boomi_atom-fargate.yaml
---

FinMod Boomi Atom Template

This CloudFormation template creates an ECS cluster with tasks that will serve as local atoms. It is configured to use Fargate instead of EC2 instances. Currently the configuration related to mounting the KFS non-prod EFS volume prevents this template from starting up a task successfully.

AWSTemplateFormatVersion: '2010-09-09'
Description: FinMod Boomi atom for integration

Metadata

Metadata is mostly for organizing and presenting Parameters in a better way when using CloudFormation in the AWS Web UI.

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: General Settings
        Parameters:
          - VPCID
          - VPCStackName
      - Label:
          default: "ECS"
        Parameters:
          - BoomiUsernameSecret
          - BoomiPasswordSecret
          - BoomiAccountIDSecret
          - AtomName
          - ClusterName
          - ECSSubnet
          - ALBSubnetPri
          - ALBSubnetSec
          - EnableJMX
          - JMXSecGrp
          - DNSAliasName
          - DNSHostedZone
          - SSLCert
          - TaskMem
          - TaskCpu
          - MemRes
          - BoomiImage
          - BoomiContainerName
          - AppEFSMountStackName
          - AppEFSMountPath
          - AppEFSFileSystemId
          - AppEFSFileSystemSG
      - Label:
          default: Tags
        Parameters:
          - TagService
          - TagName
          - TagEnvironment
          - TagCreatedBy
          - TagContactNetId
          - TagAccountNumber
          - TagSubAccount
          - TagTicketNumber
          - TagResourceFunction

Parameters

These are the input parameters for this template. All of these parameters must be supplied for this template to be deployed.

Parameters:
  VPCID:
    Description: "Target VPC (example: vpc-2b1ea94c)"
    Type: AWS::EC2::VPC::Id
    MinLength: 1
  VPCStackName:
    Description: "Name of the VPC CloudFormation Stack to use for subnets"
    Type: String
    Default: kuali-vpc
  BoomiUsernameSecret:
    Description: "The ARN of the Secrets Manager entry that contains the Boomi account username"
    Type: String
  BoomiPasswordSecret:
    Description: "The ARN of the Secrets Manager entry that contains the Boomi account password"
    Type: String
  BoomiAccountIDSecret:
    Description: "The ARN of the Secrets Manager entry that contains the Boomi account ID"
    Type: String
  AtomName:
    Description: "Specify the Boomi Atom name"
    Type: String
    MinLength: 1
    Default: nonprod-finmod-atom
  ClusterName:
    Description: "Specify the ECS cluster name"
    Type: String
    MinLength: 1
    Default: nonprod-finmod-boomi
  ECSSubnet:
    Description: "Select the subnet to use for the container (e.g., subnet-b0247ggh)"
    Type: 'AWS::EC2::Subnet::Id'
    MinLength: 1
  ALBSubnetPri:
    Description: "Select the primary subnet to use for the load balancer (e.g., subnet-b0247ggh)"
    Type: AWS::EC2::Subnet::Id
    MinLength: 1
  ALBSubnetSec:
    Description: "Select the secondary subnet to use for the load balancer (e.g., subnet-b0247ggh)"
    Type: AWS::EC2::Subnet::Id
    MinLength: 1
  EnableJMX:
    Description: "Specify 'true' to run the Prometheus JMX agent as part of the Boomi container (requires the use of a Boomi image which contains the JMX agent)"
    Default: false
    Type: String
  JMXSecGrp:
    Description: "Select the security group used by the Prometheus JMX task"
    Type: 'AWS::EC2::SecurityGroup::Id'
    MinLength: 1
  DNSAliasName:
    AllowedPattern: '^[0-9a-zA-Z-]+$'
    Description: 'Specify the DNS alias'
    Type: String
    Default: "finmod"
  DNSHostedZone:
    AllowedPattern: '^.+\.arizona\.edu$'
    Description: 'Name of Route53 Hosted Zone: ie ''aws.arizona.edu'''
    Type: String
    Default: "ua-uits-kuali-nonprod.arizona.edu"
  SSLCert:
    AllowedPattern: '^(arn:aws:acm:[a-z]{2}-[a-z]{4,}-\d:\d{12}:certificate\/[0-9a-zA-Z]+[0-9a-zA-Z-]+(|[0-9a-zA-Z-]*)|)$'
    Description: 'Specify the SSL Certificate ARN'
    Type: String
    Default: "arn:aws:acm:us-west-2:397167497055:certificate/ad8f66b6-b85e-4715-9df1-1543ebd9702c"
  TaskMem:
    Description: "Specify the memory limit for the task definition (MiB)"
    Default: 2048
    Type: Number
  TaskCpu:
    Description: "Specify the CPU limit for the task definition (CPU units)"
    Default: 512
    Type: Number
  MemRes:
    Description: "Specify the minimum memory for the container (MiB)"
    Default: 2048
    Type: Number
  BoomiImage:
    Description: "Specify the Boomi Atom docker image (registry/image_name:tag)"
    MinLength: 1
    Default: boomi/atom:4.1.1
    Type: String
  BoomiContainerName:
    AllowedPattern: '^[0-9a-zA-Z]+$'
    Description: "Specify the Boomi Atom docker container name"
    Default: boomi
    Type: String
  AppEFSMountStackName:
    MinLength: '2'
    Type: String
    Description: "Name of the EFS CloudFormation Stack mounted for integration"
    Default: kfs7-nonprod-efs
  AppEFSMountPath:
    Description: "Path of the EFS volume we are mounting for integration"
    Default: KFS7_NONPROD
    Type: String
  AppEFSFileSystemId:
    Description: "File system ID of the EFS volume we are mounting for integration"
    Default: fs-aa3de203
    Type: String
  AppEFSFileSystemSG:
    Description: "Security group of the EFS volume we are mounting for integration"
    Default: sg-80bc12fa #sg-d5be10af
    Type: String
  TagService:
    Description: "Service name (from the service catalog) that is utilizing this resource"
    Type: String
    Default: Financials Modernization Integration
  TagName:
    Description: "Descriptive identifier of resource"
    Type: String
    Default: Boomi Atom resource
  TagEnvironment:
    Description: "Type of environment that is using this resource, such as 'dev', 'tst', 'prd'."
    Type: String
  TagCreatedBy:
    Description: "NetID of the user that created this resource"
    Type: String
  TagContactNetId:
    Description: "NetID of the person to contact for information about this resource"
    Type: String
  TagAccountNumber:
    Description: "Financial system account number for the service utilizing this resource"
    Type: String
    Default: 1192620
  TagSubAccount:
    Description: "Financial system subaccount number for the service utilizing this resource"
    Type: String
    Default: 12AWS
  TagTicketNumber:
    Description: "Ticket number that this resource is for"
    Type: String
  TagResourceFunction:
    Description: "Human-readable description of what function this resource is providing"
    Type: String
    Default: For local Boomi atom

Conditions:
  UseJMX: !Equals [ !Ref EnableJMX, "true"]
  NoJMX: !Not [Condition: UseJMX]
  SplunkEnabled: !Not [!Equals [ !Ref CriblHECToken, ""]]

Resources

All of the resources deployed by the template.

Resources:

File System

Defines the EFS volume needed for this stack.
Resource: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html

  EFSFileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      Encrypted: true
      PerformanceMode: generalPurpose
      BackupPolicy:
        Status: ENABLED
      FileSystemTags:
        - Key: service
          Value: !Ref TagService
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: Name
          Value: !Sub "${AtomName}-efs"
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction

EFS Mount Points

EFS mount points must be created for each Availability Zone in the VPC. This is also where you define access controls, as access to EFS is controlled by these security groups.

A pair of mount points must be created for each EFS volume.

Copied from efs_volume.yaml template.

  EFSMountTargetZoneA:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EFSFileSystem
      SubnetId: !ImportValue kuali-vpc-private-subnet-a
      SecurityGroups:
        - Ref: EFSSecurityGroup
  EFSMountTargetZoneB:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EFSFileSystem
      SubnetId: !ImportValue kuali-vpc-private-subnet-b
      SecurityGroups:
        - Ref: EFSSecurityGroup

EFS Access Points

Defines the access points for the EFS volumes.
Resource: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-accesspoint.html

  AccessPoint:
    Type: 'AWS::EFS::AccessPoint'
    Properties:
      FileSystemId: !Ref EFSFileSystem
      PosixUser:
        Uid: "1001"
        Gid: "1001"
      RootDirectory:
        CreationInfo:
          OwnerGid: "1001"
          OwnerUid: "1001"
          Permissions: "0777"
        Path: "/boomi"
  AppAccessPoint:
    Type: 'AWS::EFS::AccessPoint'
    Properties:
      FileSystemId: !Ref AppEFSFileSystemId
      PosixUser:
        Uid: "1001"
        Gid: "1001"
      RootDirectory:
        CreationInfo:
          OwnerGid: "1001"
          OwnerUid: "1001"
          Permissions: "0777"
        Path: "/mosaic/KFS7_NONPROD/devfinmod336"

EFS Security Group

This security group defines what resources are able to access the EFS shared filesystem.
Resource: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html

  EFSSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId:
        Ref: VPCID
      GroupDescription: !Sub "${AWS::StackName} EFS Security Group"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 2049
          ToPort: 2049
          SourceSecurityGroupId: !Ref ECSSecurityGroup
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: Name
          Value: !Sub "${AWS::StackName} EFS Security Group"
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction
  EcsCluster:
    Type: "AWS::ECS::Cluster"
    # Need to make sure the LB is created before the ECS cluster is created
    Properties:
      ClusterName: !Ref ClusterName
  ECSTaskJMX:
    Condition: UseJMX
    DependsOn:
      - EFSMountTargetZoneA
      - EFSMountTargetZoneB
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Name: !Ref BoomiContainerName
          Image: !Ref BoomiImage
          Interactive: true
          MemoryReservation: !Ref MemRes
          LogConfiguration:
            LogDriver: "awslogs"
            Options:
              "awslogs-region": "us-west-2"
              "awslogs-group": !Sub "${AWS::StackName}-logs"
              "awslogs-stream-prefix": "boomi"
          PortMappings:
            - ContainerPort: 9090
              HostPort: 9090
              Protocol: tcp
            - ContainerPort: 7800
              HostPort: 7800
              Protocol: tcp
            - ContainerPort: 45588
              HostPort: 45588
              Protocol: udp
            - ContainerPort: 9404
              HostPort: 9404
              Protocol: tcp
          DockerLabels:
            ECS_PROMETHEUS_EXPORTER_PORT: 9404
            Java_EMF_Metrics: true
          EntryPoint:
            - ""
          Command:
            - "/bin/sh"
            - "-c"
            - "export JAVA_TOOL_OPTIONS='-javaagent:/opt/jmx_exporter/jmx_prometheus_javaagent-0.14.0.jar=9404:/opt/jmx_exporter/config.yaml'; init"
          Environment:
            - Name: BOOMI_ATOMNAME
              Value: !Ref AtomName
            - Name: ATOM_LOCALHOSTID
              Value: !Ref AtomName
          MountPoints:
            - ContainerPath: "/mnt/boomi"
              SourceVolume: "BoomiEFS"
            - ContainerPath: "/mosaic/KFS7_NONPROD"
              ReadOnly: true
              SourceVolume: "ApplicationEFS"
          Secrets:
            - Name: BOOMI_USERNAME
              ValueFrom: !Ref BoomiUsernameSecret
            - Name: BOOMI_PASSWORD
              ValueFrom: !Ref BoomiPasswordSecret
            - Name: BOOMI_ACCOUNTID
              ValueFrom: !Ref BoomiAccountIDSecret
      Cpu: !Ref TaskCpu
      Memory: !Ref TaskMem
      TaskRoleArn: !GetAtt TaskIAMRole.Arn
      ExecutionRoleArn: !GetAtt TaskIAMRole.Arn
      RequiresCompatibilities:
        - "FARGATE"
      NetworkMode: "awsvpc"
      Volumes:
        - Name: "BoomiEFS"
          EFSVolumeConfiguration:
            FilesystemId: !Ref EFSFileSystem
            TransitEncryption: ENABLED
            AuthorizationConfig:
              AccessPointId: !Ref AccessPoint
        - Name: "ApplicationEFS"
          EFSVolumeConfiguration:
            FilesystemId: !Ref AppEFSFileSystemId
            RootDirectory: "/mosaic/KFS7_NONPROD/devfinmod336"
            TransitEncryption: ENABLED
            AuthorizationConfig:
              AccessPointId: !Ref AppAccessPoint
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: name
          Value: !Sub "${AWS::StackName} ECS Task"
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction
  ECSTask:
    Condition: NoJMX
    DependsOn:
      - EFSMountTargetZoneA
      - EFSMountTargetZoneB
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Name: !Ref BoomiContainerName
          Image: !Ref BoomiImage
          Interactive: true
          MemoryReservation: !Ref MemRes
          LogConfiguration:
            LogDriver: "awslogs"
            Options:
              "awslogs-region": "us-west-2"
              "awslogs-group": !Sub "${AWS::StackName}-logs"
              "awslogs-stream-prefix": "boomi"
          PortMappings:
            - ContainerPort: 9090
              HostPort: 9090
              Protocol: tcp
            - ContainerPort: 7800
              HostPort: 7800
              Protocol: tcp
            - ContainerPort: 45588
              HostPort: 45588
              Protocol: udp
          Environment:
            - Name: BOOMI_ATOMNAME
              Value: !Ref AtomName
            - Name: ATOM_LOCALHOSTID
              Value: !Ref AtomName
          MountPoints:
            - ContainerPath: "/mnt/boomi"
              SourceVolume: "BoomiEFS"
            - ContainerPath: "/mosaic/KFS7_NONPROD"
              ReadOnly: true
              SourceVolume: "ApplicationEFS"
          Secrets:
            - Name: BOOMI_USERNAME
              ValueFrom: !Ref BoomiUsernameSecret
            - Name: BOOMI_PASSWORD
              ValueFrom: !Ref BoomiPasswordSecret
            - Name: BOOMI_ACCOUNTID
              ValueFrom: !Ref BoomiAccountIDSecret
      Cpu: !Ref TaskCpu
      Memory: !Ref TaskMem
      TaskRoleArn: !GetAtt TaskIAMRole.Arn
      ExecutionRoleArn: !GetAtt TaskIAMRole.Arn
      RequiresCompatibilities:
        - "FARGATE"
      NetworkMode: "awsvpc"
      Volumes:
        - Name: "BoomiEFS"
          EFSVolumeConfiguration:
            FilesystemId: !Ref EFSFileSystem
            TransitEncryption: ENABLED
            AuthorizationConfig:
              AccessPointId: !Ref AccessPoint
        - Name: "ApplicationEFS"
          EFSVolumeConfiguration:
            FilesystemId: !Ref AppEFSFileSystemId
            RootDirectory: "/mosaic/KFS7_NONPROD/devfinmod336"
            TransitEncryption: ENABLED
            AuthorizationConfig:
              AccessPointId: !Ref AppAccessPoint
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: name
          Value: !Sub "${AWS::StackName} ECS Task"
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction
  TaskIAMRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "ecs-tasks.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: "CWlogs"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                Resource:
                  - "*"
        - PolicyName: "SecretAccess"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "secretsmanager:GetSecretValue"
                  - "kms:Decrypt" # added for aws support testing
                  - "ssm:GetParameters" # added for aws support testing
                Resource:
                  - "*" # added for aws support testing
                  - !Ref BoomiUsernameSecret
                  - !Ref BoomiPasswordSecret
                  - !Ref BoomiAccountIDSecret
        - PolicyName: "ECSExecAccess"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "ssmmessages:CreateControlChannel"
                  - "ssmmessages:CreateDataChannel"
                  - "ssmmessages:OpenControlChannel"
                  - "ssmmessages:OpenDataChannel"
                Resource:
                  - "*"
        - PolicyName: "ECRAccess"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "ecr:GetAuthorizationToken"
                  - "ecr:BatchCheckLayerAvailability"
                  - "ecr:GetDownloadUrlForLayer"
                  - "ecr:GetRepositoryPolicy"
                  - "ecr:DescribeRepositories"
                  - "ecr:ListImages"
                  - "ecr:DescribeImages"
                  - "ecr:BatchGetImage"
                Resource:
                  - "*"
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: name
          Value: !Sub "${AWS::StackName} ECS Role"
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction
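
A least-privilege variant of TaskIAMRole, as an added example that is not part of the original template: it splits the single role into an execution role and a task role and replaces the "*" resources wherever the action supports scoping. ExecutionIAMRole and AtomTaskIAMRole are hypothetical names; both task definitions would reference them as ExecutionRoleArn and TaskRoleArn respectively.

```yaml
Resources:
  # Hypothetical name. Assumed by the ECS agent, not by the container:
  # log delivery, secret injection and image pull.
  ExecutionIAMRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal: { Service: ["ecs-tasks.amazonaws.com"] }
            Action: ["sts:AssumeRole"]
      Policies:
        - PolicyName: "CWlogs"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action: ["logs:CreateLogStream", "logs:PutLogEvents"]
                Resource:
                  - !GetAtt ECSLogGroup.Arn   # this stack's log group only
        - PolicyName: "SecretAccess"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action: ["secretsmanager:GetSecretValue"]
                Resource:                     # the three secret ARNs, no "*"
                  - !Ref BoomiUsernameSecret
                  - !Ref BoomiPasswordSecret
                  - !Ref BoomiAccountIDSecret
        - PolicyName: "ECRPull"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "ecr:GetAuthorizationToken"   # only supports Resource "*"
                  - "ecr:BatchCheckLayerAvailability"
                  - "ecr:GetDownloadUrlForLayer"
                  - "ecr:BatchGetImage"
                Resource: ["*"]
  # Hypothetical name. These are the credentials visible inside the
  # container: only what ECS Exec (EnableExecuteCommand: true) needs.
  AtomTaskIAMRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal: { Service: ["ecs-tasks.amazonaws.com"] }
            Action: ["sts:AssumeRole"]
      Policies:
        - PolicyName: "ECSExecAccess"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "ssmmessages:CreateControlChannel"
                  - "ssmmessages:CreateDataChannel"
                  - "ssmmessages:OpenControlChannel"
                  - "ssmmessages:OpenDataChannel"
                Resource: ["*"]
```

If the secrets are encrypted with a customer-managed KMS key, the execution role also needs kms:Decrypt, scoped to that key's ARN rather than "*".
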
  ECSService:
    DependsOn:
      - ALBListener
    Type: AWS::ECS::Service
    Properties:
      ServiceName: !Ref AWS::StackName
      Cluster: !Ref ClusterName
      EnableExecuteCommand: true
      DeploymentConfiguration:
        MaximumPercent: 200
        MinimumHealthyPercent: 100
      DesiredCount: 1
      LaunchType: FARGATE
      SchedulingStrategy: REPLICA
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: DISABLED
          Subnets:
            - !ImportValue kuali-vpc-private-subnet-a
            - !ImportValue kuali-vpc-private-subnet-b
          SecurityGroups:
            - !Ref ECSSecurityGroup
      TaskDefinition: !If [UseJMX, !Ref ECSTaskJMX, !Ref ECSTask]
      PlatformVersion: "1.4.0"
      LoadBalancers:
        - ContainerName: !Ref BoomiContainerName
          ContainerPort: 9090
          TargetGroupArn: !Ref ALBTargetGroup
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: name
          Value: !Sub "${AWS::StackName} ECS Service"
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction
  ECSLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "${AWS::StackName}-logs"
      RetentionInDays: 180
  ECSSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub "${AWS::StackName} ECS Security Group"
      GroupName: !Sub "${AWS::StackName}-ecs-sg"
      SecurityGroupEgress:
        - Description: Allow outbound connections to AWS EFS Security Group
          IpProtocol: tcp
          FromPort: 2049
          ToPort: 2049
          DestinationSecurityGroupId: !Ref AppEFSFileSystemSG
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 9090
          ToPort: 9090
          SourceSecurityGroupId: !Ref ALBSecurityGroup
      VpcId:
        Ref: VPCID
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: name
          Value: !Sub "${AWS::StackName} ECS Security Group"
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction
  ECSMulicastIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 45588
      ToPort: 45588
      SourceSecurityGroupId: !Ref ECSSecurityGroup
      GroupId: !Ref ECSSecurityGroup
  ECSUnicastIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: 7800
      ToPort: 7800
      SourceSecurityGroupId: !Ref ECSSecurityGroup
      GroupId: !Ref ECSSecurityGroup
  ECSJMXIngress:
    Condition: UseJMX
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: 9404
      ToPort: 9404
      SourceSecurityGroupId: !Ref JMXSecGrp
      GroupId: !Ref ECSSecurityGroup

Used to add the instance SG to the DB SG. This is needed to allow the atom to connect to the DB.

  AppInstToDB1521:
    Type: "AWS::EC2::SecurityGroupIngress"
    Properties:
      GroupId: !ImportValue "Kuali-DbSg-DbSecurityGroup"
      IpProtocol: tcp
      FromPort: 1521
      ToPort: 1521
      SourceSecurityGroupId: !Ref ECSSecurityGroup
      Description: "ECS Instance"

Application Load Balancer (ALB) Resources

Defines the Application Load Balancer Security Group.
Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html

  ALBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId:
        Ref: VPCID
      GroupDescription: !Sub "${AWS::StackName} ALB Security Group"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: "0.0.0.0/0"
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: name
          Value: !Sub "${AWS::StackName} ALB Security Group"
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction
  BoomiAtomALB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      IpAddressType: ipv4
      LoadBalancerAttributes:
        - Key: idle_timeout.timeout_seconds
          Value: 60
      Name: !Sub "${ClusterName}-alb"
      Scheme: internal
      SecurityGroups:
        - !Ref ALBSecurityGroup
      Subnets:
        - !ImportValue kuali-vpc-private-subnet-a
        - !ImportValue kuali-vpc-private-subnet-b
      Type: application
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: name
          Value: !Sub "${AWS::StackName} ALB"
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction
  ALBListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      Certificates:
        - CertificateArn: !Ref SSLCert
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref ALBTargetGroup
      LoadBalancerArn: !Ref BoomiAtomALB
      Port: 443
      Protocol: HTTPS
  ALBTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Protocol: HTTP
      Port: 9090
      TargetType: ip
      VpcId: !Ref VPCID
      HealthCheckProtocol: HTTP
      HealthCheckPort: "traffic-port"
      HealthCheckPath: "/_admin/status"
      HealthCheckIntervalSeconds: 60
      HealthyThresholdCount: 2
      UnhealthyThresholdCount: 3
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: name
          Value: !Sub "${AWS::StackName} ALB Target Group"
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction

Route53 DNS Record

Defines the ALB DNS Record Set.
Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-recordset.html

  ALBDNSRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      AliasTarget:
        HostedZoneId: !GetAtt ALB.CanonicalHostedZoneID
        DNSName: !GetAtt ALB.DNSName
      HostedZoneName: !Sub "${DNSHostedZone}."
      Name: !Sub "${DNSAliasName}.${DNSHostedZone}."
      Type: A

Route53 DNS Record

Create a DNS entry in Route53 for this environment. This creates a CNAME pointing at the DNS name of the Load Balancer.
Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-recordset.html

  AppDnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      # Append a period after the hosted zone DNS name
      HostedZoneName: !Sub "${DNSHostedZone}."
      Name: !Sub "${DNSAliasName}.${DNSHostedZone}."
      Type: CNAME
      TTL: '900'
      ResourceRecords:
        - !GetAtt BoomiAtomALB.DNSName

Outputs

Output values that can be viewed from the AWS CloudFormation console.

Outputs:
  LoadBalancerDNS:
    Value: !GetAtt BoomiAtomALB.DNSName
    Export:
      Name: !Sub "${AWS::StackName}-lb-dns"
  BoomiAtomDNS:
    Value: !Ref AppDnsRecord
    Export:
      Name: !Sub "${AWS::StackName}-dns"
  BoomiAtomEcsCluster:
    Value: !Ref EcsCluster
    Export:
      Name: !Sub "${AWS::StackName}-ecscluster"
  BoomiEcsClusterArn:
    Value: !GetAtt EcsCluster.Arn
    Export:
      Name: !Sub "${AWS::StackName}-ecsclusterarn"
  FileSystem:
    Value: !Ref EFSFileSystem
    Export:
      Name: !Sub "${AWS::StackName}-fs-id"
  EFSSecurityGroup:
    Value: !Ref EFSSecurityGroup
    Export:
      Name: !Sub "${AWS::StackName}-sg"
  EFSSecurityGroup:
    Value: !Ref EFSSecurityGroup
    Export:
      Name: !Sub "${AWS::StackName}-target-sg"