AWSTemplateFormatVersion: '2010-09-09'
Description: Docker EE for AWS 17.06.2-ee-6-aws2 (qs-1qup6ra7m)
Conditions:
  CloudStorEfsSelected: !Equals
    - !Ref 'EnableCloudStorEfs'
    - 'yes'
  CreateLogResources: !Equals
    - !Ref 'EnableCloudWatchLogs'
    - 'yes'
  EFSSupported: !Equals
    - !FindInMap
      - AWSRegion2AZ
      - !Ref 'AWS::Region'
      - EFSSupport
    - 'yes'
  HasOnly2AZs: !Equals
    - !FindInMap
      - AWSRegion2AZ
      - !Ref 'AWS::Region'
      - NumAZs
    - '2'
  InstallCloudStorEFSPreReqs: !And
    - !Condition 'EFSSupported'
    - !Condition 'CloudStorEfsSelected'
  LambdaSupported: !Equals
    - !FindInMap
      - AWSRegion2AZ
      - !Ref 'AWS::Region'
      - LambdaSupport
    - 'yes'
Mappings:
  AWSInstanceType2Arch:
    c3.2xlarge:
      Arch: HVM64
    c3.4xlarge:
      Arch: HVM64
    c3.8xlarge:
      Arch: HVM64
    c3.large:
      Arch: HVM64
    c3.xlarge:
      Arch: HVM64
    c4.2xlarge:
      Arch: HVM64
    c4.4xlarge:
      Arch: HVM64
    c4.8xlarge:
      Arch: HVM64
    c4.large:
      Arch: HVM64
    c4.xlarge:
      Arch: HVM64
    cc2.8xlarge:
      Arch: HVM64
    cr1.8xlarge:
      Arch: HVM64
    d2.2xlarge:
      Arch: HVM64
    d2.4xlarge:
      Arch: HVM64
    d2.8xlarge:
      Arch: HVM64
    d2.xlarge:
      Arch: HVM64
    g2.2xlarge:
      Arch: HVMG2
    hi1.4xlarge:
      Arch: HVM64
    hs1.8xlarge:
      Arch: HVM64
    i3.16xlarge:
      Arch: HVM64
    i3.2xlarge:
      Arch: HVM64
    i3.4xlarge:
      Arch: HVM64
    i3.8xlarge:
      Arch: HVM64
    i3.large:
      Arch: HVM64
    i3.xlarge:
      Arch: HVM64
    m3.2xlarge:
      Arch: HVM64
    m3.large:
      Arch: HVM64
    m3.medium:
      Arch: HVM64
    m3.xlarge:
      Arch: HVM64
    m4.10xlarge:
      Arch: HVM64
    m4.16xlarge:
      Arch: HVM64
    m4.2xlarge:
      Arch: HVM64
    m4.4xlarge:
      Arch: HVM64
    m4.large:
      Arch: HVM64
    m4.xlarge:
      Arch: HVM64
    r3.2xlarge:
      Arch: HVM64
    r3.4xlarge:
      Arch: HVM64
    r3.8xlarge:
      Arch: HVM64
    r3.large:
      Arch: HVM64
    r3.xlarge:
      Arch: HVM64
    r4.16xlarge:
      Arch: HVM64
    r4.2xlarge:
      Arch: HVM64
    r4.4xlarge:
      Arch: HVM64
    r4.8xlarge:
      Arch: HVM64
    r4.large:
      Arch: HVM64
    r4.xlarge:
      Arch: HVM64
    t2.2xlarge:
      Arch: HVM64
    t2.large:
      Arch: HVM64
    t2.medium:
      Arch: HVM64
    t2.micro:
      Arch: HVM64
    t2.small:
      Arch: HVM64
    t2.xlarge:
      Arch: HVM64
  AWSRegion2AZ:
    ap-northeast-1:
      AZ0: '0'
      AZ1: '1'
      AZ2: '0'
      EFSSupport: 'no'
      LambdaSupport: 'yes'
      Name: Tokyo
      NumAZs: '2'
    ap-northeast-2:
      AZ0: '0'
      AZ1: '1'
      AZ2: '0'
      EFSSupport: 'no'
      LambdaSupport: 'yes'
      Name: Seoul
      NumAZs: '2'
    ap-south-1:
      AZ0: '0'
      AZ1: '1'
      AZ2: '0'
      EFSSupport: 'no'
      LambdaSupport: 'yes'
      Name: Mumbai
      NumAZs: '2'
    ap-southeast-1:
      AZ0: '0'
      AZ1: '1'
      AZ2: '0'
      EFSSupport: 'no'
      LambdaSupport: 'yes'
      Name: Singapore
      NumAZs: '2'
    ap-southeast-2:
      AZ0: '0'
      AZ1: '1'
      AZ2: '2'
      EFSSupport: 'yes'
      LambdaSupport: 'yes'
      Name: Sydney
      NumAZs: '3'
    ca-central-1:
      AZ0: '0'
      AZ1: '1'
      AZ2: '0'
      EFSSupport: 'no'
      LambdaSupport: 'no'
      Name: Central
      NumAZs: '2'
    eu-central-1:
      AZ0: '0'
      AZ1: '1'
      AZ2: '0'
      EFSSupport: 'no'
      LambdaSupport: 'yes'
      Name: Frankfurt
      NumAZs: '2'
    eu-west-1:
      AZ0: '0'
      AZ1: '1'
      AZ2: '2'
      EFSSupport: 'yes'
      LambdaSupport: 'yes'
      Name: Ireland
      NumAZs: '3'
    eu-west-2:
      AZ0: '0'
      AZ1: '1'
      AZ2: '0'
      EFSSupport: 'no'
      LambdaSupport: 'yes'
      Name: London
      NumAZs: '2'
    sa-east-1:
      AZ0: '0'
      AZ1: '1'
      AZ2: '0'
      EFSSupport: 'no'
      LambdaSupport: 'no'
      Name: Sao Paulo
      NumAZs: '2'
    us-east-1:
      AZ0: '0'
      AZ1: '1'
      AZ2: '2'
      EFSSupport: 'yes'
      LambdaSupport: 'yes'
      Name: N. Virginia
      NumAZs: '4'
    us-east-2:
      AZ0: '0'
      AZ1: '1'
      AZ2: '2'
      EFSSupport: 'yes'
      LambdaSupport: 'yes'
      Name: Ohio
      NumAZs: '3'
    us-gov-west-1:
      AZ0: '0'
      AZ1: '1'
      AZ2: '0'
      EFSSupport: 'no'
      LambdaSupport: 'no'
      Name: GovCloud
      NumAZs: '2'
    us-west-1:
      AZ0: '0'
      AZ1: '1'
      AZ2: '0'
      EFSSupport: 'no'
      LambdaSupport: 'yes'
      Name: N. California
      NumAZs: '2'
    us-west-2:
      AZ0: '0'
      AZ1: '1'
      AZ2: '2'
      EFSSupport: 'yes'
      LambdaSupport: 'yes'
      Name: Oregon
      NumAZs: '3'
  AWSRegionArch2AMI:
    ap-northeast-1:
      HVM64: ami-6a2e490c
      HVMG2: NOT_SUPPORTED
    ap-northeast-2:
      HVM64: ami-3101a15f
      HVMG2: NOT_SUPPORTED
    ap-south-1:
      HVM64: ami-9c2771f3
      HVMG2: NOT_SUPPORTED
    ap-southeast-1:
      HVM64: ami-57a7db2b
      HVMG2: NOT_SUPPORTED
    ap-southeast-2:
      HVM64: ami-997d81fb
      HVMG2: NOT_SUPPORTED
    ca-central-1:
      HVM64: ami-944dc8f0
      HVMG2: NOT_SUPPORTED
    eu-central-1:
      HVM64: ami-633ba70c
      HVMG2: NOT_SUPPORTED
    eu-west-1:
      HVM64: ami-8375ebfa
      HVMG2: NOT_SUPPORTED
    eu-west-2:
      HVM64: ami-be263dda
      HVMG2: NOT_SUPPORTED
    sa-east-1:
      HVM64: ami-53317c3f
      HVMG2: NOT_SUPPORTED
    us-east-1:
      HVM64: ami-94daf8ee
      HVMG2: NOT_SUPPORTED
    us-east-2:
      HVM64: ami-71082214
      HVMG2: NOT_SUPPORTED
    us-west-1:
      HVM64: ami-23747643
      HVMG2: NOT_SUPPORTED
    us-west-2:
      HVM64: ami-4050e038
      HVMG2: NOT_SUPPORTED
  DockerForAWS:
    version:
      DTRINITTAG: 17.06.2-ee-6-aws2
      DTRTAG: 2.4.1
      HasDDC: 'yes'
      UCPINITTAG: 17.06.2-ee-6-aws2
      UCPTAG: 2.2.5
      addOn: ddc
      channel: 17.06-DDC
      docker: 17.06.2-ee-6
      forAws: 17.06.2-ee-6-aws2
  VpcCidrs:
    pubsubnet1:
      cidr: 172.31.0.0/20
    pubsubnet2:
      cidr: 172.31.16.0/20
    pubsubnet3:
      cidr: 172.31.32.0/20
    pubsubnet4:
      cidr: 172.31.48.0/20
    vpc:
      cidr: 172.31.0.0/16
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Swarm Size
        Parameters:
          - ManagerSize
          - ClusterSize
      - Label:
          default: Swarm Properties
        Parameters:
          - KeyName
          - RemoteSSH
          - EnableSystemPrune
          - EnableCloudWatchLogs
          - EnableCloudStorEfs
      - Label:
          default: Swarm Manager Properties
        Parameters:
          - ManagerInstanceType
          - ManagerDiskSize
          - ManagerDiskType
      - Label:
          default: Swarm Worker Properties
        Parameters:
          - InstanceType
          - WorkerDiskSize
          - WorkerDiskType
      - Label:
          default: HTTP Proxy
        Parameters:
          - HTTPProxy
          - HTTPSProxy
          - NoProxy
      - Label:
          default: Docker EE Properties
        Parameters:
          - DDCUsernameSet
          - DDCPasswordSet
          - License
    ParameterLabels:
      ClusterSize:
        default: Number of Swarm worker nodes
      DDCPasswordSet:
        default: Enter your Docker EE password
      DDCUsernameSet:
        default: Enter the Username you want to use with Docker EE
      EnableCloudStorEfs:
        default: Create EFS prerequisites for CloudStor
      EnableCloudWatchLogs:
        default: Use CloudWatch for container logging
      EnableSystemPrune:
        default: Enable daily resource cleanup
      HTTPProxy:
        default: Value for HTTP_PROXY environment variable
      HTTPSProxy:
        default: Value for HTTPS_PROXY environment variable
      InstanceType:
        default: Agent worker instance type
      KeyName:
        default: Which SSH key to use
      License:
        default: Enter your Docker EE License
      ManagerDiskSize:
        default: Manager ephemeral storage volume size
      ManagerDiskType:
        default: Manager ephemeral storage volume type
      ManagerInstanceType:
        default: Swarm manager instance type
      ManagerSize:
        default: Number of Swarm managers
      NoProxy:
        default: Value for NO_PROXY environment variable
      RemoteSSH:
        default: Which IPs are allowed to SSH
      WorkerDiskSize:
        default: Worker ephemeral storage volume size
      WorkerDiskType:
        default: Worker ephemeral storage volume type
Outputs:
  DDCUsername:
    Description: Docker EE Username.
    Value: !Ref 'DDCUsernameSet'
  DTRLoginURL:
    Description: Docker EE DTR Login URL.
    Value: !Join
      - ''
      - - https://
        - !GetAtt 'DTRLoadBalancer.DNSName'
  DefaultDNSTarget:
    Description: Use this name to update your DNS records.
    Value: !GetAtt 'ExternalLoadBalancer.DNSName'
  ELBDNSZoneID:
    Description: Use this zone ID to update your DNS records.
    Value: !GetAtt 'ExternalLoadBalancer.CanonicalHostedZoneNameID'
  ManagerSecurityGroupID:
    Description: SecurityGroup ID of ManagerVpcSG.
    Value: !Ref 'ManagerVpcSG'
  Managers:
    Description: 'You can see the manager nodes associated with this cluster here. Follow the instructions here: https://docs.docker.com/docker-for-aws/deploy/ .'
    Value: !Join
      - ''
      - - https://
        - !Ref 'AWS::Region'
        - .console.aws.amazon.com/ec2/v2/home?region=
        - !Ref 'AWS::Region'
        - '#Instances:tag:aws:autoscaling:groupName='
        - !Ref 'ManagerAsg'
        - ;sort=desc:dnsName
  NodeSecurityGroupID:
    Description: SecurityGroup ID of NodeVpcSG.
    Value: !Ref 'NodeVpcSG'
  SwarmWideSecurityGroupID:
    Description: SecurityGroup ID of SwarmWideSG.
    Value: !Ref 'SwarmWideSG'
  UCPLoginURL:
    Description: Docker EE UCP Login URL.
    Value: !Join
      - ''
      - - https://
        - !GetAtt 'UCPLoadBalancer.DNSName'
  VPCID:
    Description: Use this as the VPC for configuring Private Hosted Zones.
    Value: !Ref 'Vpc'
  ZoneAvailabilityComment:
    Description: Availability Zones Comment.
    Value: !If
      - HasOnly2AZs
      - This region only has 2 Availability Zones (AZ). If one of those AZs goes away, it will cause problems for your Swarm Managers. Please use a Region with at least 3 AZs.
      - This region has at least 3 Availability Zones (AZ). This is ideal to ensure a fully functional Swarm in case you lose an AZ.
Parameters:
  ClusterSize:
    Default: '5'
    Description: Number of worker nodes in the Swarm (0-1000).
    MaxValue: '1000'
    MinValue: '0'
    Type: Number
  DDCPasswordSet:
    ConstraintDescription: must be at least 8 characters
    Description: Docker EE Password.
    MaxLength: '40'
    MinLength: '8'
    NoEcho: true
    Type: String
  DDCUsernameSet:
    ConstraintDescription: Please enter the username you want to use for Docker EE.
    Default: admin
    Description: Docker EE Username.
    Type: String
  EnableCloudStorEfs:
    AllowedValues:
      - 'no'
      - 'yes'
    Default: 'no'
    Description: Create CloudStor EFS mount targets.
    Type: String
  EnableCloudWatchLogs:
    AllowedValues:
      - 'no'
      - 'yes'
    Default: 'no'
    Description: Send all Container logs to CloudWatch.
    Type: String
  EnableSystemPrune:
    AllowedValues:
      - 'no'
      - 'yes'
    Default: 'no'
    Description: Cleans up unused images, containers, networks and volumes.
    Type: String
  HTTPProxy:
    AllowedPattern: ^\S*$
    ConstraintDescription: HTTP_PROXY environment variable setting.
    Description: Value for HTTP_PROXY environment variable.
    Type: String
  HTTPSProxy:
    AllowedPattern: ^\S*$
    ConstraintDescription: HTTPS_PROXY environment variable setting.
    Description: Value for HTTPS_PROXY environment variable.
    Type: String
  InstanceType:
    AllowedValues:
      - t2.small
      - t2.medium
      - t2.large
      - t2.xlarge
      - t2.2xlarge
      - m4.large
      - m4.xlarge
      - m4.2xlarge
      - m4.4xlarge
      - m4.10xlarge
      - m4.16xlarge
      - m3.medium
      - m3.large
      - m3.xlarge
      - m3.2xlarge
      - c4.large
      - c4.xlarge
      - c4.2xlarge
      - c4.4xlarge
      - c4.8xlarge
      - c3.large
      - c3.xlarge
      - c3.2xlarge
      - c3.4xlarge
      - c3.8xlarge
      - r3.large
      - r3.xlarge
      - r3.2xlarge
      - r3.4xlarge
      - r3.8xlarge
      - r4.large
      - r4.xlarge
      - r4.2xlarge
      - r4.4xlarge
      - r4.8xlarge
      - r4.16xlarge
      - i3.large
      - i3.xlarge
      - i3.2xlarge
      - i3.4xlarge
      - i3.8xlarge
      - i3.16xlarge
      - cc2.8xlarge
      - cr1.8xlarge
      - d2.2xlarge
      - d2.4xlarge
      - d2.8xlarge
      - d2.xlarge
      - g2.2xlarge
      - hi1.4xlarge
      - hs1.8xlarge
    ConstraintDescription: Must be a valid EC2 HVM instance type.
    Default: t2.small
    Description: EC2 HVM instance type (t2.micro, m3.medium, etc).
    Type: String
  KeyName:
    ConstraintDescription: Must be the name of an existing EC2 KeyPair.
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instances.
    Type: AWS::EC2::KeyPair::KeyName
  License:
    Description: Docker EE License in JSON format or URL to download it. Get Trial License here https://store.docker.com/editions/enterprise/docker-ee-trial.
    NoEcho: true
    Type: String
  ManagerDiskSize:
    Default: '20'
    Description: Size of Manager's ephemeral storage volume in GiB.
    MaxValue: '1024'
    MinValue: '20'
    Type: Number
  ManagerDiskType:
    AllowedValues:
      - standard
      - gp2
    Default: gp2
    Description: Manager ephemeral storage volume type.
    Type: String
  ManagerInstanceType:
    AllowedValues:
      - m4.large
      - m4.xlarge
      - m4.2xlarge
      - m4.4xlarge
      - m4.10xlarge
      - m4.16xlarge
      - m3.medium
      - m3.large
      - m3.xlarge
      - m3.2xlarge
      - c4.large
      - c4.xlarge
      - c4.2xlarge
      - c4.4xlarge
      - c4.8xlarge
      - c3.large
      - c3.xlarge
      - c3.2xlarge
      - c3.4xlarge
      - c3.8xlarge
      - r3.large
      - r3.xlarge
      - r3.2xlarge
      - r3.4xlarge
      - r3.8xlarge
      - r4.large
      - r4.xlarge
      - r4.2xlarge
      - r4.4xlarge
      - r4.8xlarge
      - r4.16xlarge
      - i3.large
      - i3.xlarge
      - i3.2xlarge
      - i3.4xlarge
      - i3.8xlarge
      - i3.16xlarge
    ConstraintDescription: Must be a valid EC2 HVM instance type.
    Default: m4.large
    Description: EC2 HVM instance type (t2.micro, m3.medium, etc).
    Type: String
  ManagerSize:
    AllowedValues:
      - '3'
      - '5'
    Default: '3'
    Description: Number of Swarm manager nodes (3, 5).
    Type: Number
  NoProxy:
    AllowedPattern: ^\S*$
    ConstraintDescription: NO_PROXY environment variable setting.
    Description: Value for NO_PROXY environment variable.
    Type: String
  RemoteSSH:
    ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x.
    Description: The value 0.0.0.0/0 will allow SSH from anywhere.
    MaxLength: '18'
    MinLength: '9'
    Type: String
  WorkerDiskSize:
    Default: '20'
    Description: Size of Worker's ephemeral storage volume in GiB.
    MaxValue: '1024'
    MinValue: '20'
    Type: Number
  WorkerDiskType:
    AllowedValues:
      - standard
      - gp2
    Default: standard
    Description: Worker ephemeral storage volume type.
    Type: String
Resources:
  AZInfo:
    Condition: LambdaSupported
    Properties:
      Region: !Ref 'AWS::Region'
      ServiceToken: !GetAtt 'AZInfoFunction.Arn'
    Type: Custom::AZInfo
  AZInfoFunction:
    Condition: LambdaSupported
    Properties:
      Code:
        ZipFile: !Join
          - "\n"
          - - import cfnresponse
            - import boto3
            - 'def handler(event, context):'
            - '    ec2c = boto3.client(''ec2'')'
            - '    r = ec2c.describe_availability_zones()'
            - '    azs = r.get(''AvailabilityZones'')'
            - '    az_list = [az.get(''ZoneName'') for az in azs if az.get(''State'') == ''available'']'
            - '    az0 = az_list[0]'
            - '    az1 = az_list[1]'
            - '    if len(az_list) > 2:'
            - '        az2 = az_list[2]'
            - '    else:'
            - '        az2 = az0'
            - '    resp = {''AZ0'': az0, ''AZ1'': az1, ''AZ2'': az2}'
            - '    cfnresponse.send(event, context, cfnresponse.SUCCESS, resp)'
            - '    return resp'
      Handler: index.handler
      MemorySize: 128
      Role: !GetAtt 'LambdaExecutionRole.Arn'
      Runtime: python3.7
      Timeout: 10
    Type: AWS::Lambda::Function
  AttachGateway:
    DependsOn:
      - Vpc
      - InternetGateway
    Properties:
      InternetGatewayId: !Ref 'InternetGateway'
      VpcId: !Ref 'Vpc'
    Type: AWS::EC2::VPCGatewayAttachment
  CloudstorEBSPolicy:
    DependsOn:
      - ProxyRole
      - WorkerRole
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - ec2:CreateTags
              - ec2:AttachVolume
              - ec2:DetachVolume
              - ec2:CreateVolume
              - ec2:DeleteVolume
              - ec2:DescribeVolumes
              - ec2:DescribeVolumeStatus
              - ec2:CreateSnapshot
              - ec2:DeleteSnapshot
              - ec2:DescribeSnapshots
            Effect: Allow
            Resource: '*'
        Version: '2012-10-17'
      PolicyName: cloudstor-ebs-policy
      Roles:
        - !Ref 'ProxyRole'
        - !Ref 'WorkerRole'
    Type: AWS::IAM::Policy
  DDCBucket:
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket
  DTRLoadBalancer:
    DependsOn:
      - AttachGateway
      - DTRLoadBalancerSG
      - PubSubnetAz1
      - PubSubnetAz2
      - PubSubnetAz3
    Properties:
      ConnectionSettings:
        IdleTimeout: 1800
      CrossZone: true
      HealthCheck:
        HealthyThreshold: '2'
        Interval: '300'
        Target: HTTPS:12391/health
        Timeout: '10'
        UnhealthyThreshold: '10'
      Listeners:
        - InstancePort: '12391'
          LoadBalancerPort: '443'
          Protocol: TCP
        - InstancePort: '12392'
          LoadBalancerPort: '80'
          Protocol: TCP
      SecurityGroups:
        - !Ref 'DTRLoadBalancerSG'
      Subnets: !If
        - HasOnly2AZs
        - - !Ref 'PubSubnetAz1'
          - !Ref 'PubSubnetAz2'
        - - !Ref 'PubSubnetAz1'
          - !Ref 'PubSubnetAz2'
          - !Ref 'PubSubnetAz3'
      Tags:
        - Key: Name
          Value: !Join
            - '-'
            - - !Ref 'AWS::StackName'
              - ELB-DTR
    Type: AWS::ElasticLoadBalancing::LoadBalancer
  DTRLoadBalancerSG:
    DependsOn: Vpc
    Properties:
      GroupDescription: DTR Load Balancer SecurityGroup.
      SecurityGroupIngress:
        - CidrIp: '0.0.0.0/0'
          FromPort: 443
          IpProtocol: tcp
          ToPort: 443
      VpcId: !Ref 'Vpc'
    Type: AWS::EC2::SecurityGroup
  DockerLogGroup:
    Condition: CreateLogResources
    Properties:
      LogGroupName: !Join
        - '-'
        - - !Ref 'AWS::StackName'
          - lg
      RetentionInDays: 7
    Type: AWS::Logs::LogGroup
  DynDBPolicies:
    DependsOn:
      - ProxyRole
      - SwarmDynDBTable
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - dynamodb:PutItem
              - dynamodb:DeleteItem
              - dynamodb:GetItem
              - dynamodb:UpdateItem
              - dynamodb:Query
            Effect: Allow
            Resource: !Join
              - ''
              - - 'arn:aws:dynamodb:'
                - !Ref 'AWS::Region'
                - ':'
                - !Ref 'AWS::AccountId'
                - :table/
                - !Ref 'SwarmDynDBTable'
        Version: '2012-10-17'
      PolicyName: dyndb-getput
      Roles:
        - !Ref 'ProxyRole'
    Type: AWS::IAM::Policy
  DynDBWorkerPolicies:
    DependsOn:
      - WorkerRole
      - SwarmDynDBTable
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - dynamodb:GetItem
              - dynamodb:Query
            Effect: Allow
            Resource: !Join
              - ''
              - - 'arn:aws:dynamodb:'
                - !Ref 'AWS::Region'
                - ':'
                - !Ref 'AWS::AccountId'
                - :table/
                - !Ref 'SwarmDynDBTable'
        Version: '2012-10-17'
      PolicyName: worker-dyndb-get
      Roles:
        - !Ref 'WorkerRole'
    Type: AWS::IAM::Policy
  ExternalLoadBalancer:
    DependsOn:
      - AttachGateway
      - ExternalLoadBalancerSG
      - PubSubnetAz1
      - PubSubnetAz2
      - PubSubnetAz3
    Properties:
      ConnectionSettings:
        IdleTimeout: 600
      CrossZone: true
      HealthCheck:
        HealthyThreshold: '2'
        Interval: '10'
        Target: HTTP:44554/
        Timeout: '8'
        UnhealthyThreshold: '4'
      Listeners:
        - InstancePort: '7'
          LoadBalancerPort: '7'
          Protocol: TCP
      SecurityGroups:
        - !Ref 'ExternalLoadBalancerSG'
      Subnets: !If
        - HasOnly2AZs
        - - !Ref 'PubSubnetAz1'
          - !Ref 'PubSubnetAz2'
        - - !Ref 'PubSubnetAz1'
          - !Ref 'PubSubnetAz2'
          - !Ref 'PubSubnetAz3'
      Tags:
        - Key: Name
          Value: !Join
            - '-'
            - - !Ref 'AWS::StackName'
              - ELB
    Type: AWS::ElasticLoadBalancing::LoadBalancer
  ExternalLoadBalancerSG:
    DependsOn: Vpc
    Properties:
      GroupDescription: External Load Balancer SecurityGroup.
      SecurityGroupIngress:
        - CidrIp: '0.0.0.0/0'
          FromPort: 0
          IpProtocol: '-1'
          ToPort: 65535
      VpcId: !Ref 'Vpc'
    Type: AWS::EC2::SecurityGroup
  FileSystemGP:
    Condition: InstallCloudStorEFSPreReqs
    Properties:
      FileSystemTags:
        - Key: Name
          Value: !Join
            - '-'
            - - !Ref 'AWS::StackName'
              - EFS-GP
      PerformanceMode: generalPurpose
    Type: AWS::EFS::FileSystem
  FileSystemMaxIO:
    Condition: InstallCloudStorEFSPreReqs
    Properties:
      FileSystemTags:
        - Key: Name
          Value: !Join
            - '-'
            - - !Ref 'AWS::StackName'
              - EFS-MaxIO
      PerformanceMode: maxIO
    Type: AWS::EFS::FileSystem
  InternetGateway:
    DependsOn: Vpc
    Properties:
      Tags:
        - Key: Name
          Value: !Join
            - '-'
            - - !Ref 'AWS::StackName'
              - IGW
    Type: AWS::EC2::InternetGateway
  LambdaExecutionRole:
    Condition: LambdaSupported
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
        Version: '2012-10-17'
      Path: /
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Effect: Allow
                Resource: arn:aws:logs:*:*:*
              - Action:
                  - ec2:DescribeAvailabilityZones
                Effect: Allow
                Resource: '*'
            Version: '2012-10-17'
          PolicyName: root
    Type: AWS::IAM::Role
  ManagerAsg:
    CreationPolicy:
      ResourceSignal:
        Count: !Ref 'ManagerSize'
        Timeout: PT1H
    DependsOn:
      - SwarmDynDBTable
      - PubSubnetAz1
      - PubSubnetAz2
      - PubSubnetAz3
      - ExternalLoadBalancer
      - UCPLoadBalancer
      - DTRLoadBalancer
    Properties:
      DesiredCapacity: !Ref 'ManagerSize'
      HealthCheckGracePeriod: 1200
      HealthCheckType: ELB
      LaunchConfigurationName: !Ref 'ManagerLaunchConfig17062ee3aws1'
      LoadBalancerNames:
        - !Ref 'ExternalLoadBalancer'
        - !Ref 'UCPLoadBalancer'
        - !Ref 'DTRLoadBalancer'
      MaxSize: '6'
      MetricsCollection:
        - Granularity: 1Minute
      MinSize: '0'
      Tags:
        - Key: Name
          PropagateAtLaunch: true
          Value: !Join
            - '-'
            - - !Ref 'AWS::StackName'
              - Manager
        - Key: swarm-node-type
          PropagateAtLaunch: true
          Value: manager
        - Key: swarm-stack-id
          PropagateAtLaunch: true
          Value: !Ref 'AWS::StackId'
        - Key: DOCKER_FOR_AWS_VERSION
          PropagateAtLaunch: true
          Value: !FindInMap
            - DockerForAWS
            - version
            - forAws
        - Key: DOCKER_VERSION
          PropagateAtLaunch: true
          Value: !FindInMap
            - DockerForAWS
            - version
            - docker
      VPCZoneIdentifier:
        - !If
          - HasOnly2AZs
          - !Join
            - ','
            - - !Ref 'PubSubnetAz1'
              - !Ref 'PubSubnetAz2'
          - !Join
            - ','
            - - !Ref 'PubSubnetAz1'
              - !Ref 'PubSubnetAz2'
              - !Ref 'PubSubnetAz3'
    Type: AWS::AutoScaling::AutoScalingGroup
    UpdatePolicy:
      AutoScalingRollingUpdate:
        MaxBatchSize: 1
        MinInstancesInService: !Ref 'ManagerSize'
        PauseTime: PT1H
        WaitOnResourceSignals: true
  ManagerLaunchConfig17062ee3aws1:
    DependsOn: ExternalLoadBalancer
    Properties:
      AssociatePublicIpAddress: true
      BlockDeviceMappings:
        - DeviceName: /dev/xvdb
          Ebs:
            VolumeSize: !Ref 'ManagerDiskSize'
            VolumeType: !Ref 'ManagerDiskType'
      IamInstanceProfile: !Ref 'ProxyInstanceProfile'
      ImageId: !FindInMap
        - AWSRegionArch2AMI
        - !Ref 'AWS::Region'
        - !FindInMap
          - AWSInstanceType2Arch
          - !Ref 'ManagerInstanceType'
          - Arch
      InstanceType: !Ref 'ManagerInstanceType'
      KeyName: !Ref 'KeyName'
      SecurityGroups:
        - !Ref 'ManagerVpcSG'
        - !Ref 'SwarmWideSG'
      UserData: !Base64
        Fn::Join:
          - ''
          - - "#!/bin/sh\n"
            - export EXTERNAL_LB='
            - !Ref 'ExternalLoadBalancer'
            - "'\n"
            - export DOCKER_FOR_IAAS_VERSION='
            - !FindInMap
              - DockerForAWS
              - version
              - forAws
            - "'\n"
            - export CHANNEL='
            - !FindInMap
              - DockerForAWS
              - version
              - channel
            - "'\n"
            - export EDITION_ADDON='
            - !FindInMap
              - DockerForAWS
              - version
              - addOn
            - "'\n"
            - "export LOCAL_IP=$(wget -qO- http://169.254.169.254/latest/meta-data/local-ipv4)\n"
            - "export INSTANCE_TYPE=$(wget -qO- http://169.254.169.254/latest/meta-data/instance-type)\n"
            - "export NODE_AZ=$(wget -qO- http://169.254.169.254/latest/meta-data/placement/availability-zone/)\n"
            - "export NODE_REGION=$(echo $NODE_AZ | sed 's/.$//')\n"
            - export ENABLE_CLOUDWATCH_LOGS='
            - !Ref 'EnableCloudWatchLogs'
            - "'\n"
            - export AWS_REGION='
            - !Ref 'AWS::Region'
            - "'\n"
            - export MANAGER_SECURITY_GROUP_ID='
            - !Ref 'ManagerVpcSG'
            - "'\n"
            - export WORKER_SECURITY_GROUP_ID='
            - !Ref 'NodeVpcSG'
            - "'\n"
            - export DYNAMODB_TABLE='
            - !Ref 'SwarmDynDBTable'
            - "'\n"
            - export STACK_NAME='
            - !Ref 'AWS::StackName'
            - "'\n"
            - export STACK_ID='
            - !Ref 'AWS::StackId'
            - "'\n"
            - export ACCOUNT_ID='
            - !Ref 'AWS::AccountId'
            - "'\n"
            - export VPC_ID='
            - !Ref 'Vpc'
            - "'\n"
            - export SWARM_QUEUE='
            - !Ref 'SwarmSQS'
            - "'\n"
            - export CLEANUP_QUEUE='
            - !Ref 'SwarmSQSCleanup'
            - "'\n"
            - export RUN_VACUUM='
            - !Ref 'EnableSystemPrune'
            - "'\n"
            - export LOG_GROUP_NAME='
            - !Join
              - '-'
              - - !Ref 'AWS::StackName'
                - lg
            - "'\n"
            - export HAS_DDC='
            - !FindInMap
              - DockerForAWS
              - version
              - HasDDC
            - "'\n"
            - export ENABLE_EFS='
            - !If
              - InstallCloudStorEFSPreReqs
              - '1'
              - '0'
            - "'\n"
            - export EFS_ID_REGULAR='
            - !If
              - InstallCloudStorEFSPreReqs
              - !Ref 'FileSystemGP'
              - ''
            - "'\n"
            - export EFS_ID_MAXIO='
            - !If
              - InstallCloudStorEFSPreReqs
              - !Ref 'FileSystemMaxIO'
              - ''
            - "'\n"
            - "export DOCKER_EXPERIMENTAL='false' \n"
            - "export NODE_TYPE='manager'\n"
            - "export INSTANCE_NAME='ManagerAsg'\n"
            - export HTTP_PROXY='
            - !Ref 'HTTPProxy'
            - "'\n"
            - export HTTPS_PROXY='
            - !Ref 'HTTPSProxy'
            - "'\n"
            - export NO_PROXY='
            - !Ref 'NoProxy'
            - "'\n"
            - export UCP_ADMIN_USER='
            - !Ref 'DDCUsernameSet'
            - "'\n"
            - export UCP_ADMIN_PASSWORD='
            - !Ref 'DDCPasswordSet'
            - "'\n"
            - export S3_BUCKET_NAME='
            - !Ref 'DDCBucket'
            - "'\n"
            - export LICENSE='
            - !Ref 'License'
            - "'\n"
            - export UCP_ELB_HOSTNAME='
            - !GetAtt 'UCPLoadBalancer.DNSName'
            - "'\n"
            - export DTR_ELB_HOSTNAME='
            - !GetAtt 'DTRLoadBalancer.DNSName'
            - "'\n"
            - export APP_ELB_HOSTNAME='
            - !GetAtt 'ExternalLoadBalancer.DNSName'
            - "'\n"
            - export MANAGER_COUNT='
            - !Ref 'ManagerSize'
            - "'\n"
            - export UCP_TAG='
            - !FindInMap
              - DockerForAWS
              - version
              - UCPTAG
            - "'\n"
            - export DTR_TAG='
            - !FindInMap
              - DockerForAWS
              - version
              - DTRTAG
            - "'\n"
            - export UCP_INIT_TAG='
            - !FindInMap
              - DockerForAWS
              - version
              - UCPINITTAG
            - "'\n"
            - export DTR_INIT_TAG='
            - !FindInMap
              - DockerForAWS
              - version
              - DTRINITTAG
            - "'\n"
            - "# set HTTP Proxy settings if set.\n"
            - "# make changes before docker is restarted.\n"
            - "if [ -n \"$HTTP_PROXY\" ]; then\n"
            - "  echo $HTTP_PROXY | mobyconfig set proxy/http\n"
            - "fi\n"
            - "\n"
            - "if [ -n \"$HTTPS_PROXY\" ]; then\n"
            - "  echo $HTTPS_PROXY | mobyconfig set proxy/https\n"
            - "fi\n"
            - "\n"
            - "if [ -n \"$NO_PROXY\" ]; then\n"
            - "  echo $NO_PROXY | mobyconfig set proxy/exclude\n"
            - "fi\n"
            - "\n"
            - "mkdir -p /var/lib/docker/editions\n"
            - "echo \"$EXTERNAL_LB\" > /var/lib/docker/editions/lb_name\n"
            - "echo \"# hostname : ELB_name\" >> /var/lib/docker/editions/elb.config\n"
            - "echo \"127.0.0.1: $EXTERNAL_LB\" >> /var/lib/docker/editions/elb.config\n"
            - "echo \"localhost: $EXTERNAL_LB\" >> /var/lib/docker/editions/elb.config\n"
            - "echo \"default: $EXTERNAL_LB\" >> /var/lib/docker/editions/elb.config\n"
            - "\n"
            - "echo '{\"experimental\": '$DOCKER_EXPERIMENTAL', \"labels\":[\"os=linux\", \"region='$NODE_REGION'\", \"availability_zone='$NODE_AZ'\", \"instance_type='$INSTANCE_TYPE'\", \"node_type='$NODE_TYPE'\" ]' > /etc/docker/daemon.json\n"
            - "\n"
            - "if [ $ENABLE_CLOUDWATCH_LOGS == 'yes' ] ; then\n"
            - "  echo ', \"log-driver\": \"awslogs\", \"log-opts\": {\"awslogs-group\": \"'$LOG_GROUP_NAME'\", \"tag\": \"{{.Name}}-{{.ID}}\" }}' >> /etc/docker/daemon.json\n"
            - "else\n"
            - "  echo ' }' >> /etc/docker/daemon.json\n"
            - "fi\n"
            - "\n"
            - "chown -R docker /home/docker/\n"
            - "chgrp -R docker /home/docker/\n"
            - "rc-service docker restart\n"
            - "sleep 5\n"
            - "\n"
            - "# init-aws\n"
            - "docker run --label com.docker.editions.system --log-driver=json-file --restart=no -d -e DYNAMODB_TABLE=$DYNAMODB_TABLE -e NODE_TYPE=$NODE_TYPE -e REGION=$AWS_REGION -e STACK_NAME=$STACK_NAME -e STACK_ID=\"$STACK_ID\" -e ACCOUNT_ID=$ACCOUNT_ID -e INSTANCE_NAME=$INSTANCE_NAME -e DOCKER_FOR_IAAS_VERSION=$DOCKER_FOR_IAAS_VERSION -e EDITION_ADDON=$EDITION_ADDON -e HAS_DDC=$HAS_DDC -v /var/run/docker.sock:/var/run/docker.sock -v /var/log:/var/log docker4x/init-aws:$DOCKER_FOR_IAAS_VERSION\n"
            - "\n"
            - "# guide-aws\n"
            - "docker run --label com.docker.editions.system --log-driver=json-file --log-opt max-size=50m --name=guide-aws --restart=always -d -e DYNAMODB_TABLE=$DYNAMODB_TABLE -e NODE_TYPE=$NODE_TYPE -e REGION=$AWS_REGION -e STACK_NAME=$STACK_NAME -e INSTANCE_NAME=$INSTANCE_NAME -e VPC_ID=$VPC_ID -e STACK_ID=\"$STACK_ID\" -e ACCOUNT_ID=$ACCOUNT_ID -e SWARM_QUEUE=\"$SWARM_QUEUE\" -e CLEANUP_QUEUE=\"$CLEANUP_QUEUE\" -e RUN_VACUUM=$RUN_VACUUM -e DOCKER_FOR_IAAS_VERSION=$DOCKER_FOR_IAAS_VERSION -e EDITION_ADDON=$EDITION_ADDON -e HAS_DDC=$HAS_DDC -e CHANNEL=$CHANNEL -v /var/run/docker.sock:/var/run/docker.sock docker4x/guide-aws:$DOCKER_FOR_IAAS_VERSION\n"
            - "\n"
            - "# cloudstor\n"
            - "docker plugin install --alias cloudstor:aws --grant-all-permissions docker4x/cloudstor:$DOCKER_FOR_IAAS_VERSION CLOUD_PLATFORM=AWS EFS_ID_REGULAR=$EFS_ID_REGULAR EFS_ID_MAXIO=$EFS_ID_MAXIO AWS_REGION=$AWS_REGION AWS_STACK_ID=$STACK_ID EFS_SUPPORTED=$ENABLE_EFS DEBUG=1\n"
            - "docker run --label com.docker.editions.system --log-driver=json-file --log-opt max-size=50m --name=meta-aws --restart=always -d -p $LOCAL_IP:9024:8080 -e AWS_REGION=$AWS_REGION -e MANAGER_SECURITY_GROUP_ID=$MANAGER_SECURITY_GROUP_ID -e WORKER_SECURITY_GROUP_ID=$WORKER_SECURITY_GROUP_ID -v /var/run/docker.sock:/var/run/docker.sock docker4x/meta-aws:$DOCKER_FOR_IAAS_VERSION metaserver -iaas_provider=aws\n"
            - "docker run --label com.docker.editions.system --log-driver=json-file --log-opt max-size=50m --name=l4controller-aws --restart=always -d -v /var/run/docker.sock:/var/run/docker.sock -v /var/lib/docker/editions:/var/lib/docker/editions docker4x/l4controller-aws:$DOCKER_FOR_IAAS_VERSION run --log=4 --all=true\n"
            - "# ddc-init-aws\n"
            - "docker pull docker4x/ddc-init-aws:$UCP_INIT_TAG\n"
            - "docker run --log-driver=json-file --name=ddc-init-aws --restart=on-failure:5 -e DYNAMODB_TABLE=$DYNAMODB_TABLE -e NODE_TYPE=$NODE_TYPE -e REGION=$AWS_REGION -e STACK_NAME=$STACK_NAME -e INSTANCE_NAME=$INSTANCE_NAME -e INSTALL_DDC='yes' -e NODE_NAME=$HOSTNAME -e UCP_ADMIN_USER=$UCP_ADMIN_USER -e UCP_ADMIN_PASSWORD=$UCP_ADMIN_PASSWORD -e S3_BUCKET_NAME=$S3_BUCKET_NAME -e LICENSE=\"$LICENSE\" -e UCP_ELB_HOSTNAME=$UCP_ELB_HOSTNAME -e DTR_ELB_HOSTNAME=$DTR_ELB_HOSTNAME -e APP_ELB_HOSTNAME=$APP_ELB_HOSTNAME -e MANAGER_COUNT=$MANAGER_COUNT -v /var/run/docker.sock:/var/run/docker.sock -v /usr/bin/docker:/usr/bin/docker -v /tmp/docker:/tmp/docker -e UCP_TAG=$UCP_TAG -e DTR_TAG=$DTR_TAG docker4x/ddc-init-aws:$UCP_INIT_TAG\n"
    Type: AWS::AutoScaling::LaunchConfiguration
  ManagerVpcSG:
    DependsOn: NodeVpcSG
    Properties:
      GroupDescription: Manager SecurityGroup.
      SecurityGroupIngress:
        - CidrIp: !Ref 'RemoteSSH'
          FromPort: 22
          IpProtocol: tcp
          ToPort: 22
        - IpProtocol: '50'
          SourceSecurityGroupId: !GetAtt 'NodeVpcSG.GroupId'
        - FromPort: 2377
          IpProtocol: tcp
          SourceSecurityGroupId: !GetAtt 'NodeVpcSG.GroupId'
          ToPort: 2377
        - FromPort: 4789
          IpProtocol: udp
          SourceSecurityGroupId: !GetAtt 'NodeVpcSG.GroupId'
          ToPort: 4789
        - FromPort: 7946
          IpProtocol: tcp
          SourceSecurityGroupId: !GetAtt 'NodeVpcSG.GroupId'
          ToPort: 7946
        - FromPort: 7946
          IpProtocol: udp
          SourceSecurityGroupId: !GetAtt 'NodeVpcSG.GroupId'
          ToPort: 7946
      VpcId: !Ref 'Vpc'
    Type: AWS::EC2::SecurityGroup
  MountTargetGP1:
    Condition: InstallCloudStorEFSPreReqs
    DependsOn:
      - FileSystemGP
      - SwarmWideSG
    Properties:
      FileSystemId: !Ref 'FileSystemGP'
      SecurityGroups:
        - !Ref 'SwarmWideSG'
      SubnetId: !Ref 'PubSubnetAz1'
    Type: AWS::EFS::MountTarget
  MountTargetGP2:
    Condition: InstallCloudStorEFSPreReqs
    DependsOn:
      - FileSystemGP
      - SwarmWideSG
    Properties:
      FileSystemId: !Ref 'FileSystemGP'
      SecurityGroups:
        - !Ref 'SwarmWideSG'
      SubnetId: !Ref 'PubSubnetAz2'
    Type: AWS::EFS::MountTarget
  MountTargetGP3:
    Condition: InstallCloudStorEFSPreReqs
    DependsOn:
      - FileSystemGP
      - SwarmWideSG
    Properties:
      FileSystemId: !Ref 'FileSystemGP'
      SecurityGroups:
        - !Ref 'SwarmWideSG'
      SubnetId: !Ref 'PubSubnetAz3'
    Type: AWS::EFS::MountTarget
  MountTargetMaxIO1:
    Condition: InstallCloudStorEFSPreReqs
    DependsOn:
      - FileSystemMaxIO
      - SwarmWideSG
    Properties:
      FileSystemId: !Ref 'FileSystemMaxIO'
      SecurityGroups:
        - !Ref 'SwarmWideSG'
      SubnetId: !Ref 'PubSubnetAz1'
    Type: AWS::EFS::MountTarget
  MountTargetMaxIO2:
    Condition: InstallCloudStorEFSPreReqs
    DependsOn:
      - FileSystemMaxIO
      - SwarmWideSG
    Properties:
      FileSystemId: !Ref 'FileSystemMaxIO'
      SecurityGroups:
        - !Ref 'SwarmWideSG'
      SubnetId: !Ref 'PubSubnetAz2'
    Type: AWS::EFS::MountTarget
  MountTargetMaxIO3:
    Condition: InstallCloudStorEFSPreReqs
    DependsOn:
      - FileSystemMaxIO
      - SwarmWideSG
    Properties:
      FileSystemId: !Ref 'FileSystemMaxIO'
      SecurityGroups:
        - !Ref 'SwarmWideSG'
      SubnetId: !Ref 'PubSubnetAz3'
    Type: AWS::EFS::MountTarget
  NodeAsg:
    CreationPolicy:
      ResourceSignal:
        Count: !Ref 'ClusterSize'
        Timeout: PT1H
    DependsOn: ManagerAsg
    Properties:
      DesiredCapacity: !Ref 'ClusterSize'
      HealthCheckGracePeriod: 300
      HealthCheckType: ELB
      LaunchConfigurationName: !Ref 'NodeLaunchConfig17062ee3aws1'
      LoadBalancerNames:
        - !Ref 'ExternalLoadBalancer'
      MaxSize: '1000'
      MetricsCollection:
        - Granularity: 1Minute
      MinSize: '0'
      Tags:
        - Key: Name
          PropagateAtLaunch: true
          Value: !Join
            - '-'
            - - !Ref 'AWS::StackName'
              - worker
        - Key: swarm-node-type
          PropagateAtLaunch: true
          Value: worker
        - Key: swarm-stack-id
          PropagateAtLaunch: true
          Value: !Ref 'AWS::StackId'
        - Key: DOCKER_FOR_AWS_VERSION
          PropagateAtLaunch: true
          Value: !FindInMap
            - DockerForAWS
            - version
            - forAws
        - Key: DOCKER_VERSION
          PropagateAtLaunch: true
          Value: !FindInMap
            - DockerForAWS
            - version
            - docker
      VPCZoneIdentifier:
        - !If
          - HasOnly2AZs
          - !Join
            - ','
            - - !Ref 'PubSubnetAz1'
              - !Ref 'PubSubnetAz2'
          - !Join
            - ','
            - - !Ref 'PubSubnetAz1'
              - !Ref 'PubSubnetAz2'
              - !Ref 'PubSubnetAz3'
    Type: AWS::AutoScaling::AutoScalingGroup
    UpdatePolicy:
      AutoScalingRollingUpdate:
        MaxBatchSize: 1
        MinInstancesInService: !Ref 'ClusterSize'
        PauseTime: PT1H
        WaitOnResourceSignals: true
  NodeLaunchConfig17062ee3aws1:
    DependsOn: ManagerAsg
    Properties:
      AssociatePublicIpAddress: true
      BlockDeviceMappings:
        - DeviceName: /dev/xvdb
          Ebs:
            VolumeSize: !Ref 'WorkerDiskSize'
            VolumeType: !Ref 'WorkerDiskType'
      IamInstanceProfile: !Ref 'WorkerInstanceProfile'
      ImageId: !FindInMap
        - AWSRegionArch2AMI
        - !Ref 'AWS::Region'
        - !FindInMap
          - AWSInstanceType2Arch
          - !Ref 'InstanceType'
          - Arch
      InstanceType: !Ref 'InstanceType'
      KeyName: !Ref 'KeyName'
      SecurityGroups:
        - !Ref 'NodeVpcSG'
      UserData: !Base64
        Fn::Join:
          - ''
          - - "#!/bin/sh\n"
            - export EXTERNAL_LB='
            - !Ref 'ExternalLoadBalancer'
            - "'\n"
            - export DOCKER_FOR_IAAS_VERSION='
            - !FindInMap
              - DockerForAWS
              - version
              - forAws
            - "'\n"
            - export CHANNEL='
            - !FindInMap
              - DockerForAWS
              - version
              - channel
            - "'\n"
            - export EDITION_ADDON='
            - !FindInMap
              - DockerForAWS
              - version
              - addOn
            - "'\n"
            - "export LOCAL_IP=$(wget -qO- http://169.254.169.254/latest/meta-data/local-ipv4)\n"
            - "export INSTANCE_TYPE=$(wget -qO- http://169.254.169.254/latest/meta-data/instance-type)\n"
            - "export NODE_AZ=$(wget -qO- http://169.254.169.254/latest/meta-data/placement/availability-zone/)\n"
            - "export NODE_REGION=$(echo $NODE_AZ | sed 's/.$//')\n"
            - export ENABLE_CLOUDWATCH_LOGS='
            - !Ref 'EnableCloudWatchLogs'
            - "'\n"
            - export AWS_REGION='
            - !Ref 'AWS::Region'
            - "'\n"
            - export MANAGER_SECURITY_GROUP_ID='
            - !Ref 'ManagerVpcSG'
            - "'\n"
            - export WORKER_SECURITY_GROUP_ID='
            - !Ref 'NodeVpcSG'
            - "'\n"
            - export DYNAMODB_TABLE='
            - !Ref 'SwarmDynDBTable'
            - "'\n"
            - export STACK_NAME='
            - !Ref 'AWS::StackName'
            - "'\n"
            - export STACK_ID='
            - !Ref 'AWS::StackId'
            - "'\n"
            - export ACCOUNT_ID='
            - !Ref 'AWS::AccountId'
            - "'\n"
            - export VPC_ID='
            - !Ref 'Vpc'
            - "'\n"
            - export SWARM_QUEUE='
            - !Ref 'SwarmSQS'
            - "'\n"
            - export CLEANUP_QUEUE='
            - !Ref 'SwarmSQSCleanup'
            - "'\n"
            - export RUN_VACUUM='
            - !Ref 'EnableSystemPrune'
            - "'\n"
            - export LOG_GROUP_NAME='
            - !Join
              - '-'
              - - !Ref 'AWS::StackName'
                - lg
            - "'\n"
            - export HAS_DDC='
            - !FindInMap
              - DockerForAWS
              - version
              - HasDDC
            - "'\n"
            - export ENABLE_EFS='
            - !If
              - InstallCloudStorEFSPreReqs
              - '1'
              - '0'
            - "'\n"
            - export EFS_ID_REGULAR='
            - !If
              - InstallCloudStorEFSPreReqs
              - !Ref 'FileSystemGP'
              - ''
            - "'\n"
            - export EFS_ID_MAXIO='
            - !If
              - InstallCloudStorEFSPreReqs
              - !Ref 'FileSystemMaxIO'
              - ''
            - "'\n"
            - "export DOCKER_EXPERIMENTAL='false' \n"
            - "export NODE_TYPE='worker'\n"
            - "export INSTANCE_NAME='NodeAsg'\n"
            - export HTTP_PROXY='
            - !Ref 'HTTPProxy'
            - "'\n"
            - export HTTPS_PROXY='
            - !Ref 'HTTPSProxy'
            - "'\n"
            - export NO_PROXY='
            - !Ref 'NoProxy'
            - "'\n"
            - export UCP_ADMIN_USER='
            - !Ref 'DDCUsernameSet'
            - "'\n"
            - export UCP_ADMIN_PASSWORD='
            - !Ref 'DDCPasswordSet'
            - "'\n"
            - export S3_BUCKET_NAME='
            - !Ref 'DDCBucket'
            - "'\n"
            - export LICENSE='
            - !Ref 'License'
            - "'\n"
            - export UCP_ELB_HOSTNAME='
            - !GetAtt 'UCPLoadBalancer.DNSName'
            - "'\n"
            - export DTR_ELB_HOSTNAME='
            - !GetAtt 'DTRLoadBalancer.DNSName'
            - "'\n"
            - export APP_ELB_HOSTNAME='
            - !GetAtt 'ExternalLoadBalancer.DNSName'
            - "'\n"
            - export MANAGER_COUNT='
            - !Ref 'ManagerSize'
            - "'\n"
            - export UCP_TAG='
            - !FindInMap
              - DockerForAWS
              - version
              - UCPTAG
            - "'\n"
            - export DTR_TAG='
            - !FindInMap
              - DockerForAWS
              - version
              - DTRTAG
            - "'\n"
            - export UCP_INIT_TAG='
            - !FindInMap
              - DockerForAWS
              - version
              - UCPINITTAG
            - "'\n"
            - export DTR_INIT_TAG='
            - !FindInMap
              - DockerForAWS
              - version
              - DTRINITTAG
            - "'\n"
            - "# set HTTP Proxy settings if set.\n"
            - "# make changes before docker is restarted.\n"
            - "if [ -n \"$HTTP_PROXY\" ]; then\n"
            - "  echo $HTTP_PROXY | mobyconfig set proxy/http\n"
            - "fi\n"
            - "\n"
            - "if [ -n \"$HTTPS_PROXY\" ]; then\n"
            - "  echo $HTTPS_PROXY | mobyconfig set proxy/https\n"
            - "fi\n"
            - "\n"
            - "if [ -n \"$NO_PROXY\" ]; then\n"
            - "  echo $NO_PROXY | mobyconfig set proxy/exclude\n"
            - "fi\n"
            - "\n"
            - "mkdir -p /var/lib/docker/editions\n"
            - "echo \"$EXTERNAL_LB\" > /var/lib/docker/editions/lb_name\n"
            - "echo \"# hostname : ELB_name\" >> /var/lib/docker/editions/elb.config\n"
            - "echo \"127.0.0.1: $EXTERNAL_LB\" >> /var/lib/docker/editions/elb.config\n"
            - "echo \"localhost: $EXTERNAL_LB\" >> /var/lib/docker/editions/elb.config\n"
            - "echo \"default: $EXTERNAL_LB\" >> /var/lib/docker/editions/elb.config\n"
            - "\n"
            - "echo '{\"experimental\": '$DOCKER_EXPERIMENTAL', \"labels\":[\"os=linux\", \"region='$NODE_REGION'\", \"availability_zone='$NODE_AZ'\", \"instance_type='$INSTANCE_TYPE'\", \"node_type='$NODE_TYPE'\" ]' > /etc/docker/daemon.json\n"
            - "\n"
            - "if [ $ENABLE_CLOUDWATCH_LOGS == 'yes' ] ; then\n"
            - "  echo ', \"log-driver\": \"awslogs\", \"log-opts\": {\"awslogs-group\": \"'$LOG_GROUP_NAME'\", \"tag\": \"{{.Name}}-{{.ID}}\" }}' >> /etc/docker/daemon.json\n"
            - "else\n"
            - "  echo ' }' >> /etc/docker/daemon.json\n"
            - "fi\n"
            - "\n"
            - "chown -R docker /home/docker/\n"
            - "chgrp -R docker /home/docker/\n"
            - "rc-service docker restart\n"
            - "sleep 5\n"
            - "\n"
            - "# init-aws\n"
            - "docker run --label com.docker.editions.system --log-driver=json-file --restart=no -d -e DYNAMODB_TABLE=$DYNAMODB_TABLE -e NODE_TYPE=$NODE_TYPE -e REGION=$AWS_REGION -e STACK_NAME=$STACK_NAME -e STACK_ID=\"$STACK_ID\" -e ACCOUNT_ID=$ACCOUNT_ID -e INSTANCE_NAME=$INSTANCE_NAME -e DOCKER_FOR_IAAS_VERSION=$DOCKER_FOR_IAAS_VERSION -e EDITION_ADDON=$EDITION_ADDON -e HAS_DDC=$HAS_DDC -v /var/run/docker.sock:/var/run/docker.sock -v /var/log:/var/log docker4x/init-aws:$DOCKER_FOR_IAAS_VERSION\n"
            - "\n"
            - "# guide-aws\n"
            - "docker run --label com.docker.editions.system --log-driver=json-file --log-opt max-size=50m --name=guide-aws --restart=always -d -e DYNAMODB_TABLE=$DYNAMODB_TABLE -e NODE_TYPE=$NODE_TYPE -e REGION=$AWS_REGION -e STACK_NAME=$STACK_NAME -e INSTANCE_NAME=$INSTANCE_NAME -e VPC_ID=$VPC_ID -e STACK_ID=\"$STACK_ID\" -e ACCOUNT_ID=$ACCOUNT_ID -e SWARM_QUEUE=\"$SWARM_QUEUE\" -e CLEANUP_QUEUE=\"$CLEANUP_QUEUE\" -e RUN_VACUUM=$RUN_VACUUM -e DOCKER_FOR_IAAS_VERSION=$DOCKER_FOR_IAAS_VERSION -e EDITION_ADDON=$EDITION_ADDON -e HAS_DDC=$HAS_DDC -e CHANNEL=$CHANNEL -v /var/run/docker.sock:/var/run/docker.sock docker4x/guide-aws:$DOCKER_FOR_IAAS_VERSION\n"
            - "\n"
            - "# cloudstor\n"
            - "docker plugin install --alias cloudstor:aws --grant-all-permissions docker4x/cloudstor:$DOCKER_FOR_IAAS_VERSION CLOUD_PLATFORM=AWS EFS_ID_REGULAR=$EFS_ID_REGULAR EFS_ID_MAXIO=$EFS_ID_MAXIO AWS_REGION=$AWS_REGION AWS_STACK_ID=$STACK_ID EFS_SUPPORTED=$ENABLE_EFS DEBUG=1\n"
            - "# Worker user data\n"
            - "# ddc-init-aws\n"
            - "docker pull docker4x/ddc-init-aws:$UCP_INIT_TAG\n"
            - "docker run --log-driver=json-file --name=ddc-init-aws --restart=on-failure:5 -e DYNAMODB_TABLE=$DYNAMODB_TABLE -e NODE_TYPE=$NODE_TYPE -e REGION=$AWS_REGION -e STACK_NAME=$STACK_NAME -e INSTANCE_NAME=$INSTANCE_NAME -e INSTALL_DDC='yes' -e NODE_NAME=$HOSTNAME -e 
UCP_ADMIN_USER=$UCP_ADMIN_USER -e UCP_ADMIN_PASSWORD=$UCP_ADMIN_PASSWORD\ \ -e S3_BUCKET_NAME=$S3_BUCKET_NAME -e LICENSE=\"$LICENSE\" -e UCP_ELB_HOSTNAME=$UCP_ELB_HOSTNAME\ \ -e DTR_ELB_HOSTNAME=$DTR_ELB_HOSTNAME -e APP_ELB_HOSTNAME=$APP_ELB_HOSTNAME\ \ -e MANAGER_COUNT=$MANAGER_COUNT -v /var/run/docker.sock:/var/run/docker.sock\ \ -v /usr/bin/docker:/usr/bin/docker -v /tmp/docker:/tmp/docker -e UCP_TAG=$UCP_TAG\ \ -e DTR_TAG=$DTR_TAG docker4x/ddc-init-aws:$UCP_INIT_TAG\n" Type: AWS::AutoScaling::LaunchConfiguration NodeVpcSG: DependsOn: Vpc Properties: GroupDescription: Node SecurityGroup. SecurityGroupEgress: - CidrIp: '0.0.0.0/0' FromPort: 8 IpProtocol: icmp ToPort: 0 - CidrIp: '0.0.0.0/0' IpProtocol: '50' - CidrIp: '0.0.0.0/0' FromPort: 0 IpProtocol: udp ToPort: 65535 - CidrIp: '0.0.0.0/0' FromPort: 0 IpProtocol: tcp ToPort: 2374 - CidrIp: '0.0.0.0/0' FromPort: 2376 IpProtocol: tcp ToPort: 65535 SecurityGroupIngress: - CidrIp: !FindInMap - VpcCidrs - vpc - cidr FromPort: 0 IpProtocol: '-1' ToPort: 65535 VpcId: !Ref 'Vpc' Type: AWS::EC2::SecurityGroup ProxyInstanceProfile: DependsOn: ProxyRole Properties: Path: / Roles: - !Ref 'ProxyRole' Type: AWS::IAM::InstanceProfile ProxyPolicies: DependsOn: ProxyRole Properties: PolicyDocument: Statement: - Action: - elasticloadbalancing:DeregisterInstancesFromLoadBalancer - elasticloadbalancing:CreateLoadBalancerListeners - elasticloadbalancing:DeleteLoadBalancerListeners - elasticloadbalancing:ConfigureHealthCheck - elasticloadbalancing:DescribeTags - elasticloadbalancing:SetLoadBalancerListenerSSLCertificate - elasticloadbalancing:DescribeSSLPolicies - elasticloadbalancing:DescribeLoadBalancers Effect: Allow Resource: '*' Version: '2012-10-17' PolicyName: elb-update Roles: - !Ref 'ProxyRole' Type: AWS::IAM::Policy ProxyRole: Properties: AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - ec2.amazonaws.com - autoscaling.amazonaws.com Version: '2012-10-17' Path: / Type: 
AWS::IAM::Role PubSubnet1RouteTableAssociation: DependsOn: - PubSubnetAz1 - RouteViaIgw Properties: RouteTableId: !Ref 'RouteViaIgw' SubnetId: !Ref 'PubSubnetAz1' Type: AWS::EC2::SubnetRouteTableAssociation PubSubnet2RouteTableAssociation: DependsOn: - PubSubnetAz2 - RouteViaIgw Properties: RouteTableId: !Ref 'RouteViaIgw' SubnetId: !Ref 'PubSubnetAz2' Type: AWS::EC2::SubnetRouteTableAssociation PubSubnet3RouteTableAssociation: DependsOn: - PubSubnetAz3 - RouteViaIgw Properties: RouteTableId: !Ref 'RouteViaIgw' SubnetId: !Ref 'PubSubnetAz3' Type: AWS::EC2::SubnetRouteTableAssociation PubSubnetAz1: DependsOn: Vpc Properties: AvailabilityZone: !If - LambdaSupported - !GetAtt 'AZInfo.AZ0' - !Select - !FindInMap - AWSRegion2AZ - !Ref 'AWS::Region' - AZ0 - !GetAZs Ref: AWS::Region CidrBlock: !FindInMap - VpcCidrs - pubsubnet1 - cidr Tags: - Key: Name Value: !Join - '-' - - !Ref 'AWS::StackName' - Subnet1 VpcId: !Ref 'Vpc' Type: AWS::EC2::Subnet PubSubnetAz2: DependsOn: Vpc Properties: AvailabilityZone: !If - LambdaSupported - !GetAtt 'AZInfo.AZ1' - !Select - !FindInMap - AWSRegion2AZ - !Ref 'AWS::Region' - AZ1 - !GetAZs Ref: AWS::Region CidrBlock: !FindInMap - VpcCidrs - pubsubnet2 - cidr Tags: - Key: Name Value: !Join - '-' - - !Ref 'AWS::StackName' - Subnet2 VpcId: !Ref 'Vpc' Type: AWS::EC2::Subnet PubSubnetAz3: DependsOn: Vpc Properties: AvailabilityZone: !If - LambdaSupported - !GetAtt 'AZInfo.AZ2' - !Select - !FindInMap - AWSRegion2AZ - !Ref 'AWS::Region' - AZ2 - !GetAZs Ref: AWS::Region CidrBlock: !FindInMap - VpcCidrs - pubsubnet3 - cidr Tags: - Key: Name Value: !Join - '-' - - !Ref 'AWS::StackName' - Subnet3 VpcId: !Ref 'Vpc' Type: AWS::EC2::Subnet PublicRouteViaIgw: DependsOn: - AttachGateway - RouteViaIgw Properties: DestinationCidrBlock: '0.0.0.0/0' GatewayId: !Ref 'InternetGateway' RouteTableId: !Ref 'RouteViaIgw' Type: AWS::EC2::Route RouteViaIgw: DependsOn: Vpc Properties: Tags: - Key: Name Value: !Join - '-' - - !Ref 'AWS::StackName' - RT VpcId: !Ref 
'Vpc' Type: AWS::EC2::RouteTable S3Policies: DependsOn: ProxyRole Properties: PolicyDocument: Statement: - Action: - s3:ListBucket - s3:GetBucketLocation - s3:ListBucketMultipartUploads Effect: Allow Resource: !Join - '' - - 'arn:aws:s3:::' - !Ref 'DDCBucket' - Action: - s3:PutObject - s3:GetObject - s3:DeleteObject - s3:ListMultipartUploadParts - s3:AbortMultipartUpload Effect: Allow Resource: !Join - '' - - 'arn:aws:s3:::' - !Ref 'DDCBucket' - /* Version: '2012-10-17' PolicyName: S3-DDC-Policy Roles: - !Ref 'ProxyRole' Type: AWS::IAM::Policy SwarmAPIPolicy: DependsOn: ProxyRole Properties: PolicyDocument: Statement: - Action: - ec2:DescribeInstances - ec2:DescribeVpcAttribute Effect: Allow Resource: '*' Version: '2012-10-17' PolicyName: swarm-policy Roles: - !Ref 'ProxyRole' Type: AWS::IAM::Policy SwarmAutoscalePolicy: DependsOn: - ProxyRole - WorkerRole Properties: PolicyDocument: Statement: - Action: - autoscaling:RecordLifecycleActionHeartbeat - autoscaling:CompleteLifecycleAction Effect: Allow Resource: '*' Version: '2012-10-17' PolicyName: swarm-autoscale-policy Roles: - !Ref 'ProxyRole' - !Ref 'WorkerRole' Type: AWS::IAM::Policy SwarmDynDBTable: DependsOn: ExternalLoadBalancer Properties: AttributeDefinitions: - AttributeName: node_type AttributeType: S KeySchema: - AttributeName: node_type KeyType: HASH ProvisionedThroughput: ReadCapacityUnits: 1 WriteCapacityUnits: 1 TableName: !Join - '-' - - !Ref 'AWS::StackName' - dyndbtable Type: AWS::DynamoDB::Table SwarmLogPolicy: DependsOn: - ProxyRole - WorkerRole Properties: PolicyDocument: Statement: - Action: - logs:CreateLogStream - logs:PutLogEvents Effect: Allow Resource: '*' Version: '2012-10-17' PolicyName: swarm-log-policy Roles: - !Ref 'ProxyRole' - !Ref 'WorkerRole' Type: AWS::IAM::Policy SwarmManagerUpgradeHook: DependsOn: SwarmSQS Properties: AutoScalingGroupName: !Ref 'ManagerAsg' LifecycleTransition: autoscaling:EC2_INSTANCE_TERMINATING NotificationTargetARN: !GetAtt 'SwarmSQS.Arn' RoleARN: !GetAtt 
'ProxyRole.Arn' Type: AWS::AutoScaling::LifecycleHook SwarmSQS: Properties: MessageRetentionPeriod: 43200 ReceiveMessageWaitTimeSeconds: 10 Type: AWS::SQS::Queue SwarmSQSCleanup: Properties: MessageRetentionPeriod: 43200 ReceiveMessageWaitTimeSeconds: 10 Type: AWS::SQS::Queue SwarmSQSCleanupPolicy: DependsOn: - ProxyRole - WorkerRole - SwarmSQSCleanup Properties: PolicyDocument: Statement: - Action: - sqs:DeleteMessage - sqs:ReceiveMessage - sqs:SendMessage - sqs:GetQueueAttributes - sqs:GetQueueUrl - sqs:ListQueues Effect: Allow Resource: !GetAtt 'SwarmSQSCleanup.Arn' Version: '2012-10-17' PolicyName: swarm-sqs-cleanup-policy Roles: - !Ref 'ProxyRole' - !Ref 'WorkerRole' Type: AWS::IAM::Policy SwarmSQSPolicy: DependsOn: - ProxyRole - WorkerRole - SwarmSQS Properties: PolicyDocument: Statement: - Action: - sqs:DeleteMessage - sqs:ReceiveMessage - sqs:SendMessage - sqs:GetQueueAttributes - sqs:GetQueueUrl - sqs:ListQueues Effect: Allow Resource: !GetAtt 'SwarmSQS.Arn' Version: '2012-10-17' PolicyName: swarm-sqs-policy Roles: - !Ref 'ProxyRole' - !Ref 'WorkerRole' Type: AWS::IAM::Policy SwarmWideSG: DependsOn: Vpc Properties: GroupDescription: Swarm wide access. 
SecurityGroupIngress: - CidrIp: !FindInMap - VpcCidrs - vpc - cidr FromPort: 0 IpProtocol: '-1' ToPort: 65535 VpcId: !Ref 'Vpc' Type: AWS::EC2::SecurityGroup SwarmWorkerUpgradeHook: DependsOn: SwarmSQS Properties: AutoScalingGroupName: !Ref 'NodeAsg' LifecycleTransition: autoscaling:EC2_INSTANCE_TERMINATING NotificationTargetARN: !GetAtt 'SwarmSQS.Arn' RoleARN: !GetAtt 'WorkerRole.Arn' Type: AWS::AutoScaling::LifecycleHook UCPLoadBalancer: DependsOn: - AttachGateway - UCPLoadBalancerSG - PubSubnetAz1 - PubSubnetAz2 - PubSubnetAz3 Properties: ConnectionSettings: IdleTimeout: 1800 CrossZone: true HealthCheck: HealthyThreshold: '2' Interval: '60' Target: HTTPS:443/_ping Timeout: '10' UnhealthyThreshold: '10' Listeners: - InstancePort: '443' LoadBalancerPort: '443' Protocol: TCP SecurityGroups: - !Ref 'UCPLoadBalancerSG' Subnets: !If - HasOnly2AZs - - !Ref 'PubSubnetAz1' - !Ref 'PubSubnetAz2' - - !Ref 'PubSubnetAz1' - !Ref 'PubSubnetAz2' - !Ref 'PubSubnetAz3' Tags: - Key: Name Value: !Join - '-' - - !Ref 'AWS::StackName' - ELB-UCP Type: AWS::ElasticLoadBalancing::LoadBalancer UCPLoadBalancerSG: DependsOn: Vpc Properties: GroupDescription: UCP Load Balancer SecurityGroup. SecurityGroupIngress: - CidrIp: '0.0.0.0/0' FromPort: 443 IpProtocol: tcp ToPort: 443 VpcId: !Ref 'Vpc' Type: AWS::EC2::SecurityGroup Vpc: Properties: CidrBlock: !FindInMap - VpcCidrs - vpc - cidr EnableDnsHostnames: true EnableDnsSupport: true Tags: - Key: Name Value: !Join - '-' - - !Ref 'AWS::StackName' - VPC Type: AWS::EC2::VPC WorkerInstanceProfile: DependsOn: WorkerRole Properties: Path: / Roles: - !Ref 'WorkerRole' Type: AWS::IAM::InstanceProfile WorkerRole: Properties: AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - ec2.amazonaws.com - autoscaling.amazonaws.com Version: '2012-10-17' Path: / Type: AWS::IAM::Role
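The security groups and IAM policies above are the parts of this template a reviewer checks first: which rules admit 0.0.0.0/0, which use protocol -1, and which IAM statements grant actions on Resource '*'. The script below is an added example, not code from the Docker EE for AWS template or from Docker; it audits a CloudFormation template offline for exactly those three conditions. SAMPLE_TEMPLATE is a constructed JSON transcription of four of the resources above (NodeVpcSG, UCPLoadBalancerSG, ProxyPolicies, S3Policies), chosen because CloudFormation accepts JSON and the stdlib parser then suffices. Intrinsic functions are deliberately left unresolved: a CidrIp given as an intrinsic cannot be the literal 0.0.0.0/0, and an IAM Resource that is not the literal '*' is treated as scoped.

```python
"""Least-privilege audit of CloudFormation security groups and IAM policies.

Added example; SAMPLE_TEMPLATE is a constructed JSON transcription of four
resources from the page's template, not the template itself.
"""
import json

SAMPLE_TEMPLATE = r'''{
  "Resources": {
    "NodeVpcSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "SecurityGroupEgress": [
          {"CidrIp": "0.0.0.0/0", "FromPort": 0, "IpProtocol": "tcp", "ToPort": 2374},
          {"CidrIp": "0.0.0.0/0", "FromPort": 2376, "IpProtocol": "tcp", "ToPort": 65535}
        ],
        "SecurityGroupIngress": [
          {"CidrIp": {"Fn::FindInMap": ["VpcCidrs", "vpc", "cidr"]},
           "FromPort": 0, "IpProtocol": "-1", "ToPort": 65535}
        ],
        "VpcId": {"Ref": "Vpc"}
      }
    },
    "UCPLoadBalancerSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "SecurityGroupIngress": [
          {"CidrIp": "0.0.0.0/0", "FromPort": 443, "IpProtocol": "tcp", "ToPort": 443}
        ],
        "VpcId": {"Ref": "Vpc"}
      }
    },
    "ProxyPolicies": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "elb-update",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
          {"Effect": "Allow", "Resource": "*",
           "Action": ["elasticloadbalancing:DeleteLoadBalancerListeners",
                      "elasticloadbalancing:DescribeLoadBalancers"]}]}
      }
    },
    "S3Policies": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "S3-DDC-Policy",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
          {"Effect": "Allow",
           "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "DDCBucket"}, "/*"]]},
           "Action": ["s3:PutObject", "s3:GetObject"]}]}
      }
    }
  }
}'''

WORLD = {"0.0.0.0/0", "::/0"}


def _as_list(value):
    # IAM allows Resource/Action/Statement to be a single value or a list.
    return value if isinstance(value, list) else [value]


def audit_security_groups(template):
    """Findings for rules that admit the whole internet or span every protocol."""
    findings = []
    for name, res in template["Resources"].items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        props = res.get("Properties", {})
        for direction in ("SecurityGroupIngress", "SecurityGroupEgress"):
            for rule in props.get(direction, []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                proto = str(rule.get("IpProtocol"))
                ports = (rule.get("FromPort"), rule.get("ToPort"))
                if direction == "SecurityGroupIngress" and isinstance(cidr, str) and cidr in WORLD:
                    findings.append((name, "ingress-from-world", proto, ports))
                if proto == "-1":  # -1 is "all protocols"; EC2 ignores the port bounds
                    findings.append((name, direction + "-all-protocols", proto, ports))
    return findings


def audit_iam_policies(template):
    """(resource, PolicyName, actions) for every Allow statement whose Resource is '*'."""
    findings = []
    for name, res in template["Resources"].items():
        if res.get("Type") not in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            continue
        props = res.get("Properties", {})
        for stmt in _as_list(props.get("PolicyDocument", {}).get("Statement", [])):
            literal = [r for r in _as_list(stmt.get("Resource", [])) if isinstance(r, str)]
            if stmt.get("Effect") == "Allow" and "*" in literal:
                findings.append((name, props.get("PolicyName"), tuple(_as_list(stmt.get("Action", [])))))
    return findings


def audit(template_text):
    """Parse a JSON template (e.g. from `aws cloudformation get-template`) and run both checks."""
    template = json.loads(template_text)
    return {"security_groups": audit_security_groups(template),
            "iam": audit_iam_policies(template)}


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_TEMPLATE).items():
        print(kind)
        for item in items:
            print("   ", item)
```

On the constructed sample the two security-group findings are the expected ones for this design: UCPLoadBalancerSG admits TCP 443 from anywhere (the public UCP endpoint), and NodeVpcSG's ingress is all protocols, but only from the VPC CIDR, which the unresolved Fn::FindInMap leaves unflagged as world-open. S3Policies produces no finding because its Resource is a bucket-scoped Fn::Join; ProxyPolicies does, because its ELB actions are granted on '*'.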
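The worker launch configuration builds its user data from an Fn::Join over Ref, Fn::FindInMap, Fn::GetAtt and Fn::If fragments, so what the instance actually receives is only visible once those intrinsics are evaluated. The second added example (again not code from the template or from Docker) does that evaluation the way CloudFormation does, for the subset of intrinsics the UserData above uses, and then lists which exported variables carry secrets. USER_DATA is an abridged Python transcription of the page's Fn::Join; PARAMS, MAPPINGS, ATTRS and CONDITIONS are constructed stand-ins for the parameter values, mapping entries, resource attributes and condition results a real stack would supply. The SECRET_NAME pattern is this example's own heuristic.

```python
"""Render a CloudFormation UserData Fn::Join as CloudFormation would, then list
the secrets it exports.

Added example. USER_DATA is an abridged transcription of the page's worker
UserData; PARAMS, MAPPINGS, ATTRS and CONDITIONS are constructed stack inputs.
"""
import re

# Constructed stand-ins for parameter values, mappings, attributes and conditions.
PARAMS = {
    "AWS::StackName": "swarm-prod",
    "AWS::Region": "us-east-1",
    "ExternalLoadBalancer": "swarm-prod-ELB-1A2B3C",
    "EnableCloudWatchLogs": "yes",
    "DDCUsernameSet": "admin",
    "DDCPasswordSet": "Hunter2!Hunter2!",
    "License": '{"key_id":"example","private_key":"REDACTED-EXAMPLE"}',
}
MAPPINGS = {"DockerForAWS": {"version": {"forAws": "aws-v0.0.0-example", "HasDDC": "yes"}}}
ATTRS = {"UCPLoadBalancer.DNSName": "swarm-prod-ucp.example.elb.amazonaws.com"}
CONDITIONS = {"InstallCloudStorEFSPreReqs": False}

USER_DATA = {"Fn::Join": ["", [
    "#!/bin/sh\n",
    "export EXTERNAL_LB='", {"Ref": "ExternalLoadBalancer"}, "'\n",
    "export DOCKER_FOR_IAAS_VERSION='", {"Fn::FindInMap": ["DockerForAWS", "version", "forAws"]}, "'\n",
    "export ENABLE_CLOUDWATCH_LOGS='", {"Ref": "EnableCloudWatchLogs"}, "'\n",
    "export AWS_REGION='", {"Ref": "AWS::Region"}, "'\n",
    "export LOG_GROUP_NAME='", {"Fn::Join": ["-", [{"Ref": "AWS::StackName"}, "lg"]]}, "'\n",
    "export ENABLE_EFS='", {"Fn::If": ["InstallCloudStorEFSPreReqs", "1", "0"]}, "'\n",
    "export NODE_TYPE='worker'\n",
    "export UCP_ADMIN_USER='", {"Ref": "DDCUsernameSet"}, "'\n",
    "export UCP_ADMIN_PASSWORD='", {"Ref": "DDCPasswordSet"}, "'\n",
    "export LICENSE='", {"Ref": "License"}, "'\n",
    "export UCP_ELB_HOSTNAME='", {"Fn::GetAtt": ["UCPLoadBalancer", "DNSName"]}, "'\n",
]]}


def resolve(node):
    """Evaluate the intrinsic functions the page's UserData uses; other values pass through."""
    if isinstance(node, list):
        return [resolve(n) for n in node]
    if not isinstance(node, dict):
        return node
    (fn, arg), = node.items()          # intrinsics are single-key dicts
    if fn == "Ref":
        return PARAMS[arg]
    if fn == "Fn::FindInMap":
        map_name, top, second = resolve(arg)
        return MAPPINGS[map_name][top][second]
    if fn == "Fn::GetAtt":
        return ATTRS[".".join(arg)]
    if fn == "Fn::If":
        cond, if_true, if_false = arg
        return resolve(if_true if CONDITIONS[cond] else if_false)
    if fn == "Fn::Join":
        delim, parts = arg
        return delim.join(str(p) for p in resolve(parts))
    raise ValueError("unsupported intrinsic: " + fn)


# Heuristic for secret-bearing variable names (this example's own choice).
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|LICENSE|PRIVATE|API_KEY|ACCESS_KEY")
EXPORT = re.compile(r"^export\s+([A-Z0-9_]+)='(.*)'\s*$", re.M)


def render_user_data():
    """The shell script exactly as the instance receives it."""
    return resolve(USER_DATA)


def exported_secrets(script):
    """{name: value} for exported variables whose name looks secret-bearing."""
    return {n: v for n, v in EXPORT.findall(script) if SECRET_NAME.search(n)}


if __name__ == "__main__":
    script = render_user_data()
    print(script)
    for name in exported_secrets(script):
        print("cleartext secret in user data:", name)
```

The rendered script is what EC2 serves back at http://169.254.169.254/latest/user-data; the page's own script already reads the neighbouring meta-data paths with wget, and any process on the node that can reach that address, containers with host networking included, can read UCP_ADMIN_PASSWORD and LICENSE from the same place.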