AWSTemplateFormatVersion: '2010-09-09' Description: Sets up App Mesh with an ECS-hosted Virtual gateway. Parameters: EnvironmentName: Type: String Description: "A friendly environment name that will be used for namespacing all cluster resources. Example: staging, qa, or production" EnvoyImage: Type: String Description: Image location for Envoy proxy Default: public.ecr.aws/appmesh/aws-appmesh-envoy:v1.18.3.0-prod Resources: ### Mesh Mesh: Type: AWS::AppMesh::Mesh Properties: MeshName: !Ref EnvironmentName Spec: EgressFilter: Type: DROP_ALL ### Virtual gateway for ingress into mesh VirtualGateway: Type: AWS::AppMesh::VirtualGateway Properties: MeshName: !GetAtt Mesh.MeshName Spec: Listeners: - PortMapping: Port: 9080 Protocol: http VirtualGatewayName: vg-ingress IngressTaskIamRole: Type: AWS::IAM::Role Properties: Path: / AssumeRolePolicyDocument: | { "Statement": [{ "Effect": "Allow", "Principal": { "Service": [ "ecs-tasks.amazonaws.com" ]}, "Action": [ "sts:AssumeRole" ] }] } Policies: - PolicyName: ACMExportCertificateAccess PolicyDocument: | { "Statement": [{ "Effect": "Allow", "Action": ["acm:ExportCertificate"], "Resource": ["*"] }] } - PolicyName: ACMCertificateAuthorityAccess PolicyDocument: | { "Statement": [{ "Effect": "Allow", "Action": ["acm-pca:GetCertificateAuthorityCertificate"], "Resource": ["*"] }] } ManagedPolicyArns: - arn:aws:iam::aws:policy/CloudWatchFullAccess - arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess - arn:aws:iam::aws:policy/AWSAppMeshPreviewEnvoyAccess - arn:aws:iam::aws:policy/AWSAppMeshEnvoyAccess IngressServiceDiscoveryRecord: Type: 'AWS::ServiceDiscovery::Service' Properties: Name: "ingress" DnsConfig: NamespaceId: Fn::ImportValue: !Sub "${EnvironmentName}:ServiceDiscoveryNamespaceId" DnsRecords: - Type: A TTL: 300 HealthCheckCustomConfig: FailureThreshold: 1 IngressTaskDefinition: Type: AWS::ECS::TaskDefinition Properties: RequiresCompatibilities: - 'FARGATE' Family: !Sub '${EnvironmentName}-Ingress' NetworkMode: 'awsvpc' Cpu: 256 Memory: 512 TaskRoleArn: !Ref IngressTaskIamRole ExecutionRoleArn: Fn::ImportValue: !Sub "${EnvironmentName}:TaskExecutionRoleArn" ContainerDefinitions: - Name: 'envoy' Image: !Ref EnvoyImage Essential: true StopTimeout: 5 Ulimits: - Name: "nofile" HardLimit: 15000 SoftLimit: 15000 PortMappings: - ContainerPort: 9901 Protocol: 'tcp' - ContainerPort: 9080 Protocol: 'tcp' HealthCheck: Command: - 'CMD-SHELL' - 'curl -s http://localhost:9901/server_info | grep state | grep -q LIVE' Interval: 5 Timeout: 2 Retries: 3 StartPeriod: 60 LogConfiguration: LogDriver: 'awslogs' Options: awslogs-group: Fn::ImportValue: !Sub "${EnvironmentName}:ClusterLogGroup" awslogs-region: !Ref AWS::Region awslogs-stream-prefix: 'ingress-envoy' Environment: - Name: 'APPMESH_RESOURCE_ARN' Value: !Ref VirtualGateway - Name: 'ENABLE_ENVOY_STATS_TAGS' Value: '1' - Name: 'ENABLE_ENVOY_DOG_STATSD' Value: '1' - Name: 'STATSD_PORT' Value: '8125' - Name: 'cw-agent' Image: 'amazon/cloudwatch-agent:latest' Essential: true StopTimeout: 5 PortMappings: - ContainerPort: 8125 Protocol: 'udp' Environment: - Name: CW_CONFIG_CONTENT Value: Fn::Sub: - "{ \"metrics\": { \"namespace\":\"${MetricNamespace}\", \"metrics_collected\": { \"statsd\": { \"metrics_aggregation_interval\": 0}}}}" - MetricNamespace: Fn::Join: - '/' - - !Ref EnvironmentName - gateway-envoy - StatsD LogConfiguration: LogDriver: 'awslogs' Options: awslogs-group: Fn::ImportValue: !Sub "${EnvironmentName}:ClusterLogGroup" awslogs-region: !Ref AWS::Region awslogs-stream-prefix: 'ingress-cw-agent' IngressService: Type: 'AWS::ECS::Service' DependsOn: - PublicLoadBalancerListener Properties: Cluster: Fn::ImportValue: !Sub "${EnvironmentName}:ClusterName" DeploymentConfiguration: MaximumPercent: 200 MinimumHealthyPercent: 100 DesiredCount: 1 LaunchType: FARGATE ServiceRegistries: - RegistryArn: 'Fn::GetAtt': IngressServiceDiscoveryRecord.Arn NetworkConfiguration: AwsvpcConfiguration: AssignPublicIp: DISABLED SecurityGroups: - Fn::ImportValue: !Sub "${EnvironmentName}:ContainerSecurityGroup" Subnets: - Fn::ImportValue: !Sub "${EnvironmentName}:PrivateSubnetOne" - Fn::ImportValue: !Sub "${EnvironmentName}:PrivateSubnetTwo" TaskDefinition: !Ref IngressTaskDefinition LoadBalancers: - ContainerName: envoy ContainerPort: 9080 TargetGroupArn: !Ref IngressTargetGroup PublicLoadBalancer: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: Scheme: internet-facing Subnets: - Fn::ImportValue: !Sub "${EnvironmentName}:PublicSubnetOne" - Fn::ImportValue: !Sub "${EnvironmentName}:PublicSubnetTwo" Type: network IngressTargetGroup: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: HealthCheckIntervalSeconds: 10 HealthCheckPort: 9080 HealthCheckProtocol: TCP HealthCheckTimeoutSeconds: 10 HealthyThresholdCount: 2 TargetType: ip Name: !Sub "${EnvironmentName}-ingress" Port: 80 Protocol: TCP UnhealthyThresholdCount: 2 TargetGroupAttributes: - Key: deregistration_delay.timeout_seconds Value: 5 VpcId: Fn::ImportValue: !Sub "${EnvironmentName}:VpcId" PublicLoadBalancerListener: Type: AWS::ElasticLoadBalancingV2::Listener DependsOn: - PublicLoadBalancer Properties: DefaultActions: - TargetGroupArn: !Ref IngressTargetGroup Type: 'forward' LoadBalancerArn: !Ref PublicLoadBalancer Port: 80 Protocol: TCP # These are the values output by the CloudFormation template. Be careful # about changing any of them, because of them are exported with specific # names so that the other task related CF templates can use them. Outputs: MeshName: Description: The name of the App MeshName Value: !GetAtt Mesh.MeshName Export: Name: !Sub ${EnvironmentName}:MeshName EnvoyImage: Value: !Ref EnvoyImage Export: Name: !Sub ${EnvironmentName}:EnvoyImage IngressEndpoint: Value: !GetAtt PublicLoadBalancer.DNSName Export: Name: !Sub ${EnvironmentName}:IngressEndpoint