Description: > This template deploys an ECS cluster to the provided VPC and subnets using an Auto Scaling Group Parameters: EnvironmentName: Description: An environment name that will be prefixed to resource names Type: String InstanceType: Description: Which instance type should we use to build the ECS cluster? Type: String Default: c4.large KeyName: Description: The EC2 Key Pair to allow SSH access to the instances Type: AWS::EC2::KeyPair::KeyName ECSServiceLogGroupRetentionInDays: Type: Number Default: 30 ECSServicesDomain: Type: String Description: "Domain name registerd under Route-53 that will be used for Service Discovery" EC2Ami: Description: EC2 AMI ID Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id> Default: "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2" Resources: ECSCluster: Type: AWS::ECS::Cluster Properties: ClusterName: !Ref EnvironmentName ECSInstancesSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: "Security group for the instances" VpcId: 'Fn::ImportValue': !Sub "${EnvironmentName}:VPC" SecurityGroupIngress: - CidrIp: 'Fn::ImportValue': !Sub "${EnvironmentName}:VpcCIDR" IpProtocol: -1 ECSServiceSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: "Security group for the service" VpcId: 'Fn::ImportValue': !Sub "${EnvironmentName}:VPC" SecurityGroupIngress: - CidrIp: 'Fn::ImportValue': !Sub "${EnvironmentName}:VpcCIDR" IpProtocol: -1 TaskIamRole: Type: AWS::IAM::Role Properties: Path: / AssumeRolePolicyDocument: | { "Statement": [{ "Effect": "Allow", "Principal": { "Service": [ "ecs-tasks.amazonaws.com" ]}, "Action": [ "sts:AssumeRole" ] }] } ManagedPolicyArns: - arn:aws:iam::aws:policy/CloudWatchFullAccess - arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess - arn:aws:iam::aws:policy/AWSAppMeshEnvoyAccess TaskExecutionIamRole: Type: AWS::IAM::Role Properties: Path: / AssumeRolePolicyDocument: | { "Statement": [{ "Effect": "Allow", "Principal": { "Service": [ "ecs-tasks.amazonaws.com" ]}, "Action": [ "sts:AssumeRole" ] }] } ManagedPolicyArns: - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess ECSServiceLogGroup: Type: 'AWS::Logs::LogGroup' Properties: RetentionInDays: Ref: ECSServiceLogGroupRetentionInDays ECSServiceDiscoveryNamespace: Type: AWS::ServiceDiscovery::PrivateDnsNamespace Properties: Vpc: 'Fn::ImportValue': !Sub "${EnvironmentName}:VPC" Name: { Ref: ECSServicesDomain } BastionSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow http to client host VpcId: 'Fn::ImportValue': !Sub "${EnvironmentName}:VPC" SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 0.0.0.0/0 BastionHost: Type: AWS::EC2::Instance Properties: ImageId: !Ref EC2Ami KeyName: !Ref KeyName InstanceType: t2.micro SecurityGroupIds: - !Ref BastionSecurityGroup SubnetId: 'Fn::ImportValue': !Sub "${EnvironmentName}:PublicSubnet1" Tags: - Key: Name Value: bastion-host Outputs: Cluster: Description: A reference to the ECS cluster Value: !Ref ECSCluster Export: Name: !Sub "${EnvironmentName}:ECSCluster" ECSServiceDiscoveryNamespace: Description: A SDS namespace that will be used by all services in this cluster Value: !Ref ECSServiceDiscoveryNamespace Export: Name: !Sub "${EnvironmentName}:ECSServiceDiscoveryNamespace" ECSServiceLogGroup: Description: Log group for services to publish logs Value: !Ref ECSServiceLogGroup Export: Name: !Sub "${EnvironmentName}:ECSServiceLogGroup" ECSServiceSecurityGroup: Description: Security group to be used by all services in the cluster Value: !Ref ECSServiceSecurityGroup Export: Name: !Sub "${EnvironmentName}:ECSServiceSecurityGroup" TaskExecutionIamRoleArn: Description: Task Executin IAM role used by ECS tasks Value: { "Fn::GetAtt": TaskExecutionIamRole.Arn } Export: Name: !Sub "${EnvironmentName}:TaskExecutionIamRoleArn" TaskIamRoleArn: Description: IAM role to be used by ECS task Value: { "Fn::GetAtt": TaskIamRole.Arn } Export: Name: !Sub "${EnvironmentName}:TaskIamRoleArn" BastionIP: Description: Public IP for ssh access to bastion host Value: 'Fn::GetAtt': [ BastionHost, PublicIp ]