.0.101.0/24' Resources: # VPC in which containers will be networked. # It has two public subnets, and two private subnets. # We distribute the subnets across the first two available subnets # for the region, for high availability. VPC: Type: AWS::EC2::VPC Properties: EnableDnsSupport: true EnableDnsHostnames: true CidrBlock: !FindInMap ['SubnetConfig', 'VPC', 'CIDR'] Tags: - Key: Name Value: !Ref EnvironmentName # Two public subnets, where containers can have public IP addresses PublicSubnetOne: Type: AWS::EC2::Subnet Properties: AvailabilityZone: !Select - 0 - Fn::GetAZs: !Ref 'AWS::Region' VpcId: !Ref 'VPC' CidrBlock: !FindInMap ['SubnetConfig', 'PublicOne', 'CIDR'] MapPublicIpOnLaunch: true PublicSubnetTwo: Type: AWS::EC2::Subnet Properties: AvailabilityZone: !Select - 1 - Fn::GetAZs: !Ref 'AWS::Region' VpcId: !Ref 'VPC' CidrBlock: !FindInMap ['SubnetConfig', 'PublicTwo', 'CIDR'] MapPublicIpOnLaunch: true # Two private subnets where containers will only have private # IP addresses, and will only be reachable by other members of the # VPC PrivateSubnetOne: Type: AWS::EC2::Subnet Properties: AvailabilityZone: !Select - 0 - Fn::GetAZs: !Ref 'AWS::Region' VpcId: !Ref 'VPC' CidrBlock: !FindInMap ['SubnetConfig', 'PrivateOne', 'CIDR'] PrivateSubnetTwo: Type: AWS::EC2::Subnet Properties: AvailabilityZone: !Select - 1 - Fn::GetAZs: !Ref 'AWS::Region' VpcId: !Ref 'VPC' CidrBlock: !FindInMap ['SubnetConfig', 'PrivateTwo', 'CIDR'] # Setup networking resources for the public subnets. Containers # in the public subnets have public IP addresses and the routing table # sends network traffic via the internet gateway. InternetGateway: Type: AWS::EC2::InternetGateway GatewayAttachment: Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: !Ref 'VPC' InternetGatewayId: !Ref 'InternetGateway' PublicRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref 'VPC' PublicRoute: Type: AWS::EC2::Route DependsOn: GatewayAttachment Properties: RouteTableId: !Ref 'PublicRouteTable' DestinationCidrBlock: '0.0.0.0/0' GatewayId: !Ref 'InternetGateway' PublicSubnetOneRouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref PublicSubnetOne RouteTableId: !Ref PublicRouteTable PublicSubnetTwoRouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref PublicSubnetTwo RouteTableId: !Ref PublicRouteTable # Setup networking resources for the private subnets. Containers # in these subnets have only private IP addresses, and must use a NAT # gateway to talk to the internet. We launch two NAT gateways, one for # each private subnet. NatGatewayOneAttachment: Type: AWS::EC2::EIP DependsOn: GatewayAttachment Properties: Domain: vpc NatGatewayTwoAttachment: Type: AWS::EC2::EIP DependsOn: GatewayAttachment Properties: Domain: vpc NatGatewayOne: Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt NatGatewayOneAttachment.AllocationId SubnetId: !Ref PublicSubnetOne NatGatewayTwo: Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt NatGatewayTwoAttachment.AllocationId SubnetId: !Ref PublicSubnetTwo PrivateRouteTableOne: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref 'VPC' PrivateRouteOne: Type: AWS::EC2::Route Properties: RouteTableId: !Ref PrivateRouteTableOne DestinationCidrBlock: 0.0.0.0/0 NatGatewayId: !Ref NatGatewayOne PrivateRouteTableOneAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref PrivateRouteTableOne SubnetId: !Ref PrivateSubnetOne PrivateRouteTableTwo: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref 'VPC' PrivateRouteTwo: Type: AWS::EC2::Route Properties: RouteTableId: !Ref PrivateRouteTableTwo DestinationCidrBlock: 0.0.0.0/0 NatGatewayId: !Ref NatGatewayTwo PrivateRouteTableTwoAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref PrivateRouteTableTwo SubnetId: !Ref PrivateSubnetTwo # Create ECS cluster # ECS Resources ECSCluster: Type: AWS::ECS::Cluster Properties: ClusterName: !Ref EnvironmentName # A security group for the containers we will run in ECS. Allows all traffic within the VPC CIDR range. ContainerSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Access to the ECS hosts that run containers VpcId: !Ref VPC SecurityGroupIngress: - CidrIp: !GetAtt VPC.CidrBlock IpProtocol: -1 - SourceSecurityGroupId: !Ref PublicLoadBalancerSG IpProtocol: -1 TaskExecutionRole: Type: AWS::IAM::Role Properties: Path: / AssumeRolePolicyDocument: | { "Statement": [{ "Effect": "Allow", "Principal": { "Service": [ "ecs-tasks.amazonaws.com" ]}, "Action": [ "sts:AssumeRole" ] }] } ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess ### Log group for the cluster ClusterLogGroup: Type: 'AWS::Logs::LogGroup' Properties: LogGroupName: !Sub "${EnvironmentName}-cluster" RetentionInDays: !Ref ClusterLogGroupRetentionInDays # Public load balancer # Public load balancer, hosted in public subnets that is accessible # to the public, and is intended to route traffic to one or more public # facing services. This is used for accepting traffic from the public # internet and directing it to public facing microservices PublicLoadBalancerSG: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Access to the public facing load balancer VpcId: !Ref VPC SecurityGroupIngress: # Allow access to ALB from anywhere on the internet - CidrIp: 0.0.0.0/0 IpProtocol: -1 PublicLoadBalancer: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: Scheme: internet-facing Name: !Sub ${EnvironmentName}-ALB LoadBalancerAttributes: - Key: idle_timeout.timeout_seconds Value: '12' Subnets: # The load balancer is placed into the public subnets, so that traffic # from the internet can reach the load balancer directly via the internet gateway - !Ref PublicSubnetOne - !Ref PublicSubnetTwo SecurityGroups: [!Ref 'PublicLoadBalancerSG'] # A target group for the API server ServiceTargetGroup: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: Name: !Sub ${EnvironmentName}-TG TargetType: ip HealthCheckIntervalSeconds: 10 HealthCheckPath: /ping HealthCheckProtocol: HTTP HealthCheckTimeoutSeconds: 5 HealthyThresholdCount: 2 Matcher: HttpCode: '200-299' Port: 80 Protocol: HTTP UnhealthyThresholdCount: 10 VpcId: !Ref VPC TargetGroupAttributes: - Key: deregistration_delay.timeout_seconds Value: '5' - Key: slow_start.duration_seconds Value: '60' PublicLoadBalancerListener: Type: AWS::ElasticLoadBalancingV2::Listener DependsOn: - PublicLoadBalancer Properties: DefaultActions: - TargetGroupArn: !Ref ServiceTargetGroup Type: 'forward' LoadBalancerArn: !Ref PublicLoadBalancer Port: 80 Protocol: HTTP # Create Keyspace Keyspace: Type: AWS::Cassandra::Keyspace Properties: KeyspaceName: !Ref KeyspaceName # Private VPC endpoint for Keyspaces access KeyspacesVPCEndpoint: Type: AWS::EC2::VPCEndpoint Properties: ServiceName: !Sub 'com.amazonaws.${AWS::Region}.cassandra' PrivateDnsEnabled: True SecurityGroupIds: - !Ref ContainerSecurityGroup SubnetIds: - !Ref PrivateSubnetOne - !Ref PrivateSubnetTwo VpcEndpointType: Interface VpcId: !Ref VPC # Keyspaces client roles KeyspacesECSReadRole: Type: AWS::IAM::Role Properties: Path: / AssumeRolePolicyDocument: | { "Statement": [{ "Effect": "Allow", "Principal": { "Service": [ "ecs-tasks.amazonaws.com" ]}, "Action": [ "sts:AssumeRole" ] }] } Policies: - PolicyName: !Sub ${EnvironmentName}-Read PolicyDocument: Statement: - Effect: Allow Action: "cassandra:Select" Resource: - !Sub "arn:aws:cassandra:${AWS::Region}:${AWS::AccountId}:/keyspace/${KeyspaceName}/*" - !Sub "arn:aws:cassandra:${AWS::Region}:${AWS::AccountId}:/keyspace/system*" - Effect: Allow Action: - "ec2:DescribeNetworkInterfaces" - "ec2:DescribeVpcEndpoints" Resource: "*" ManagedPolicyArns: - arn:aws:iam::aws:policy/CloudWatchFullAccess KeyspacesECSWriteRole: Type: AWS::IAM::Role Properties: Path: / AssumeRolePolicyDocument: | { "Statement": [{ "Effect": "Allow", "Principal": { "Service": [ "ecs-tasks.amazonaws.com" ]}, "Action": [ "sts:AssumeRole" ] }] } Policies: - PolicyName: !Sub ${EnvironmentName}-Write PolicyDocument: Statement: - Effect: Allow Action: "cassandra:*" Resource: - !Sub "arn:aws:cassandra:${AWS::Region}:${AWS::AccountId}:/keyspace/${KeyspaceName}/*" - !Sub "arn:aws:cassandra:${AWS::Region}:${AWS::AccountId}:/keyspace/system*" - Effect: Allow Action: - "ec2:DescribeNetworkInterfaces" - "ec2:DescribeVpcEndpoints" Resource: "*" ManagedPolicyArns: - arn:aws:iam::aws:policy/CloudWatchFullAccess # These are the values output by the CloudFormation template. Be careful # about changing any of them, because of them are exported with specific # names so that the other task related CF templates can use them. Outputs: VpcId: Description: The ID of the VPC that this stack is deployed in Value: !Ref 'VPC' Export: Name: !Sub ${EnvironmentName}:VpcId VpcCIDR: Description: The CIDR of the VPC that this stack is deployed in Value: !FindInMap ['SubnetConfig', 'VPC', 'CIDR'] Export: Name: !Sub ${EnvironmentName}:VpcCIDR PublicSubnetOne: Description: Public subnet one Value: !Ref 'PublicSubnetOne' Export: Name: !Sub ${EnvironmentName}:PublicSubnetOne PublicSubnetTwo: Description: Public subnet two Value: !Ref 'PublicSubnetTwo' Export: Name: !Sub ${EnvironmentName}:PublicSubnetTwo PrivateSubnetOne: Description: Private subnet one Value: !Ref 'PrivateSubnetOne' Export: Name: !Sub ${EnvironmentName}:PrivateSubnetOne PrivateSubnetTwo: Description: Private subnet two Value: !Ref 'PrivateSubnetTwo' Export: Name: !Sub ${EnvironmentName}:PrivateSubnetTwo ClusterName: Description: The name of the ECS cluster Value: !Ref 'ECSCluster' Export: Name: !Sub ${EnvironmentName}:ClusterName ContainerSecurityGroup: Description: A security group used to allow containers to receive traffic Value: !Ref ContainerSecurityGroup Export: Name: !Sub ${EnvironmentName}:ContainerSecurityGroup TaskExecutionRoleArn: Description: ECS Task Execution role Value: !GetAtt TaskExecutionRole.Arn Export: Name: !Sub ${EnvironmentName}:TaskExecutionRoleArn KeyspacesECSWriteRoleArn: Value: !GetAtt KeyspacesECSWriteRole.Arn Export: Name: !Sub ${EnvironmentName}:KeyspacesECSWriteRoleArn KeyspacesECSReadRoleArn: Value: !GetAtt KeyspacesECSReadRole.Arn Export: Name: !Sub ${EnvironmentName}:KeyspacesECSReadRoleArn ClusterLogGroup: Description: Log group for cluster Value: !Ref ClusterLogGroup Export: Name: !Sub ${EnvironmentName}:ClusterLogGroup PublicListener: Description: The ARN of the public load balancer's Listener Value: !Ref PublicLoadBalancerListener Export: Name: !Sub ${EnvironmentName}:PublicListener ServiceTargetGroup: Description: The ARN of the target group for the service Value: !Ref ServiceTargetGroup Export: Name: !Sub ${EnvironmentName}:ServiceTargetGroup ExternalUrl: Description: The url of the external load balancer Value: !Sub http://${PublicLoadBalancer.DNSName} Export: Name: !Sub ${EnvironmentName}:ExternalUrl