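---
# Demo Fargate stack: an ECS cluster, a one-container task definition, the two
# IAM roles ECS needs, a deliberately open security group, the service and a
# log group.
#
# Date-looking scalars (AWSTemplateFormatVersion, IAM policy Version) are
# quoted: CloudFormation reads them as strings either way, but generic YAML
# 1.1 tooling (PyYAML, yamllint, `aws cloudformation package` round-trips)
# turns an unquoted 2012-10-17 into a timestamp and breaks the policy.
AWSTemplateFormatVersion: "2010-09-09"
Description: An example CloudFormation template for Fargate.

Parameters:
  VPC:
    Type: AWS::EC2::VPC::Id
  SubnetA:
    Type: AWS::EC2::Subnet::Id
  SubnetB:
    Type: AWS::EC2::Subnet::Id

Resources:
  FalcoDemoCluster:
    Type: AWS::ECS::Cluster

  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    # Makes sure the log group is created before it is used (the !Ref in
    # LogConfiguration below already implies this; DependsOn makes it explicit).
    DependsOn: LogGroup
    Properties:
      # awsvpc is required for Fargate
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      # Valid Fargate CPU/memory pairs:
      #   256 (.25 vCPU)  - memory: 0.5GB, 1GB, 2GB
      #   512 (.5 vCPU)   - memory: 1GB, 2GB, 3GB, 4GB
      #   1024 (1 vCPU)   - memory: 2GB, 3GB, 4GB, 5GB, 6GB, 7GB, 8GB
      #   2048 (2 vCPU)   - memory: between 4GB and 16GB in 1GB increments
      #   4096 (4 vCPU)   - memory: between 8GB and 30GB in 1GB increments
      Cpu: 512
      # Memory must be one of the values allowed for the Cpu chosen above:
      #   0.5GB, 1GB, 2GB                         - cpu: 256 (.25 vCPU)
      #   1GB, 2GB, 3GB, 4GB                      - cpu: 512 (.5 vCPU)
      #   2GB, 3GB, 4GB, 5GB, 6GB, 7GB, 8GB       - cpu: 1024 (1 vCPU)
      #   between 4GB and 16GB in 1GB increments  - cpu: 2048 (2 vCPU)
      #   between 8GB and 30GB in 1GB increments  - cpu: 4096 (4 vCPU)
      Memory: 1GB
      # A role needed by ECS itself (image pull, log delivery).
      # "The ARN of the task execution role that containers in this task can
      # assume. All containers in this task are granted the permissions that
      # are specified in this role."
      # "There is an optional task execution IAM role that you can specify
      # with Fargate to allow your Fargate tasks to make API calls to Amazon
      # ECR."
      ExecutionRoleArn: !Ref ExecutionRole
      # "The Amazon Resource Name (ARN) of an AWS Identity and Access
      # Management (IAM) role that grants containers in the task permission to
      # call AWS APIs on your behalf." This is what the application code runs
      # as, so it is the role whose scope matters most.
      TaskRoleArn: !Ref TaskRole
      ContainerDefinitions:
        - Name: InstrumentedImage
          # Ref is not handled yet :(
          # NOTE(review): ":latest" is a floating tag, so the image content
          # can change between deploys; pin a digest (image@sha256:...) when
          # this stops being a demo.
          Image: "sysdiglabs/writer-to-bin:latest"
          # We override EntryPoint during rewrite so we MUST be explicit in the
          # template.
          EntryPoint: []
          Command: ["/usr/bin/demo-writer-c", "/usr/bin/oh-no-i-wrote-in-bin"]
          # Send application logs to CloudWatch Logs. The log stream is
          # written by the ECS agent under ExecutionRole, not TaskRole.
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-region: !Ref AWS::Region
              awslogs-group: !Ref LogGroup
              awslogs-stream-prefix: ecs

  # A role needed by ECS: the agent assumes it to pull the image and push
  # logs (AmazonECSTaskExecutionRolePolicy grants exactly those ECR/logs
  # actions).
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy'

  # A role for the containers: anything running inside the task can use these
  # permissions, so keep it as narrow as the demo allows.
  TaskRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Wildcard CloudWatch (metrics) access on every resource. Note
              # that log-group creation is a "logs:" action and is granted by
              # the statement below, not by this one; scope this down to the
              # specific cloudwatch: actions the instrumentation needs before
              # any non-demo use.
              - Effect: Allow
                Action: "cloudwatch:*"
                Resource: "*"
              # Permissions given in the default IAM role for ECS tasks
              # (AmazonECSTaskExecutionRolePolicy). Image pulls and log
              # delivery are performed under ExecutionRole above, so the
              # application itself presumably only needs the logs:* entries
              # here — confirm and drop the ecr:* ones if unused.
              - Effect: Allow
                Action:
                  - "ecr:GetAuthorizationToken"
                  - "ecr:BatchCheckLayerAvailability"
                  - "ecr:GetDownloadUrlForLayer"
                  - "ecr:BatchGetImage"
                  - "logs:CreateLogGroup"
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                Resource: "*"

  ContainerSecurityGroup:
    # aka no security group: every TCP port is reachable from the whole
    # internet, and the service below also gives the task a public IP.
    # TEST ONLY — restrict CidrIp and the port range before reusing this
    # outside a throwaway demo.
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: TEST ONLY
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0

  Service:
    Type: AWS::ECS::Service
    Properties:
      ServiceName: SDSDemoSvc
      Cluster: !Ref FalcoDemoCluster
      TaskDefinition: !Ref TaskDefinition
      DeploymentConfiguration:
        MinimumHealthyPercent: 100
        MaximumPercent: 200
      DesiredCount: 1
      LaunchType: FARGATE
      # This is required otherwise we do not get SYS_PTRACE :(
      # Quoted so that no tool ever reads the platform version as a number.
      PlatformVersion: "1.4.0"
      NetworkConfiguration:
        AwsvpcConfiguration:
          # Presumably needed so the task can reach Docker Hub without a NAT
          # gateway; together with ContainerSecurityGroup this exposes the
          # task directly to the internet.
          AssignPublicIp: ENABLED
          Subnets:
            - !Ref SubnetA
            - !Ref SubnetB
          SecurityGroups:
            - !Ref ContainerSecurityGroup

  # No LogGroupName, so CloudFormation generates one and !Ref LogGroup above
  # resolves to it. No RetentionInDays either, so log events are kept
  # indefinitely — set a retention period if the stack outlives the demo.
  LogGroup:
    Type: AWS::Logs::LogGroup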