# sponsor_hpc.yaml
#
# sponsor.hpc ECS task CloudFormation Deployment
#
# This CloudFormation template will deploy an application docker container for sponsor.hpc

AWSTemplateFormatVersion: '2010-09-09'
Description: sponsor.hpc.arizona.edu Application Stack
Metadata:
  Description: sponsor.hpc.arizona.edu Application Stack
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Operational Configuration
        Parameters:
          - EcsStack
          - HostedZoneName
      - Label:
          default: Container Configuration
        Parameters:
          - DockerImage
          - SSLCertificateARN
          - EcsServiceTaskCount
      - Label:
          default: Tagging and Cost Management
        Parameters:
          - ServiceTag
          - EnvironmentTag
          - ContactNetidTag
          - AccountNumberTag
          - TicketNumberTag

Parameters:
  EcsStack:
    Type: String
    Description: The name of the ECS CloudFormation stack.
    Default: uits-general-shared-ecs
  HostedZoneName:
    Type: String
    Description: route53 hosted zone name
    Default: uits-prod-aws.arizona.edu
  EcsServiceTaskCount:
    Description: The count of tasks to run for this server
    Type: String
    Default: 1
  DockerImage:
    Description: Docker Image and Tag
    Type: String
    Default: "760232551367.dkr.ecr.us-west-2.amazonaws.com/hpc/sponsor:2018-07-20.a"
  SSLCertificateARN:
    Type: String
    Description: Full ARN of the SSL Certificate to use on the load balancer
    Default: "arn:aws:acm:us-west-2:760232551367:certificate/8313253d-3f85-4cef-a6ef-ae66fd4f7322"

  # DatabaseHost and DatabasePort are referenced by the task definition below but
  # were not declared in the original template; declared here so the template
  # validates (assumption: plain string parameters, no defaults).
  DatabaseHost:
    Type: String
    Description: Hostname of the application database (passed to the container as dbhost)
  DatabasePort:
    Type: String
    Description: TCP port of the application database (passed to the container as dbport)

  # Tags
  #
  # The following tags are applied to all resources created by this template.
  ServiceTag:
    Type: String
    Description: Exact name of the Service as defined in the service catalog.
    Default: HPC
  EnvironmentTag:
    Type: String
    Description: Used to distinguish between development, test, production, etc. environment types.
    AllowedValues: [dev, tst, prd, trn, stg, cfg, sup, rpt]
    Default: prd
  ContactNetidTag:
    Type: String
    Description: Used to identify the netid of the person most familiar with the usage of the resource.
    Default: fischerm
  AccountNumberTag:
    Type: String
    Description: Identifies the financial system account number.
    Default: 1192660
  SubAccountTag:
    Type: String
    Description: Identifies the financial system sub account.
    Default: Mobile Application Development
  TicketNumberTag:
    Type: String
    Description: Used to identify the Jira, Cherwell, or other ticketing system ticket number to link to more information about the need for the resource.

Resources:
  # ECS Task Definition
  #
  # Defines the ECS Task to run the UAgenda docker container
  EcsTask:
    Type: "AWS::ECS::TaskDefinition"
    Properties:
      Family: !Sub "${AWS::StackName}-Task"
      NetworkMode: "bridge"
      TaskRoleArn: !Ref TaskRole
      ContainerDefinitions:
        - Name: "sponsor_hpc"
          Essential: "true"
          Image: !Ref DockerImage
          Environment:
            - Name: dbhost
              Value: !Sub "${DatabaseHost}"
            - Name: dbport
              Value: !Sub "${DatabasePort}"
          PortMappings:
            - HostPort: "0"
              ContainerPort: "80"
              Protocol: "tcp"
          Hostname: "sponsor.hpc.arizona.edu"
          Cpu: "0"
          MemoryReservation: "128"
          # Privileged gives the container full access to the host's devices and
          # capabilities; it should stay false unless the application needs it.
          Privileged: "true"
          LogConfiguration:
            LogDriver: "awslogs"
            Options:
              awslogs-group: !Ref EcsLogGroup
              awslogs-region: "us-west-2"
              awslogs-stream-prefix: "sponsor_hpc"

  # ECS Service Definition
  #
  # Create ECS Service to run a container task
  EcsService:
    Type: "AWS::ECS::Service"
    # The target group must be attached to the ALB (by the listeners) before the
    # service can register with it, so the service depends on the listeners.
    DependsOn:
      - EcsAlbListener80
      - EcsAlbListener443
    Properties:
      ServiceName: !Sub "${AWS::StackName}-Service"
      Cluster:
        Fn::ImportValue: !Sub "${EcsStack}-cluster"
      TaskDefinition: !Ref EcsTask
      DesiredCount: !Ref EcsServiceTaskCount
      Role: !Ref IAMRoleForEcsService
      LoadBalancers:
        - ContainerName: "sponsor_hpc"
          ContainerPort: "80"
          TargetGroupArn: !Ref EcsAlbTargetGroup
      PlacementStrategies:
        - Field: "attribute:ecs.availability-zone"
          Type: "spread"
      DeploymentConfiguration:
        MinimumHealthyPercent: "0"
        MaximumPercent: "200"

  # IAM
  #
  # IAM Roles
  IAMRoleForEcsService:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole

  # Task Role
  #
  # This is the IAM role that will be applied to this ECS Task
  TaskRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"

  # ALB Route53 DNS record
  EnvDnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneName: !Sub "${HostedZoneName}."
      Name: !Sub "sponsor-hpc.${HostedZoneName}."
      Type: "CNAME"
      TTL: "200"
      ResourceRecords:
        - Fn::ImportValue: !Sub "${EcsStack}-alb-name"

  # Target Group
  #
  # Define the Target Group for adding ECS Instances to the ALB as well as the
  # health checks for those Instances
  EcsAlbTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      HealthCheckIntervalSeconds: 60
      UnhealthyThresholdCount: 3
      Matcher:
        HttpCode: "200-399"
      Name: !Sub "${AWS::StackName}-targetgroup"
      Port: 80
      Protocol: HTTP
      VpcId:
        Fn::ImportValue: !Sub "${EcsStack}-vpcid"
      Tags:
        - Key: service
          Value: !Ref ServiceTag
        - Key: environment
          Value: !Ref EnvironmentTag
        - Key: contactnetid
          Value: !Ref ContactNetidTag
        - Key: accountnumber
          Value: !Ref AccountNumberTag
        - Key: ticketnumber
          Value: !Ref TicketNumberTag

  # ALB Listeners definitions
  #
  # The port 80 listener forwards plain HTTP to the application; a redirect
  # action to the HTTPS listener would force TLS for all clients.
  EcsAlbListener80:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref EcsAlbTargetGroup
      LoadBalancerArn:
        Fn::ImportValue: !Sub "${EcsStack}-alb"
      Port: 80
      Protocol: HTTP
  EcsAlbListener443:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref EcsAlbTargetGroup
      LoadBalancerArn:
        Fn::ImportValue: !Sub "${EcsStack}-alb"
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: !Ref SSLCertificateARN

  # Need to create a LogGroup in order for the ECS service to log details of the
  # build. If this does not exist the ECS Service will not come up.
  EcsLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "${AWS::StackName}"
      RetentionInDays: 60

Outputs:
  AppURL:
    Description: The URL for the application
    Value: !Sub "https://sponsor-hpc.${HostedZoneName}"
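A static check for two settings in the stack above that a reviewer would flag, the privileged container and the port 80 listener that forwards rather than redirects, as an added example that is not part of the template or the project. The template dict is a constructed excerpt of this stack in CloudFormation's JSON/dict shape, and the check names are assumptions.

```python
# Added example: flag two weak settings seen in the sponsor.hpc stack above,
# a Privileged ECS container and an HTTP listener that forwards instead of
# redirecting to HTTPS. Works on a template in CloudFormation's JSON/dict form.

def _truthy(value):
    # CloudFormation accepts booleans as true or the string "true".
    return value is True or str(value).lower() == "true"


def check_template(template):
    """Return (logical_id, finding) pairs for weak settings in the template."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::ECS::TaskDefinition":
            for cdef in props.get("ContainerDefinitions", []):
                if _truthy(cdef.get("Privileged", False)):
                    findings.append((logical_id,
                        f"container {cdef.get('Name')} runs Privileged; "
                        "drop it or grant specific Linux capabilities"))
        elif res.get("Type") == "AWS::ElasticLoadBalancingV2::Listener":
            forwards = any(a.get("Type") == "forward"
                           for a in props.get("DefaultActions", []))
            if props.get("Protocol") == "HTTP" and forwards:
                findings.append((logical_id, "HTTP listener forwards to the "
                    "target group; use a redirect action to HTTPS instead"))
    return findings


# Constructed excerpt mirroring the EcsTask and listener resources above.
SAMPLE = {"Resources": {
    "EcsTask": {"Type": "AWS::ECS::TaskDefinition", "Properties": {
        "ContainerDefinitions": [{"Name": "sponsor_hpc", "Privileged": "true"}]}},
    "EcsAlbListener80": {"Type": "AWS::ElasticLoadBalancingV2::Listener",
        "Properties": {"Protocol": "HTTP", "Port": 80,
                       "DefaultActions": [{"Type": "forward"}]}},
    "EcsAlbListener443": {"Type": "AWS::ElasticLoadBalancingV2::Listener",
        "Properties": {"Protocol": "HTTPS", "Port": 443,
                       "DefaultActions": [{"Type": "forward"}]}},
}}

if __name__ == "__main__":
    for logical_id, msg in check_template(SAMPLE):
        print(f"{logical_id}: {msg}")
```

Running it against the sample reports EcsTask and EcsAlbListener80 and leaves the HTTPS listener alone.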