AWSTemplateFormatVersion: '2010-09-09'
Description: Deploy a scheduled Fargate task that will be initiated off of EventBridge Events.
Mappings:
TaskSize:
x-small:
cpu: 256
memory: 512
small:
cpu: 512
memory: 1024
medium:
cpu: 1024
memory: 2048
large:
cpu: 2048
memory: 4096
x-large:
cpu: 4096
memory: 8192
Resources:
ScheduledEventRule:
Type: 'AWS::Events::Rule'
Properties:
ScheduleExpression: '{{service_instance.inputs.schedule_expression}}'
State: ENABLED
Targets:
- Arn: '{{environment.outputs.ClusterArn}}'
EcsParameters:
LaunchType: FARGATE
NetworkConfiguration:
AwsVpcConfiguration:
{% if service_instance.inputs.subnet_type == 'private' %}
AssignPublicIp: DISABLED
{% else %}
AssignPublicIp: ENABLED
{% endif %}
SecurityGroups:
- !GetAtt
- ScheduledTaskDefSecurityGroup
- GroupId
Subnets:
{% if service_instance.inputs.subnet_type == 'private' %}
- '{{environment.outputs.PrivateSubnet1}}'
- '{{environment.outputs.PrivateSubnet2}}'
{% else %}
- '{{environment.outputs.PublicSubnet1}}'
- '{{environment.outputs.PublicSubnet2}}'
{% endif %}
TaskCount: '{{service_instance.inputs.desired_count}}'
TaskDefinitionArn: !Ref ScheduledTaskDef
Id: Target0
Input: '{}'
RoleArn: !GetAtt
- ScheduledTaskDefEventsRole
- Arn
ScheduledTaskDefTaskRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: 'sts:AssumeRole'
Effect: Allow
Principal:
Service: ecs-tasks.amazonaws.com
Version: 2012-10-17
Policies:
- PolicyName: 'Publish2SNS'
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: 'Allow'
Action: 'sns:Publish'
Resource: '{{environment.outputs.SNSTopicArn}}'
ScheduledTaskDef:
Type: 'AWS::ECS::TaskDefinition'
Properties:
ContainerDefinitions:
- Essential: true
Image: '{{service_instance.inputs.image}}'
LogConfiguration:
LogDriver: awslogs
Options:
awslogs-group: !Ref ScheduledTaskDefLogGroup
awslogs-stream-prefix: '{{service.name}}/{{service_instance.name}}'
awslogs-region: !Ref 'AWS::Region'
Name: '{{service_instance.name}}'
Environment:
- Name: SNS_TOPIC_ARN
Value: '{"ping":"{{environment.outputs.SNSTopicArn}}"}'
- Name: SNS_REGION
Value: "{{environment.outputs.SNSRegion}}"
Cpu: !FindInMap [TaskSize, {{service_instance.inputs.task_size}}, cpu]
ExecutionRoleArn: '{{environment.outputs.ServiceTaskDefExecutionRoleArn}}'
Family: '{{service.name}}_{{service_instance.name}}'
Memory: !FindInMap [TaskSize, {{service_instance.inputs.task_size}}, memory]
NetworkMode: awsvpc
RequiresCompatibilities:
- FARGATE
TaskRoleArn: !GetAtt
- ScheduledTaskDefTaskRole
- Arn
ScheduledTaskDefLogGroup:
Type: 'AWS::Logs::LogGroup'
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
ScheduledTaskDefEventsRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: 'sts:AssumeRole'
Effect: Allow
Principal:
Service: events.amazonaws.com
Version: 2012-10-17
ScheduledTaskDefEventsRoleDefaultPolicy:
Type: 'AWS::IAM::Policy'
Properties:
PolicyDocument:
Statement:
- Action: 'ecs:RunTask'
Condition:
ArnEquals:
'ecs:cluster': '{{environment.outputs.ClusterArn}}'
Effect: Allow
Resource: !Ref ScheduledTaskDef
- Action: 'iam:PassRole'
Effect: Allow
Resource: '{{environment.outputs.ServiceTaskDefExecutionRoleArn}}'
- Action: 'iam:PassRole'
Effect: Allow
Resource: !GetAtt
- ScheduledTaskDefTaskRole
- Arn
Version: 2012-10-17
PolicyName: ScheduledTaskDefEventsRoleDefaultPolicy
Roles:
- !Ref ScheduledTaskDefEventsRole
ScheduledTaskDefSecurityGroup:
Type: 'AWS::EC2::SecurityGroup'
Properties:
GroupDescription: Automatically created Security Group for the Task
SecurityGroupEgress:
- CidrIp: 0.0.0.0/0
Description: Allow all outbound traffic by default
IpProtocol: '-1'
VpcId: '{{environment.outputs.VPC}}'