Parameters:
ProjectName:
Type: String
Description: Project name to link stacks
EnvoyImage:
Type: String
Description: Envoy container image
ColorServerImage:
Type: String
Description: Color server app container image
ContainerPort:
Type: Number
Description: Port number to use for applications
Default: 8080
Resources:
PublicLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Type: network
Scheme: internet-facing
Subnets:
- Fn::ImportValue: !Sub '${ProjectName}:PublicSubnet1'
- Fn::ImportValue: !Sub '${ProjectName}:PublicSubnet2'
WebTargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
HealthCheckIntervalSeconds: 30
HealthCheckPort: 8080
HealthCheckProtocol: TCP
HealthCheckTimeoutSeconds: 10
HealthyThresholdCount: 3
TargetType: ip
Name: !Sub '${ProjectName}-wtg'
Port: 80
Protocol: TCP
UnhealthyThresholdCount: 3
TargetGroupAttributes:
- Key: deregistration_delay.timeout_seconds
Value: 120
VpcId:
Fn::ImportValue: !Sub '${ProjectName}:VPC'
PublicLoadBalancerListener:
Type: AWS::ElasticLoadBalancingV2::Listener
DependsOn:
- PublicLoadBalancer
Properties:
DefaultActions:
- TargetGroupArn: !Ref WebTargetGroup
Type: 'forward'
LoadBalancerArn: !Ref PublicLoadBalancer
Port: 80
Protocol: TCP
TaskSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: "Security group for the tasks"
VpcId:
Fn::ImportValue: !Sub '${ProjectName}:VPC'
SecurityGroupIngress:
- CidrIp:
Fn::ImportValue: !Sub '${ProjectName}:VpcCIDR'
IpProtocol: -1
LogGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: !Sub '${ProjectName}-log-group'
RetentionInDays: 30
TaskIamRole:
Type: AWS::IAM::Role
Properties:
Path: /
AssumeRolePolicyDocument: |
{
"Statement": [{
"Effect": "Allow",
"Principal": { "Service": [ "ecs-tasks.amazonaws.com" ]},
"Action": [ "sts:AssumeRole" ]
}]
}
ManagedPolicyArns:
- arn:aws:iam::aws:policy/CloudWatchFullAccess
- arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess
- arn:aws:iam::aws:policy/AWSAppMeshEnvoyAccess
TaskExecutionIamRole:
Type: AWS::IAM::Role
Properties:
Path: /
AssumeRolePolicyDocument: |
{
"Statement": [{
"Effect": "Allow",
"Principal": { "Service": [ "ecs-tasks.amazonaws.com" ]},
"Action": [ "sts:AssumeRole" ]
}]
}
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
- arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: "Security group for the instances"
VpcId:
Fn::ImportValue: !Sub '${ProjectName}:VPC'
SecurityGroupIngress:
- CidrIp:
Fn::ImportValue: !Sub '${ProjectName}:VpcCIDR'
IpProtocol: -1
ColorGatewayRegistry:
Type: AWS::ServiceDiscovery::Service
Properties:
Name: 'color_gateway'
DnsConfig:
NamespaceId:
Fn::ImportValue: !Sub '${ProjectName}:CloudMapNamespaceId'
DnsRecords:
- Type: A
TTL: 300
HealthCheckCustomConfig:
FailureThreshold: 1
ColorGatewayService:
Type: AWS::ECS::Service
DependsOn:
- ColorServerService
- PublicLoadBalancerListener
Properties:
Cluster:
Fn::ImportValue: !Sub '${ProjectName}:ECSCluster'
DeploymentConfiguration:
MaximumPercent: 200
MinimumHealthyPercent: 100
DesiredCount: 1
LaunchType: 'FARGATE'
ServiceRegistries:
- RegistryArn: !GetAtt 'ColorGatewayRegistry.Arn'
NetworkConfiguration:
AwsvpcConfiguration:
AssignPublicIp: DISABLED
SecurityGroups:
- !Ref SecurityGroup
Subnets:
- Fn::ImportValue: !Sub '${ProjectName}:PrivateSubnet1'
- Fn::ImportValue: !Sub '${ProjectName}:PrivateSubnet2'
TaskDefinition: !Ref ColorGatewayTaskDef
LoadBalancers:
- ContainerName: app
ContainerPort: !Ref ContainerPort
TargetGroupArn: !Ref WebTargetGroup
ColorGatewayTaskDef:
Type: AWS::ECS::TaskDefinition
Properties:
RequiresCompatibilities:
- 'FARGATE'
Family: 'color_gateway'
NetworkMode: 'awsvpc'
Cpu: 256
Memory: 512
TaskRoleArn: !Ref TaskIamRole
ExecutionRoleArn: !Ref TaskExecutionIamRole
ContainerDefinitions:
- Name: app
Image: !Ref EnvoyImage
Essential: true
User: '1337'
Ulimits:
- Name: "nofile"
HardLimit: 15000
SoftLimit: 15000
PortMappings:
- ContainerPort: 9901
Protocol: 'tcp'
- ContainerPort: !Ref ContainerPort
Protocol: 'tcp'
HealthCheck:
Command:
- 'CMD-SHELL'
- 'curl -s http://localhost:9901/server_info | grep state | grep -q LIVE'
Interval: 5
Timeout: 2
Retries: 3
LogConfiguration:
LogDriver: 'awslogs'
Options:
awslogs-group: !Sub '${ProjectName}-log-group'
awslogs-region: !Ref AWS::Region
awslogs-stream-prefix: 'color_gateway-envoy'
Environment:
- Name: 'APPMESH_RESOURCE_ARN'
Value: !Sub 'mesh/${ProjectName}-mesh/virtualGateway/color_gateway'
- Name: 'ENVOY_LOG_LEVEL'
Value: 'debug'
ColorServerRegistry:
Type: AWS::ServiceDiscovery::Service
Properties:
Name: 'color_server'
DnsConfig:
NamespaceId:
Fn::ImportValue: !Sub '${ProjectName}:CloudMapNamespaceId'
DnsRecords:
- Type: A
TTL: 300
HealthCheckCustomConfig:
FailureThreshold: 1
ColorServerService:
Type: AWS::ECS::Service
Properties:
Cluster:
Fn::ImportValue: !Sub '${ProjectName}:ECSCluster'
DeploymentConfiguration:
MaximumPercent: 200
MinimumHealthyPercent: 100
DesiredCount: 1
LaunchType: 'FARGATE'
ServiceRegistries:
- RegistryArn: !GetAtt 'ColorServerRegistry.Arn'
NetworkConfiguration:
AwsvpcConfiguration:
AssignPublicIp: DISABLED
SecurityGroups:
- !Ref SecurityGroup
Subnets:
- Fn::ImportValue: !Sub '${ProjectName}:PrivateSubnet1'
- Fn::ImportValue: !Sub '${ProjectName}:PrivateSubnet2'
TaskDefinition: !Ref ColorServerTaskDef
ColorServerTaskDef:
Type: AWS::ECS::TaskDefinition
Properties:
RequiresCompatibilities:
- 'FARGATE'
Family: 'color_server'
NetworkMode: 'awsvpc'
Cpu: 256
Memory: 512
TaskRoleArn: !Ref TaskIamRole
ExecutionRoleArn: !Ref TaskExecutionIamRole
ProxyConfiguration:
Type: 'APPMESH'
ContainerName: 'envoy'
ProxyConfigurationProperties:
- Name: 'IgnoredUID'
Value: '1337'
- Name: 'ProxyIngressPort'
Value: '15000'
- Name: 'ProxyEgressPort'
Value: '15001'
- Name: 'AppPorts'
Value: !Sub '${ContainerPort}'
- Name: 'EgressIgnoredIPs'
Value: '169.254.170.2,169.254.169.254'
ContainerDefinitions:
- Name: 'app'
Image: !Ref ColorServerImage
Essential: true
LogConfiguration:
LogDriver: 'awslogs'
Options:
awslogs-group: !Sub '${ProjectName}-log-group'
awslogs-region: !Ref AWS::Region
awslogs-stream-prefix: 'color_server'
PortMappings:
- ContainerPort: !Ref ContainerPort
Protocol: 'tcp'
Environment:
- Name: 'PORT'
Value: !Sub '${ContainerPort}'
- Name: 'COLOR'
Value: !Sub 'no color!'
- Name: envoy
Image: !Ref EnvoyImage
Essential: true
User: '1337'
Ulimits:
- Name: "nofile"
HardLimit: 15000
SoftLimit: 15000
PortMappings:
- ContainerPort: 9901
Protocol: 'tcp'
- ContainerPort: 15000
Protocol: 'tcp'
- ContainerPort: 15001
Protocol: 'tcp'
HealthCheck:
Command:
- 'CMD-SHELL'
- 'curl -s http://localhost:9901/server_info | grep state | grep -q LIVE'
Interval: 5
Timeout: 2
Retries: 3
LogConfiguration:
LogDriver: 'awslogs'
Options:
awslogs-group: !Sub '${ProjectName}-log-group'
awslogs-region: !Ref AWS::Region
awslogs-stream-prefix: 'color_server-envoy'
Environment:
- Name: 'APPMESH_RESOURCE_ARN'
Value: !Sub 'mesh/${ProjectName}-mesh/virtualNode/color_server'
- Name: 'ENVOY_LOG_LEVEL'
Value: 'debug'
Outputs:
PublicEndpoint:
Description: 'Public endpoint for the color client service'
Value: !Join ['', ['http://', !GetAtt 'PublicLoadBalancer.DNSName']]
Export:
Name: !Sub '${ProjectName}:PublicEndpoint'