aws_deploy.yaml
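# AWS SAM template (CloudFormation with the Serverless transform).
# The resources it declares are two IAM roles, a log group, a Fargate task
# definition and a Lambda function with two API events.
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'

Parameters:
  # NOTE(review): BucketName and DBName are declared but never referenced
  # anywhere in this template. They look like the intended scope for the
  # task role's S3 / DynamoDB permissions -- confirm and wire them in, or
  # drop them.
  BucketName:
    Type: String
  DBName:
    Type: String
  # Handed to the Lambda function unchanged as the AP_SUBNETS environment
  # variable. The expected format (single id vs. delimited list) is decided
  # by the handler code, which is not part of this template.
  SubNets:
    Type: String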
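Resources:
  # Role assumed by ECS itself (ecs-tasks.amazonaws.com) to pull the container
  # image and ship container logs. Permissions are limited to what this
  # template actually wires up: the ECR repository named in Task's Image and
  # the Log group named in Task's LogConfiguration.
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - 'ecs-tasks.amazonaws.com'
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: executionRolePolicy
          PolicyDocument:
            Statement:
              # GetAuthorizationToken is account-wide and does not support
              # resource-level scoping, so it keeps Resource '*'.
              - Effect: Allow
                Action:
                  - 'ecr:GetAuthorizationToken'
                Resource: '*'
              # Image pull, restricted to the repository the task image
              # comes from (same account/region, repository = stack name).
              - Effect: Allow
                Action:
                  - 'ecr:BatchCheckLayerAvailability'
                  - 'ecr:GetDownloadUrlForLayer'
                  - 'ecr:BatchGetImage'
                Resource: !Sub 'arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/${AWS::StackName}'
              # Log shipping, restricted to this stack's log group.
              - Effect: Allow
                Action:
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: !GetAtt Log.Arn

  # Role the application code inside the container runs as.
  TaskRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - 'ecs-tasks.amazonaws.com'
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: taskRolePolicy
          PolicyDocument:
            Statement:
              # NOTE(review): every S3 and DynamoDB action on every resource
              # in the account, including delete and policy-changing calls.
              # Any task started through the API below runs with this.
              # The container code is not visible here, so the grant is left
              # as written; if the task only touches the bucket and table
              # named by the (currently unused) BucketName / DBName
              # parameters, scope Resource to
              #   arn:aws:s3:::${BucketName}
              #   arn:aws:s3:::${BucketName}/*
              #   arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${DBName}
              # and replace the wildcards with the specific actions used.
              - Effect: Allow
                Action:
                  - 's3:*'
                  - 'dynamodb:*'
                Resource: '*'

  # Log group for the container, named after the stack.
  # NOTE(review): no RetentionInDays is set, so events are kept indefinitely.
  Log:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Ref AWS::StackName

  # Fargate task definition with a single container.
  Task:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Name: !Ref AWS::StackName
          Environment:
            - Name: 'AP_ECR_TASK'
              Value: !Ref AWS::StackName
            - Name: 'AP_AWS_REGION'
              Value: !Ref AWS::Region
          # NOTE(review): ':latest' is a mutable tag, so each task launch
          # runs whatever was pushed to the repository most recently.
          # Pinning an immutable tag or an image digest makes the deployed
          # code auditable.
          Image: !Sub '${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${AWS::StackName}:latest'
          # Written as a real boolean instead of the string 'true'.
          Essential: true
          LogConfiguration:
            LogDriver: 'awslogs'
            Options:
              awslogs-group: !Ref Log
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: 'ecs'
          MemoryReservation: 4096
      Cpu: 2048
      ExecutionRoleArn:
        Fn::GetAtt:
          - ExecutionRole
          - Arn
      Family: !Ref AWS::StackName
      Memory: 4096
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      TaskRoleArn:
        Fn::GetAtt:
          - TaskRole
          - Arn

  # Lambda function behind the API; per its Description it starts ECS tasks.
  LambdaFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      FunctionName: !Sub '${AWS::StackName}-tasklambda'
      Handler: index.lambda_handler
      # NOTE(review): python3.7 is past end of support on Lambda; move to a
      # supported runtime once the handler in lambda/ has been tested on it.
      Runtime: python3.7
      CodeUri: lambda/
      Description: !Sub 'Lambda function to kick off ECS tasks. Part of ${AWS::StackName}'
      MemorySize: 128
      Timeout: 10
      Policies:
        # NOTE(review): AWSLambdaFullAccess is a broad managed policy that
        # AWS has deprecated. The only permissions this template shows the
        # function needing are the ECS and iam:PassRole statements below.
        # Confirm what the handler calls and replace this entry with a
        # scoped policy.
        - AWSLambdaFullAccess
        - Statement:
            - Effect: Allow
              Action:
                - 'ecs:RunTask'
                - 'ecs:DescribeTasks'
                - 'ecs:StopTask'
              Resource:
                - !Ref Task
                - !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task/*'
        - Statement:
            # The function may hand only these two roles to ECS. The
            # condition additionally pins the receiving service, so the
            # grant cannot be reused to pass the roles anywhere else.
            - Effect: Allow
              Action:
                - 'iam:PassRole'
              Resource:
                - !GetAtt ExecutionRole.Arn
                - !GetAtt TaskRole.Arn
              Condition:
                StringEquals:
                  'iam:PassedToService': 'ecs-tasks.amazonaws.com'
      Events:
        # NOTE(review): neither Api event sets Auth and the template has no
        # Globals section or explicit API resource, so nothing here puts an
        # authorizer, API key or resource policy in front of these routes.
        # POST /tasks reaches a function that can run tasks under TaskRole;
        # add an Auth setting (for example IAM or a Cognito/Lambda
        # authorizer) before exposing the endpoint.
        GetTasks:
          Type: Api
          Properties:
            Path: /tasks
            Method: POST
        CheckTasks:
          Type: Api
          Properties:
            Path: '/tasks/{proxy+}'
            Method: GET
      Environment:
        Variables:
          AP_ECR_TASK: !Ref AWS::StackName
          AP_AWS_REGION: !Ref AWS::Region
          AP_SUBNETS: !Ref SubNets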
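Outputs:
  # URL of the /tasks route on the Prod stage of the implicit SAM REST API.
  LambdaEndpoint:
    Value: !Sub 'https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/tasks'
    Export:
      # NOTE(review): the export name is a fixed literal, while every other
      # name in the template is derived from the stack name. Export names
      # must be unique per account and region, so a second stack built from
      # this template in the same region would collide. Renaming it (for
      # example to include AWS::StackName) breaks existing importers, so it
      # is left as written.
      Name: LambdaEndpoint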