jsfest
diff --git a/‎stack/__init__.py
Lines changed: 16 additions & 7 deletions b/‎stack/__init__.py
Lines changed: 16 additions & 7 deletions
diff --git a/‎stack/assets.py
Lines changed: 2 additions & 3 deletions b/‎stack/assets.py
Lines changed: 2 additions & 3 deletions
diff --git a/‎stack/common.py
Lines changed: 34 additions & 43 deletions b/‎stack/common.py
Lines changed: 34 additions & 43 deletions
diff --git a/‎stack/containers.py
Lines changed: 49 additions & 9 deletions b/‎stack/containers.py
Lines changed: 49 additions & 9 deletions
diff --git a/‎stack/dokku.py
Lines changed: 2 additions & 29 deletions b/‎stack/dokku.py
Lines changed: 2 additions & 29 deletions
diff --git a/‎stack/eb.py
Lines changed: 1 addition & 1 deletion b/‎stack/eb.py
Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,14 @@
 import os
 
-if os.environ.get("USE_EKS") == "on":
+USE_DOKKU = os.environ.get("USE_DOKKU") == "on"
+USE_EB = os.environ.get("USE_EB") == "on"
+USE_EC2 = os.environ.get("USE_EC2") == "on"
+USE_ECS = os.environ.get("USE_ECS") == "on"
+USE_EKS = os.environ.get("USE_EKS") == "on"
+USE_GOVCLOUD = os.environ.get("USE_GOVCLOUD") == "on"
+USE_NAT_GATEWAY = os.environ.get("USE_NAT_GATEWAY") == "on"
+
+if USE_EKS:
     from . import vpc  # noqa: F401
     from . import template
     from . import repository  # noqa: F401
@@ -14,23 +22,24 @@
     from . import vpc  # noqa: F401
     from . import template
 
-    if os.environ.get("USE_GOVCLOUD") != "on":
+    if not USE_GOVCLOUD:
         # make sure this isn't added to the template for GovCloud, as it's not
         # supported in this region
         from . import search  # noqa: F401
 
-    if os.environ.get("USE_NAT_GATEWAY") == "on":
+    if USE_NAT_GATEWAY:
         from . import bastion  # noqa: F401
 
-    if os.environ.get("USE_ECS") == "on":
+    if USE_ECS:
         from . import repository  # noqa: F401
         from . import ecs_cluster  # noqa: F401
-    elif os.environ.get("USE_EB") == "on":
+    elif USE_EB:
         from . import repository  # noqa: F401
         from . import eb  # noqa: F401
-    elif os.environ.get("USE_DOKKU") == "on":
+    elif USE_DOKKU:
         from . import dokku  # noqa: F401
-    else:  # USE_GOVCLOUD and USE_EC2 both provide EC2 instances
+    elif USE_EC2 or USE_GOVCLOUD:
+        # USE_GOVCLOUD and USE_EC2 both provide EC2 instances
         from . import instances  # noqa: F401
 
 # Must be last to tag all resources
 
@@ -1,5 +1,3 @@
-import os
-
 from troposphere import (
     AWS_REGION,
     And,
@@ -36,6 +34,7 @@
     VersioningConfiguration
 )
 
+from . import USE_GOVCLOUD
 from .common import (
     arn_prefix,
     cmk_arn,
@@ -263,7 +262,7 @@
 )
 
 
-if os.environ.get('USE_GOVCLOUD') != 'on':
+if not USE_GOVCLOUD:
     assets_use_cloudfront = template.add_parameter(
         Parameter(
             "AssetsUseCloudFront",
 
@@ -1,7 +1,6 @@
-import os
-
 from troposphere import AWS_REGION, Equals, If, Not, Ref
 
+from . import USE_DOKKU, USE_EB, USE_ECS
 from .template import template
 from .utils import ParameterWithDefaults as Parameter
 
@@ -11,53 +10,45 @@
 template.add_condition(in_govcloud_region, Equals(Ref(AWS_REGION), "us-gov-west-1"))
 arn_prefix = If(in_govcloud_region, "arn:aws-us-gov", "arn:aws")
 
-administrator_ip_address = Ref(
-    template.add_parameter(
+administrator_ip_address = Ref(template.add_parameter(
+    Parameter(
+        "AdministratorIPAddress",
+        Description="The IP address allowed to access containers. "
+                    "Defaults to TEST-NET-1 (ie, no valid IP)",
+        Type="String",
+        # RFC5737 - TEST-NET-1 reserved for documentation
+        Default="192.0.2.0/24",
+    ),
+    group="Application Server",
+    label="Admin IP Address",
+))
+
+if any([USE_DOKKU, USE_EB, USE_ECS]):
+    secret_key = Ref(template.add_parameter(
         Parameter(
-            "AdministratorIPAddress",
-            Description="The IP address allowed to access containers. "
-            "Defaults to TEST-NET-1 (ie, no valid IP)",
+            "SecretKey",
+            Description="Application secret key for this stack (optional)",
             Type="String",
-            # RFC5737 - TEST-NET-1 reserved for documentation
-            Default="192.0.2.0/24",
+            NoEcho=True,
         ),
         group="Application Server",
-        label="Admin IP Address",
-    )
-)
+        label="Secret Key",
+    ))
 
-if "on" in set([os.getenv("USE_DOKKU"), os.getenv("USE_EB"), os.getenv("USE_ECS")]):
-    secret_key = Ref(
-        template.add_parameter(
-            Parameter(
-                "SecretKey",
-                Description="Application secret key for this stack (optional)",
-                Type="String",
-                NoEcho=True,
-            ),
-            group="Application Server",
-            label="Secret Key",
-        )
-    )
-
-use_aes256_encryption = Ref(
-    template.add_parameter(
-        Parameter(
-            "UseAES256Encryption",
-            Description="Whether or not to use server side encryption for S3, EBS, and RDS. "
-            "When true, encryption is enabled for all resources.",
-            Type="String",
-            AllowedValues=["true", "false"],
-            Default="false",
-        ),
-        group="Global",
-        label="Enable Encryption",
-    )
-)
+use_aes256_encryption = Ref(template.add_parameter(
+    Parameter(
+        "UseAES256Encryption",
+        Description="Whether or not to use server side encryption for S3, EBS, and RDS. "
+                    "When true, encryption is enabled for all resources.",
+        Type="String",
+        AllowedValues=["true", "false"],
+        Default="false",
+    ),
+    group="Global",
+    label="Enable Encryption",
+))
 use_aes256_encryption_cond = "UseAES256EncryptionCond"
-template.add_condition(
-    use_aes256_encryption_cond, Equals(use_aes256_encryption, "true")
-)
+template.add_condition(use_aes256_encryption_cond, Equals(use_aes256_encryption, "true"))
 
 cmk_arn = template.add_parameter(
     Parameter(
 
@@ -1,24 +1,24 @@
 """
-Common between instances and EKS.
+Common (almost) between instances, DOKKU, ECS, and EKS.
 """
-import os
-
+from awacs import ecr
 from troposphere import Ref, iam
 
-from stack.assets import assets_management_policy
-from stack.logs import logging_policy
+from stack import USE_EKS, USE_ECS
 from stack.template import template
 from stack.utils import ParameterWithDefaults as Parameter
 
-USE_EKS = os.environ.get("USE_EKS") == "on"
+if not USE_EKS:
+    from stack.assets import assets_management_policy
+    from stack.logs import logging_policy
 
 desired_container_instances = Ref(
     template.add_parameter(
         Parameter(
             "DesiredScale",
             Description="Desired container instances count",
             Type="Number",
-            Default="2",
+            Default="3" if USE_ECS else "2",
         ),
         group="Application Server",
         label="Desired Instance Count",
@@ -30,7 +30,7 @@
             "MaxScale",
             Description="Maximum container instances count",
             Type="Number",
-            Default="4",
+            Default="3" if USE_ECS else "4",
         ),
         group="Application Server",
         label="Maximum Instance Count",
@@ -50,6 +50,45 @@
     )
 )
 
+if USE_EKS:
+    container_policies = []
+else:
+    container_policies = [assets_management_policy, logging_policy]
+if USE_ECS:
+    container_policies.extend(
+        [
+            iam.Policy(
+                PolicyName="ECSManagementPolicy",
+                PolicyDocument=dict(
+                    Statement=[
+                        dict(
+                            Effect="Allow",
+                            Action=["ecs:*", "elasticloadbalancing:*"],
+                            Resource="*",
+                        )
+                    ],
+                ),
+            ),
+            iam.Policy(
+                PolicyName="ECRManagementPolicy",
+                PolicyDocument=dict(
+                    Statement=[
+                        dict(
+                            Effect="Allow",
+                            Action=[
+                                ecr.GetAuthorizationToken,
+                                ecr.GetDownloadUrlForLayer,
+                                ecr.BatchGetImage,
+                                ecr.BatchCheckLayerAvailability,
+                            ],
+                            Resource="*",
+                        )
+                    ],
+                ),
+            ),
+        ]
+    )
+
 container_instance_role = iam.Role(
     "ContainerInstanceRole",
     template=template,
@@ -63,7 +102,7 @@
         ]
     ),
     Path="/",
-    Policies=[assets_management_policy, logging_policy,],
+    Policies=container_policies,
     **(
         dict(
             ManagedPolicyArns=[
@@ -83,6 +122,7 @@
     Path="/",
     Roles=[Ref(container_instance_role)],
 )
+
 container_instance_type = Ref(
     template.add_parameter(
         Parameter(
 
@@ -1,14 +1,11 @@
 import troposphere.cloudformation as cloudformation
 import troposphere.ec2 as ec2
-import troposphere.iam as iam
 from troposphere import Base64, FindInMap, Join, Output, Ref, Tags
 from troposphere.policies import CreationPolicy, ResourceSignal
 
-from .assets import assets_management_policy
-from .containers import container_instance_type
+from .containers import container_instance_type, container_instance_profile
 from .domain import domain_name
 from .environment import environment_variables
-from .logs import logging_policy
 from .template import template
 from .utils import ParameterWithDefaults as Parameter
 from .vpc import private_subnet_a, vpc
@@ -100,30 +97,6 @@
     "us-west-2": {"AMI": "ami-8803e0f0"},
 })
 
-# EC2 instance role
-instance_role = iam.Role(
-    "ContainerInstanceRole",
-    template=template,
-    AssumeRolePolicyDocument=dict(Statement=[dict(
-        Effect="Allow",
-        Principal=dict(Service=["ec2.amazonaws.com"]),
-        Action=["sts:AssumeRole"],
-    )]),
-    Path="/",
-    Policies=[
-        assets_management_policy,
-        logging_policy,
-    ]
-)
-
-# EC2 instance profile
-instance_profile = iam.InstanceProfile(
-    "ContainerInstanceProfile",
-    template=template,
-    Path="/",
-    Roles=[Ref(instance_role)],
-)
-
 # EC2 security group
 security_group = template.add_resource(ec2.SecurityGroup(
     'SecurityGroup',
@@ -163,7 +136,7 @@
     InstanceType=container_instance_type,
     KeyName=Ref(key_name),
     SecurityGroupIds=[Ref(security_group)],
-    IamInstanceProfile=Ref(instance_profile),
+    IamInstanceProfile=Ref(container_instance_profile),
     SubnetId=Ref(private_subnet_a),
     BlockDeviceMappings=[
         ec2.BlockDeviceMapping(
 
@@ -9,6 +9,7 @@
 )
 from troposphere.iam import InstanceProfile, Role
 
+from . import USE_NAT_GATEWAY
 from .assets import assets_management_policy
 from .certificates import application as application_certificate
 from .containers import container_instance_type
@@ -21,7 +22,6 @@
 from .template import template
 from .utils import ParameterWithDefaults as Parameter
 from .vpc import (
-    USE_NAT_GATEWAY,
     private_subnet_a,
     private_subnet_b,
     public_subnet_a,