commit 992d9a6039be6ef7d546664d87dbbd5d8b85c06f Author: Kfir Dayan Date: Sun Sep 3 15:12:43 2023 +0300 first commit + bug in alb, need to replace to elb diff --git a/README.md b/README.md new file mode 100644 index 0000000..c7aa5ba --- /dev/null +++ b/README.md @@ -0,0 +1,5 @@ +Self Signed Certificate: + +openssl genpkey -algorithm RSA -out private-key.pem - this is the private key +openssl req -new -key private-key.pem -x509 -days 365 -out certificate.pem - this is the certificate + diff --git a/certificates/certificate.pem b/certificates/certificate.pem new file mode 100644 index 0000000..bd127a9 --- /dev/null +++ b/certificates/certificate.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICuDCCAaACCQCVOFor5ub8RTANBgkqhkiG9w0BAQsFADAeMQswCQYDVQQGEwJJ +TDEPMA0GA1UECAwGSXNyYWVsMB4XDTIzMDgzMTExNDI0NFoXDTI0MDgzMDExNDI0 +NFowHjELMAkGA1UEBhMCSUwxDzANBgNVBAgMBklzcmFlbDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALEmvhycPlaP6/QroRbEq4P8iKtwIr5Ep6AgTcrD +tFhxB6/15nwQkFnEk0LP41St6U8ChwW6SlekZGOHUzyqA8xpQM1X97AMSd9xUGbo +3DQLfFCOZV/9TUV9MLtXaAkgN5n/1I3DCAZzZITAzI1NeD8H9PXYidfRYIHPwjQe +17acPA8XagQEpexF/upDwSgNPcWRGS3hBcRu+Pd5ZwDfaE2TqU92Oe5vP5u5AIRu +mxuQLMB8b6xi6xnudBG75N5dFqd4KfVJU67JNwYlCz2d+qCVlP8nSU5ocRHo8RTE +cg2ISKt2rO+n1cah0hyJZxfsAV+lYZx++YzIO7GMzxcPhHECAwEAATANBgkqhkiG +9w0BAQsFAAOCAQEAjU/gIjnyhyiqUzsaGpLP9WcnLQguSAB0DIWzCG7leXsGMYIN +TqwH1AinYiV5/7IXWNvnSwzmH+SWtcT5dJ6h7E54wxID72qGhaELI8Ov2UdgmT0r +lMJR6QOzhZdeY/OcydNtXThFNFFDhF5ueYvB8Id/PSF9aBKGAiBIgCRkLy6eT/MM +zk/VEr8OxJ6J0I4QjV8poQN1ob0S5M9INNzQkfKK0BEf50OPFV294HbF58yRtnCL +IQmj1taMRlwyvO73esv3rX6+q2E3/LodhbuSx+Nv6fyxapTDICG2MMt4boTjZzdT +KswffhUqCiJxxxRj6nZpHEprG/JugukySOzYJw== +-----END CERTIFICATE----- diff --git a/certificates/private-key.pem b/certificates/private-key.pem new file mode 100644 index 0000000..bc70d56 --- /dev/null +++ b/certificates/private-key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCxJr4cnD5Wj+v0 +K6EWxKuD/IircCK+RKegIE3Kw7RYcQev9eZ8EJBZxJNCz+NUrelPAocFukpXpGRj +h1M8qgPMaUDNV/ewDEnfcVBm6Nw0C3xQjmVf/U1FfTC7V2gJIDeZ/9SNwwgGc2SE +wMyNTXg/B/T12InX0WCBz8I0Hte2nDwPF2oEBKXsRf7qQ8EoDT3FkRkt4QXEbvj3 +eWcA32hNk6lPdjnubz+buQCEbpsbkCzAfG+sYusZ7nQRu+TeXRaneCn1SVOuyTcG +JQs9nfqglZT/J0lOaHER6PEUxHINiEirdqzvp9XGodIciWcX7AFfpWGcfvmMyDux +jM8XD4RxAgMBAAECggEAWB4UXLjfTUGDtc3p8CBdzGZWOSirL4eI9d57s4tLbt6y +WzVus3Gty+k68vXjd2CWd+Wi8hdrGVM9WECdB8Tt5MTKJhpGqzxBlrKPstDLj9vS +t2NNS8T8pb8S+W0N49QxtBmMSgOkP0kwy9P3K6ZIVNoJYCyYzFBqt8d3K2PYGw2h +wWfVZocKH6/O146k1AyBzQuxg1U83j+ZzGoTlzBJXW1Egi75uk0cWcIheJ1v/yag +Pcvx3R948TKc43wLcLfuzIIYu57dzgYc82G4XLz93W7PTpkPh/7+SRDhvb6PZ9n3 +A9CXahzrqSppFZ9fdyqHMDrKfYv9n8vpxjcO0XIu7QKBgQDe8njFHrNk/9UB4v9+ +Zb2Oq/ziy99BErICQSeuF1D7DQqntZBg7p8KtBKzW2RfwTeb14WXgVMPZM+fuC8O +SXu2XEW0gQ6Wl++zFEl5uns27P3Ied9xa1Q+UdagI9Y2/sbNfPhou32sYu5CJMs6 +OZJyzAb2lnhNB/Ca3QRyVM2yuwKBgQDLai3eYn+m4ZrRMqqXGEaDSqH9dMsSEu5Z +0yYJOQ+kwGKK8lWkyFFB/S/GNV6xpVpafELzVMpHtmFiDHEqMb++2yrAzEXI0o+E +S1RbgOkeYnlY1blRc3fJrTkYhzIGRDtYWPEZXDBV/muylWFkME/I9zHuWLzqy33V +IVQXrgsgwwKBgQCV2746IczMEvsG7aJ3P8QO5qRxfkBu6TYmNc2KQ7n3RmjnGjAW +N89HzorTbJcnliTe6BuwHwnJyyWUYqWeoN47UgK4thcsOqywXu6UmDjCTsK3wtPi +1RYnXbM6qVwQU2kmLt5656wt98HXTAwe8xvxdhsoHTR38uJT9kRK5Z3uiQKBgEpa +4bFsp+TEiub1ck4Q3ZWYbmZLjv9oVCAZgsnURdefS2Ym9w9o+er5NcFqONcO7lwt +F/wCfn6AOFCy45rc3I5TZulawheKgFOHhap9ELm+nUTPuxH+90aNP1Wr9ak8v8Sn +nln6zOBiQ9Pfrt4EmuWHFoVdgpEBGVoS+L4/LGopAoGBALffVDtB3lmCqJ+v/hxG +g/MIArmug2bCy9kKA1xpKkQzb+nEh/Fe/QjhTBveetFXkTJOSKUAwIJGW1BmP+9W +J867oEDOJbm2l968Jwo+/hrHC4SMqQhSVfGvnx3zYD86UC2x1pi2tvWT2te98rgv +GaSEdJB4yfPDy80Uk1qiJ+0f +-----END PRIVATE KEY----- diff --git a/nginx/Dockerfile b/nginx/Dockerfile new file mode 100644 index 0000000..fc9f4c9 --- /dev/null +++ b/nginx/Dockerfile 
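Review bot: `certificates/private-key.pem` is a real, unencrypted RSA private key (`-----BEGIN PRIVATE KEY-----` … `-----END PRIVATE KEY-----`) checked into version control, where it stays in history even after a later delete; once pushed it has to be treated as disclosed and the key pair regenerated. Drop the file from the commit, add `certificates/*.pem` to `.gitignore`, and keep at most the certificate in the repo; the commented `CertificateArn` in `vpc-subnets-stack.yml` suggests ACM is the intended home for the key material anyway. Nothing in this commit consumes either PEM file, so removing both costs nothing.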
@@ -0,0 +1,9 @@ +# Use the official NGINX image as the base image +FROM nginx + +# Copy your custom HTML and logo files to the NGINX web root +COPY index.html /usr/share/nginx/html/ +COPY logo.png /usr/share/nginx/html/ + +# Expose port 80 for HTTP traffic +EXPOSE 80 \ No newline at end of file diff --git a/nginx/index.html b/nginx/index.html new file mode 100644 index 0000000..6f4853d --- /dev/null +++ b/nginx/index.html @@ -0,0 +1,10 @@ + + + + Hello Commit + + +
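Review bot: `FROM nginx` floats on an untagged base image, so every build silently picks up whatever `latest` is at the time; pin it, e.g. `FROM nginx:<tag>@sha256:<digest>` (values to be filled in). The image only `EXPOSE`s 80 and never copies the certificate or an nginx TLS configuration into it, while the task definition in `vpc-subnets-stack.yml` maps container port 443 — that mapping is dead until the image actually serves TLS, so either add the TLS config here or drop the 443 mapping. The file also lacks a trailing newline (`\ No newline at end of file`).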

Hello Commit

+ Logo + + diff --git a/nginx/logo.png b/nginx/logo.png new file mode 100644 index 0000000..fee5b94 Binary files /dev/null and b/nginx/logo.png differ diff --git a/vpc-subnets-stack.yml b/vpc-subnets-stack.yml new file mode 100644 index 0000000..d2a2833 --- /dev/null +++ b/vpc-subnets-stack.yml @@ -0,0 +1,216 @@ +AWSTemplateFormatVersion: "2010-09-09" + +Resources: + VPC: + Type: AWS::EC2::VPC # or AWS::RDS::DBSubnetGroup + Properties: # or Properties + CidrBlock: 10.0.0.0/16 # this is the VPC CIDR block (CIDR = Classless Inter-Domain Routing, it means you can use 0.0.0.0/0 for all IPs) + EnableDnsSupport: true # Enable DNS hostnames (EnableDnsSupport is true by default) + EnableDnsHostnames: true # Enable DNS hostnames (EnableDnsHostnames is true by default) + + SubnetA: + Type: AWS::EC2::Subnet # this subnet is for the ECS instances (webserver) + Properties: + VpcId: !Ref VPC + CidrBlock: 10.0.0.0/24 # this is the subnet CIDR block it means that you can use 10.0.0.0/24 + AvailabilityZone: eu-central-1a + + SubnetB: + Type: AWS::EC2::Subnet # this subnet is for the RDS + Properties: + VpcId: !Ref VPC + CidrBlock: 10.0.1.0/24 + AvailabilityZone: eu-central-1b + + Nacl: + Type: AWS::EC2::NetworkAcl + Properties: + VpcId: !Ref VPC + + InboundRuleHttps: + Type: AWS::EC2::NetworkAclEntry + Properties: + NetworkAclId: !Ref Nacl + RuleNumber: "1" + Protocol: 6 + RuleAction: allow + PortRange: + From: 443 + To: 443 + Egress: false # Egress means outbound + CidrBlock: 0.0.0.0/0 + + InboundRuleHttp: + Type: AWS::EC2::NetworkAclEntry + Properties: + NetworkAclId: !Ref Nacl + RuleNumber: "2" + Protocol: 6 + RuleAction: allow + PortRange: + From: 80 + To: 80 + Egress: false # Egress means outbound + CidrBlock: 0.0.0.0/0 + + OutboundRuleHttps: + Type: AWS::EC2::NetworkAclEntry + Properties: + NetworkAclId: !Ref Nacl + RuleNumber: "3" + Protocol: 6 + PortRange: + 
From: 443 + To: 443 + RuleAction: allow + Egress: true + CidrBlock: 0.0.0.0/0 + + OutboundRuleHttp: + Type: AWS::EC2::NetworkAclEntry + Properties: + NetworkAclId: !Ref Nacl + RuleNumber: "4" + Protocol: 6 + PortRange: + 
From: 80 + To: 80 + RuleAction: allow + Egress: true + CidrBlock: 0.0.0.0/0 + + RDSInstance: + Type: AWS::RDS::DBInstance + Properties: + AllocatedStorage: 20 + DBInstanceClass: db.t2.micro + Engine: mysql # or postgres + MasterUsername: root_user + MasterUserPassword: root_password + DBName: root_db + MultiAZ: false + + ECSCluster: + Type: AWS::ECS::Cluster # this ECSCluster is to run the ECS tasks + + ECSTaskDefinition: + Type: AWS::ECS::TaskDefinition + Properties: + NetworkMode: awsvpc + RequiresCompatibilities: + - FARGATE + ExecutionRoleArn: !Ref ExecutionRole + TaskRoleArn: !Ref TaskRole + Cpu: 256 + Memory: 0.5GB + Family: !Ref ECSCluster + ContainerDefinitions: + - Name: commit-nginx + Image: 539634357948.dkr.ecr.eu-central-1.amazonaws.com/commit-nginx:latest + Memory: 512 # Specify memory here (in MiB) + PortMappings: + - ContainerPort: 80 + - ContainerPort: 443 + + ECSService: + Type: AWS::ECS::Service + Properties: + Cluster: !Ref ECSCluster + LoadBalancers: + - ContainerName: commit-nginx + ContainerPort: 80 + LoadBalancerName: !GetAtt LoadBalancer.Name + TaskDefinition: !Ref ECSTaskDefinition + DesiredCount: 1 + LaunchType: EC2 + NetworkConfiguration: + AwsvpcConfiguration: + Subnets: + - !Ref SubnetA + - !Ref SubnetB + DependsOn: + - "LoadBalancer" + + + LoadBalancer: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + Name: "Commit-elb" + LoadBalancerAttributes: + # this is the default, but is specified here in case it needs to be changed + - Key: idle_timeout.timeout_seconds + Value: 60 + # "internal" is also an option + Scheme: internet-facing + Subnets: + - !Ref SubnetA + - !Ref SubnetB + + ExecutionRole: + Type: AWS::IAM::Role + Properties: + RoleName: "Commit-ECSRole" + AssumeRolePolicyDocument: + Statement: + - Effect: Allow + Principal: + Service: ecs-tasks.amazonaws.com + Action: "sts:AssumeRole" + ManagedPolicyArns: + - "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" + + TaskRole: + Type: AWS::IAM::Role 
+ Properties:
+ RoleName: "Commit-TaskRole"
+ AssumeRolePolicyDocument:
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: ecs-tasks.amazonaws.com
+ Action: "sts:AssumeRole"
+
+ MyInternetGateway:
+ Type: AWS::EC2::InternetGateway
+ Properties:
+ Tags:
+ - Key: stack
+ Value: production
+
+ MyVPCGatewayAttachment:
+ Type: AWS::EC2::VPCGatewayAttachment
+ Properties:
+ InternetGatewayId: !Ref MyInternetGateway
+ VpcId: !Ref VPC
+
+
+
+ ListenerHTTPS:
+ Type: AWS::ElasticLoadBalancingV2::Listener
+ Properties:
+ DefaultActions:
+ - TargetGroupArn: !Ref TargetGroup
+ Type: forward
+ LoadBalancerArn: !Ref LoadBalancer
+ Port: 80
+ Protocol: HTTP
+ # Certificates:
+ # - CertificateArn: "arn:aws:acm:eu-central-1:539634357948:certificate/584cfb24-bc7a-431b-9150-16d47bdb8ea9"
+
+ TargetGroup:
+ Type: AWS::ElasticLoadBalancingV2::TargetGroup
+ Properties:
+ HealthCheckIntervalSeconds: 10
+ # will look for a 200 status code by default unless specified otherwise
+ HealthCheckPath: "/"
+ HealthCheckTimeoutSeconds: 5
+ UnhealthyThresholdCount: 2
+ HealthyThresholdCount: 2
+ Name: MyTargetGroup
+ Port: 80
+ Protocol: HTTP
+ TargetGroupAttributes:
+ - Key: deregistration_delay.timeout_seconds
+ Value: 60 # default is 300
+ TargetType: ip
+ VpcId: !Ref VPC
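Review bot: `MasterUserPassword: root_password` (with `MasterUsername: root_user`) on `RDSInstance` is a database credential in plain text inside a template that is committed to the repository and readable by anyone with `DescribeStacks`; replace it with a `NoEcho: true` parameter or a Secrets Manager dynamic reference such as `MasterUserPassword: '{{resolve:secretsmanager:<secret-id>:SecretString:password}}'`. The network controls in the hunk do not actually apply: `Nacl` is never attached to `SubnetA`/`SubnetB` (no `AWS::EC2::SubnetNetworkAclAssociation`, and its stateless egress rules allow only 80/443 with no ephemeral range), neither `LoadBalancer` nor `AwsvpcConfiguration` sets `SecurityGroups`, and `RDSInstance` has no `DBSubnetGroupName`/`VPCSecurityGroups`, so it is not placed in this VPC at all. On `ECSService`, `LoadBalancerName: !GetAtt LoadBalancer.Name` is the ALB bug named in the commit message; rather than moving to a classic ELB, `TargetGroupArn: !Ref TargetGroup` in place of `LoadBalancerName` keeps the v2 load balancer, and `LaunchType: EC2` should be `FARGATE` to match `RequiresCompatibilities`. `ListenerHTTPS` serves `Protocol: HTTP` on port 80 with the certificate commented out, so either rename it or finish the HTTPS listener. There is also no route table with a `0.0.0.0/0` route to `MyInternetGateway`, so the internet-facing load balancer in these subnets has no path to the internet.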