version: "3.5" x-aws-vpc: "" secrets: docdb_password: name: "" external: true services: # Orion is the context broker orion: secrets: - docdb_password image: fiware/orion:latest deploy: x-aws-autoscaling: min: 2 max: 4 #required cpu: 50 resources: limits: cpus: "2" memory: 2048M networks: - orion-sg container_name: fiware-orion ports: - "1026:1026" entrypoint: ["/bin/sh", "-c"] environment: DOCDB_ENDPOINT: DOCDB_USER: awsdemo ORION_LOGS_LEVEL: WARN command: - | sleep 5 export DOCDB_PASSWORD=`cat /run/secrets/docdb_password` /usr/bin/contextBroker -fg -multiservice -ngsiv1Autocast -disableFileLog -dbhost $${DOCDB_ENDPOINT}:27017 -rplSet rs0 -dbuser $${DOCDB_USER} -dbpwd $${DOCDB_PASSWORD} -dbDisableRetryWrites -logLevel $${ORION_LOGS_LEVEL} healthcheck: test: curl --fail -s http://orion:1026/version || exit 1 x-aws-cloudformation: Resources: OrionTCP1026TargetGroup: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: HealthCheckPath: /version HealthCheckPort: 1026 HealthCheckProtocol: HTTP Protocol: HTTP Port: 1026 VpcId: TargetType: ip LoadBalancer: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: IpAddressType: ipv4 Name: orion-alb LoadBalancerAttributes: - Key: routing.http2.enabled Value: true Scheme: internet-facing SecurityGroups: - Subnets: - - Type: application OrionTCP1026Listener: Type: AWS::ElasticLoadBalancingV2::Listener Properties: LoadBalancerArn: Ref: LoadBalancer Port: 1026 Protocol: HTTP DefaultActions: - TargetGroupArn: Ref: OrionTCP1026TargetGroup Type: forward WebACL: Type: AWS::WAFv2::WebACL Properties: Name: orion-waf DefaultAction: Block: {} Scope: REGIONAL VisibilityConfig: CloudWatchMetricsEnabled: true MetricName: orion-waf SampledRequestsEnabled: false Rules: - Name: AWS-AWSManagedRulesAmazonIpReputationList Priority: 0 Statement: ManagedRuleGroupStatement: VendorName: AWS Name: AWSManagedRulesAmazonIpReputationList OverrideAction: Count: {} VisibilityConfig: CloudWatchMetricsEnabled: true MetricName: AWSManagedRulesAmazonIpReputationList SampledRequestsEnabled: false - Name: "AWSManagedRulesKnownBadInputsRule" Priority: 1 Statement: ManagedRuleGroupStatement: VendorName: "AWS" Name: "AWSManagedRulesKnownBadInputsRuleSet" OverrideAction: None: {} VisibilityConfig: CloudWatchMetricsEnabled: true MetricName: "AWSManagedRulesKnownBadInputsRule" SampledRequestsEnabled: true - Name: "AWSManagedRulesAmazonIpReputation" Priority: 2 Statement: ManagedRuleGroupStatement: VendorName: "AWS" Name: "AWSManagedRulesAmazonIpReputationList" OverrideAction: None: {} VisibilityConfig: CloudWatchMetricsEnabled: true MetricName: "AWSManagedRulesAmazonIpReputation" SampledRequestsEnabled: true - Name: Custom-IPaddress-DenyList Priority: 3 Action: Block: {} Statement: IPSetReferenceStatement: Arn: Fn::GetAtt: IPDenyList.Arn VisibilityConfig: CloudWatchMetricsEnabled: true MetricName: Custom-IPaddress-DenyList SampledRequestsEnabled: true - Name: Custom-IPaddress-AllowList Priority: 4 Action: Allow: {} Statement: IPSetReferenceStatement: Arn: Fn::GetAtt: IPAllowList.Arn VisibilityConfig: CloudWatchMetricsEnabled: true MetricName: Custom-IPaddress-AllowList SampledRequestsEnabled: true - Name: Custom-Ratebased Priority: 5 Action: Count: {} Statement: RateBasedStatement: AggregateKeyType: IP Limit: 100 ScopeDownStatement: NotStatement: Statement: IPSetReferenceStatement: Arn: Fn::GetAtt: IPAllowList.Arn VisibilityConfig: CloudWatchMetricsEnabled: true MetricName: Custom-Ratebased SampledRequestsEnabled: true DependsOn: - IPDenyList - IPAllowList IPAllowList: Type: "AWS::WAFv2::IPSet" Properties: Name: Custom-orion-ipaddress-allowlist Scope: REGIONAL IPAddressVersion: IPV4 Addresses: - IPDenyList: Type: "AWS::WAFv2::IPSet" Properties: Name: Custom-orion-ipaddress-denylist Scope: REGIONAL IPAddressVersion: IPV4 Addresses: - WebACLAssociation: Type: "AWS::WAFv2::WebACLAssociation" DependsOn: [LoadBalancer, WebACL] Properties: WebACLArn: Fn::GetAtt: WebACL.Arn ResourceArn: Ref: LoadBalancer networks: orion-sg: external: true name: