def create_alb_cert(stack, name, certificate_arn, listener_arn, condition_field=""):
"""Add Alb Certificate Resource."""
return stack.stack.add_resource(alb.ListenerCertificate('{0}ListenerCert'.format(name),
Condition=condition_field,
Certificates=[alb.Certificate('{0}Cert'.format(name),
CertificateArn=certificate_arn)],
ListenerArn=listener_arn))
def add_listener(self, template):
# Choose proper certificate source ?-> always acm?
acm_cert = Join("", [
"arn:aws:acm:",
Ref("AWS::Region"), ":",
Ref("AWS::AccountId"), ":certificate/",
Ref("ALBCertName")
])
# We probably don't need this code for an IAM Cert
iam_cert = Join("", [
"arn:aws:iam::",
Ref("AWS::AccountId"), ":server-certificate/",
Ref("ALBCertName")
])
cert_id = If("UseIAMCert", iam_cert, acm_cert)
alb_name = ALB_NAME
with_ssl = alb.Listener(
ALB_LISTENER % self.name,
Port="443",
Protocol="HTTPS",
LoadBalancerArn=Ref(alb_name),
DefaultActions=[
alb.Action(Type="forward",
TargetGroupArn=Ref(TARGET_GROUP_DEFAULT))
],
Certificates=[alb.Certificate(CertificateArn=cert_id)])
template.add_resource(with_ssl)
template.add_output(Output("IAlbListener", Value=with_ssl.Ref()))
def elbv2_listener(self,
name,
lb_arn,
protocol,
port,
default_actions,
ssl_policy="",
cert_arns=[]):
"""
Creates an ELBv2 listener
:param name: Name of the listener
:param lb_arn: ARN of the LB
:param protocol: protocol to use - ALB -> (HTTP, HTTPS), NLB -> (TLS, TCP)
:param port: Port to listen on
:param default_actions: Actions array
:param ssl_policy: SSL Policy
:param cert_arns: ARN of SSL certs, if applicable
:return: ELB Listener CFN object
"""
certificates = []
for arn in cert_arns:
certificates.append(elbv2.Certificate(CertificateArn=arn))
listener = elbv2.Listener(name,
LoadBalancerArn=lb_arn,
Port=port,
Protocol=protocol,
Certificates=certificates,
SslPolicy=ssl_policy,
DefaultActions=default_actions)
self.template.add_resource(listener)
return listener
def add_resources(self):
"""Add resources to template."""
template = self.template
variables = self.get_variables()
template.add_condition(
'ProtoIsHttps', Equals(variables['ListeningProtocol'].ref,
'HTTPS'))
listener = template.add_resource(
elasticloadbalancingv2.Listener(
'AlbListener',
Certificates=If('ProtoIsHttps', [
elasticloadbalancingv2.Certificate(
CertificateArn=variables['AcmCertArn'].ref)
], Ref('AWS::NoValue')),
DefaultActions=[
elasticloadbalancingv2.Action(
TargetGroupArn=variables['DefaultTargetGroupArn'].ref,
Type='forward')
],
LoadBalancerArn=variables['AlbArn'].ref,
Port=variables['ListeningPort'].ref,
Protocol=variables['ListeningProtocol'].ref,
SslPolicy=If('ProtoIsHttps', variables['SslPolicy'].ref,
Ref('AWS::NoValue'))))
template.add_output(
Output("{}Arn".format(listener.title),
Description="ARN of the Listener",
Value=Ref(listener),
Export=Export(
Sub('${AWS::StackName}-%sArn' % listener.title))))
def create_alb_listener(stack,
name,
alb_arn,
target_group,
port=443,
protocol='HTTPS',
certificates=[],
condition_field=''):
"""Add ALB Listener Resource."""
certificate_arns = [
alb.Certificate('{0}Cert'.format(name), CertificateArn=certificate_arn)
for certificate_arn in certificates
]
return stack.stack.add_resource(
alb.Listener('{0}Listener'.format(name),
Condition=condition_field,
Port=port,
Protocol=protocol,
Certificates=certificate_arns,
LoadBalancerArn=alb_arn,
DefaultActions=[
alb.Action(Type='forward',
TargetGroupArn=target_group)
]))
def create_loadbalancer():
return [
elb.LoadBalancer(
'tlsFrontend',
SecurityGroups=[Ref('secgrpLoadBalancer')],
Subnets=[Ref('subnetA'), Ref('subnetB')],
Tags=_tags(),
),
elb.Listener(
'tlsFrontendListener',
Certificates=[
elb.Certificate(CertificateArn=Ref('certificateArn')),
],
DefaultActions=[
elb.Action(TargetGroupArn=Ref('tlsFrontendApplication'),
Type='forward'),
],
LoadBalancerArn=Ref('tlsFrontend'),
Port=443,
Protocol='HTTPS',
),
elb.ListenerRule(
'tlsFrontendJenkinsRule',
Actions=[
elb.Action(TargetGroupArn=Ref('tlsFrontendJenkins'),
Type='forward'),
],
Conditions=[
elb.Condition(Field='host-header',
Values=[_subdomain_for_jenkins()]),
],
ListenerArn=Ref('tlsFrontendListener'),
Priority=1,
),
elb.TargetGroup(
'tlsFrontendApplication',
HealthCheckIntervalSeconds=300,
HealthCheckPath='/health',
Port=80,
Protocol='HTTP',
Tags=_tags(),
Targets=[
elb.TargetDescription(Id=Ref('devserver'), Port=80),
],
VpcId=Ref('vpc'),
),
elb.TargetGroup(
'tlsFrontendJenkins',
HealthCheckIntervalSeconds=300,
HealthCheckPath='/robots.txt',
Port=8080,
Protocol='HTTP',
Tags=_tags(),
Targets=[
elb.TargetDescription(Id=Ref('devserver'), Port=8080),
],
VpcId=Ref('vpc'),
),
]
def add_alb(self, template, provision_refs, instances):
alb = template.add_resource(
elb.LoadBalancer(
'ALB',
LoadBalancerAttributes=[
elb.LoadBalancerAttributes(
Key='idle_timeout.timeout_seconds', Value='3600')
],
Subnets=provision_refs.subnets,
Type='application',
Scheme='internet-facing',
IpAddressType='ipv4',
SecurityGroups=[provision_refs.security_group_alb]))
default_target_group = template.add_resource(
elb.TargetGroup(
'DefaultTargetGroup',
Port=46658,
Protocol='HTTP',
Targets=[
elb.TargetDescription(Id=Ref(instance))
for instance in instances
],
HealthCheckProtocol='HTTP',
HealthCheckPath='/rpc',
TargetGroupAttributes=[
elb.TargetGroupAttribute(Key='stickiness.enabled',
Value='true'),
elb.TargetGroupAttribute(Key='stickiness.type',
Value='lb_cookie'),
elb.TargetGroupAttribute(
Key='stickiness.lb_cookie.duration_seconds',
Value='86400'),
],
VpcId=provision_refs.vpc))
template.add_resource(
elb.Listener(
'ALBListener',
DefaultActions=[
elb.Action('DefaultAction',
Type='forward',
TargetGroupArn=Ref(default_target_group))
],
LoadBalancerArn=Ref(alb),
Port=46658,
Protocol='HTTPS',
SslPolicy='ELBSecurityPolicy-TLS-1-2-2017-01',
Certificates=[
elb.Certificate(
CertificateArn=
'arn:aws:acm:us-east-1:489745816517:certificate/'
'fbb68210-264e-4340-9c5c-a7687f993579')
]))
provision_refs.alb = alb
def __init__(self, title, **kwargs):
super().__init__(title, **kwargs)
self.Certificates = [
elbv2.Certificate(
CertificateArn=If('LoadBalancerSslCertificateAdHoc',
Ref('CertificateLoadBalancerAdHocExternal'),
get_endvalue('RegionalCertificateArn')))
]
self.Port = get_endvalue('ListenerLoadBalancerHttpsPort')
self.Protocol = 'HTTPS'
self.SslPolicy = get_endvalue('ListenerLoadBalancerSslPolicy')
def create_load_balancer_listener_resource(template, load_balancer_resource,
api_tarcreate_group_resource,
certificate_arn_parameter):
return template.add_resource(
elb.Listener(
'LoadBalancerListener',
LoadBalancerArn=Ref(load_balancer_resource),
Port=443,
Protocol='HTTPS',
DefaultActions=[
elb.Action(Type='forward',
TargetGroupArn=Ref(api_tarcreate_group_resource))
],
Certificates=[
elb.Certificate(CertificateArn=Ref(certificate_arn_parameter))
]))
def create_listener(self):
t = self.template
listener = t.add_resource(
elb.Listener(
"Listener",
Port=self.vars['ListenerPort'],
Protocol=self.protocol,
LoadBalancerArn=self.vars['LoadBalancerArn'],
DefaultActions=[
elb.Action(Type="forward",
TargetGroupArn=Ref(self.target_group))
],
Certificates=[
elb.Certificate(CertificateArn=cert_arn)
for cert_arn in self.vars['Certificates']
],
))
return listener
],
))
application_load_balancer = template.add_resource(LoadBalancer(
'ApplicationLoadBalancer',
Subnets=[
loadbalancer_a_subnet,
loadbalancer_b_subnet,
],
SecurityGroups=[Ref(load_balancer_security_group)],
))
application_listener = template.add_resource(Listener(
'ApplicationListener',
Certificates=[elasticloadbalancingv2.Certificate(
CertificateArn=acm_cluster_certificate_arn,
)],
LoadBalancerArn=Ref(application_load_balancer),
Protocol='HTTPS',
Port=443,
DefaultActions=[Action(
TargetGroupArn=Ref(application_target_group),
Type='forward',
)]
))
# ECS cluster
cluster = template.add_resource(Cluster(
"Cluster",
))
)
)
load_balancer_listener = template.add_resource(
elb.Listener(
'LoadBalancerListener',
LoadBalancerArn=Ref(load_balancer),
Port=443,
Protocol='HTTPS',
DefaultActions=[elb.Action(
Type='forward',
TargetGroupArn=Ref(api_target_group)
)],
Certificates=[
elb.Certificate(
CertificateArn=Ref(certificate_arn)
)
]
)
)
# Create the ECS services.
ecs_service_role = template.add_resource(
iam.Role(
'ECSServiceRole',
AssumeRolePolicyDocument={
'Version': '2012-10-17',
'Statement': [
{
'Action': 'sts:AssumeRole',
'Effect': 'Allow',
LoadBalancerArn=Ref(load_balancer),
Port='80',
Protocol='HTTP',
))
https_listener = t.add_resource(
elbv2.Listener('HttpsListener',
DefaultActions=[
elbv2.Action(TargetGroupArn=Ref(targetgroup),
Type='forward')
],
LoadBalancerArn=Ref(load_balancer),
Port='443',
Protocol='HTTPS',
Certificates=[
elbv2.Certificate(CertificateArn=Ref(param_certificate))
]))
#
# Output
#
t.add_output([
Output(
'LoadBalancerName',
Description='The name of the Application load balancer',
Value=GetAtt(load_balancer, 'LoadBalancerName'),
),
Output(
'LoadBalancerFullName',
Description='The full name of the Application load balancer',
Value=GetAtt(load_balancer, 'LoadBalancerFullName'),
def add_ec2(self, ami_name, instance_type, asg_size, cidr, hosted_zone):
"""
Helper method creates ingress given a source cidr range and a set of
ports
@param ami_name [string] Name of the AMI for launching the app
@param instance_type [string] Instance for the application
@param asg_size [int] Sets the size of the asg
@param cidr [string] Range of addresses for this vpc
@param hosted_zone [string] Name of the hosted zone the elb will be
mapped to
"""
print "Creating EC2"
self.internal_security_group = self.add_sg_with_cidr_port_list(
"ASGSG",
"Security Group for EC2",
'vpcId',
cidr,
[{"443": "443"}, {"80": "80"}]
)
self.public_lb_security_group = self.add_sg_with_cidr_port_list(
"ELBSG",
"Security Group for accessing EC2 publicly",
'vpcId',
'0.0.0.0/0',
[{"443": "443"}]
)
name = self.env_name.replace('-', '')
public_subnet_count = len(self._subnets.get('public').get('public'))
public_subnets = [{'Ref': x} for x in ["publicAZ%d" % n for n in range(0, public_subnet_count)]]
public_alb = self.add_resource(alb.LoadBalancer(
"PublicALB",
Scheme='internet-facing',
Subnets=public_subnets,
SecurityGroups=[Ref(sg) for sg in [self.public_lb_security_group]]
))
target_group = self.add_resource(alb.TargetGroup(
"AppTargetGroup80",
Port=80,
Protocol="HTTP",
VpcId=self.vpc_id
))
certificate = 'arn:aws:acm:us-east-1:422548007577:certificate/d9b8fbd2-13bb-4d6e-aba4-53061b1580f9'
alb_ssl_listener = self.add_resource(alb.Listener(
"ALBListner",
Port=443,
Certificates=[alb.Certificate(CertificateArn=certificate)],
Protocol="HTTPS",
DefaultActions=[alb.Action(
Type="forward",
TargetGroupArn=Ref(target_group))],
LoadBalancerArn=Ref(public_alb)
))
self.add_elb_dns_alias(public_alb, '', hosted_zone)
policies = ['cloudwatchlogs']
policies_for_profile = [self.get_policy(policy, 'EC2') for policy in policies]
asg = self.add_asg(
"EC2",
min_size=asg_size,
max_size=6,
ami_name=ami_name,
# load_balancer=public_elb,
instance_profile=self.add_instance_profile(name, policies_for_profile, name),
instance_type=instance_type,
security_groups=['commonSecurityGroup', Ref(self.internal_security_group)],
subnet_layer='private',
update_policy=UpdatePolicy(
AutoScalingRollingUpdate=AutoScalingRollingUpdate(
PauseTime='PT5M',
MinInstancesInService=1,
# The maximum number of instances that are terminated at a given time, left at 1 to ease into updates.
# Can be increased at a later time
MaxBatchSize='1'
)
),
user_data=Base64(Join('', [
'#!/bin/bash\n',
'echo Good to go'
])))
asg.resource['Properties']['TargetGroupARNs'] = [Ref(target_group)]
# Cluster Memory Scaling policies
asg_scale_up_policy = self.add_resource(
autoscaling.ScalingPolicy(
name + 'ScaleUpPolicy',
AdjustmentType='ChangeInCapacity',
AutoScalingGroupName=Ref(asg),
Cooldown=300,
ScalingAdjustment=1
)
)
# ELB latency above a threshold
self.add_resource(
cloudwatch.Alarm(
name + 'LatencyHigh',
MetricName='Latency',
ComparisonOperator='GreaterThanThreshold',
Period=300,
EvaluationPeriods=1,
Statistic='Average',
Namespace='AWS/ELB',
AlarmDescription=name + 'LatencyHigh',
Dimensions=[cloudwatch.MetricDimension(Name='LoadBalancerName', Value=Ref(public_alb))],
Threshold='6',
AlarmActions=[
Ref(asg_scale_up_policy),
'arn:aws:sns:us-east-1:422548007577:notify-pat'
]
)
)
])),
))
t.add_resource(
elb.Listener(
"HTTPSListener",
Port="443",
Protocol="HTTPS",
LoadBalancerArn=Ref("LoadBalancer"),
DefaultActions=[
elb.Action(Type="forward", TargetGroupArn=Ref("TargetGroup"))
],
# SSL certificate for https.
Certificates=[
elb.Certificate(
CertificateArn=
"arn:aws:acm:ap-northeast-2:540379673889:certificate/3202b1b0-7446-420e-99d2-4b175ecd6310"
)
]))
t.add_resource(
elb.Listener("HTTPListener",
Port="80",
Protocol="HTTP",
LoadBalancerArn=Ref("LoadBalancer"),
DefaultActions=[
elb.Action(Type="redirect",
RedirectConfig=elb.RedirectConfig(
Protocol='HTTPS',
StatusCode='HTTP_301',
Port='443',
))
"cluster-vpc-id"]
)
),
))
t.add_resource(elb.Listener(
"HTTPSListener",
Port="443",
Protocol="HTTPS",
LoadBalancerArn=Ref("LoadBalancer"),
DefaultActions=[elb.Action(
Type="forward",
TargetGroupArn=Ref("TargetGroup")
)],
# SSL certificate for https.
Certificates=[elb.Certificate(
CertificateArn="arn:aws:acm:ap-northeast-2:772278550552:certificate/8115428d-f80c-428b-a36e-5a1997f435cf")]
))
t.add_resource(elb.Listener(
"HTTPListener",
Port="80",
Protocol="HTTP",
LoadBalancerArn=Ref("LoadBalancer"),
DefaultActions=[elb.Action(
Type="redirect",
RedirectConfig=elb.RedirectConfig(
Protocol='HTTPS',
StatusCode='HTTP_301',
Port='443',
)
)]
def generate_app_load_balancer(self, lb_name, typ, port, cert_arn, log_bucket):
lb_name = self.cfn_name(lb_name)
if len(lb_name) >= 32:
alb_name = lb_name[0:31]
else:
alb_name = lb_name
if len(lb_name + 'TG') >= 32:
tg_name = '{}TG'.format(lb_name[0:29])
else:
tg_name = '{}TG'.format(lb_name)
if typ not in ['internal', 'internet-facing']:
raise NameError("Load balancer type must be of type internal, internet-facing")
# Use the system security groups (automatic) if internal, else use the limited external security group
sg = self.security_groups if typ == 'internal' else [Ref(self.elb_external_security_group)]
_alb = elasticloadbalancingv2.LoadBalancer(
alb_name,
Name=alb_name,
IpAddressType='ipv4',
LoadBalancerAttributes=[
elasticloadbalancingv2.LoadBalancerAttributes(
Key='access_logs.s3.enabled',
Value='true'
),
elasticloadbalancingv2.LoadBalancerAttributes(
Key='access_logs.s3.bucket',
Value=log_bucket
),
elasticloadbalancingv2.LoadBalancerAttributes(
Key='access_logs.s3.prefix',
Value="ELB/{}/{}".format(self.env, lb_name)
),
elasticloadbalancingv2.LoadBalancerAttributes(
Key='deletion_protection.enabled',
Value='false'
),
elasticloadbalancingv2.LoadBalancerAttributes(
Key='idle_timeout.timeout_seconds',
Value='60'
),
elasticloadbalancingv2.LoadBalancerAttributes(
Key='routing.http.drop_invalid_header_fields.enabled',
Value='false'
),
elasticloadbalancingv2.LoadBalancerAttributes(
Key='routing.http2.enabled',
Value='true'
)
],
Scheme=typ,
SecurityGroups=sg,
Subnets=[s['SubnetId'] for s in self.get_subnets('private' if typ == 'internal' else 'public')],
Type='application',
Tags=self.get_tags(
service_override="InternalALB" if typ == 'internal' else "ExternalALB",
role_override=lb_name
) + [ec2.Tag('Name', lb_name)]
)
_target_group = elasticloadbalancingv2.TargetGroup(
tg_name,
Name=tg_name,
HealthCheckIntervalSeconds=30,
HealthCheckPath='/ping',
HealthCheckPort=port,
HealthCheckProtocol='HTTP',
HealthCheckTimeoutSeconds=5,
HealthyThresholdCount=5,
UnhealthyThresholdCount=2,
Matcher=elasticloadbalancingv2.Matcher(
HttpCode='200'
),
Port=port,
Protocol='HTTP',
TargetGroupAttributes=[
elasticloadbalancingv2.TargetGroupAttribute(
Key='deregistration_delay.timeout_seconds',
Value='300'
),
elasticloadbalancingv2.TargetGroupAttribute(
Key='stickiness.enabled',
Value='false'
),
elasticloadbalancingv2.TargetGroupAttribute(
Key='stickiness.type',
Value='lb_cookie'
),
elasticloadbalancingv2.TargetGroupAttribute(
Key='load_balancing.algorithm.type',
Value='least_outstanding_requests'
)
],
TargetType='instance',
VpcId=self.vpc_id,
Tags=self.get_tags(
service_override="InternalALB" if typ == 'internal' else "ExternalALB",
role_override=lb_name
) + [ec2.Tag('Name', '{}TG'.format(lb_name))]
)
_listener_80 = self.add_resource(elasticloadbalancingv2.Listener(
'{}80Listener'.format(lb_name),
Port='80',
Protocol='HTTP',
LoadBalancerArn=Ref(_alb),
DefaultActions=[
elasticloadbalancingv2.Action(
Type='redirect',
RedirectConfig=elasticloadbalancingv2.RedirectConfig(
Host='#{host}',
Path='/#{path}',
Port='443',
Protocol='HTTPS',
Query='#{query}',
StatusCode='HTTP_301'
)
)
],
))
_listener_443 = self.add_resource(elasticloadbalancingv2.Listener(
'{}443Listener'.format(lb_name),
Port='443',
Protocol='HTTPS',
LoadBalancerArn=Ref(_alb),
SslPolicy='ELBSecurityPolicy-2016-08',
Certificates=[
elasticloadbalancingv2.Certificate(
CertificateArn=cert_arn
)
],
DefaultActions=[
elasticloadbalancingv2.Action(
Type='forward',
TargetGroupArn=Ref(_target_group)
)
],
))
return _alb, _target_group
def main():
template = Template()
template.add_version("2010-09-09")
template.set_description("AWS CloudFormation ECS Service")
# Add the Parameters
Application = template.add_parameter(
Parameter(
"Application",
Type="String",
))
DockerImage = template.add_parameter(
Parameter(
"DockerImage",
Type="String",
))
USERNAME = template.add_parameter(Parameter(
"USERNAME",
Type="String",
))
ClusterName = template.add_parameter(
Parameter(
"ClusterName",
Type="String",
))
ContainerPort = template.add_parameter(
Parameter(
"ContainerPort",
Type="String",
))
HostPort = template.add_parameter(Parameter(
"HostPort",
Type="String",
))
HostedZoneName = template.add_parameter(
Parameter(
"HostedZoneName",
Type="String",
))
CertArn = template.add_parameter(Parameter(
"CertArn",
Type="String",
))
ExecutionRoleArn = template.add_parameter(
Parameter("ExecutionRoleArn",
Type="String",
Description="Execution Role to get creadentials from ssm"))
HealthCheckPath = template.add_parameter(
Parameter(
"HealthCheckPath",
Type="String",
))
HealthCheckIntervalSeconds = template.add_parameter(
Parameter(
"HealthCheckIntervalSeconds",
Type="String",
))
HealthyThresholdCount = template.add_parameter(
Parameter(
"HealthyThresholdCount",
Type="String",
))
HealthCheckTimeoutSeconds = template.add_parameter(
Parameter(
"HealthCheckTimeoutSeconds",
Type="String",
))
UnhealthyThresholdCount = template.add_parameter(
Parameter(
"UnhealthyThresholdCount",
Type="String",
))
VpcId = template.add_parameter(Parameter(
"VpcId",
Type="String",
))
Subnets = template.add_parameter(
Parameter(
"Subnets",
Type="List<AWS::EC2::Subnet::Id>",
))
# Add the application ELB
NetworkLB = template.add_resource(
elb.LoadBalancer("NetworkLB",
Name=Join("", [Ref(Application), "-nlb"]),
Scheme="internet-facing",
Subnets=Ref(Subnets),
Type='network'))
NlbTargetGroup = template.add_resource(
elb.TargetGroup(
"NlbTargetGroup",
Name='ecs-service-targetgroup',
HealthCheckIntervalSeconds=Ref(HealthCheckIntervalSeconds),
HealthCheckProtocol="TCP",
HealthyThresholdCount=Ref(HealthyThresholdCount),
Port=80,
Protocol="TCP",
UnhealthyThresholdCount=Ref(UnhealthyThresholdCount),
VpcId=Ref(VpcId)))
NlbListener = template.add_resource(
elb.Listener(
"Listener",
DependsOn=["NlbTargetGroup", "NetworkLB"],
Certificates=[elb.Certificate(CertificateArn=Ref(CertArn))],
Port="443",
Protocol="TLS",
LoadBalancerArn=Ref(NetworkLB),
DefaultActions=[
elb.Action(Type="forward", TargetGroupArn=Ref(NlbTargetGroup))
]))
Task_Definition = template.add_resource(
TaskDefinition(
'TaskDefinition',
Memory='500',
ExecutionRoleArn=Ref(ExecutionRoleArn),
ContainerDefinitions=[
ContainerDefinition(
Name=Join("", [Ref(Application)]),
Image=Ref(DockerImage),
Essential=True,
Secrets=[Secret(Name='USERNAME', ValueFrom=Ref(USERNAME))],
Environment=[
Environment(Name="DOCKER_LABELS", Value="true")
],
DockerLabels={
'aws-account': Ref("AWS::AccountId"),
'region': Ref("AWS::Region"),
'stack': Ref("AWS::StackName")
},
PortMappings=[
PortMapping(ContainerPort=Ref(ContainerPort),
HostPort=Ref(HostPort))
])
]))
app_service = template.add_resource(
Service("AppService",
DependsOn=["Listener", "TaskDefinition"],
Cluster=Ref(ClusterName),
DesiredCount=1,
TaskDefinition=Ref(Task_Definition),
ServiceName=Join("", [Ref(Application), "-ecs-service"]),
LoadBalancers=[
ecs.LoadBalancer(ContainerName=Join(
"", [Ref(Application)]),
ContainerPort=Ref(ContainerPort),
TargetGroupArn=Ref(NlbTargetGroup))
]))
AppDNSRecord = template.add_resource(
RecordSetType(
"AppDNSRecord",
DependsOn=["AppService"],
HostedZoneName=Join("", [Ref(HostedZoneName), "."]),
Name=Join("", [Ref(Application), ".",
Ref(HostedZoneName), "."]),
Type="CNAME",
TTL="900",
ResourceRecords=[GetAtt(NetworkLB, "DNSName")]))
template.add_output(
Output("URL",
Description="DomainName",
Value=Join("", ["https://", Ref(AppDNSRecord)])))
with open("ecs-ec2-service-cf.yaml", "w") as yamlout:
yamlout.write(template.to_yaml())
load_balancer_https_listener_resource = template.add_resource(
elb.Listener(
'LoadBalancerListener',
LoadBalancerArn=Ref(load_balancer_resource),
Port=443,
Protocol='HTTPS',
DefaultActions=[
elb.Action(
Type='forward',
TargetGroupArn=Ref(api_target_group_resource)
)
],
Certificates=[
elb.Certificate(
CertificateArn=Ref(certificate_arn_parameter)
)
]
)
)
ecs_service_role_resource = template.add_resource(
iam.Role(
'ECSServiceRole',
AssumeRolePolicyDocument={
'Version': '2012-10-17',
'Statement': [
{
'Action': 'sts:AssumeRole',
'Effect': 'Allow',
'Principal': {
def define_load_balancer(template, sg):
alb_target_group_80 = elb.TargetGroup(
stack_name_strict + "TG80",
Tags=Tags(Name=stack_name, Custo=app_name),
HealthCheckPath=Ref(alb_health_check_path),
HealthCheckIntervalSeconds="30",
HealthCheckProtocol="HTTP",
HealthCheckTimeoutSeconds="10",
HealthyThresholdCount="3",
Matcher=elb.Matcher(HttpCode="301"),
Port=80,
Protocol="HTTP",
UnhealthyThresholdCount="2",
VpcId=Ref(vpc_id))
template.add_resource(alb_target_group_80)
alb_target_group_9090 = elb.TargetGroup(
stack_name_strict + "TG9090",
Tags=Tags(Name=stack_name, Custo=app_name),
HealthCheckPath=Ref(alb_health_check_path),
HealthCheckIntervalSeconds="30",
HealthCheckProtocol="HTTP",
HealthCheckTimeoutSeconds="10",
HealthyThresholdCount="3",
Matcher=elb.Matcher(HttpCode="200"),
Port=9090,
Protocol="HTTP",
UnhealthyThresholdCount="2",
VpcId=Ref(vpc_id))
template.add_resource(alb_target_group_9090)
alb = elb.LoadBalancer(stack_name_strict + "ALB",
Tags=Tags(Name=stack_name, Custo=app_name),
Scheme="internet-facing",
Subnets=[Ref(subnet_id1),
Ref(subnet_id2)],
SecurityGroups=[Ref(sg)])
template.add_resource(alb)
alb_listener_80 = elb.Listener(
stack_name_strict + "ListenerALB80",
Port=80,
Protocol="HTTP",
LoadBalancerArn=Ref(alb),
DefaultActions=[
elb.Action(Type="forward", TargetGroupArn=Ref(alb_target_group_80))
])
template.add_resource(alb_listener_80)
alb_listener_443 = elb.Listener(
stack_name_strict + "ListenerALB443",
Port=443,
Protocol="HTTPS",
Certificates=[
elb.Certificate(CertificateArn=Ref(ssl_certificate_arn))
],
LoadBalancerArn=Ref(alb),
DefaultActions=[
elb.Action(Type="forward",
TargetGroupArn=Ref(alb_target_group_9090))
])
template.add_resource(alb_listener_443)
return {
"loadbalancer": alb,
"alb_target_group_80": alb_target_group_80,
"alb_target_group_9090": alb_target_group_9090,
"alb_listener_80": alb_listener_80,
"alb_listener_9090": alb_listener_443
}
