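---
# ECS service and task definition for a Shibboleth IdP container. The
# LaunchType parameter selects Fargate or EC2; the two Service resources are
# mutually exclusive via the Fargate/EC2 conditions. The container reads its
# sealer key from Secrets Manager using a task role scoped to that one secret.
AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  # Suffix used in the task family, log group name and log stream prefix.
  Name:
    Type: String
  # Existing ECS cluster the service is placed in.
  Cluster:
    Type: String
  # Number of tasks to run; defaults to 0 so the stack can be created before
  # the image is available.
  DesiredCount:
    Type: Number
    Default: 0
  LaunchType:
    Type: String
    Default: Fargate
    AllowedValues:
      - Fargate
      - EC2
  # ARN of the load balancer target group the container is registered with.
  TargetGroup:
    Type: String
  # Security group attached to the Fargate tasks (awsvpc networking).
  SourceSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id
  # Typed list: CloudFormation validates every entry as an existing subnet ID.
  # (A bare "List" is not a valid parameter type and fails template
  # validation.)
  Subnets:
    Type: List<AWS::EC2::Subnet::Id>
  ContainerImageURI:
    Type: String
  # ARN of the Secrets Manager secret holding the IdP sealer key.
  SealerKeyArn:
    Type: String

Conditions:
  Fargate: !Equals [!Ref LaunchType, "Fargate"]
  EC2: !Equals [!Ref LaunchType, "EC2"]

Resources:
  # Service-linked role that lets ECS manage cluster resources. It is created
  # once per account; if it already exists outside this stack, creation of
  # this resource fails and the resource should be removed from the template.
  EcsServiceLinkedRole:
    Type: AWS::IAM::ServiceLinkedRole
    Properties:
      AWSServiceName: ecs.amazonaws.com
      Description: "Role to enable Amazon ECS to manage your cluster."

  # Role assumed by the running container. Read access is limited to the
  # single secret named by SealerKeyArn (least privilege); no other
  # permissions are granted.
  TaskRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: GetSealerKeySecret
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - secretsmanager:GetResourcePolicy
                  - secretsmanager:GetSecretValue
                  - secretsmanager:DescribeSecret
                  - secretsmanager:ListSecretVersionIds
                Resource: !Ref SealerKeyArn

  # Role used by the ECS agent (not the container) to pull the image and
  # ship logs; the AWS managed policy covers ECR pull and CloudWatch Logs
  # writes. Keep this separate from TaskRole so the container itself never
  # holds registry or logging permissions.
  TaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

  # No RetentionInDays is set, so log events are kept indefinitely; add one
  # if the IdP logs must expire under a retention policy.
  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub /ecs/${Name}

  # Fargate variant of the service. Tasks get no public IP and are reachable
  # only through the target group and SourceSecurityGroup.
  FargateService:
    Type: AWS::ECS::Service
    Condition: Fargate
    # The service-linked role must exist before ECS can create the service
    # when both are created in the same stack.
    DependsOn: EcsServiceLinkedRole
    Properties:
      Cluster: !Ref Cluster
      DesiredCount: !Ref DesiredCount
      # Grace period before load-balancer health checks count against the
      # task; the IdP JVM takes time to start.
      HealthCheckGracePeriodSeconds: 120
      TaskDefinition: !Ref TaskDefinition
      LaunchType: FARGATE
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: DISABLED
          SecurityGroups:
            - !Ref SourceSecurityGroup
          Subnets: !Ref Subnets
      LoadBalancers:
        - ContainerName: shibboleth-idp
          ContainerPort: 443
          TargetGroupArn: !Ref TargetGroup

  # EC2 variant of the service. Bridge networking (see TaskDefinition) means
  # the container instance's security group, not SourceSecurityGroup, governs
  # access here.
  EC2Service:
    Type: AWS::ECS::Service
    Condition: EC2
    DependsOn: EcsServiceLinkedRole
    Properties:
      Cluster: !Ref Cluster
      DesiredCount: !Ref DesiredCount
      HealthCheckGracePeriodSeconds: 120
      TaskDefinition: !Ref TaskDefinition
      LaunchType: EC2
      LoadBalancers:
        - ContainerName: shibboleth-idp
          ContainerPort: 443
          TargetGroupArn: !Ref TargetGroup

  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: !Sub shibboleth-idp-${Name}
      RequiresCompatibilities:
        - !If [Fargate, "FARGATE", "EC2"]
      # Task-level memory (MiB). The EC2 figure is slightly below 4 GiB to
      # leave headroom for the ECS agent on the container instance; Fargate
      # requires one of its fixed CPU/memory pairings.
      Memory: !If [Fargate, 4096, 3884]
      Cpu: 2048
      # Fargate requires awsvpc; EC2 uses bridge networking with port 443
      # mapped dynamically on the host.
      NetworkMode: !If [Fargate, "awsvpc", "bridge"]
      TaskRoleArn: !Ref TaskRole
      ExecutionRoleArn: !Ref TaskExecutionRole
      ContainerDefinitions:
        - Name: shibboleth-idp
          Image: !Ref ContainerImageURI
          # Only the secret's identifier is passed in; the container fetches
          # the value at runtime with TaskRole, so the key never appears in
          # the task definition.
          Environment:
            - Name: SEALER_KEY_SECRET_ID
              Value: !Ref SealerKeyArn
          Essential: true
          # Container hard limit; matches the task-level figure above.
          Memory: !If [Fargate, 4096, 3884]
          PortMappings:
            - ContainerPort: 443
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-region: !Ref AWS::Region
              awslogs-group: !Ref LogGroup
              awslogs-stream-prefix: !Ref Name

Outputs:
  # ARN of whichever service variant was created for the selected LaunchType.
  Service:
    Value: !If [Fargate, !Ref FargateService, !Ref EC2Service]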