google-drive-backup-stack.ts
import * as cdk from '@aws-cdk/core';
import * as ecs from '@aws-cdk/aws-ecs';
import * as ec2 from '@aws-cdk/aws-ec2';
import * as aas from '@aws-cdk/aws-applicationautoscaling';
import * as iam from '@aws-cdk/aws-iam';
import * as s3 from '@aws-cdk/aws-s3';
import * as sm from '@aws-cdk/aws-secretsmanager';
import * as ecsp from '@aws-cdk/aws-ecs-patterns';
import * as dotenv from 'dotenv';
// Load variables from a local .env file into process.env before the stack is
// synthesized. The stack below reads several of them (HEALTHCHECKS_URL,
// GOOGLE_DRIVE_*, RCLONE_S3_REGION, CRON_SCHEDULE) and copies them into the
// task definition as plain environment values, so the .env file should hold
// configuration only and stay out of version control.
dotenv.config();
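/**
 * CDK stack that provisions a scheduled Fargate task, the S3 bucket it writes
 * to, and the Secrets Manager secret it reads its Google Drive credentials from.
 *
 * The container image is built from `./local-image`, which is not part of this
 * file; judging by the `RCLONE_*` variable names it is presumably an rclone
 * job that copies a Google Drive folder into the bucket (confirm against the
 * image).
 *
 * Deploy-time configuration is read from `process.env`:
 * `HEALTHCHECKS_URL`, `GOOGLE_DRIVE_IMPERSONATION_EMAIL`, `GOOGLE_DRIVE_FOLDER`,
 * `RCLONE_S3_REGION` (each falls back to an empty string) and `CRON_SCHEDULE`
 * (required, JSON object of cron fields).
 */
export class GoogleDriveBackupStack extends cdk.Stack {
  /**
   * @param scope Parent construct.
   * @param id Logical id of the stack; also used as the log stream prefix.
   * @param props Optional stack properties passed through to `cdk.Stack`.
   * @throws Error when `CRON_SCHEDULE` is unset, blank, not valid JSON, or not
   *   a JSON object.
   */
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Task role assumed by the ECS task at runtime. Its only grant in this
    // stack is read/write on the backups bucket.
    const role = new iam.Role(this, 'backupsRole', {
      assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com')
    });

    // Backup destination. Versioning keeps prior object versions, so an
    // overwrite or delete issued by the task does not destroy earlier backups.
    // Public access is blocked and server-side encryption is requested
    // explicitly instead of relying on account or service defaults.
    // NOTE(review): consider also denying non-TLS requests (`enforceSSL`) if
    // the pinned CDK version supports it.
    const backupsBucket = new s3.Bucket(this, 'backupsBucket', {
      versioned: true,
      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
      encryption: s3.BucketEncryption.S3_MANAGED
    });
    backupsBucket.grantReadWrite(role);

    // No secret value is supplied here, so the service-account JSON is not
    // part of the synthesized template; it has to be stored in the secret out
    // of band after the first deploy.
    const googleDriveCredentialsSecret = new sm.Secret(this, 'googleDriveCredentials', {
      secretName: '/google-drive-backup/RCLONE_DRIVE_SERVICE_ACCOUNT_CREDENTIALS'
    });

    // 4 vCPU / 16 GiB Fargate task running under the bucket-scoped role.
    const taskDefinition = new ecs.FargateTaskDefinition(this, 'backupTaskDefinition', {
      taskRole: role,
      cpu: 4 * 1024,
      memoryLimitMiB: 16 * 1024
    });

    taskDefinition.addContainer('backupTaskContainer', {
      image: ecs.ContainerImage.fromAsset('./local-image'),
      // Plain environment values: these are readable by anyone who can
      // describe the task definition or read the template.
      // NOTE(review): if HEALTHCHECKS_URL embeds a per-check token, it may
      // belong in `secrets` instead - confirm.
      environment: {
        'HEALTHCHECKS_URL': process.env.HEALTHCHECKS_URL || '',
        'GOOGLE_DRIVE_IMPERSONATION_EMAIL': process.env.GOOGLE_DRIVE_IMPERSONATION_EMAIL || '',
        'GOOGLE_DRIVE_FOLDER': process.env.GOOGLE_DRIVE_FOLDER || '',
        'S3_BUCKET_NAME': backupsBucket.bucketName,
        'RCLONE_S3_REGION': process.env.RCLONE_S3_REGION || ''
      },
      // Injected from Secrets Manager when the container starts, so the
      // credential value never appears in the task definition itself.
      secrets: {
        'RCLONE_DRIVE_SERVICE_ACCOUNT_CREDENTIALS': ecs.Secret.fromSecretsManager(
          googleDriveCredentialsSecret
        )
      },
      logging: new ecs.AwsLogDriver({ streamPrefix: this.node.id })
    });

    // Public subnets only and no NAT gateway.
    // NOTE(review): the task therefore depends on the public subnet for
    // outbound access; confirm its security group admits no inbound traffic.
    const vpc = new ec2.Vpc(this, 'vpc', {
      natGateways: 0,
      subnetConfiguration: [
        { name: 'public', cidrMask: 24, subnetType: ec2.SubnetType.PUBLIC }
      ]
    });
    const cluster = new ecs.Cluster(this, 'cluster', { vpc });

    // Fail at synth time on a missing or malformed schedule. The previous
    // fallback to '{}' passed an empty options object to Schedule.cron, which
    // leaves every cron field at its wildcard default and would start this
    // 4 vCPU / 16 GiB task far more often than intended.
    const schedule = aas.Schedule.cron(
      GoogleDriveBackupStack.parseCronOptions(process.env.CRON_SCHEDULE)
    );

    new ecsp.ScheduledFargateTask(this, 'backupTask', {
      cluster,
      subnetSelection: { subnetType: ec2.SubnetType.PUBLIC },
      scheduledFargateTaskDefinitionOptions: { taskDefinition },
      schedule
    });
  }

  /**
   * Parses the CRON_SCHEDULE value into cron options.
   *
   * Only the overall shape is checked here (a non-blank string holding a JSON
   * object); the individual fields are left for `Schedule.cron` to interpret.
   *
   * @param raw Raw value of the CRON_SCHEDULE environment variable.
   * @returns The parsed JSON object, typed as cron options.
   * @throws Error when the value is unset, blank, invalid JSON, or not an object.
   */
  private static parseCronOptions(raw: string | undefined): aas.CronOptions {
    if (raw === undefined || raw.trim() === '') {
      throw new Error(
        'CRON_SCHEDULE must be set to a JSON object of cron fields, e.g. {"minute":"0","hour":"3"}'
      );
    }

    let parsed: unknown;
    try {
      parsed = JSON.parse(raw);
    } catch (err) {
      const reason = err instanceof Error ? err.message : String(err);
      throw new Error(`CRON_SCHEDULE is not valid JSON: ${reason}`);
    }

    if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
      throw new Error('CRON_SCHEDULE must be a JSON object of cron fields');
    }
    return parsed as aas.CronOptions;
  }
}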