ECS-Cloudformation/vpc-subnets-stack.yml

AWSTemplateFormatVersion: "2010-09-09"

Resources:
  VPC:
    Type: AWS::EC2::VPC # or AWS::RDS::DBSubnetGroup
    Properties: # or Properties
      CidrBlock: 10.0.0.0/16 # this is the VPC CIDR block (CIDR = Classless Inter-Domain Routing, it means you can use 0.0.0.0/0 for all IPs)
      EnableDnsSupport: true # Enable DNS hostnames (EnableDnsSupport is true by default)
      EnableDnsHostnames: true # Enable DNS hostnames (EnableDnsHostnames is true by default)

  SubnetA:
    Type: AWS::EC2::Subnet # this subnet is for the ECS instances (webserver)
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.0.0/24 # this is the subnet CIDR block it means that you can use 10.0.0.0/24
      AvailabilityZone: eu-central-1a

  SubnetB:
    Type: AWS::EC2::Subnet # this subnet is for the RDS
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.1.0/24
      AvailabilityZone: eu-central-1b

  Nacl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VPC

  InboundRuleHttps:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref Nacl
      RuleNumber: "1"
      Protocol: 6
      RuleAction: allow
      PortRange:
        From: 443
        To: 443
      Egress: false # Egress means outbound
      CidrBlock: 0.0.0.0/0

  InboundRuleHttp:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref Nacl
      RuleNumber: "2"
      Protocol: 6
      RuleAction: allow
      PortRange:
        From: 80
        To: 80
      Egress: false # Egress means outbound
      CidrBlock: 0.0.0.0/0

  OutboundRuleHttps:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref Nacl
      RuleNumber: "3"
      Protocol: 6
      PortRange:
        From: 443
        To: 443
      RuleAction: allow
      Egress: true
      CidrBlock: 0.0.0.0/0

  OutboundRuleHttp:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref Nacl
      RuleNumber: "4"
      Protocol: 6
      PortRange:
        From: 80
        To: 80
      RuleAction: allow
      Egress: true
      CidrBlock: 0.0.0.0/0

  RDSInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      AllocatedStorage: 20
      DBInstanceClass: db.t2.micro
      Engine: mysql # or postgres
      MasterUsername: root_user
      MasterUserPassword: root_password
      DBName: root_db
      MultiAZ: false

  ECSCluster:
    Type: AWS::ECS::Cluster # this ECSCluster is to run the ECS tasks

  ECSTaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      ExecutionRoleArn: !Ref ExecutionRole
      TaskRoleArn: !Ref TaskRole
      Cpu: 256
      Memory: 0.5GB
      Family: !Ref ECSCluster
      ContainerDefinitions:
        - Name: commit-nginx
          Image: 539634357948.dkr.ecr.eu-central-1.amazonaws.com/commit-nginx:latest
          Memory: 512 # Specify memory here (in MiB)
          PortMappings:
            - ContainerPort: 80
            - ContainerPort: 443

  ECSService:
    Type: AWS::ECS::Service
    Properties:
      Cluster: !Ref ECSCluster
      LoadBalancers:
        - ContainerName: commit-nginx
          ContainerPort: 80
          LoadBalancerName: !GetAtt LoadBalancer.Name
      TaskDefinition: !Ref ECSTaskDefinition
      DesiredCount: 1
      LaunchType: EC2
      NetworkConfiguration:
        AwsvpcConfiguration:
          Subnets:
            - !Ref SubnetA
            - !Ref SubnetB
    DependsOn:
         - "LoadBalancer"


  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: "Commit-elb"
      LoadBalancerAttributes:
        # this is the default, but is specified here in case it needs to be changed
        - Key: idle_timeout.timeout_seconds
          Value: 60
      # "internal" is also an option
      Scheme: internet-facing
      Subnets:
        - !Ref SubnetA
        - !Ref SubnetB

  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: "Commit-ECSRole"
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: "sts:AssumeRole"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"

  TaskRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: "Commit-TaskRole"
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: "sts:AssumeRole"

  MyInternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: stack
          Value: production

  MyVPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref MyInternetGateway
      VpcId: !Ref VPC


  ListenerHTTPS:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - TargetGroupArn: !Ref TargetGroup
          Type: forward
      LoadBalancerArn: !Ref LoadBalancer
      Port: 80
      Protocol: HTTP
      # Certificates:
      #   - CertificateArn: "arn:aws:acm:eu-central-1:539634357948:certificate/584cfb24-bc7a-431b-9150-16d47bdb8ea9"

  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      HealthCheckIntervalSeconds: 10
      # will look for a 200 status code by default unless specified otherwise
      HealthCheckPath: "/"
      HealthCheckTimeoutSeconds: 5
      UnhealthyThresholdCount: 2
      HealthyThresholdCount: 2
      Name: MyTargetGroup
      Port: 80
      Protocol: HTTP
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: 60 # default is 300
      TargetType: ip
      VpcId: !Ref VPC
first commit + bug in alb, need to replace to elb 2023-09-03 12:12:43 +00:00			`AWSTemplateFormatVersion: "2010-09-09"`

			`Resources:`
			`VPC:`
			`Type: AWS::EC2::VPC # or AWS::RDS::DBSubnetGroup`
			`Properties: # or Properties`
			`CidrBlock: 10.0.0.0/16 # this is the VPC CIDR block (CIDR = Classless Inter-Domain Routing, it means you can use 0.0.0.0/0 for all IPs)`
			`EnableDnsSupport: true # Enable DNS hostnames (EnableDnsSupport is true by default)`
			`EnableDnsHostnames: true # Enable DNS hostnames (EnableDnsHostnames is true by default)`

			`SubnetA:`
			`Type: AWS::EC2::Subnet # this subnet is for the ECS instances (webserver)`
			`Properties:`
			`VpcId: !Ref VPC`
			`CidrBlock: 10.0.0.0/24 # this is the subnet CIDR block it means that you can use 10.0.0.0/24`
			`AvailabilityZone: eu-central-1a`

			`SubnetB:`
			`Type: AWS::EC2::Subnet # this subnet is for the RDS`
			`Properties:`
			`VpcId: !Ref VPC`
			`CidrBlock: 10.0.1.0/24`
			`AvailabilityZone: eu-central-1b`

			`Nacl:`
			`Type: AWS::EC2::NetworkAcl`
			`Properties:`
			`VpcId: !Ref VPC`

			`InboundRuleHttps:`
			`Type: AWS::EC2::NetworkAclEntry`
			`Properties:`
			`NetworkAclId: !Ref Nacl`
			`RuleNumber: "1"`
			`Protocol: 6`
			`RuleAction: allow`
			`PortRange:`
			`From: 443`
			`To: 443`
			`Egress: false # Egress means outbound`
			`CidrBlock: 0.0.0.0/0`

			`InboundRuleHttp:`
			`Type: AWS::EC2::NetworkAclEntry`
			`Properties:`
			`NetworkAclId: !Ref Nacl`
			`RuleNumber: "2"`
			`Protocol: 6`
			`RuleAction: allow`
			`PortRange:`
			`From: 80`
			`To: 80`
			`Egress: false # Egress means outbound`
			`CidrBlock: 0.0.0.0/0`

			`OutboundRuleHttps:`
			`Type: AWS::EC2::NetworkAclEntry`
			`Properties:`
			`NetworkAclId: !Ref Nacl`
			`RuleNumber: "3"`
			`Protocol: 6`
			`PortRange:`
			`From: 443`
			`To: 443`
			`RuleAction: allow`
			`Egress: true`
			`CidrBlock: 0.0.0.0/0`

			`OutboundRuleHttp:`
			`Type: AWS::EC2::NetworkAclEntry`
			`Properties:`
			`NetworkAclId: !Ref Nacl`
			`RuleNumber: "4"`
			`Protocol: 6`
			`PortRange:`
			`From: 80`
			`To: 80`
			`RuleAction: allow`
			`Egress: true`
			`CidrBlock: 0.0.0.0/0`

			`RDSInstance:`
			`Type: AWS::RDS::DBInstance`
			`Properties:`
			`AllocatedStorage: 20`
			`DBInstanceClass: db.t2.micro`
			`Engine: mysql # or postgres`
			`MasterUsername: root_user`
			`MasterUserPassword: root_password`
			`DBName: root_db`
			`MultiAZ: false`

			`ECSCluster:`
			`Type: AWS::ECS::Cluster # this ECSCluster is to run the ECS tasks`

			`ECSTaskDefinition:`
			`Type: AWS::ECS::TaskDefinition`
			`Properties:`
			`NetworkMode: awsvpc`
			`RequiresCompatibilities:`
			`- FARGATE`
			`ExecutionRoleArn: !Ref ExecutionRole`
			`TaskRoleArn: !Ref TaskRole`
			`Cpu: 256`
			`Memory: 0.5GB`
			`Family: !Ref ECSCluster`
			`ContainerDefinitions:`
			`- Name: commit-nginx`
			`Image: 539634357948.dkr.ecr.eu-central-1.amazonaws.com/commit-nginx:latest`
			`Memory: 512 # Specify memory here (in MiB)`
			`PortMappings:`
			`- ContainerPort: 80`
			`- ContainerPort: 443`

			`ECSService:`
			`Type: AWS::ECS::Service`
			`Properties:`
			`Cluster: !Ref ECSCluster`
			`LoadBalancers:`
			`- ContainerName: commit-nginx`
			`ContainerPort: 80`
			`LoadBalancerName: !GetAtt LoadBalancer.Name`
			`TaskDefinition: !Ref ECSTaskDefinition`
			`DesiredCount: 1`
			`LaunchType: EC2`
			`NetworkConfiguration:`
			`AwsvpcConfiguration:`
			`Subnets:`
			`- !Ref SubnetA`
			`- !Ref SubnetB`
			`DependsOn:`
			`- "LoadBalancer"`


			`LoadBalancer:`
			`Type: AWS::ElasticLoadBalancingV2::LoadBalancer`
			`Properties:`
			`Name: "Commit-elb"`
			`LoadBalancerAttributes:`
			`# this is the default, but is specified here in case it needs to be changed`
			`- Key: idle_timeout.timeout_seconds`
			`Value: 60`
			`# "internal" is also an option`
			`Scheme: internet-facing`
			`Subnets:`
			`- !Ref SubnetA`
			`- !Ref SubnetB`

			`ExecutionRole:`
			`Type: AWS::IAM::Role`
			`Properties:`
			`RoleName: "Commit-ECSRole"`
			`AssumeRolePolicyDocument:`
			`Statement:`
			`- Effect: Allow`
			`Principal:`
			`Service: ecs-tasks.amazonaws.com`
			`Action: "sts:AssumeRole"`
			`ManagedPolicyArns:`
			`- "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"`

			`TaskRole:`
			`Type: AWS::IAM::Role`
			`Properties:`
			`RoleName: "Commit-TaskRole"`
			`AssumeRolePolicyDocument:`
			`Statement:`
			`- Effect: Allow`
			`Principal:`
			`Service: ecs-tasks.amazonaws.com`
			`Action: "sts:AssumeRole"`

			`MyInternetGateway:`
			`Type: AWS::EC2::InternetGateway`
			`Properties:`
			`Tags:`
			`- Key: stack`
			`Value: production`

			`MyVPCGatewayAttachment:`
			`Type: AWS::EC2::VPCGatewayAttachment`
			`Properties:`
			`InternetGatewayId: !Ref MyInternetGateway`
			`VpcId: !Ref VPC`



			`ListenerHTTPS:`
			`Type: AWS::ElasticLoadBalancingV2::Listener`
			`Properties:`
			`DefaultActions:`
			`- TargetGroupArn: !Ref TargetGroup`
			`Type: forward`
			`LoadBalancerArn: !Ref LoadBalancer`
			`Port: 80`
			`Protocol: HTTP`
			`# Certificates:`
			`# - CertificateArn: "arn:aws:acm:eu-central-1:539634357948:certificate/584cfb24-bc7a-431b-9150-16d47bdb8ea9"`

			`TargetGroup:`
			`Type: AWS::ElasticLoadBalancingV2::TargetGroup`
			`Properties:`
			`HealthCheckIntervalSeconds: 10`
			`# will look for a 200 status code by default unless specified otherwise`
			`HealthCheckPath: "/"`
			`HealthCheckTimeoutSeconds: 5`
			`UnhealthyThresholdCount: 2`
			`HealthyThresholdCount: 2`
			`Name: MyTargetGroup`
			`Port: 80`
			`Protocol: HTTP`
			`TargetGroupAttributes:`
			`- Key: deregistration_delay.timeout_seconds`
			`Value: 60 # default is 300`
			`TargetType: ip`
			`VpcId: !Ref VPC`