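---
# CloudFormation template for the crowley.cloud web service on ECS Fargate.
#
# Creates the listener rule, target group, ECS cluster and service, the
# container security group, the task execution role, the log group and
# the task definition. The VPC, the private subnets and the load balancer
# listener are imported from other stacks through Fn::ImportValue.
AWSTemplateFormatVersion: "2010-09-09"
Description: ECS for crowley.cloud
Parameters:
  # Defaults to the tag the template originally hard-coded, so existing
  # deployments are unchanged. ":latest" is mutable: pass an immutable
  # tag at deploy time so a task always runs the image that was reviewed.
  ImageTag:
    Type: String
    Default: latest
    Description: Tag of the crowley-cloud-ecr image to run
Resources:
  # Forwards every path on the imported listener to the web target group.
  WebListenerRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      ListenerArn:
        Fn::ImportValue: crowley-cloud-loadbalancer-LoadBalancerListener
      Priority: 100
      Conditions:
        - Field: path-pattern
          Values:
            - '/*'
      Actions:
        - TargetGroupArn: !Ref WebTargetGroup
          Type: forward

  # Targets are task ENI addresses (TargetType ip), as awsvpc networking
  # requires. Traffic from the load balancer to the task is plain HTTP.
  WebTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId:
        Fn::ImportValue: crowley-cloud-networking-VPC
      Port: 80
      Protocol: HTTP
      Matcher:
        HttpCode: "200-299"
      TargetType: ip
      HealthCheckIntervalSeconds: 10
      HealthCheckTimeoutSeconds: 5
      HealthyThresholdCount: 2
      HealthCheckPath: /
      HealthCheckProtocol: HTTP
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: "60"

  CrowleyCloudECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: CrowleyCloudECSCluster

  # Waits for the listener rule so the target group is attached to a
  # load balancer before the service registers tasks with it.
  CrowleyCloudECSService:
    Type: AWS::ECS::Service
    DependsOn: WebListenerRule
    Properties:
      Cluster: !Ref CrowleyCloudECSCluster
      DesiredCount: 1
      LaunchType: FARGATE
      LoadBalancers:
        - ContainerName: crowley-cloud
          ContainerPort: 80
          TargetGroupArn: !Ref WebTargetGroup
      NetworkConfiguration:
        AwsvpcConfiguration:
          # Tasks run in the private subnets and get no public address.
          AssignPublicIp: DISABLED
          Subnets:
            - Fn::ImportValue: crowley-cloud-networking-PrivateSubnetA
            - Fn::ImportValue: crowley-cloud-networking-PrivateSubnetB
          SecurityGroups:
            - !Ref ContainerSecurityGroup
      ServiceName: crowley-cloud-service
      TaskDefinition: !Ref CrowleyCloudTaskDefinition
      DeploymentConfiguration:
        MaximumPercent: 200
        MinimumHealthyPercent: 50

  ContainerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId:
        Fn::ImportValue: crowley-cloud-networking-VPC
      GroupDescription: Container security group for ecs containers
      SecurityGroupIngress:
        # Only the container port is opened. The previous rule allowed
        # every protocol and port from 0.0.0.0/0, which left the missing
        # public IP as the only barrier in front of the task.
        # NOTE(review): tighten further by replacing CidrIp with
        # SourceSecurityGroupId set to the load balancer's security
        # group; no export for that group is visible in this template.
        - CidrIp: 0.0.0.0/0
          IpProtocol: tcp
          FromPort: 80
          ToPort: 80

  # Used as the task *execution* role (see ExecutionRoleArn below): ECS
  # assumes it to pull the image and ship logs. The application
  # container gets no task role from this template.
  ECSTaskRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: AWSTrainingAmazonECSTaskExecutionRolePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # ecr:GetAuthorizationToken does not support
              # resource-level permissions, so it stays on '*'.
              - Effect: Allow
                Action:
                  - 'ecr:GetAuthorizationToken'
                Resource: '*'
              # ECS tasks download images only from the repository
              # named in the task definition's Image.
              - Effect: Allow
                Action:
                  - 'ecr:BatchCheckLayerAvailability'
                  - 'ecr:GetDownloadUrlForLayer'
                  - 'ecr:BatchGetImage'
                Resource: !Sub >-
                  arn:${AWS::Partition}:ecr:${AWS::Region}:${AWS::AccountId}:repository/crowley-cloud-ecr
              # ECS tasks upload logs only to this stack's log group.
              - Effect: Allow
                Action:
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: !GetAtt CloudWatchLogsGroup.Arn

  # Container logs are kept for 7 days; anything older is not available
  # for later incident review.
  CloudWatchLogsGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/ecs/crowleycloud
      RetentionInDays: 7

  CrowleyCloudTaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Cpu: "256"
      Memory: "512"
      # Ref on an IAM role returns its name; GetAtt returns the ARN this
      # property is documented to take.
      ExecutionRoleArn: !GetAtt ECSTaskRole.Arn
      Family: crowley-cloud
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      ContainerDefinitions:
        - Name: crowley-cloud
          Image: !Sub >-
            ${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/crowley-cloud-ecr:${ImageTag}
          PortMappings:
            - ContainerPort: 80
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref CloudWatchLogsGroup
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: crowleycloud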