boomi_atom.yaml
---

# FinMod Boomi Atom Template
#
# This CloudFormation template creates an ECS cluster (EC2 launch type) whose
# task runs a local Boomi Atom.

AWSTemplateFormatVersion: '2010-09-09'
Description: FinMod Boomi atom for integration using EC2 instances

# Metadata
#
# Metadata is mostly for organizing and presenting Parameters in a better way
# when using CloudFormation in the AWS Web UI. Every name listed here must
# match a key under Parameters exactly (the AMI parameter is EcsImageId).

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: General Settings
        Parameters:
          - VPCID
          - VPCStackName
      - Label:
          default: ECS Parameters
        Parameters:
          - AtomName
          - ClusterName
          - ECSSubnet
          - ALBSubnetPri
          - ALBSubnetSec
          - DNSAliasName
          - DNSHostedZone
          - SSLCert
          - TaskMem
          - TaskCpu
          - MemRes
          - KeyName
          - EcsImageId
          - EcsInstanceType
      - Label:
          default: Boomi Application Parameters
        Parameters:
          - BoomiUsernameSecret
          - BoomiPasswordSecret
          - BoomiAccountIDSecret
          - BoomiImage
          - BoomiContainerName
      - Label:
          default: Integration Application Parameters
        Parameters:
          - AppEFSMountStackName
          - AppEFSMountPath
          - AppEFSFileSystemId
          - AppEFSFileSystemSG
          - ContainerMountPath
      - Label:
          default: Tags
        Parameters:
          - TagService
          - TagName
          - TagEnvironment
          - TagCreatedBy
          - TagContactNetId
          - TagAccountNumber
          - TagSubAccount
          - TagTicketNumber
          - TagResourceFunction

# Parameters
#
# These are the input parameters for this template. Parameters without a
# Default must be supplied at deploy time; the rest may be overridden.
# Note: VPCStackName, ECSSubnet, ALBSubnetPri, ALBSubnetSec and
# AppEFSMountStackName are declared but never referenced below; the subnets
# actually used are the kuali-vpc stack exports (kuali-vpc-private-subnet-a/-b).

Parameters:
  VPCID:
    Description: "Target VPC (example: vpc-2b1ea94c)"
    Type: AWS::EC2::VPC::Id
    MinLength: 1
  VPCStackName:
    Description: "Name of the VPC CloudFormation Stack to use for subnets"
    Type: String
    Default: kuali-vpc
  AtomName:
    Description: "Specify the Boomi Atom name"
    Type: String
    MinLength: 1
    Default: nonprod-finmod-atom
  ClusterName:
    Description: "Specify the ECS cluster name"
    Type: String
    MinLength: 1
    Default: nonprod-finmod-boomi

  ECSSubnet:
    Description: "Select the subnet to use for the container (e.g., subnet-b0247ggh)"
    Type: 'AWS::EC2::Subnet::Id'
    MinLength: 1
  ALBSubnetPri:
    Description: "Select the primary subnet to use for the load balancer (e.g., subnet-b0247ggh)"
    Type: AWS::EC2::Subnet::Id
    MinLength: 1
  ALBSubnetSec:
    Description: "Select the secondary subnet to use for the load balancer (e.g., subnet-b0247ggh)"
    Type: AWS::EC2::Subnet::Id
    MinLength: 1

  DNSAliasName:
    AllowedPattern: '^[0-9a-zA-Z-]+$'
    Description: 'Specify the DNS alias'
    Type: String
    Default: "finmod"
  DNSHostedZone:
    AllowedPattern: '^.+\.arizona\.edu$'
    Description: 'Name of Route53 Hosted Zone: ie ''aws.arizona.edu'''
    Type: String
    Default: "ua-uits-kuali-nonprod.arizona.edu"
  SSLCert:
    AllowedPattern: '^(arn:aws:acm:[a-z]{2}-[a-z]{4,}-\d:\d{12}:certificate\/[0-9a-zA-Z]+[0-9a-zA-Z-]+(|[0-9a-zA-Z-]*)|)$'
    Description: 'Specify the SSL Certificate ARN'
    Type: String
    Default: "arn:aws:acm:us-west-2:397167497055:certificate/ad8f66b6-b85e-4715-9df1-1543ebd9702c"
  TaskMem:
    Description: "Specify the memory limit for the task definition (MiB)"
    Default: 6656
    Type: Number
  TaskCpu:
    Description: "Specify the CPU limit for the task definition (CPU units; 1024 = one vCPU)"
    Default: 512
    Type: Number
  MemRes:
    Description: "Specify the minimum memory for the container (MiB)"
    Default: 6656
    Type: Number
  KeyName:
    Description: "Amazon EC2 Key Pair"
    Type: AWS::EC2::KeyPair::KeyName
    Default: "kfs-development-environments-keypair-2021"
  EcsImageId:
    Description: "SSM Parameter store key for the latest ECS-optimized Amazon Linux 2 AMI ID"
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: '/aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id'
  EcsInstanceType:
    Description: "ECS EC2 Instance Type"
    Type: String
    Default: "m5a.large"
  BoomiUsernameSecret:
    Description: "The ARN of the Secrets Manager entry that contains the Boomi account username"
    Type: String
    Default: "arn:aws:secretsmanager:us-west-2:397167497055:secret:finmod-boomi-deploy-resources-deployment-user-1CfL31"
  BoomiPasswordSecret:
    Description: "The ARN of the Secrets Manager entry that contains the Boomi account password"
    Type: String
    Default: "arn:aws:secretsmanager:us-west-2:397167497055:secret:finmod-boomi-deploy-resources-deployment-passwd-UAEl4j"
  BoomiAccountIDSecret:
    Description: "The ARN of the Secrets Manager entry that contains the Boomi account ID"
    Type: String
    Default: "arn:aws:secretsmanager:us-west-2:397167497055:secret:finmod-boomi-deploy-resources-deployment-accountid-nBUDI0"
  BoomiImage:
    # A tag can be re-pushed; pin to a digest (registry/image@sha256:...) for a
    # reproducible deployment.
    Description: "Specify the Boomi Atom docker image (registry/image_name:tag)"
    MinLength: 1
    Default: boomi/atom:4.2.1
    Type: String
  BoomiContainerName:
    AllowedPattern: '^[0-9a-zA-Z]+$'
    Description: "Specify the Boomi Atom docker container name"
    Default: boomi
    Type: String
  AppEFSMountStackName:
    MinLength: '2'
    Type: String
    Description: "Name of the EFS CloudFormation Stack mounted for integration"
    Default: kfs7-nonprod-efs
  AppEFSMountPath:
    Description: "Path of the EFS volume we are mounting for integration, e.g. / or /dev"
    Default: "/dev"
    Type: String
  AppEFSFileSystemId:
    Description: "File system ID of the EFS volume we are mounting for integration"
    Default: fs-aa3de203
    Type: String
  AppEFSFileSystemSG:
    Description: "Security group of the EFS volume we are mounting for integration"
    Default: sg-d5be10af
    Type: String
  ContainerMountPath:
    Description: "Path the Boomi Atom sees as the root directory of the mounted EFS volume"
    Default: "/efs/kfs/dev"
    Type: String
  TagService:
    Description: "Service name (from the service catalog) that is utilizing this resource"
    Type: String
    Default: Financials Modernization Integration
  TagName:
    Description: "Descriptive identifier of resource"
    Type: String
    Default: Boomi Atom resource
  TagEnvironment:
    Description: "Type of environment that is using this resource, such as 'dev', 'tst', 'prd'."
    Type: String
  TagCreatedBy:
    Description: "NetID of the user that created this resource"
    Type: String
  TagContactNetId:
    Description: "NetID of the person to contact for information about this resource"
    Type: String
  TagAccountNumber:
    Description: "Financial system account number for the service utilizing this resource"
    Type: String
    Default: 1192620
  TagSubAccount:
    Description: "Financial system subaccount number for the service utilizing this resource"
    Type: String
    Default: 12AWS
  TagTicketNumber:
    Description: "Ticket number that this resource is for"
    Type: String
  TagResourceFunction:
    Description: "Human-readable description of what function this resource is providing"
    Type: String
    Default: For local Boomi atom

# Resources
#
# All of the resources deployed by the template.

Resources:

  # File System
  #
  # Defines the EFS volume needed for this stack
  # Resource: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html

  EFSFileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      Encrypted: true
      PerformanceMode: generalPurpose
      BackupPolicy:
        Status: ENABLED
      FileSystemTags:
        - Key: service
          Value: !Ref TagService
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: Name
          Value: !Sub "${AtomName}-efs"
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction

  # EFS Mount Points
  #
  # A mount target must exist in every Availability Zone from which the file
  # system is mounted. The security group attached to each mount target is
  # what controls network access to EFS (NFS, TCP 2049).
  #
  # A pair of mount targets is created for each EFS volume.
  #
  # Copied from efs_volume.yaml template.

  EFSMountTargetZoneA:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EFSFileSystem
      SubnetId: !ImportValue kuali-vpc-private-subnet-a
      SecurityGroups:
        - Ref: EFSSecurityGroup
  EFSMountTargetZoneB:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref EFSFileSystem
      SubnetId: !ImportValue kuali-vpc-private-subnet-b
      SecurityGroups:
        - Ref: EFSSecurityGroup

  # EFS Access Point
  #
  # Defines the access point for the EFS volume
  # Resource: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-accesspoint.html
  #
  # An access point pins every client to the PosixUser below, whatever uid the
  # container runs as, and confines it to RootDirectory. CreationInfo is only
  # applied when the directory does not exist yet; an existing directory keeps
  # its current owner and mode.

  AccessPoint:
    Type: 'AWS::EFS::AccessPoint'
    Properties:
      FileSystemId: !Ref EFSFileSystem
      PosixUser:
        Uid: "1001"
        Gid: "1001"
      RootDirectory:
        CreationInfo:
          OwnerGid: "1001"
          OwnerUid: "1001"
          # 0777 is wider than needed: every client through this access point
          # is already uid 1001, so 0755 (or 0700) gives the atom the same access.
          Permissions: "0777"
        Path: "/boomi"
  AppAccessPoint:
    Type: 'AWS::EFS::AccessPoint'
    Properties:
      FileSystemId: !Ref AppEFSFileSystemId
      PosixUser:
        Uid: "1002"
        Gid: "1002"
      RootDirectory:
        CreationInfo:
          OwnerGid: "1002"
          # Note: the enforced identity is uid 1002, but a freshly created
          # directory is owned by uid 1001 with mode 0755, so the atom falls
          # into the group class (r-x) and cannot write below this path.
          OwnerUid: "1001"
          Permissions: "0755"
        Path: !Ref AppEFSMountPath  # e.g. "/devfinmod336"
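The two access points above replace the client's identity with a fixed uid/gid, so whether the atom can write under the root directory depends only on how that identity lines up with CreationInfo. The Python below is an added example (not part of this template or of any AWS tool) that models the POSIX class selection EFS applies and evaluates both access points exactly as written; the class and function names are my own.

```python
"""Evaluate what an EFS access point's enforced POSIX identity can do on the
root directory that CreationInfo would create.

Added example, not part of the template. Once an access point is used, the
caller's real uid/gid is irrelevant: EFS substitutes PosixUser and then runs
the ordinary owner/group/other check against the directory. CreationInfo
applies only when the directory does not yet exist; for an existing directory
substitute its real owner and mode.
"""
from dataclasses import dataclass


@dataclass
class PosixUser:
    uid: int
    gid: int
    secondary_gids: tuple = ()


@dataclass
class RootDir:
    owner_uid: int
    owner_gid: int
    mode: int  # e.g. 0o755


def permission_class(user: PosixUser, root: RootDir) -> str:
    """POSIX picks exactly one class: owner, else group, else other."""
    if user.uid == root.owner_uid:
        return "owner"
    if root.owner_gid == user.gid or root.owner_gid in user.secondary_gids:
        return "group"
    return "other"


def effective_access(user: PosixUser, root: RootDir) -> dict:
    """Read/write/traverse bits the enforced user gets on the directory."""
    shift = {"owner": 6, "group": 3, "other": 0}[permission_class(user, root)]
    bits = (root.mode >> shift) & 0o7
    return {"read": bool(bits & 4), "write": bool(bits & 2), "traverse": bool(bits & 1)}


def from_cfn(posix_user: dict, creation_info: dict) -> dict:
    """Accept the string-valued shapes used by AWS::EFS::AccessPoint."""
    user = PosixUser(
        int(posix_user["Uid"]),
        int(posix_user["Gid"]),
        tuple(int(g) for g in posix_user.get("SecondaryGids", [])),
    )
    root = RootDir(
        int(creation_info["OwnerUid"]),
        int(creation_info["OwnerGid"]),
        int(creation_info["Permissions"], 8),
    )
    return effective_access(user, root)


# The two access points from the template, as written (constructed input).
BOOMI_AP = ({"Uid": "1001", "Gid": "1001"},
            {"OwnerUid": "1001", "OwnerGid": "1001", "Permissions": "0777"})
APP_AP = ({"Uid": "1002", "Gid": "1002"},
          {"OwnerUid": "1001", "OwnerGid": "1002", "Permissions": "0755"})

if __name__ == "__main__":
    for name, (pu, ci) in {"AccessPoint": BOOMI_AP, "AppAccessPoint": APP_AP}.items():
        print(name, from_cfn(pu, ci))
```

Running it shows AccessPoint fully writable and AppAccessPoint read/traverse only; changing AppAccessPoint's OwnerUid to 1002 or its Permissions to 0775 is what makes the second one writable.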

  # EFS Security Group
  #
  # This security group defines what resources are able to access the EFS
  # shared filesystem.
  # Resource: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html

  EFSSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId:
        Ref: VPCID
      GroupDescription: !Sub "${AWS::StackName} EFS Security Group"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 2049
          ToPort: 2049
          SourceSecurityGroupId: !Ref ECSSecurityGroup
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: Name
          Value: !Sub "${AWS::StackName} EFS Security Group"
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction

  # ECS Container Instance Role
  #
  # This is the IAM role that will be applied to the ECS Instances. Any AWS
  # specific permissions that the node might need should be defined here.
  #
  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html
  # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html
  #
  # Caveat: this single role is both the EC2 instance role (via
  # EnvInstanceProfile) and the task execution role (ExecutionRoleArn on
  # EcsTask), which is why it trusts both ec2.amazonaws.com and
  # ecs-tasks.amazonaws.com. Anything that can reach the instance metadata
  # service on the host therefore inherits the secretsmanager:GetSecretValue
  # grant below. Least privilege is a separate execution role that holds only
  # the secret, ECR and logs permissions.

  EnvInstanceRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
                - ecs-tasks.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
      Policies:
        - PolicyName: "CWlogs"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                # Could be scoped to the ECSLogGroup ARN instead of "*".
                Resource:
                  - "*"
        - PolicyName: "SecretAccess"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "secretsmanager:GetSecretValue"
                # If these secrets are encrypted with a customer-managed KMS
                # key, kms:Decrypt on that key is required as well.
                Resource:
                  - !Ref BoomiUsernameSecret
                  - !Ref BoomiPasswordSecret
                  - !Ref BoomiAccountIDSecret
        # ECS Exec needs the ssmmessages actions on the task role (TaskRoleArn),
        # which EcsTask does not set; on the instance role they only duplicate
        # what AmazonSSMManagedInstanceCore already grants.
        - PolicyName: "ECSExecAccess"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "ssmmessages:CreateControlChannel"
                  - "ssmmessages:CreateDataChannel"
                  - "ssmmessages:OpenControlChannel"
                  - "ssmmessages:OpenDataChannel"
                Resource:
                  - "*"
        - PolicyName: "ECRAccess"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "ecr:GetAuthorizationToken"
                  - "ecr:BatchCheckLayerAvailability"
                  - "ecr:GetDownloadUrlForLayer"
                  - "ecr:GetRepositoryPolicy"
                  - "ecr:DescribeRepositories"
                  - "ecr:ListImages"
                  - "ecr:DescribeImages"
                  - "ecr:BatchGetImage"
                Resource:
                  - "*"
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: name
          Value: !Sub "${AWS::StackName} ECS Role"
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction

  # Instance Profile
  #
  # This is just a little construct to connect a set of roles together into a
  # profile. The profile is referenced by EC2 instances.

  EnvInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - !Ref EnvInstanceRole

  # Instance Security Group
  #
  # Security group for the host nodes themselves. Needs to permit incoming
  # traffic from the ALB, and any other authorized incoming sources.
  # Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html
  #
  # Caveat: declaring SecurityGroupEgress removes the default allow-all egress
  # rule, so on its own this group lets the host reach only the application
  # EFS on TCP 2049. The ECS agent, the ECR and Secrets Manager pulls,
  # CloudWatch Logs and the Atom's own connection to the Boomi platform all
  # need outbound HTTPS; that must come from another attached group (the
  # launch configuration also attaches AppEFSFileSystemSG) or from VPC
  # endpoints. Verify before relying on it.
  #
  # With AmazonSSMManagedInstanceCore on the instance role, Session Manager
  # can replace SSH; the port 22 rule and the KeyName can then be dropped.

  ECSSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId:
        Ref: VPCID
      GroupDescription: !Sub "${AWS::StackName} ECS Security Group"
      SecurityGroupEgress:
        - Description: Allow outbound connections to AWS EFS Security Group
          IpProtocol: tcp
          FromPort: 2049
          ToPort: 2049
          DestinationSecurityGroupId: !Ref AppEFSFileSystemSG
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 9090
          ToPort: 9090
          SourceSecurityGroupId: !Ref ALBSecurityGroup
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 10.138.2.0/24
          Description: Mosaic VPN-1
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: name
          Value: !Sub "${AWS::StackName} ECS Security Group"
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction
  # Application Load Balancer (ALB)
  #
  # Internal ALB in front of the atom's port 9090. TLS terminates here; the
  # hop from the ALB to the instance is plain HTTP inside the VPC.

  BoomiAtomALB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      IpAddressType: ipv4
      LoadBalancerAttributes:
        - Key: idle_timeout.timeout_seconds
          Value: '60'
      Name: !Sub "${ClusterName}-alb"
      Scheme: internal
      SecurityGroups:
        - !Ref ALBSecurityGroup
      Subnets:
        - !ImportValue kuali-vpc-private-subnet-a
        - !ImportValue kuali-vpc-private-subnet-b
      Type: application
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: name
          Value: !Sub "${AWS::StackName} ALB"
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction

  # Application Load Balancer (ALB) Resources
  #
  # Defines the Application Load Balancer Security Group
  # Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html
  #
  # Caveat: 0.0.0.0/0 on an internal ALB still admits every source that can
  # route into the VPC (peered VPCs, VPN, Direct Connect). Restrict it to the
  # VPC CIDR or to the ranges that actually need the atom's web interface.

  ALBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId:
        Ref: VPCID
      GroupDescription: !Sub "${AWS::StackName} ALB Security Group"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: "0.0.0.0/0"
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: name
          Value: !Sub "${AWS::StackName} ALB Security Group"
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction
  ALBTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Protocol: HTTP
      Port: 9090
      TargetType: instance
      VpcId: !Ref VPCID
      HealthCheckProtocol: HTTP
      HealthCheckPort: "traffic-port"
      HealthCheckPath: "/_admin/status"
      HealthCheckIntervalSeconds: 60
      HealthyThresholdCount: 2
      UnhealthyThresholdCount: 3
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: name
          Value: !Sub "${AWS::StackName} ALB Target Group"
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction
  ALBListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      Certificates:
        - CertificateArn: !Ref SSLCert
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref ALBTargetGroup
      LoadBalancerArn: !Ref BoomiAtomALB
      Port: 443
      Protocol: HTTPS
      # No SslPolicy is set, so the listener uses the ALB default policy. Pin a
      # TLS 1.2+ policy such as ELBSecurityPolicy-TLS13-1-2-2021-06 explicitly.

  # Route53 DNS Record
  #
  # Create a DNS entry in Route53 for this environment. This creates a CNAME
  # pointing at the DNS name of the Load Balancer.
  # Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-recordset.html

  AppDnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      # Append a period after the hosted zone DNS name
      HostedZoneName: !Sub "${DNSHostedZone}."
      Name: !Sub "${DNSAliasName}.${DNSHostedZone}."
      Type: CNAME
      TTL: '900'
      ResourceRecords:
        - !GetAtt BoomiAtomALB.DNSName

  ECSLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "${AWS::StackName}-logs"
      RetentionInDays: 180

  # Launch Config for the Auto Scaling Group for the ECS Cluster
  # Copied from kfs_nexus_ecs.yaml template
  #
  # Hardening notes: EcsTask runs with NetworkMode bridge, so the container can
  # reach the instance metadata service (and this host's role credentials)
  # unless MetadataOptions sets HttpTokens: required and
  # HttpPutResponseHopLimit: 1. The extra EBS volume below is not encrypted
  # (Ebs.Encrypted: true).

  EcsInstanceLc:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: !Ref EcsImageId
      InstanceType: !Ref EcsInstanceType
      InstanceMonitoring: false
      AssociatePublicIpAddress: false
      IamInstanceProfile: !Ref EnvInstanceProfile
      KeyName: !Ref KeyName
      SecurityGroups:
        - !Ref ECSSecurityGroup
        - !Ref AppEFSFileSystemSG
      BlockDeviceMappings:
        - DeviceName: "/dev/xvdcz"
          Ebs:
            VolumeSize: "22"
            VolumeType: "gp2"
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          echo ECS_CLUSTER=${ClusterName} >> /etc/ecs/ecs.config

  # Auto Scaling Group for Web/App/Batch
  # Will be used in current non-prod environment
  # Copied from kfs_nexus_ecs.yaml template

  EcsInstanceAsg:
    Type: AWS::AutoScaling::AutoScalingGroup
    DependsOn: EcsCluster
    Properties:
      VPCZoneIdentifier:
        - !ImportValue kuali-vpc-private-subnet-a
        - !ImportValue kuali-vpc-private-subnet-b
      LaunchConfigurationName: !Ref EcsInstanceLc
      MinSize: '0'
      MaxSize: '1'
      DesiredCapacity: '1'
      TargetGroupARNs:
        - !Ref ALBTargetGroup
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName} ECS Host"
          PropagateAtLaunch: 'true'
        - Key: Description
          Value: "This instance is the part of the Auto Scaling group which was created through CloudFormation"
          PropagateAtLaunch: 'true'
        - Key: service
          Value: !Ref TagService
          PropagateAtLaunch: 'true'
        - Key: environment
          Value: !Ref TagEnvironment
          PropagateAtLaunch: 'true'
        - Key: contactnetid
          Value: !Ref TagContactNetId
          PropagateAtLaunch: 'true'
        - Key: accountnumber
          Value: !Ref TagAccountNumber
          PropagateAtLaunch: 'true'
        - Key: subaccount
          Value: !Ref TagSubAccount
          PropagateAtLaunch: 'true'
        - Key: ticketnumber
          Value: !Ref "TagTicketNumber"
          PropagateAtLaunch: 'true'
  EcsCluster:
    Type: "AWS::ECS::Cluster"
    # The LB must exist before the ECS service starts; that ordering is
    # enforced on EcsService below (DependsOn AppDnsRecord), not on the
    # cluster, which has no dependencies of its own.
    Properties:
      ClusterName: !Ref ClusterName
  EcsTask:
    DependsOn:
      - EFSMountTargetZoneA
      - EFSMountTargetZoneB
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Environment:
            - Name: BOOMI_ATOMNAME
              Value: !Ref AtomName
            - Name: ATOM_LOCALHOSTID
              Value: !Ref AtomName
          Image: !Ref BoomiImage
          Interactive: true
          LogConfiguration:
            LogDriver: "awslogs"
            Options:
              "awslogs-region": "us-west-2"  # hard-coded; !Ref AWS::Region would follow the stack
              "awslogs-group": !Sub "${AWS::StackName}-logs"
              "awslogs-stream-prefix": "boomi"
          MemoryReservation: !Ref MemRes
          MountPoints:
            - ContainerPath: "/mnt/boomi"  # not needed for EC2; ECS tries to update the permissions on the install dir
              SourceVolume: "BoomiEFS"
            - ContainerPath: !Ref ContainerMountPath
              SourceVolume: "ApplicationEFS"
          Name: !Ref BoomiContainerName
          PortMappings:
            - ContainerPort: 9090
              HostPort: 9090
              Protocol: tcp
            - ContainerPort: 7800
              HostPort: 7800
              Protocol: tcp
            - ContainerPort: 45588
              HostPort: 45588
              Protocol: udp
          # Privileged gives the container root-equivalent access to the host
          # (all capabilities, all devices), so a compromise of the atom is a
          # compromise of the instance and of its IAM role. Confirm the image
          # really needs it before keeping it.
          Privileged: "true"
          Secrets:
            - Name: BOOMI_USERNAME
              ValueFrom: !Ref BoomiUsernameSecret
            - Name: BOOMI_PASSWORD
              ValueFrom: !Ref BoomiPasswordSecret
            - Name: BOOMI_ACCOUNTID
              ValueFrom: !Ref BoomiAccountIDSecret
      Cpu: !Ref TaskCpu
      Memory: !Ref TaskMem
      # See the note on EnvInstanceRole: a dedicated execution role is preferable.
      ExecutionRoleArn: !GetAtt EnvInstanceRole.Arn
      NetworkMode: "bridge"
      Volumes:
        - Name: "BoomiEFS"
          EFSVolumeConfiguration:
            FilesystemId: !Ref EFSFileSystem
            TransitEncryption: ENABLED
            AuthorizationConfig:
              AccessPointId: !Ref AccessPoint
        - Name: "ApplicationEFS"
          EFSVolumeConfiguration:
            FilesystemId: !Ref AppEFSFileSystemId
            # When AccessPointId is set, RootDirectory must be omitted or "/":
            # the access point's own Path (AppEFSMountPath) is enforced instead,
            # and any other value makes the task fail to start.
            # RootDirectory: !Ref AppEFSMountPath  # e.g. "/" or "/devfinmod336"
            TransitEncryption: ENABLED
            AuthorizationConfig:
              AccessPointId: !Ref AppAccessPoint
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: name
          Value: !Sub "${AWS::StackName} ECS Task"
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction
  EcsService:
    Type: "AWS::ECS::Service"
    # Waiting for the DNS record to be created because we know the LB has been
    # created if the DNS record is created, and the LB needs to be created
    # before the ECS service is created
    DependsOn:
      - EcsInstanceAsg
      - AppDnsRecord
    Properties:
      ServiceName: !Ref AWS::StackName
      Cluster: !Ref ClusterName
      TaskDefinition: !Ref EcsTask
      DesiredCount: "1"
      HealthCheckGracePeriodSeconds: 180
      Role: !Ref EcsServiceRole
      LaunchType: EC2
      LoadBalancers:
        - ContainerName: !Ref BoomiContainerName
          ContainerPort: 9090
          TargetGroupArn: !Ref ALBTargetGroup
      # NetworkConfiguration is only valid for tasks whose NetworkMode is
      # awsvpc. EcsTask uses bridge, and a service that sets Role cannot use
      # awsvpc anyway, so this block is left disabled for reference only.
      # NetworkConfiguration:
      #   AwsvpcConfiguration:
      #     AssignPublicIp: DISABLED
      #     Subnets:
      #       - !ImportValue kuali-vpc-private-subnet-a
      #       - !ImportValue kuali-vpc-private-subnet-b
      #     SecurityGroups:
      #       - !Ref ECSSecurityGroup
      # For now we will spread across AZs
      PlacementStrategies:
        - Field: "attribute:ecs.availability-zone"
          Type: "spread"
      DeploymentConfiguration:
        MaximumPercent: "100"
        MinimumHealthyPercent: "0"
      # PlacementConstraints: ...
      Tags:
        - Key: service
          Value: !Ref TagService
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: name
          Value: !Sub "${AWS::StackName} ECS Service"
        - Key: createdby
          Value: !Ref TagCreatedBy
        - Key: contactnetid
          Value: !Ref TagContactNetId
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: resourcefunction
          Value: !Ref TagResourceFunction
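Several of the points called out in the comments above (a privileged container, an ingress rule open to 0.0.0.0/0, an execution role that is also the instance-profile role, NetworkConfiguration on a bridge-mode task, and RootDirectory set alongside an access point) are mechanical enough to catch before `aws cloudformation deploy`. The Python below is an added example, not part of this template and not a feature of cfn-lint or any AWS tool. It runs those checks over the template as a dict; the function names are mine, and SAMPLE is a constructed, reduced copy of this page's resources rather than the full file. A real template would be loaded with json.load (JSON) or with a YAML loader that rewrites the !Ref/!GetAtt short forms into their Fn:: equivalents.

```python
"""Pre-deployment checks for the ECS/EFS patterns used in this template.

Added example: not part of the template and not an AWS or cfn-lint feature.
Operates on the template as a dict, i.e. json.load on a JSON template, or a
YAML loader that maps !Ref/!GetAtt to {"Ref": ...}/{"Fn::GetAtt": [...]}.
SAMPLE below is a constructed, reduced copy of this page's resources.
"""


def _target(value):
    """Logical ID behind {"Ref": X} or {"Fn::GetAtt": [X, attr]}, else None."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            return value["Fn::GetAtt"][0]
    return None


def _of_type(template, rtype):
    """Resources of one CloudFormation type, keyed by logical ID."""
    return {k: v for k, v in template["Resources"].items() if v.get("Type") == rtype}


def privileged_containers(template):
    """Containers with Privileged true (bool, or the string "true" as used here)."""
    hits = []
    for tid, task in _of_type(template, "AWS::ECS::TaskDefinition").items():
        for c in task["Properties"].get("ContainerDefinitions", []):
            if str(c.get("Privileged", "false")).lower() == "true":
                hits.append(f"{tid}/{_target(c.get('Name')) or c.get('Name')}")
    return hits


def world_open_ingress(template):
    """Security group ingress rules that admit any IPv4 or IPv6 source."""
    hits = []
    for sid, sg in _of_type(template, "AWS::EC2::SecurityGroup").items():
        for rule in sg["Properties"].get("SecurityGroupIngress", []):
            if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                hits.append(f"{sid}:{rule.get('FromPort')}-{rule.get('ToPort')}")
    return hits


def execution_role_is_instance_role(template):
    """Task definitions whose execution role also sits in an instance profile."""
    instance_roles = set()
    for prof in _of_type(template, "AWS::IAM::InstanceProfile").values():
        instance_roles.update(_target(r) for r in prof["Properties"].get("Roles", []))
    return [tid for tid, task in _of_type(template, "AWS::ECS::TaskDefinition").items()
            if _target(task["Properties"].get("ExecutionRoleArn")) in instance_roles]


def service_network_mismatch(template):
    """Services that set NetworkConfiguration for a task not using awsvpc."""
    tasks = _of_type(template, "AWS::ECS::TaskDefinition")
    hits = []
    for sid, svc in _of_type(template, "AWS::ECS::Service").items():
        props = svc["Properties"]
        task = tasks.get(_target(props.get("TaskDefinition")), {})
        mode = task.get("Properties", {}).get("NetworkMode", "bridge")  # EC2 default
        if "NetworkConfiguration" in props and mode != "awsvpc":
            hits.append(f"{sid} ({mode})")
    return hits


def root_dir_with_access_point(template):
    """EFS volumes that pair an access point with a RootDirectory other than /."""
    hits = []
    for tid, task in _of_type(template, "AWS::ECS::TaskDefinition").items():
        for vol in task["Properties"].get("Volumes", []):
            efs = vol.get("EFSVolumeConfiguration", {})
            has_ap = bool(efs.get("AuthorizationConfig", {}).get("AccessPointId"))
            if has_ap and efs.get("RootDirectory", "/") != "/":
                hits.append(f"{tid}/{vol.get('Name')}")
    return hits


CHECKS = {
    "privileged container": privileged_containers,
    "ingress open to the world": world_open_ingress,
    "execution role doubles as instance role": execution_role_is_instance_role,
    "NetworkConfiguration on non-awsvpc task": service_network_mismatch,
    "RootDirectory set alongside AccessPointId": root_dir_with_access_point,
}


def lint(template):
    """Run every check; return only the ones that found something."""
    findings = {}
    for name, check in CHECKS.items():
        hits = check(template)
        if hits:
            findings[name] = hits
    return findings


# Constructed, reduced copy of this page's resources (not the full template).
SAMPLE = {"Resources": {
    "EnvInstanceRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    "EnvInstanceProfile": {"Type": "AWS::IAM::InstanceProfile",
                           "Properties": {"Roles": [{"Ref": "EnvInstanceRole"}]}},
    "ALBSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443,
                                  "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "EcsTask": {"Type": "AWS::ECS::TaskDefinition", "Properties": {
        "NetworkMode": "bridge",
        "ExecutionRoleArn": {"Fn::GetAtt": ["EnvInstanceRole", "Arn"]},
        "ContainerDefinitions": [{"Name": "boomi", "Privileged": "true"}],
        "Volumes": [{"Name": "ApplicationEFS", "EFSVolumeConfiguration": {
            "RootDirectory": "/dev",
            "AuthorizationConfig": {"AccessPointId": {"Ref": "AppAccessPoint"}}}}]}},
    "EcsService": {"Type": "AWS::ECS::Service", "Properties": {
        "TaskDefinition": {"Ref": "EcsTask"},
        "NetworkConfiguration": {"AwsvpcConfiguration": {}}}},
}}

if __name__ == "__main__":
    for name, hits in lint(SAMPLE).items():
        print(f"{name}: {', '.join(hits)}")
```

Each check returns the logical IDs it flagged, so the same functions can gate a CI job (non-empty result fails the build) rather than only print. Lowering the privileged check to a warning for images that genuinely need it is a policy decision for the team, not for the linter.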

  # ECS Service Role
  #
  # Legacy service role ECS assumes to register instance targets with the ALB.
  # Only AmazonEC2ContainerServiceRole is relevant here; the
  # AmazonEC2ContainerServiceforEC2Role policy is the container-instance
  # policy and grants this role nothing it uses. Omitting Role on the service
  # makes ECS use its service-linked role instead.

  EcsServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
        - arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole

  # Defines the ECS Security Group Ingress (host-to-host multicast within the
  # group, UDP 45588)
  # Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html
  ECSMulicastIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: udp
      FromPort: 45588
      ToPort: 45588
      SourceSecurityGroupId: !Ref ECSSecurityGroup
      GroupId: !Ref ECSSecurityGroup
  # Defines the ECS Security Group Ingress (host-to-host unicast within the
  # group, TCP 7800)
  # Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html
  ECSUnicastIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: 7800
      ToPort: 7800
      SourceSecurityGroupId: !Ref ECSSecurityGroup
      GroupId: !Ref ECSSecurityGroup

  # Used to add the Instance SG to the DB SG
  # This is needed to allow the atom to connect to the DB

  AppInstToDB1521:
    Type: "AWS::EC2::SecurityGroupIngress"
    Properties:
      GroupId: !ImportValue "Kuali-DbSg-DbSecurityGroup"
      IpProtocol: tcp
      FromPort: 1521
      ToPort: 1521
      SourceSecurityGroupId: !Ref ECSSecurityGroup
      Description: "ECS Instance"

  # Route53 DNS Record (alias form)
  #
  # Defines the ALB DNS Record Set
  # Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-recordset.html
  #
  # This is the alias-record alternative to AppDnsRecord above. As originally
  # written it referenced a resource named ALB, which does not exist in this
  # template (the load balancer is BoomiAtomALB), and Route53 refuses an A
  # record at a name that already holds a CNAME, so the two records cannot
  # both be deployed. To switch to the alias form, enable this block, remove
  # AppDnsRecord and point the BoomiAtomDNS output at ALBDNSRecord.
  # ALBDNSRecord:
  #   Type: AWS::Route53::RecordSet
  #   Properties:
  #     AliasTarget:
  #       HostedZoneId: !GetAtt BoomiAtomALB.CanonicalHostedZoneID
  #       DNSName: !GetAtt BoomiAtomALB.DNSName
  #     HostedZoneName: !Sub "${DNSHostedZone}."
  #     Name: !Sub "${DNSAliasName}.${DNSHostedZone}."
  #     Type: A

# Outputs
#
# Output values that can be viewed from the AWS CloudFormation console.

Outputs:
  BoomiAtomDNS:
    Value: !Ref AppDnsRecord
    Export:
      Name: !Sub "${AWS::StackName}-dns"
  BoomiAtomEcsCluster:
    Value: !Ref EcsCluster
    Export:
      Name: !Sub "${AWS::StackName}-ecscluster"
  EcsClusterArn:
    Value: !GetAtt EcsCluster.Arn
    Export:
      Name: !Sub "${AWS::StackName}-ecsclusterarn"