fargate-on-demand-lb.yml

AWSTemplateFormatVersion: '2010-09-09'
Description: Deploy a service on AWS Fargate, hosted in a public subnet, and accessible via a public load balancer.
Parameters:
  EnvironmentName:
    Type: String
    Default: benchmark
    Description: The name of the environment to add this service to
  ServiceName:
    Type: String
    Default: benchmark-fargate-lb
    Description: A name for the service
  ImageUrl:
    Type: String
    Default: public.ecr.aws/docker/library/nginx:latest
    Description: The url of a docker image that contains the application process that
                 will handle the traffic for this service
  ContainerPort:
    Type: Number
    Default: 80
    Description: What port number the application inside the docker container is binding to
  ContainerCpu:
    Type: Number
    Default: 256
    Description: How much CPU to give the container. 1024 is 1 CPU
  ContainerMemory:
    Type: Number
    Default: 512
    Description: How much memory in megabytes to give the container
  Path:
    Type: String
    Default: "*"
    Description: A path on the public load balancer that this service
                 should be connected to. Use * to send all load balancer
                 traffic to this service.
  Priority:
    Type: Number
    Default: 1
    Description: The priority for the routing rule added to the load balancer.
                 This only applies if your have multiple services which have been
                 assigned to different paths on the load balancer.
  DesiredCount:
    Type: Number
    Default: 0
    Description: How many copies of the service task to run
  Role:
    Type: String
    Default: ""
    Description: (Optional) An IAM role to give the service's containers if the code within needs to
                 access other AWS resources like S3 buckets, DynamoDB tables, etc

Conditions:
  HasCustomRole: !Not [ !Equals [!Ref 'Role', ''] ]

Resources:
  # A log group for storing the stdout logs from this service's containers
  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub ${EnvironmentName}-service-${ServiceName}

  # The task definition. This is a simple metadata description of what
  # container to run, and what resource requirements it has.
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: !Ref 'ServiceName'
      Cpu: !Ref 'ContainerCpu'
      Memory: !Ref 'ContainerMemory'
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      ExecutionRoleArn:
        Fn::ImportValue: !Sub ${EnvironmentName}:ECSTaskExecutionRole
      TaskRoleArn:
        Fn::If:
          - 'HasCustomRole'
          - !Ref 'Role'
          - !Ref "AWS::NoValue"
      ContainerDefinitions:
        - Name: !Ref 'ServiceName'
          Cpu: !Ref 'ContainerCpu'
          Memory: !Ref 'ContainerMemory'
          Image: !Ref 'ImageUrl'
          PortMappings:
            - ContainerPort: !Ref 'ContainerPort'
          LogConfiguration:
            LogDriver: 'awslogs'
            Options:
              awslogs-group: !Sub ${EnvironmentName}-service-${ServiceName}
              awslogs-region: !Ref 'AWS::Region'
              awslogs-stream-prefix: !Ref 'ServiceName'

  # A security group for this specific service. We will add an ingress
  # rule to this SG so that it allows inbound traffic from the LB
  ServiceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub Access to the containers for service ${ServiceName}
      VpcId:
        Fn::ImportValue: !Sub ${EnvironmentName}:VpcId

  # The service. The service is a resource which allows you to run multiple
  # copies of a type of task, and gather up their logs and metrics, as well
  # as monitor the number of running tasks and replace any that have crashed
  Service:
    Type: AWS::ECS::Service
    Properties:
      ServiceName: !Ref 'ServiceName'
      Cluster:
        Fn::ImportValue: !Sub ${EnvironmentName}:ClusterName
      CapacityProviderStrategy:
        - Base: 0
          CapacityProvider: FARGATE
          Weight: 1
        #- Base: 0
        #  CapacityProvider: FARGATE_SPOT
        #  Weight: 1
      DeploymentConfiguration:
        MaximumPercent: 200
        MinimumHealthyPercent: 75
      DesiredCount: !Ref 'DesiredCount'
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: DISABLED
          SecurityGroups:
            - !Ref ServiceSecurityGroup
          Subnets:
            - Fn::ImportValue: !Sub ${EnvironmentName}:PrivateSubnetOne
            - Fn::ImportValue: !Sub ${EnvironmentName}:PrivateSubnetTwo
      TaskDefinition: !Ref 'TaskDefinition'
      LoadBalancers:
        - ContainerName: !Ref 'ServiceName'
          ContainerPort: !Ref 'ContainerPort'
          TargetGroupArn: !Ref 'TargetGroup'

  # A target group. This is used for keeping track of all the tasks, and
  # what IP addresses / port numbers they have. You can query it yourself,
  # to use the addresses yourself, but most often this target group is just
  # connected to an application load balancer, or network load balancer, so
  # it can automatically distribute traffic across all the targets.
  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      HealthCheckIntervalSeconds: 6
      HealthCheckPath: /
      HealthCheckProtocol: HTTP
      HealthCheckTimeoutSeconds: 5
      HealthyThresholdCount: 2
      Name: !Ref 'ServiceName'
      Port: 80
      Protocol: HTTP
      UnhealthyThresholdCount: 2
      TargetType: ip
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: '5'
      VpcId:
        Fn::ImportValue: !Sub ${EnvironmentName}:VpcId

  # Create an ingress rule that allows the public load balancer to send traffic to the service's security group
  ServiceIngressFromPublicALB:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      Description: Service ${ServiceName} allows inbound traffic from the public facing LB
      GroupId: !Ref ServiceSecurityGroup
      IpProtocol: -1
      SourceSecurityGroupId:
        Fn::ImportValue: !Sub ${EnvironmentName}:PublicLoadBalancerSG

  # Create a rule on the load balancer for routing traffic to the target group
  LoadBalancerRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      Actions:
        - TargetGroupArn: !Ref 'TargetGroup'
          Type: 'forward'
      Conditions:
        - Field: path-pattern
          Values: [!Ref 'Path']
      ListenerArn:
        Fn::ImportValue: !Sub ${EnvironmentName}:PublicListener
      Priority: !Ref 'Priority'

  # A CloudWatch log group for persisting the deployment events
  ServiceEventLog:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub /aws/events/${EnvironmentName}-${ServiceName}-events

  # Create the EventBridge rule that captures deployment events into the CloudWatch log group
  CaptureServiceDeploymentEvents:
    Type: AWS::Events::Rule
    Properties:
      Description: !Sub 'Capture service deployment events from the ECS service ${ServiceName}'
      # Which events to capture
      EventPattern:
        source:
          - aws.ecs
        detail-type:
          - "ECS Deployment State Change"
          - "ECS Service Action"
        resources:
          - !Ref Service
      # Where to send the events
      Targets:
        - Arn: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${ServiceEventLog}
          Id: 'CloudWatchLogGroup'

  # A CloudWatch dashboard that runs a CloudWatch Log Insights query to display the deployment events
  # from ECS
  ServiceDashboard:
    Type: AWS::CloudWatch::Dashboard
    Properties:
      DashboardName: !Sub ${ServiceName}-Deployments
      DashboardBody:
        !Sub
          - |
            {
              "widgets": [
                {
                  "type": "log",
                  "x": 0,
                  "y": 0,
                  "width": 24,
                  "height": 12,
                  "properties": {
                    "region": "${AWS::Region}",
                    "title": "Service Deployments",
                    "query": "SOURCE '${ServiceEventLog}' | fields @timestamp, detail.eventName, detail.deploymentId | sort @timestamp desc | limit 500",
                    "view": "table"
                  }
                },
                {
                  "type": "metric",
                  "x": 0,
                  "y": 13,
                  "width": 24,
                  "height": 6,
                  "properties": {
                      "metrics": [
                          [ "ECS/ContainerInsights", "RunningTaskCount", "ServiceName", "${Service.Name}", "ClusterName", "${ClusterName}" ],
                          [ ".", "DesiredTaskCount", ".", ".", ".", "." ]
                      ],
                      "view": "timeSeries",
                      "stacked": false,
                      "region": "${AWS::Region}",
                      "stat": "Sum",
                      "period": 60,
                      "yAxis": {
                          "left": {
                              "min": 0
                          }
                      },
                      "title": "DesiredTaskCount, RunningTaskCount"
                  }
                }
              ]
            }
          - ClusterName: !ImportValue
              'Fn::Sub': ${EnvironmentName}:ClusterName