AWSTemplateFormatVersion: '2010-09-09' Description: Creates ECS cluster and associated resources. No EC2 instances are created as the cluster is intended to be used with Fargate. Parameters: EnvironmentName: Type: String Description: "A friendly environment name that will be used for namespacing all cluster resources. Example: staging, qa, or production" ClusterLogGroupRetentionInDays: Type: Number Default: 7 Resources: # ECS Resources ECSCluster: Type: AWS::ECS::Cluster Properties: ClusterName: !Ref EnvironmentName # A security group for the containers we will run in ECS. Allows all traffic within the VPC CIDR range. ContainerSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Access to the ECS hosts that run containers VpcId: Fn::ImportValue: !Sub "${EnvironmentName}:VpcId" SecurityGroupIngress: - CidrIp: Fn::ImportValue: !Sub "${EnvironmentName}:VpcCIDR" IpProtocol: -1 TaskExecutionRole: Type: AWS::IAM::Role Properties: Path: / AssumeRolePolicyDocument: | { "Statement": [{ "Effect": "Allow", "Principal": { "Service": [ "ecs-tasks.amazonaws.com" ]}, "Action": [ "sts:AssumeRole" ] }] } ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess DefaultTaskIamRole: Type: AWS::IAM::Role Properties: Path: / AssumeRolePolicyDocument: | { "Statement": [{ "Effect": "Allow", "Principal": { "Service": [ "ecs-tasks.amazonaws.com" ]}, "Action": [ "sts:AssumeRole" ] }] } ManagedPolicyArns: - arn:aws:iam::aws:policy/CloudWatchFullAccess - arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess - arn:aws:iam::aws:policy/AWSAppMeshPreviewEnvoyAccess - arn:aws:iam::aws:policy/AWSAppMeshEnvoyAccess ### Service discovery namespace ServiceDiscoveryNamespace: Type: AWS::ServiceDiscovery::PrivateDnsNamespace Properties: Name: !Sub ${EnvironmentName}.local Vpc: Fn::ImportValue: !Sub "${EnvironmentName}:VpcId" ### Log group for the cluster ClusterLogGroup: Type: 'AWS::Logs::LogGroup' Properties: LogGroupName: !Sub "${EnvironmentName}-cluster" RetentionInDays: !Ref ClusterLogGroupRetentionInDays # These are the values output by the CloudFormation template. Be careful # about changing any of them, because of them are exported with specific # names so that the other task related CF templates can use them. Outputs: ClusterName: Description: The name of the ECS cluster Value: !Ref 'ECSCluster' Export: Name: !Sub ${EnvironmentName}:ClusterName ContainerSecurityGroup: Description: A security group used to allow containers to receive traffic Value: !Ref ContainerSecurityGroup Export: Name: !Sub ${EnvironmentName}:ContainerSecurityGroup TaskExecutionRoleArn: Description: ECS Task Execution role Value: !GetAtt TaskExecutionRole.Arn Export: Name: !Sub ${EnvironmentName}:TaskExecutionRoleArn DefaultTaskIamRoleArn: Description: ECS Task role Value: !GetAtt DefaultTaskIamRole.Arn Export: Name: !Sub ${EnvironmentName}:DefaultTaskIamRoleArn ServiceDiscoveryNamespaceId: Description: Namespace for service discovery Value: !Ref ServiceDiscoveryNamespace Export: Name: !Sub ${EnvironmentName}:ServiceDiscoveryNamespaceId ServiceDiscoveryNamespaceArn: Description: Namespace for service discovery Value: !GetAtt ServiceDiscoveryNamespace.Arn Export: Name: !Sub ${EnvironmentName}:ServiceDiscoveryNamespaceArn ServiceDiscoveryNamespaceName: Description: Namespace for service discovery Value: !Sub ${EnvironmentName}.local Export: Name: !Sub ${EnvironmentName}:ServiceDiscoveryNamespaceName ClusterLogGroup: Description: Log group for cluster Value: !Ref ClusterLogGroup Export: Name: !Sub ${EnvironmentName}:ClusterLogGroup